Can't search google.ca - Cannot display webpage


  • This topic is locked
14 replies to this topic

#1 totalstu

totalstu

  • Members
  • 7 posts
  • OFFLINE
  • Local time:05:28 PM

Posted 05 April 2012 - 09:41 AM

Hi,

Had a nasty virus that was causing popups, slowdowns, and even all icons, etc. to be hidden. After running Malwarebytes, Spybot, SUPERAntiSpyware, getting rid of the free Panda AV that was on the computer and replacing it with another AV and running it, I was able to clean up the mess. At least I thought I did. One issue remains and that is google.ca. Trying to get there brings up "the page cannot be displayed". Interestingly, I can get to news.google.ca, but once I try to search from within that page I get "the page cannot be displayed". I can get to google.com and successfully use search. The hosts file on the computer looked like a mess (no text, just symbols) so I deleted it and replaced it with one from a computer having no issues. Still can't get to or search google.ca. Below are DDS and GMER logs:

DDS:
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by jmaludzinski at 17:15:46 on 2012-04-04
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3069.2189 [GMT -4:00]
.
AV: Endpoint Security Manager *Enabled/Updated* {208F4477-D1F0-411A-8D21-0367EC0D3D43}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\Program Files\Panda Software\AVTC\PskSvc.exe
C:\Program Files\Panda Software\AVTC\PavSrvX86.exe
C:\Program Files\Panda Software\AVTC\AVENGINE.EXE
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
svchost.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\NVIDIA Corporation\Performance Drivers\nvPDsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Panda Software\AVTC\PsCtrlS.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\Common Files\Portrait Displays\Drivers\pdisrvc.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Panda Software\AVTC\PsImSvc.exe
C:\Program Files\N-able Technologies\NRM\RSMWinService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\tlntsvr.exe
C:\Program Files\N-able Technologies\Windows Agent\bin\AgentMaint.exe
C:\Program Files\IIS Express\iisexpress.exe
C:\Program Files\N-able Technologies\Windows Agent\bin\agent.exe
C:\WINDOWS\system32\SearchIndexer.exe
c:\Program Files\Dell\Dell ControlPoint\System Manager\DCPSysMgrSvc.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\UltraVNC\WinVNC.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Dell\Dell ControlPoint\Dell.ControlPoint.exe
C:\Program Files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe
C:\Program Files\Dell\Dell ControlPoint\Security Manager\BcmDeviceAndTaskStatusService.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Portrait Displays\Pivot Software\wpctrl.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Panda Software\AVTC\PSCtrlC.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Philips Display\SmartControl\DTHtml.exe
C:\Program Files\Dell\Dell ControlPoint\System Manager\DCPSysMgr.exe
C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmNotify.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Common Files\Portrait Displays\Shared\HookManager.exe
C:\Program Files\Portrait Displays\Pivot Software\floater.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.ca/
TB: PCLaw Web Timer: {0e1230f8-ea50-42a9-983c-d22abc2eed4b} - c:\progra~1\lexisn~1\pclaw\plietool.dll
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [DellControlPoint] "c:\program files\dell\dell controlpoint\Dell.ControlPoint.exe"
mRun: [WavXMgr] c:\program files\wave systems corp\services manager\docmgr\bin\WavXDocMgr.exe
mRun: [USCService] c:\program files\dell\dell controlpoint\security manager\BcmDeviceAndTaskStatusService.exe
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [PivotSoftware] "c:\program files\portrait displays\pivot software\wpctrl.exe"
mRun: [DT PLP] c:\program files\common files\portrait displays\shared\DT_startup.exe -PLP
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Panda Controller Client] "c:\program files\panda software\avtc\PSCtrlC.exe"
StartupFolder: c:\docume~1\jmalud~1\startm~1\programs\startup\dellco~1.lnk - c:\program files\dell\dell controlpoint\system manager\DCPSysMgr.exe
StartupFolder: c:\docume~1\jmalud~1\startm~1\programs\startup\tdmnot~1.lnk - c:\program files\wave systems corp\trusted drive manager\TdmNotify.exe
StartupFolder: c:\docume~1\jmalud~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
mPolicies-explorer: NoWelcomeScreen = 1 (0x1)
mPolicies-system: SoftwareSASGeneration = dword:00000003
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {91d9cee5-3906-40f7-b51a-9b013b59c826} - {836ece4e-a83a-404a-9433-6b15a66cb0fc} - c:\progra~1\lexisn~1\pclaw\plietool.dll
IE: {9d2169e0-0775-4080-9b4e-90fce9945b4a} - {2741ca04-5b65-4b10-afc0-4e8387fe6bde} - c:\progra~1\lexisn~1\pclaw\plietool.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: google.ca
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
TCP: DhcpNameServer = 10.1.2.3
TCP: Interfaces\{52304729-E6F7-4695-B445-03544C1119DB} : NameServer = 4.2.2.1,10.1.2.3
TCP: Interfaces\{52304729-E6F7-4695-B445-03544C1119DB} : DhcpNameServer = 10.1.2.3
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Authentication Packages = msv1_0 wvauth
Hosts: 127.0.0.1 www.spywareinfo.com
.
============= SERVICES / DRIVERS ===============
.
R0 SFAUDIO;Sonic Focus DSP Driver;c:\windows\system32\drivers\sfaudio.sys [2010-9-22 24064]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R1 ShldDrv;Panda File Shield Driver;c:\windows\system32\drivers\Shldrv51.sys [2012-3-15 37448]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-8-11 116608]
R2 AmFSM;AmFSM;c:\windows\system32\drivers\amm8651.sys [2012-3-15 59080]
R2 dcpsysmgrsvc;Dell ControlPoint System Manager;c:\program files\dell\dell controlpoint\system manager\DCPSysMgrSvc.exe [2010-2-8 376688]
R2 NVIDIA Performance Driver Service;NVIDIA Performance Driver Service;c:\program files\nvidia corporation\performance drivers\nvPDsvc.exe [2008-12-11 3575808]
R2 Panda Software Controller;Panda Software Controller;c:\program files\panda software\avtc\PSCtrlS.exe [2012-3-15 325440]
R2 PavProc;Panda Process Protection Driver;c:\windows\system32\drivers\PavProc.sys [2012-3-15 163848]
R2 PavPrSrv;Panda Process Protection Service;c:\program files\common files\panda software\pavshld\PavPrSrv.exe [2012-3-15 62768]
R2 PavSrv;Panda Antivirus Service;c:\program files\panda software\avtc\pavsrvx86.exe [2012-3-15 313152]
R2 PdiService;Portrait Displays SDK Service;c:\program files\common files\portrait displays\drivers\pdisrvc.exe [2011-1-5 109168]
R2 PskSvc;Panda Kernel Service;c:\program files\panda software\avtc\psksvc.exe [2012-3-15 27968]
R2 RSMWebServer;RSMWebServer;c:\program files\n-able technologies\nrm\RSMWinService.exe [2012-3-15 66048]
R2 uvnc_service;uvnc_service;c:\program files\ultravnc\winvnc.exe [2012-3-15 1830856]
R2 Windows Agent Maintenance Service;Windows Agent Maintenance Service;c:\program files\n-able technologies\windows agent\bin\AgentMaint.exe [2011-12-9 28672]
R2 Windows Agent Service;Windows Agent Service;c:\program files\n-able technologies\windows agent\bin\agent.exe [2011-12-9 204800]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-10-6 136176]
S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2012-2-29 158856]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-2 253600]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-10-6 136176]
S3 PavReport;Panda Antivirus Report Service;c:\program files\panda software\panda administrator 3\pavreport\PavReport.exe [2012-3-15 926976]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2008-4-25 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2012-04-03 21:38:03 -------- d-----w- c:\program files\ESET
2012-04-03 18:21:42 -------- d-----w- c:\windows\system32\wbem\repository\FS
2012-04-03 18:21:42 -------- d-----w- c:\windows\system32\wbem\Repository
2012-04-02 13:39:55 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-03-29 02:45:04 -------- d-----w- c:\documents and settings\jmaludzinski\local settings\application data\Mozilla
2012-03-29 00:46:30 -------- d-sha-r- C:\cmdcons
2012-03-29 00:44:45 98816 ----a-w- c:\windows\sed.exe
2012-03-29 00:44:45 518144 ----a-w- c:\windows\SWREG.exe
2012-03-29 00:44:45 256000 ----a-w- c:\windows\PEV.exe
2012-03-29 00:44:45 208896 ----a-w- c:\windows\MBR.exe
2012-03-28 23:40:32 -------- d-----w- c:\documents and settings\jmaludzinski\application data\SUPERAntiSpyware.com
2012-03-28 23:40:06 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-03-28 23:40:06 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com
2012-03-28 23:19:30 -------- d-----w- c:\program files\Trend Micro
2012-03-27 14:02:12 -------- d-----w- c:\program files\common files\Cisco Systems
2012-03-16 03:45:40 -------- d-----w- c:\documents and settings\all users\application data\Sentinel
2012-03-16 03:45:23 62784 ----a-w- c:\windows\system32\pavipc.dll
2012-03-16 03:45:23 59080 ----a-w- c:\windows\system32\drivers\amm8651.sys
2012-03-16 03:45:23 55096 ----a-w- c:\windows\system32\drivers\npaflt.sys
2012-03-16 03:45:23 296256 ----a-w- c:\windows\system32\PavSHook.dll
2012-03-16 03:45:23 165184 ----a-w- c:\windows\system32\TpUtil.dll
2012-03-16 03:45:23 163848 ----a-w- c:\windows\system32\drivers\rkpavproc.sys
2012-03-16 03:45:23 107568 ----a-w- c:\windows\system32\SYSTOOLS.dll
2012-03-16 03:45:11 37448 ----a-w- c:\windows\system32\drivers\Shldrv51.sys
2012-03-16 03:45:11 163848 ----a-w- c:\windows\system32\drivers\PavProc.sys
2012-03-16 03:45:11 -------- d-----w- c:\program files\common files\Panda Software
2012-03-16 01:41:21 -------- d-----w- c:\windows\pss
2012-03-16 01:28:56 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-03-16 00:54:52 -------- d-----w- c:\program files\Windows Media Connect 2
2012-03-15 23:40:11 -------- d-----w- C:\_OTL
2012-03-15 21:39:28 -------- d-----w- c:\documents and settings\jmaludzinski\application data\Malwarebytes
2012-03-15 21:38:36 -------- d-----w- c:\program files\UltraVNC
2012-03-15 21:08:16 -------- d-----w- c:\program files\IIS Express
2012-03-15 20:38:04 -------- d-----w- c:\program files\Panda Software
2012-03-15 19:18:41 -------- d-----w- c:\program files\Spybot - Search & Destroy
2012-03-15 19:18:41 -------- d-----w- c:\documents and settings\all users\application data\Spybot - Search & Destroy
2012-03-14 18:47:06 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2012-03-14 18:47:05 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-03-14 18:47:05 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
.
==================== Find3M ====================
.
2012-04-02 14:29:08 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-03-16 01:28:34 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-02-03 09:26:17 1869184 ----a-w- c:\windows\system32\win32k.sys
2012-01-11 19:06:47 3072 ------w- c:\windows\system32\iacenc.dll
2012-01-09 16:20:25 139784 ----a-w- c:\windows\system32\drivers\rdpwd.sys
.
============= FINISH: 17:16:08.91 ===============

Hopefully I've completed this properly and someone can help.

Thanks
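The first post describes two things worth checking on any machine with this symptom pattern: a hosts file that has been overwritten with non-text content, and name resolution that works for some domains but not others. The script below is an added example (not code from the thread or from any of the tools named in it) that parses hosts-file text and the `TCP: NameServer` / `DhcpNameServer` lines DDS prints, flags search-engine hostnames that are pinned or blackholed, and reports static resolver overrides that differ from what DHCP supplied. The watched-domain list, the sample hosts file and the DDS excerpt are constructed for the example; 203.0.113.5 is an RFC 5737 documentation address, and the interface GUID is copied from the log above.

```python
"""
Added example (not from the thread): triage a Windows hosts file and the
resolver settings reported by DDS for signs of name-resolution hijacking.
All sample data below is constructed; 203.0.113.5 is an RFC 5737 test address.
"""
import ipaddress
import re

# Hostnames whose presence in a hosts file deserves a look: search engines and
# security vendors are the usual targets of hosts-file hijacks (illustrative list).
WATCHED_SUFFIXES = ("google.ca", "google.com", "bing.com", "yahoo.ca",
                    "malwarebytes.org", "bleepingcomputer.com")
LOOPBACK = {"127.0.0.1", "::1"}
LOCAL_NAMES = {"localhost", "localhost.localdomain"}


def parse_hosts(text):
    """Parse hosts-file text into (entries, problems).

    entries  -> list of (ip, [hostnames]) for well-formed lines
    problems -> human-readable notes for lines that are not valid hosts syntax
    """
    entries, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        # A hosts file is plain ASCII text; control bytes or non-ASCII content
        # means the file was overwritten or corrupted (the "symbols" in the post).
        if not line.isascii() or not line.isprintable():
            problems.append(f"line {lineno}: non-ASCII/unprintable content, file may be corrupted")
            continue
        fields = line.split()
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            problems.append(f"line {lineno}: {fields[0]!r} is not an IP address")
            continue
        if len(fields) < 2:
            problems.append(f"line {lineno}: address {ip} has no hostname")
            continue
        entries.append((ip, fields[1:]))
    return entries, problems


def watched(name):
    """True if the hostname is, or is under, one of the watched domains."""
    name = name.lower()
    return any(name == s or name.endswith("." + s) for s in WATCHED_SUFFIXES)


def flag_hosts(entries):
    """Report watched hostnames that are blackholed (loopback) or redirected."""
    findings = []
    for ip, names in entries:
        for name in names:
            if name.lower() in LOCAL_NAMES or not watched(name):
                continue
            verb = "blackholed" if ip in LOOPBACK else "redirected"
            findings.append(f"{name} {verb} to {ip}")
    return findings


# Matches the "TCP:" lines DDS prints, with or without an interface GUID.
NS_RE = re.compile(
    r"^TCP: (?:Interfaces\\\{[0-9A-Fa-f-]+\} : )?(DhcpNameServer|NameServer) = (.+)$",
    re.M)


def resolver_overrides(dds_text):
    """Return static NameServer addresses that are not among the DHCP-supplied ones."""
    dhcp, static = set(), set()
    for kind, value in NS_RE.findall(dds_text):
        bucket = dhcp if kind == "DhcpNameServer" else static
        bucket.update(v.strip() for v in value.split(",") if v.strip())
    return sorted(static - dhcp)


def triage(hosts_text, dds_text):
    """Combine the three checks into one report dictionary."""
    entries, problems = parse_hosts(hosts_text)
    return {
        "corrupt_lines": problems,
        "hijacked_hosts": flag_hosts(entries),
        "dns_overrides": resolver_overrides(dds_text),
    }


# Constructed sample hosts file: one Spybot-style blocklist entry, one line of
# binary garbage, one redirect and one blackhole of a search engine.
SAMPLE_HOSTS = (
    "# Copyright (c) 1993-1999 Microsoft Corp.\n"
    "127.0.0.1       localhost\n"
    "127.0.0.1       www.spywareinfo.com\n"
    "\x00\x01\xfe\x07 garbage\n"
    "203.0.113.5     www.google.ca\n"
    "127.0.0.1       www.bing.com\n"
)

# Constructed DDS excerpt in the same shape as the TCP: lines in the first post.
SAMPLE_DDS = (
    "TCP: DhcpNameServer = 10.1.2.3\n"
    "TCP: Interfaces\\{52304729-E6F7-4695-B445-03544C1119DB} : NameServer = 4.2.2.1,10.1.2.3\n"
    "TCP: Interfaces\\{52304729-E6F7-4695-B445-03544C1119DB} : DhcpNameServer = 10.1.2.3\n"
)

if __name__ == "__main__":
    for key, items in triage(SAMPLE_HOSTS, SAMPLE_DDS).items():
        print(f"{key}:")
        for item in items:
            print(f"  {item}")
```

Blocklist entries that point a hostname at loopback are normal output of tools such as Spybot's immunization, so the script only reports loopback or foreign addresses for the watched domains rather than every entry; on a real machine, feed it the contents of `%SystemRoot%\system32\drivers\etc\hosts` and the `TCP:` lines from the DDS log, and treat a static `NameServer` that DHCP did not supply as something to explain before assuming the resolver is clean.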



#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:05:28 PM

Posted 05 April 2012 - 11:51 PM

Hello and Welcome to Bleeping Computer!!

My name is Gringo and I'll be glad to help you with your computer problems.

I have put together some things for you to keep in mind while I am helping you, to make things go easier and faster for both of us.

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the Watch Topic Button, select Immediate Notification, and click on Proceed. This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free; however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#3 totalstu

totalstu
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:05:28 PM

Posted 07 April 2012 - 10:44 PM

Hi Gringo,

Thanks for the assistance. Just so you're aware, I'm doing all this remotely connected to the computer in question. It's a friend's computer and I'm trying to help him. I've tried using ESET online scanner but it wouldn't work. I've tried wiping the profile and starting anew but it didn't help. Thought it could be DNS so I pointed DNS to various servers but that didn't help either. Though I can ping and nslookup www.google.com, I can ping but not nslookup www.google.ca. I can get to news.google.ca but searching from there doesn't work. I also noticed I can't get to bing.com but I can go to yahoo.ca, though searching doesn't work. The combofix log follows:


ComboFix 12-04-07.03 - jmaludzinski 07/04/2012 22:47:48.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3069.2395 [GMT -4:00]
Running from: c:\temp\ComboFix.exe
AV: Endpoint Security Manager *Enabled/Updated* {208F4477-D1F0-411A-8D21-0367EC0D3D43}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\drivers\i8042prt.sys . . . is missing!!
.
.
((((((((((((((((((((((((( Files Created from 2012-03-08 to 2012-04-08 )))))))))))))))))))))))))))))))
.
.
2012-04-08 00:42 . 2012-04-08 00:45 -------- d-----w- c:\documents and settings\admin.stuart
2012-04-03 21:38 . 2012-04-03 21:38 -------- d-----w- c:\program files\ESET
2012-04-03 18:21 . 2012-04-03 18:21 -------- d-----w- c:\windows\system32\wbem\Repository
2012-04-02 13:39 . 2012-04-02 14:29 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-03-29 02:45 . 2012-03-29 02:45 -------- d-----w- c:\documents and settings\jmaludzinski\Local Settings\Application Data\Mozilla
2012-03-29 02:40 . 2012-04-08 02:47 -------- d-----w- c:\documents and settings\LocalService\Application Data\ntr
2012-03-28 23:40 . 2012-03-28 23:40 -------- d-----w- c:\documents and settings\jmaludzinski\Application Data\SUPERAntiSpyware.com
2012-03-28 23:40 . 2012-03-28 23:40 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-03-28 23:40 . 2012-03-28 23:40 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2012-03-28 23:19 . 2012-03-28 23:19 -------- d-----w- c:\program files\Trend Micro
2012-03-27 14:02 . 2012-03-27 14:02 -------- d-----w- c:\program files\Common Files\Skype
2012-03-27 14:02 . 2012-03-27 14:02 -------- d-----w- c:\program files\Common Files\Cisco Systems
2012-03-16 03:45 . 2012-03-27 14:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Sentinel
2012-03-16 03:45 . 2010-07-14 09:48 59080 ----a-w- c:\windows\system32\drivers\amm8651.sys
2012-03-16 03:45 . 2010-06-11 11:03 165184 ----a-w- c:\windows\system32\TpUtil.dll
2012-03-16 03:45 . 2010-06-11 11:02 296256 ----a-w- c:\windows\system32\PavSHook.dll
2012-03-16 03:45 . 2010-06-11 11:02 62784 ----a-w- c:\windows\system32\pavipc.dll
2012-03-16 03:45 . 2010-05-06 14:11 163848 ----a-w- c:\windows\system32\drivers\rkpavproc.sys
2012-03-16 03:45 . 2008-05-23 08:37 55096 ----a-w- c:\windows\system32\drivers\npaflt.sys
2012-03-16 03:45 . 2007-03-08 19:45 107568 ----a-w- c:\windows\system32\SYSTOOLS.dll
2012-03-16 03:45 . 2012-03-16 03:45 -------- d-----w- c:\program files\Common Files\Panda Software
2012-03-16 03:45 . 2011-02-21 11:38 37448 ----a-w- c:\windows\system32\drivers\Shldrv51.sys
2012-03-16 03:45 . 2010-05-06 14:11 163848 ----a-w- c:\windows\system32\drivers\PavProc.sys
2012-03-16 03:11 . 2008-04-14 12:00 26624 ----a-w- c:\documents and settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll
2012-03-16 01:29 . 2012-03-16 01:29 -------- d-----w- c:\program files\Common Files\Java
2012-03-16 01:28 . 2012-03-16 01:28 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-03-16 00:54 . 2012-03-16 00:54 -------- d-----w- c:\program files\Windows Media Connect 2
2012-03-15 23:40 . 2012-03-15 23:40 -------- d-----w- C:\_OTL
2012-03-15 21:39 . 2012-03-15 21:39 -------- d-----w- c:\documents and settings\jmaludzinski\Application Data\Malwarebytes
2012-03-15 21:38 . 2012-03-15 21:42 -------- d-----w- c:\program files\UltraVNC
2012-03-15 21:08 . 2012-03-15 21:39 -------- d-----w- c:\program files\IIS Express
2012-03-15 21:03 . 2012-03-15 21:03 -------- d-----w- c:\program files\Microsoft.NET
2012-03-15 20:38 . 2012-03-27 14:02 -------- d-----w- c:\program files\Panda Software
2012-03-15 19:18 . 2012-04-03 21:16 -------- d-----w- c:\program files\Spybot - Search & Destroy
2012-03-15 19:18 . 2012-03-15 21:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2012-03-14 18:47 . 2012-03-14 18:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-03-14 18:47 . 2012-03-14 18:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-03-14 18:47 . 2011-12-10 19:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-08 02:41 . 2010-09-30 14:24 0 ----a-w- c:\documents and settings\jmaludzinski\Local Settings\Application Data\WavXMapDrive.bat
2012-04-02 14:29 . 2011-08-23 13:36 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-03-16 01:28 . 2010-09-22 17:27 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-02-03 09:26 . 2008-04-25 16:16 1869184 ----a-w- c:\windows\system32\win32k.sys
2012-01-11 19:06 . 2012-02-16 17:12 3072 ------w- c:\windows\system32\iacenc.dll
2012-01-09 16:20 . 2008-04-25 21:26 139784 ----a-w- c:\windows\system32\drivers\rdpwd.sys
.
.
((((((((((((((((((((((((((((( SnapShot@2012-03-29_00.54.02 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-04-08 02:32 . 2012-04-08 02:32 16384 c:\windows\Temp\Perflib_Perfdata_77c.dat
+ 2012-04-08 02:39 . 2012-04-08 02:39 16384 c:\windows\Temp\Perflib_Perfdata_684.dat
+ 2012-03-16 00:55 . 2010-07-05 13:15 17272 c:\windows\system32\spmsg.dll
- 2008-04-25 16:16 . 2012-03-29 00:17 96766 c:\windows\system32\perfc009.dat
+ 2008-04-25 16:16 . 2012-04-08 02:36 96766 c:\windows\system32\perfc009.dat
+ 2012-03-29 01:22 . 2012-03-29 01:22 49664 c:\windows\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files\root\59e84039\ef230868\assembly\dl3\f2b23ca7\00439bd9_48e0cc01\App_GlobalResources.DLL
+ 2012-03-29 01:23 . 2012-03-29 01:23 17408 c:\windows\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files\root\59e84039\ef230868\assembly\dl3\ec4a0fd2\00f75fde_48e0cc01\App_Web_dashboard.aspx.ce1153a4.DLL
+ 2012-03-29 02:06 . 2012-03-29 02:06 10752 c:\windows\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files\root\59e84039\ef230868\assembly\dl3\df5ee727\00ca2edd_48e0cc01\App_Web_schedulenew.aspx.a535fc8e.DLL
+ 2012-03-29 02:05 . 2012-03-29 02:05 26624 c:\windows\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files\root\59e84039\ef230868\assembly\dl3\c0967cad\009dfddb_48e0cc01\App_Web_processmgmt.aspx.fa119895.DLL
+ 2012-03-29 01:22 . 2012-03-29 01:22 25600 c:\windows\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files\root\59e84039\ef230868\assembly\dl3\b0fdfc5f\002491df_48e0cc01\App_Web_default.aspx.cdcab7d2.DLL
+ 2012-03-29 01:22 . 2012-03-29 01:22 40960 c:\windows\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files\root\59e84039\ef230868\assembly\dl3\a63269a5\002c400f_49e0cc01\TaskScheduler.DLL
+ 2012-03-29 01:22 . 2012-03-29 01:22 78336 c:\windows\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files\root\59e84039\ef230868\assembly\dl3\5a7fb2a9\00439bd9_48e0cc01\App_Code.DLL
+ 2012-03-29 02:06 . 2012-03-29 02:06 10240 c:\windows\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files\root\59e84039\ef230868\assembly\dl3\4efbf7c5\00f75fde_48e0cc01\App_Web_servicebodydetails.aspx.78eba7ab.DLL
+ 2012-03-29 02:06 . 2012-03-29 02:06 23552 c:\windows\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files\root\59e84039\ef230868\assembly\dl3\13902a43\00ca2edd_48e0cc01\App_Web_servicebody.aspx.78eba7ab.DLL
+ 2012-03-29 01:22 . 2012-03-29 01:22 11264 c:\windows\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files\root\59e84039\ef230868\assembly\dl3\093a60c5\0070ccda_48e0cc01\App_Web_processgeneral.ascx.3d31ccce.DLL
+ 2012-03-29 02:06 . 2012-03-29 02:06 26112 c:\windows\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files\root\59e84039\ef230868\App_Web_yr5ej1sw.dll
+ 2012-03-29 01:22 . 2012-03-29 01:22 17920 c:\windows\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files\root\59e84039\ef230868\App_Web_vynwr5za.dll
+ 2012-03-29 02:40 . 2012-03-29 02:40 17920 c:\windows\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files\root\59e84039\ef230868\App_Web_ubblkd3o.dll
+ 2012-03-29 01:23 . 2012-03-29 01:23 35840 c:\windows\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files\root\59e84039\ef230868\App_Web_tzuknqcb.dll
+ 2012-03-29 01:22 . 2012-03-29 01:22 74752 c:\windows\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files\root\59e84039\ef230868\App_Web_sknqy0t0.dll
+ 2012-03-29 02:06 . 2012-03-29 02:06 28160 c:\windows\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files\root\59e84039\ef230868\App_Web_knyexh2z.dll
+ 2012-03-29 02:05 . 2012-03-29 02:05 54272 c:\windows\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files\root\59e84039\ef230868\App_Web_5thjq04a.dll
+ 2012-03-29 02:06 . 2012-03-29 02:06 49152 c:\windows\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files\root\59e84039\ef230868\App_Web_1fmdzfz5.dll
+ 2012-03-29 01:22 . 2012-03-29 01:22 97792 c:\windows\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files\root\59e84039\ef230868\App_Web_02fdlcis.dll
+ 2012-03-29 01:22 . 2012-03-29 01:22 6656 c:\windows\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files\root\59e84039\ef230868\assembly\dl3\e39a674f\0070ccda_48e0cc01\App_Web_general.ascx.3d31ccce.DLL
+ 2012-03-29 01:22 . 2012-03-29 01:22 5632 c:\windows\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files\root\59e84039\ef230868\assembly\dl3\e28dad97\009dfddb_48e0cc01\App_Web_servicehosted.ascx.3d31ccce.DLL
+ 2012-03-29 02:05 . 2012-03-29 02:05 9728 c:\windows\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files\root\59e84039\ef230868\assembly\dl3\dce230ee\009dfddb_48e0cc01\App_Web_processdetails.aspx.fa119895.DLL
+ 2012-03-29 01:22 . 2012-03-29 01:22 6656 c:\windows\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files\root\59e84039\ef230868\assembly\dl3\b853d5d8\0070ccda_48e0cc01\App_Web_dependancy.ascx.3d31ccce.DLL
+ 2012-03-29 02:05 . 2012-03-29 02:05 5120 c:\windows\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files\root\59e84039\ef230868\assembly\dl3\b3e15b21\009dfddb_48e0cc01\App_Web_processicon.aspx.fa119895.DLL
+ 2012-03-29 01:23 . 2012-03-29 01:23 4608 c:\windows\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files\root\59e84039\ef230868\assembly\dl3\b1930b28\002491df_48e0cc01\App_Web_remoteconnectionprogress.aspx.c626fd4d.DLL
+ 2012-03-29 01:22 . 2012-03-29 01:22 5120 c:\windows\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files\root\59e84039\ef230868\assembly\dl3\af5fbf9c\002491df_48e0cc01\App_Web_encryptpassword.aspx.f9b0821e.DLL
+ 2012-03-29 01:23 . 2012-03-29 01:23 6144 c:\windows\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files\root\59e84039\ef230868\assembly\dl3\a2e1b4ba\009dfddb_48e0cc01\App_Web_progressbar.ascx.ce1153a4.DLL
+ 2012-03-29 01:22 . 2012-03-29 01:22 6144 c:\windows\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files\root\59e84039\ef230868\assembly\dl3\91790167\0070ccda_48e0cc01\App_Web_dlls.ascx.3d31ccce.DLL
+ 2012-03-29 01:22 . 2012-03-29 01:22 6656 c:\windows\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files\root\59e84039\ef230868\assembly\dl3\8ea8c65f\009dfddb_48e0cc01\App_Web_title.ascx.3d31ccce.DLL
+ 2012-03-29 02:06 . 2012-03-29 02:06 6656 c:\windows\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files\root\59e84039\ef230868\assembly\dl3\8c48f78c\00ca2edd_48e0cc01\App_Web_reboot.aspx.a535fc8e.DLL
+ 2012-03-29 02:06 . 2012-03-29 02:06 8704 c:\windows\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files\root\59e84039\ef230868\assembly\dl3\8bd5817b\00ca2edd_48e0cc01\App_Web_linkpager.ascx.78eba7ab.DLL
+ 2012-03-29 02:40 . 2012-03-29 02:40 5632 c:\windows\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files\root\59e84039\ef230868\assembly\dl3\8921df84\00f75fde_48e0cc01\App_Web_oauthdemo.aspx.b85e697.DLL
+ 2012-03-29 02:06 . 2012-03-29 02:06 4608 c:\windows\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files\root\59e84039\ef230868\assembly\dl3\8402c8cb\00f75fde_48e0cc01\App_Web_serviceprocess.ascx.78eba7ab.DLL
+ 2012-03-29 01:22 . 2012-03-29 01:22 7680 c:\windows\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files\root\59e84039\ef230868\assembly\dl3\83a994de\0070ccda_48e0cc01\App_Web_logon.ascx.3d31ccce.DLL
+ 2012-03-29 01:22 . 2012-03-29 01:22 6144 c:\windows\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files\root\59e84039\ef230868\assembly\dl3\788baeee\009dfddb_48e0cc01\App_Web_threads.ascx.3d31ccce.DLL
+ 2012-03-29 02:40 . 2012-03-29 02:40 7168 c:\windows\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files\root\59e84039\ef230868\assembly\dl3\771fb2d0\00f75fde_48e0cc01\App_Web_ntrplugincr.aspx.b85e697.DLL
+ 2012-03-29 01:22 . 2012-03-29 01:22 4608 c:\windows\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files\root\59e84039\ef230868\assembly\dl3\767478e3\0070ccda_48e0cc01\App_Web_compactviewgraph.aspx.3d31ccce.DLL
+ 2012-03-29 02:40 . 2012-03-29 02:40 8704 c:\windows\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files\root\59e84039\ef230868\assembly\dl3\6625455c\00f75fde_48e0cc01\App_Web_ntrplugin.aspx.b85e697.DLL
+ 2012-03-29 01:22 . 2012-03-29 01:22 9216 c:\windows\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files\root\59e84039\ef230868\assembly\dl3\44043068\002491df_48e0cc01\App_Web_login.aspx.f9b0821e.DLL
+ 2012-03-29 01:22 . 2012-03-29 01:22 5632 c:\windows\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files\root\59e84039\ef230868\assembly\dl3\40b8e04f\0070ccda_48e0cc01\App_Web_openfiles.ascx.3d31ccce.DLL
+ 2012-03-29 01:22 . 2012-03-29 01:22 4608 c:\windows\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files\root\59e84039\ef230868\assembly\dl3\35170634\0070ccda_48e0cc01\App_Web_redirectpage.aspx.3d31ccce.DLL
+ 2012-03-29 01:22 . 2012-03-29 01:22 5632 c:\windows\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files\root\59e84039\ef230868\assembly\dl3\246e5bab\0070ccda_48e0cc01\App_Web_registrykeysinuse.ascx.3d31ccce.DLL
+ 2012-03-29 02:06 . 2012-03-29 02:06 6656 c:\windows\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files\root\59e84039\ef230868\assembly\dl3\13a57f17\00f75fde_48e0cc01\App_Web_serviceoperation.aspx.78eba7ab.DLL
+ 2012-03-29 01:22 . 2012-03-29 01:22 8192 c:\windows\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files\root\59e84039\ef230868\assembly\dl3\0b5c2b8f\0070ccda_48e0cc01\App_Web_servicegeneral.ascx.3d31ccce.DLL
+ 2012-03-29 02:40 . 2012-03-29 02:40 8192 c:\windows\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files\root\59e84039\ef230868\App_Web_m2xwgxb0.dll
+ 2012-03-29 01:23 . 2012-03-29 01:23 8192 c:\windows\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files\root\59e84039\ef230868\App_Web_gy2hk1vk.dll
+ 2012-03-29 01:22 . 2012-03-29 01:22 8192 c:\windows\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files\root\59e84039\ef230868\App_Web_54fbkep4.dll
+ 2012-03-15 21:20 . 2012-04-03 18:22 122968 c:\windows\system32\Restore\rstrlog.dat
+ 2008-04-25 16:16 . 2012-04-08 02:36 526310 c:\windows\system32\perfh009.dat
- 2008-04-25 16:16 . 2012-03-29 00:17 526310 c:\windows\system32\perfh009.dat
+ 2012-04-02 14:29 . 2012-04-02 14:29 353440 c:\windows\system32\Macromed\Flash\FlashUtil32_11_2_202_228_Plugin.exe
+ 2012-04-02 13:39 . 2012-04-02 13:39 353440 c:\windows\system32\Macromed\Flash\FlashUtil32_11_2_202_228_ActiveX.exe
+ 2012-04-02 13:39 . 2012-04-02 13:39 424608 c:\windows\system32\Macromed\Flash\FlashUtil32_11_2_202_228_ActiveX.dll
+ 2012-04-02 13:39 . 2012-04-02 14:29 253600 c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
+ 2012-03-29 01:22 . 2012-03-29 01:22 258048 c:\windows\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files\root\59e84039\ef230868\assembly\dl3\b1d48846\00c1fa19_49e0cc01\RSMLib.DLL
+ 2012-04-02 14:29 . 2012-04-02 14:29 8797344 c:\windows\system32\Macromed\Flash\NPSWF32_11_2_202_228.dll
+ 2012-03-29 01:22 . 2012-03-29 01:22 5516800 c:\windows\Microsoft.NET\Framework\v4.0.30319\Temporary ASP.NET Files\root\59e84039\ef230868\assembly\dl3\7dc17356\002c400f_49e0cc01\AjaxControlToolkit.DLL
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\EnabledUnlockedFDEIconOverlay]
@="{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}"
[HKEY_CLASSES_ROOT\CLSID\{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}]
2010-03-29 17:45 62832 ----a-w- c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UninitializedFdeIconOverlay]
@="{CF08DA3E-C97D-4891-A66B-E39B28DD270F}"
[HKEY_CLASSES_ROOT\CLSID\{CF08DA3E-C97D-4891-A66B-E39B28DD270F}]
2010-03-29 17:45 62832 ----a-w- c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2009-01-19 1044480]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-01-20 13586432]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-02-11 186904]
"DellControlPoint"="c:\program files\Dell\Dell ControlPoint\Dell.ControlPoint.exe" [2009-11-02 657920]
"WavXMgr"="c:\program files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe" [2010-07-21 159616]
"USCService"="c:\program files\Dell\Dell ControlPoint\Security Manager\BcmDeviceAndTaskStatusService.exe" [2010-06-22 34232]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2009-02-05 128232]
"PivotSoftware"="c:\program files\Portrait Displays\Pivot Software\wpctrl.exe" [2009-03-03 694824]
"DT PLP"="c:\program files\Common Files\Portrait Displays\Shared\DT_startup.exe" [2010-01-28 92784]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"Panda Controller Client"="c:\program files\Panda Software\AVTC\PSCtrlC.exe" [2010-07-16 152896]
.
c:\documents and settings\jmaludzinski\Start Menu\Programs\Startup\
Dell ControlPoint System Manager.lnk - c:\program files\Dell\Dell ControlPoint\System Manager\DCPSysMgr.exe [2010-2-8 1338224]
TdmNotify.lnk - c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmNotify.exe [2010-3-29 132456]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"SoftwareSASGeneration"= dword:00000003
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 wvauth
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^jmaludzinski^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\jmaludzinski\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Panda Controller Client]
2010-07-16 12:11 152896 ----a-w- c:\program files\Panda Software\AVTC\PSCtrlC.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Macromedia\\Dreamweaver MX\\Dreamweaver.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
R0 SFAUDIO;Sonic Focus DSP Driver;c:\windows\system32\drivers\sfaudio.sys [22/09/2010 4:09 PM 24064]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [22/07/2011 12:27 PM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [12/07/2011 5:55 PM 67664]
R1 ShldDrv;Panda File Shield Driver;c:\windows\system32\drivers\Shldrv51.sys [15/03/2012 11:45 PM 37448]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [11/08/2011 7:38 PM 116608]
R2 AmFSM;AmFSM;c:\windows\system32\drivers\amm8651.sys [15/03/2012 11:45 PM 59080]
R2 dcpsysmgrsvc;Dell ControlPoint System Manager;c:\program files\Dell\Dell ControlPoint\System Manager\DCPSysMgrSvc.exe [08/02/2010 5:20 PM 376688]
R2 NVIDIA Performance Driver Service;NVIDIA Performance Driver Service;c:\program files\NVIDIA Corporation\Performance Drivers\nvPDsvc.exe [11/12/2008 3:08 PM 3575808]
R2 PavProc;Panda Process Protection Driver;c:\windows\system32\drivers\PavProc.sys [15/03/2012 11:45 PM 163848]
R2 PdiService;Portrait Displays SDK Service;c:\program files\Common Files\Portrait Displays\Drivers\pdisrvc.exe [05/01/2011 3:56 PM 109168]
R2 RSMWebServer;RSMWebServer;c:\program files\N-able Technologies\NRM\RSMWinService.exe [15/03/2012 5:08 PM 66048]
R2 uvnc_service;uvnc_service;c:\program files\UltraVNC\winvnc.exe [15/03/2012 4:32 PM 1830856]
R2 Windows Agent Maintenance Service;Windows Agent Maintenance Service;c:\program files\N-able Technologies\Windows Agent\bin\AgentMaint.exe [09/12/2011 5:57 PM 28672]
R2 Windows Agent Service;Windows Agent Service;c:\program files\N-able Technologies\Windows Agent\bin\agent.exe [09/12/2011 5:57 PM 204800]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [18/03/2010 1:16 PM 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [06/10/2010 2:40 PM 136176]
S2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [29/02/2012 8:50 AM 158856]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [02/04/2012 9:39 AM 253600]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [06/10/2010 2:40 PM 136176]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [25/04/2008 12:16 PM 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [18/03/2010 1:16 PM 753504]
S4 PskSvc;Panda Kernel Service;c:\program files\Panda Software\AVTC\psksvc.exe [15/03/2012 11:45 PM 27968]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
2012-04-08 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-02 14:29]
.
2012-04-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-06 18:40]
.
2012-04-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-06 18:40]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://74.125.226.75/
IE: {{91d9cee5-3906-40f7-b51a-9b013b59c826} - {836ece4e-a83a-404a-9433-6b15a66cb0fc} - c:\progra~1\LEXISN~1\PCLaw\plietool.dll
IE: {{9d2169e0-0775-4080-9b4e-90fce9945b4a} - {2741ca04-5b65-4b10-afc0-4e8387fe6bde} - c:\progra~1\LEXISN~1\PCLaw\plietool.dll
Trusted Zone: google.ca
TCP: DhcpNameServer = 10.1.2.3
TCP: Interfaces\{52304729-E6F7-4695-B445-03544C1119DB}: NameServer = 4.2.2.1,10.1.2.3
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-04-07 22:51
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Enum\HID\Vid_046d&Pid_c05a\6&34e5fed1&0&0000\LogConf]
@DACL=(02 0000)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(724)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
.
- - - - - - - > 'lsass.exe'(780)
c:\windows\system32\wvauth.dll
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(1448)
c:\windows\system32\WININET.dll
c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\program files\Portrait Displays\Pivot Software\winphook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2012-04-07 22:53:25
ComboFix-quarantined-files.txt 2012-04-08 02:53
.
Pre-Run: 477,324,558,336 bytes free
Post-Run: 477,352,013,824 bytes free
.
- - End Of File - - 5AA5767B7B960B3E415077F8D7B1735E


I was able to stop all AV services I could find, but as you can tell I was unable to stop the Endpoint Security Manager.

Thanks

#4 gringo_pr

    Bleepin Gringo

  • Malware Response Team

Posted 07 April 2012 - 10:47 PM

Greetings

I want you to run these next,

tdsskiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please download aswMBR to your desktop.
  • Double click the aswMBR.exe icon to run it
  • it will ask to download extra definitions - ALLOW IT
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

If you have any problems running either one, come back and let me know.

Please reply with the reports from TDSSKiller and aswMBR.

Gringo
I Close My Topics If You Have Not Replied In 5 Days. If You Will Be Longer, Please Let Me Know.

If I Have Not Replied To One Of My Topics In 48 Hrs, Please Bump The Topic.

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University
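The reply above asks for the TDSSKiller report to be pasted back, and such a report runs to hundreds of "- ok" lines with the interesting entries buried among them. The script below is an added example, not part of gringo_pr's post and not code from Kaspersky's TDSSKiller: it parses a report in the line layout visible in this thread ("<hh:mm:ss.ffff> <thread-id> <body>") and lists only the objects that need a reviewer's attention, i.e. anything whose verdict is not "ok" and any "Suspicious file (Forged)" line, where the tool reports two different MD5 values for the same driver. The sample input is a constructed slice of the report posted later in the thread, with the lines printed for the infected ACPI driver kept verbatim.

```python
"""Triage a TDSSKiller report: list only the objects that are not clean.

Added example, not code from this thread or from TDSSKiller itself.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Every report line starts with a timestamp and the scanning thread id.
LINE_RE = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d{4}\s+\d+\s+(?P<body>\S.*)$")
# "<name> (<md5>) <path>": the object and the hash of its file.
FILE_RE = re.compile(r"^(?P<name>.+?)\s+\((?P<md5>[0-9a-f]{32})\)\s+(?P<path>.+)$")
# "Suspicious file (Forged): <path>. Real md5: <x>, Fake md5: <y>"
FORGED_RE = re.compile(
    r"^Suspicious file \(Forged\): (?P<path>.+?)\. "
    r"Real md5: (?P<real>[0-9a-f]{32}), Fake md5: (?P<fake>[0-9a-f]{32})$"
)
# "<name> - ok", "<name> ( <family> ) - infected", "<name> - detected <family> (0)"
VERDICT_RE = re.compile(
    r"^(?P<name>.+?)(?:\s+\(\s*(?P<family>[^()]+?)\s*\))?\s+-\s+"
    r"(?P<verdict>ok|infected|detected)(?:\s+(?P<detail>.+))?$"
)


@dataclass
class Entry:
    name: str
    path: Optional[str] = None
    md5: Optional[str] = None
    forged_real: Optional[str] = None   # "Real md5" from the Forged line
    forged_fake: Optional[str] = None   # "Fake md5" from the Forged line
    verdicts: List[Tuple[str, Optional[str]]] = field(default_factory=list)

    @property
    def needs_attention(self) -> bool:
        """True when the file is forged or any verdict is not 'ok'."""
        return self.forged_fake is not None or any(v != "ok" for v, _ in self.verdicts)


def parse_report(text: str) -> Dict[str, Entry]:
    """Group the report's lines by object name (driver, service, file)."""
    entries: Dict[str, Entry] = {}
    by_path: Dict[str, Entry] = {}
    for raw in text.splitlines():
        line = LINE_RE.match(raw.strip())
        if not line:
            continue                      # banner, separator or empty body
        body = line.group("body").strip()
        m = FILE_RE.match(body)
        if m:
            e = entries.setdefault(m["name"], Entry(m["name"]))
            e.md5, e.path = m["md5"], m["path"]
            by_path[m["path"].lower()] = e
            continue
        m = FORGED_RE.match(body)
        if m:
            e = by_path.get(m["path"].lower())
            if e is None:                 # Forged line with no preceding file line
                e = entries.setdefault(m["path"], Entry(m["path"], path=m["path"]))
            e.forged_real, e.forged_fake = m["real"], m["fake"]
            continue
        m = VERDICT_RE.match(body)
        if m:
            e = entries.setdefault(m["name"], Entry(m["name"]))
            family = m["family"]
            if family is None and m["detail"]:
                family = m["detail"].split()[0]   # "detected <family> (0)"
            e.verdicts.append((m["verdict"], family))
    return entries


def findings(entries: Dict[str, Entry]) -> List[Entry]:
    """The entries a reviewer has to look at, in report order."""
    return [e for e in entries.values() if e.needs_attention]


def describe(e: Entry) -> str:
    """One line per finding: path, forged hashes and non-ok verdicts."""
    parts = [f"{e.name}: {e.path or '(no file)'}"]
    if e.forged_fake is not None:
        parts.append(f"FORGED real md5 {e.forged_real}, fake md5 {e.forged_fake}")
    parts += [f"{v} {fam or ''}".strip() for v, fam in e.verdicts if v != "ok"]
    return "; ".join(parts)


# Constructed sample: a slice of the report posted in this thread, with the
# lines TDSSKiller printed for the infected ACPI driver kept verbatim.
SAMPLE_REPORT = r"""
10:14:43.0999 5848 ============================================================
10:14:43.0999 5848 Scan started
10:14:43.0999 5848 Mode: Manual;
10:14:44.0155 5848 !SASCORE (c0393eb99a6c72c6bef9bfc4a72b33a6) C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
10:14:44.0170 5848 !SASCORE - ok
10:14:44.0249 5848 Abiosdsk - ok
10:14:44.0311 5848 ACPI (d8fb7d1c3f5bfa3f53fe9cc6367e9e99) C:\WINDOWS\system32\DRIVERS\ACPI.sys
10:14:44.0311 5848 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\ACPI.sys. Real md5: d8fb7d1c3f5bfa3f53fe9cc6367e9e99, Fake md5: 8fd99680a539792a30e97944fdaecf17
10:14:44.0311 5848 ACPI ( Virus.Win32.Rloader.a ) - infected
10:14:44.0311 5848 ACPI - detected Virus.Win32.Rloader.a (0)
10:14:44.0327 5848 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
10:14:44.0327 5848 ACPIEC - ok
"""

if __name__ == "__main__":
    for entry in findings(parse_report(SAMPLE_REPORT)):
        print(describe(entry))
```

Run against the sample, the only finding is the ACPI entry: its file line, its forged real/fake hash pair and both Rloader verdicts are collected under one name, while the three clean objects are dropped. Paste a full report into `SAMPLE_REPORT` (or read it from the `TDSSKiller.[Version]_[Date]_[Time]_log.txt` file the reply mentions) and the same call gives the short list worth reading first.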

#5 totalstu

  • Topic Starter

Posted 09 April 2012 - 09:54 AM

Hi Gringo,

As requested:

10:14:19.0734 5796 TDSS rootkit removing tool 2.7.27.0 Apr 9 2012 09:53:37
10:14:20.0249 5796 ============================================================
10:14:20.0249 5796 Current date / time: 2012/04/09 10:14:20.0249
10:14:20.0249 5796 SystemInfo:
10:14:20.0249 5796
10:14:20.0249 5796 OS Version: 5.1.2600 ServicePack: 3.0
10:14:20.0249 5796 Product type: Workstation
10:14:20.0249 5796 ComputerName: T3500_JACK
10:14:20.0249 5796 UserName: jmaludzinski
10:14:20.0249 5796 Windows directory: C:\WINDOWS
10:14:20.0249 5796 System windows directory: C:\WINDOWS
10:14:20.0249 5796 Processor architecture: Intel x86
10:14:20.0249 5796 Number of processors: 2
10:14:20.0249 5796 Page size: 0x1000
10:14:20.0249 5796 Boot type: Normal boot
10:14:20.0249 5796 ============================================================
10:14:20.0546 5796 Drive \Device\Harddisk0\DR0 - Size: 0x7470C06000 (465.76 Gb), SectorSize: 0x200, Cylinders: 0xED81, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000050
10:14:20.0546 5796 \Device\Harddisk0\DR0:
10:14:20.0546 5796 MBR used
10:14:20.0546 5796 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x139C5, BlocksNum 0x3A37127C
10:14:20.0578 5796 Initialize success
10:14:20.0578 5796 ============================================================
10:14:43.0999 5848 ============================================================
10:14:43.0999 5848 Scan started
10:14:43.0999 5848 Mode: Manual;
10:14:43.0999 5848 ============================================================
10:14:44.0155 5848 !SASCORE (c0393eb99a6c72c6bef9bfc4a72b33a6) C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
10:14:44.0170 5848 !SASCORE - ok
10:14:44.0249 5848 Abiosdsk - ok
10:14:44.0280 5848 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS
10:14:44.0280 5848 abp480n5 - ok
10:14:44.0311 5848 ACPI (d8fb7d1c3f5bfa3f53fe9cc6367e9e99) C:\WINDOWS\system32\DRIVERS\ACPI.sys
10:14:44.0311 5848 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\ACPI.sys. Real md5: d8fb7d1c3f5bfa3f53fe9cc6367e9e99, Fake md5: 8fd99680a539792a30e97944fdaecf17
10:14:44.0311 5848 ACPI ( Virus.Win32.Rloader.a ) - infected
10:14:44.0311 5848 ACPI - detected Virus.Win32.Rloader.a (0)
10:14:44.0327 5848 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
10:14:44.0327 5848 ACPIEC - ok
10:14:44.0358 5848 ADIHdAudAddService (053a070bd25649abbbad7862aea051d0) C:\WINDOWS\system32\drivers\ADIHdAud.sys
10:14:44.0358 5848 ADIHdAudAddService - ok
10:14:44.0420 5848 AdobeFlashPlayerUpdateSvc (0d4c486a24a711a45fd83acdf4d18506) C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
10:14:44.0436 5848 AdobeFlashPlayerUpdateSvc - ok
10:14:44.0452 5848 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys
10:14:44.0452 5848 adpu160m - ok
10:14:44.0483 5848 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
10:14:44.0483 5848 aec - ok
10:14:44.0514 5848 AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys
10:14:44.0514 5848 AFD - ok
10:14:44.0530 5848 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys
10:14:44.0530 5848 agp440 - ok
10:14:44.0530 5848 agpCPQ (03a7e0922acfe1b07d5db2eeb0773063) C:\WINDOWS\system32\DRIVERS\agpCPQ.sys
10:14:44.0530 5848 agpCPQ - ok
10:14:44.0561 5848 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\system32\DRIVERS\aha154x.sys
10:14:44.0561 5848 Aha154x - ok
10:14:44.0561 5848 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys
10:14:44.0561 5848 aic78u2 - ok
10:14:44.0577 5848 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys
10:14:44.0577 5848 aic78xx - ok
10:14:44.0608 5848 Alerter (a9a3daa780ca6c9671a19d52456705b4) C:\WINDOWS\system32\alrsvc.dll
10:14:44.0624 5848 Alerter - ok
10:14:44.0639 5848 ALG (8c515081584a38aa007909cd02020b3d) C:\WINDOWS\System32\alg.exe
10:14:44.0639 5848 ALG - ok
10:14:44.0639 5848 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys
10:14:44.0639 5848 AliIde - ok
10:14:44.0655 5848 alim1541 (cb08aed0de2dd889a8a820cd8082d83c) C:\WINDOWS\system32\DRIVERS\alim1541.sys
10:14:44.0655 5848 alim1541 - ok
10:14:44.0655 5848 amdagp (95b4fb835e28aa1336ceeb07fd5b9398) C:\WINDOWS\system32\DRIVERS\amdagp.sys
10:14:44.0655 5848 amdagp - ok
10:14:44.0702 5848 AmFSM (6a99ab54701e6c3959bda27ecbbb6c66) C:\WINDOWS\system32\DRIVERS\amm8651.sys
10:14:44.0702 5848 AmFSM - ok
10:14:44.0702 5848 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\system32\DRIVERS\amsint.sys
10:14:44.0702 5848 amsint - ok
10:14:44.0717 5848 AppMgmt (d8849f77c0b66226335a59d26cb4edc6) C:\WINDOWS\System32\appmgmts.dll
10:14:44.0717 5848 AppMgmt - ok
10:14:44.0749 5848 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\system32\DRIVERS\asc.sys
10:14:44.0749 5848 asc - ok
10:14:44.0749 5848 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\system32\DRIVERS\asc3350p.sys
10:14:44.0749 5848 asc3350p - ok
10:14:44.0764 5848 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\system32\DRIVERS\asc3550.sys
10:14:44.0764 5848 asc3550 - ok
10:14:44.0811 5848 aspnet_state (776acefa0ca9df0faa51a5fb2f435705) C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe
10:14:44.0842 5848 aspnet_state - ok
10:14:44.0858 5848 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
10:14:44.0858 5848 AsyncMac - ok
10:14:44.0889 5848 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
10:14:44.0889 5848 atapi - ok
10:14:44.0889 5848 Atdisk - ok
10:14:44.0905 5848 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
10:14:44.0920 5848 Atmarpc - ok
10:14:44.0936 5848 AudioSrv (def7a7882bec100fe0b2ce2549188f9d) C:\WINDOWS\System32\audiosrv.dll
10:14:44.0936 5848 AudioSrv - ok
10:14:44.0952 5848 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
10:14:44.0952 5848 audstub - ok
10:14:44.0999 5848 b57w2k (741dfbf3a4dc41a400dbc71199564853) C:\WINDOWS\system32\DRIVERS\b57xp32.sys
10:14:44.0999 5848 b57w2k - ok
10:14:45.0014 5848 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
10:14:45.0014 5848 Beep - ok
10:14:45.0045 5848 BITS (574738f61fca2935f5265dc4e5691314) C:\WINDOWS\system32\qmgr.dll
10:14:45.0092 5848 BITS - ok
10:14:45.0108 5848 Blfp (673c79036ab4a47bb8ad555d84ffe42d) C:\WINDOWS\system32\DRIVERS\baspxp32.sys
10:14:45.0108 5848 Blfp - ok
10:14:45.0124 5848 Browser (a06ce3399d16db864f55faeb1f1927a9) C:\WINDOWS\System32\browser.dll
10:14:45.0124 5848 Browser - ok
10:14:45.0202 5848 catchme - ok
10:14:45.0217 5848 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\DRIVERS\cbidf2k.sys
10:14:45.0217 5848 cbidf - ok
10:14:45.0217 5848 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
10:14:45.0217 5848 cbidf2k - ok
10:14:45.0249 5848 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\system32\DRIVERS\cd20xrnt.sys
10:14:45.0249 5848 cd20xrnt - ok
10:14:45.0249 5848 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
10:14:45.0249 5848 Cdaudio - ok
10:14:45.0280 5848 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
10:14:45.0280 5848 Cdfs - ok
10:14:45.0280 5848 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
10:14:45.0280 5848 Cdrom - ok
10:14:45.0295 5848 Changer - ok
10:14:45.0311 5848 CiSvc (1cfe720eb8d93a7158a4ebc3ab178bde) C:\WINDOWS\system32\cisvc.exe
10:14:45.0311 5848 CiSvc - ok
10:14:45.0327 5848 ClipSrv (34cbe729f38138217f9c80212a2a0c82) C:\WINDOWS\system32\clipsrv.exe
10:14:45.0327 5848 ClipSrv - ok
10:14:45.0389 5848 clr_optimization_v2.0.50727_32 (d87acaed61e417bba546ced5e7e36d9c) C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
10:14:45.0405 5848 clr_optimization_v2.0.50727_32 - ok
10:14:45.0436 5848 clr_optimization_v4.0.30319_32 (c5a75eb48e2344abdc162bda79e16841) C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
10:14:45.0467 5848 clr_optimization_v4.0.30319_32 - ok
10:14:45.0483 5848 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\system32\DRIVERS\cmdide.sys
10:14:45.0483 5848 CmdIde - ok
10:14:45.0483 5848 COMSysApp - ok
10:14:45.0499 5848 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\system32\DRIVERS\cpqarray.sys
10:14:45.0499 5848 Cpqarray - ok
10:14:45.0530 5848 CryptSvc (3d4e199942e29207970e04315d02ad3b) C:\WINDOWS\System32\cryptsvc.dll
10:14:45.0530 5848 CryptSvc - ok
10:14:45.0545 5848 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\system32\DRIVERS\dac2w2k.sys
10:14:45.0561 5848 dac2w2k - ok
10:14:45.0577 5848 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\system32\DRIVERS\dac960nt.sys
10:14:45.0577 5848 dac960nt - ok
10:14:45.0608 5848 DcomLaunch (6b27a5c03dfb94b4245739065431322c) C:\WINDOWS\system32\rpcss.dll
10:14:45.0624 5848 DcomLaunch - ok
10:14:45.0733 5848 dcpsysmgrsvc (7ef6e8af4d06e5fdf30e93158028cb7b) c:\Program Files\Dell\Dell ControlPoint\System Manager\DCPSysMgrSvc.exe
10:14:45.0733 5848 dcpsysmgrsvc - ok
10:14:45.0780 5848 Dhcp (5e38d7684a49cacfb752b046357e0589) C:\WINDOWS\System32\dhcpcsvc.dll
10:14:45.0780 5848 Dhcp - ok
10:14:45.0795 5848 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
10:14:45.0795 5848 Disk - ok
10:14:45.0795 5848 dmadmin - ok
10:14:45.0827 5848 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
10:14:45.0842 5848 dmboot - ok
10:14:45.0842 5848 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
10:14:45.0858 5848 dmio - ok
10:14:45.0858 5848 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
10:14:45.0858 5848 dmload - ok
10:14:45.0874 5848 dmserver (57edec2e5f59f0335e92f35184bc8631) C:\WINDOWS\System32\dmserver.dll
10:14:45.0874 5848 dmserver - ok
10:14:45.0905 5848 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
10:14:45.0905 5848 DMusic - ok
10:14:45.0920 5848 Dnscache (5f7e24fa9eab896051ffb87f840730d2) C:\WINDOWS\System32\dnsrslvr.dll
10:14:45.0920 5848 Dnscache - ok
10:14:45.0936 5848 Dot3svc (0f0f6e687e5e15579ef4da8dd6945814) C:\WINDOWS\System32\dot3svc.dll
10:14:45.0936 5848 Dot3svc - ok
10:14:45.0952 5848 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\system32\DRIVERS\dpti2o.sys
10:14:45.0952 5848 dpti2o - ok
10:14:45.0952 5848 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
10:14:45.0967 5848 drmkaud - ok
10:14:45.0967 5848 DTSRVC (6be0cabf9a92c61545af965f854b3844) C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
10:14:45.0983 5848 DTSRVC - ok
10:14:45.0999 5848 EapHost (2187855a7703adef0cef9ee4285182cc) C:\WINDOWS\System32\eapsvc.dll
10:14:45.0999 5848 EapHost - ok
10:14:45.0999 5848 ERSvc (bc93b4a066477954555966d77fec9ecb) C:\WINDOWS\System32\ersvc.dll
10:14:45.0999 5848 ERSvc - ok
10:14:46.0030 5848 Eventlog (65df52f5b8b6e9bbd183505225c37315) C:\WINDOWS\system32\services.exe
10:14:46.0030 5848 Eventlog - ok
10:14:46.0045 5848 EventSystem (d4991d98f2db73c60d042f1aef79efae) C:\WINDOWS\system32\es.dll
10:14:46.0045 5848 EventSystem - ok
10:14:46.0061 5848 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
10:14:46.0061 5848 Fastfat - ok
10:14:46.0108 5848 FastUserSwitchingCompatibility (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll
10:14:46.0108 5848 FastUserSwitchingCompatibility - ok
10:14:46.0139 5848 Fax (e97d6a8684466df94ff3bc24fb787a07) C:\WINDOWS\system32\fxssvc.exe
10:14:46.0139 5848 Fax - ok
10:14:46.0155 5848 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
10:14:46.0155 5848 Fdc - ok
10:14:46.0170 5848 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
10:14:46.0170 5848 Fips - ok
10:14:46.0186 5848 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
10:14:46.0186 5848 Flpydisk - ok
10:14:46.0202 5848 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
10:14:46.0202 5848 FltMgr - ok
10:14:46.0264 5848 FontCache3.0.0.0 (8ba7c024070f2b7fdd98ed8a4ba41789) C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
10:14:46.0264 5848 FontCache3.0.0.0 - ok
10:14:46.0264 5848 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
10:14:46.0264 5848 Fs_Rec - ok
10:14:46.0280 5848 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
10:14:46.0280 5848 Ftdisk - ok
10:14:46.0295 5848 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
10:14:46.0295 5848 Gpc - ok
10:14:46.0358 5848 gupdate (f02a533f517eb38333cb12a9e8963773) C:\Program Files\Google\Update\GoogleUpdate.exe
10:14:46.0358 5848 gupdate - ok
10:14:46.0358 5848 gupdatem (f02a533f517eb38333cb12a9e8963773) C:\Program Files\Google\Update\GoogleUpdate.exe
10:14:46.0358 5848 gupdatem - ok
10:14:52.0467 5848 MBR (0x1B8) (cdb4de4bbd714f152979da2dcbef57eb) \Device\Harddisk0\DR0
10:14:52.0530 5848 \Device\Harddisk0\DR0 - ok
10:14:52.0530 5848 Boot (0x1200) (4922bededa6dcd8c968c0c0273fdbde9) \Device\Harddisk0\DR0\Partition0
10:14:52.0530 5848 \Device\Harddisk0\DR0\Partition0 - ok
10:14:52.0530 5848 ============================================================
10:14:52.0530 5848 Scan finished
10:14:52.0530 5848 ============================================================
10:14:52.0545 5840 Detected object count: 1
10:14:52.0545 5840 Actual detected object count: 1
10:15:12.0654 5840 C:\WINDOWS\system32\DRIVERS\ACPI.sys - copied to quarantine
10:15:12.0966 5840 Backup copy found, using it..
10:15:12.0982 5840 C:\WINDOWS\system32\DRIVERS\ACPI.sys - will be cured on reboot
10:15:12.0982 5840 ACPI ( Virus.Win32.Rloader.a ) - User select action: Cure
10:15:34.0559 5792 Deinitialize success




aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-04-09 10:21:22
-----------------------------
10:21:22.867 OS Version: Windows 5.1.2600 Service Pack 3
10:21:22.867 Number of processors: 2 586 0x1A05
10:21:22.867 ComputerName: T3500_JACK UserName:
10:21:23.728 Initialize success
10:23:23.733 AVAST engine defs: 12040900
10:23:30.000 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
10:23:30.000 Disk 0 Vendor: WDC_WD50 05.0 Size: 476940MB BusType: 8
10:23:30.000 Disk 0 MBR read successfully
10:23:30.016 Disk 0 MBR scan
10:23:30.047 Disk 0 Windows VISTA default MBR code
10:23:30.047 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 39 MB offset 63
10:23:30.079 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 476898 MB offset 80325
10:23:30.079 Disk 0 scanning sectors +976768065
10:23:30.157 Disk 0 scanning C:\WINDOWS\system32\drivers
10:23:36.393 Service scanning
10:23:50.178 Modules scanning
10:23:52.663 Disk 0 trace - called modules:
10:23:52.679 ntkrnlpa.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll
10:23:52.679 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a4c9030]
10:23:52.679 3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0x8a4fa028]
10:23:53.695 AVAST engine scan C:\WINDOWS
10:24:15.560 AVAST engine scan C:\WINDOWS\system32
10:26:39.102 AVAST engine scan C:\WINDOWS\system32\drivers
10:26:54.825 AVAST engine scan C:\Documents and Settings\jmaludzinski
10:28:51.484 AVAST engine scan C:\Documents and Settings\All Users
10:29:32.582 Scan finished successfully
10:30:41.214 Disk 0 MBR has been saved successfully to "C:\TEMP\MBR.dat"
10:30:41.229 The log file has been saved successfully to "C:\TEMP\aswMBR.txt"


I noticed after running those 2 tools I am now able to get to google.ca, bing.com, etc. and search successfully. One thing I find interesting is that Administrative Tools via the control panel is empty.

Thanks

Edited by totalstu, 09 April 2012 - 10:00 AM.


#6 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender: Male
  • Location: Puerto Rico

Posted 09 April 2012 - 01:07 PM

Greetings

At this time I would like you to run this script for me and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#7 totalstu

totalstu
  • Topic Starter

  • Members
  • 7 posts

Posted 09 April 2012 - 01:38 PM

Hi,

The report follows. Other than the empty "Administrative Tools" folder it looks like all else is good.


ComboFix 12-04-07.03 - jmaludzinski 09/04/2012 14:22:30.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3069.2341 [GMT -4:00]
Running from: c:\temp\ComboFix.exe
Command switches used :: c:\temp\CFScript.txt
AV: Endpoint Security Manager *Enabled/Updated* {208F4477-D1F0-411A-8D21-0367EC0D3D43}
* Resident AV is active
.
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\drivers\i8042prt.sys . . . is missing!!
.
.
((((((((((((((((((((((((( Files Created from 2012-03-09 to 2012-04-09 )))))))))))))))))))))))))))))))
.
.
2012-04-08 00:42 . 2012-04-08 00:45 -------- d-----w- c:\documents and settings\admin.stuart
2012-04-03 21:38 . 2012-04-03 21:38 -------- d-----w- c:\program files\ESET
2012-04-03 18:21 . 2012-04-03 18:21 -------- d-----w- c:\windows\system32\wbem\Repository
2012-04-02 13:39 . 2012-04-02 14:29 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-03-29 02:45 . 2012-03-29 02:45 -------- d-----w- c:\documents and settings\jmaludzinski\Local Settings\Application Data\Mozilla
2012-03-29 02:40 . 2012-04-08 03:52 -------- d-----w- c:\documents and settings\LocalService\Application Data\ntr
2012-03-28 23:40 . 2012-03-28 23:40 -------- d-----w- c:\documents and settings\jmaludzinski\Application Data\SUPERAntiSpyware.com
2012-03-28 23:40 . 2012-03-28 23:40 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-03-28 23:40 . 2012-03-28 23:40 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2012-03-28 23:19 . 2012-03-28 23:19 -------- d-----w- c:\program files\Trend Micro
2012-03-27 14:02 . 2012-03-27 14:02 -------- d-----w- c:\program files\Common Files\Skype
2012-03-27 14:02 . 2012-03-27 14:02 -------- d-----w- c:\program files\Common Files\Cisco Systems
2012-03-16 03:45 . 2012-03-27 14:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Sentinel
2012-03-16 03:45 . 2010-07-14 09:48 59080 ----a-w- c:\windows\system32\drivers\amm8651.sys
2012-03-16 03:45 . 2010-06-11 11:03 165184 ----a-w- c:\windows\system32\TpUtil.dll
2012-03-16 03:45 . 2010-06-11 11:02 296256 ----a-w- c:\windows\system32\PavSHook.dll
2012-03-16 03:45 . 2010-06-11 11:02 62784 ----a-w- c:\windows\system32\pavipc.dll
2012-03-16 03:45 . 2010-05-06 14:11 163848 ----a-w- c:\windows\system32\drivers\rkpavproc.sys
2012-03-16 03:45 . 2008-05-23 08:37 55096 ----a-w- c:\windows\system32\drivers\npaflt.sys
2012-03-16 03:45 . 2007-03-08 19:45 107568 ----a-w- c:\windows\system32\SYSTOOLS.dll
2012-03-16 03:45 . 2012-03-16 03:45 -------- d-----w- c:\program files\Common Files\Panda Software
2012-03-16 03:45 . 2011-02-21 11:38 37448 ----a-w- c:\windows\system32\drivers\Shldrv51.sys
2012-03-16 03:45 . 2010-05-06 14:11 163848 ----a-w- c:\windows\system32\drivers\PavProc.sys
2012-03-16 03:11 . 2008-04-14 12:00 26624 ----a-w- c:\documents and settings\LocalService\Application Data\Microsoft\UPnP Device Host\upnphost\udhisapi.dll
2012-03-16 01:29 . 2012-03-16 01:29 -------- d-----w- c:\program files\Common Files\Java
2012-03-16 01:28 . 2012-03-16 01:28 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-03-16 00:54 . 2012-03-16 00:54 -------- d-----w- c:\program files\Windows Media Connect 2
2012-03-15 23:40 . 2012-03-15 23:40 -------- d-----w- C:\_OTL
2012-03-15 21:39 . 2012-03-15 21:39 -------- d-----w- c:\documents and settings\jmaludzinski\Application Data\Malwarebytes
2012-03-15 21:38 . 2012-03-15 21:42 -------- d-----w- c:\program files\UltraVNC
2012-03-15 21:08 . 2012-03-15 21:39 -------- d-----w- c:\program files\IIS Express
2012-03-15 21:03 . 2012-03-15 21:03 -------- d-----w- c:\program files\Microsoft.NET
2012-03-15 20:38 . 2012-03-27 14:02 -------- d-----w- c:\program files\Panda Software
2012-03-15 19:18 . 2012-04-03 21:16 -------- d-----w- c:\program files\Spybot - Search & Destroy
2012-03-15 19:18 . 2012-03-15 21:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2012-03-14 18:47 . 2012-03-14 18:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-03-14 18:47 . 2012-03-14 18:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-03-14 18:47 . 2011-12-10 19:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-09 18:11 . 2010-09-30 14:24 0 ----a-w- c:\documents and settings\jmaludzinski\Local Settings\Application Data\WavXMapDrive.bat
2012-04-09 14:16 . 2008-04-14 00:06 187776 ----a-w- c:\windows\system32\drivers\acpi.sys
2012-04-02 14:29 . 2011-08-23 13:36 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-03-16 01:28 . 2010-09-22 17:27 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-02-03 09:26 . 2008-04-25 16:16 1869184 ----a-w- c:\windows\system32\win32k.sys
2012-01-11 19:06 . 2012-02-16 17:12 3072 ------w- c:\windows\system32\iacenc.dll
.
.
((((((((((((((((((((((((((((( SnapShot_2012-04-08_02.51.50 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-04-09 14:17 . 2012-04-09 14:17 16384 c:\windows\Temp\Perflib_Perfdata_118.dat
- 2008-04-25 16:16 . 2012-04-08 02:36 96766 c:\windows\system32\perfc009.dat
+ 2008-04-25 16:16 . 2012-04-09 14:21 96766 c:\windows\system32\perfc009.dat
+ 2012-03-15 23:48 . 2012-04-09 14:20 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2012-03-15 23:48 . 2012-03-16 03:45 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2010-09-30 14:10 . 2012-04-09 14:20 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2010-09-30 14:10 . 2012-03-16 03:45 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2012-04-09 14:12 . 2012-04-09 14:20 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2008-04-25 16:16 . 2012-04-09 14:21 526310 c:\windows\system32\perfh009.dat
- 2008-04-25 16:16 . 2012-04-08 02:36 526310 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\EnabledUnlockedFDEIconOverlay]
@="{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}"
[HKEY_CLASSES_ROOT\CLSID\{30D3C2AF-9709-4D05-9CF4-13335F3C1E4A}]
2010-03-29 17:45 62832 ----a-w- c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\UninitializedFdeIconOverlay]
@="{CF08DA3E-C97D-4891-A66B-E39B28DD270F}"
[HKEY_CLASSES_ROOT\CLSID\{CF08DA3E-C97D-4891-A66B-E39B28DD270F}]
2010-03-29 17:45 62832 ----a-w- c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2009-01-19 1044480]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-01-20 13586432]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-02-11 186904]
"DellControlPoint"="c:\program files\Dell\Dell ControlPoint\Dell.ControlPoint.exe" [2009-11-02 657920]
"WavXMgr"="c:\program files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe" [2010-07-21 159616]
"USCService"="c:\program files\Dell\Dell ControlPoint\Security Manager\BcmDeviceAndTaskStatusService.exe" [2010-06-22 34232]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2009-02-05 128232]
"PivotSoftware"="c:\program files\Portrait Displays\Pivot Software\wpctrl.exe" [2009-03-03 694824]
"DT PLP"="c:\program files\Common Files\Portrait Displays\Shared\DT_startup.exe" [2010-01-28 92784]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"Panda Controller Client"="c:\program files\Panda Software\AVTC\PSCtrlC.exe" [2010-07-16 152896]
.
c:\documents and settings\jmaludzinski\Start Menu\Programs\Startup\
Dell ControlPoint System Manager.lnk - c:\program files\Dell\Dell ControlPoint\System Manager\DCPSysMgr.exe [2010-2-8 1338224]
TdmNotify.lnk - c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmNotify.exe [2010-3-29 132456]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"SoftwareSASGeneration"= dword:00000003
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 wvauth
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^jmaludzinski^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\jmaludzinski\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Panda Controller Client]
2010-07-16 12:11 152896 ----a-w- c:\program files\Panda Software\AVTC\PSCtrlC.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Macromedia\\Dreamweaver MX\\Dreamweaver.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
R0 SFAUDIO;Sonic Focus DSP Driver;c:\windows\system32\drivers\sfaudio.sys [22/09/2010 4:09 PM 24064]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [22/07/2011 12:27 PM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [12/07/2011 5:55 PM 67664]
R1 ShldDrv;Panda File Shield Driver;c:\windows\system32\drivers\Shldrv51.sys [15/03/2012 11:45 PM 37448]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [11/08/2011 7:38 PM 116608]
R2 AmFSM;AmFSM;c:\windows\system32\drivers\amm8651.sys [15/03/2012 11:45 PM 59080]
R2 dcpsysmgrsvc;Dell ControlPoint System Manager;c:\program files\Dell\Dell ControlPoint\System Manager\DCPSysMgrSvc.exe [08/02/2010 5:20 PM 376688]
R2 NVIDIA Performance Driver Service;NVIDIA Performance Driver Service;c:\program files\NVIDIA Corporation\Performance Drivers\nvPDsvc.exe [11/12/2008 3:08 PM 3575808]
R2 PavProc;Panda Process Protection Driver;c:\windows\system32\drivers\PavProc.sys [15/03/2012 11:45 PM 163848]
R2 PdiService;Portrait Displays SDK Service;c:\program files\Common Files\Portrait Displays\Drivers\pdisrvc.exe [05/01/2011 3:56 PM 109168]
R2 PskSvc;Panda Kernel Service;c:\program files\Panda Software\AVTC\psksvc.exe [15/03/2012 11:45 PM 27968]
R2 RSMWebServer;RSMWebServer;c:\program files\N-able Technologies\NRM\RSMWinService.exe [15/03/2012 5:08 PM 66048]
R2 uvnc_service;uvnc_service;c:\program files\UltraVNC\winvnc.exe [15/03/2012 4:32 PM 1830856]
R2 Windows Agent Maintenance Service;Windows Agent Maintenance Service;c:\program files\N-able Technologies\Windows Agent\bin\AgentMaint.exe [09/12/2011 5:57 PM 28672]
R2 Windows Agent Service;Windows Agent Service;c:\program files\N-able Technologies\Windows Agent\bin\agent.exe [09/12/2011 5:57 PM 204800]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [18/03/2010 1:16 PM 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [06/10/2010 2:40 PM 136176]
S2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [29/02/2012 8:50 AM 158856]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [02/04/2012 9:39 AM 253600]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [06/10/2010 2:40 PM 136176]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [25/04/2008 12:16 PM 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [18/03/2010 1:16 PM 753504]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - 75015775
*NewlyCreated* - ASWMBR
*Deregistered* - 75015775
*Deregistered* - aswMBR
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
2012-04-09 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-02 14:29]
.
2012-04-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-06 18:40]
.
2012-04-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-06 18:40]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
IE: {{91d9cee5-3906-40f7-b51a-9b013b59c826} - {836ece4e-a83a-404a-9433-6b15a66cb0fc} - c:\progra~1\LEXISN~1\PCLaw\plietool.dll
IE: {{9d2169e0-0775-4080-9b4e-90fce9945b4a} - {2741ca04-5b65-4b10-afc0-4e8387fe6bde} - c:\progra~1\LEXISN~1\PCLaw\plietool.dll
Trusted Zone: google.ca
TCP: DhcpNameServer = 10.1.2.3
TCP: Interfaces\{52304729-E6F7-4695-B445-03544C1119DB}: NameServer = 4.2.2.1,10.1.2.3
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-75015775.sys
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-04-09 14:27
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Enum\HID\Vid_046d&Pid_c05a\6&34e5fed1&0&0000\LogConf]
@DACL=(02 0000)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(704)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\l3codeca.acm
c:\windows\system32\sirenacm.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
.
- - - - - - - > 'lsass.exe'(760)
c:\windows\system32\wvauth.dll
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(2436)
c:\windows\system32\WININET.dll
c:\program files\Wave Systems Corp\Trusted Drive Manager\TdmIconOverlay.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\program files\Portrait Displays\Pivot Software\winphook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2012-04-09 14:29:23
ComboFix-quarantined-files.txt 2012-04-09 18:29
.
Pre-Run: 477,611,999,232 bytes free
Post-Run: 477,654,532,096 bytes free
.
- - End Of File - - 9678BD378230BE9D46BF1800BBCE09E2


Thanks
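
As an added example (not part of this thread, and not ComboFix's own code): a small Python triage helper that reads the "Supplementary Scan" block of a ComboFix report like the one above, pulls out the browser start page, trusted zones and DNS settings, and flags any per-interface static NameServer entry that the DHCP server did not hand out. The sample input is constructed from the lines in the report above; the `expected` allow-list of administrator-approved resolvers is an assumption and is empty by default.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: the "Supplementary Scan" block copied from the
# ComboFix report above (ComboFix defangs URLs as "hxxp" on purpose).
SAMPLE_LOG = """\
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
IE: {{91d9cee5-3906-40f7-b51a-9b013b59c826} - {836ece4e-a83a-404a-9433-6b15a66cb0fc} - c:\\progra~1\\LEXISN~1\\PCLaw\\plietool.dll
Trusted Zone: google.ca
TCP: DhcpNameServer = 10.1.2.3
TCP: Interfaces\\{52304729-E6F7-4695-B445-03544C1119DB}: NameServer = 4.2.2.1,10.1.2.3
.
- - - - ORPHANS REMOVED - - - -
"""


@dataclass
class SupplementaryScan:
    """Fields of interest pulled out of the Supplementary Scan block."""
    start_pages: list = field(default_factory=list)
    trusted_zones: list = field(default_factory=list)
    dhcp_nameservers: list = field(default_factory=list)
    # interface GUID -> statically configured DNS servers, in the order listed
    interface_nameservers: dict = field(default_factory=dict)


# ComboFix prefixes registry-derived entries with "u" (user hive) or "m" (machine hive).
START_RE = re.compile(r"^[um]Start Page = (.+)$")
TRUSTED_RE = re.compile(r"^Trusted Zone: (.+)$")
DHCP_RE = re.compile(r"^TCP: DhcpNameServer = (.+)$")
IFACE_RE = re.compile(r"^TCP: Interfaces\\(\{[0-9A-Fa-f-]+\}): NameServer = (.+)$")


def _split_servers(value: str) -> list:
    # NameServer values are comma-separated; ignore stray whitespace.
    return [s.strip() for s in value.split(",") if s.strip()]


def parse_supplementary(text: str) -> SupplementaryScan:
    """Parse only the lines between the Supplementary Scan header and the next
    section header; everything else in the log is ignored."""
    scan = SupplementaryScan()
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("------- Supplementary Scan"):
            in_section = True
            continue
        if in_section and line.startswith("- - - -"):
            break
        if not in_section or line == ".":
            continue
        if m := START_RE.match(line):
            scan.start_pages.append(m.group(1).strip())
        elif m := TRUSTED_RE.match(line):
            scan.trusted_zones.append(m.group(1).strip())
        elif m := DHCP_RE.match(line):
            scan.dhcp_nameservers.extend(_split_servers(m.group(1)))
        elif m := IFACE_RE.match(line):
            scan.interface_nameservers[m.group(1)] = _split_servers(m.group(2))
    return scan


def flag_dns(scan: SupplementaryScan, expected=()) -> list:
    """Return one finding per statically configured DNS server that DHCP did
    not hand out and that is not on the (assumed) administrator allow-list.
    A changed resolver is where a DNS hijack would show up, so such entries
    are worth confirming with whoever manages the network."""
    baseline = set(scan.dhcp_nameservers) | set(expected)
    findings = []
    for guid, servers in sorted(scan.interface_nameservers.items()):
        for server in servers:
            if server not in baseline:
                findings.append(f"{guid}: static NameServer {server} not supplied by DHCP")
    return findings


if __name__ == "__main__":
    result = parse_supplementary(SAMPLE_LOG)
    print("start pages  :", result.start_pages)
    print("trusted zones:", result.trusted_zones)
    print("DHCP DNS     :", result.dhcp_nameservers)
    for finding in flag_dns(result):
        print("CHECK:", finding)
```

On the report above this flags 4.2.2.1 on the one interface, because DHCP only supplied 10.1.2.3; whether that static entry was set deliberately is something only the network's administrator can confirm, which is why the helper reports it rather than changing it.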

#8 gringo_pr

gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 09 April 2012 - 03:19 PM

Hello


Glad things are doing better. :thumbsup:


Let's see if this will help with what is missing.

run this first - http://download.bleepingcomputer.com/grinler/unhide.exe

then run this - http://download.bleepingcomputer.com/grinler/fakehdd/winxp-pro-32bit-sm-reset.exe



These logs are looking a lot better. But we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps.

uninstall some programs

NOTE** Because of the cleanup process some of the programs I have listed may not be in add/remove anymore. This is fine; just move to the next item on the list.

You can remove these programs using add/remove or you can use the free uninstaller from Revo (Revo does a lot better of a job)

Programs to remove

WAV to MP3 Encoder


  • Please download and install Revo Uninstaller Free
  • Double click Revo Uninstaller to run it.
  • From the list of programs double click on The Program to remove
  • When prompted if you want to uninstall click Yes.
  • Be sure the Moderate option is selected then click Next.
  • The program will run. If prompted again, click Yes.
  • When the built-in uninstaller is finished click on Next.
  • Once the program has searched for leftovers click Next.
  • Check/tick the bolded items only on the list then click Delete
  • When prompted click on Yes and then on Next.
  • Put a check on any folders that are found and select Delete
  • When prompted select Yes then on Next
  • Once done click Finish.




Clean Out Temp Files

  • This small application you may want to keep and use once a week to keep the computer clean.

    Download CCleaner from here http://www.ccleaner.com/

  • Run the installer to install the application.
  • When it gives you the option to install Yahoo toolbar uncheck the box next to it.
  • Run CCleaner. (make sure under Windows tab all the boxes of Internet Explorer and Windows explorer are checked. Under System check Empty Recycle Bin and Temporary Files. Under Application tab all the boxes should be checked).
  • Click Run Cleaner.
  • Close CCleaner.

: Malwarebytes' Anti-Malware :

  • I would like you to rerun MBAM
  • Double-click mbam icon
  • go to the update tab at the top
  • click on check for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply
  • If you accidentally close it, the log file is saved here and will be named like this:
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Download HijackThis

If you have any problems running Hijackthis see NOTE** below (Host file not read, blank notepad ...)

  • Go Here to download HijackThis Installer
  • Save HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed it will launch Hijackthis.
  • Click on the Do a system scan and save a log file button. It will scan and the log should open in notepad.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the Analyze This button; its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

NOTE**
Sometimes we have to run it like this. To run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)<--32bit
(located: C:\Program Files(86)\Trend Micro\HiJackThis\HiJackThis.exe)<--64bit
and select to run as administrator.

"information and logs"

  • In your next post I need the following

  • Log From MBAM
  • report from Hijackthis
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo

Edited by gringo_pr, 09 April 2012 - 03:20 PM.


#9 totalstu

totalstu
  • Topic Starter

  • Members
  • 7 posts

Posted 09 April 2012 - 04:40 PM

Logs, as requested.

Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.04.09.07

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
jmaludzinski :: T3500_JACK [administrator]

09/04/2012 5:07:15 PM
mbam-log-2012-04-09 (17-07-15).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 280667
Time elapsed: 4 minute(s), 40 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)



Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 5:19:51 PM, on 09/04/2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Software\AVTC\PskSvc.exe
C:\Program Files\Panda Software\AVTC\PavSrvX86.exe
C:\Program Files\Panda Software\AVTC\AVENGINE.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\NVIDIA Corporation\Performance Drivers\nvPDsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Panda Software\AVTC\PsCtrlS.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\Panda Software\Panda Administrator 3\PavReport\PavReport.exe
C:\Program Files\Common Files\Portrait Displays\Drivers\pdisrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Panda Software\AVTC\PsImSvc.exe
C:\Program Files\N-able Technologies\NRM\RSMWinService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\tlntsvr.exe
C:\Program Files\IIS Express\iisexpress.exe
C:\Program Files\N-able Technologies\Windows Agent\bin\AgentMaint.exe
C:\Program Files\N-able Technologies\Windows Agent\bin\agent.exe
C:\WINDOWS\system32\SearchIndexer.exe
c:\Program Files\Dell\Dell ControlPoint\System Manager\DCPSysMgrSvc.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\UltraVNC\WinVNC.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Dell\Dell ControlPoint\Dell.ControlPoint.exe
C:\Program Files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe
C:\Program Files\Dell\Dell ControlPoint\Security Manager\BcmDeviceAndTaskStatusService.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\Portrait Displays\Pivot Software\wpctrl.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Panda Software\AVTC\PSCtrlC.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dell\Dell ControlPoint\System Manager\DCPSysMgr.exe
C:\Program Files\Philips Display\SmartControl\DTHtml.exe
C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmNotify.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Portrait Displays\Pivot Software\floater.exe
C:\Program Files\Common Files\Portrait Displays\Shared\HookManager.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\logon.scr
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
C:\WINDOWS\system32\SearchProtocolHost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://g.msn.com/USREL/23
O3 - Toolbar: PCLaw Web Timer - {0E1230F8-EA50-42A9-983C-D22ABC2EED4B} - C:\PROGRA~1\LEXISN~1\PCLaw\plietool.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [DellControlPoint] "c:\Program Files\Dell\Dell ControlPoint\Dell.ControlPoint.exe"
O4 - HKLM\..\Run: [WavXMgr] C:\Program Files\Wave Systems Corp\Services Manager\Docmgr\bin\WavXDocMgr.exe
O4 - HKLM\..\Run: [USCService] C:\Program Files\Dell\Dell ControlPoint\Security Manager\BcmDeviceAndTaskStatusService.exe
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [PivotSoftware] "C:\Program Files\Portrait Displays\Pivot Software\wpctrl.exe"
O4 - HKLM\..\Run: [DT PLP] C:\Program Files\Common Files\Portrait Displays\Shared\DT_startup.exe -PLP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [Panda Controller Client] "C:\Program Files\Panda Software\AVTC\PSCtrlC.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Dell ControlPoint System Manager.lnk = C:\Program Files\Dell\Dell ControlPoint\System Manager\DCPSysMgr.exe
O4 - Startup: TdmNotify.lnk = C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmNotify.exe
O4 - Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra 'Tools' menuitem: Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra button: (no name) - {91d9cee5-3906-40f7-b51a-9b013b59c826} - C:\PROGRA~1\LEXISN~1\PCLaw\plietool.dll
O9 - Extra 'Tools' menuitem: PCLaw Web Timer Help - {91d9cee5-3906-40f7-b51a-9b013b59c826} - C:\PROGRA~1\LEXISN~1\PCLaw\plietool.dll
O9 - Extra button: (no name) - {9d2169e0-0775-4080-9b4e-90fce9945b4a} - C:\PROGRA~1\LEXISN~1\PCLaw\plietool.dll
O9 - Extra 'Tools' menuitem: PCLaw Web Timer - {9d2169e0-0775-4080-9b4e-90fce9945b4a} - C:\PROGRA~1\LEXISN~1\PCLaw\plietool.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = IpacsLawOffice.local
O17 - HKLM\Software\..\Telephony: DomainName = IpacsLawOffice.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{52304729-E6F7-4695-B445-03544C1119DB}: NameServer = 4.2.2.1,10.1.2.3
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = IpacsLawOffice.local
O17 - HKLM\System\CS1\Services\Tcpip\..\{52304729-E6F7-4695-B445-03544C1119DB}: NameServer = 4.2.2.1,10.1.2.3
O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: SAS Core Service (!SASCORE) - SUPERAntiSpyware.com - C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: Dell ControlPoint System Manager (dcpsysmgrsvc) - Dell Inc. - c:\Program Files\Dell\Dell ControlPoint\System Manager\DCPSysMgrSvc.exe
O23 - Service: Portrait Displays Display Tune Service (DTSRVC) - Unknown owner - C:\Program Files\Common Files\Portrait Displays\Shared\DTSRVC.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Performance Driver Service - Unknown owner - C:\Program Files\NVIDIA Corporation\Performance Drivers\nvPDsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Panda Software Controller - Panda Security - C:\Program Files\Panda Software\AVTC\PsCtrlS.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Unknown owner - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda Antivirus Report Service (PavReport) - Panda Security, S.L. - C:\Program Files\Panda Software\Panda Administrator 3\PavReport\PavReport.exe
O23 - Service: Panda Antivirus Service (PavSrv) - Panda Security, S.L. - C:\Program Files\Panda Software\AVTC\PavSrvX86.exe
O23 - Service: Portrait Displays SDK Service (PdiService) - Portrait Displays, Inc. - C:\Program Files\Common Files\Portrait Displays\Drivers\pdisrvc.exe
O23 - Service: Panda AntiSpam Engine (PMShellSrv) - Panda Software International - C:\Program Files\Panda Software\AVTC\PSKMsSvc.exe
O23 - Service: Panda IManager Service (PsImSvc) - Panda Security S.L. - C:\Program Files\Panda Software\AVTC\PsImSvc.exe
O23 - Service: Panda Kernel Service (PskSvc) - Panda Software International - C:\Program Files\Panda Software\AVTC\PskSvc.exe
O23 - Service: RSMWebServer - N-able Technologies Inc. - C:\Program Files\N-able Technologies\NRM\RSMWinService.exe
O23 - Service: SecureStorageService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Secure Storage Manager\SecureStorageService.exe
O23 - Service: ServiceLayer - Nokia - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Skype Updater (SkypeUpdate) - Skype Technologies - C:\Program Files\Skype\Updater\Updater.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: NTRU TSS v1.2.1.29 TCS (tcsd_win32.exe) - Unknown owner - C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
O23 - Service: TdmService - Wave Systems Corp. - C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
O23 - Service: uvnc_service - UltraVNC - C:\Program Files\UltraVNC\WinVNC.exe
O23 - Service: Windows Agent Maintenance Service - N-able Technologies - C:\Program Files\N-able Technologies\Windows Agent\bin\AgentMaint.exe
O23 - Service: Windows Agent Service - N-able Technologies - C:\Program Files\N-able Technologies\Windows Agent\bin\agent.exe

--
End of file - 12195 bytes


All tools ran successfully, without issue. The missing items in the "Administrative Tools" folder are now back :)

Thanks

#10 gringo_pr (Malware Response Team)

Posted 09 April 2012 - 06:36 PM

Greetings

These logs are looking very good, we are almost done!!! Just one more scan to go.

:Remove unneeded start-up entries:

This part of the fix is purely optional
These are programs that start up when you turn on your computer but don't need to be. Any of these programs you can click on their icons (or start from the control panel) and start the program when you need it. By stopping these programs you will boot up faster and your computer will work faster.

If you have any problems running Hijackthis see NOTE** below (Host file not read, blank notepad ...)

  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):

    • O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
      O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
      O4 - HKLM\..\Run: [DellControlPoint] "c:\Program Files\Dell\Dell ControlPoint\Dell.ControlPoint.exe"
      O4 - HKLM\..\Run: [USCService] C:\Program Files\Dell\Dell ControlPoint\Security Manager\BcmDeviceAndTaskStatusService.exe
      O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
      O4 - HKLM\..\Run: [PivotSoftware] "C:\Program Files\Portrait Displays\Pivot Software\wpctrl.exe"
      O4 - HKLM\..\Run: [DT PLP] C:\Program Files\Common Files\Portrait Displays\Shared\DT_startup.exe -PLP
      O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
      O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
      O4 - Startup: Dell ControlPoint System Manager.lnk = C:\Program Files\Dell\Dell ControlPoint\System Manager\DCPSysMgr.exe
      O4 - Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.

    NOTE**You can research each of those lines >here< and see if you want to keep them or not
    just copy the name between the brackets and paste into the search space
    O4 - HKLM\..\Run: [IntelliPoint]


NOTE**
Sometimes we have to run it like this. To run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)<--32bit
(located: C:\Program Files(86)\Trend Micro\HiJackThis\HiJackThis.exe)<--64bit
and select to run as administrator

Eset Online Scanner

**Note** You will need to use Internet Explorer for this scan - Vista and win 7 right click on IE shortcut and run as admin

Go to the Eset web page to run an online scanner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • click on the ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
  • When asked, allow the ActiveX control to install
    • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options
    Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Click on copy to clipboard or copy and paste the results here in this topic

Copy and paste that log as a reply to this topic

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University
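The HijackThis lines quoted in this thread (the O4 autostart entries listed above, and the O17 NameServer and O23 service lines in the log) follow a simple one-item-per-line format. As an added example, not code from the thread, from HijackThis or from BleepingComputer, here is a small Python parser that turns those lines into records and pulls out the two things a reviewer would check first: the DNS servers configured in O17 entries (relevant to the "page cannot be displayed" symptom in this thread) and O23 services whose publisher field reads "Unknown owner". The sample lines are copied from the log posted in this thread; the function and field names are my own, and an "Unknown owner" entry only means the tool could not attribute the binary, not that it is malicious.

```python
import re

# Constructed sample: five lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{52304729-E6F7-4695-B445-03544C1119DB}: NameServer = 4.2.2.1,10.1.2.3
O23 - Service: uvnc_service - UltraVNC - C:\Program Files\UltraVNC\WinVNC.exe
O23 - Service: NVIDIA Performance Driver Service - Unknown owner - C:\Program Files\NVIDIA Corporation\Performance Drivers\nvPDsvc.exe
"""

# One regex per line type handled here (assumed layout, based on the lines in the thread);
# the named groups become fields of the parsed record. Order matters: O4_run is tried first.
PATTERNS = {
    "O4_run": re.compile(
        r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\S+): \[(?P<name>[^\]]*)\] (?P<command>.*)$"
    ),
    "O4_startup": re.compile(
        r"^O4 - (?P<folder>(?:Global )?Startup): (?P<name>.+?) = (?P<command>.*)$"
    ),
    "O17": re.compile(r"^O17 - (?P<key>.+?): (?P<setting>\w+) = (?P<value>.*)$"),
    "O23": re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.*)$"),
}


def parse_hjt(text):
    """Turn HijackThis log text into a list of dict records, one per recognised line.

    Lines that match none of PATTERNS (other O-sections, the header, the footer) are skipped.
    """
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        for kind, pattern in PATTERNS.items():
            match = pattern.match(line)
            if match:
                record = {"section": line.split(" ", 1)[0], "kind": kind, "raw": line}
                record.update(match.groupdict())
                records.append(record)
                break
    return records


def nameservers(records):
    """DNS servers from O17 NameServer entries, in log order, duplicates removed.

    Comparing this list against the servers the network is supposed to use is the first
    check when only some sites fail to resolve.
    """
    seen = []
    for rec in records:
        if rec["kind"] == "O17" and rec["setting"] == "NameServer":
            for ip in rec["value"].split(","):
                ip = ip.strip()
                if ip and ip not in seen:
                    seen.append(ip)
    return seen


def unknown_owner_services(records):
    """O23 services whose publisher field is 'Unknown owner': worth a second look, not proof of anything."""
    return [rec for rec in records if rec["kind"] == "O23" and rec["owner"] == "Unknown owner"]


def startup_entries(records):
    """All O4 autostart entries as (name, command) pairs, the set the helper's optional step prunes."""
    return [(rec["name"], rec["command"]) for rec in records if rec["kind"].startswith("O4")]


if __name__ == "__main__":
    recs = parse_hjt(SAMPLE_LOG)
    print("DNS servers:", ", ".join(nameservers(recs)))
    for rec in unknown_owner_services(recs):
        print("Unattributed service:", rec["name"], "->", rec["path"])
    for name, command in startup_entries(recs):
        print("Autostart:", name, "->", command)
```

Feed the whole log to parse_hjt and compare nameservers() against the addresses the site actually uses; in this thread the log shows 4.2.2.1 and 10.1.2.3, so a reviewer would confirm those are the intended resolvers before looking elsewhere for the google.ca failure.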

#11 totalstu (Topic Starter)

Posted 10 April 2012 - 09:28 AM

Hi,

Below is the contents of the ESET scan:

C:\Documents and Settings\jmaludzinski\Local Settings\TempImages\UpdateInstaller.exe a variant of Win32/Agent.SZW trojan
C:\TEMP\TDSSKiller_Quarantine\09.04.2012_10.14.20\rtkt0000\svc0000\tsk0000.dta Win32/Agent.SUC.Gen trojan


Thanks

#12 gringo_pr (Malware Response Team)

Posted 10 April 2012 - 05:40 PM

Hello

There are some minor things in your online scan that should be removed.


delete files

  • Copy all text in the quote box (below)...to Notepad.

    @echo off
    del /f /s /q "C:\Documents and Settings\jmaludzinski\Local Settings\TempImages\UpdateInstaller.exe"
    del %0

  • Save the Notepad file on your desktop...as delfile.bat... save type as "All Files"
  • Double click on delfile.bat to execute it.
    A black CMD window will flash, then disappear...this is normal.
  • The files and folders, if found...will have been deleted and the "delfile.bat" file will also be deleted.


The rest of the Online scan is only reporting backups created during the course of this fix (C:\Qoobox\Quarantine\), and/or items located in System Restore's cache (C:\System Volume Information\). Whatever is in these folders can't harm you unless you choose to perform a manual restore. The following steps will remove these backups.




Very well done!! This is my general post for when your logs show no more signs of malware - Please let me know if you still are having problems with your computer and what these problems are.


:Why we need to remove some of our tools:

Some of the tools we have used to clean your computer were made by fellow malware fighters and are very powerful, and if used incorrectly or at the wrong time can make the computer an expensive paper weight.
They are updated all the time and some of them more than once a day so by the time you are ready to use them again they will already be outdated.

The following procedures will implement some cleanup procedures to remove these tools. It will also reset your System Restore by flushing out previous restore points and create a new restore point. It will also remove all the backups our tools may have made.
:DeFogger:

Note** Defogger only needs to be run if it was run when we first started. If you have not already run it then skip this.

  • To re-enable your Emulation drivers, double click DeFogger to run the tool.
  • The application window will appear
  • Click the Re-enable button to re-enable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK.
Your Emulation drivers are now re-enabled.

:Uninstall ComboFix:

  • turn off all active protection software
  • push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
  • please copy and paste the following into the box ComboFix /Uninstall and click OK.
  • Note the space between the X and the /Uninstall, it needs to be there.

:Remove the rest of our tools:

Please download OTCleanIt and save it to desktop. This tool will remove all the tools we used to clean your pc.
  • Double-click OTCleanIt.exe.
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes, if not delete it by yourself.
  • If asked to restart the computer, please do so
Note: If you receive a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the internet, please allow it to do so.

:The programs you can keep:

Some of the programs that we have used would be a good idea to keep and use often in helping to keep the computer clean. I use these programs on my computer.

Revo Uninstaller Free - this is the uninstaller that I had you download and works a lot better than add/remove in windows and has saved me more than once from corrupted installs and uninstalls

CCleaner - This is a good program to clean out temp files, I would use this once a week or before any malware scan to remove unwanted temp files - It has a built in registry cleaner but I would leave that alone and not use any registry cleaner

Malwarebytes' Anti-Malware The Gold standard today in antimalware scanners

:Security programs:

One of the questions I am asked all the time is "What programs do you use" I have at this time 4 computers in my home and I have this setup on all 4 of them.

  • Microsoft Security Essentials - provides real-time protection for your home PC that guards against viruses, spyware, and other malicious software.
  • WinPatrol As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge.
  • Malwarebytes' Anti-Malware Malwarebytes' Anti-Malware is a new and powerful anti-malware tool. It is
    totally free but for real-time protection you will have to pay a small one-time fee. We used this to help clean your computer and recommend keeping it and using often. (I have upgraded to the paid version of MBAM and I am glad I did)

:Security awareness:

The other question I am asked all the time is "How can I prevent this from happening again." and the short answer to that is to be aware of what is out there and how to start spotting dangers.

Here are some articles that are must reads and should be read by everybody in your household that uses the internet

internetsafety

Internet Safety for Kids

Here is some more reading for you from some of my colleagues

PC Safety and Security - What Do I Need? from my friends at Tech Support Forum

COMPUTER SECURITY - a short guide to staying safer online from my friends at Malware Removal

quoted from Tech Support Forum

Conclusion

There is no such thing as ‘perfect security’. This applies to many things, not just computer systems. Using the above guide you should be able to take all the reasonable steps you can to prevent infection. However, the most important part of all this is you, the user. Surf sensibly and think before you download a file or click on a link. Take a few moments to assess the possible risks and you should be able to enjoy all the internet has to offer.


I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can then be closed.

I Will Keep This Open For About Three Days, If Anything Comes Up - Just Come Back And Let Me Know, after that time you will have to send me a PM

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry every little bit helps.

Gringo

Edited by gringo_pr, 10 April 2012 - 05:40 PM.


#13 totalstu (Topic Starter)

Posted 11 April 2012 - 09:22 AM

Hi Gringo,

All is good. Thanks for the help. I appreciate it. I have forwarded the links you referenced to the person whose computer we were cleaning. Hopefully this won't happen to him again.

Thanks again

#14 gringo_pr (Malware Response Team)

Posted 11 April 2012 - 09:44 AM

you are more than welcome


gringo

#15 gringo_pr (Malware Response Team)

Posted 13 April 2012 - 11:51 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.



