
SMART HDD


This topic is locked
20 replies to this topic

#1 whogordon
  • Members
  • 33 posts

Posted 01 April 2012 - 12:06 PM

I have the malware SMART HDD. The problem is I can't download RKill because the keyboard won't work in safe mode. Hope I posted in the right forum.

Thank you. I read the removal guide.


#2 Budapest

    Bleepin' Cynic

  • Moderator
  • 23,579 posts

Posted 01 April 2012 - 04:02 PM

Hello,

Please follow the instructions in ==>This Guide<== starting at step 6. If you cannot complete a step, skip it and continue.

Once the proper logs are created, then post them in a reply to this topic by using the Add Reply button. If you can produce at least some of the logs, then please create the post and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the reply and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.

Please note that I am not a member of the Malware Removal Team and will not be assisting you in removing the infection. I'm simply helping you to post the information they need in order to assist you.

If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#3 HelpBot

    Bleepin' Binary Bot

  • Bots
  • 12,743 posts

Posted 07 April 2012 - 12:10 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/448427 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows, you should not bother creating a GMER log.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#4 whogordon
  • Topic Starter
  • Members
  • 33 posts

Posted 09 April 2012 - 02:29 PM

My problem started when I obtained the SMART HDD malware, which I removed using the malware removal guide on this site. I also had a Google redirect and seemed to have cleared up that issue using Kaspersky TDSSKiller. When I open Kaspersky TDSSKiller it says an update is available, so I click OK to update it and the program closes. The program will run when I skip the update and comes up with no threats found. Also, when I start the RKill program it appears to start and shut down 2 or 3 times before the program actually initializes and runs. It was coming up clean (no processes terminated) until I just ran it now and it killed this (C:\WINDOWS\system32\grpconv.exe). Not sure if relevant?

Attached are the GMER and DDS logs I just ran. Please note the first time I downloaded the GMER tool (from the 1st download link zip file given in this site's instructions) and ran it, I got a blue screen error message stating (a problem was detected and Windows shut down to prevent damage DRIVER_IRQL_NOT_LESS_OR_EQUAL) and also some ***STOP error codes. I have more info on the blue screen error if you need it.

I then deleted the GMER file and redownloaded the zip file from the 1st link given, renamed the tool, and I was able to run and complete the scan.

I have recently installed Spyware Doctor free version and ran it, and it is coming up with 23 infections related to Trojan-downloader.murlo labeled as medium risk.

Other symptoms are: I will have programs open and running, and when I close those programs the Task Manager shows the programs closed, but the windows will remain open although the Task Manager shows the program has stopped running. I run AVG antivirus and recall it came up with a message stating High Memory Usage detected from Internet Explorer using 360 MB....

Yes, I have the original Windows installation CD, running Windows XP.

That's about all I have for now. Thank you :)

DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Ben at 12:28:29 on 2012-04-09
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3711.2668 [GMT -4:00]
.
AV: AVG Internet Security 2012 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: AVG Firewall *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AVG\AVG2012\avgtray.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\AVG\AVG2012\avgfws.exe
C:\Program Files\AVG\AVG2012\avgwdsvc.exe
C:\Program Files\PC Tools\PC Tools Security\BDT\BDTUpdateService.exe
C:\Program Files\AVG\AVG2012\avgnsx.exe
C:\Program Files\AVG\AVG2012\avgemcx.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\AVG\AVG2012\avgrsx.exe
C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
svchost.exe
C:\Program Files\Adobe\Reader 10.0\Reader\AcroRd32.exe
C:\Program Files\Adobe\Reader 10.0\Reader\AcroRd32.exe
C:\Program Files\Adobe\Reader 10.0\Reader\AcroRd32.exe
C:\WINDOWS\system32\dlbtcoms.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SCServer\SCServer.exe
C:\Program Files\AVG\AVG2012\avgcsrvx.exe
C:\Program Files\AVG\AVG2012\avgcsrvx.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://messages.finance.yahoo.com/Stocks_%28A_to_Z%29/Stocks_I/messagesview?bn=9866
uSearch Page = hxxp://www.google.com
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: H - No File
uURLSearchHooks: PC Tools Browser Defender: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\pc tools\pc tools security\bdt\PCTBrowserDefender.dll
mURLSearchHooks: H - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: PC Tools Browser Defender BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - c:\program files\pc tools\pc tools security\bdt\PCTBrowserDefender.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg2012\avgssie.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {b2ed7faf-72a0-46d1-9d9d-602226f5cb9f} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: PC Tools Browser Defender: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\pc tools\pc tools security\bdt\PCTBrowserDefender.dll
mRun: [AVG_TRAY] "c:\program files\avg\avg2012\avgtray.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoru~1\secuni~1.lnk - c:\program files\secunia\psi\psi_tray.exe
uPolicies-explorer: DisallowRun = 0 (0x0)
uPolicies-explorer: NoFileUrl = 0 (0x0)
uPolicies-explorer: NoUpdateCheck = 0 (0x0)
uPolicies-explorer: NoWindowsUpdate = 0 (0x0)
uPolicies-system: NoDispSettingsPage = 0 (0x0)
uPolicies-system: NoDispAppearancePage = 0 (0x0)
mPolicies-explorer: DisallowRun = 0 (0x0)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
LSP: c:\program files\common files\pc tools\lsp\PCTLsp.dll
LSP: mswsock.dll
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} - hxxps://support.microsoft.com/Dcode/ActiveX/MSDcode.cab
DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file:///C:/Program%20Files/Risk/Images/stg_drm.ocx
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} - hxxp://catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MuCatalogWebControl.cab?1271861187515
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1199468211625
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {7876E4A5-78B7-4020-B08F-C960A1ED54C9} - hxxp://www.surfhotelhamptonbeach.com/WinWebPush.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0014-0001-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.4.1/jinstall-1_4_1-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file:///C:/Program%20Files/Risk/Images/armhelper.ocx
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} - hxxp://www.driveragent.com/files/driveragent.cab
TCP: DhcpNameServer = 192.168.2.1
TCP: Interfaces\{75E9BF7E-3404-4B55-B5E6-A543967E0501} : DhcpNameServer = 192.168.2.1
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg2012\avgpp.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
mASetup: {A509B1FF-37FF-4bFF-8CFF-4F3A747040FF} - c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,launchinfsectionex c:\program files\internet explorer\clrtour.inf,DefaultInstall.ResetTour,,12
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2011-7-11 23120]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2011-9-13 32592]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2012-4-3 331880]
R0 pctDS;PC Tools Data Store;c:\windows\system32\drivers\pctDS.sys [2012-4-3 342168]
R0 pctEFA;PC Tools Extended File Attributes;c:\windows\system32\drivers\pctEFA.sys [2012-4-3 909728]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2011-10-7 230608]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-8-8 40016]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2011-7-11 295248]
R1 PCTSD;PC Tools Spyware Doctor Driver;c:\windows\system32\drivers\PCTSD.sys [2012-4-3 185560]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCORE.EXE [2010-7-1 116608]
R2 avgfws;AVG Firewall;c:\program files\avg\avg2012\avgfws.exe [2011-10-24 2391832]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2012\AVGIDSAgent.exe [2011-10-12 4433248]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg2012\avgwdsvc.exe [2011-8-2 192776]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\pc tools\pc tools security\bdt\BDTUpdateService.exe [2012-4-3 550864]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2011-5-23 30944]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2011-7-11 134608]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2011-7-11 24272]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2011-10-4 16720]
R3 PCTBD;PC Tools Browser Defender Driver;c:\windows\system32\drivers\PCTBD.sys [2012-4-3 56840]
S0 adwarealert;adwarealert;c:\windows\system32\drivers\adwarealert.sys --> c:\windows\system32\drivers\adwarealert.sys [?]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\superantispyware\saskutil.sys --> c:\program files\superantispyware\SASKUTIL.SYS [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-1 253600]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2011-5-23 30944]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\pc tools\pc tools security\pctsAuxs.exe [2012-4-3 402336]
S3 sdCoreService;PC Tools Security Service;c:\program files\pc tools\pc tools security\pctsSvc.exe [2012-4-3 1117624]
S3 ssrangdr;ssrangdr;c:\windows\system32\drivers\ssrangdr.sys [2009-8-20 2560]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2004-8-4 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2012-04-03 16:08:42 767952 ----a-w- c:\windows\BDTSupport.dll
2012-04-03 16:08:42 56840 ----a-w- c:\windows\system32\drivers\PCTBD.sys
2012-04-03 16:08:40 2250704 ----a-w- c:\windows\PCTBDCore.dll
2012-04-03 16:08:40 1681360 ----a-w- c:\windows\PCTBDRes.dll
2012-04-03 16:08:40 149456 ----a-w- c:\windows\SGDetectionTool.dll
2012-04-03 16:05:29 253352 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2012-04-03 16:05:13 17848 ----a-w- c:\windows\system32\drivers\pctBTFix.sys
2012-04-03 16:04:39 70536 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2012-04-03 16:04:15 -------- d-----w- c:\program files\PC Tools
2012-04-03 16:01:15 909728 ----a-w- c:\windows\system32\drivers\pctEFA.sys
2012-04-03 16:01:15 342168 ----a-w- c:\windows\system32\drivers\pctDS.sys
2012-04-03 16:00:53 331880 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2012-04-03 16:00:53 162584 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2012-04-03 16:00:44 185560 ----a-w- c:\windows\system32\drivers\PCTSD.sys
2012-04-03 16:00:43 -------- d-----w- c:\program files\common files\PC Tools
2012-04-03 15:59:31 -------- d-----w- c:\documents and settings\all users\application data\PC Tools
2012-04-03 15:59:29 -------- d-----w- c:\documents and settings\ben\application data\TestApp
2012-04-03 06:04:38 -------- d-----w- c:\windows\system32\wbem\repository\FS
2012-04-03 06:04:38 -------- d-----w- c:\windows\system32\wbem\Repository
2012-04-02 23:00:54 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-04-02 02:58:30 -------- d-----w- c:\documents and settings\ben\local settings\application data\Secunia PSI
2012-04-01 23:05:46 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-04-01 22:56:33 -------- d-----w- c:\program files\Secunia
2012-04-01 14:45:56 -------- d-----w- C:\TDSSKiller_Quarantine
2012-03-28 16:08:01 -------- dc----w- c:\windows\ie8
2012-03-26 15:52:27 -------- d-----w- C:\b3120e8e74c276562e865d21
2012-03-22 07:00:24 -------- d-----w- c:\program files\MSXML 4.0
.
==================== Find3M ====================
.
2012-04-02 23:55:33 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-04-02 23:00:13 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-04-01 14:46:55 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys
2012-03-26 20:32:12 25992 ----a-w- c:\windows\system32\pgdfgsvc.exe
2012-02-03 09:22:18 1860096 ----a-w- c:\windows\system32\win32k.sys
2012-01-24 02:10:26 499712 ----a-w- c:\windows\system32\msvcp71.dll
2012-01-24 02:10:26 348160 ----a-w- c:\windows\system32\msvcr71.dll
2012-01-11 19:06:47 3072 ------w- c:\windows\system32\iacenc.dll
.
============= FINISH: 12:29:34.65 ===============

Edited by whogordon, 09 April 2012 - 03:27 PM.
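The DDS log posted above has two line shapes a helper reads first: SERVICES / DRIVERS lines (a leading R or S for running or stopped, a digit for the Windows start type, then name;display;path and a date/size, or "--> path [?]" when DDS could not find the binary on disk, as with the S0 adwarealert and S1 SASKUTIL entries) and Pseudo HJT lines that end in "No File" where a browser helper's DLL is gone. The Python script below is an added example written for this page, not part of DDS, of any tool named in the thread, or of any post: it parses both shapes and lists the entries worth a second look. The sample input is copied from the log above; the names triage, parse_service_line, ServiceEntry and Finding are my own, and the start-type mapping follows the HijackThis/DDS convention.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Sample input copied from the DDS log posted above (Pseudo HJT and
# SERVICES / DRIVERS sections). The triage logic is an added example,
# not part of DDS or of any post in this thread.
SAMPLE_DDS = r"""
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {b2ed7faf-72a0-46d1-9d9d-602226f5cb9f} - No File
uURLSearchHooks: H - No File
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2012-4-3 331880]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg2012\avgwdsvc.exe [2011-8-2 192776]
S0 adwarealert;adwarealert;c:\windows\system32\drivers\adwarealert.sys --> c:\windows\system32\drivers\adwarealert.sys [?]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\superantispyware\saskutil.sys --> c:\program files\superantispyware\SASKUTIL.SYS [?]
S3 ssrangdr;ssrangdr;c:\windows\system32\drivers\ssrangdr.sys [2009-8-20 2560]
"""

# "R0 name;display;path [yyyy-m-d size]": R = running, S = stopped,
# digit = Windows start type (HijackThis/DDS convention).
SERVICE_RE = re.compile(r"^(?P<state>[RS])(?P<start>\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$")
FILEINFO_RE = re.compile(r"^(?P<path>.+) \[(?P<date>\d{4}-\d{1,2}-\d{1,2}) (?P<size>\d+)\]$")
# Browser helper / search hook / toolbar entries whose DLL is gone.
NOFILE_RE = re.compile(r"^(?P<kind>BHO|[um]URLSearchHooks|TB): (?P<detail>.+) - No File$")
START_TYPES = {"0": "boot", "1": "system", "2": "auto", "3": "manual", "4": "disabled"}


@dataclass
class ServiceEntry:
    state: str            # "R" running or "S" stopped
    start: str            # boot / system / auto / manual / disabled
    name: str
    display: str
    path: str
    file_missing: bool    # DDS printed "[?]": binary not found on disk
    date: Optional[str] = None
    size: Optional[int] = None


@dataclass
class Finding:
    category: str         # "missing-binary" or "orphaned-entry"
    detail: str


def parse_service_line(line: str) -> Optional[ServiceEntry]:
    """Parse one SERVICES / DRIVERS line; return None for anything else."""
    m = SERVICE_RE.match(line)
    if not m:
        return None
    state, name, display = m.group("state"), m.group("name"), m.group("display")
    start = START_TYPES.get(m.group("start"), m.group("start"))
    rest = m.group("rest").strip()
    if rest.endswith("[?]"):
        # "registered path --> resolved path [?]": keep the resolved path.
        path = rest[:-3].strip()
        if "-->" in path:
            path = path.split("-->", 1)[1].strip()
        return ServiceEntry(state, start, name, display, path, True)
    f = FILEINFO_RE.match(rest)
    if not f:
        return None
    return ServiceEntry(state, start, name, display, f.group("path"), False,
                        f.group("date"), int(f.group("size")))


def triage(dds_text: str) -> Tuple[List[ServiceEntry], List[Finding]]:
    """Return every parsed service plus the entries worth a second look."""
    services: List[ServiceEntry] = []
    findings: List[Finding] = []
    for raw in dds_text.splitlines():
        line = raw.strip()
        svc = parse_service_line(line)
        if svc is not None:
            services.append(svc)
            if svc.file_missing:
                # A registered driver whose file is gone is usually a leftover
                # from an uninstall, but it is also what a removed rootkit leaves
                # behind, so a helper checks it against the installed products.
                findings.append(Finding("missing-binary",
                                        f"{svc.name} ({svc.start} start) -> {svc.path}"))
            continue
        nf = NOFILE_RE.match(line)
        if nf:
            findings.append(Finding("orphaned-entry", f"{nf.group('kind')}: {nf.group('detail')}"))
    return services, findings


if __name__ == "__main__":
    parsed, flagged = triage(SAMPLE_DDS)
    print(f"{len(parsed)} services/drivers parsed, {len(flagged)} entries flagged")
    for item in flagged:
        print(f"  [{item.category}] {item.detail}")
```

Run it against a whole DDS log rather than the sample and the two flagged categories give a helper the short list to cross-check against the products the user says are installed (here SUPERAntiSpyware for SASKUTIL) before any removal script is written.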


#5 fireman4it

    Bleepin' Fireman

  • Malware Response Team
  • 13,512 posts

Posted 09 April 2012 - 05:41 PM

Hello whogordon
  • Welcome to Bleeping Computer.
  • My name is fireman4it and I will be helping you with your Malware problem.

    Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
  • In the upper right hand corner of the topic you will see a button called Watch Topic. I suggest you click it and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

  • Finally, please reply using the ADD REPLY button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.
  • We need to get a little more information before we begin cleaning your machine.



1.
Please download aswMBR ( 511KB ) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

2.
Please download ListParts
Run the tool, click Scan and post the log (Result.txt) it makes.

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


If I have helped you, consider making a donation to help me continue the fight against Malware!


#6 whogordon
  • Topic Starter
  • Members
  • 33 posts

Posted 09 April 2012 - 05:59 PM

Here is the ListParts log. For aswMBR, it is asking me if I want to download the latest avast! virus definitions before I scan. Should I?

ListParts by Farbar Version: 12-03-2012 03
Ran by Ben (administrator) on 09-04-2012 at 18:55:25
Windows XP (X86)
Running From: C:\Documents and Settings\Ben\Desktop
Language: 0409
************************************************************

========================= Memory info ======================

Percentage of memory in use: 20%
Total physical RAM: 3710.98 MB
Available physical RAM: 2961.03 MB
Total Pagefile: 5596.46 MB
Available Pagefile: 4960.52 MB
Total Virtual: 2047.88 MB
Available Virtual: 2002.98 MB

======================= Partitions =========================

1 Drive c: () (Fixed) (Total:74.5 GB) (Free:53.57 GB) NTFS ==>[Drive with boot components (Windows XP)]

Disk ### Status Size Free Dyn Gpt
-------- ---------- ------- ------- --- ---
Disk 0 Online 74 GB 0 B

Partitions of Disk 0:
===============

The disk management services could not complete the operation.

======================================================================================================

****** End Of Log ******

#7 whogordon
  • Topic Starter
  • Members
  • 33 posts

Posted 09 April 2012 - 06:03 PM

Here is the aswMBR log report. I DID NOT download the latest avast! virus definitions before I scanned, as I was not sure if I was supposed to.

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-04-09 18:54:47
-----------------------------
18:54:47.328 OS Version: Windows 5.1.2600 Service Pack 3
18:54:47.328 Number of processors: 1 586 0x304
18:54:47.328 ComputerName: BEN-07DC93C3C4E UserName: Ben
18:54:48.578 Initialize success
18:59:27.546 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
18:59:27.546 Disk 0 Vendor: WDC_WD800BB-75FJA1 14.03G14 Size: 76293MB BusType: 3
18:59:27.578 Disk 0 MBR read successfully
18:59:27.578 Disk 0 MBR scan
18:59:27.578 Disk 0 Windows XP default MBR code
18:59:27.578 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 76285 MB offset 63
18:59:27.578 Disk 0 scanning sectors +156232125
18:59:27.703 Disk 0 scanning C:\WINDOWS\system32\drivers
18:59:44.843 Service scanning
19:00:26.171 Modules scanning
19:01:02.390 Disk 0 trace - called modules:
19:01:02.421 ntoskrnl.exe CLASSPNP.SYS disk.sys PCTCore.sys atapi.sys hal.dll intelide.sys PCIIDEX.SYS
19:01:02.421 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8b24cab8]
19:01:02.421 3 CLASSPNP.SYS[f7637fd7] -> nt!IofCallDriver -> [0x8b248920]
19:01:02.421 5 PCTCore.sys[f7857407] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x8b276b00]
19:01:02.421 Scan finished successfully
19:01:15.828 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Ben\Desktop\MBR.dat"
19:01:15.843 The log file has been saved successfully to "C:\Documents and Settings\Ben\Desktop\aswMBR.txt"

#8 fireman4it

    Bleepin' Fireman

  • Malware Response Team
  • 13,512 posts

Posted 09 April 2012 - 06:12 PM

Hello,


Please run the following.


1.
Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    Note: If Cure is not an option, Skip instead, do not choose Delete unless instructed.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.o7.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.


2.
Install Recovery Console and Run ComboFix

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Note:The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you
should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please Do NOT mouseclick ComboFix's window while it's running because it may cause it to stall.


Things to include in your next reply:
TdssKiller log
Combofix.txt
How is your machine running now?


#9 whogordon
  • Topic Starter
  • Members
  • 33 posts

Posted 09 April 2012 - 07:40 PM

TDSS log found nothing. Here is the log, then I will post the ComboFix log in my next reply.
19:37:58.0968 3868 TDSS rootkit removing tool 2.7.27.0 Apr 9 2012 09:53:37
19:37:59.0218 3868 ============================================================
19:37:59.0218 3868 Current date / time: 2012/04/09 19:37:59.0218
19:37:59.0218 3868 SystemInfo:
19:37:59.0218 3868
19:37:59.0218 3868 OS Version: 5.1.2600 ServicePack: 3.0
19:37:59.0218 3868 Product type: Workstation
19:37:59.0218 3868 ComputerName: BEN-07DC93C3C4E
19:37:59.0218 3868 UserName: Ben
19:37:59.0218 3868 Windows directory: C:\WINDOWS
19:37:59.0218 3868 System windows directory: C:\WINDOWS
19:37:59.0218 3868 Processor architecture: Intel x86
19:37:59.0218 3868 Number of processors: 1
19:37:59.0218 3868 Page size: 0x1000
19:37:59.0218 3868 Boot type: Normal boot
19:37:59.0218 3868 ============================================================
19:38:01.0000 3868 Drive \Device\Harddisk0\DR0 - Size: 0x12A05F2000 (74.51 Gb), SectorSize: 0x200, Cylinders: 0x25FE, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
19:38:01.0000 3868 \Device\Harddisk0\DR0:
19:38:01.0000 3868 MBR used
19:38:01.0000 3868 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x94FE97E
19:38:01.0062 3868 Initialize success
19:38:01.0062 3868 ============================================================
19:38:07.0218 3992 ============================================================
19:38:07.0218 3992 Scan started
19:38:07.0218 3992 Mode: Manual;
19:38:07.0218 3992 ============================================================
19:38:07.0578 3992 !SASCORE (c0393eb99a6c72c6bef9bfc4a72b33a6) C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
19:38:07.0578 3992 !SASCORE - ok
19:38:07.0687 3992 Abiosdsk - ok
19:38:07.0781 3992 abp480n5 - ok
19:38:07.0875 3992 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
19:38:07.0875 3992 ACPI - ok
19:38:08.0046 3992 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
19:38:08.0046 3992 ACPIEC - ok
19:38:08.0203 3992 AdobeFlashPlayerUpdateSvc (0d4c486a24a711a45fd83acdf4d18506) C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
19:38:08.0203 3992 AdobeFlashPlayerUpdateSvc - ok
19:38:08.0296 3992 adpu160m - ok
19:38:08.0343 3992 adwarealert - ok
19:38:08.0437 3992 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
19:38:08.0437 3992 aec - ok
19:38:08.0531 3992 AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys
19:38:08.0546 3992 AFD - ok
19:38:08.0671 3992 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys
19:38:08.0687 3992 agp440 - ok
19:38:08.0734 3992 Aha154x - ok
19:38:08.0781 3992 aic78u2 - ok
19:38:08.0812 3992 aic78xx - ok
19:38:08.0859 3992 Alerter (a9a3daa780ca6c9671a19d52456705b4) C:\WINDOWS\system32\alrsvc.dll
19:38:08.0859 3992 Alerter - ok
19:38:08.0937 3992 ALG (8c515081584a38aa007909cd02020b3d) C:\WINDOWS\System32\alg.exe
19:38:08.0937 3992 ALG - ok
19:38:09.0078 3992 AliIde - ok
19:38:09.0125 3992 amsint - ok
19:38:09.0140 3992 AppMgmt - ok
19:38:09.0156 3992 asc - ok
19:38:09.0171 3992 asc3350p - ok
19:38:09.0187 3992 asc3550 - ok
19:38:09.0312 3992 aspnet_state (776acefa0ca9df0faa51a5fb2f435705) C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe
19:38:09.0312 3992 aspnet_state - ok
19:38:09.0421 3992 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
19:38:09.0437 3992 AsyncMac - ok
19:38:09.0562 3992 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
19:38:09.0562 3992 atapi - ok
19:38:09.0609 3992 Atdisk - ok
19:38:09.0734 3992 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
19:38:09.0734 3992 Atmarpc - ok
19:38:09.0843 3992 AudioSrv (def7a7882bec100fe0b2ce2549188f9d) C:\WINDOWS\System32\audiosrv.dll
19:38:09.0843 3992 AudioSrv - ok
19:38:10.0000 3992 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
19:38:10.0000 3992 audstub - ok
19:38:10.0203 3992 Avgfwdx (841b0a982065bffc7d7e84009f2fa76f) C:\WINDOWS\system32\DRIVERS\avgfwdx.sys
19:38:10.0203 3992 Avgfwdx - ok
19:38:10.0203 3992 Avgfwfd (841b0a982065bffc7d7e84009f2fa76f) C:\WINDOWS\system32\DRIVERS\avgfwdx.sys
19:38:10.0203 3992 Avgfwfd - ok
19:38:10.0468 3992 avgfws (5cd22eb540f82c70e33e530003f3903b) C:\Program Files\AVG\AVG2012\avgfws.exe
19:38:10.0484 3992 avgfws - ok
19:38:10.0671 3992 AVGIDSAgent (6d440ff3f44ca72edfd6176c6d6a89c0) C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
19:38:10.0703 3992 AVGIDSAgent - ok
19:38:10.0828 3992 AVGIDSDriver (4fa401b33c1b50c816486f6951244a14) C:\WINDOWS\system32\DRIVERS\AVGIDSDriver.Sys
19:38:10.0828 3992 AVGIDSDriver - ok
19:38:10.0937 3992 AVGIDSEH (69578bc9d43d614c6b3455db4af19762) C:\WINDOWS\system32\DRIVERS\AVGIDSEH.Sys
19:38:10.0937 3992 AVGIDSEH - ok
19:38:11.0109 3992 AVGIDSFilter (6df528406aa22201f392b9b19121cd6f) C:\WINDOWS\system32\DRIVERS\AVGIDSFilter.Sys
19:38:11.0109 3992 AVGIDSFilter - ok
19:38:11.0203 3992 AVGIDSShim (1e01c2166b5599802bcd61b9691f7476) C:\WINDOWS\system32\DRIVERS\AVGIDSShim.Sys
19:38:11.0203 3992 AVGIDSShim - ok
19:38:11.0343 3992 Avgldx86 (bf8118cd5e2255387b715b534d64acd1) C:\WINDOWS\system32\DRIVERS\avgldx86.sys
19:38:11.0359 3992 Avgldx86 - ok
19:38:11.0390 3992 Avgmfx86 (1c77ef67f196466adc9924cb288afe87) C:\WINDOWS\system32\DRIVERS\avgmfx86.sys
19:38:11.0390 3992 Avgmfx86 - ok
19:38:11.0531 3992 Avgrkx86 (f2038ed7284b79dcef581468121192a9) C:\WINDOWS\system32\DRIVERS\avgrkx86.sys
19:38:11.0531 3992 Avgrkx86 - ok
19:38:11.0671 3992 Avgtdix (a6d562b612216d8d02a35ebeb92366bd) C:\WINDOWS\system32\DRIVERS\avgtdix.sys
19:38:11.0671 3992 Avgtdix - ok
19:38:11.0843 3992 avgwd (6699ece24fe4b3f752a66c66a602ee86) C:\Program Files\AVG\AVG2012\avgwdsvc.exe
19:38:11.0859 3992 avgwd - ok
19:38:12.0031 3992 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
19:38:12.0031 3992 Beep - ok
19:38:12.0187 3992 BITS (574738f61fca2935f5265dc4e5691314) C:\WINDOWS\system32\qmgr.dll
19:38:12.0187 3992 BITS - ok
19:38:12.0265 3992 BLKWGU(Belkin) - ok
19:38:12.0359 3992 Browser (a06ce3399d16db864f55faeb1f1927a9) C:\WINDOWS\System32\browser.dll
19:38:12.0359 3992 Browser - ok
19:38:12.0546 3992 Browser Defender Update Service (335219836821cb675533ab4731779754) C:\Program Files\PC Tools\PC Tools Security\BDT\BDTUpdateService.exe
19:38:12.0546 3992 Browser Defender Update Service - ok
19:38:12.0796 3992 catchme - ok
19:38:12.0937 3992 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
19:38:12.0937 3992 cbidf2k - ok
19:38:13.0031 3992 cd20xrnt - ok
19:38:13.0234 3992 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
19:38:13.0234 3992 Cdaudio - ok
19:38:13.0328 3992 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
19:38:13.0328 3992 Cdfs - ok
19:38:13.0468 3992 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
19:38:13.0468 3992 Cdrom - ok
19:38:13.0546 3992 Changer - ok
19:38:13.0640 3992 CiSvc (1cfe720eb8d93a7158a4ebc3ab178bde) C:\WINDOWS\system32\cisvc.exe
19:38:13.0640 3992 CiSvc - ok
19:38:13.0734 3992 ClipSrv (34cbe729f38138217f9c80212a2a0c82) C:\WINDOWS\system32\clipsrv.exe
19:38:13.0734 3992 ClipSrv - ok
19:38:13.0875 3992 clr_optimization_v2.0.50727_32 (d87acaed61e417bba546ced5e7e36d9c) C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
19:38:13.0875 3992 clr_optimization_v2.0.50727_32 - ok
19:38:14.0078 3992 clr_optimization_v4.0.30319_32 (c5a75eb48e2344abdc162bda79e16841) C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
19:38:14.0078 3992 clr_optimization_v4.0.30319_32 - ok
19:38:14.0171 3992 CmdIde - ok
19:38:14.0218 3992 COMSysApp - ok
19:38:14.0250 3992 Cpqarray - ok
19:38:14.0328 3992 CryptSvc (3d4e199942e29207970e04315d02ad3b) C:\WINDOWS\System32\cryptsvc.dll
19:38:14.0328 3992 CryptSvc - ok
19:38:14.0406 3992 dac2w2k - ok
19:38:14.0453 3992 dac960nt - ok
19:38:14.0546 3992 DcomLaunch (6b27a5c03dfb94b4245739065431322c) C:\WINDOWS\system32\rpcss.dll
19:38:14.0546 3992 DcomLaunch - ok
19:38:14.0703 3992 Dhcp (5e38d7684a49cacfb752b046357e0589) C:\WINDOWS\System32\dhcpcsvc.dll
19:38:14.0703 3992 Dhcp - ok
19:38:14.0828 3992 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
19:38:14.0828 3992 Disk - ok
19:38:14.0875 3992 dlbt_device - ok
19:38:14.0906 3992 dmadmin - ok
19:38:15.0093 3992 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
19:38:15.0109 3992 dmboot - ok
19:38:15.0203 3992 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
19:38:15.0203 3992 dmio - ok
19:38:15.0296 3992 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
19:38:15.0296 3992 dmload - ok
19:38:15.0390 3992 dmserver (57edec2e5f59f0335e92f35184bc8631) C:\WINDOWS\System32\dmserver.dll
19:38:15.0390 3992 dmserver - ok
19:38:15.0531 3992 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
19:38:15.0531 3992 DMusic - ok
19:38:15.0609 3992 Dnscache (5f7e24fa9eab896051ffb87f840730d2) C:\WINDOWS\System32\dnsrslvr.dll
19:38:15.0609 3992 Dnscache - ok
19:38:15.0750 3992 Dot3svc (0f0f6e687e5e15579ef4da8dd6945814) C:\WINDOWS\System32\dot3svc.dll
19:38:15.0750 3992 Dot3svc - ok
19:38:15.0843 3992 dpti2o - ok
19:38:15.0937 3992 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
19:38:15.0937 3992 drmkaud - ok
19:38:16.0093 3992 E100B (d57a8fc800b501ac05b10d00f66d127a) C:\WINDOWS\system32\DRIVERS\e100b325.sys
19:38:16.0109 3992 E100B - ok
19:38:16.0234 3992 EapHost (2187855a7703adef0cef9ee4285182cc) C:\WINDOWS\System32\eapsvc.dll
19:38:16.0234 3992 EapHost - ok
19:38:16.0312 3992 ERSvc (bc93b4a066477954555966d77fec9ecb) C:\WINDOWS\System32\ersvc.dll
19:38:16.0312 3992 ERSvc - ok
19:38:16.0437 3992 Eventlog (65df52f5b8b6e9bbd183505225c37315) C:\WINDOWS\system32\services.exe
19:38:16.0437 3992 Eventlog - ok
19:38:16.0531 3992 EventSystem (d4991d98f2db73c60d042f1aef79efae) C:\WINDOWS\system32\es.dll
19:38:16.0531 3992 EventSystem - ok
19:38:16.0656 3992 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
19:38:16.0671 3992 Fastfat - ok
19:38:16.0765 3992 FastUserSwitchingCompatibility (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll
19:38:16.0781 3992 FastUserSwitchingCompatibility - ok
19:38:16.0906 3992 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
19:38:16.0921 3992 Fdc - ok
19:38:16.0953 3992 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
19:38:16.0953 3992 Fips - ok
19:38:17.0093 3992 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
19:38:17.0093 3992 Flpydisk - ok
19:38:17.0187 3992 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
19:38:17.0187 3992 FltMgr - ok
19:38:17.0421 3992 FontCache3.0.0.0 (8ba7c024070f2b7fdd98ed8a4ba41789) c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
19:38:17.0421 3992 FontCache3.0.0.0 - ok
19:38:17.0593 3992 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
19:38:17.0593 3992 Fs_Rec - ok
19:38:17.0687 3992 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
19:38:17.0687 3992 Ftdisk - ok
19:38:17.0828 3992 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
19:38:17.0843 3992 Gpc - ok
19:38:17.0953 3992 helpsvc (4fcca060dfe0c51a09dd5c3843888bcd) C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll
19:38:17.0953 3992 helpsvc - ok
19:38:18.0015 3992 HidServ - ok
19:38:18.0140 3992 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
19:38:18.0140 3992 HidUsb - ok
19:38:18.0234 3992 hkmsvc (8878bd685e490239777bfe51320b88e9) C:\WINDOWS\System32\kmsvc.dll
19:38:18.0250 3992 hkmsvc - ok
19:38:18.0312 3992 hpn - ok
19:38:18.0421 3992 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
19:38:18.0421 3992 HTTP - ok
19:38:18.0531 3992 HTTPFilter (6100a808600f44d999cebdef8841c7a3) C:\WINDOWS\System32\w3ssl.dll
19:38:18.0531 3992 HTTPFilter - ok
19:38:18.0609 3992 i2omgmt - ok
19:38:18.0671 3992 i2omp - ok
19:38:18.0765 3992 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
19:38:18.0765 3992 i8042prt - ok
19:38:18.0937 3992 idsvc (c01ac32dc5c03076cfb852cb5da5229c) C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
19:38:18.0953 3992 idsvc - ok
19:38:19.0078 3992 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
19:38:19.0078 3992 Imapi - ok
19:38:19.0156 3992 ImapiService (30deaf54a9755bb8546168cfe8a6b5e1) C:\WINDOWS\system32\imapi.exe
19:38:19.0171 3992 ImapiService - ok
19:38:19.0250 3992 ini910u - ok
19:38:19.0390 3992 IntelC51 (fcab28ffd3a8964581e16455efaf81c8) C:\WINDOWS\system32\DRIVERS\IntelC51.sys
19:38:19.0390 3992 IntelC51 - ok
19:38:19.0500 3992 IntelC52 (a288e7e3a6255255b9066686d860fbc5) C:\WINDOWS\system32\DRIVERS\IntelC52.sys
19:38:19.0500 3992 IntelC52 - ok
19:38:19.0640 3992 IntelC53 (d5e5a1abf6bdba7ca49941a044f04598) C:\WINDOWS\system32\DRIVERS\IntelC53.sys
19:38:19.0640 3992 IntelC53 - ok
19:38:19.0718 3992 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
19:38:19.0734 3992 IntelIde - ok
19:38:19.0859 3992 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
19:38:19.0859 3992 intelppm - ok
19:38:19.0984 3992 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
19:38:19.0984 3992 Ip6Fw - ok
19:38:20.0093 3992 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
19:38:20.0093 3992 IpFilterDriver - ok
19:38:20.0218 3992 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
19:38:20.0218 3992 IpInIp - ok
19:38:20.0328 3992 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
19:38:20.0328 3992 IpNat - ok
19:38:20.0406 3992 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
19:38:20.0406 3992 IPSec - ok
19:38:20.0484 3992 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
19:38:20.0484 3992 IRENUM - ok
19:38:20.0562 3992 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
19:38:20.0562 3992 isapnp - ok
19:38:20.0781 3992 JavaQuickStarterService (0a5709543986843d37a92290b7838340) C:\Program Files\Java\jre6\bin\jqs.exe
19:38:20.0781 3992 JavaQuickStarterService - ok
19:38:20.0906 3992 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
19:38:20.0921 3992 Kbdclass - ok
19:38:21.0046 3992 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
19:38:21.0046 3992 kbdhid - ok
19:38:21.0156 3992 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
19:38:21.0156 3992 kmixer - ok
19:38:21.0250 3992 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
19:38:21.0250 3992 KSecDD - ok
19:38:21.0390 3992 lanmanserver (3a7c3cbe5d96b8ae96ce81f0b22fb527) C:\WINDOWS\System32\srvsvc.dll
19:38:21.0390 3992 lanmanserver - ok
19:38:21.0484 3992 lanmanworkstation (a8888a5327621856c0cec4e385f69309) C:\WINDOWS\System32\wkssvc.dll
19:38:21.0484 3992 lanmanworkstation - ok
19:38:21.0578 3992 lbrtfdc - ok
19:38:21.0640 3992 LmHosts (a7db739ae99a796d91580147e919cc59) C:\WINDOWS\System32\lmhsvc.dll
19:38:21.0656 3992 LmHosts - ok
19:38:21.0750 3992 Messenger (986b1ff5814366d71e0ac5755c88f2d3) C:\WINDOWS\System32\msgsvc.dll
19:38:21.0750 3992 Messenger - ok
19:38:21.0859 3992 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
19:38:21.0859 3992 mnmdd - ok
19:38:21.0984 3992 mnmsrvc (d18f1f0c101d06a1c1adf26eed16fcdd) C:\WINDOWS\system32\mnmsrvc.exe
19:38:21.0984 3992 mnmsrvc - ok
19:38:22.0140 3992 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
19:38:22.0140 3992 Modem - ok
19:38:22.0234 3992 MODEMCSA (1992e0d143b09653ab0f9c5e04b0fd65) C:\WINDOWS\system32\drivers\MODEMCSA.sys
19:38:22.0234 3992 MODEMCSA - ok
19:38:22.0390 3992 mohfilt (c6a08c4f34b3048a73bbb2951150f98d) C:\WINDOWS\system32\DRIVERS\mohfilt.sys
19:38:22.0390 3992 mohfilt - ok
19:38:22.0468 3992 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
19:38:22.0468 3992 Mouclass - ok
19:38:22.0609 3992 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
19:38:22.0609 3992 mouhid - ok
19:38:22.0703 3992 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
19:38:22.0703 3992 MountMgr - ok
19:38:22.0781 3992 mraid35x - ok
19:38:22.0859 3992 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
19:38:22.0859 3992 MRxDAV - ok
19:38:22.0984 3992 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
19:38:22.0984 3992 MRxSmb - ok
19:38:23.0125 3992 MSDTC (a137f1470499a205abbb9aafb3b6f2b1) C:\WINDOWS\system32\msdtc.exe
19:38:23.0125 3992 MSDTC - ok
19:38:23.0234 3992 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
19:38:23.0234 3992 Msfs - ok
19:38:23.0312 3992 MSIServer - ok
19:38:23.0375 3992 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
19:38:23.0375 3992 MSKSSRV - ok
19:38:23.0453 3992 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
19:38:23.0468 3992 MSPCLOCK - ok
19:38:23.0546 3992 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
19:38:23.0546 3992 MSPQM - ok
19:38:23.0609 3992 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
19:38:23.0625 3992 mssmbios - ok
19:38:23.0718 3992 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
19:38:23.0718 3992 Mup - ok
19:38:23.0828 3992 napagent (0102140028fad045756796e1c685d695) C:\WINDOWS\System32\qagentrt.dll
19:38:23.0828 3992 napagent - ok
19:38:23.0953 3992 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
19:38:23.0953 3992 NDIS - ok
19:38:24.0078 3992 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
19:38:24.0078 3992 NdisTapi - ok
19:38:24.0171 3992 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
19:38:24.0171 3992 Ndisuio - ok
19:38:24.0250 3992 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
19:38:24.0265 3992 NdisWan - ok
19:38:24.0343 3992 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
19:38:24.0343 3992 NDProxy - ok
19:38:24.0484 3992 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
19:38:24.0484 3992 NetBIOS - ok
19:38:24.0578 3992 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
19:38:24.0578 3992 NetBT - ok
19:38:24.0718 3992 NetDDE (b857ba82860d7ff85ae29b095645563b) C:\WINDOWS\system32\netdde.exe
19:38:24.0718 3992 NetDDE - ok
19:38:24.0734 3992 NetDDEdsdm (b857ba82860d7ff85ae29b095645563b) C:\WINDOWS\system32\netdde.exe
19:38:24.0734 3992 NetDDEdsdm - ok
19:38:24.0843 3992 Netlogon (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
19:38:24.0843 3992 Netlogon - ok
19:38:24.0937 3992 Netman (13e67b55b3abd7bf3fe7aae5a0f9a9de) C:\WINDOWS\System32\netman.dll
19:38:24.0953 3992 Netman - ok
19:38:25.0093 3992 NetTcpPortSharing (d22cd77d4f0d63d1169bb35911bff12d) C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe
19:38:25.0109 3992 NetTcpPortSharing - ok
19:38:25.0218 3992 Nla (943337d786a56729263071623bbb9de5) C:\WINDOWS\System32\mswsock.dll
19:38:25.0218 3992 Nla - ok
19:38:25.0359 3992 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
19:38:25.0359 3992 Npfs - ok
19:38:25.0421 3992 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
19:38:25.0437 3992 Ntfs - ok
19:38:25.0562 3992 NtLmSsp (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
19:38:25.0562 3992 NtLmSsp - ok
19:38:25.0687 3992 NtmsSvc (156f64a3345bd23c600655fb4d10bc08) C:\WINDOWS\system32\ntmssvc.dll
19:38:25.0687 3992 NtmsSvc - ok
19:38:25.0796 3992 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
19:38:25.0796 3992 Null - ok
19:38:25.0921 3992 nv (1685a86ce8dc5a70d307dca625fb50e7) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
19:38:25.0921 3992 nv - ok
19:38:26.0062 3992 NVSvc (697a09635e30d3722e1124ec33face15) C:\WINDOWS\system32\nvsvc32.exe
19:38:26.0062 3992 NVSvc - ok
19:38:26.0140 3992 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
19:38:26.0140 3992 NwlnkFlt - ok
19:38:26.0234 3992 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
19:38:26.0234 3992 NwlnkFwd - ok
19:38:26.0375 3992 OMCI (cec7e2c6c1fa00c7ab2f5434f848ae51) C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS
19:38:26.0375 3992 OMCI - ok
19:38:26.0531 3992 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
19:38:26.0531 3992 Parport - ok
19:38:26.0562 3992 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
19:38:26.0562 3992 PartMgr - ok
19:38:26.0703 3992 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
19:38:26.0703 3992 ParVdm - ok
19:38:26.0812 3992 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
19:38:26.0812 3992 PCI - ok
19:38:26.0906 3992 PCIDump - ok
19:38:26.0984 3992 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\drivers\PCIIde.sys
19:38:26.0984 3992 PCIIde - ok
19:38:27.0140 3992 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
19:38:27.0140 3992 Pcmcia - ok
19:38:27.0250 3992 PCTBD (3a0262b85b5bb4d4cfc096ea00ed610b) C:\WINDOWS\system32\Drivers\PCTBD.sys
19:38:27.0250 3992 PCTBD - ok
19:38:27.0390 3992 PCTCore (0edb74bd0d52d6d94cf862322e48b94e) C:\WINDOWS\system32\drivers\PCTCore.sys
19:38:27.0390 3992 PCTCore - ok
19:38:27.0500 3992 pctDS (8734f7346b39a710491e0ddb136da2a3) C:\WINDOWS\system32\drivers\pctDS.sys
19:38:27.0500 3992 pctDS - ok
19:38:27.0656 3992 pctEFA (653d8079cc000ec454789740a07b84a8) C:\WINDOWS\system32\drivers\pctEFA.sys
19:38:27.0671 3992 pctEFA - ok
19:38:27.0828 3992 PCTSD (eb98f7514dcf1b922b318e6182d836b1) C:\WINDOWS\system32\Drivers\PCTSD.sys
19:38:27.0828 3992 PCTSD - ok
19:38:27.0859 3992 PDCOMP - ok
19:38:27.0953 3992 PDFRAME - ok
19:38:27.0968 3992 PDRELI - ok
19:38:27.0984 3992 PDRFRAME - ok
19:38:28.0000 3992 perc2 - ok
19:38:28.0015 3992 perc2hib - ok
19:38:28.0093 3992 PlugPlay (65df52f5b8b6e9bbd183505225c37315) C:\WINDOWS\system32\services.exe
19:38:28.0093 3992 PlugPlay - ok
19:38:28.0156 3992 PolicyAgent (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
19:38:28.0171 3992 PolicyAgent - ok
19:38:28.0328 3992 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
19:38:28.0328 3992 PptpMiniport - ok
19:38:28.0359 3992 ProtectedStorage (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
19:38:28.0359 3992 ProtectedStorage - ok
19:38:28.0500 3992 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
19:38:28.0500 3992 PSched - ok
19:38:28.0562 3992 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
19:38:28.0562 3992 Ptilink - ok
19:38:28.0687 3992 PxHelp20 (153d02480a0a2f45785522e814c634b6) C:\WINDOWS\system32\Drivers\PxHelp20.sys
19:38:28.0687 3992 PxHelp20 - ok
19:38:28.0765 3992 ql1080 - ok
19:38:28.0812 3992 Ql10wnt - ok
19:38:28.0828 3992 ql12160 - ok
19:38:28.0843 3992 ql1240 - ok
19:38:28.0859 3992 ql1280 - ok
19:38:28.0906 3992 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
19:38:28.0906 3992 RasAcd - ok
19:38:28.0984 3992 RasAuto (ad188be7bdf94e8df4ca0a55c00a5073) C:\WINDOWS\System32\rasauto.dll
19:38:28.0984 3992 RasAuto - ok
19:38:29.0109 3992 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
19:38:29.0109 3992 Rasl2tp - ok
19:38:29.0218 3992 RasMan (76a9a3cbeadd68cc57cda5e1d7448235) C:\WINDOWS\System32\rasmans.dll
19:38:29.0218 3992 RasMan - ok
19:38:29.0359 3992 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
19:38:29.0359 3992 RasPppoe - ok
19:38:29.0500 3992 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
19:38:29.0500 3992 Raspti - ok
19:38:29.0593 3992 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
19:38:29.0593 3992 Rdbss - ok
19:38:29.0734 3992 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
19:38:29.0734 3992 RDPCDD - ok
19:38:29.0828 3992 RDPWD (5b3055daa788bd688594d2f5981f2a83) C:\WINDOWS\system32\drivers\RDPWD.sys
19:38:29.0828 3992 RDPWD - ok
19:38:29.0953 3992 RDSessMgr (3c37bf86641bda977c3bf8a840f3b7fa) C:\WINDOWS\system32\sessmgr.exe
19:38:29.0953 3992 RDSessMgr - ok
19:38:30.0109 3992 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
19:38:30.0109 3992 redbook - ok
19:38:30.0203 3992 RemoteAccess (7e699ff5f59b5d9de5390e3c34c67cf5) C:\WINDOWS\System32\mprdim.dll
19:38:30.0218 3992 RemoteAccess - ok
19:38:30.0359 3992 RpcLocator (aaed593f84afa419bbae8572af87cf6a) C:\WINDOWS\system32\locator.exe
19:38:30.0359 3992 RpcLocator - ok
19:38:30.0468 3992 RpcSs (6b27a5c03dfb94b4245739065431322c) C:\WINDOWS\System32\rpcss.dll
19:38:30.0468 3992 RpcSs - ok
19:38:30.0609 3992 RSVP (471b3f9741d762abe75e9deea4787e47) C:\WINDOWS\system32\rsvp.exe
19:38:30.0609 3992 RSVP - ok
19:38:30.0718 3992 SamSs (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
19:38:30.0718 3992 SamSs - ok
19:38:30.0828 3992 SASKUTIL - ok
19:38:30.0953 3992 SCardSvr (86d007e7a654b9a71d1d7d856b104353) C:\WINDOWS\System32\SCardSvr.exe
19:38:30.0953 3992 SCardSvr - ok
19:38:31.0062 3992 Schedule (0a9a7365a1ca4319aa7c1d6cd8e4eafa) C:\WINDOWS\system32\schedsvc.dll
19:38:31.0078 3992 Schedule - ok
19:38:31.0250 3992 sdAuxService (17d6a03103586d7954ba74c2219ce1bb) C:\Program Files\PC Tools\PC Tools Security\pctsAuxs.exe
19:38:31.0265 3992 sdAuxService - ok
19:38:31.0359 3992 sdCoreService (d2b30a5a8f57c00b0fa84a8880e9ec5b) C:\Program Files\PC Tools\PC Tools Security\pctsSvc.exe
19:38:31.0359 3992 sdCoreService - ok
19:38:31.0484 3992 SeaPort (4a5809a1d796e2675ac0332bf7b0cb11) C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
19:38:31.0484 3992 SeaPort - ok
19:38:31.0640 3992 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
19:38:31.0640 3992 Secdrv - ok
19:38:31.0734 3992 seclogon (cbe612e2bb6a10e3563336191eda1250) C:\WINDOWS\System32\seclogon.dll
19:38:31.0734 3992 seclogon - ok
19:38:31.0890 3992 senfilt (b9c7617c1e8ab6fdff75d3c8dafcb4c8) C:\WINDOWS\system32\drivers\senfilt.sys
19:38:31.0906 3992 senfilt - ok
19:38:32.0031 3992 SENS (7fdd5d0684eca8c1f68b4d99d124dcd0) C:\WINDOWS\system32\sens.dll
19:38:32.0046 3992 SENS - ok
19:38:32.0140 3992 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
19:38:32.0140 3992 serenum - ok
19:38:32.0234 3992 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
19:38:32.0234 3992 Serial - ok
19:38:32.0343 3992 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
19:38:32.0343 3992 Sfloppy - ok
19:38:32.0421 3992 SharedAccess (83f41d0d89645d7235c051ab1d9523ac) C:\WINDOWS\System32\ipnathlp.dll
19:38:32.0437 3992 SharedAccess - ok
19:38:32.0578 3992 ShellHWDetection (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll
19:38:32.0578 3992 ShellHWDetection - ok
19:38:32.0609 3992 Simbad - ok
19:38:32.0765 3992 smwdm (c6d9959e493682f872a639b6ec1b4a08) C:\WINDOWS\system32\drivers\smwdm.sys
19:38:32.0765 3992 smwdm - ok
19:38:32.0843 3992 SONYPVU1 (a1eceeaa5c5e74b2499eb51d38185b84) C:\WINDOWS\system32\DRIVERS\SONYPVU1.SYS
19:38:32.0843 3992 SONYPVU1 - ok
19:38:32.0906 3992 Sparrow - ok
19:38:32.0984 3992 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
19:38:32.0984 3992 splitter - ok
19:38:33.0062 3992 Spooler (60784f891563fb1b767f70117fc2428f) C:\WINDOWS\system32\spoolsv.exe
19:38:33.0078 3992 Spooler - ok
19:38:33.0218 3992 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
19:38:33.0218 3992 sr - ok
19:38:33.0359 3992 srservice (3805df0ac4296a34ba4bf93b346cc378) C:\WINDOWS\system32\srsvc.dll
19:38:33.0359 3992 srservice - ok
19:38:33.0468 3992 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
19:38:33.0468 3992 Srv - ok
19:38:33.0625 3992 SSDPSRV (0a5679b3714edab99e357057ee88fca6) C:\WINDOWS\System32\ssdpsrv.dll
19:38:33.0625 3992 SSDPSRV - ok
19:38:33.0718 3992 ssrangdr (f87737d83b965efa765117051e3b9d0c) C:\WINDOWS\system32\DRIVERS\ssrangdr.sys
19:38:33.0718 3992 ssrangdr - ok
19:38:33.0859 3992 stisvc (8bad69cbac032d4bbacfce0306174c30) C:\WINDOWS\system32\wiaservc.dll
19:38:33.0859 3992 stisvc - ok
19:38:34.0000 3992 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
19:38:34.0000 3992 swenum - ok
19:38:34.0093 3992 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
19:38:34.0093 3992 swmidi - ok
19:38:34.0171 3992 SwPrv - ok
19:38:34.0265 3992 symc810 - ok
19:38:34.0296 3992 symc8xx - ok
19:38:34.0312 3992 sym_hi - ok
19:38:34.0328 3992 sym_u3 - ok
19:38:34.0390 3992 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
19:38:34.0390 3992 sysaudio - ok
19:38:34.0500 3992 SysmonLog (c7abbc59b43274b1109df6b24d617051) C:\WINDOWS\system32\smlogsvc.exe
19:38:34.0500 3992 SysmonLog - ok
19:38:34.0609 3992 TapiSrv (3cb78c17bb664637787c9a1c98f79c38) C:\WINDOWS\System32\tapisrv.dll
19:38:34.0609 3992 TapiSrv - ok
19:38:34.0765 3992 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
19:38:34.0765 3992 Tcpip - ok
19:38:34.0859 3992 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
19:38:34.0859 3992 TDPIPE - ok
19:38:34.0953 3992 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
19:38:34.0953 3992 TDTCP - ok
19:38:35.0093 3992 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
19:38:35.0109 3992 TermDD - ok
19:38:35.0203 3992 TermService (ff3477c03be7201c294c35f684b3479f) C:\WINDOWS\System32\termsrv.dll
19:38:35.0203 3992 TermService - ok
19:38:35.0343 3992 Themes (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll
19:38:35.0343 3992 Themes - ok
19:38:35.0390 3992 TosIde - ok
19:38:35.0515 3992 TrkWks (55bca12f7f523d35ca3cb833c725f54e) C:\WINDOWS\system32\trkwks.dll
19:38:35.0531 3992 TrkWks - ok
19:38:35.0625 3992 TVICHW32 (e266683fc95abdec17cd378564e1b54b) C:\WINDOWS\system32\DRIVERS\TVICHW32.SYS
19:38:35.0625 3992 TVICHW32 - ok
19:38:35.0734 3992 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
19:38:35.0734 3992 Udfs - ok
19:38:35.0796 3992 ultra - ok
19:38:35.0953 3992 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
19:38:35.0953 3992 Update - ok
19:38:36.0031 3992 upnphost (1ebafeb9a3fbdc41b8d9c7f0f687ad91) C:\WINDOWS\System32\upnphost.dll
19:38:36.0031 3992 upnphost - ok
19:38:36.0156 3992 UPS (05365fb38fca1e98f7a566aaaf5d1815) C:\WINDOWS\System32\ups.exe
19:38:36.0156 3992 UPS - ok
19:38:36.0218 3992 USBAAPL - ok
19:38:36.0281 3992 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
19:38:36.0296 3992 usbccgp - ok
19:38:36.0437 3992 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
19:38:36.0437 3992 usbehci - ok
19:38:36.0515 3992 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
19:38:36.0515 3992 usbhub - ok
19:38:36.0656 3992 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
19:38:36.0656 3992 usbprint - ok
19:38:36.0734 3992 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
19:38:36.0734 3992 usbscan - ok
19:38:36.0875 3992 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
19:38:36.0875 3992 USBSTOR - ok
19:38:36.0968 3992 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
19:38:36.0968 3992 usbuhci - ok
19:38:37.0062 3992 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
19:38:37.0062 3992 VgaSave - ok
19:38:37.0093 3992 ViaIde - ok
19:38:37.0156 3992 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
19:38:37.0156 3992 VolSnap - ok
19:38:37.0296 3992 VSS (7a9db3a67c333bf0bd42e42b8596854b) C:\WINDOWS\System32\vssvc.exe
19:38:37.0312 3992 VSS - ok
19:38:37.0359 3992 W32Time (54af4b1d5459500ef0937f6d33b1914f) C:\WINDOWS\system32\w32time.dll
19:38:37.0375 3992 W32Time - ok
19:38:37.0515 3992 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
19:38:37.0515 3992 Wanarp - ok
19:38:37.0578 3992 WDICA - ok
19:38:37.0687 3992 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
19:38:37.0687 3992 wdmaud - ok
19:38:37.0828 3992 WebClient (77a354e28153ad2d5e120a5a8687bc06) C:\WINDOWS\System32\webclnt.dll
19:38:37.0828 3992 WebClient - ok
19:38:38.0000 3992 winmgmt (2d0e4ed081963804ccc196a0929275b5) C:\WINDOWS\system32\wbem\WMIsvc.dll
19:38:38.0000 3992 winmgmt - ok
19:38:38.0171 3992 WinRM (18f347402da544a780949b8fdf83351b) C:\WINDOWS\system32\WsmSvc.dll
19:38:38.0171 3992 WinRM - ok
19:38:38.0281 3992 WmdmPmSN (c51b4a5c05a5475708e3c81c7765b71d) C:\WINDOWS\system32\MsPMSNSv.dll
19:38:38.0281 3992 WmdmPmSN - ok
19:38:38.0421 3992 WmiApSrv (e0673f1106e62a68d2257e376079f821) C:\WINDOWS\system32\wbem\wmiapsrv.exe
19:38:38.0421 3992 WmiApSrv - ok
19:38:38.0609 3992 WMPNetworkSvc (f74e3d9a7fa9556c3bbb14d4e5e63d3b) C:\Program Files\Windows Media Player\WMPNetwk.exe
19:38:38.0625 3992 WMPNetworkSvc - ok
19:38:38.0875 3992 WPFFontCache_v0400 (dcf3e3edf5109ee8bc02fe6e1f045795) C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe
19:38:38.0890 3992 WPFFontCache_v0400 - ok
19:38:39.0031 3992 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
19:38:39.0031 3992 WS2IFSL - ok
19:38:39.0156 3992 wuauserv (35321fb577cdc98ce3eb3a3eb9e4610a) C:\WINDOWS\system32\wuauserv.dll
19:38:39.0156 3992 wuauserv - ok
19:38:39.0265 3992 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
19:38:39.0265 3992 WudfPf - ok
19:38:39.0375 3992 WudfSvc (05231c04253c5bc30b26cbaae680ed89) C:\WINDOWS\System32\WUDFSvc.dll
19:38:39.0375 3992 WudfSvc - ok
19:38:39.0500 3992 WZCSVC (81dc3f549f44b1c1fff022dec9ecf30b) C:\WINDOWS\System32\wzcsvc.dll
19:38:39.0515 3992 WZCSVC - ok
19:38:39.0640 3992 xmlprov (295d21f14c335b53cb8154e5b1f892b9) C:\WINDOWS\System32\xmlprov.dll
19:38:39.0656 3992 xmlprov - ok
19:38:39.0796 3992 YahooAUService (dd0042f0c3b606a6a8b92d49afb18ad6) C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
19:38:39.0796 3992 YahooAUService - ok
19:38:39.0843 3992 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
19:38:40.0062 3992 \Device\Harddisk0\DR0 - ok
19:38:40.0078 3992 Boot (0x1200) (9c57b47db961c01846f632222310f752) \Device\Harddisk0\DR0\Partition0
19:38:40.0078 3992 \Device\Harddisk0\DR0\Partition0 - ok
19:38:40.0078 3992 ============================================================
19:38:40.0078 3992 Scan finished
19:38:40.0078 3992 ============================================================
19:38:40.0093 3984 Detected object count: 0
19:38:40.0093 3984 Actual detected object count: 0
19:47:46.0390 2780 Deinitialize success

#10 whogordon

whogordon
  • Topic Starter

  • Members
  • 33 posts
  • OFFLINE
  • Local time:09:18 AM

Posted 09 April 2012 - 07:46 PM

Here is combofix.txt:


ComboFix 12-04-09.05 - Ben 04/09/2012 20:04:14.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3711.3240 [GMT -4:00]
Running from: c:\documents and settings\Ben\Desktop\ComboFix.exe
AV: AVG Internet Security 2012 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: AVG Firewall *Disabled* {8decf618-9569-4340-b34a-d78d28969b66}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator.BEN-07DC93C3C4E\Start Menu\Programs\System Check
c:\documents and settings\All Users\Application Data\ezbudPjbVjXnxe
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\All Users\Application Data\TEMP\430C6D84.TMP
c:\documents and settings\All Users\Application Data\TEMP\AVG\avgfinst.dat
c:\documents and settings\All Users\Application Data\TEMP\AVG\avgmfapx.exe
c:\documents and settings\All Users\Application Data\TEMP\AVG\avgmfarx.dll
c:\documents and settings\All Users\Application Data\TEMP\AVG\avgntdumpx.exe
c:\documents and settings\All Users\Application Data\TEMP\AVG\avgrunasx.exe
c:\documents and settings\All Users\Application Data\TEMP\AVG\avi7.avg
c:\documents and settings\All Users\Application Data\TEMP\AVG\compat.ini
c:\documents and settings\All Users\Application Data\TEMP\AVG\crt_x64.msi
c:\documents and settings\All Users\Application Data\TEMP\AVG\files.dat
c:\documents and settings\All Users\Application Data\TEMP\AVG\htmlayout.dll
c:\documents and settings\All Users\Application Data\TEMP\AVG\incavi.avm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_cz.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_da.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_es.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_fr.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_ge.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_hu.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_id.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_in.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_it.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_jp.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_ko.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_ms.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_nl.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_pb.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_pl.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_pt.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_ru.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_sc.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_sk.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_sp.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_tr.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_us.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_zh.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_zt.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfaconf.txt
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfacz.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfada.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfaes.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfafr.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfage.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfahu.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfaid.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfain.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfait.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfajp.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfako.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfams.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfanl.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfapb.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfapl.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfapt.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfaru.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfasc.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfask.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfasp.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfatr.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfaus.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfavera.txt
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfaverx.txt
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfazh.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfazt.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\microavi.avg
c:\documents and settings\All Users\Application Data\TEMP\AVG\miniavi.avg
c:\documents and settings\All Users\Application Data\TEMP\AVG\setup.dat
c:\documents and settings\All Users\Application Data\TEMP\AVG\setup.exe
c:\documents and settings\All Users\Application Data\TEMP\AVG\setup.ini
c:\documents and settings\All Users\Application Data\TEMP\AVG\vcredis1.cab
c:\documents and settings\All Users\Application Data\TEMP\AVG\vcredist.msi
c:\documents and settings\All Users\Application Data\TEMP\DFC5A2B2.TMP
c:\documents and settings\Ben\Start Menu\Programs\System Check
.
.
((((((((((((((((((((((((( Files Created from 2012-03-10 to 2012-04-10 )))))))))))))))))))))))))))))))
.
.
2012-04-03 16:08 . 2012-02-17 19:08 767952 ----a-w- c:\windows\BDTSupport.dll
2012-04-03 16:08 . 2011-09-28 17:14 56840 ----a-w- c:\windows\system32\drivers\PCTBD.sys
2012-04-03 16:08 . 2012-02-17 19:08 149456 ----a-w- c:\windows\SGDetectionTool.dll
2012-04-03 16:08 . 2012-02-17 19:08 2250704 ----a-w- c:\windows\PCTBDCore.dll
2012-04-03 16:08 . 2012-02-17 19:08 1681360 ----a-w- c:\windows\PCTBDRes.dll
2012-04-03 16:05 . 2012-02-24 14:31 253352 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2012-04-03 16:05 . 2012-02-24 14:35 17848 ----a-w- c:\windows\system32\drivers\pctBTFix.sys
2012-04-03 16:04 . 2012-02-24 14:37 70536 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2012-04-03 16:04 . 2012-04-03 16:04 -------- d-----w- c:\program files\PC Tools
2012-04-03 16:01 . 2011-12-01 20:07 909728 ----a-w- c:\windows\system32\drivers\pctEFA.sys
2012-04-03 16:01 . 2011-12-01 20:07 342168 ----a-w- c:\windows\system32\drivers\pctDS.sys
2012-04-03 16:00 . 2011-11-14 19:12 331880 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2012-04-03 16:00 . 2011-11-14 19:12 162584 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2012-04-03 16:00 . 2012-02-24 14:36 185560 ----a-w- c:\windows\system32\drivers\PCTSD.sys
2012-04-03 16:00 . 2012-04-03 16:09 -------- d-----w- c:\program files\Common Files\PC Tools
2012-04-03 15:59 . 2012-04-03 16:04 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2012-04-03 15:59 . 2012-04-03 15:59 -------- d-----w- c:\documents and settings\Ben\Application Data\TestApp
2012-04-03 06:04 . 2012-04-03 06:04 -------- d-----w- c:\windows\system32\wbem\Repository
2012-04-02 23:02 . 2012-04-02 23:02 -------- d-----w- c:\program files\Common Files\Java
2012-04-02 23:00 . 2012-04-02 23:00 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-04-02 02:58 . 2012-04-02 02:58 -------- d-----w- c:\documents and settings\Ben\Local Settings\Application Data\Secunia PSI
2012-04-01 23:05 . 2012-04-02 23:55 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-04-01 22:56 . 2012-04-01 22:56 -------- d-----w- c:\program files\Secunia
2012-03-28 16:08 . 2012-03-28 16:10 -------- dc----w- c:\windows\ie8
2012-03-26 16:29 . 2012-03-26 16:29 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Apple Computer
2012-03-26 15:52 . 2012-03-26 15:52 -------- d-----w- C:\b3120e8e74c276562e865d21
2012-03-26 15:40 . 2012-03-26 15:40 -------- d-----w- c:\documents and settings\LocalService\Application Data\Apple Computer
2012-03-26 15:39 . 2012-04-03 17:01 -------- d-----w- c:\program files\Common Files\Apple
2012-03-26 15:39 . 2012-04-03 16:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2012-03-22 07:00 . 2012-03-22 07:00 -------- d-----w- c:\program files\MSXML 4.0
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-02 23:55 . 2011-05-14 21:49 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-04-02 23:00 . 2010-04-27 04:46 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-04-01 14:46 . 2004-08-04 12:00 62976 ----a-w- c:\windows\system32\drivers\cdrom.sys
2012-03-26 20:32 . 2010-12-04 06:50 25992 ----a-w- c:\windows\system32\pgdfgsvc.exe
2012-02-03 09:22 . 2004-08-04 12:00 1860096 ----a-w- c:\windows\system32\win32k.sys
2012-01-24 02:10 . 2003-03-19 03:14 499712 ----a-w- c:\windows\system32\msvcp71.dll
2012-01-24 02:10 . 2003-02-21 11:42 348160 ----a-w- c:\windows\system32\msvcr71.dll
2012-01-11 19:06 . 2012-02-18 16:57 3072 ------w- c:\windows\system32\iacenc.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled
Secunia PSI Tray.lnk - c:\program files\Secunia\PSI\psi_tray.exe [N/A]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoFileUrl"= 0 (0x0)
"NoUpdateCheck"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\dlbtcoms.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgmfapx.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgemcx.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [7/11/2011 1:14 AM 23120]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [9/13/2011 6:30 AM 32592]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [4/3/2012 12:00 PM 331880]
R0 pctDS;PC Tools Data Store;c:\windows\system32\drivers\pctDS.sys [4/3/2012 12:01 PM 342168]
R0 pctEFA;PC Tools Extended File Attributes;c:\windows\system32\drivers\pctEFA.sys [4/3/2012 12:01 PM 909728]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [10/7/2011 6:23 AM 230608]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [7/11/2011 1:14 AM 295248]
R1 PCTSD;PC Tools Spyware Doctor Driver;c:\windows\system32\drivers\PCTSD.sys [4/3/2012 12:00 PM 185560]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [7/1/2010 11:37 PM 116608]
R2 avgfws;AVG Firewall;c:\program files\AVG\AVG2012\avgfws.exe [10/24/2011 8:29 PM 2391832]
R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2012\avgwdsvc.exe [8/2/2011 6:09 AM 192776]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\PC Tools\PC Tools Security\BDT\BDTUpdateService.exe [4/3/2012 12:08 PM 550864]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [5/23/2011 1:03 AM 30944]
R3 PCTBD;PC Tools Browser Defender Driver;c:\windows\system32\drivers\PCTBD.sys [4/3/2012 12:08 PM 56840]
S0 adwarealert;adwarealert;c:\windows\system32\DRIVERS\adwarealert.sys --> c:\windows\system32\DRIVERS\adwarealert.sys [?]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.SYS --> c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [4/1/2012 7:05 PM 253600]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [5/23/2011 1:03 AM 30944]
S3 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2012\AVGIDSAgent.exe [10/12/2011 6:25 AM 4433248]
S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [7/11/2011 1:14 AM 134608]
S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [7/11/2011 1:14 AM 24272]
S3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [10/4/2011 6:21 AM 16720]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\PC Tools\PC Tools Security\pctsAuxs.exe [4/3/2012 12:04 PM 402336]
S3 ssrangdr;ssrangdr;c:\windows\system32\drivers\ssrangdr.sys [8/20/2009 5:49 AM 2560]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [8/4/2004 8:00 AM 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2009-03-08 08:32 128512 ----a-w- c:\windows\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder
.
2012-04-09 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-01 23:55]
.
2012-04-10 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1343024091-1123561945-682003330-1004.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-11-29 21:02]
.
2012-04-03 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1343024091-1123561945-682003330-1004.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-11-29 21:02]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://messages.finance.yahoo.com/Stocks_%28A_to_Z%29/Stocks_I/messagesview?bn=9866
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
TCP: DhcpNameServer = 192.168.2.1
DPF: {7876E4A5-78B7-4020-B08F-C960A1ED54C9} - hxxp://www.surfhotelhamptonbeach.com/WinWebPush.cab
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
SafeBoot-61928864.sys
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-04-09 20:13
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1343024091-1123561945-682003330-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{FDFBF2BA-0321-8DFC-9ACC-24E1D599B3A7}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"jaehilcinedflboegfll"=hex:62,61,61,62,00,00
"jaehilcinedflboegfhp"=hex:62,61,6c,65,00,00
"iaeidhmdjlgecjndlc"=hex:6b,61,64,62,62,70,6b,6a,61,63,62,69,62,6e,6a,65,65,6f,
6a,6e,66,6d,00,00
"haohjifhbepckfmj"=hex:6b,61,64,62,63,70,6e,6a,65,66,6d,6b,67,6d,69,70,6e,6e,
61,65,69,63,00,00
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(1124)
c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
.
Completion time: 2012-04-09 20:17:00
ComboFix-quarantined-files.txt 2012-04-10 00:16
.
Pre-Run: 57,512,042,496 bytes free
Post-Run: 57,732,333,568 bytes free
.
- - End Of File - - D5B1C536E5A4FCF834E28E0D382023C9

#11 whogordon

whogordon
  • Topic Starter

  • Members
  • 33 posts
  • OFFLINE
  • Local time:09:18 AM

Posted 09 April 2012 - 07:51 PM

TDSS found nothing. ComboFix found Rootkit.ZeroAccess inserted into the TCP/IP stack, then ComboFix's second popup said a rootkit is detected and this may take some moments,
then ComboFix said rootkit activity detected, need to reboot.
PLEASE NOTE: upon reboot after finalizing the ComboFix run I was unable to connect to the internet, so I ran the Internet Connection Wizard and restored default settings to connect to the internet; then I was able to connect and post these logs to you. Hope I didn't restore the rootkit and such??

#12 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,512 posts
  • OFFLINE
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:08:18 AM

Posted 09 April 2012 - 09:00 PM

PLEASE NOTE: upon reboot after finalizing the ComboFix run I was unable to connect to the internet, so I ran the Internet Connection Wizard and restored default settings to connect to the internet; then I was able to connect and post these logs to you. Hope I didn't restore the rootkit and such??


NO, you did not restore the rootkit. How is your machine running now?

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-



#13 whogordon

whogordon
  • Topic Starter

  • Members
  • 33 posts
  • OFFLINE
  • Local time:09:18 AM

Posted 09 April 2012 - 09:10 PM

Seems to be OK now :)

#14 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,512 posts
  • OFFLINE
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:08:18 AM

Posted 09 April 2012 - 09:15 PM

Hello,

Now that your machine is running better, let's run a couple of other scans to make sure there are no leftovers.


1.
Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Important!! When you save the mbam-setup file, rename it to something random (such as 123abc.exe) before beginning the download.
Malwarebytes may "make changes to your registry" as part of its disinfection routine. If you are using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

  • Make sure you are connected to the Internet and double-click on the renamed file to install the application.
    For instructions with screenshots, please refer to this Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • Malwarebytes will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • Under the Scanner tab, make sure the "Perform Quick Scan" option is selected.
  • Click on the Scan button.
  • When finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box, then click the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked and then click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows the database version and your operating system.
  • Exit Malwarebytes when done.
Note: If Malwarebytes encounters a file that is difficult to remove, you will be asked to reboot your computer so it can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally will prevent Malwarebytes from removing all the malware.

2.
I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    • Double-click on the icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.


3.
Uninstalling A Program Through "add/remove"

Click "Start" on the taskbar and then click on the "Control Panel" icon.
Please double-click the "Add or Remove Programs" icon.
A list of installed programs will be "populated"; this may take a bit of time.
If they exist, uninstall the following by clicking on the following entries and selecting "remove":

Java 2 Runtime Environment, SE v1.4.1

Additional instructions can be found here if needed.


Things to include in your next reply:
MBAM log
Eset log
How is your machine running now?


#15 whogordon

whogordon
  • Topic Starter

  • Members
  • 33 posts
  • OFFLINE
  • Local time:09:18 AM

Posted 09 April 2012 - 09:34 PM

Malwarebytes is scanning now. When I try to remove that Java program it says "support file could not be installed. The system cannot find the file specified".
