Infected w/TDL4 & Google Redirect & svchost hogging memory


  • This topic is locked
19 replies to this topic

#1 golferboi

golferboi

  • Members
  • 9 posts
  • OFFLINE
  • Local time:02:39 PM

Posted 29 March 2012 - 06:48 AM

So, it seems like I have multiple problems. When I start my computer it runs very slow. I checked the Task Manager and noticed that svchost.exe was hogging up all the CPU and memory. After letting it run for a while, the svchost.exe had used up 1.8GB of memory and I could not do anything on my computer. I restarted my computer to see if that resolved anything, but svchost.exe continued to hog up memory and CPU. So, I went to do a search on Google and when I clicked on a link I was taken to a totally different website. I ended up having to copy and paste to get to the actual website. So what is very strange, when I restarted my computer a second time, Windows went away and I saw some type of mini browser running in the background. This is something that I did not spawn, so I don't know where it came from.

DDS LOG:
=============
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_19
Run by Jamel Bearyman at 19:21:06 on 2012-03-28
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2047.518 [GMT -5:00]
.
AV: Norton 360 *Enabled/Updated* {A5F1BC7C-EA33-4247-961C-0217208396C4}
FW: Norton 360 *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Roxio\BackOnTrack\Disaster Recovery\SaibSVC.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
C:\Program Files\CinemaNow\CinemaNow Media Manager\CinemanowSvc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Memeo\AutoBackup\MemeoBackgroundService.exe
C:\WINDOWS\System32\svchost.exe -k necusb3
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Seagate\Seagate Dashboard\SeagateDashboardService.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\TuneUp Utilities 2008\MemOptimizer.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.my.yahoo.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: 1 (0x1): {02478d38-c3f9-4efb-9b51-7695eca05670} - &Yahoo! Toolbar Helper
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {1e8a6170-7264-4d0f-beae-d42a53123c75} - c:\program files\common files\symantec shared\coshared\browser\1.5\NppBho.dll
BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Show Norton Toolbar: {90222687-f593-4738-b738-fbee9c7b26df} - c:\program files\common files\symantec shared\coshared\browser\1.5\UIBHO.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: {9404901D-06DA-4B23-A0EE-3EA4F64EC9B3} - No File
uRun: [TuneUp MemOptimizer] "c:\program files\tuneup utilities 2008\MemOptimizer.exe" autostart
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Windows Media Connect 2] "c:\program files\windows media connect 2\WMCCFG.exe" /StartQuiet
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10c.exe
uPolicies-explorer: <NO NAME> =
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: aol.com\free
Trusted Zone: cinemanow.com
Trusted Zone: intuit.com\ttlc
Trusted Zone: qflix.com
Trusted Zone: roxio.com
Trusted Zone: sonic.com\redirect
Trusted Zone: sonic.com\redirect2
Trusted Zone: turbotax.com
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/templates/ieawsdc.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {33363249-0000-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/i263_32.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {33564D57-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/wmv9dmo.cab
DPF: {41F17733-B041-4099-A042-B518BB6A408C} - hxxp://apple.speedera.net/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37997.8237962963
DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - hxxp://www.sibelius.com/download/software/win/ActiveXPlugin.cab
DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} - hxxp://www.linksysfix.com/netcheck/24/install/gtdownls.cab
DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-1_4_0_01-win.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://lmpassage3.external.lmco.com/dana-cached/sc/JuniperSetupClient.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{19DC4448-8754-4498-AFA4-959C5F650A59} : DhcpNameServer = 192.168.1.1
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: necusb - nwusbw32.dll
Notify: nwusbw32 - nwusbw32.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: DVDIdleShell Class: {93994de8-8239-4655-b1d1-5f4e91300429} - c:\progra~1\dvdreg~1\DVDShell.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\jamel bearyman\application data\mozilla\firefox\profiles\hl3jmw52.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.my.yahoo.com/
FF - plugin: c:\program files\canon\easy-photoprint ex\NPEZFFPI.DLL
FF - plugin: c:\program files\microsoft silverlight\4.1.10111.0\npctrlui.dll
.
============= SERVICES / DRIVERS ===============
.
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2010-2-19 207280]
R0 SahdIa32;HDD Filter Driver;c:\windows\system32\drivers\SahdIa32.sys [2011-2-5 21488]
R0 SaibIa32;Volume Filter Driver;c:\windows\system32\drivers\SaibIa32.sys [2011-2-5 15856]
R1 c2scsi;c2scsi;c:\windows\system32\drivers\c2scsi.sys [2012-1-26 244608]
R1 SaibVd32;Virtual Disk Driver;c:\windows\system32\drivers\SaibVd32.sys [2011-2-5 25584]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2012-2-13 106104]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20120328.002\NAVENG.SYS [2012-3-28 86136]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20120328.002\NAVEX15.SYS [2012-3-28 1576312]
S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\tffsmon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]
S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\tfsysmon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]
S2 BulkUsb;Genesys Logic USB Scanner Controller NT 5.0;c:\windows\system32\drivers\usbscan.sys [2003-1-26 15104]
S2 VPCAppSv;Virtual PC Application Services;c:\windows\system32\drivers\vpcappsv.sys [2002-5-20 10374]
S3 psa128s;psa128s;c:\windows\system32\drivers\psa128s.sys --> c:\windows\system32\drivers\psa128s.sys [?]
S3 psa128u;Nike psa[128max Player Control Driver;c:\windows\system32\drivers\psa128u.sys --> c:\windows\system32\drivers\psa128u.sys [?]
S3 RioS35;RioS35S driver;c:\windows\system32\drivers\rios35.sys [2003-3-18 12661]
S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\tfnetmon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2007-10-24 10112]
.
=============== Created Last 30 ================
.
2012-03-25 02:11:32 98816 ----a-w- c:\windows\sed.exe
2012-03-25 02:11:32 518144 ----a-w- c:\windows\SWREG.exe
2012-03-25 02:11:32 256000 ----a-w- c:\windows\PEV.exe
2012-03-25 02:11:32 208896 ----a-w- c:\windows\MBR.exe
2012-03-22 01:26:13 592824 ----a-w- c:\program files\mozilla firefox\gkmedias.dll
2012-03-22 01:26:13 44472 ----a-w- c:\program files\mozilla firefox\mozglue.dll
2012-03-10 18:19:39 -------- d-----w- c:\program files\iTunes
2012-03-05 02:28:54 -------- d-----w- c:\documents and settings\all users\application data\dvdfab
2012-03-05 02:28:33 -------- d-----w- c:\program files\DVDFab 8 Qt
.
==================== Find3M ====================
.
2012-02-15 16:01:50 4547944 ----a-w- c:\windows\system32\usbaaplrc.dll
2012-02-15 16:01:50 43520 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2003-01-26 00:47:49 37731236 ----a-w- c:\program files\j2sdk-1_4_1_01-windows-i586.exe
2001-06-20 21:19:18 40960 ----a-w- c:\program files\ACMonitor_X83.exe
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST380021A rev.3.75 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys SahdIa32.sys PCTCore.sys >>UNKNOWN [0x8A4E149F]<<
c:\windows\system32\drivers\SahdIa32.sys Sonic Solutions
c:\windows\system32\drivers\PCTCore.sys PC Tools Kernel Driver Suite
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8a4e8740]; MOV EAX, [0x8a4e88b4]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 nt!IofCallDriver[0x804E37D5] -> \Device\Harddisk0\DR0[0x8A6F9AB8]
3 CLASSPNP[0xF763805B] -> nt!IofCallDriver[0x804E37D5] -> [0x8A6E3938]
5 SahdIa32[0xF7668939] -> nt!IofCallDriver[0x804E37D5] -> [0x8A78C920]
7 PCTCore[0xBA7C388F] -> nt!IofCallDriver[0x804E37D5] -> [0x8A79A030]
\Driver\atapi[0x8A788408] -> IRP_MJ_CREATE -> 0x8A4E149F
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A4E12C6
\Driver\atapi -> 0x8a7911f8
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 19:25:03.45 ===============
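The ROOTKIT section of the DDS log above shows what the Gmer MBR detector actually checks: it reads sector 0 once through the normal user-mode path and once from the kernel, walks the disk driver chain (where it found an UNKNOWN module and a hook on \Driver\atapi DriverStartIo), and reports "user & kernel MBR OK" only when both reads agree. The example below is added here and is not part of the thread or of Gmer's tool; it shows a minimal MBR parser and that two-path comparison. A bootkit that hooks the miniport can hand a clean copy of the original MBR to ordinary readers while the real sector holds its loader, which is why a single read through the hooked stack proves nothing. The sectors are constructed for the example; the "tampered" boot code is a stand-in, not real TDL4 bytes.

```python
"""
Added example (not from this thread or from Gmer's detector): a minimal MBR
parser plus the two-path consistency check that MBR-rootkit detectors rely on.
A bootkit hooks the disk miniport (the atapi DriverStartIo hook reported in the
log) so that ordinary reads of sector 0 return a clean copy while the real
sector holds the bootkit loader. Reading the sector through two different
paths and comparing them exposes the discrepancy. All sectors below are
constructed; the "tampered" boot code is a stand-in, not real TDL4 bytes.
"""
import struct

SECTOR_SIZE = 512
PART_TABLE_OFFSET = 446          # 446 bytes of boot code, then 4 x 16-byte entries
MBR_SIGNATURE = 0xAA55           # stored little-endian as 55 AA at offset 510
ENTRY_FMT = "<B3sB3sII"          # status, CHS start, type, CHS end, LBA start, sector count

BOOT_CODE_DIFFERS = "boot code differs between user-mode and kernel read (possible hooked disk stack)"
TABLE_DIFFERS = "partition table differs between reads"
BAD_SIGNATURE = "missing 0xAA55 boot signature"


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte sector into boot code, partition entries and a signature check."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    signature = struct.unpack_from("<H", sector, 510)[0]
    partitions = []
    for i in range(4):
        status, _, ptype, _, lba_start, count = struct.unpack_from(
            ENTRY_FMT, sector, PART_TABLE_OFFSET + 16 * i)
        if ptype == 0:                       # empty slot
            continue
        partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": count})
    return {"signature_ok": signature == MBR_SIGNATURE,
            "code": sector[:PART_TABLE_OFFSET],
            "partitions": partitions}


def compare_mbr_reads(user_read: bytes, kernel_read: bytes) -> list:
    """Compare sector 0 as read through two paths; an empty list means 'user & kernel MBR OK'."""
    findings = []
    u, k = parse_mbr(user_read), parse_mbr(kernel_read)
    if not (u["signature_ok"] and k["signature_ok"]):
        findings.append(BAD_SIGNATURE)
    if u["code"] != k["code"]:
        findings.append(BOOT_CODE_DIFFERS)
    if u["partitions"] != k["partitions"]:
        findings.append(TABLE_DIFFERS)
    return findings


def build_mbr(code: bytes, partitions: list) -> bytes:
    """Assemble a test sector from boot code and (bootable, type, lba_start, sectors) tuples."""
    body = code.ljust(PART_TABLE_OFFSET, b"\x00")[:PART_TABLE_OFFSET]
    table = b"".join(
        struct.pack(ENTRY_FMT, 0x80 if bootable else 0, b"\x00" * 3, ptype, b"\x00" * 3, lba, count)
        for bootable, ptype, lba, count in partitions)
    return body + table.ljust(64, b"\x00") + struct.pack("<H", MBR_SIGNATURE)


# Constructed samples. The clean boot code opens with the same instructions the
# detector disassembled in the log (XOR AX,AX / MOV SS,AX / MOV SP,7C00h / STI).
NTFS_PARTITION = [(True, 0x07, 63, 156296322)]
CLEAN_MBR = build_mbr(bytes.fromhex("33c08ed0bc007cfb"), NTFS_PARTITION)
TAMPERED_MBR = build_mbr(bytes.fromhex("fa33c08ed0bc007c"), NTFS_PARTITION)  # stand-in loader code
UNSIGNED_MBR = CLEAN_MBR[:510] + b"\x00\x00"

if __name__ == "__main__":
    print("clean vs clean:", compare_mbr_reads(CLEAN_MBR, CLEAN_MBR) or "user & kernel MBR OK")
    print("clean vs tampered:", compare_mbr_reads(CLEAN_MBR, TAMPERED_MBR))
```

The comparison only catches a bootkit when the second read really bypasses the hooked driver; if both reads travel through the same hooked DriverStartIo, they agree and the check passes, which is exactly why the detector also lists the hooks it found on \Driver\atapi rather than relying on the MBR comparison alone.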


#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:03:39 PM

Posted 31 March 2012 - 01:55 AM

Hello and Welcome to Bleeping Computer!!

My name is Gringo and I'll be glad to help you with your computer problems.

I have put together some things for you to keep in mind while I am helping you, to make things go easier and faster for both of us.

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the Watch Topic Button, select Immediate Notification, and click on Proceed. This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Back up any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartache if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run ComboFix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<

ComboFix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days. If You Will Be Longer, Please Let Me Know.

If I Have Not Replied To One Of My Topics In 48 Hrs, Please Bump The Topic.



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#3 golferboi

golferboi
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:02:39 PM

Posted 31 March 2012 - 03:17 PM

Thank you Gringo for helping me. Here is my log from ComboFix:

ComboFix 12-03-30.06 - Jamel Bearyman 03/30/2012 10:57:03.6.1 - x86
Running from: c:\documents and settings\Jamel Bearyman\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
.
.
((((((((((((((((((((((((( Files Created from 2012-02-28 to 2012-03-30 )))))))))))))))))))))))))))))))
.
.
2012-03-22 01:26 . 2012-03-22 01:26 592824 ----a-w- c:\program files\Mozilla Firefox\gkmedias.dll
2012-03-22 01:26 . 2012-03-22 01:26 44472 ----a-w- c:\program files\Mozilla Firefox\mozglue.dll
2012-03-10 18:54 . 2012-03-10 18:54 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2012-03-10 18:19 . 2012-03-10 18:21 -------- d-----w- c:\program files\iTunes
2012-03-05 02:28 . 2012-03-05 02:28 -------- d-----w- c:\documents and settings\All Users\Application Data\dvdfab
2012-03-05 02:28 . 2012-03-05 02:28 -------- d-----w- c:\program files\DVDFab 8 Qt
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-15 16:01 . 2009-09-27 04:46 4547944 ----a-w- c:\windows\system32\usbaaplrc.dll
2012-02-15 16:01 . 2009-09-27 04:46 43520 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2003-01-26 00:47 . 2003-01-26 00:47 37731236 ----a-w- c:\program files\j2sdk-1_4_1_01-windows-i586.exe
2001-06-20 21:19 . 2001-06-19 21:34 40960 ----a-w- c:\program files\ACMonitor_X83.exe
2012-03-22 01:26 . 2012-01-26 23:37 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot_2012-03-25_02.59.03 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-03-30 15:53 . 2012-03-30 15:53 16384 c:\windows\Temp\Perflib_Perfdata_544.dat
+ 2012-03-29 09:59 . 2012-03-29 19:19 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\MSHist012012032920120330\index.dat
+ 2012-03-28 21:24 . 2012-03-28 20:41 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\MSHist012012032820120329\index.dat
+ 2012-03-25 22:12 . 2012-03-25 19:23 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\MSHist012012032520120326\index.dat
+ 2002-07-30 00:01 . 2012-03-29 22:03 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\INDEX.DAT
- 2002-07-30 00:01 . 2012-03-24 23:39 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\INDEX.DAT
+ 2011-11-15 07:49 . 2012-03-29 10:03 16384 c:\windows\SYSTEM32\CONFIG\systemprofile\IETldCache\index.dat
- 2011-11-15 07:49 . 2012-03-21 12:08 16384 c:\windows\SYSTEM32\CONFIG\systemprofile\IETldCache\index.dat
+ 2012-03-28 00:11 . 2012-03-29 22:03 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Cookies\index.dat
+ 2012-03-28 20:00 . 2012-03-12 02:43 225764 c:\windows\PCHEALTH\HELPCTR\Config\Cache\Personal_32_1033.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TuneUp MemOptimizer"="c:\program files\TuneUp Utilities 2008\MemOptimizer.exe" [2008-02-29 196864]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-10-06 5058560]
"Windows Media Connect 2"="c:\program files\Windows Media Connect 2\WMCCFG.exe" [2006-10-19 8704]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 115816]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-04-20 58656]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-10-24 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-03-07 421736]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10c.exe" [2009-07-18 257440]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{93994DE8-8239-4655-B1D1-5F4E91300429}"= "c:\progra~1\DVDREG~1\DVDShell.dll" [2004-10-09 49152]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\necusb]
2011-11-14 22:10 37888 ----a-w- c:\windows\SYSTEM32\nwusbw32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nwusbw32]
2011-11-14 22:10 37888 ----a-w- c:\windows\SYSTEM32\nwusbw32.dll
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=c:\windows\system32\ctfmon.exe
"RealPlayer"="c:\program files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
"eFax 4.4"="c:\program files\eFax Messenger 4.4\J2GDllCmd.exe" /R
"NvMediaCenter"=RUNDLL32.EXE c:\windows\System32\NVMCTRAY.DLL,NvTaskbarInit
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"RemoteControl"=c:\program files\Roxio\Roxio DVDMax Player\PDVDServ.exe
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
"UpdReg"=c:\windows\Updreg.exe
"nwiz"=nwiz.exe /install
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
"AHQInit"=c:\program files\Creative\SBLive\Program\AHQInit.exe
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
"RoxioDragToDisc"="c:\program files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe"
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
"CanonMyPrinter"=c:\program files\Canon\MyPrinter\BJMyPrt.exe /logon
"CanonSolutionMenu"=c:\program files\Canon\SolutionMenu\CNSLMAIN.exe /logon
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe"
"Desktop Disc Tool"="c:\program files\Roxio 2010\Roxio Burn\RoxioBurnLauncher.exe"
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\12.0\SharedCOM\RoxWatchTray12.exe"
"WD Button Manager"=WDBtnMgr.exe
"Memeo Instant Backup"=c:\program files\Memeo\AutoBackup\MemeoLauncher2.exe --silent --no_ui
"Seagate Dashboard"=c:\program files\Seagate\Seagate Dashboard\MemeoLauncher.exe --silent --no_ui
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\WINDOWS\\SYSTEM32\\ftp.exe"=
"c:\\WINDOWS\\SYSTEM32\\devldr32.exe"=
"c:\\tmp\\utorrent_1.2.2.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Seagate\\Seagate Dashboard\\HipServAgent\\HipServAgent.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
R0 PCTCore;PCTools KDS;c:\windows\SYSTEM32\DRIVERS\PCTCore.sys [2/19/2010 11:47 AM 207280]
R0 SahdIa32;HDD Filter Driver;c:\windows\SYSTEM32\DRIVERS\SahdIa32.sys [2/5/2011 3:41 PM 21488]
R0 SaibIa32;Volume Filter Driver;c:\windows\SYSTEM32\DRIVERS\SaibIa32.sys [2/5/2011 3:41 PM 15856]
R0 sptd;sptd;c:\windows\SYSTEM32\DRIVERS\sptd.sys [11/25/2008 5:35 PM 717296]
R1 c2scsi;c2scsi;c:\windows\SYSTEM32\DRIVERS\c2scsi.sys [1/26/2012 11:07 PM 244608]
R1 SaibVd32;Virtual Disk Driver;c:\windows\SYSTEM32\DRIVERS\SaibVd32.sys [2/5/2011 3:41 PM 25584]
R2 9734BF6A-2DCD-40f0-BAB0-5AAFEEBE1269;Roxio SAIB Service;c:\program files\Roxio\BackOnTrack\Disaster Recovery\SaibSVC.exe [6/2/2009 7:05 PM 457200]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [2/19/2010 11:49 AM 112592]
R2 CinemaNow Service;CinemaNow Service;c:\program files\CinemaNow\CinemaNow Media Manager\CinemaNowSvc.exe [6/23/2009 5:40 PM 127352]
R2 MemeoBackgroundService;MemeoBackgroundService;c:\program files\Memeo\AutoBackup\MemeoBackgroundService.exe [5/4/2011 4:10 PM 25824]
R2 necusb;NEC USB Device Service;c:\windows\System32\svchost.exe -k necusb3 [8/18/2001 6:00 AM 14336]
R2 SeagateDashboardService;Seagate Dashboard Service;c:\program files\Seagate\Seagate Dashboard\SeagateDashboardService.exe [6/1/2011 11:42 AM 14088]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\eengine\EraserUtilRebootDrv.sys [2/13/2012 12:36 PM 106104]
S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]
S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]
S2 BulkUsb;Genesys Logic USB Scanner Controller NT 5.0;c:\windows\SYSTEM32\DRIVERS\usbscan.sys [1/26/2003 7:37 PM 15104]
S2 RoxWatch12;Roxio Hard Drive Watcher 12;c:\program files\Common Files\Roxio Shared\12.0\SharedCOM\RoxWatch12.exe [7/24/2009 8:33 AM 219632]
S2 VPCAppSv;Virtual PC Application Services;c:\windows\SYSTEM32\DRIVERS\vpcappsv.sys [5/20/2002 8:31 PM 10374]
S3 pcouffin;VSO Software pcouffin;c:\windows\SYSTEM32\DRIVERS\pcouffin.sys [12/16/2008 7:22 PM 47360]
S3 psa128s;psa128s;c:\windows\system32\DRIVERS\psa128s.sys --> c:\windows\system32\DRIVERS\psa128s.sys [?]
S3 psa128u;Nike psa[128max Player Control Driver;c:\windows\system32\Drivers\psa128u.sys --> c:\windows\system32\Drivers\psa128u.sys [?]
S3 RioS35;RioS35S driver;c:\windows\SYSTEM32\DRIVERS\rios35.sys [3/18/2003 9:09 PM 12661]
S3 Roxio UPnP Renderer 11;Roxio UPnP Renderer 11;"c:\program files\Roxio Creator 2009\Digital Home 11\RoxioUPnPRenderer11.exe" --> c:\program files\Roxio Creator 2009\Digital Home 11\RoxioUPnPRenderer11.exe [?]
S3 RoxMediaDB12;RoxMediaDB12;c:\program files\Common Files\Roxio Shared\12.0\SharedCOM\RoxMediaDB12.exe [7/24/2009 8:33 AM 1116656]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2/19/2010 11:47 AM 358600]
S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\TfNetMon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\SYSTEM32\DRIVERS\wdcsam.sys [10/24/2007 7:44 PM 10112]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - COMHOST
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
necusb3 REG_MULTI_SZ necusb
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-30 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2008\OneClickStarter.exe [2008-02-29 19:24]
.
2012-03-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 22:57]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.my.yahoo.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
Trusted Zone: aol.com\free
Trusted Zone: cinemanow.com
Trusted Zone: intuit.com\ttlc
Trusted Zone: qflix.com
Trusted Zone: roxio.com
Trusted Zone: sonic.com\redirect
Trusted Zone: sonic.com\redirect2
Trusted Zone: turbotax.com
TCP: DhcpNameServer = 192.168.1.1
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Jamel Bearyman\Application Data\Mozilla\Firefox\Profiles\hl3jmw52.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.my.yahoo.com/
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-03-30 11:23
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST380021A rev.3.75 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A5C72C6
\Driver\atapi -> 0x8a7911f8
user & kernel MBR OK
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(668)
c:\windows\system32\WININET.dll
c:\windows\system32\nwusbw32.dll
.
- - - - - - - > 'lsass.exe'(736)
c:\windows\system32\WININET.dll
.
Completion time: 2012-03-30 11:37:41
ComboFix-quarantined-files.txt 2012-03-30 16:37
ComboFix2.txt 2012-03-27 23:53
ComboFix3.txt 2012-03-27 22:54
ComboFix4.txt 2012-03-25 03:08
ComboFix5.txt 2012-03-30 15:38
.
Pre-Run: 20,968,349,696 bytes free
Post-Run: 21,031,739,392 bytes free
.
- - End Of File - - 9C6EBD4CAB6A84BFDD0C47CC8BE19380

#4 gringo_pr

gringo_pr
    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto Rico
  • Local time:03:39 PM

Posted 31 March 2012 - 08:01 PM

Greetings

I want you to run these next:

TDSSKiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then click on Start Scan.
  • If an infected file is detected, the default action will be Cure; click on Continue.
  • If a suspicious file is detected, the default action will be Skip; click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please download aswMBR to your desktop.
  • Double-click the aswMBR.exe icon to run it.
  • It will ask to download extra definitions - ALLOW IT.
  • Click the Scan button to start the scan.
  • On completion of the scan, click the Save log button, save it to your desktop and post it in your next reply.

If you have any problems running either one, come back and let me know.

Please reply with the reports from TDSSKiller and aswMBR.
I Close My Topics If You Have Not Replied In 5 Days. If You Will Be Longer, Please Let Me Know.

If I Have Not Replied To One Of My Topics In 48 Hrs, Please Bump The Topic.

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#5 golferboi

golferboi
  • Topic Starter
  • Members
  • 9 posts
  • Local time:02:39 PM

Posted 01 April 2012 - 11:29 AM

Done

TDSSKiller log:
10:49:02.0468 3680 TDSS rootkit removing tool 2.7.23.0 Mar 26 2012 13:40:18
10:49:02.0890 3680 ============================================================
10:49:02.0890 3680 Current date / time: 2012/04/01 10:49:02.0890
10:49:02.0890 3680 SystemInfo:
10:49:02.0890 3680
10:49:02.0890 3680 OS Version: 5.1.2600 ServicePack: 2.0
10:49:02.0890 3680 Product type: Workstation
10:49:02.0890 3680 ComputerName: JAMEL
10:49:02.0890 3680 UserName: Jamel Bearyman
10:49:02.0890 3680 Windows directory: C:\WINDOWS
10:49:02.0890 3680 System windows directory: C:\WINDOWS
10:49:02.0890 3680 Processor architecture: Intel x86
10:49:02.0890 3680 Number of processors: 1
10:49:02.0890 3680 Page size: 0x1000
10:49:02.0890 3680 Boot type: Normal boot
10:49:02.0890 3680 ============================================================
10:49:07.0000 3680 Drive \Device\Harddisk0\DR0 - Size: 0x12A1F16000 (74.53 Gb), SectorSize: 0x200, Cylinders: 0x2601, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
10:49:07.0000 3680 Drive \Device\Harddisk1\DR3 - Size: 0x15D50F65E00 (1397.27 Gb), SectorSize: 0x200, Cylinders: 0x2C881, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'W'
10:49:07.0015 3680 \Device\Harddisk0\DR0:
10:49:07.0015 3680 MBR used
10:49:07.0015 3680 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0xFB04, BlocksNum 0x94FE9BD
10:49:07.0015 3680 \Device\Harddisk1\DR3:
10:49:07.0015 3680 MBR used
10:49:07.0015 3680 \Device\Harddisk1\DR3\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0xAEA86741
10:49:07.0109 3680 Initialize success
10:49:07.0109 3680 ============================================================
10:49:11.0046 2840 ============================================================
10:49:11.0046 2840 Scan started
10:49:11.0046 2840 Mode: Manual;
10:49:11.0046 2840 ============================================================
10:49:58.0703 2840 ohci1394 (0951db8e5823ea366b0e408d71e1ba2a) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
10:49:58.0703 2840 ohci1394 - ok
10:49:58.0875 2840 ose (5a432a042dae460abe7199b758e8606c) C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
10:49:58.0875 2840 ose - ok
10:49:59.0093 2840 P3 (3e16eff2a6fed2d8d7f5a66dfe65d183) C:\WINDOWS\system32\DRIVERS\p3.sys
10:49:59.0093 2840 P3 - ok
10:49:59.0234 2840 Parport (29744eb4ce659dfe3b4122deb45bc478) C:\WINDOWS\system32\DRIVERS\parport.sys
10:49:59.0234 2840 Parport - ok
10:49:59.0375 2840 PartMgr (3334430c29dc338092f79c38ef7b4cd0) C:\WINDOWS\system32\drivers\PartMgr.sys
10:49:59.0375 2840 PartMgr - ok
10:49:59.0500 2840 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
10:49:59.0500 2840 ParVdm - ok
10:49:59.0718 2840 PCI (8086d9979234b603ad5bc2f5d890b234) C:\WINDOWS\system32\DRIVERS\pci.sys
10:49:59.0718 2840 PCI - ok
10:50:00.0250 2840 PCIDump - ok
10:50:00.0359 2840 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\System32\DRIVERS\pciide.sys
10:50:00.0359 2840 PCIIde - ok
10:50:00.0515 2840 Pcmcia (82a087207decec8456fbe8537947d579) C:\WINDOWS\system32\drivers\Pcmcia.sys
10:50:00.0515 2840 Pcmcia - ok
10:50:00.0625 2840 pcouffin (5b6c11de7e839c05248ced8825470fef) C:\WINDOWS\system32\Drivers\pcouffin.sys
10:50:00.0640 2840 pcouffin - ok
10:50:00.0796 2840 PCTCore (167b2fea66dde6925766d1a81a1affc0) C:\WINDOWS\system32\drivers\PCTCore.sys
10:50:00.0812 2840 PCTCore - ok
10:50:01.0046 2840 PDCOMP - ok
10:50:01.0109 2840 PDFRAME - ok
10:50:01.0187 2840 PDRELI - ok
10:50:01.0281 2840 PDRFRAME - ok
10:50:01.0359 2840 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\System32\DRIVERS\perc2.sys
10:50:01.0359 2840 perc2 - ok
10:50:01.0468 2840 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\System32\DRIVERS\perc2hib.sys
10:50:01.0468 2840 perc2hib - ok
10:50:01.0609 2840 PfModNT (c8a2d6ff660ac601b7bb9a9b16a5c25e) C:\WINDOWS\system32\drivers\PfModNT.sys
10:50:01.0609 2840 PfModNT - ok
10:50:01.0703 2840 PlugPlay (37561f8d4160d62da86d24ae41fae8de) C:\WINDOWS\system32\services.exe
10:50:01.0703 2840 PlugPlay - ok
10:50:01.0765 2840 PolicyAgent (84885f9b82f4d55c6146ebf6065d75d2) C:\WINDOWS\system32\lsass.exe
10:50:01.0781 2840 PolicyAgent - ok
10:50:01.0937 2840 PptpMiniport (1c5cc65aac0783c344f16353e60b72ac) C:\WINDOWS\system32\DRIVERS\raspptp.sys
10:50:01.0937 2840 PptpMiniport - ok
10:50:02.0078 2840 Processor (0d97d88720a4087ec93af7dbb303b30a) C:\WINDOWS\system32\DRIVERS\processr.sys
10:50:02.0078 2840 Processor - ok
10:50:02.0234 2840 ProtectedStorage (84885f9b82f4d55c6146ebf6065d75d2) C:\WINDOWS\system32\lsass.exe
10:50:02.0234 2840 ProtectedStorage - ok
10:50:02.0390 2840 psa128s - ok
10:50:02.0437 2840 psa128u - ok
10:50:02.0718 2840 PSched (48671f327553dcf1d27f6197f622a668) C:\WINDOWS\system32\DRIVERS\psched.sys
10:50:02.0734 2840 PSched - ok
10:50:02.0843 2840 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
10:50:02.0843 2840 Ptilink - ok
10:50:03.0156 2840 pwd_2k (b2e95bb13acad56138671a1aae7f9ed9) C:\WINDOWS\system32\drivers\pwd_2k.sys
10:50:03.0171 2840 pwd_2k - ok
10:50:03.0281 2840 PxHelp20 (40fedd328f98245ad201cf5f9f311724) C:\WINDOWS\system32\Drivers\PxHelp20.sys
10:50:03.0296 2840 PxHelp20 - ok
10:50:03.0406 2840 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\System32\DRIVERS\ql1080.sys
10:50:03.0421 2840 ql1080 - ok
10:50:03.0531 2840 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\System32\DRIVERS\ql10wnt.sys
10:50:03.0531 2840 Ql10wnt - ok
10:50:03.0640 2840 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\System32\DRIVERS\ql12160.sys
10:50:03.0640 2840 ql12160 - ok
10:50:03.0750 2840 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\System32\DRIVERS\ql1240.sys
10:50:03.0750 2840 ql1240 - ok
10:50:03.0859 2840 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\System32\DRIVERS\ql1280.sys
10:50:03.0875 2840 ql1280 - ok
10:50:04.0015 2840 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
10:50:04.0015 2840 RasAcd - ok
10:50:04.0109 2840 RasAuto (44db7a9bdd2fb58747d123fbf1d35adb) C:\WINDOWS\System32\rasauto.dll
10:50:04.0109 2840 RasAuto - ok
10:50:04.0234 2840 Rasl2tp (98faeb4a4dcf812ba1c6fca4aa3e115c) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
10:50:04.0250 2840 Rasl2tp - ok
10:50:04.0390 2840 RasMan (d4bd2eeab07fef323f0a0ceecc954f51) C:\WINDOWS\System32\rasmans.dll
10:50:04.0390 2840 RasMan - ok
10:50:04.0515 2840 RasPppoe (7306eeed8895454cbed4669be9f79faa) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
10:50:04.0531 2840 RasPppoe - ok
10:50:04.0656 2840 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
10:50:04.0656 2840 Raspti - ok
10:50:04.0796 2840 Rdbss (03b965b1ca47f6ef60eb5e51cb50e0af) C:\WINDOWS\system32\DRIVERS\rdbss.sys
10:50:04.0812 2840 Rdbss - ok
10:50:04.0953 2840 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
10:50:04.0953 2840 RDPCDD - ok
10:50:05.0109 2840 rdpdr (a2cae2c60bc37e0751ef9dda7ceaf4ad) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
10:50:05.0140 2840 rdpdr - ok
10:50:05.0296 2840 RDPWD (b54cd38a9ebfbf2b3561426e3fe26f62) C:\WINDOWS\system32\drivers\RDPWD.sys
10:50:05.0296 2840 RDPWD - ok
10:50:05.0437 2840 RDSessMgr (729798e0933076b8fcfcd9934698f164) C:\WINDOWS\system32\sessmgr.exe
10:50:05.0437 2840 RDSessMgr - ok
10:50:05.0593 2840 redbook (b31b4588e4086d8d84adbf9845c2402b) C:\WINDOWS\system32\DRIVERS\redbook.sys
10:50:05.0593 2840 redbook - ok
10:50:05.0703 2840 RemoteAccess (3046db917e3cfa040632799dd9b14865) C:\WINDOWS\System32\mprdim.dll
10:50:05.0718 2840 RemoteAccess - ok
10:50:05.0953 2840 RioS35 (d5f71afb0661dfe955af4bb507ebcd78) C:\WINDOWS\system32\Drivers\RioS35.sys
10:50:05.0968 2840 RioS35 - ok
10:50:06.0093 2840 Rksample (4c35e57300a2dc5932a8e29efa527c32) C:\WINDOWS\system32\DRIVERS\rksample.sys
10:50:06.0093 2840 Rksample - ok
10:50:06.0156 2840 Roxio UPnP Renderer 11 - ok
10:50:06.0328 2840 RoxMediaDB12 (ff578453d3b3adaab22d7151d7f9e592) C:\Program Files\Common Files\Roxio Shared\12.0\SharedCOM\RoxMediaDB12.exe
10:50:06.0437 2840 RoxMediaDB12 - ok
10:50:06.0578 2840 RoxWatch12 (71b38b8df1a9b55fc0fb64958cc7b9dd) C:\Program Files\Common Files\Roxio Shared\12.0\SharedCOM\RoxWatch12.exe
10:50:06.0593 2840 RoxWatch12 - ok
10:50:06.0640 2840 rpcapd - ok
10:50:06.0734 2840 RpcLocator (793f04a09b15e7c6c11dbdffaf06c0ab) C:\WINDOWS\System32\locator.exe
10:50:06.0734 2840 RpcLocator - ok
10:50:06.0875 2840 RpcSs (01095febf33beea00c2a0730b9b3ec28) C:\WINDOWS\System32\rpcss.dll
10:50:06.0875 2840 RpcSs - ok
10:50:07.0000 2840 RSVP (471b3f9741d762abe75e9deea4787e47) C:\WINDOWS\System32\rsvp.exe
10:50:07.0000 2840 RSVP - ok
10:50:07.0187 2840 rtl8139 (d6066a0596b13e486204dd365fdb2d4f) C:\WINDOWS\system32\DRIVERS\RTL8139.SYS
10:50:07.0187 2840 rtl8139 - ok
10:50:07.0437 2840 SahdIa32 (0b2d5d2341437d7d7e1a6c7bbce3786a) C:\WINDOWS\system32\Drivers\SahdIa32.sys
10:50:07.0453 2840 SahdIa32 - ok
10:50:07.0609 2840 SaibIa32 (7a5f65b16249af2bc9d18d815f5d7172) C:\WINDOWS\system32\Drivers\SaibIa32.sys
10:50:07.0625 2840 SaibIa32 - ok
10:50:07.0859 2840 SaibVd32 (e333c9515822de586a3ff759a0c9b7bf) C:\WINDOWS\system32\Drivers\SaibVd32.sys
10:50:07.0875 2840 SaibVd32 - ok
10:50:08.0046 2840 SamSs (84885f9b82f4d55c6146ebf6065d75d2) C:\WINDOWS\system32\lsass.exe
10:50:08.0046 2840 SamSs - ok
10:50:08.0203 2840 SbcpHid (30d94039a729571146eb9d736ec1aadd) C:\WINDOWS\System32\Drivers\SbcpHid.sys
10:50:08.0203 2840 SbcpHid - ok
10:50:08.0343 2840 sbp2port (3e2c3b180872be4120f246d85560b734) C:\WINDOWS\system32\DRIVERS\sbp2port.sys
10:50:08.0343 2840 sbp2port - ok
10:50:08.0437 2840 SCardSvr (25d8de134df108e3dbc8d7d23b1aa58e) C:\WINDOWS\System32\SCardSvr.exe
10:50:08.0453 2840 SCardSvr - ok
10:50:08.0562 2840 Schedule (92360854316611f6cc471612213c3d92) C:\WINDOWS\system32\schedsvc.dll
10:50:08.0593 2840 Schedule - ok
10:50:08.0734 2840 sdAuxService (e8854048dfbf245f4f0b7009e49c7ef9) C:\Program Files\Spyware Doctor\pctsAuxs.exe
10:50:08.0750 2840 sdAuxService - ok
10:50:08.0875 2840 sdCoreService (4e28d7b4285a1b3d0ec212d9bd0ff4bf) C:\Program Files\Spyware Doctor\pctsSvc.exe
10:50:08.0984 2840 sdCoreService - ok
10:50:09.0093 2840 SeagateDashboardService (16b44d246835eac156f8daf0aa4f530c) C:\Program Files\Seagate\Seagate Dashboard\SeagateDashboardService.exe
10:50:09.0109 2840 SeagateDashboardService - ok
10:50:09.0250 2840 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
10:50:09.0265 2840 Secdrv - ok
10:50:09.0359 2840 seclogon (b1e0ce09895376871746f36dc5773b4f) C:\WINDOWS\System32\seclogon.dll
10:50:09.0359 2840 seclogon - ok
10:50:09.0500 2840 SENS (dfd9870cf39c791d86c4c209da9fa919) C:\WINDOWS\system32\sens.dll
10:50:09.0500 2840 SENS - ok
10:50:09.0656 2840 serenum (a2d868aeeff612e70e213c451a70cafb) C:\WINDOWS\system32\DRIVERS\serenum.sys
10:50:09.0656 2840 serenum - ok
10:50:09.0765 2840 Serial (cd9404d115a00d249f70a371b46d5a26) C:\WINDOWS\system32\DRIVERS\serial.sys
10:50:09.0781 2840 Serial - ok
10:50:10.0125 2840 Sfloppy (0d13b6df6e9e101013a7afb0ce629fe0) C:\WINDOWS\system32\drivers\Sfloppy.sys
10:50:10.0125 2840 Sfloppy - ok
10:50:10.0218 2840 sfman (28b740a66cb88be3d0cd93d5664d7d88) C:\WINDOWS\system32\drivers\sfman.sys
10:50:10.0234 2840 sfman - ok
10:50:10.0312 2840 SharedAccess (36cc8c01b5e50163037bef56cb96deff) C:\WINDOWS\System32\ipnathlp.dll
10:50:10.0328 2840 SharedAccess - ok
10:50:10.0515 2840 ShellHWDetection (6815def9b810aefac107eeaf72da6f82) C:\WINDOWS\System32\shsvcs.dll
10:50:10.0531 2840 ShellHWDetection - ok
10:50:10.0625 2840 Simbad - ok
10:50:10.0734 2840 sisagp (732d859b286da692119f286b21a2a114) C:\WINDOWS\System32\DRIVERS\sisagp.sys
10:50:10.0750 2840 sisagp - ok
10:50:10.0890 2840 SLIP (5caeed86821fa2c6139e32e9e05ccdc9) C:\WINDOWS\system32\DRIVERS\SLIP.sys
10:50:10.0890 2840 SLIP - ok
10:50:11.0078 2840 SoftFax (413cfa795cad19a010889df0ec060408) C:\WINDOWS\system32\DRIVERS\faxnt.sys
10:50:11.0093 2840 SoftFax - ok
10:50:11.0234 2840 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\System32\DRIVERS\sparrow.sys
10:50:11.0234 2840 Sparrow - ok
10:50:11.0437 2840 SPBBCDrv (cdea9a0a0e547fef4c44ccae35a9b09c) C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys
10:50:11.0671 2840 SPBBCDrv - ok
10:50:11.0937 2840 SpeakerPhone (c11082c80723771c1979eacf7fdde1c3) C:\WINDOWS\system32\DRIVERS\spkpnt.sys
10:50:11.0937 2840 SpeakerPhone - ok
10:50:12.0078 2840 splitter (0ce218578fff5f4f7e4201539c45c78f) C:\WINDOWS\system32\drivers\splitter.sys
10:50:12.0078 2840 splitter - ok
10:50:12.0171 2840 Spooler (7435b108b935e42ea92ca94f59c8e717) C:\WINDOWS\system32\spoolsv.exe
10:50:12.0171 2840 Spooler - ok
10:50:12.0421 2840 sptd (71e276f6d189413266ea22171806597b) C:\WINDOWS\system32\Drivers\sptd.sys
10:50:12.0421 2840 Suspicious file (NoAccess): C:\WINDOWS\system32\Drivers\sptd.sys. md5: 71e276f6d189413266ea22171806597b
10:50:12.0437 2840 sptd ( LockedFile.Multi.Generic ) - warning
10:50:12.0437 2840 sptd - detected LockedFile.Multi.Generic (1)
10:50:13.0281 2840 sr (e41b6d037d6cd08461470af04500dc24) C:\WINDOWS\system32\DRIVERS\sr.sys
10:50:13.0296 2840 sr - ok
10:50:13.0390 2840 srservice (92bdf74f12d6cbec43c94d4b7f804838) C:\WINDOWS\system32\srsvc.dll
10:50:13.0421 2840 srservice - ok
10:50:13.0531 2840 SRTSP (655773f2f1a3730c6cf20280a49f4ee1) C:\WINDOWS\system32\Drivers\SRTSP.SYS
10:50:13.0578 2840 SRTSP - ok
10:50:13.0687 2840 SRTSPL (2a0aaf370d4c6574a34ae2f4a0709cae) C:\WINDOWS\system32\Drivers\SRTSPL.SYS
10:50:13.0703 2840 SRTSPL - ok
10:50:13.0859 2840 SRTSPX (3104bdceace2d5710776dd05e6a286c1) C:\WINDOWS\system32\Drivers\SRTSPX.SYS
10:50:13.0859 2840 SRTSPX - ok
10:50:14.0078 2840 Srv (7a4f147cc6b133f905f6e65e2f8669fb) C:\WINDOWS\system32\DRIVERS\srv.sys
10:50:14.0187 2840 Srv - ok
10:50:14.0359 2840 SSDPSRV (4b8d61792f7175bed48859cc18ce4e38) C:\WINDOWS\System32\ssdpsrv.dll
10:50:14.0375 2840 SSDPSRV - ok
10:50:14.0593 2840 stisvc (b6763f8534ac547cf1af98afdff2edc8) C:\WINDOWS\system32\wiaservc.dll
10:50:14.0734 2840 stisvc - ok
10:50:14.0921 2840 streamip (284c57df5dc7abca656bc2b96a667afb) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
10:50:14.0937 2840 streamip - ok
10:50:15.0078 2840 swenum (03c1bae4766e2450219d20b993d6e046) C:\WINDOWS\system32\DRIVERS\swenum.sys
10:50:15.0078 2840 swenum - ok
10:50:15.0281 2840 swmidi (94abc808fc4b6d7d2bbf42b85e25bb4d) C:\WINDOWS\system32\drivers\swmidi.sys
10:50:15.0281 2840 swmidi - ok
10:50:15.0468 2840 SwPrv - ok
10:50:15.0687 2840 Symantec Core LC (fa2f6a8849219b16460bf44f9d1f3aa7) C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
10:50:15.0750 2840 Symantec Core LC - ok
10:50:15.0968 2840 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\System32\DRIVERS\symc810.sys
10:50:15.0984 2840 symc810 - ok
10:50:16.0390 2840 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\System32\DRIVERS\symc8xx.sys
10:50:16.0390 2840 symc8xx - ok
10:50:16.0609 2840 SYMDNS (a16d76baa5d2cbe45c57fa582c1208e5) C:\WINDOWS\System32\Drivers\SYMDNS.SYS
10:50:16.0609 2840 SYMDNS - ok
10:50:16.0734 2840 SymEvent (06b95820df51502099a8a15c93e87986) C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
10:50:16.0765 2840 SymEvent - ok
10:50:17.0015 2840 SYMFW (c64d200569a18ea6c676266dee3ac158) C:\WINDOWS\System32\Drivers\SYMFW.SYS
10:50:17.0015 2840 SYMFW - ok
10:50:17.0281 2840 SYMIDS (7764d3d7a3c858f04ced3c1f16410d89) C:\WINDOWS\System32\Drivers\SYMIDS.SYS
10:50:17.0281 2840 SYMIDS - ok
10:50:17.0640 2840 SYMIDSCO (2133d1f879b280121b0e6a7d34b24a02) C:\PROGRA~1\COMMON~1\SYMANT~1\SymcData\idsdefs\20120322.001\SymIDSCo.sys
10:50:17.0703 2840 SYMIDSCO - ok
10:50:18.0046 2840 symlcbrd (b226f8a4d780acdf76145b58bb791d5b) C:\WINDOWS\system32\drivers\symlcbrd.sys
10:50:18.0062 2840 symlcbrd - ok
10:50:18.0218 2840 SYMNDIS (8522728ac549d31a4762c184187efa68) C:\WINDOWS\System32\Drivers\SYMNDIS.SYS
10:50:18.0234 2840 SYMNDIS - ok
10:50:18.0343 2840 SYMREDRV (829830a3ca1c5e329d68e26c9cd2de8d) C:\WINDOWS\System32\Drivers\SYMREDRV.SYS
10:50:18.0343 2840 SYMREDRV - ok
10:50:18.0500 2840 SYMTDI (b1aa9704124b494c34e8d372e6654196) C:\WINDOWS\System32\Drivers\SYMTDI.SYS
10:50:18.0531 2840 SYMTDI - ok
10:50:18.0703 2840 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\System32\DRIVERS\sym_hi.sys
10:50:18.0703 2840 sym_hi - ok
10:50:18.0921 2840 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\System32\DRIVERS\sym_u3.sys
10:50:18.0937 2840 sym_u3 - ok
10:50:19.0093 2840 sysaudio (650ad082d46bac0e64c9c0e0928492fd) C:\WINDOWS\system32\drivers\sysaudio.sys
10:50:19.0093 2840 sysaudio - ok
10:50:19.0234 2840 SysmonLog (8b54aa346d1b1b113ffaa75501b8b1b2) C:\WINDOWS\system32\smlogsvc.exe
10:50:19.0250 2840 SysmonLog - ok
10:50:19.0375 2840 TapiSrv (fb78839b36025aa286a51289ed28b73e) C:\WINDOWS\System32\tapisrv.dll
10:50:19.0406 2840 TapiSrv - ok
10:50:19.0546 2840 tbhsd - ok
10:50:19.0671 2840 Tcpip (2a5554fc5b1e04e131230e3ce035c3f9) C:\WINDOWS\system32\DRIVERS\tcpip.sys
10:50:19.0718 2840 Tcpip - ok
10:50:19.0875 2840 TDPIPE (38d437cf2d98965f239b0abcd66dcb0f) C:\WINDOWS\system32\drivers\TDPIPE.sys
10:50:19.0890 2840 TDPIPE - ok
10:50:20.0156 2840 TDTCP (ed0580af02502d00ad8c4c066b156be9) C:\WINDOWS\system32\drivers\TDTCP.sys
10:50:20.0156 2840 TDTCP - ok
10:50:20.0296 2840 TermDD (a540a99c281d933f3d69d55e48727f47) C:\WINDOWS\system32\DRIVERS\termdd.sys
10:50:20.0296 2840 TermDD - ok
10:50:20.0406 2840 TermService (b60c877d16d9c880b952fda04adf16e6) C:\WINDOWS\System32\termsrv.dll
10:50:20.0453 2840 TermService - ok
10:50:20.0562 2840 TfFsMon - ok
10:50:20.0671 2840 TfNetMon - ok
10:50:20.0750 2840 TfSysMon - ok
10:50:20.0875 2840 Themes (6815def9b810aefac107eeaf72da6f82) C:\WINDOWS\System32\shsvcs.dll
10:50:20.0890 2840 Themes - ok
10:50:21.0093 2840 Tones (e0f10a379239b4fab319c55a9cd6bc96) C:\WINDOWS\system32\DRIVERS\tonesnt.sys
10:50:21.0093 2840 Tones - ok
10:50:21.0250 2840 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\System32\DRIVERS\toside.sys
10:50:21.0250 2840 TosIde - ok
10:50:21.0343 2840 TrkWks (6d9ac544b30f96c57f8206566c1fb6a1) C:\WINDOWS\system32\trkwks.dll
10:50:21.0343 2840 TrkWks - ok
10:50:21.0468 2840 TuneUp.Defrag (f61187e55bfa395aa04e8b4550aa6df3) C:\WINDOWS\System32\TuneUpDefragService.exe
10:50:21.0500 2840 TuneUp.Defrag - ok
10:50:21.0625 2840 UDFReadr (ac93dd5792310b57b03816d7f8d957fc) C:\WINDOWS\system32\drivers\UDFReadr.sys
10:50:21.0640 2840 UDFReadr - ok
10:50:21.0890 2840 Udfs (12f70256f140cd7d52c58c7048fde657) C:\WINDOWS\system32\drivers\Udfs.sys
10:50:22.0203 2840 Udfs - ok
10:50:22.0421 2840 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\System32\DRIVERS\ultra.sys
10:50:22.0421 2840 ultra - ok
10:50:22.0625 2840 Update (ced744117e91bdc0beb810f7d8608183) C:\WINDOWS\system32\DRIVERS\update.sys
10:50:22.0640 2840 Update - ok
10:50:23.0078 2840 upnphost (aca5d98663d879c6baafcea7e2f1b710) C:\WINDOWS\System32\upnphost.dll
10:50:23.0093 2840 upnphost - ok
10:50:23.0203 2840 UPS (3f5df65b0758675f95a2d43918a740a3) C:\WINDOWS\System32\ups.exe
10:50:23.0218 2840 UPS - ok
10:50:23.0375 2840 USBAAPL (eafe1e00739afe6c51487a050e772e17) C:\WINDOWS\system32\Drivers\usbaapl.sys
10:50:23.0375 2840 USBAAPL - ok
10:50:23.0578 2840 usbccgp (bffd9f120cc63bcbaa3d840f3eef9f79) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
10:50:23.0578 2840 usbccgp - ok
10:50:23.0734 2840 usbehci (15e993ba2f6946b2bfbbfcd30398621e) C:\WINDOWS\system32\DRIVERS\usbehci.sys
10:50:23.0750 2840 usbehci - ok
10:50:23.0921 2840 usbhub (c72f40947f92cea56a8fb532edf025f1) C:\WINDOWS\system32\DRIVERS\usbhub.sys
10:50:23.0921 2840 usbhub - ok
10:50:24.0140 2840 usbprint (a42369b7cd8886cd7c70f33da6fcbcf5) C:\WINDOWS\system32\DRIVERS\usbprint.sys
10:50:24.0140 2840 usbprint - ok
10:50:24.0343 2840 usbscan (a6bc71402f4f7dd5b77fd7f4a8ddba85) C:\WINDOWS\system32\DRIVERS\usbscan.sys
10:50:24.0343 2840 usbscan - ok
10:50:24.0640 2840 USBSTOR (6cd7b22193718f1d17a47a1cd6d37e75) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
10:50:24.0671 2840 USBSTOR - ok
10:50:25.0046 2840 usbuhci (f8fd1400092e23c8f2f31406ef06167b) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
10:50:25.0062 2840 usbuhci - ok
10:50:25.0468 2840 UxTuneUp (411d534c568de0b9d38dbc892d027897) C:\WINDOWS\System32\uxtuneup.dll
10:50:25.0484 2840 UxTuneUp - ok
10:50:26.0000 2840 V124 (177b65899d418f8c8f037b20567a99d6) C:\WINDOWS\system32\DRIVERS\v124nt.sys
10:50:26.0171 2840 V124 - ok
10:50:26.0312 2840 VgaSave (8a60edd72b4ea5aea8202daf0e427925) C:\WINDOWS\System32\drivers\vga.sys
10:50:26.0328 2840 VgaSave - ok
10:50:26.0468 2840 viaagp (d92e7c8a30cfd14d8e15b5f7f032151b) C:\WINDOWS\System32\DRIVERS\viaagp.sys
10:50:26.0468 2840 viaagp - ok
10:50:26.0640 2840 ViaIde (59cb1338ad3654417bea49636457f65d) C:\WINDOWS\System32\DRIVERS\viaide.sys
10:50:26.0640 2840 ViaIde - ok
10:50:27.0140 2840 VolSnap (ee4660083deba849ff6c485d944b379b) C:\WINDOWS\system32\drivers\VolSnap.sys
10:50:27.0171 2840 VolSnap - ok
10:50:27.0359 2840 VPCAppSv (7bf783faf307bc04130b36b4f76e5f3d) C:\WINDOWS\system32\DRIVERS\VPCAppSv.sys
10:50:27.0359 2840 VPCAppSv - ok
10:50:27.0453 2840 VSS (3ee00364ae0fd8d604f46cbaf512838a) C:\WINDOWS\System32\vssvc.exe
10:50:27.0500 2840 VSS - ok
10:50:27.0609 2840 w32time (2b281958f5d0cf99ed626e3ef39d5c8d) C:\WINDOWS\system32\w32time.dll
10:50:27.0640 2840 w32time - ok
10:50:27.0781 2840 Wanarp (984ef0b9788abf89974cfed4bfbaacbc) C:\WINDOWS\system32\DRIVERS\wanarp.sys
10:50:27.0781 2840 Wanarp - ok
10:50:28.0015 2840 wanatw - ok
10:50:28.0156 2840 wceusbsh (b85b448fd2c398970382a28e47cf4bc6) C:\WINDOWS\system32\DRIVERS\wceusbsh.sys
10:50:28.0156 2840 wceusbsh - ok
10:50:28.0281 2840 WDC_SAM (011e8a3e13dd7007353edbee4b180b50) C:\WINDOWS\system32\DRIVERS\wdcsam.sys
10:50:28.0296 2840 WDC_SAM - ok
10:50:28.0437 2840 Wdf01000 (fd47474bd21794508af449d9d91af6e6) C:\WINDOWS\system32\DRIVERS\Wdf01000.sys
10:50:28.0468 2840 Wdf01000 - ok
10:50:28.0562 2840 WDICA - ok
10:50:28.0671 2840 wdmaud (efd235ca22b57c81118c1aeb4798f1c1) C:\WINDOWS\system32\drivers\wdmaud.sys
10:50:28.0687 2840 wdmaud - ok
10:50:28.0953 2840 WebClient (265f534ef76832435afbf771ec97176d) C:\WINDOWS\System32\webclnt.dll
10:50:28.0953 2840 WebClient - ok
10:50:29.0234 2840 winachsf (a941aa38e3951058e584c4bbddd56ed9) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
10:50:29.0281 2840 winachsf - ok
10:50:29.0437 2840 winmgmt (f399242a80c4066fd155efa4cf96658e) C:\WINDOWS\system32\wbem\WMIsvc.dll
10:50:29.0437 2840 winmgmt - ok
10:50:29.0656 2840 WMDM PMSP Service (581176f60885aef8f78c6e38dcc3cdf9) C:\WINDOWS\System32\MsPMSPSv.exe
10:50:29.0656 2840 WMDM PMSP Service - ok
10:50:29.0765 2840 WmdmPmSN (c51b4a5c05a5475708e3c81c7765b71d) C:\WINDOWS\system32\MsPMSNSv.dll
10:50:29.0812 2840 WmdmPmSN - ok
10:50:29.0984 2840 WmiApSrv (ba8cecc3e813e1f7c441b20393d4f86c) C:\WINDOWS\System32\wbem\wmiapsrv.exe
10:50:29.0984 2840 WmiApSrv - ok
10:50:30.0187 2840 WMPNetworkSvc (f74e3d9a7fa9556c3bbb14d4e5e63d3b) C:\Program Files\Windows Media Player\WMPNetwk.exe
10:50:30.0265 2840 WMPNetworkSvc - ok
10:50:30.0406 2840 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\DRIVERS\wpdusb.sys
10:50:30.0421 2840 WpdUsb - ok
10:50:30.0578 2840 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
10:50:30.0578 2840 WS2IFSL - ok
10:50:30.0671 2840 wscsvc (4d59daa66c60858cdf4f67a900f42d4a) C:\WINDOWS\system32\wscsvc.dll
10:50:30.0734 2840 wscsvc - ok
10:50:30.0859 2840 WSTCODEC (d5842484f05e12121c511aa93f6439ec) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
10:50:30.0890 2840 WSTCODEC - ok
10:50:30.0984 2840 wuauserv (13d72740963cba12d9ff76a7f218bcd8) C:\WINDOWS\system32\wuauserv.dll
10:50:31.0031 2840 wuauserv - ok
10:50:31.0187 2840 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
10:50:31.0187 2840 WudfPf - ok
10:50:31.0343 2840 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
10:50:31.0375 2840 WudfRd - ok
10:50:31.0484 2840 WudfSvc (05231c04253c5bc30b26cbaae680ed89) C:\WINDOWS\System32\WUDFSvc.dll
10:50:31.0500 2840 WudfSvc - ok
10:50:31.0593 2840 WZCSVC (5a91e6feab9f901302fa7ff768c0120f) C:\WINDOWS\System32\wzcsvc.dll
10:50:31.0656 2840 WZCSVC - ok
10:50:31.0765 2840 xmlprov (eef46dab68229a14da3d8e73c99e2959) C:\WINDOWS\System32\xmlprov.dll
10:50:31.0781 2840 xmlprov - ok
10:50:31.0843 2840 ZipToA - ok
10:50:31.0984 2840 MBR (0x1B8) (faee7e40dfb0440ad2cfc39befa1f4c2) \Device\Harddisk0\DR0
10:50:32.0000 2840 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - infected
10:50:32.0000 2840 \Device\Harddisk0\DR0 - detected Rootkit.Boot.Pihar.b (0)
10:50:32.0015 2840 MBR (0x1B8) (5fb38429d5d77768867c76dcbdb35194) \Device\Harddisk1\DR3
10:50:32.0031 2840 \Device\Harddisk1\DR3 - ok
10:50:32.0093 2840 Boot (0x1200) (4b3d53239b87045fbb5b4f71f673c9ee) \Device\Harddisk0\DR0\Partition0
10:50:32.0093 2840 \Device\Harddisk0\DR0\Partition0 - ok
10:50:32.0140 2840 Boot (0x1200) (3e4b8b8f77de212b11f40ddbffde3a85) \Device\Harddisk1\DR3\Partition0
10:50:32.0140 2840 \Device\Harddisk1\DR3\Partition0 - ok
10:50:32.0171 2840 ============================================================
10:50:32.0171 2840 Scan finished
10:50:32.0171 2840 ============================================================
10:50:32.0234 2500 Detected object count: 2
10:50:32.0234 2500 Actual detected object count: 2
10:50:58.0234 2500 sptd ( LockedFile.Multi.Generic ) - skipped by user
10:50:58.0234 2500 sptd ( LockedFile.Multi.Generic ) - User select action: Skip
10:50:59.0625 2500 \Device\Harddisk0\DR0\# - copied to quarantine
10:50:59.0625 2500 \Device\Harddisk0\DR0 - copied to quarantine
10:50:59.0750 2500 \Device\Harddisk0\DR0\TDLFS\phm - copied to quarantine
10:50:59.0765 2500 \Device\Harddisk0\DR0\TDLFS\ph.dll - copied to quarantine
10:50:59.0765 2500 \Device\Harddisk0\DR0\TDLFS\phx.dll - copied to quarantine
10:50:59.0781 2500 \Device\Harddisk0\DR0\TDLFS\sub.dll - copied to quarantine
10:50:59.0796 2500 \Device\Harddisk0\DR0\TDLFS\subx.dll - copied to quarantine
10:50:59.0812 2500 \Device\Harddisk0\DR0\TDLFS\phd - copied to quarantine
10:50:59.0921 2500 \Device\Harddisk0\DR0\TDLFS\phdx - copied to quarantine
10:50:59.0953 2500 \Device\Harddisk0\DR0\TDLFS\phs - copied to quarantine
10:51:00.0000 2500 \Device\Harddisk0\DR0\TDLFS\phdata - copied to quarantine
10:51:00.0015 2500 \Device\Harddisk0\DR0\TDLFS\phld - copied to quarantine
10:51:00.0015 2500 \Device\Harddisk0\DR0\TDLFS\phln - copied to quarantine
10:51:00.0031 2500 \Device\Harddisk0\DR0\TDLFS\phlx - copied to quarantine
10:51:00.0218 2500 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - will be cured on reboot
10:51:00.0218 2500 \Device\Harddisk0\DR0 - ok
10:51:01.0437 2500 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - User select action: Cure
10:51:09.0125 2312 Deinitialize success


aswMBR log:
aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-04-01 11:01:39
-----------------------------
11:01:39.906 OS Version: Windows 5.1.2600 Service Pack 2
11:01:39.906 Number of processors: 1 586 0x204
11:01:39.906 ComputerName: JAMEL UserName:
11:01:41.015 Initialize success
11:02:20.468 AVAST engine defs: 12040100
11:02:31.765 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
11:02:31.765 Disk 0 Vendor: ST380021A 3.75 Size: 76319MB BusType: 3
11:02:31.781 Disk 0 MBR read successfully
11:02:31.781 Disk 0 MBR scan
11:02:31.828 Disk 0 Windows XP default MBR code
11:02:31.828 Disk 0 Partition 1 00 DE Dell Utility Dell 4.1 31 MB offset 63
11:02:31.843 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 76285 MB offset 64260
11:02:31.859 Disk 0 scanning sectors +156296385
11:02:31.953 Disk 0 scanning C:\WINDOWS\system32\drivers
11:02:52.062 Service scanning
11:03:12.875 Service necusb C:\WINDOWS\system32\ncusbw32.dll **INFECTED** Win32:Delf-QOQ [Trj]
11:03:23.578 Service sptd C:\WINDOWS\System32\Drivers\sptd.sys **LOCKED** 32
11:03:33.359 Modules scanning
11:04:19.453 Disk 0 trace - called modules:
11:04:19.484 ntoskrnl.exe CLASSPNP.SYS disk.sys SahdIa32.sys PCTCore.sys >>UNKNOWN [0x8a7911f8]<<
11:04:19.484 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a6f9ab8]
11:04:19.484 3 CLASSPNP.SYS[f763805b] -> nt!IofCallDriver -> [0x8a6e3938]
11:04:19.484 5 SahdIa32.sys[f7668939] -> nt!IofCallDriver -> [0x8a78c920]
11:04:19.484 7 PCTCore.sys[ba7c388f] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x8a79a030]
11:04:19.484 \Driver\atapi[0x8a784268] -> IRP_MJ_CREATE -> 0x8a7911f8
11:04:20.171 AVAST engine scan C:\WINDOWS
11:04:43.656 AVAST engine scan C:\WINDOWS\system32
11:06:35.171 File: C:\WINDOWS\system32\ncusbw32.dll **INFECTED** Win32:Delf-QOQ [Trj]
11:06:47.484 File: C:\WINDOWS\system32\nwusbw32.dll **INFECTED** Win32:Delf-QOQ [Trj]
11:07:56.562 File: C:\WINDOWS\system32\x2i8L.com__ **INFECTED** Win32:FakeAlert-BVT [Trj]
11:09:43.531 AVAST engine scan C:\WINDOWS\system32\drivers
11:10:14.750 AVAST engine scan C:\Documents and Settings\Jamel Bearyman
11:55:19.187 AVAST engine scan C:\Documents and Settings\All Users
12:12:39.296 Scan finished successfully
12:25:33.531 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Jamel Bearyman\Desktop\MBR.dat"
12:25:33.546 The log file has been saved successfully to "C:\Documents and Settings\Jamel Bearyman\Desktop\aswMBR.txt"
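The two scans above are several hundred lines long and almost every line ends in "- ok"; the handful that matter (the MBR detection, the locked sptd driver, the three infected DLLs, and what was quarantined) are easy to miss. The following Python script is an added triage example written for this thread, not a tool shipped by Kaspersky, AVAST or BleepingComputer; it embeds a few lines excerpted from the TDSSKiller and aswMBR output quoted above as sample input and pulls out only the detections, locked files and quarantine actions. The line patterns it matches are inferred from the formats visible in those logs and are an assumption, not a documented log grammar.

```python
"""Triage helper for TDSSKiller / aswMBR logs (added example, not the scanners' own code)."""
import re
from dataclasses import dataclass, field

# Sample input: lines excerpted from the TDSSKiller and aswMBR logs quoted in this thread.
SAMPLE_LOG = r"""
10:50:12.0421 2840 sptd (71e276f6d189413266ea22171806597b) C:\WINDOWS\system32\Drivers\sptd.sys
10:50:12.0437 2840 sptd ( LockedFile.Multi.Generic ) - warning
10:50:12.0437 2840 sptd - detected LockedFile.Multi.Generic (1)
10:50:13.0281 2840 sr (e41b6d037d6cd08461470af04500dc24) C:\WINDOWS\system32\DRIVERS\sr.sys
10:50:13.0296 2840 sr - ok
10:50:31.0984 2840 MBR (0x1B8) (faee7e40dfb0440ad2cfc39befa1f4c2) \Device\Harddisk0\DR0
10:50:32.0000 2840 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - infected
10:50:32.0000 2840 \Device\Harddisk0\DR0 - detected Rootkit.Boot.Pihar.b (0)
10:50:59.0750 2500 \Device\Harddisk0\DR0\TDLFS\phm - copied to quarantine
10:50:59.0765 2500 \Device\Harddisk0\DR0\TDLFS\ph.dll - copied to quarantine
10:51:00.0218 2500 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - will be cured on reboot
11:03:12.875 Service necusb C:\WINDOWS\system32\ncusbw32.dll **INFECTED** Win32:Delf-QOQ [Trj]
11:03:23.578 Service sptd C:\WINDOWS\System32\Drivers\sptd.sys **LOCKED** 32
11:06:47.484 File: C:\WINDOWS\system32\nwusbw32.dll **INFECTED** Win32:Delf-QOQ [Trj]
11:07:56.562 File: C:\WINDOWS\system32\x2i8L.com__ **INFECTED** Win32:FakeAlert-BVT [Trj]
"""

# Line shapes as seen in the logs (assumed, not documented): TDSSKiller prefixes
# "<time> <pid> <message>", aswMBR prefixes "<time> <message>".
TDSS_LINE = re.compile(r"^\d\d:\d\d:\d\d\.\d+\s+\d+\s+(?P<msg>.*)$")
ASW_LINE = re.compile(r"^\d\d:\d\d:\d\d\.\d+\s+(?P<msg>.*)$")
TDSS_HASH = re.compile(r"^(?P<obj>.+?) \((?P<md5>[0-9a-f]{32})\) (?P<path>.+)$")
TDSS_DETECT = re.compile(r"^(?P<obj>.+?) - detected (?P<name>\S+) \(\d+\)$")
TDSS_QUARANTINE = re.compile(r"^(?P<path>.+?) - copied to quarantine$")
ASW_FLAG = re.compile(r"^(?:Service \S+ |File: )(?P<path>.+?) \*\*(?P<status>[A-Z]+)\*\*\s*(?P<detail>.*)$")


@dataclass
class Finding:
    tool: str    # "TDSSKiller" or "aswMBR"
    obj: str     # service/driver name or device path as the scanner named it
    status: str  # "detected", "INFECTED", "LOCKED"
    name: str    # detection name (or aswMBR's trailing detail)
    path: str    # on-disk path or device path


@dataclass
class Triage:
    findings: list = field(default_factory=list)
    quarantined: list = field(default_factory=list)
    hashes: dict = field(default_factory=dict)  # object name -> (md5, path)

    @property
    def boot_sector_infected(self) -> bool:
        # TDSSKiller hashes the MBR as "MBR (0x1B8)" with the disk device as its
        # path; a detection on that same device means the boot code itself was hit.
        mbr_devices = {p for obj, (_, p) in self.hashes.items() if obj.startswith("MBR")}
        return any(f.tool == "TDSSKiller" and f.obj in mbr_devices for f in self.findings)


def triage(log_text: str) -> Triage:
    """Reduce a combined TDSSKiller + aswMBR log to its non-"ok" facts."""
    t = Triage()
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = TDSS_LINE.match(line)
        if m:
            msg = m.group("msg")
            if h := TDSS_HASH.match(msg):
                t.hashes[h["obj"]] = (h["md5"], h["path"])
            elif d := TDSS_DETECT.match(msg):
                # Only the "- detected" line is counted, so the paired
                # "( name ) - infected/warning" line does not double-count.
                path = t.hashes[d["obj"]][1] if d["obj"] in t.hashes else d["obj"]
                t.findings.append(Finding("TDSSKiller", d["obj"], "detected", d["name"], path))
            elif q := TDSS_QUARANTINE.match(msg):
                t.quarantined.append(q["path"])
            continue
        m = ASW_LINE.match(line)
        if m and (f := ASW_FLAG.match(m.group("msg"))):
            t.findings.append(Finding("aswMBR", f["path"], f["status"], f["detail"], f["path"]))
    return t


def infected_paths(t: Triage) -> list:
    """Deduplicated on-disk files aswMBR flagged INFECTED (a service and its DLL
    may both be reported); this is the kind of list a helper turns into a file block."""
    return sorted({f.path for f in t.findings if f.tool == "aswMBR" and f.status == "INFECTED"})


def summarize(t: Triage) -> list:
    lines = [f"{f.tool}: {f.obj} -> {f.status} {f.name}".rstrip() for f in t.findings]
    lines.append(f"boot sector infected: {t.boot_sector_infected}")
    lines.append(f"quarantined: {len(t.quarantined)} object(s)")
    return lines


if __name__ == "__main__":
    print("\n".join(summarize(triage(SAMPLE_LOG))))
```

Run on the excerpt it reports the boot sector as infected (the Pihar detection sits on the same device TDSSKiller hashed as the MBR), lists the locked sptd.sys separately from the real infections, and returns the three INFECTED DLL paths deduplicated; on a full log the "- ok" noise is simply never matched.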

#6 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:03:39 PM

Posted 01 April 2012 - 12:08 PM

Greetings

At this time I would like you to run this script for me and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::
KillAll::

File::
C:\WINDOWS\system32\ncusbw32.dll
C:\WINDOWS\system32\nwusbw32.dll
C:\WINDOWS\system32\x2i8L.com__ 

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#7 golferboi

golferboi
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:02:39 PM

Posted 01 April 2012 - 04:12 PM

Hello,

I re-ran the combofix and it stated that a rootkit was detected on the tcp/ip stack and had to reboot. Things seem to be running better. I don't have the redirect anymore and the svchost.exe process is not hogging up memory, but I am wondering if the rootkit that was detected has been taken care of? Here is the log:

ComboFix 12-03-30.06 - Jamel Bearyman 04/01/2012 15:31:35.7.1 - x86
Running from: c:\documents and settings\Jamel Bearyman\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Jamel Bearyman\Desktop\CFScript.txt
AV: Norton 360 *Disabled/Outdated* {A5F1BC7C-EA33-4247-961C-0217208396C4}
FW: Norton 360 *Disabled* {371C0A40-5A0C-4AD2-A6E5-69C02037FBF3}
.
FILE ::
"c:\windows\system32\ncusbw32.dll"
"c:\windows\system32\nwusbw32.dll"
"c:\windows\system32\x2i8L.com__"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
.
.
((((((((((((((((((((((((( Files Created from 2012-03-01 to 2012-04-01 )))))))))))))))))))))))))))))))
.
.
2012-04-01 20:58 . 2012-04-01 20:58 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2012-04-01 15:50 . 2012-04-01 15:50 -------- d-----w- C:\TDSSKiller_Quarantine
2012-03-22 01:26 . 2012-03-22 01:26 592824 ----a-w- c:\program files\Mozilla Firefox\gkmedias.dll
2012-03-22 01:26 . 2012-03-22 01:26 44472 ----a-w- c:\program files\Mozilla Firefox\mozglue.dll
2012-03-10 18:54 . 2012-03-10 18:54 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2012-03-10 18:19 . 2012-03-10 18:21 -------- d-----w- c:\program files\iTunes
2012-03-05 02:28 . 2012-03-05 02:28 -------- d-----w- c:\documents and settings\All Users\Application Data\dvdfab
2012-03-05 02:28 . 2012-03-05 02:28 -------- d-----w- c:\program files\DVDFab 8 Qt
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-15 16:01 . 2009-09-27 04:46 4547944 ----a-w- c:\windows\system32\usbaaplrc.dll
2012-02-15 16:01 . 2009-09-27 04:46 43520 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2003-01-26 00:47 . 2003-01-26 00:47 37731236 ----a-w- c:\program files\j2sdk-1_4_1_01-windows-i586.exe
2001-06-20 21:19 . 2001-06-19 21:34 40960 ----a-w- c:\program files\ACMonitor_X83.exe
2012-03-22 01:26 . 2012-01-26 23:37 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot_2012-03-25_02.59.03 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-04-01 20:59 . 2012-04-01 20:59 16384 c:\windows\Temp\Perflib_Perfdata_798.dat
+ 2012-03-29 09:59 . 2012-03-29 19:19 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\MSHist012012032920120330\index.dat
+ 2012-03-28 21:24 . 2012-03-28 20:41 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\MSHist012012032820120329\index.dat
+ 2012-03-25 22:12 . 2012-03-25 19:23 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\MSHist012012032520120326\index.dat
+ 2002-07-30 00:01 . 2012-04-01 15:59 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\INDEX.DAT
- 2002-07-30 00:01 . 2012-03-24 23:39 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\INDEX.DAT
+ 2011-11-15 07:49 . 2012-03-29 10:03 16384 c:\windows\SYSTEM32\CONFIG\systemprofile\IETldCache\index.dat
- 2011-11-15 07:49 . 2012-03-21 12:08 16384 c:\windows\SYSTEM32\CONFIG\systemprofile\IETldCache\index.dat
+ 2012-03-28 00:11 . 2012-04-01 15:59 32768 c:\windows\SYSTEM32\CONFIG\systemprofile\Cookies\index.dat
+ 2012-03-28 20:00 . 2012-03-12 02:43 225764 c:\windows\PCHEALTH\HELPCTR\Config\Cache\Personal_32_1033.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TuneUp MemOptimizer"="c:\program files\TuneUp Utilities 2008\MemOptimizer.exe" [2008-02-29 196864]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2003-10-06 5058560]
"Windows Media Connect 2"="c:\program files\Windows Media Connect 2\WMCCFG.exe" [2006-10-19 8704]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 115816]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-04-20 58656]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-10-24 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-03-07 421736]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10c.exe" [2009-07-18 257440]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{93994DE8-8239-4655-B1D1-5F4E91300429}"= "c:\progra~1\DVDREG~1\DVDShell.dll" [2004-10-09 49152]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\necusb]
2011-11-14 22:10 37888 ----a-w- c:\windows\SYSTEM32\nwusbw32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nwusbw32]
2011-11-14 22:10 37888 ----a-w- c:\windows\SYSTEM32\nwusbw32.dll
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=c:\windows\system32\ctfmon.exe
"RealPlayer"="c:\program files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
"eFax 4.4"="c:\program files\eFax Messenger 4.4\J2GDllCmd.exe" /R
"NvMediaCenter"=RUNDLL32.EXE c:\windows\System32\NVMCTRAY.DLL,NvTaskbarInit
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"RemoteControl"=c:\program files\Roxio\Roxio DVDMax Player\PDVDServ.exe
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
"UpdReg"=c:\windows\Updreg.exe
"nwiz"=nwiz.exe /install
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
"AHQInit"=c:\program files\Creative\SBLive\Program\AHQInit.exe
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
"RoxioDragToDisc"="c:\program files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe"
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
"CanonMyPrinter"=c:\program files\Canon\MyPrinter\BJMyPrt.exe /logon
"CanonSolutionMenu"=c:\program files\Canon\SolutionMenu\CNSLMAIN.exe /logon
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe"
"Desktop Disc Tool"="c:\program files\Roxio 2010\Roxio Burn\RoxioBurnLauncher.exe"
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\12.0\SharedCOM\RoxWatchTray12.exe"
"WD Button Manager"=WDBtnMgr.exe
"Memeo Instant Backup"=c:\program files\Memeo\AutoBackup\MemeoLauncher2.exe --silent --no_ui
"Seagate Dashboard"=c:\program files\Seagate\Seagate Dashboard\MemeoLauncher.exe --silent --no_ui
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\WINDOWS\\SYSTEM32\\ftp.exe"=
"c:\\WINDOWS\\SYSTEM32\\devldr32.exe"=
"c:\\tmp\\utorrent_1.2.2.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Seagate\\Seagate Dashboard\\HipServAgent\\HipServAgent.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
R0 PCTCore;PCTools KDS;c:\windows\SYSTEM32\DRIVERS\PCTCore.sys [2/19/2010 11:47 AM 207280]
R0 SahdIa32;HDD Filter Driver;c:\windows\SYSTEM32\DRIVERS\SahdIa32.sys [2/5/2011 3:41 PM 21488]
R0 SaibIa32;Volume Filter Driver;c:\windows\SYSTEM32\DRIVERS\SaibIa32.sys [2/5/2011 3:41 PM 15856]
R0 sptd;sptd;c:\windows\SYSTEM32\DRIVERS\sptd.sys [11/25/2008 5:35 PM 717296]
R1 c2scsi;c2scsi;c:\windows\SYSTEM32\DRIVERS\c2scsi.sys [1/26/2012 11:07 PM 244608]
R1 SaibVd32;Virtual Disk Driver;c:\windows\SYSTEM32\DRIVERS\SaibVd32.sys [2/5/2011 3:41 PM 25584]
R2 9734BF6A-2DCD-40f0-BAB0-5AAFEEBE1269;Roxio SAIB Service;c:\program files\Roxio\BackOnTrack\Disaster Recovery\SaibSVC.exe [6/2/2009 7:05 PM 457200]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [2/19/2010 11:49 AM 112592]
R2 CinemaNow Service;CinemaNow Service;c:\program files\CinemaNow\CinemaNow Media Manager\CinemaNowSvc.exe [6/23/2009 5:40 PM 127352]
R2 MemeoBackgroundService;MemeoBackgroundService;c:\program files\Memeo\AutoBackup\MemeoBackgroundService.exe [5/4/2011 4:10 PM 25824]
R2 necusb;NEC USB Device Service;c:\windows\System32\svchost.exe -k necusb3 [8/18/2001 6:00 AM 14336]
R2 SeagateDashboardService;Seagate Dashboard Service;c:\program files\Seagate\Seagate Dashboard\SeagateDashboardService.exe [6/1/2011 11:42 AM 14088]
S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]
S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]
S2 BulkUsb;Genesys Logic USB Scanner Controller NT 5.0;c:\windows\SYSTEM32\DRIVERS\usbscan.sys [1/26/2003 7:37 PM 15104]
S2 RoxWatch12;Roxio Hard Drive Watcher 12;c:\program files\Common Files\Roxio Shared\12.0\SharedCOM\RoxWatch12.exe [7/24/2009 8:33 AM 219632]
S2 VPCAppSv;Virtual PC Application Services;c:\windows\SYSTEM32\DRIVERS\vpcappsv.sys [5/20/2002 8:31 PM 10374]
S3 pcouffin;VSO Software pcouffin;c:\windows\SYSTEM32\DRIVERS\pcouffin.sys [12/16/2008 7:22 PM 47360]
S3 psa128s;psa128s;c:\windows\system32\DRIVERS\psa128s.sys --> c:\windows\system32\DRIVERS\psa128s.sys [?]
S3 psa128u;Nike psa[128max Player Control Driver;c:\windows\system32\Drivers\psa128u.sys --> c:\windows\system32\Drivers\psa128u.sys [?]
S3 RioS35;RioS35S driver;c:\windows\SYSTEM32\DRIVERS\rios35.sys [3/18/2003 9:09 PM 12661]
S3 Roxio UPnP Renderer 11;Roxio UPnP Renderer 11;"c:\program files\Roxio Creator 2009\Digital Home 11\RoxioUPnPRenderer11.exe" --> c:\program files\Roxio Creator 2009\Digital Home 11\RoxioUPnPRenderer11.exe [?]
S3 RoxMediaDB12;RoxMediaDB12;c:\program files\Common Files\Roxio Shared\12.0\SharedCOM\RoxMediaDB12.exe [7/24/2009 8:33 AM 1116656]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2/19/2010 11:47 AM 358600]
S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\TfNetMon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\SYSTEM32\DRIVERS\wdcsam.sys [10/24/2007 7:44 PM 10112]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - COMHOST
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
necusb3 REG_MULTI_SZ necusb
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder
.
2012-04-01 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2008\OneClickStarter.exe [2008-02-29 19:24]
.
2012-03-31 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 22:57]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.my.yahoo.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
Trusted Zone: aol.com\free
Trusted Zone: cinemanow.com
Trusted Zone: intuit.com\ttlc
Trusted Zone: qflix.com
Trusted Zone: roxio.com
Trusted Zone: sonic.com\redirect
Trusted Zone: sonic.com\redirect2
Trusted Zone: turbotax.com
TCP: DhcpNameServer = 192.168.1.1
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Jamel Bearyman\Application Data\Mozilla\Firefox\Profiles\hl3jmw52.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.my.yahoo.com/
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-04-01 16:02
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(668)
c:\windows\system32\nwusbw32.dll
.
- - - - - - - > 'explorer.exe'(492)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Roxio\Easy Media Creator 7\Drag to Disc\Shellex.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\devldr32.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\System32\CTsvcCDA.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Motive\McciCMService.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\windows\System32\nvsvc32.exe
c:\windows\System32\MsPMSPSv.exe
c:\program files\Windows Media Player\WMPNetwk.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2012-04-01 16:06:36 - machine was rebooted
ComboFix-quarantined-files.txt 2012-04-01 21:06
ComboFix2.txt 2012-03-30 16:37
ComboFix3.txt 2012-03-27 23:53
ComboFix4.txt 2012-03-27 22:54
ComboFix5.txt 2012-04-01 20:13
.
Pre-Run: 20,689,068,032 bytes free
Post-Run: 21,086,064,640 bytes free
.
- - End Of File - - 27DD4904439E73E677FC4E6A52A99B3A

Thanks,
J
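The question in this post, whether the rootkit has been dealt with, can be checked against the log itself. The script below is an added editor's example (not code from the thread, from ComboFix or from its author): it parses a constructed excerpt written in the posted log's format and reports which of the files the CFScript asked ComboFix to delete are still registered under Winlogon\Notify or still loaded in winlogon.exe, and which registry values show Security Center monitoring and the Windows Firewall switched off.

```python
import re
from collections import defaultdict

# Constructed excerpt in the format of the ComboFix log posted above
# (values copied from it; not the full log).
SAMPLE_LOG = r"""
FILE ::
"c:\windows\system32\ncusbw32.dll"
"c:\windows\system32\nwusbw32.dll"
"c:\windows\system32\x2i8L.com__"
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\necusb]
2011-11-14 22:10 37888 ----a-w- c:\windows\SYSTEM32\nwusbw32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nwusbw32]
2011-11-14 22:10 37888 ----a-w- c:\windows\SYSTEM32\nwusbw32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(668)
c:\windows\system32\nwusbw32.dll
.
- - - - - - - > 'explorer.exe'(492)
c:\windows\system32\WININET.dll
"""

def parse_file_list(log):
    """Paths under FILE :: -- the files the CFScript asked ComboFix to delete."""
    files, active = set(), False
    for line in log.splitlines():
        if line.startswith("FILE ::"):
            active = True
            continue
        m = re.match(r'^"([a-z]:\\.+)"$', line, re.I)
        if active and m:
            files.add(m.group(1).lower())
        elif active:
            active = False  # first non-path line ends the list
    return files

def parse_winlogon_notify(log):
    """Winlogon\\Notify subkeys and the DLL each one makes winlogon.exe load."""
    entries, pending = {}, None
    for line in log.splitlines():
        m = re.match(r"^\[.*\\winlogon\\notify\\([^\]]+)\]$", line, re.I)
        if m:
            pending = m.group(1).lower()
            continue
        p = re.search(r"[a-z]:\\.+$", line, re.I)
        if pending and p:
            entries[pending] = p.group(0).strip().lower()
            pending = None
    return entries

def parse_loaded_dlls(log):
    """Map each process under 'DLLs Loaded Under Running Processes' to its modules."""
    loaded, current = defaultdict(list), None
    for line in log.splitlines():
        m = re.match(r"^[- ]+> '([^']+)'\(\d+\)", line)
        if m:
            current = m.group(1)
        elif line.startswith(("----", "****")):
            current = None  # a new section banner ends the process list
        elif current and re.match(r"^[a-z]:\\", line, re.I):
            loaded[current].append(line.strip().lower())
    return dict(loaded)

def parse_weak_settings(log):
    """Registry values in the log that switch off the host's own defences."""
    findings, key = [], ""
    for line in log.splitlines():
        if line.startswith("["):
            key = line.strip("[]").lower()
        elif "security center" in key and re.match(r'^"DisableMonitoring"=dword:0*1$', line):
            findings.append(f"Security Center monitoring disabled: {key}")
        elif "firewallpolicy" in key and re.match(r'^"EnableFirewall"=\s*0\b', line):
            findings.append(f"Windows Firewall disabled: {key}")
    return findings

def triage(log):
    """Which deletion targets are still registered or loaded, plus weakened settings."""
    targets = parse_file_list(log)
    still_loaded = {}
    for proc, mods in parse_loaded_dlls(log).items():
        for mod in mods:
            if mod in targets:
                still_loaded.setdefault(mod, []).append(proc)
    notify = {k: v for k, v in parse_winlogon_notify(log).items() if v in targets}
    return {"still_loaded": still_loaded, "notify_entries": notify,
            "weak_settings": parse_weak_settings(log)}

if __name__ == "__main__":
    for section, items in triage(SAMPLE_LOG).items():
        print(section, items)
```

On the posted log this reports nwusbw32.dll still registered under two Winlogon\Notify subkeys and still loaded in winlogon.exe, which is why a second deletion pass follows in the thread.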

#8 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 01 April 2012 - 05:14 PM

Blitzblank.

Download BlitzBlank and save it to your desktop. Open Blitzblank.exe

  • Click OK at the warning (and take note of it, this is a VERY powerful tool!).
  • Click the Script tab and copy/paste the following text there:
DeleteFile:
"c:\windows\system32\ncusbw32.dll"
"c:\windows\system32\nwusbw32.dll"
"c:\windows\system32\x2i8L.com__"
  • Click Execute Now. Your computer will need to reboot in order to replace the files.
  • When done, post me the report created by Blitzblank. You can find it at the root of the drive, normally C:\


#9 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 04 April 2012 - 01:24 AM

Hello


Just checking in on you as it has been a couple of days since I have heard from you.

Are you having any troubles or just need more time?




Gringo

#10 golferboi

golferboi
  • Topic Starter

  • Members
  • 9 posts

Posted 04 April 2012 - 08:27 PM

Hello Gringo,

I need more time. I am out of town and will be back tomorrow afternoon. I will run the program tomorrow afternoon.

Thanks,
J

#11 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 04 April 2012 - 09:39 PM

No problem. I will check on you if I have not heard from you in a couple of days.


gringo

#12 golferboi

golferboi
  • Topic Starter

  • Members
  • 9 posts

Posted 05 April 2012 - 12:59 PM

Hello Gringo,

I attempted to run the BlitzBlank program, but I got a syntax error saying the files were not found. This could have happened when I installed my new antivirus. It may have found the files and deleted them. With that said, I believe that I am good to go. Thanks for all your help.

J

#13 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 05 April 2012 - 01:44 PM

Hello

:P2P Warning!:

IMPORTANT I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

Please note that as long as you are using any form of Peer-to-Peer networking and downloading files from non-documented sources, you can expect infestations of malware to occur.
Once upon a time, P2P file sharing was fairly safe. That is no longer true. P2P programs form a direct conduit on to your computer, their security measures are easily circumvented and malware writers are increasingly exploiting them to spread their wares on to your computer. Further to that, if your P2P program is not configured correctly, your computer may be sharing more files than you realise. There have been cases where people's passwords, address books and other personal, private, and financial details have been exposed to a file sharing network by a badly configured program.

Please read these short reports on the dangers of peer-2-peer programs and file sharing.

FBI Cyber Education Letter
File sharing infects 500,000 computers
USAToday
infoworld


These logs are looking a lot better. But we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps.

uninstall some programs

NOTE** Because of the cleanup process, some of the programs I have listed may not be in add/remove anymore. This is fine; just move to the next item on the list.

You can remove these programs using add/remove, or you can use the free uninstaller from Revo (Revo does a lot better of a job).

Programs to remove

µTorrent
Adobe Reader 9.3.1
Java 2 Runtime Environment, SE v1.4.0_01
Java 2 Runtime Environment, SE v1.4.1_01
Java 2 SDK, SE v1.4.1_01
Java Web Start
Java™ 6 Update 19
Java™ 6 Update 4
Java™ 6 Update 5
Java™ 6 Update 7


  • Please download and install Revo Uninstaller Free
  • Double click Revo Uninstaller to run it.
  • From the list of programs double click on The Program to remove
  • When prompted if you want to uninstall click Yes.
  • Be sure the Moderate option is selected then click Next.
  • The program will run, If prompted again click Yes
  • when the built-in uninstaller is finished click on Next.
  • Once the program has searched for leftovers click Next.
  • Check/tick the bolded items only on the list then click Delete
  • when prompted click on Yes and then on next.
  • put a check on any folders that are found and select delete
  • when prompted select yes then on next
  • Once done click Finish.

Update Adobe Reader

Recently there have been vulnerabilities detected in older versions of Adobe Reader. It is strongly suggested that you update to the current version.

You can download it from http://www.adobe.com/products/acrobat/readstep2.html
After installing the latest Adobe Reader, uninstall all previous versions.
If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

If you don't like Adobe Reader (53 MB), you can download Foxit PDF Reader (7 MB) from here. It's a much smaller file to download and uses a lot less resources than Adobe Reader.

Note: When installing FoxitReader, be careful not to install anything to do with AskBar.

Install Java:

Please go here to install Java

  • click on the Free Java Download Button
  • click on Agree and start Free download
  • click on Run
  • click on run again
  • click on install
  • when install is complete click on close

Clean Out Temp Files

  • This small application you may want to keep and use once a week to keep the computer clean.

    Download CCleaner from here http://www.ccleaner.com/

  • Run the installer to install the application.
  • When it gives you the option to install Yahoo toolbar uncheck the box next to it.
  • Run CCleaner. (make sure under Windows tab all the boxes of Internet Explorer and Windows explorer are checked. Under System check Empty Recycle Bin and Temporary Files. Under Application tab all the boxes should be checked).
  • Click Run Cleaner.
  • Close CCleaner.

: Malwarebytes' Anti-Malware :

  • I would like you to rerun MBAM
  • Double-click mbam icon
  • go to the update tab at the top
  • click on check for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
  • If you accidentally close it, the log file is saved here and will be named like this:
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Download HijackThis

If you have any problems running Hijackthis see NOTE** below (Host file not read, blank notepad ...)

  • Go Here to download HijackThis Installer
  • Save HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed it will launch Hijackthis.
  • Click on the Do a system scan and save a log file button. It will scan and the log should open in notepad.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the Analyze This button; its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

NOTE**
Sometimes we have to run it like this. To run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)<--32bit
(located: C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe)<--64bit
and select to run as administrator.

"information and logs"

  • In your next post I need the following

  • Log From MBAM
  • report from Hijackthis
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo


#14 golferboi

golferboi
  • Topic Starter

  • Members
  • 9 posts

Posted 06 April 2012 - 03:45 PM

Hello Gringo,

I did all the above. Here are the logs. Everything seems to be working fine.

Malwarebytes:

Malwarebytes Anti-Malware (Trial) 1.60.1.1000
www.malwarebytes.org

Database version: v2012.04.05.10

Windows XP Service Pack 2 x86 NTFS
Internet Explorer 8.0.6001.18702
Jamel Bearyman :: JAMEL [administrator]

Protection: Enabled

4/5/2012 5:46:56 PM
mbam-log-2012-04-05 (17-46-56).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 200903
Time elapsed: 10 minute(s), 53 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)


HijackThis:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 6:13:16 PM, on 4/5/2012
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVAST Software\Avast\afwServ.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Roxio\BackOnTrack\Disaster Recovery\SaibSVC.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\CinemaNow\CinemaNow Media Manager\CinemanowSvc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AVAST Software\Avast\avastUI.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\TuneUp Utilities 2008\MemOptimizer.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Memeo\AutoBackup\MemeoBackgroundService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Seagate\Seagate Dashboard\SeagateDashboardService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\PROGRA~1\DVDREG~1\DVDRegionFree.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.my.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Windows Media Connect 2] "C:\Program Files\Windows Media Connect 2\WMCCFG.exe" /StartQuiet
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [TuneUp MemOptimizer] "C:\Program Files\TuneUp Utilities 2008\MemOptimizer.exe" autostart
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil10c.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil10c.exe (User 'Default user')
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O15 - Trusted Zone: http://*.cinemanow.com
O15 - Trusted Zone: http://*.qflix.com
O15 - Trusted Zone: http://*.roxio.com
O15 - Trusted Zone: http://redirect.sonic.com
O15 - Trusted Zone: http://redirect2.sonic.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://apple.speedera.net/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/24/install/gtdownls.cab
O16 - DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0_01) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} (JuniperSetupClientControl Class) - https://lmpassage3.external.lmco.com/dana-cached/sc/JuniperSetupClient.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = man.fs.lmco.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = man.fs.lmco.com
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Roxio SAIB Service (9734BF6A-2DCD-40f0-BAB0-5AAFEEBE1269) - Unknown owner - C:\Program Files\Roxio\BackOnTrack\Disaster Recovery\SaibSVC.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\AVAST Software\Avast\AvastSvc.exe
O23 - Service: avast! Firewall - AVAST Software - C:\Program Files\AVAST Software\Avast\afwServ.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CinemaNow Service - CinemaNow, Inc. - C:\Program Files\CinemaNow\CinemaNow Media Manager\CinemanowSvc.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: MemeoBackgroundService - Memeo - C:\Program Files\Memeo\AutoBackup\MemeoBackgroundService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Roxio UPnP Renderer 11 - Unknown owner - C:\Program Files\Roxio Creator 2009\Digital Home 11\RoxioUPnPRenderer11.exe (file missing)
O23 - Service: RoxMediaDB12 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\12.0\SharedCOM\RoxMediaDB12.exe
O23 - Service: Roxio Hard Drive Watcher 12 (RoxWatch12) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\12.0\SharedCOM\RoxWatch12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe (file missing)
O23 - Service: Seagate Dashboard Service (SeagateDashboardService) - Memeo - C:\Program Files\Seagate\Seagate Dashboard\SeagateDashboardService.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: ZipToA - Iomega Corporation - C:\WINDOWS\System32\ZipToA.exe

--
End of file - 11822 bytes

#15 gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:03:39 PM

Posted 06 April 2012 - 04:17 PM

Greetings

These logs are looking very good, we are almost done!!! Just one more scan to go.

:Remove unneeded start-up entries:

This part of the fix is purely optional.
These are programs that start up when you turn on your computer but don't need to. You can start any of them when you need them by clicking their icons (or from the Control Panel). By stopping these programs you will boot up faster and your computer will work faster.

If you have any problems running HijackThis, see NOTE** below (Host file not read, blank notepad ...)

  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):

    • O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
      O4 - HKLM\..\Run: [Windows Media Connect 2] "C:\Program Files\Windows Media Connect 2\WMCCFG.exe" /StartQuiet
      O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
      O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
      O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
      O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
      O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
      O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
      O4 - HKCU\..\Run: [TuneUp MemOptimizer] "C:\Program Files\TuneUp Utilities 2008\MemOptimizer.exe" autostart
      O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
      O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil10c.exe (User 'SYSTEM')
      O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil10c.exe (User 'Default user')
  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.

    NOTE** You can research each of those lines >here< and see if you want to keep them or not.
    Just copy the name between the brackets and paste it into the search space:
    O4 - HKLM\..\Run: [IntelliPoint]


NOTE**
Sometimes we have to run it like this. To run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe) <-- 32-bit
(located: C:\Program Files(86)\Trend Micro\HiJackThis\HiJackThis.exe) <-- 64-bit
and select "Run as administrator".

Eset Online Scanner

**Note** You will need to use Internet Explorer for this scan. On Vista and Win 7, right-click the IE shortcut and run as admin.

Go to the Eset web page to run an online scanner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • click on the ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
  • When asked, allow the ActiveX control to install
    • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options
    Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Click on copy to clipboard or copy and paste the results here in this topic

Copy and paste that log as a reply to this topic

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University
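The O4 entries gringo lists above are registry Run/RunOnce values, and HijackThis prints each one as hive, value name and command line. As an added example (not HijackThis or BleepingComputer code, and not part of any post in this thread), the Python below parses lines in that O4 format, works out which file each entry actually launches (unquoting quoted paths and looking through RUNDLL32 to the DLL it loads), and flags for manual review any entry whose target lives outside the Windows and Program Files folders, which is the first thing to check before deciding whether an autostart is one of yours. The sample lines are constructed: the first four mirror entries from the log above, the last one is invented and points into a Temp folder to show what the check flags.

```python
"""Parse HijackThis O4 (autostart) lines and show what each one actually launches.

Added example for this thread, not HijackThis or BleepingComputer code.  It handles
only the O4 line shape seen in the log above; the sample input is constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the HijackThis O4 format.  The first four mirror the kind of
# entries in the log above; the last one is invented, pointing into a Temp folder,
# to show what the location check flags for review.
SAMPLE_O4_LINES = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil10c.exe (User 'SYSTEM')
O4 - HKCU\..\Run: [Updater] C:\Documents and Settings\user\Local Settings\Temp\upd.exe /s
"""

O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU|HKUS)"     # hive, as HijackThis abbreviates it
    r"(?:\\(?P<sid>[^\\]+))?"             # HKUS lines carry a SID or .DEFAULT
    r"\\\.\.\\(?P<key>Run\w*): "          # Run, RunOnce, RunServices, ...
    r"\[(?P<name>[^\]]*)\] "              # value name in brackets
    r"(?P<cmd>.*?)"                       # command line (lazy, so the suffix can match)
    r"(?: \(User '(?P<user>[^']*)'\))?$"  # optional trailing (User 'X') annotation
)

# Shortest prefix ending in an executable-looking extension, followed by space, comma or end.
EXEC_EXT_RE = re.compile(r"^(.*?\.(?:exe|dll|com|scr|bat|cmd|pif))(?=[\s,]|$)", re.IGNORECASE)

# Path fragments that an ordinary user account can write to; autostarts there deserve a look.
USER_WRITABLE_MARKERS = ("\\temp\\", "\\local settings\\", "\\appdata\\",
                         "\\documents and settings\\", "\\users\\")


@dataclass
class O4Entry:
    hive: str
    sid: Optional[str]
    key: str
    name: str
    cmd: str
    user: Optional[str]
    target: str     # the file the entry really launches
    location: str   # system / program files / user-writable / other

    @property
    def scope(self) -> str:
        """Who the entry runs for: every user (HKLM), the logged-on user (HKCU) or one account."""
        if self.hive == "HKLM":
            return "all users"
        if self.hive == "HKCU":
            return "current user"
        return f"user {self.user or self.sid}"


def extract_target(cmd: str) -> str:
    """Return the file a Run command launches, or the DLL that rundll32 loads."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                      # quoted path: take everything up to the closing quote
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    first, _, rest = cmd.partition(" ")
    if first.lower().rsplit("\\", 1)[-1] == "rundll32.exe":
        # rundll32 is only a host; the file of interest is the DLL before the comma
        return extract_target(rest.split(",", 1)[0])
    m = EXEC_EXT_RE.match(cmd)                   # unquoted path that may contain spaces
    return m.group(1) if m else first


def classify_location(path: str) -> str:
    p = path.lower()
    if any(marker in p for marker in USER_WRITABLE_MARKERS):
        return "user-writable"
    if "\\windows\\" in p:
        return "system"
    if "\\program files" in p:
        return "program files"
    return "other"


def parse_o4_line(line: str) -> Optional[O4Entry]:
    m = O4_RE.match(line.strip())
    if not m:
        return None
    target = extract_target(m["cmd"])
    return O4Entry(m["hive"], m["sid"], m["key"], m["name"], m["cmd"], m["user"],
                   target, classify_location(target))


def parse_o4_lines(text: str) -> List[O4Entry]:
    return [e for e in (parse_o4_line(l) for l in text.splitlines()) if e]


def entries_needing_review(entries: List[O4Entry]) -> List[O4Entry]:
    """Entries whose program is outside the Windows and Program Files trees."""
    return [e for e in entries if e.location in ("user-writable", "other")]


if __name__ == "__main__":
    for e in parse_o4_lines(SAMPLE_O4_LINES):
        flag = "REVIEW" if e.location in ("user-writable", "other") else "ok"
        print(f"{flag:6} {e.key:8} {e.scope:14} {e.name:18} -> {e.target}  [{e.location}]")
```

The location check is deliberately coarse: a known-good program in Program Files is not proof of anything, and a legitimate updater can live under a user profile, so the output is a shortlist for the kind of per-name research gringo describes, not a verdict.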



