
Browser Redirect and Bluescreens - Possible Rootkit?


This topic is locked. 31 replies to this topic.

#1 oscar the grouch

  • Members
  • 13 posts

Posted 06 April 2012 - 04:28 PM

Hi, I've been having issues with my computer crashing to a blue screen quite frequently for a few months now, but I couldn't figure out what to do about it, so I would just ignore it and restart the computer, and then it would work fine for a while. Recently, however (2-3 days ago), I've begun having issues with my browser (both IE and Firefox) redirecting to random unwanted websites the majority of the time I try to do anything on the internet. At first it was only happening occasionally, but now it happens almost every time. Today I also heard a weird noise that sounded like a radio broadcast, with no windows open or noticeable source. My computer has become nearly unusable and I don't know how to fix it; AVG isn't picking up anything to fix it. Also, I tried to run the GMER scan twice. Both times it took many hours; the first time the computer went to a bluescreen before it could complete, and the second time I got a message saying Windows was unable to save all the data for the file, the data has been lost. And then the computer froze. Please help!



.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_29
Run by User at 16:23:35 on 2012-04-06
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3519.2666 [GMT -5:00]
.
AV: AVG Internet Security 2012 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: AVG Firewall *Enabled*
.
============== Running Processes ===============
.
C:\PROGRA~1\AVG\AVG2012\avgrsx.exe
C:\Program Files\AVG\AVG2012\avgcsrvx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Sony\Content Transfer\ContentTransferWMDetector.exe
C:\Program Files\AVG\AVG2012\avgtray.exe
C:\Program Files\AVG Secure Search\vprot.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\WINDOWS\system32\ctfmon.exe
svchost.exe
C:\Program Files\Adobe\Elements 10 Organizer\PhotoshopElementsFileAgent.exe
C:\WINDOWS\System32\svchost.exe -k Akamai
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG2012\avgfws.exe
C:\Program Files\AVG\AVG2012\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\AVG\AVG2012\avgnsx.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Microsoft Application Virtualization Client\sftvsa.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\10.2.0\ToolbarUpdater.exe
C:\Program Files\Webroot\Washer\WasherSvc.exe
C:\Program Files\Microsoft Application Virtualization Client\sftlist.exe
C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AVG\AVG2012\avgcsrvx.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.ca/
uInternet Settings,ProxyOverride = *.local
mURLSearchHooks: H - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg2012\avgssie.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AVG Security Toolbar: {95b7759c-8c7f-4bf1-b163-73684a933233} - c:\program files\avg secure search\10.2.0.3\AVG Secure Search_toolbar.dll
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
TB: AVG Security Toolbar: {95b7759c-8c7f-4bf1-b163-73684a933233} - c:\program files\avg secure search\10.2.0.3\AVG Secure Search_toolbar.dll
{e7df6bff-55a5-4eb7-a673-4ed3e9456d39}
uRun: [Window Washer] c:\program files\webroot\washer\wwDisp.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
mRun: [ContentTransferWMDetector.exe] c:\program files\sony\content transfer\ContentTransferWMDetector.exe
mRun: [AVG_TRAY] "c:\program files\avg\avg2012\avgtray.exe"
mRun: [vProt] "c:\program files\avg secure search\vprot.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [ROC_roc_dec12] "c:\program files\avg secure search\ROC_roc_dec12.exe" /PROMPT /CMPID=roc_dec12
mRun: [AdobeAAMUpdater-1.0] "c:\program files\common files\adobe\oobe\pdapp\uwa\UpdaterStartupUtility.exe"
mRun: [Nero MediaHome 4] "c:\program files\nero\nero mediahome 4\NeroMediaHome.exe" /AUTORUN
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Open with WordPerfect - c:\program files\wordperfect office x3\programs\WPLauncher.hta
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20614.www2.hp.com/ediags/gmd/Install/Cab/hpdetect118.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.100.254
TCP: Interfaces\{A9928F7A-C582-4E20-9408-D642EAC2D4BD} : DhcpNameServer = 192.168.100.254
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg2012\avgpp.dll
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\common files\avg secure search\viprotocolinstaller\10.2.0\ViProtocol.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\user\application data\mozilla\firefox\profiles\4kshqav4.default\
FF - prefs.js: keyword.URL - hxxp://isearch.avg.com/search?cid=%7B09a627d3-8224-4899-8eb1-ea32701d241a%7D&mid=9f17dd86a46f550baa14ee006f37998b-1398b60cbf8cc162abba205a69bb4929bff51bc3&ds=AVG&v=10.0.0.7&lang=en&pr=pr&d=2011-11-25%2022%3A16%3A55&sap=ku&q=
FF - plugin: c:\progra~1\micros~2\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_2_202_228.dll
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2011-7-11 23120]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2011-9-13 32592]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2011-10-7 230608]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-8-8 40016]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2011-7-11 295248]
R2 AdobeActiveFileMonitor10.0;Adobe Active File Monitor V10;c:\program files\adobe\elements 10 organizer\PhotoshopElementsFileAgent.exe [2011-9-14 169624]
R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2008-4-13 39936]
R2 avgfws;AVG Firewall;c:\program files\avg\avg2012\avgfws.exe [2011-10-24 2391832]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2012\AVGIDSAgent.exe [2011-10-12 4433248]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg2012\avgwdsvc.exe [2011-8-2 192776]
R2 cvhsvc;Client Virtualization Handler;c:\program files\common files\microsoft shared\virtualization handler\CVHSVC.EXE [2012-1-4 822624]
R2 sftlist;Application Virtualization Client;c:\program files\microsoft application virtualization client\sftlist.exe [2011-10-1 508776]
R2 vToolbarUpdater10.2.0;vToolbarUpdater10.2.0;c:\program files\common files\avg secure search\vtoolbarupdater\10.2.0\ToolbarUpdater.exe [2012-3-12 918880]
R2 wwEngineSvc;Window Washer Engine;c:\program files\webroot\washer\WasherSvc.exe [2009-12-8 388936]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2011-5-23 30944]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2011-7-11 134608]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2011-7-11 24272]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2011-10-4 16720]
R3 Sftfs;Sftfs;c:\windows\system32\drivers\Sftfsxp.sys [2009-12-2 584680]
R3 Sftplay;Sftplay;c:\windows\system32\drivers\Sftplayxp.sys [2009-12-2 209512]
R3 Sftredir;Sftredir;c:\windows\system32\drivers\Sftredirxp.sys [2009-12-2 20584]
R3 Sftvol;Sftvol;c:\windows\system32\drivers\Sftvolxp.sys [2009-12-2 18280]
R3 sftvsa;Application Virtualization Service Agent;c:\program files\microsoft application virtualization client\sftvsa.exe [2011-10-1 219496]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-3-30 253600]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2011-5-23 30944]
S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [2011-4-14 27064]
.
=============== Created Last 30 ================
.
2012-04-06 17:39:52 -------- d-sh--w- C:\found.002
2012-04-06 03:43:40 947 ----a-w- c:\documents and settings\all users\application data\cftcaaa.tmp
2012-04-03 17:20:02 937 ----a-w- c:\documents and settings\all users\application data\qgzcaaa.tmp
2012-03-31 02:29:00 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
.
==================== Find3M ====================
.
2012-03-31 03:26:22 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-03-27 18:43:35 848 --sha-w- c:\windows\system32\KGyGaAvL.sys
2012-02-03 09:22:18 1860096 ----a-w- c:\windows\system32\win32k.sys
2012-01-11 19:06:47 3072 ------w- c:\windows\system32\iacenc.dll
2012-01-09 16:20:25 139784 ----a-w- c:\windows\system32\drivers\rdpwd.sys
.
============= FINISH: 16:25:00.50 ===============
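A triage helper for the DDS file listing above, as an added example that is not part of the original post or of the DDS tool itself. It parses the "Created Last 30" / "Find3M" entry format (the field layout of date, time, size or dashes, an 8-character attribute field and a path is assumed from the lines in the log) and flags two things a malware-response helper looks at first: hidden+system files under the Windows directory, and short random-looking .tmp files dropped directly into the shared Application Data root. The flags mark entries to inspect (publisher signature, creation time, what loads them), not a malware verdict; legitimate licensing and system components also set the hidden+system attributes. The sample lines are copied from the log above.

```python
"""
Triage helper for DDS-style file listings.

Added example, not code from the thread or from the DDS tool. It parses the
"Created Last 30" / "Find3M" entry format DDS prints and flags entries that a
malware-response helper would look at first. Flags are prompts for inspection,
not verdicts: hidden+system files are also used by legitimate components.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Format of one DDS file entry (assumption based on the lines in the log above):
#   <YYYY-MM-DD> <HH:MM:SS> <size | -------->  <8 attribute flags>  <path>
# Attribute letters seen in DDS output: d=directory, s=system, h=hidden,
# a=archive, w=writable; '-' means the flag is clear.
ENTRY_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<size>\S+)\s+(?P<attrs>[-a-z]{8})\s+(?P<path>.+?)\s*$"
)

SHARED_DATA_ROOT = "\\all users\\application data"  # XP equivalent of ProgramData
WINDIR = "c:\\windows"
# Short, lowercase, letters-only .tmp names, like cftcaaa.tmp / qgzcaaa.tmp above.
RANDOM_TMP_RE = re.compile(r"^[a-z]{6,8}\.tmp$")


@dataclass
class Entry:
    date: str
    size: Optional[int]   # None for directories, which DDS prints as "--------"
    attrs: str
    path: str

    @property
    def is_dir(self) -> bool:
        return "d" in self.attrs

    @property
    def hidden_and_system(self) -> bool:
        return "h" in self.attrs and "s" in self.attrs

    @property
    def parent(self) -> str:
        return self.path.rsplit("\\", 1)[0].lower()

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1].lower()


def parse_entries(text: str) -> List[Entry]:
    """Parse DDS file-entry lines; header lines and lone '.' lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        size = int(m["size"]) if m["size"].isdigit() else None
        entries.append(Entry(m["date"], size, m["attrs"], m["path"]))
    return entries


def triage(entries: List[Entry]) -> List[Tuple[str, str]]:
    """Return (path, reason) pairs worth a closer look. Directories are ignored."""
    findings = []
    for e in entries:
        if e.is_dir:
            continue
        if e.hidden_and_system and e.parent.startswith(WINDIR):
            findings.append((e.path, "hidden+system file under the Windows directory; "
                                     "check its publisher signature and creation time"))
        if e.parent.endswith(SHARED_DATA_ROOT) and RANDOM_TMP_RE.match(e.name):
            findings.append((e.path, "random-looking .tmp dropped directly in the shared "
                                     "Application Data root; check what wrote it"))
    return findings


def triage_text(text: str) -> List[Tuple[str, str]]:
    return triage(parse_entries(text))


# Sample input: six entries copied from the DDS "Created Last 30" / "Find3M"
# sections in the post above.
SAMPLE_DDS = r"""
2012-04-06 17:39:52 -------- d-sh--w- C:\found.002
2012-04-06 03:43:40 947 ----a-w- c:\documents and settings\all users\application data\cftcaaa.tmp
2012-04-03 17:20:02 937 ----a-w- c:\documents and settings\all users\application data\qgzcaaa.tmp
2012-03-31 02:29:00 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-03-27 18:43:35 848 --sha-w- c:\windows\system32\KGyGaAvL.sys
2012-02-03 09:22:18 1860096 ----a-w- c:\windows\system32\win32k.sys
"""

if __name__ == "__main__":
    for path, reason in triage_text(SAMPLE_DDS):
        print(f"{path}\n    -> {reason}")
```

Run against the sample, the three flagged entries are the two .tmp files and the hidden+system KGyGaAvL.sys; the Flash and win32k.sys entries and the found.002 directory are not flagged. Paste the relevant sections of a full DDS log into `triage_text` to get the same short list for a new case.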



#2 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender: Male
  • Location: Puerto Rico

Posted 07 April 2012 - 03:27 AM

Hello and Welcome to Bleeping Computer!!

My name is Gringo and I'll be glad to help you with your computer problems.

I have put together some things for you to keep in mind while I am helping you, to make things go easier and faster for both of us.

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the Watch Topic Button, select Immediate Notification, and click on Proceed. This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion," please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#3 gringo_pr

  • Malware Response Team

Posted 09 April 2012 - 11:22 PM

Hello

48 Hour bump

It has been more than 48 hours since my last post.

  • do you still need help with this?
  • do you need more time?
  • are you having problems following my instructions?
  • if after 48hrs you have not replied to this thread then it will have to be closed!

Gringo

#4 gringo_pr

  • Malware Response Team

Posted 12 April 2012 - 11:42 PM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.

#5 gringo_pr

  • Malware Response Team

Posted 13 April 2012 - 03:12 PM

This topic has been re-opened at the request of the person who originally posted.

#6 oscar the grouch
  • Topic Starter

  • Members
  • 13 posts

Posted 14 April 2012 - 11:29 AM

Hi Gringo, Thanks for reopening the topic.

The computer is still having its browser redirected almost every time I try to search, and is also freezing a lot. Here is the combofix log. Thanks!

I just tried to post the combofix log, but the site wouldn't let me post it because it was too long. I notice you ask in your signature for all files to be copied and pasted rather than attached; what should I do?

#7 gringo_pr

  • Malware Response Team

Posted 14 April 2012 - 03:33 PM

upload it to mediafire.com and send me the link here


gringo

#8 oscar the grouch
  • Topic Starter

  • Members
  • 13 posts

Posted 14 April 2012 - 04:00 PM

Never used mediafire before, but I think I did this right.

http://www.mediafire.com/?08f1lnk4hih09nb


EDIT: you did very well



ComboFix 12-04-14.02 - User 04/14/2012 11:04:13.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3519.2723 [GMT -5:00]
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
AV: AVG Internet Security 2012 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: AVG Firewall *Enabled* {8decf618-9569-4340-b34a-d78d28969b66}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\cftcaaa.tmp
c:\documents and settings\All Users\Application Data\qgzcaaa.tmp
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\All Users\Application Data\TEMP\0B4227B4.TMP
c:\documents and settings\All Users\Application Data\TEMP\AVG\avgmfapx.exe
c:\documents and settings\All Users\Application Data\TEMP\AVG\avgmfarx.dll
c:\documents and settings\All Users\Application Data\TEMP\AVG\avgntdumpx.exe
c:\documents and settings\All Users\Application Data\TEMP\AVG\avgrunasx.exe
c:\documents and settings\All Users\Application Data\TEMP\AVG\avi7.avg
c:\documents and settings\All Users\Application Data\TEMP\AVG\compat.ini
c:\documents and settings\All Users\Application Data\TEMP\AVG\htmlayout.dll
c:\documents and settings\All Users\Application Data\TEMP\AVG\incavi.avm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_cz.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_da.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_es.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_fr.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_ge.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_hu.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_id.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_in.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_it.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_jp.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_ko.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_ms.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_nl.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_pb.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_pl.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_pt.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_ru.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_sc.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_sk.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_sp.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_tr.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_us.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_zh.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_zt.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfaconf.txt
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfacz.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfada.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfaes.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfafr.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfage.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfahu.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfaid.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfain.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfait.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfajp.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfako.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfams.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfanl.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfapb.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfapl.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfapt.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfaru.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfasc.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfask.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfasp.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfatr.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfaus.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfavera.txt
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfaverx.txt
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfazh.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\mfazt.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\microavi.avg
c:\documents and settings\All Users\Application Data\TEMP\AVG\miniavi.avg
c:\documents and settings\All Users\Application Data\TEMP\AVG\setup.exe
c:\documents and settings\All Users\Application Data\TEMP\AVG\setup.ini
c:\windows\expl.dat
c:\windows\SwSys1.bmp
c:\windows\SwSys2.bmp
c:\windows\system32\Cache
c:\windows\system32\Cache\1bc72bd4927932dc.fb
c:\windows\system32\Cache\272512937d9e61a4.fb
c:\windows\system32\Cache\287204568329e189.fb
c:\windows\system32\Cache\28bc8f716fd76a47.fb
c:\windows\system32\Cache\2c53092c95605355.fb
c:\windows\system32\Cache\3917078cb68ec657.fb
c:\windows\system32\Cache\590ba23ce359fd0c.fb
c:\windows\system32\Cache\610289e025a3ee9a.fb
c:\windows\system32\Cache\651c5d3cdbfb8bd1.fb
c:\windows\system32\Cache\6c59ac5e7e7a3ad0.fb
c:\windows\system32\Cache\708e96fbae65595c.fb
c:\windows\system32\Cache\a8556537add6dfc5.fb
c:\windows\system32\Cache\ad10a52aff5e038d.fb
c:\windows\system32\Cache\adceee72dfaed515.fb
c:\windows\system32\Cache\c4d28dca2e7648be.fb
c:\windows\system32\Cache\cac3182074a93cf7.fb
c:\windows\system32\Cache\d201ef9910cd39de.fb
c:\windows\system32\Cache\d2e94710a5708128.fb
c:\windows\system32\Cache\d79b9dfe81484ec4.fb
c:\windows\system32\Cache\e0de16f883bea794.fb
c:\windows\system32\dllc.dat
c:\windows\system32\svch.dat
c:\windows\system32\system
c:\windows\system32\winl.dat
.
Infected copy of c:\windows\system32\winlogon.exe was found and disinfected
Restored copy from - c:\windows\ERDNT\cache\winlogon.exe
.
Infected copy of c:\windows\system32\svchost.exe was found and disinfected
Restored copy from - c:\windows\ERDNT\cache\svchost.exe
.
c:\windows\explorer.exe . . . is infected!!
.
.
((((((((((((((((((((((((( Files Created from 2012-03-14 to 2012-04-14 )))))))))))))))))))))))))))))))
.
.
2012-04-13 23:26 . 2012-04-13 23:26 4139680 ----a-w- c:\windows\system32\FlashPlayerInstaller.exe
2012-04-08 02:29 . 2012-04-08 02:29 -------- d-----w- c:\program files\iPod
2012-04-08 02:27 . 2012-04-08 02:27 -------- d-----w- c:\program files\Bonjour
2012-04-08 02:23 . 2012-04-08 02:23 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin7.dll
2012-04-08 02:23 . 2012-04-08 02:23 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin6.dll
2012-04-08 02:23 . 2012-04-08 02:23 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin5.dll
2012-04-08 02:23 . 2012-04-08 02:23 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin4.dll
2012-04-08 02:23 . 2012-04-08 02:23 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin3.dll
2012-04-08 02:23 . 2012-04-08 02:23 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin2.dll
2012-04-08 02:23 . 2012-04-08 02:23 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin.dll
2012-04-08 02:23 . 2012-04-08 02:23 -------- d-----w- c:\program files\QuickTime
2012-04-07 05:46 . 2012-04-07 05:46 -------- d-sh--w- c:\windows\ftpcache
2012-04-07 01:54 . 2012-04-08 03:35 -------- d-----w- c:\program files\AVG Secure Search
2012-04-06 17:39 . 2012-04-06 17:39 -------- d-----w- C:\found.002
2012-04-06 03:13 . 2012-04-06 03:13 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Apple
2012-04-06 03:10 . 2012-04-06 03:12 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Apple Computer
2012-04-06 03:10 . 2012-04-06 03:10 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Apple Computer
2012-04-03 23:58 . 2012-04-03 23:58 -------- d-----w- c:\documents and settings\NeroMediaHomeUser.4\Application Data\Nero
2012-04-03 16:54 . 2012-04-03 16:54 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2012-03-31 02:29 . 2012-04-13 23:26 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-13 23:26 . 2011-05-13 18:44 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-03-01 11:01 . 2008-04-14 03:42 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-03-01 11:01 . 2008-04-14 03:42 916992 ----a-w- c:\windows\system32\wininet.dll
2012-03-01 11:01 . 2008-04-14 03:41 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-02-29 14:10 . 2008-04-14 03:42 177664 ----a-w- c:\windows\system32\wintrust.dll
2012-02-29 14:10 . 2008-04-14 03:41 148480 ----a-w- c:\windows\system32\imagehlp.dll
2012-02-29 12:17 . 2008-04-13 22:07 385024 ----a-w- c:\windows\system32\html.iec
2012-02-15 16:01 . 2011-09-27 21:24 4547944 ----a-w- c:\windows\system32\usbaaplrc.dll
2012-02-15 16:01 . 2011-09-27 21:24 43520 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2012-02-03 09:22 . 2008-04-13 23:00 1860096 ----a-w- c:\windows\system32\win32k.sys
2011-04-14 16:26 . 2011-05-02 22:31 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[7] 2008-04-14 . ED0EF0A136DEC83DF69F04118870003E . 507904 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\winlogon.exe
[-] 2008-04-14 . 84A84F5183410B4AE206927E63EA8D93 . 545280 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe
.
[7] 2008-04-14 . 27C6D03BCDB8CFEB96B716F3D8BE3E18 . 14336 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\svchost.exe
[-] 2008-04-14 . 29EFA4DFFF4BA6587C65A8260B3351F2 . 39936 . . [5.1.2600.5512] . . c:\windows\system32\svchost.exe
.
[7] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\ERDNT\cache\explorer.exe
[-] 2008-04-14 . 9A5BEC3EF331D6F79717F34404A46D9E . 1058816 . . [6.00.2900.5512] . . c:\windows\explorer.exe
.
((((((((((((((((((((((((((((( SnapShot@2010-02-06_00.12.19 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-04-19 03:51 . 2011-04-19 03:51 51024 c:\windows\WinSxS\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.30729.6161_x-ww_4ddc769f\vcomp90.dll
+ 2011-01-11 15:59 . 2011-01-11 15:59 51024 c:\windows\WinSxS\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.30729.5570_x-ww_214ee422\vcomp90.dll
+ 2009-07-12 05:02 . 2009-07-12 05:02 51008 c:\windows\WinSxS\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_f0ccd4aa\vcomp90.dll
+ 2007-11-07 07:19 . 2007-11-07 07:19 54272 c:\windows\WinSxS\x86_Microsoft.VC90.OpenMP_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_ecc42bd1\vcomp90.dll
hf_mig$\KB2416400-IE8\SP3QFE\ieframe.dll
+ 2010-09-10 16:27 . 2010-09-10 16:27 11082240 c:\windows\$hf_mig$\KB2360131-IE8\SP3QFE\ieframe.dll
+ 2010-08-12 03:28 . 2010-06-24 12:24 11079168 c:\windows\$hf_mig$\KB2183461-IE8\SP3QFE\ieframe.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}]
2012-04-08 03:35 1869152 ----a-w- c:\program files\AVG Secure Search\10.2.0.3\AVG Secure Search_toolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{95B7759C-8C7F-4BF1-B163-73684A933233}"= "c:\program files\AVG Secure Search\10.2.0.3\AVG Secure Search_toolbar.dll" [2012-04-08 1869152]
.
[HKEY_CLASSES_ROOT\clsid\{95b7759c-8c7f-4bf1-b163-73684a933233}]
[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj.1]
[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Window Washer"="c:\program files\Webroot\Washer\wwDisp.exe" [2007-08-09 1261384]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ContentTransferWMDetector.exe"="c:\program files\Sony\Content Transfer\ContentTransferWMDetector.exe" [2009-11-19 583016]
"AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2012-01-24 2416480]
"vProt"="c:\program files\AVG Secure Search\vprot.exe" [2012-04-08 982880]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-31 7634944]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-01-04 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2011-06-16 499608]
"Nero MediaHome 4"="c:\program files\Nero\Nero MediaHome 4\NeroMediaHome.exe" [2009-06-23 4891944]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-03-27 421736]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-01-02 16:07 843712 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2012-01-04 04:51 37296 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Akamai NetSession Interface]
2011-12-07 04:43 3305248 ----a-w- c:\documents and settings\User\Local Settings\Application Data\Akamai\netsession_win.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 03:42 15360 ------w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2011-05-10 08:41 49208 ----a-w- c:\program files\HP\HP Software Update\hpwuschd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2012-03-27 10:09 421736 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2010-04-17 04:12 3872080 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Nero MediaHome 4]
2009-06-23 20:59 4891944 ----a-w- c:\program files\Nero\Nero MediaHome 4\NeroMediaHome.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2006-10-31 06:35 7634944 ----a-w- c:\windows\system32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2006-10-31 06:35 86016 ----a-w- c:\windows\system32\nvmctray.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2006-10-31 06:35 1622016 ----a-w- c:\windows\system32\nwiz.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickFinder Scheduler]
2006-07-05 05:01 77892 ----a-w- c:\program files\WordPerfect Office X3\Programs\QFSCHD130.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2011-10-24 19:28 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2007-07-05 08:08 16380416 ----a-r- c:\windows\RTHDCPL.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2011-06-09 18:06 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Nero\\Nero MediaHome 4\\NMMediaServerService.exe"=
"c:\\Documents and Settings\\User\\Local Settings\\Application Data\\Akamai\\netsession_win.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgmfapx.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgemcx.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [7/11/2011 2:14 AM 23120]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [9/13/2011 7:30 AM 32592]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [10/7/2011 7:23 AM 230608]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [7/11/2011 2:14 AM 295248]
R2 AdobeActiveFileMonitor10.0;Adobe Active File Monitor V10;c:\program files\Adobe\Elements 10 Organizer\PhotoshopElementsFileAgent.exe [9/14/2011 11:06 PM 169624]
R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [4/13/2008 10:42 PM 39936]
R2 avgfws;AVG Firewall;c:\program files\AVG\AVG2012\avgfws.exe [10/24/2011 9:29 PM 2391832]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2012\AVGIDSAgent.exe [10/12/2011 7:25 AM 4433248]
R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2012\avgwdsvc.exe [8/2/2011 7:09 AM 192776]
R2 cvhsvc;Client Virtualization Handler;c:\program files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [1/4/2012 3:22 PM 822624]
R2 sftlist;Application Virtualization Client;c:\program files\Microsoft Application Virtualization Client\sftlist.exe [10/1/2011 9:30 AM 508776]
R2 vToolbarUpdater10.2.0;vToolbarUpdater10.2.0;c:\program files\Common Files\AVG Secure Search\vToolbarUpdater\10.2.0\ToolbarUpdater.exe [3/12/2012 4:34 PM 918880]
R2 wwEngineSvc;Window Washer Engine;c:\program files\Webroot\Washer\WasherSvc.exe [12/8/2009 4:54 PM 388936]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [5/23/2011 2:03 AM 30944]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [7/11/2011 2:14 AM 134608]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [7/11/2011 2:14 AM 24272]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [10/4/2011 7:21 AM 16720]
R3 Sftfs;Sftfs;c:\windows\system32\drivers\Sftfsxp.sys [12/2/2009 10:23 PM 584680]
R3 Sftplay;Sftplay;c:\windows\system32\drivers\Sftplayxp.sys [12/2/2009 10:23 PM 209512]
R3 Sftredir;Sftredir;c:\windows\system32\drivers\Sftredirxp.sys [12/2/2009 10:23 PM 20584]
R3 Sftvol;Sftvol;c:\windows\system32\drivers\Sftvolxp.sys [12/2/2009 10:23 PM 18280]
R3 sftvsa;Application Virtualization Service Agent;c:\program files\Microsoft Application Virtualization Client\sftvsa.exe [10/1/2011 9:30 AM 219496]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [3/30/2012 9:29 PM 253088]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [5/23/2011 2:03 AM 30944]
S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [1/9/2010 9:37 PM 4640000]
S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [4/14/2011 1:53 PM 27064]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder
.
2012-04-14 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-31 23:26]
.
2012-04-14 c:\windows\Tasks\AdobeAAMUpdater-1.0-OWNER-9EC4BBE27-User.job
- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [2011-06-16 22:43]
.
2012-04-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 22:57]
.
2012-04-14 c:\windows\Tasks\User_Feed_Synchronization-{8995B448-1C0E-403D-BF80-FDE9BAC61444}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Open with WordPerfect - c:\program files\WordPerfect Office X3\Programs\WPLauncher.hta
TCP: DhcpNameServer = 192.168.100.254
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\Common Files\AVG Secure Search\ViProtocolInstaller\10.2.0\ViProtocol.dll
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\4kshqav4.default\
FF - prefs.js: keyword.URL - hxxp://isearch.avg.com/search?cid=%7B09a627d3-8224-4899-8eb1-ea32701d241a%7D&mid=9f17dd86a46f550baa14ee006f37998b-1398b60cbf8cc162abba205a69bb4929bff51bc3&ds=AVG&v=10.0.0.7&lang=en&pr=pr&d=2011-11-25%2022%3A16%3A55&sap=ku&q=
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - (no file)
HKLM-Run-ROC_roc_dec12 - c:\program files\AVG Secure Search\ROC_roc_dec12.exe
HKLM-Run-dplaysvr - c:\documents and settings\User\Application Data\dplaysvr.exe
HKU-Default-Run-dplaysvr - c:\documents and settings\User\Application Data\dplaysvr.exe
MSConfigStartUp-BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} - c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-04-14 11:12
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Akamai]
"ServiceDll"="c:\program files\common files\akamai/netsession_win_6c825ce.dll"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,9c,ee,16,ad,37,d8,a8,45,b8,9c,9c,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,9c,ee,16,ad,37,d8,a8,45,b8,9c,9c,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(748)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\AVG\AVG2012\avgrsx.exe
c:\program files\AVG\AVG2012\avgcsrvx.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Nero\Nero MediaHome 4\NMMediaServerService.exe
c:\windows\system32\nvsvc32.exe
c:\program files\AVG\AVG2012\avgnsx.exe
c:\windows\system32\HPZipm12.exe
c:\program files\AVG\AVG2012\avgcsrvx.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\AVG\AVG2012\avgdiagex.exe
.
**************************************************************************
.
Completion time: 2012-04-14 11:15:34 - machine was rebooted
ComboFix-quarantined-files.txt 2012-04-14 16:15
ComboFix2.txt 2010-02-06 00:15
.
Pre-Run: 129,158,713,344 bytes free
Post-Run: 130,303,778,816 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect /usepmtimer
.
- - End Of File - - FEFF62DE46AC2CDC206C5A947D0D3077

Edited by gringo_pr, 14 April 2012 - 06:14 PM.


#9 gringo_pr (Malware Response Team)

Posted 14 April 2012 - 06:26 PM

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

FCopy::
c:\windows\ERDNT\cache\winlogon.exe | c:\windows\system32\winlogon.exe
c:\windows\ERDNT\cache\svchost.exe | c:\windows\system32\svchost.exe
c:\windows\ERDNT\cache\explorer.exe | c:\windows\explorer.exe

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it is running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." please restart the computer.

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University
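The Sigcheck block in the log above pairs each file under c:\windows\ERDNT\cache (the reference copy, flagged [7]) with the live copy under c:\windows, and the two differ in both MD5 and size for winlogon.exe, svchost.exe and explorer.exe; the FCopy:: directive in the CFScript then puts the reference copy back over the live file. The script below is an added example, not ComboFix's code or gringo_pr's script: it parses Sigcheck lines in that format, pairs reference and live entries by file name, flags the mismatches, and performs the copy-back on files whose on-disk fingerprint differs. The Sigcheck sample is taken from the log above; the files in demo_restore() are constructed temporary stand-ins, and the regex and function names are this example's own assumptions.

```python
"""
Detect patched Windows system binaries the way ComboFix's Sigcheck section
does (reference copy vs. live copy, compared by MD5 and size), then restore
the live file from the reference copy as the FCopy:: directive does.
Added example; not ComboFix's own code.
"""
import hashlib
import ntpath
import os
import re
import shutil
import tempfile

# One Sigcheck line looks like:
# [-] 2008-04-14 . 84A84F51... . 545280 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe
# The regex is this example's assumption about the format, derived from the log lines.
SIGCHECK_LINE = re.compile(
    r"^\[(?P<flag>[^\]]+)\]\s+(?P<date>\S+)\s+\.\s+(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+"
    r"(?P<size>\d+)\s+\.\s+\.\s+\[(?P<version>[^\]]*)\]\s+\.\s+\.\s+(?P<path>.+?)\s*$"
)

# Copied from the Sigcheck section of the ComboFix log posted above.
SIGCHECK_SAMPLE = r"""
[7] 2008-04-14 . ED0EF0A136DEC83DF69F04118870003E . 507904 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\winlogon.exe
[-] 2008-04-14 . 84A84F5183410B4AE206927E63EA8D93 . 545280 . . [5.1.2600.5512] . . c:\windows\system32\winlogon.exe
[7] 2008-04-14 . 27C6D03BCDB8CFEB96B716F3D8BE3E18 . 14336 . . [5.1.2600.5512] . . c:\windows\ERDNT\cache\svchost.exe
[-] 2008-04-14 . 29EFA4DFFF4BA6587C65A8260B3351F2 . 39936 . . [5.1.2600.5512] . . c:\windows\system32\svchost.exe
[7] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\ERDNT\cache\explorer.exe
[-] 2008-04-14 . 9A5BEC3EF331D6F79717F34404A46D9E . 1058816 . . [6.00.2900.5512] . . c:\windows\explorer.exe
"""


def parse_sigcheck(text):
    """Return {lower-cased path: {'flag', 'md5', 'size', 'version'}} for every Sigcheck line."""
    entries = {}
    for line in text.splitlines():
        m = SIGCHECK_LINE.match(line.strip())
        if m:
            d = m.groupdict()
            entries[d["path"].lower()] = {
                "flag": d["flag"],
                "md5": d["md5"].upper(),
                "size": int(d["size"]),
                "version": d["version"],
            }
    return entries


def find_mismatches(entries):
    """Pair ERDNT\\cache reference copies with live copies of the same file name.

    Returns [(reference_path, live_path)] for pairs whose MD5 or size differ.
    """
    by_name = {}
    for path, info in entries.items():
        by_name.setdefault(ntpath.basename(path), []).append((path, info))
    mismatches = []
    for items in by_name.values():
        refs = [(p, i) for p, i in items if "\\erdnt\\cache\\" in p]
        lives = [(p, i) for p, i in items if "\\erdnt\\cache\\" not in p]
        for ref_path, ref in refs:
            for live_path, live in lives:
                if ref["md5"] != live["md5"] or ref["size"] != live["size"]:
                    mismatches.append((ref_path, live_path))
    return mismatches


def fingerprint(path):
    """MD5 (upper-case hex) and size of a file on disk: the two Sigcheck fields."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest().upper(), os.path.getsize(path)


def restore_from_reference(pairs, dry_run=True):
    """For each (reference, live) pair whose fingerprints differ, copy reference over live.

    This is the effect of a 'FCopy:: reference | live' line. Returns the live paths touched.
    """
    restored = []
    for ref, live in pairs:
        if fingerprint(ref) == fingerprint(live):
            continue
        if not dry_run:
            shutil.copy2(ref, live)
        restored.append(live)
    return restored


def demo_restore():
    """Constructed demo: a clean reference copy and a live copy with bytes appended.

    Returns (differed_before, restore_reported_it, identical_after).
    """
    tmp = tempfile.mkdtemp()
    ref = os.path.join(tmp, "winlogon.exe")        # stand-in for the ERDNT\cache copy
    live = os.path.join(tmp, "live_winlogon.exe")  # stand-in for the system32 copy
    with open(ref, "wb") as f:
        f.write(b"MZ" + b"\x00" * 1022)
    with open(live, "wb") as f:
        f.write(b"MZ" + b"\x00" * 1022 + b"PATCHED")  # constructed tampering
    differed = fingerprint(ref) != fingerprint(live)
    restored = restore_from_reference([(ref, live)], dry_run=False)
    same_after = fingerprint(ref) == fingerprint(live)
    shutil.rmtree(tmp)
    return differed, restored == [live], same_after


if __name__ == "__main__":
    for ref, live in find_mismatches(parse_sigcheck(SIGCHECK_SAMPLE)):
        print("mismatch:", ref, "->", live)
    print("demo restore:", demo_restore())
```

On the machine in this thread the copy cannot be done by hand this way: winlogon.exe, svchost.exe and explorer.exe are in use while Windows is running, which is why the FCopy lines are handed to ComboFix, which performs the replacement during its own run (the "--------------- FCopy ---------------" section of the follow-up log records the three copies).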

#10 gringo_pr (Malware Response Team)

Posted 16 April 2012 - 11:29 PM

Hello


Just checking in on you as it has been a couple of days since I have heard from you.

Are you having any troubles or just need more time?




Gringo

#11 oscar the grouch (Topic Starter)

Posted 18 April 2012 - 03:36 PM

Hi Gringo,

Sorry I haven't replied, I've been pretty busy. I ran the ComboFix script as you suggested, and it seems to have fixed the redirect issue. However, the computer still seems to be a mess; AVG keeps picking up trojans but it can't seem to fix them for some reason. I'm getting popups with "multiple threat detection" where it has a list of a dozen or more viruses. Also, the night after I ran the ComboFix script, my computer crashed to a bluescreen again. I'm not sure if it might mean anything to you or not, but the text at the bottom of it said "catchme.sys - Address B3C65F84 base at B3C63000 datestamp 49d3495d". I have no idea what, if anything, this means, but I thought I'd write it down in case.

Please let me know if there are any programs I should run or any logs I should send you. Cheers.

#12 gringo_pr (Malware Response Team)

Posted 18 April 2012 - 04:19 PM

Hello

"multiple threat detection" where it has a list of a dozen or more viruses. Also, the night after I ran the ComboFix script, my computer crashed to a bluescreen again. I'm not sure if it might mean anything to you or not, but the text at the bottom of it said "catchme.sys - Address B3C65F84 base at B3C63000 datestamp 49d3495d". I have no idea what, if anything, this means, but I thought I'd write it down in case.

All of this is from ComboFix.

I would like to see that last report that combofix makes.

Extra ComboFix report

  • Push the "Windows key" + "R" (the Windows key is between the "Ctrl" and "Alt" buttons)
  • Please copy and paste the following into the box:
C:\ComboFix.txt
  • Click OK

Copy and paste the report into this topic for me to review.

Gringo

#13 oscar the grouch (Topic Starter)

Posted 18 April 2012 - 05:34 PM

Hello Gringo,

Here is the report.

ComboFix 12-04-14.02 - User 04/14/2012 18:54:46.3.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3519.2772 [GMT -5:00]
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\User\Desktop\CFScript.txt
AV: AVG Internet Security 2012 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: AVG Firewall *Disabled* {8decf618-9569-4340-b34a-d78d28969b66}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\docume~1\User\LOCALS~1\Temp\win2.tmp
c:\docume~1\User\LOCALS~1\Temp\win4.tmp
c:\documents and settings\User\Local Settings\temp\win2.tmp
c:\documents and settings\User\Local Settings\temp\win4.tmp
.
.
--------------- FCopy ---------------
.
c:\windows\ERDNT\cache\winlogon.exe --> c:\windows\system32\winlogon.exe
c:\windows\ERDNT\cache\svchost.exe --> c:\windows\system32\svchost.exe
c:\windows\ERDNT\cache\explorer.exe --> c:\windows\explorer.exe
.
((((((((((((((((((((((((( Files Created from 2012-03-14 to 2012-04-14 )))))))))))))))))))))))))))))))
.
.
2012-04-13 23:26 . 2012-04-13 23:26 4139680 ----a-w- c:\windows\system32\FlashPlayerInstaller.exe
2012-04-08 02:29 . 2012-04-08 02:29 -------- d-----w- c:\program files\iPod
2012-04-08 02:27 . 2012-04-08 02:27 -------- d-----w- c:\program files\Bonjour
2012-04-08 02:23 . 2012-04-08 02:23 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin7.dll
2012-04-08 02:23 . 2012-04-08 02:23 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin6.dll
2012-04-08 02:23 . 2012-04-08 02:23 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin5.dll
2012-04-08 02:23 . 2012-04-08 02:23 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin4.dll
2012-04-08 02:23 . 2012-04-08 02:23 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin3.dll
2012-04-08 02:23 . 2012-04-08 02:23 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin2.dll
2012-04-08 02:23 . 2012-04-08 02:23 159744 ----a-w- c:\program files\Internet Explorer\Plugins\npqtplugin.dll
2012-04-08 02:23 . 2012-04-08 02:23 -------- d-----w- c:\program files\QuickTime
2012-04-07 05:46 . 2012-04-07 05:46 -------- d-sh--w- c:\windows\ftpcache
2012-04-07 01:54 . 2012-04-08 03:35 -------- d-----w- c:\program files\AVG Secure Search
2012-04-06 17:39 . 2012-04-06 17:39 -------- d-----w- C:\found.002
2012-04-06 03:13 . 2012-04-06 03:13 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Apple
2012-04-06 03:10 . 2012-04-06 03:12 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Apple Computer
2012-04-06 03:10 . 2012-04-06 03:10 -------- d-----w- c:\windows\system32\config\systemprofile\Local Settings\Application Data\Apple Computer
2012-04-03 23:58 . 2012-04-03 23:58 -------- d-----w- c:\documents and settings\NeroMediaHomeUser.4\Application Data\Nero
2012-04-03 16:54 . 2012-04-03 16:54 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2012-03-31 02:29 . 2012-04-13 23:26 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-13 23:26 . 2011-05-13 18:44 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-03-01 11:01 . 2008-04-14 03:42 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-03-01 11:01 . 2008-04-14 03:42 916992 ----a-w- c:\windows\system32\wininet.dll
2012-03-01 11:01 . 2008-04-14 03:41 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-02-29 14:10 . 2008-04-14 03:42 177664 ----a-w- c:\windows\system32\wintrust.dll
2012-02-29 14:10 . 2008-04-14 03:41 148480 ----a-w- c:\windows\system32\imagehlp.dll
2012-02-29 12:17 . 2008-04-13 22:07 385024 ----a-w- c:\windows\system32\html.iec
2012-02-15 16:01 . 2011-09-27 21:24 4547944 ----a-w- c:\windows\system32\usbaaplrc.dll
2012-02-15 16:01 . 2011-09-27 21:24 43520 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2012-02-03 09:22 . 2008-04-13 23:00 1860096 ----a-w- c:\windows\system32\win32k.sys
2011-04-14 16:26 . 2011-05-02 22:31 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot_2012-04-14_16.10.30 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-04-14 03:42 . 2008-04-14 03:42 14336 c:\windows\system32\dllcache\svchost.exe
+ 2008-04-14 03:42 . 2008-04-14 03:42 507904 c:\windows\system32\dllcache\winlogon.exe
+ 2008-04-14 03:42 . 2008-04-14 03:42 1033728 c:\windows\system32\dllcache\explorer.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}]
2012-04-08 03:35 1869152 ----a-w- c:\program files\AVG Secure Search\10.2.0.3\AVG Secure Search_toolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{95B7759C-8C7F-4BF1-B163-73684A933233}"= "c:\program files\AVG Secure Search\10.2.0.3\AVG Secure Search_toolbar.dll" [2012-04-08 1869152]
.
[HKEY_CLASSES_ROOT\clsid\{95b7759c-8c7f-4bf1-b163-73684a933233}]
[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj.1]
[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Window Washer"="c:\program files\Webroot\Washer\wwDisp.exe" [2007-08-09 1261384]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ContentTransferWMDetector.exe"="c:\program files\Sony\Content Transfer\ContentTransferWMDetector.exe" [2009-11-19 583016]
"AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2012-01-24 2416480]
"vProt"="c:\program files\AVG Secure Search\vprot.exe" [2012-04-08 982880]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-31 7634944]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-01-04 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
"AdobeAAMUpdater-1.0"="c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe" [2011-06-16 499608]
"Nero MediaHome 4"="c:\program files\Nero\Nero MediaHome 4\NeroMediaHome.exe" [2009-06-23 4891944]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-03-27 421736]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-01-02 16:07 843712 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2012-01-04 04:51 37296 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Akamai NetSession Interface]
2011-12-07 04:43 3305248 ----a-w- c:\documents and settings\User\Local Settings\Application Data\Akamai\netsession_win.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 03:42 15360 ------w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2011-05-10 08:41 49208 ----a-w- c:\program files\HP\HP Software Update\hpwuschd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2012-03-27 10:09 421736 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2010-04-17 04:12 3872080 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Nero MediaHome 4]
2009-06-23 20:59 4891944 ----a-w- c:\program files\Nero\Nero MediaHome 4\NeroMediaHome.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2006-10-31 06:35 7634944 ----a-w- c:\windows\system32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2006-10-31 06:35 86016 ----a-w- c:\windows\system32\nvmctray.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2006-10-31 06:35 1622016 ----a-w- c:\windows\system32\nwiz.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickFinder Scheduler]
2006-07-05 05:01 77892 ----a-w- c:\program files\WordPerfect Office X3\Programs\QFSCHD130.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2011-10-24 19:28 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2007-07-05 08:08 16380416 ----a-r- c:\windows\RTHDCPL.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2011-06-09 18:06 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Nero\\Nero MediaHome 4\\NMMediaServerService.exe"=
"c:\\Documents and Settings\\User\\Local Settings\\Application Data\\Akamai\\netsession_win.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgmfapx.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgnsx.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG2012\\avgemcx.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [7/11/2011 2:14 AM 23120]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [9/13/2011 7:30 AM 32592]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [10/7/2011 7:23 AM 230608]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [7/11/2011 2:14 AM 295248]
R2 AdobeActiveFileMonitor10.0;Adobe Active File Monitor V10;c:\program files\Adobe\Elements 10 Organizer\PhotoshopElementsFileAgent.exe [9/14/2011 11:06 PM 169624]
R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [4/13/2008 10:42 PM 14336]
R2 avgwd;AVG WatchDog;c:\program files\AVG\AVG2012\avgwdsvc.exe [8/2/2011 7:09 AM 192776]
R2 cvhsvc;Client Virtualization Handler;c:\program files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [1/4/2012 3:22 PM 822624]
R2 sftlist;Application Virtualization Client;c:\program files\Microsoft Application Virtualization Client\sftlist.exe [10/1/2011 9:30 AM 508776]
R2 vToolbarUpdater10.2.0;vToolbarUpdater10.2.0;c:\program files\Common Files\AVG Secure Search\vToolbarUpdater\10.2.0\ToolbarUpdater.exe [3/12/2012 4:34 PM 918880]
R2 wwEngineSvc;Window Washer Engine;c:\program files\Webroot\Washer\WasherSvc.exe [12/8/2009 4:54 PM 388936]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [5/23/2011 2:03 AM 30944]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [7/11/2011 2:14 AM 134608]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [7/11/2011 2:14 AM 24272]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [10/4/2011 7:21 AM 16720]
R3 Sftfs;Sftfs;c:\windows\system32\drivers\Sftfsxp.sys [12/2/2009 10:23 PM 584680]
R3 Sftplay;Sftplay;c:\windows\system32\drivers\Sftplayxp.sys [12/2/2009 10:23 PM 209512]
R3 Sftredir;Sftredir;c:\windows\system32\drivers\Sftredirxp.sys [12/2/2009 10:23 PM 20584]
R3 Sftvol;Sftvol;c:\windows\system32\drivers\Sftvolxp.sys [12/2/2009 10:23 PM 18280]
R3 sftvsa;Application Virtualization Service Agent;c:\program files\Microsoft Application Virtualization Client\sftvsa.exe [10/1/2011 9:30 AM 219496]
S2 avgfws;AVG Firewall;c:\program files\AVG\AVG2012\avgfws.exe [10/24/2011 9:29 PM 2391832]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG2012\AVGIDSAgent.exe [10/12/2011 7:25 AM 4433248]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [3/30/2012 9:29 PM 253088]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [5/23/2011 2:03 AM 30944]
S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [1/9/2010 9:37 PM 4640000]
S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [4/14/2011 1:53 PM 27064]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder
.
2012-04-14 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-31 23:26]
.
2012-04-14 c:\windows\Tasks\AdobeAAMUpdater-1.0-OWNER-9EC4BBE27-User.job
- c:\program files\Common Files\Adobe\OOBE\PDApp\UWA\updaterstartuputility.exe [2011-06-16 22:43]
.
2012-04-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 22:57]
.
2012-04-14 c:\windows\Tasks\User_Feed_Synchronization-{8995B448-1C0E-403D-BF80-FDE9BAC61444}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Open with WordPerfect - c:\program files\WordPerfect Office X3\Programs\WPLauncher.hta
TCP: DhcpNameServer = 192.168.100.254
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\Common Files\AVG Secure Search\ViProtocolInstaller\10.2.0\ViProtocol.dll
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\4kshqav4.default\
FF - prefs.js: keyword.URL - hxxp://isearch.avg.com/search?cid=%7B09a627d3-8224-4899-8eb1-ea32701d241a%7D&mid=9f17dd86a46f550baa14ee006f37998b-1398b60cbf8cc162abba205a69bb4929bff51bc3&ds=AVG&v=10.0.0.7&lang=en&pr=pr&d=2011-11-25%2022%3A16%3A55&sap=ku&q=
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-04-14 18:57
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Akamai]
"ServiceDll"="c:\program files\common files\akamai/netsession_win_6c825ce.dll"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,9c,ee,16,ad,37,d8,a8,45,b8,9c,9c,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,9c,ee,16,ad,37,d8,a8,45,b8,9c,9c,\
.
Completion time: 2012-04-14 18:59:06
ComboFix-quarantined-files.txt 2012-04-14 23:59
ComboFix2.txt 2012-04-14 16:15
ComboFix3.txt 2010-02-06 00:15
.
Pre-Run: 130,189,295,616 bytes free
Post-Run: 130,179,301,376 bytes free
.
- - End Of File - - 08D9C20C1D86846E0E007558CDE3942F

#14 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 18 April 2012 - 05:46 PM

Greetings

I want you to run these next.

TDSSKiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure; click on Continue.
  • If a suspicious file is detected, the default action will be Skip; click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please download aswMBR to your desktop.
  • Double-click the aswMBR.exe icon to run it.
  • It will ask to download extra definitions - ALLOW IT.
  • Click the Scan button to start the scan.
  • On completion of the scan, click the Save log button, save it to your desktop and post it in your next reply.

If you have any problems running either one, come back and let me know.

Please reply with the reports from TDSSKiller and aswMBR.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University
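The TDSSKiller report Gringo asks for is long (one line per checked service or driver, almost all ending in "- ok"), so the script below is an added triage helper for this thread; it is not TDSSKiller's own code and not something either poster wrote. It parses only the line shapes visible in the log posted later in this thread (the "name (md5) path", "Suspicious file (...)", "( verdict ) - warning/infected" and "- detected" lines) and lists just the objects that are not "ok"; the sample lines are constructed in that shape, reusing the Akamai and fontcache entries from the posted log.

```python
"""Triage helper for a TDSSKiller text report (added example, not TDSSKiller code).

Each report line is "<time> <worker> <message>".  parse_report() builds one
Finding per object named in the messages; flagged() keeps those whose status
is not "ok" so the log can be triaged without reading every "- ok" line.
"""
import re
from dataclasses import dataclass, field

# "18:20:42.0578 5120 <message>": time, worker id, then the message.
_PREFIX = re.compile(r"^(\d{2}:\d{2}:\d{2}\.\d+)\s+(\d+)\s+(?P<msg>.*)$")
# "<object> (<md5>) <path>": the file TDSSKiller resolved for a service/driver.
_OBJECT = re.compile(r"^(?P<name>.+?) \((?P<md5>[0-9a-f]{32})\) (?P<path>.+)$")
# "Suspicious file (Hidden): <path>. md5: <hash>"
_SUSPICIOUS = re.compile(
    r"^Suspicious file \((?P<reason>[^)]+)\): (?P<path>.+)\. md5: (?P<md5>[0-9a-f]{32})$")
# "<object> ( <verdict> ) - warning"  or  "... - infected"
_VERDICT = re.compile(r"^(?P<name>.+?) \( (?P<verdict>[^)]+) \) - (?P<status>warning|infected)$")
# "<object> - detected <verdict> (<n>)"
_DETECTED = re.compile(r"^(?P<name>.+?) - detected (?P<verdict>\S+) \(\d+\)$")
# "<object> - ok"
_OK = re.compile(r"^(?P<name>.+?) - ok$")


@dataclass
class Finding:
    name: str                    # object name as TDSSKiller lists it
    status: str = "unknown"      # ok | warning | infected
    verdict: str = ""            # e.g. Backdoor.Multi.ZAccess.gen
    path: str = ""               # file backing the object, when printed
    md5: str = ""                # MD5 TDSSKiller computed for that file
    reasons: list = field(default_factory=list)  # Hidden, NoAccess, ...


def parse_report(text: str) -> dict:
    """Return {object name: Finding} for every object mentioned in the report."""
    findings = {}
    last_suspicious = None  # (path, reason) of the most recent "Suspicious file" line
    for raw in text.splitlines():
        m = _PREFIX.match(raw.strip())
        if not m:
            continue  # banners, separators and SystemInfo lines carry no verdict
        msg = m.group("msg")
        if (o := _OBJECT.match(msg)):
            f = findings.setdefault(o["name"], Finding(o["name"]))
            f.md5, f.path = o["md5"], o["path"]
        elif (s := _SUSPICIOUS.match(msg)):
            last_suspicious = (s["path"], s["reason"])
        elif (v := _VERDICT.match(msg)):
            f = findings.setdefault(v["name"], Finding(v["name"]))
            f.status, f.verdict = v["status"], v["verdict"]
            # the "Suspicious file" line printed just before names the same path
            if last_suspicious and last_suspicious[0] == f.path:
                f.reasons.append(last_suspicious[1])
        elif (d := _DETECTED.match(msg)):
            f = findings.setdefault(d["name"], Finding(d["name"]))
            f.verdict = f.verdict or d["verdict"]
        elif (k := _OK.match(msg)):
            findings.setdefault(k["name"], Finding(k["name"])).status = "ok"
    return findings


def flagged(text: str) -> list:
    """Objects that need a human look, worst first (infected before warning)."""
    rank = {"infected": 0, "warning": 1, "unknown": 2}
    return sorted((f for f in parse_report(text).values() if f.status != "ok"),
                  key=lambda f: (rank[f.status], f.name))


def summarize(text: str) -> list:
    """One human-readable line per flagged object."""
    return [f"{f.status:8} {f.name}  {f.verdict or '?'}  {f.path}  md5={f.md5}"
            + (f"  [{', '.join(f.reasons)}]" if f.reasons else "")
            for f in flagged(text)]


# Constructed sample in the shape of the TDSSKiller log posted in this thread.
SAMPLE = r"""
18:20:39.0750 5120 AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys
18:20:39.0750 5120 AFD - ok
18:20:39.0921 5120 Akamai (1125c7d9fb8898015829c387c1bc87c7) c:\program files\common files\akamai/netsession_win_6c825ce.dll
18:20:39.0921 5120 Suspicious file (Hidden): c:\program files\common files\akamai/netsession_win_6c825ce.dll. md5: 1125c7d9fb8898015829c387c1bc87c7
18:20:39.0921 5120 Akamai ( HiddenFile.Multi.Generic ) - warning
18:20:39.0921 5120 Akamai - detected HiddenFile.Multi.Generic (1)
18:20:42.0562 5120 entertainment (11028c6a84a967070cb1286550f2058f) C:\WINDOWS\system32\fontcache3.0.0.0.dll
18:20:42.0578 5120 Suspicious file (NoAccess): C:\WINDOWS\system32\fontcache3.0.0.0.dll. md5: 11028c6a84a967070cb1286550f2058f
18:20:42.0578 5120 entertainment ( Backdoor.Multi.ZAccess.gen ) - infected
18:20:42.0578 5120 entertainment - detected Backdoor.Multi.ZAccess.gen (0)
18:20:43.0078 5120 FontCache3.0.0.0 (8ba7c024070f2b7fdd98ed8a4ba41789) c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
18:20:43.0078 5120 FontCache3.0.0.0 - ok
"""

if __name__ == "__main__":
    for line in summarize(SAMPLE):
        print(line)
```

Note how the sample separates the legitimate .NET service FontCache3.0.0.0 (ok) from the look-alike service "entertainment" backed by fontcache3.0.0.0.dll; the name collision is only visible once the path and verdict are pulled out of the log.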

#15 oscar the grouch

  • Topic Starter
  • Members
  • 13 posts

Posted 18 April 2012 - 08:07 PM

Hi Gringo,

Here are the reports.

18:20:21.0890 0176 TDSS rootkit removing tool 2.7.29.0 Apr 18 2012 16:44:20
18:20:22.0937 0176 ============================================================
18:20:22.0937 0176 Current date / time: 2012/04/18 18:20:22.0937
18:20:22.0937 0176 SystemInfo:
18:20:22.0937 0176
18:20:22.0937 0176 OS Version: 5.1.2600 ServicePack: 3.0
18:20:22.0937 0176 Product type: Workstation
18:20:22.0937 0176 ComputerName: OWNER-9EC4BBE27
18:20:22.0937 0176 UserName: User
18:20:22.0937 0176 Windows directory: C:\WINDOWS
18:20:22.0937 0176 System windows directory: C:\WINDOWS
18:20:22.0937 0176 Processor architecture: Intel x86
18:20:22.0937 0176 Number of processors: 2
18:20:22.0937 0176 Page size: 0x1000
18:20:22.0937 0176 Boot type: Normal boot
18:20:22.0937 0176 ============================================================
18:20:24.0093 0176 Drive \Device\Harddisk0\DR0 - Size: 0x7470AFDE00 (465.76 Gb), SectorSize: 0x200, Cylinders: 0xED81, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000050
18:20:24.0125 0176 \Device\Harddisk0\DR0:
18:20:24.0125 0176 MBR partitions:
18:20:24.0125 0176 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x3A384C02
18:20:24.0156 0176 C: <-> \Device\Harddisk0\DR0\Partition0
18:20:24.0156 0176 Initialize success
18:20:24.0156 0176 ============================================================
18:20:38.0531 5120 ============================================================
18:20:38.0531 5120 Scan started
18:20:38.0531 5120 Mode: Manual;
18:20:38.0531 5120 ============================================================
18:20:39.0390 5120 a016mgmt - ok
18:20:39.0406 5120 Abiosdsk - ok
18:20:39.0421 5120 abp480n5 - ok
18:20:39.0468 5120 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
18:20:39.0468 5120 ACPI - ok
18:20:39.0500 5120 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
18:20:39.0500 5120 ACPIEC - ok
18:20:39.0500 5120 adihdaudaddservice - ok
18:20:39.0515 5120 admjoy - ok
18:20:39.0593 5120 AdobeActiveFileMonitor10.0 (047bd1eb681453a7fe492a71802ac9f3) C:\Program Files\Adobe\Elements 10 Organizer\PhotoshopElementsFileAgent.exe
18:20:39.0593 5120 AdobeActiveFileMonitor10.0 - ok
18:20:39.0640 5120 AdobeFlashPlayerUpdateSvc (459ac130c6ab892b1cd5d7544626efc5) C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
18:20:39.0640 5120 AdobeFlashPlayerUpdateSvc - ok
18:20:39.0640 5120 adobeversioncue - ok
18:20:39.0656 5120 adpu160m - ok
18:20:39.0656 5120 AEADIFilters - ok
18:20:39.0703 5120 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
18:20:39.0718 5120 aec - ok
18:20:39.0750 5120 AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys
18:20:39.0750 5120 AFD - ok
18:20:39.0750 5120 Aha154x - ok
18:20:39.0765 5120 aic78u2 - ok
18:20:39.0765 5120 aic78xx - ok
18:20:39.0921 5120 Akamai (1125c7d9fb8898015829c387c1bc87c7) c:\program files\common files\akamai/netsession_win_6c825ce.dll
18:20:39.0921 5120 Suspicious file (Hidden): c:\program files\common files\akamai/netsession_win_6c825ce.dll. md5: 1125c7d9fb8898015829c387c1bc87c7
18:20:39.0921 5120 Akamai ( HiddenFile.Multi.Generic ) - warning
18:20:39.0921 5120 Akamai - detected HiddenFile.Multi.Generic (1)
18:20:39.0968 5120 akshhl - ok
18:20:40.0000 5120 Alerter (a9a3daa780ca6c9671a19d52456705b4) C:\WINDOWS\system32\alrsvc.dll
18:20:40.0000 5120 Alerter - ok
18:20:40.0000 5120 alertservice - ok
18:20:40.0031 5120 ALG (8c515081584a38aa007909cd02020b3d) C:\WINDOWS\System32\alg.exe
18:20:40.0031 5120 ALG - ok
18:20:40.0046 5120 AliIde - ok
18:20:40.0093 5120 AmdK8 (0a4d13b388c814560bd69c3a496ecfa8) C:\WINDOWS\system32\DRIVERS\AmdK8.sys
18:20:40.0093 5120 AmdK8 - ok
18:20:40.0109 5120 amsint - ok
18:20:40.0109 5120 amusbprt - ok
18:20:40.0203 5120 Apple Mobile Device (7ef47644b74ebe721cc32211d3c35e76) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
18:20:40.0218 5120 Apple Mobile Device - ok
18:20:40.0218 5120 AppMgmt - ok
18:20:40.0218 5120 ARPolicy - ok
18:20:40.0234 5120 asapiw2k - ok
18:20:40.0234 5120 asc - ok
18:20:40.0250 5120 asc3350p - ok
18:20:40.0250 5120 asc3550 - ok
18:20:40.0265 5120 ASFWHide - ok
18:20:40.0281 5120 asp.net_1.1.4322 - ok
18:20:40.0359 5120 aspnet_state (0e5e4957549056e2bf2c49f4f6b601ad) C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
18:20:40.0359 5120 aspnet_state - ok
18:20:40.0375 5120 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
18:20:40.0375 5120 AsyncMac - ok
18:20:40.0421 5120 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
18:20:40.0421 5120 atapi - ok
18:20:40.0421 5120 Atdisk - ok
18:20:40.0437 5120 atimpab - ok
18:20:40.0437 5120 atitunep - ok
18:20:40.0453 5120 atixsaudio - ok
18:20:40.0468 5120 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
18:20:40.0468 5120 Atmarpc - ok
18:20:40.0515 5120 AudioSrv (def7a7882bec100fe0b2ce2549188f9d) C:\WINDOWS\System32\audiosrv.dll
18:20:40.0515 5120 AudioSrv - ok
18:20:40.0562 5120 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
18:20:40.0562 5120 audstub - ok
18:20:40.0625 5120 Avgfwdx (841b0a982065bffc7d7e84009f2fa76f) C:\WINDOWS\system32\DRIVERS\avgfwdx.sys
18:20:40.0625 5120 Avgfwdx - ok
18:20:40.0625 5120 Avgfwfd (841b0a982065bffc7d7e84009f2fa76f) C:\WINDOWS\system32\DRIVERS\avgfwdx.sys
18:20:40.0625 5120 Avgfwfd - ok
18:20:40.0750 5120 avgfws (5cd22eb540f82c70e33e530003f3903b) C:\Program Files\AVG\AVG2012\avgfws.exe
18:20:40.0765 5120 avgfws - ok
18:20:41.0078 5120 AVGIDSAgent (6d440ff3f44ca72edfd6176c6d6a89c0) C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
18:20:41.0109 5120 AVGIDSAgent - ok
18:20:41.0140 5120 AVGIDSDriver (4fa401b33c1b50c816486f6951244a14) C:\WINDOWS\system32\DRIVERS\AVGIDSDriver.Sys
18:20:41.0140 5120 AVGIDSDriver - ok
18:20:41.0140 5120 AVGIDSEH (69578bc9d43d614c6b3455db4af19762) C:\WINDOWS\system32\DRIVERS\AVGIDSEH.Sys
18:20:41.0140 5120 AVGIDSEH - ok
18:20:41.0156 5120 AVGIDSFilter (6df528406aa22201f392b9b19121cd6f) C:\WINDOWS\system32\DRIVERS\AVGIDSFilter.Sys
18:20:41.0156 5120 AVGIDSFilter - ok
18:20:41.0171 5120 AVGIDSShim (1e01c2166b5599802bcd61b9691f7476) C:\WINDOWS\system32\DRIVERS\AVGIDSShim.Sys
18:20:41.0171 5120 AVGIDSShim - ok
18:20:41.0187 5120 Avgldx86 (bf8118cd5e2255387b715b534d64acd1) C:\WINDOWS\system32\DRIVERS\avgldx86.sys
18:20:41.0187 5120 Avgldx86 - ok
18:20:41.0203 5120 Avgmfx86 (1c77ef67f196466adc9924cb288afe87) C:\WINDOWS\system32\DRIVERS\avgmfx86.sys
18:20:41.0203 5120 Avgmfx86 - ok
18:20:41.0203 5120 Avgrkx86 (f2038ed7284b79dcef581468121192a9) C:\WINDOWS\system32\DRIVERS\avgrkx86.sys
18:20:41.0203 5120 Avgrkx86 - ok
18:20:41.0218 5120 Avgtdix (a6d562b612216d8d02a35ebeb92366bd) C:\WINDOWS\system32\DRIVERS\avgtdix.sys
18:20:41.0218 5120 Avgtdix - ok
18:20:41.0250 5120 avgwd (6699ece24fe4b3f752a66c66a602ee86) C:\Program Files\AVG\AVG2012\avgwdsvc.exe
18:20:41.0250 5120 avgwd - ok
18:20:41.0250 5120 avhook - ok
18:20:41.0265 5120 axinstsv - ok
18:20:41.0296 5120 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
18:20:41.0296 5120 Beep - ok
18:20:41.0343 5120 BITS (574738f61fca2935f5265dc4e5691314) C:\WINDOWS\system32\qmgr.dll
18:20:41.0359 5120 BITS - ok
18:20:41.0421 5120 Bonjour Service (db5bea73edaf19ac68b2c0fad0f92b1a) C:\Program Files\Bonjour\mDNSResponder.exe
18:20:41.0421 5120 Bonjour Service - ok
18:20:41.0437 5120 Browser (a06ce3399d16db864f55faeb1f1927a9) C:\WINDOWS\System32\browser.dll
18:20:41.0453 5120 Browser - ok
18:20:41.0453 5120 BrSerIf - ok
18:20:41.0453 5120 btaudio - ok
18:20:41.0468 5120 bthenum - ok
18:20:41.0468 5120 bwmservice - ok
18:20:41.0484 5120 C-Dilla - ok
18:20:41.0484 5120 Cap7134 - ok
18:20:41.0500 5120 carboniteservice - ok
18:20:41.0515 5120 catchme - ok
18:20:41.0531 5120 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
18:20:41.0531 5120 cbidf2k - ok
18:20:41.0531 5120 cd20xrnt - ok
18:20:41.0562 5120 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
18:20:41.0562 5120 Cdaudio - ok
18:20:41.0593 5120 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
18:20:41.0609 5120 Cdfs - ok
18:20:41.0609 5120 cdralw2k - ok
18:20:41.0609 5120 Changer - ok
18:20:41.0625 5120 Cinemsup - ok
18:20:41.0640 5120 CiSvc (1cfe720eb8d93a7158a4ebc3ab178bde) C:\WINDOWS\system32\cisvc.exe
18:20:41.0640 5120 CiSvc - ok
18:20:41.0656 5120 client32 - ok
18:20:41.0656 5120 ClipSrv (34cbe729f38138217f9c80212a2a0c82) C:\WINDOWS\system32\clipsrv.exe
18:20:41.0656 5120 ClipSrv - ok
18:20:41.0671 5120 clmtomcatstartersvc - ok
18:20:41.0750 5120 clr_optimization_v2.0.50727_32 (d87acaed61e417bba546ced5e7e36d9c) C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
18:20:41.0750 5120 clr_optimization_v2.0.50727_32 - ok
18:20:41.0750 5120 CmdIde - ok
18:20:41.0750 5120 CnxTrLan - ok
18:20:41.0765 5120 COMSysApp - ok
18:20:41.0781 5120 Cpqarray - ok
18:20:41.0781 5120 cpucoolserver - ok
18:20:41.0781 5120 cqmgstor - ok
18:20:41.0812 5120 CryptSvc (3d4e199942e29207970e04315d02ad3b) C:\WINDOWS\System32\cryptsvc.dll
18:20:41.0812 5120 CryptSvc - ok
18:20:41.0812 5120 CTSBLFX.DLL - ok
18:20:41.0953 5120 cvhsvc (72794d112cbaff3bc0c29bf7350d4741) C:\Program Files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
18:20:41.0968 5120 cvhsvc - ok
18:20:41.0984 5120 cwafeventrouter - ok
18:20:41.0984 5120 CX88ENC - ok
18:20:42.0000 5120 dac2w2k - ok
18:20:42.0000 5120 dac960nt - ok
18:20:42.0015 5120 datasvr2 - ok
18:20:42.0015 5120 db2governor - ok
18:20:42.0015 5120 dcevt32 - ok
18:20:42.0031 5120 DCFS2K - ok
18:20:42.0062 5120 DcomLaunch (6b27a5c03dfb94b4245739065431322c) C:\WINDOWS\system32\rpcss.dll
18:20:42.0078 5120 DcomLaunch - ok
18:20:42.0078 5120 Defrag32b - ok
18:20:42.0078 5120 deltafw - ok
18:20:42.0140 5120 Dhcp (5e38d7684a49cacfb752b046357e0589) C:\WINDOWS\System32\dhcpcsvc.dll
18:20:42.0140 5120 Dhcp - ok
18:20:42.0156 5120 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
18:20:42.0171 5120 Disk - ok
18:20:42.0171 5120 dm1service - ok
18:20:42.0171 5120 dmadmin - ok
18:20:42.0218 5120 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
18:20:42.0234 5120 dmboot - ok
18:20:42.0250 5120 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
18:20:42.0250 5120 dmio - ok
18:20:42.0281 5120 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
18:20:42.0281 5120 dmload - ok
18:20:42.0296 5120 dmserver (57edec2e5f59f0335e92f35184bc8631) C:\WINDOWS\System32\dmserver.dll
18:20:42.0296 5120 dmserver - ok
18:20:42.0312 5120 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
18:20:42.0328 5120 DMusic - ok
18:20:42.0375 5120 Dnscache (5f7e24fa9eab896051ffb87f840730d2) C:\WINDOWS\System32\dnsrslvr.dll
18:20:42.0375 5120 Dnscache - ok
18:20:42.0375 5120 dntus26 - ok
18:20:42.0406 5120 Dot3svc (0f0f6e687e5e15579ef4da8dd6945814) C:\WINDOWS\System32\dot3svc.dll
18:20:42.0406 5120 Dot3svc - ok
18:20:42.0421 5120 dpti2o - ok
18:20:42.0421 5120 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
18:20:42.0421 5120 drmkaud - ok
18:20:42.0437 5120 drvmcdb - ok
18:20:42.0437 5120 ds1 - ok
18:20:42.0453 5120 EapHost (2187855a7703adef0cef9ee4285182cc) C:\WINDOWS\System32\eapsvc.dll
18:20:42.0453 5120 EapHost - ok
18:20:42.0468 5120 EMATCORE - ok
18:20:42.0468 5120 EMCFILT - ok
18:20:42.0484 5120 emclisrv - ok
18:20:42.0484 5120 emproxy - ok
18:20:42.0515 5120 ENTECH (fd9fc82f134b1c91004ffc76a5ae494b) C:\WINDOWS\system32\DRIVERS\ENTECH.sys
18:20:42.0531 5120 ENTECH - ok
18:20:42.0562 5120 entertainment (11028c6a84a967070cb1286550f2058f) C:\WINDOWS\system32\fontcache3.0.0.0.dll
18:20:42.0578 5120 Suspicious file (NoAccess): C:\WINDOWS\system32\fontcache3.0.0.0.dll. md5: 11028c6a84a967070cb1286550f2058f
18:20:42.0578 5120 entertainment ( Backdoor.Multi.ZAccess.gen ) - infected
18:20:42.0578 5120 entertainment - detected Backdoor.Multi.ZAccess.gen (0)
18:20:42.0609 5120 ERSvc (bc93b4a066477954555966d77fec9ecb) C:\WINDOWS\System32\ersvc.dll
18:20:42.0609 5120 ERSvc - ok
18:20:42.0625 5120 Eventlog (65df52f5b8b6e9bbd183505225c37315) C:\WINDOWS\system32\services.exe
18:20:42.0625 5120 Eventlog - ok
18:20:42.0671 5120 EventSystem (d4991d98f2db73c60d042f1aef79efae) C:\WINDOWS\system32\es.dll
18:20:42.0687 5120 EventSystem - ok
18:20:42.0687 5120 F700isw - ok
18:20:42.0718 5120 fah@c:+fah+fah-service+fah502-console.exe (c62f76344cd3a3a6314055b4929e529d) C:\WINDOWS\system32\BrSerIf.dll
18:20:42.0734 5120 fah@c:+fah+fah-service+fah502-console.exe - ok
18:20:42.0750 5120 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
18:20:42.0750 5120 Fastfat - ok
18:20:42.0781 5120 FastUserSwitchingCompatibility (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll
18:20:42.0781 5120 FastUserSwitchingCompatibility - ok
18:20:42.0828 5120 Fax (e97d6a8684466df94ff3bc24fb787a07) C:\WINDOWS\system32\fxssvc.exe
18:20:42.0843 5120 Fax - ok
18:20:42.0859 5120 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
18:20:42.0859 5120 Fdc - ok
18:20:42.0859 5120 fgdxbus - ok
18:20:42.0875 5120 filterservice - ok
18:20:42.0921 5120 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
18:20:42.0921 5120 Fips - ok
18:20:42.0921 5120 FirePM - ok
18:20:42.0921 5120 FlexBios - ok
18:20:42.0937 5120 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
18:20:42.0937 5120 Flpydisk - ok
18:20:43.0000 5120 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
18:20:43.0000 5120 FltMgr - ok
18:20:43.0078 5120 FontCache3.0.0.0 (8ba7c024070f2b7fdd98ed8a4ba41789) c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
18:20:43.0078 5120 FontCache3.0.0.0 - ok
18:20:43.0078 5120 fsdfwd - ok
18:20:43.0187 5120 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
18:20:43.0187 5120 Fs_Rec - ok
18:20:43.0203 5120 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
18:20:43.0203 5120 Ftdisk - ok
18:20:43.0218 5120 gagp30kx - ok
18:20:43.0234 5120 gdrv (54789f9ba0d59072cdd4e7c200e122c4) C:\WINDOWS\gdrv.sys
18:20:43.0234 5120 gdrv - ok
18:20:43.0265 5120 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
18:20:43.0265 5120 GEARAspiWDM - ok
18:20:43.0281 5120 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
18:20:43.0281 5120 Gpc - ok
18:20:43.0281 5120 grmnusb - ok
18:20:43.0281 5120 GT890x - ok
18:20:43.0296 5120 hcwPP2 - ok
18:20:43.0328 5120 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
18:20:43.0328 5120 HDAudBus - ok
18:20:43.0375 5120 helpsvc - ok
18:20:43.0406 5120 HidServ (deb04da35cc871b6d309b77e1443c796) C:\WINDOWS\System32\hidserv.dll
18:20:43.0421 5120 HidServ - ok
18:20:43.0453 5120 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
18:20:43.0453 5120 hidusb - ok
18:20:43.0484 5120 hkmsvc (8878bd685e490239777bfe51320b88e9) C:\WINDOWS\System32\kmsvc.dll
18:20:43.0484 5120 hkmsvc - ok
18:20:43.0484 5120 HPFXBULK - ok
18:20:43.0500 5120 hpn - ok
18:20:43.0531 5120 HPZid412 (30ca91e657cede2f95359d6ef186f650) C:\WINDOWS\system32\DRIVERS\HPZid412.sys
18:20:43.0531 5120 HPZid412 - ok
18:20:43.0531 5120 HPZipr12 (efd31afa752aa7c7bbb57bcbe2b01c78) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
18:20:43.0546 5120 HPZipr12 - ok
18:20:43.0562 5120 HPZius12 (7ac43c38ca8fd7ed0b0a4466f753e06e) C:\WINDOWS\system32\DRIVERS\HPZius12.sys
18:20:43.0562 5120 HPZius12 - ok
18:20:43.0562 5120 HssSrv - ok
18:20:43.0609 5120 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
18:20:43.0609 5120 HTTP - ok
18:20:43.0640 5120 HTTPFilter (6100a808600f44d999cebdef8841c7a3) C:\WINDOWS\System32\w3ssl.dll
18:20:43.0656 5120 HTTPFilter - ok
18:20:43.0656 5120 hwpsgt - ok
18:20:43.0671 5120 i2omgmt - ok
18:20:43.0671 5120 i2omp - ok
18:20:43.0703 5120 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
18:20:43.0703 5120 i8042prt - ok
18:20:43.0703 5120 icm10blk - ok
18:20:43.0781 5120 idsvc (c01ac32dc5c03076cfb852cb5da5229c) c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
18:20:43.0796 5120 idsvc - ok
18:20:43.0812 5120 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
18:20:43.0812 5120 Imapi - ok
18:20:43.0859 5120 ImapiService (30deaf54a9755bb8546168cfe8a6b5e1) C:\WINDOWS\system32\imapi.exe
18:20:43.0859 5120 ImapiService - ok
18:20:43.0875 5120 incdsrv - ok
18:20:43.0875 5120 ini910u - ok
18:20:43.0890 5120 inotask - ok
18:20:44.0031 5120 IntcAzAudAddService (c4006af18682fca0d8a011a0a21070f8) C:\WINDOWS\system32\drivers\RtkHDAud.sys
18:20:44.0218 5120 IntcAzAudAddService - ok
18:20:44.0234 5120 IntelIde - ok
18:20:44.0234 5120 iolodmv - ok
18:20:44.0281 5120 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
18:20:44.0281 5120 Ip6Fw - ok
18:20:44.0328 5120 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
18:20:44.0328 5120 IpFilterDriver - ok
18:20:44.0328 5120 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
18:20:44.0343 5120 IpInIp - ok
18:20:44.0375 5120 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
18:20:44.0375 5120 IpNat - ok
18:20:44.0468 5120 iPod Service (57edb35ea2feca88f8b17c0c095c9a56) C:\Program Files\iPod\bin\iPodService.exe
18:20:44.0500 5120 iPod Service - ok
18:20:44.0515 5120 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
18:20:44.0531 5120 IPSec - ok
18:20:44.0562 5120 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
18:20:44.0562 5120 IRENUM - ok
18:20:44.0625 5120 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
18:20:44.0625 5120 isapnp - ok
18:20:44.0734 5120 JavaQuickStarterService (381b25dc8e958d905b33130d500bbf29) C:\Program Files\Java\jre6\bin\jqs.exe
18:20:44.0750 5120 JavaQuickStarterService - ok
18:20:44.0750 5120 JL2005C - ok
18:20:44.0765 5120 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
18:20:44.0765 5120 Kbdclass - ok
18:20:44.0812 5120 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
18:20:44.0812 5120 kmixer - ok
18:20:44.0828 5120 KR10I - ok
18:20:44.0828 5120 KS0108 - ok
18:20:44.0859 5120 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
18:20:44.0859 5120 KSecDD - ok
18:20:44.0890 5120 LanmanServer (3a7c3cbe5d96b8ae96ce81f0b22fb527) C:\WINDOWS\System32\srvsvc.dll
18:20:44.0906 5120 LanmanServer - ok
18:20:44.0937 5120 lanmanworkstation (a8888a5327621856c0cec4e385f69309) C:\WINDOWS\System32\wkssvc.dll
18:20:44.0953 5120 lanmanworkstation - ok
18:20:44.0953 5120 lbrtfdc - ok
18:20:44.0968 5120 lilsgt - ok
18:20:44.0968 5120 lmab_device - ok
18:20:45.0031 5120 LmHosts (a7db739ae99a796d91580147e919cc59) C:\WINDOWS\System32\lmhsvc.dll
18:20:45.0031 5120 LmHosts - ok
18:20:45.0046 5120 lvprcsrv - ok
18:20:45.0046 5120 lxbt_device - ok
18:20:45.0062 5120 lxcgcustomerconnect - ok
18:20:45.0062 5120 lxcg_device - ok
18:20:45.0078 5120 macformatservice - ok
18:20:45.0078 5120 MaRdPnp - ok
18:20:45.0093 5120 mbr - ok
18:20:45.0093 5120 mcmispupdmgr - ok
18:20:45.0109 5120 mcshield - ok
18:20:45.0125 5120 Messenger (986b1ff5814366d71e0ac5755c88f2d3) C:\WINDOWS\System32\msgsvc.dll
18:20:45.0125 5120 Messenger - ok
18:20:45.0125 5120 mfesmfk - ok
18:20:45.0156 5120 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
18:20:45.0156 5120 mnmdd - ok
18:20:45.0171 5120 mnmsrvc (d18f1f0c101d06a1c1adf26eed16fcdd) C:\WINDOWS\system32\mnmsrvc.exe
18:20:45.0187 5120 mnmsrvc - ok
18:20:45.0203 5120 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
18:20:45.0203 5120 Modem - ok
18:20:45.0234 5120 motmodem (fe80c18ba448ddd76b7bead9eb203d37) C:\WINDOWS\system32\DRIVERS\motmodem.sys
18:20:45.0250 5120 motmodem - ok
18:20:45.0250 5120 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
18:20:45.0250 5120 Mouclass - ok
18:20:45.0265 5120 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
18:20:45.0265 5120 mouhid - ok
18:20:45.0265 5120 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
18:20:45.0265 5120 MountMgr - ok
18:20:45.0281 5120 mr2kserv - ok
18:20:45.0281 5120 mraid35x - ok
18:20:45.0296 5120 MRENDIS5 - ok
18:20:45.0312 5120 MRV6X32P - ok
18:20:45.0328 5120 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
18:20:45.0343 5120 MRxDAV - ok
18:20:45.0359 5120 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
18:20:45.0375 5120 MRxSmb - ok
18:20:45.0421 5120 MSDTC (a137f1470499a205abbb9aafb3b6f2b1) C:\WINDOWS\system32\msdtc.exe
18:20:45.0421 5120 MSDTC - ok
18:20:45.0453 5120 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
18:20:45.0453 5120 Msfs - ok
18:20:45.0453 5120 MSIServer - ok
18:20:45.0500 5120 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
18:20:45.0500 5120 MSKSSRV - ok
18:20:45.0515 5120 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
18:20:45.0515 5120 MSPCLOCK - ok
18:20:45.0515 5120 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
18:20:45.0515 5120 MSPQM - ok
18:20:45.0562 5120 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
18:20:45.0562 5120 mssmbios - ok
18:20:45.0562 5120 mssql$soshome22 - ok
18:20:45.0578 5120 MTDVC2_ENUM - ok
18:20:45.0609 5120 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
18:20:45.0609 5120 Mup - ok
18:20:45.0625 5120 MxlW2k - ok
18:20:45.0656 5120 napagent (0102140028fad045756796e1c685d695) C:\WINDOWS\System32\qagentrt.dll
18:20:45.0671 5120 napagent - ok
18:20:45.0671 5120 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
18:20:45.0687 5120 NDIS - ok
18:20:45.0703 5120 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
18:20:45.0718 5120 NdisTapi - ok
18:20:45.0765 5120 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
18:20:45.0765 5120 Ndisuio - ok
18:20:45.0765 5120 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
18:20:45.0765 5120 NdisWan - ok
18:20:45.0812 5120 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
18:20:45.0812 5120 NDProxy - ok
18:20:45.0921 5120 NeroMediaHomeService.4 (b6eb664bd5e25413e730bcb54cf64272) C:\Program Files\Nero\Nero MediaHome 4\NMMediaServerService.exe
18:20:45.0921 5120 NeroMediaHomeService.4 - ok
18:20:45.0937 5120 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
18:20:45.0937 5120 NetBIOS - ok
18:20:45.0984 5120 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
18:20:45.0984 5120 NetBT - ok
18:20:46.0015 5120 NetDDE (b857ba82860d7ff85ae29b095645563b) C:\WINDOWS\system32\netdde.exe
18:20:46.0015 5120 NetDDE - ok
18:20:46.0015 5120 NetDDEdsdm (b857ba82860d7ff85ae29b095645563b) C:\WINDOWS\system32\netdde.exe
18:20:46.0015 5120 NetDDEdsdm - ok
18:20:46.0062 5120 Netlogon (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
18:20:46.0062 5120 Netlogon - ok
18:20:46.0109 5120 Netman (13e67b55b3abd7bf3fe7aae5a0f9a9de) C:\WINDOWS\System32\netman.dll
18:20:46.0109 5120 Netman - ok
18:20:46.0218 5120 NetTcpPortSharing (d34612c5d02d026535b3095d620626ae) c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
18:20:46.0218 5120 NetTcpPortSharing - ok
18:20:46.0234 5120 nfmservice - ok
18:20:46.0234 5120 nhcDriverDevice - ok
18:20:46.0250 5120 NICM - ok
18:20:46.0296 5120 Nla (943337d786a56729263071623bbb9de5) C:\WINDOWS\System32\mswsock.dll
18:20:46.0296 5120 Nla - ok
18:20:46.0343 5120 NMIndexingService - ok
18:20:46.0359 5120 nmservice - ok
18:20:46.0359 5120 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
18:20:46.0375 5120 Npfs - ok
18:20:46.0375 5120 nsausvc - ok
18:20:46.0406 5120 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
18:20:46.0406 5120 Ntfs - ok
18:20:46.0421 5120 NtLmSsp (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
18:20:46.0421 5120 NtLmSsp - ok
18:20:46.0453 5120 NtmsSvc (156f64a3345bd23c600655fb4d10bc08) C:\WINDOWS\system32\ntmssvc.dll
18:20:46.0484 5120 NtmsSvc - ok
18:20:46.0500 5120 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
18:20:46.0515 5120 Null - ok
18:20:46.0625 5120 nv (eb2858f920b8135b807b5ccaa3ed73dc) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
18:20:46.0750 5120 nv - ok
18:20:46.0812 5120 nvata (ef9941593b2e9b436f64a87ddb570d1a) C:\WINDOWS\system32\DRIVERS\nvata.sys
18:20:46.0812 5120 nvata - ok
18:20:46.0859 5120 NVENETFD (0ae6258709d58fb53638e8d28f4480d4) C:\WINDOWS\system32\DRIVERS\NVENETFD.sys
18:20:46.0859 5120 NVENETFD - ok
18:20:46.0906 5120 nvnetbus (1296b33c223a58485d5eaa779752216a) C:\WINDOWS\system32\DRIVERS\nvnetbus.sys
18:20:46.0906 5120 nvnetbus - ok
18:20:46.0937 5120 nvsmu (6ae16e3191823e1af2ddce6d759864a1) C:\WINDOWS\system32\LPDSVC.dll
18:20:46.0937 5120 nvsmu - ok
18:20:46.0968 5120 NVSvc (36032035fa55f030d55237d5c639a81d) C:\WINDOWS\system32\nvsvc32.exe
18:20:46.0968 5120 NVSvc - ok
18:20:47.0140 5120 NVTCP - ok
18:20:47.0187 5120 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
18:20:47.0187 5120 NwlnkFlt - ok
18:20:47.0187 5120 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
18:20:47.0187 5120 NwlnkFwd - ok
18:20:47.0203 5120 nwlnkipx - ok
18:20:47.0203 5120 oracleorahome92pagingserver - ok
18:20:47.0218 5120 oracleorahomeagent - ok
18:20:47.0218 5120 oracle_load_balancer_60_server-forms6ip14 - ok
18:20:47.0312 5120 ose (9d10f99a6712e28f8acd5641e3a7ea6b) C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
18:20:47.0312 5120 ose - ok
18:20:47.0421 5120 osppsvc (358a9cca612c68eb2f07ddad4ce1d8d7) C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
18:20:47.0531 5120 osppsvc - ok
18:20:47.0546 5120 p17xfilt - ok
18:20:47.0546 5120 PAC7302 - ok
18:20:47.0578 5120 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
18:20:47.0578 5120 Parport - ok
18:20:47.0625 5120 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
18:20:47.0625 5120 PartMgr - ok
18:20:47.0671 5120 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
18:20:47.0671 5120 ParVdm - ok
18:20:47.0687 5120 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
18:20:47.0687 5120 PCI - ok
18:20:47.0687 5120 PCIDump - ok
18:20:47.0718 5120 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
18:20:47.0718 5120 PCIIde - ok
18:20:47.0750 5120 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
18:20:47.0765 5120 Pcmcia - ok
18:20:47.0765 5120 PDCOMP - ok
18:20:47.0781 5120 PDFRAME - ok
18:20:47.0781 5120 PdiPorts - ok
18:20:47.0796 5120 pdlnacom - ok
18:20:47.0796 5120 pdlncbas - ok
18:20:47.0812 5120 pdlnebas - ok
18:20:47.0812 5120 pdlnslea - ok
18:20:47.0828 5120 PDRELI - ok
18:20:47.0828 5120 PDRFRAME - ok
18:20:47.0843 5120 perc2 - ok
18:20:47.0843 5120 perc2hib - ok
18:20:47.0859 5120 persfw - ok
18:20:47.0890 5120 PlugPlay (65df52f5b8b6e9bbd183505225c37315) C:\WINDOWS\system32\services.exe
18:20:47.0890 5120 PlugPlay - ok
18:20:47.0937 5120 Pml Driver HPZ12 (2d091a99624fb9e7eef0a86d872ec0c3) C:\WINDOWS\system32\HPZipm12.exe
18:20:47.0937 5120 Pml Driver HPZ12 - ok
18:20:47.0953 5120 pmounter - ok
18:20:47.0953 5120 pnrouter - ok
18:20:47.0968 5120 PolicyAgent (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
18:20:47.0968 5120 PolicyAgent - ok
18:20:48.0031 5120 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
18:20:48.0031 5120 PptpMiniport - ok
18:20:48.0031 5120 prevxagent - ok
18:20:48.0046 5120 prfldsvc - ok
18:20:48.0093 5120 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
18:20:48.0093 5120 Processor - ok
18:20:48.0109 5120 ProtectedStorage (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
18:20:48.0109 5120 ProtectedStorage - ok
18:20:48.0109 5120 ps2 - ok
18:20:48.0125 5120 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
18:20:48.0125 5120 PSched - ok
18:20:48.0125 5120 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
18:20:48.0140 5120 Ptilink - ok
18:20:48.0140 5120 purendis - ok
18:20:48.0156 5120 PxHelp20 (e42e3433dbb4cffe8fdd91eab29aea8e) C:\WINDOWS\system32\Drivers\PxHelp20.sys
18:20:48.0156 5120 PxHelp20 - ok
18:20:48.0171 5120 qcdonner - ok
18:20:48.0171 5120 qhwscsvc - ok
18:20:48.0187 5120 ql1080 - ok
18:20:48.0187 5120 Ql10wnt - ok
18:20:48.0203 5120 ql12160 - ok
18:20:48.0203 5120 ql1240 - ok
18:20:48.0218 5120 ql1280 - ok
18:20:48.0218 5120 R300 - ok
18:20:48.0234 5120 radiosvr - ok
18:20:48.0265 5120 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
18:20:48.0265 5120 RasAcd - ok
18:20:48.0281 5120 RasAuto (ad188be7bdf94e8df4ca0a55c00a5073) C:\WINDOWS\System32\rasauto.dll
18:20:48.0281 5120 RasAuto - ok
18:20:48.0312 5120 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
18:20:48.0328 5120 Rasl2tp - ok
18:20:48.0359 5120 RasMan (76a9a3cbeadd68cc57cda5e1d7448235) C:\WINDOWS\System32\rasmans.dll
18:20:48.0359 5120 RasMan - ok
18:20:48.0375 5120 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
18:20:48.0375 5120 RasPppoe - ok
18:20:48.0390 5120 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
18:20:48.0390 5120 Raspti - ok
18:20:48.0406 5120 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
18:20:48.0421 5120 Rdbss - ok
18:20:48.0437 5120 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
18:20:48.0437 5120 RDPCDD - ok
18:20:48.0484 5120 RDPWD (5b3055daa788bd688594d2f5981f2a83) C:\WINDOWS\system32\drivers\RDPWD.sys
18:20:48.0484 5120 RDPWD - ok
18:20:48.0531 5120 RDSessMgr (3c37bf86641bda977c3bf8a840f3b7fa) C:\WINDOWS\system32\sessmgr.exe
18:20:48.0531 5120 RDSessMgr - ok
18:20:48.0578 5120 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
18:20:48.0578 5120 redbook - ok
18:20:48.0609 5120 RemoteAccess (7e699ff5f59b5d9de5390e3c34c67cf5) C:\WINDOWS\System32\mprdim.dll
18:20:48.0609 5120 RemoteAccess - ok
18:20:48.0656 5120 Revoflt (8b5b8a11306190c6963d3473f052d3c8) C:\WINDOWS\system32\DRIVERS\revoflt.sys
18:20:48.0656 5120 Revoflt - ok
18:20:48.0671 5120 RimUsb (f17713d108aca124a139fde877eef68a) C:\WINDOWS\system32\Drivers\RimUsb.sys
18:20:48.0687 5120 RimUsb - ok
18:20:48.0687 5120 rksample - ok
18:20:48.0734 5120 RpcLocator (aaed593f84afa419bbae8572af87cf6a) C:\WINDOWS\system32\locator.exe
18:20:48.0734 5120 RpcLocator - ok
18:20:48.0781 5120 RpcSs (6b27a5c03dfb94b4245739065431322c) C:\WINDOWS\System32\rpcss.dll
18:20:48.0781 5120 RpcSs - ok
18:20:48.0781 5120 RSAFAL - ok
18:20:48.0828 5120 RSVP (471b3f9741d762abe75e9deea4787e47) C:\WINDOWS\system32\rsvp.exe
18:20:48.0828 5120 RSVP - ok
18:20:48.0843 5120 rt2500usb - ok
18:20:48.0843 5120 s125mdfl - ok
18:20:48.0859 5120 s217nd5 - ok
18:20:48.0859 5120 s217unic - ok
18:20:48.0875 5120 s24eventmonitor - ok
18:20:48.0875 5120 s616nd5 - ok
18:20:48.0906 5120 SamSs (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
18:20:48.0921 5120 SamSs - ok
18:20:48.0921 5120 SbieDrv - ok
18:20:48.0921 5120 scarddrv - ok
18:20:48.0937 5120 SCardSvr (86d007e7a654b9a71d1d7d856b104353) C:\WINDOWS\System32\SCardSvr.exe
18:20:48.0937 5120 SCardSvr - ok
18:20:48.0968 5120 Schedule (0a9a7365a1ca4319aa7c1d6cd8e4eafa) C:\WINDOWS\system32\schedsvc.dll
18:20:48.0984 5120 Schedule - ok
18:20:48.0984 5120 SE27mdm - ok
18:20:48.0984 5120 se58obex - ok
18:20:49.0000 5120 se59mdm - ok
18:20:49.0015 5120 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
18:20:49.0015 5120 Secdrv - ok
18:20:49.0046 5120 seclogon (cbe612e2bb6a10e3563336191eda1250) C:\WINDOWS\System32\seclogon.dll
18:20:49.0046 5120 seclogon - ok
18:20:49.0062 5120 SENS (7fdd5d0684eca8c1f68b4d99d124dcd0) C:\WINDOWS\System32\sens.dll
18:20:49.0078 5120 SENS - ok
18:20:49.0078 5120 ser2plms - ok
18:20:49.0125 5120 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
18:20:49.0125 5120 serenum - ok
18:20:49.0140 5120 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
18:20:49.0140 5120 Serial - ok
18:20:49.0156 5120 sfhlp02 - ok
18:20:49.0203 5120 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
18:20:49.0203 5120 Sfloppy - ok
18:20:49.0218 5120 Sftfs (0692e5bf83b1f10102ba9bd240110b4e) C:\WINDOWS\system32\DRIVERS\Sftfsxp.sys
18:20:49.0234 5120 Sftfs - ok
18:20:49.0375 5120 sftlist (cb73bc422c07fb611f194da18d1e7f36) C:\Program Files\Microsoft Application Virtualization Client\sftlist.exe
18:20:49.0390 5120 sftlist - ok
18:20:49.0437 5120 Sftplay (07bec1b450fd93dfce7341d41d422ab1) C:\WINDOWS\system32\DRIVERS\Sftplayxp.sys
18:20:49.0437 5120 Sftplay - ok
18:20:49.0453 5120 Sftredir (3e65185232697f2190bd618ad050034a) C:\WINDOWS\system32\DRIVERS\Sftredirxp.sys
18:20:49.0453 5120 Sftredir - ok
18:20:49.0468 5120 Sftvol (f372506bc97f14a41fb81bbe3223906b) C:\WINDOWS\system32\DRIVERS\Sftvolxp.sys
18:20:49.0468 5120 Sftvol - ok
18:20:49.0484 5120 sftvsa (a5812f0281ca5081bf696626f9bf324d) C:\Program Files\Microsoft Application Virtualization Client\sftvsa.exe
18:20:49.0484 5120 sftvsa - ok
18:20:49.0531 5120 SharedAccess (83f41d0d89645d7235c051ab1d9523ac) C:\WINDOWS\System32\ipnathlp.dll
18:20:49.0546 5120 SharedAccess - ok
18:20:49.0578 5120 ShellHWDetection (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll
18:20:49.0578 5120 ShellHWDetection - ok
18:20:49.0593 5120 Simbad - ok
18:20:49.0593 5120 smsmdd - ok
18:20:49.0609 5120 snapman380 - ok
18:20:49.0609 5120 snareiis - ok
18:20:49.0625 5120 Sparrow - ok
18:20:49.0625 5120 spbbcsvc - ok
18:20:49.0625 5120 SPCtl - ok
18:20:49.0671 5120 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
18:20:49.0671 5120 splitter - ok
18:20:49.0703 5120 Spooler (60784f891563fb1b767f70117fc2428f) C:\WINDOWS\system32\spoolsv.exe
18:20:49.0703 5120 Spooler - ok
18:20:49.0718 5120 spsslm - ok
18:20:49.0718 5120 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
18:20:49.0718 5120 sr - ok
18:20:49.0734 5120 srservice (3805df0ac4296a34ba4bf93b346cc378) C:\WINDOWS\system32\srsvc.dll
18:20:49.0734 5120 srservice - ok
18:20:49.0750 5120 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
18:20:49.0750 5120 Srv - ok
18:20:49.0781 5120 SSDPSRV (0a5679b3714edab99e357057ee88fca6) C:\WINDOWS\System32\ssdpsrv.dll
18:20:49.0781 5120 SSDPSRV - ok
18:20:49.0781 5120 sskbfd - ok
18:20:49.0796 5120 ssm_bus - ok
18:20:49.0796 5120 ss_mdm - ok
18:20:49.0843 5120 stisvc (8bad69cbac032d4bbacfce0306174c30) C:\WINDOWS\system32\wiaservc.dll
18:20:49.0843 5120 stisvc - ok
18:20:49.0843 5120 StreamDispatcher - ok
18:20:49.0859 5120 STV672 - ok
18:20:49.0890 5120 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
18:20:49.0890 5120 swenum - ok
18:20:49.0921 5120 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
18:20:49.0921 5120 swmidi - ok
18:20:49.0937 5120 SWNC8U51 - ok
18:20:49.0937 5120 SwPrv - ok
18:20:49.0953 5120 symc810 - ok
18:20:49.0953 5120 symc8xx - ok
18:20:50.0000 5120 sym_hi - ok
18:20:50.0015 5120 sym_u3 - ok
18:20:50.0062 5120 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
18:20:50.0062 5120 sysaudio - ok
18:20:50.0078 5120 SysmonLog (c7abbc59b43274b1109df6b24d617051) C:\WINDOWS\system32\smlogsvc.exe
18:20:50.0093 5120 SysmonLog - ok
18:20:50.0125 5120 TapiSrv (3cb78c17bb664637787c9a1c98f79c38) C:\WINDOWS\System32\tapisrv.dll
18:20:50.0140 5120 TapiSrv - ok
18:20:50.0156 5120 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
18:20:50.0156 5120 Tcpip - ok
18:20:50.0203 5120 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
18:20:50.0203 5120 TDPIPE - ok
18:20:50.0218 5120 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
18:20:50.0218 5120 TDTCP - ok
18:20:50.0218 5120 TeamViewer - ok
18:20:50.0234 5120 teefer2 - ok
18:20:50.0265 5120 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
18:20:50.0265 5120 TermDD - ok
18:20:50.0296 5120 TermService (ff3477c03be7201c294c35f684b3479f) C:\WINDOWS\System32\termsrv.dll
18:20:50.0296 5120 TermService - ok
18:20:50.0328 5120 Themes (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll
18:20:50.0343 5120 Themes - ok
18:20:50.0343 5120 tomcatcws3 - ok
18:20:50.0359 5120 toscosrv - ok
18:20:50.0359 5120 TosIde - ok
18:20:50.0375 5120 tossmbnt - ok
18:20:50.0375 5120 transbaseservice - ok
18:20:50.0390 5120 transcode360 - ok
18:20:50.0421 5120 TrkWks (55bca12f7f523d35ca3cb833c725f54e) C:\WINDOWS\system32\trkwks.dll
18:20:50.0421 5120 TrkWks - ok
18:20:50.0421 5120 tsmapip - ok
18:20:50.0453 5120 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
18:20:50.0453 5120 Udfs - ok
18:20:50.0453 5120 uiusys - ok
18:20:50.0468 5120 ultra - ok
18:20:50.0468 5120 UMPass - ok
18:20:50.0500 5120 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
18:20:50.0500 5120 Update - ok
18:20:50.0531 5120 upnphost (1ebafeb9a3fbdc41b8d9c7f0f687ad91) C:\WINDOWS\System32\upnphost.dll
18:20:50.0531 5120 upnphost - ok
18:20:50.0546 5120 UPS (05365fb38fca1e98f7a566aaaf5d1815) C:\WINDOWS\System32\ups.exe
18:20:50.0546 5120 UPS - ok
18:20:50.0593 5120 USBAAPL (eafe1e00739afe6c51487a050e772e17) C:\WINDOWS\system32\Drivers\usbaapl.sys
18:20:50.0609 5120 USBAAPL - ok
18:20:50.0656 5120 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
18:20:50.0656 5120 usbaudio - ok
18:20:50.0703 5120 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
18:20:50.0703 5120 usbccgp - ok
18:20:50.0703 5120 USBDeviceService - ok
18:20:50.0718 5120 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
18:20:50.0718 5120 usbehci - ok
18:20:50.0734 5120 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
18:20:50.0734 5120 usbhub - ok
18:20:50.0781 5120 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys
18:20:50.0781 5120 usbohci - ok
18:20:50.0828 5120 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
18:20:50.0828 5120 usbprint - ok
18:20:50.0875 5120 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
18:20:50.0875 5120 usbscan - ok
18:20:50.0906 5120 usbstor (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
18:20:50.0906 5120 usbstor - ok
18:20:50.0921 5120 UWProSys - ok
18:20:50.0921 5120 VAIOMediaPlatform-VideoServer-UPnP - ok
18:20:50.0937 5120 VC4CB104 - ok
18:20:50.0937 5120 VC6SecS - ok
18:20:50.0953 5120 vds - ok
18:20:50.0968 5120 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
18:20:50.0968 5120 VgaSave - ok
18:20:50.0984 5120 ViaIde - ok
18:20:50.0984 5120 VIAPFD - ok
18:20:51.0000 5120 Video3D - ok
18:20:51.0015 5120 vmnetuserif - ok
18:20:51.0015 5120 vncmirror - ok
18:20:51.0046 5120 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
18:20:51.0046 5120 VolSnap - ok
18:20:51.0046 5120 vpnva - ok
18:20:51.0062 5120 VSP1284D - ok
18:20:51.0078 5120 VSS (7a9db3a67c333bf0bd42e42b8596854b) C:\WINDOWS\System32\vssvc.exe
18:20:51.0078 5120 VSS - ok
18:20:51.0203 5120 vToolbarUpdater10.2.0 (3080f1f093869a19fb3d1f0226c73809) C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\10.2.0\ToolbarUpdater.exe
18:20:51.0203 5120 vToolbarUpdater10.2.0 - ok
18:20:51.0218 5120 vulfnths - ok
18:20:51.0218 5120 vzfw - ok
18:20:51.0265 5120 W32Time (54af4b1d5459500ef0937f6d33b1914f) C:\WINDOWS\system32\w32time.dll
18:20:51.0265 5120 W32Time - ok
18:20:51.0281 5120 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
18:20:51.0281 5120 Wanarp - ok
18:20:51.0296 5120 wanusb - ok
18:20:51.0296 5120 WBHWDOCT - ok
18:20:51.0328 5120 Wdf01000 (fd47474bd21794508af449d9d91af6e6) C:\WINDOWS\system32\DRIVERS\Wdf01000.sys
18:20:51.0328 5120 Wdf01000 - ok
18:20:51.0343 5120 WDICA - ok
18:20:51.0375 5120 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
18:20:51.0390 5120 wdmaud - ok
18:20:51.0390 5120 WebClient (77a354e28153ad2d5e120a5a8687bc06) C:\WINDOWS\System32\webclnt.dll
18:20:51.0390 5120 WebClient - ok
18:20:51.0406 5120 websenselogserver - ok
18:20:51.0406 5120 WINFLASH - ok
18:20:51.0500 5120 winmgmt (2d0e4ed081963804ccc196a0929275b5) C:\WINDOWS\system32\wbem\WMIsvc.dll
18:20:51.0500 5120 winmgmt - ok
18:20:51.0515 5120 wlluc48 - ok
18:20:51.0546 5120 wmconnectcds (11028c6a84a967070cb1286550f2058f) C:\WINDOWS\system32\sglogplayer.dll
18:20:51.0546 5120 Suspicious file (NoAccess): C:\WINDOWS\system32\sglogplayer.dll. md5: 11028c6a84a967070cb1286550f2058f
18:20:51.0546 5120 wmconnectcds ( Backdoor.Multi.ZAccess.gen ) - infected
18:20:51.0546 5120 wmconnectcds - detected Backdoor.Multi.ZAccess.gen (0)
18:20:51.0578 5120 WmdmPmSN (c51b4a5c05a5475708e3c81c7765b71d) C:\WINDOWS\system32\MsPMSNSv.dll
18:20:51.0593 5120 WmdmPmSN - ok
18:20:51.0609 5120 WmiApSrv (e0673f1106e62a68d2257e376079f821) C:\WINDOWS\system32\wbem\wmiapsrv.exe
18:20:51.0609 5120 WmiApSrv - ok
18:20:51.0687 5120 WMPNetworkSvc (f74e3d9a7fa9556c3bbb14d4e5e63d3b) C:\Program Files\Windows Media Player\WMPNetwk.exe
18:20:51.0703 5120 WMPNetworkSvc - ok
18:20:51.0750 5120 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\Drivers\wpdusb.sys
18:20:51.0765 5120 WpdUsb - ok
18:20:51.0765 5120 wps - ok
18:20:51.0796 5120 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
18:20:51.0796 5120 WS2IFSL - ok
18:20:51.0796 5120 WSIMD - ok
18:20:51.0812 5120 wtwservice - ok
18:20:51.0828 5120 wuauserv (35321fb577cdc98ce3eb3a3eb9e4610a) C:\WINDOWS\system32\wuauserv.dll
18:20:51.0828 5120 wuauserv - ok
18:20:51.0875 5120 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
18:20:51.0875 5120 WudfPf - ok
18:20:51.0875 5120 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
18:20:51.0875 5120 WudfRd - ok
18:20:51.0921 5120 WudfSvc (05231c04253c5bc30b26cbaae680ed89) C:\WINDOWS\System32\WUDFSvc.dll
18:20:51.0921 5120 WudfSvc - ok
18:20:51.0937 5120 WUSB54GCSVC - ok
18:20:52.0031 5120 wwEngineSvc (1f4d13fa3a0c4f0f7419ac7814ea8a8e) C:\Program Files\Webroot\Washer\WasherSvc.exe
18:20:52.0031 5120 wwEngineSvc - ok
18:20:52.0093 5120 WZCSVC (81dc3f549f44b1c1fff022dec9ecf30b) C:\WINDOWS\System32\wzcsvc.dll
18:20:52.0109 5120 WZCSVC - ok
18:20:52.0140 5120 xmlprov (295d21f14c335b53cb8154e5b1f892b9) C:\WINDOWS\System32\xmlprov.dll
18:20:52.0140 5120 xmlprov - ok
18:20:52.0156 5120 xnacc - ok
18:20:52.0156 5120 z800mdm - ok
18:20:52.0171 5120 zpcollector - ok
18:20:52.0187 5120 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
18:20:52.0250 5120 \Device\Harddisk0\DR0 - ok
18:20:52.0250 5120 Boot (0x1200) (c3a49d0695355c4c8dc64812b6237ec6) \Device\Harddisk0\DR0\Partition0
18:20:52.0250 5120 \Device\Harddisk0\DR0\Partition0 - ok
18:20:52.0250 5120 ============================================================
18:20:52.0250 5120 Scan finished
18:20:52.0250 5120 ============================================================
18:20:52.0265 0408 Detected object count: 3
18:20:52.0265 0408 Actual detected object count: 3
18:21:45.0937 0408 Akamai ( HiddenFile.Multi.Generic ) - skipped by user
18:21:45.0937 0408 Akamai ( HiddenFile.Multi.Generic ) - User select action: Skip
18:21:46.0078 0408 C:\WINDOWS\system32\fontcache3.0.0.0.dll - copied to quarantine
18:21:46.0093 0408 HKLM\SYSTEM\ControlSet001\services\entertainment - will be deleted on reboot
18:21:46.0093 0408 C:\WINDOWS\system32\fontcache3.0.0.0.dll - will be deleted on reboot
18:21:46.0093 0408 entertainment ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete
18:21:46.0125 0408 C:\WINDOWS\system32\sglogplayer.dll - copied to quarantine
18:21:46.0125 0408 HKLM\SYSTEM\ControlSet001\services\wmconnectcds - will be deleted on reboot
18:21:46.0125 0408 C:\WINDOWS\system32\sglogplayer.dll - will be deleted on reboot
18:21:46.0125 0408 wmconnectcds ( Backdoor.Multi.ZAccess.gen ) - User select action: Delete
18:21:54.0468 4508 Deinitialize success


aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-04-18 19:33:57
-----------------------------
19:33:57.156 OS Version: Windows 5.1.2600 Service Pack 3
19:33:57.156 Number of processors: 2 586 0x6B02
19:33:57.156 ComputerName: OWNER-9EC4BBE27 UserName: User
19:33:57.984 Initialize success
19:39:32.218 AVAST engine defs: 12041802
19:53:18.546 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000063
19:53:18.546 Disk 0 Vendor: WDC_WD5000AAKS-22A7B2 01.03B01 Size: 476938MB BusType: 3
19:53:18.562 Disk 0 MBR read successfully
19:53:18.562 Disk 0 MBR scan
19:53:18.593 Disk 0 Windows XP default MBR code
19:53:18.593 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 476937 MB offset 63
19:53:18.593 Disk 0 scanning sectors +976768065
19:53:18.687 Disk 0 scanning C:\WINDOWS\system32\drivers
19:53:22.046 File: C:\WINDOWS\system32\drivers\cdrom.sys **INFECTED** Win32:Aluroot-C [Rtk]
19:53:42.828 Disk 0 trace - called modules:
19:53:42.843 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll nvata.sys
19:53:42.859 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8af84ab8]
19:53:42.859 3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> \Device\00000065[0x8ae82f18]
19:53:42.859 5 ACPI.sys[b9f7f620] -> nt!IofCallDriver -> \Device\00000063[0x8af84030]
19:53:43.562 AVAST engine scan C:\WINDOWS
19:54:01.546 AVAST engine scan C:\WINDOWS\system32
19:58:44.953 AVAST engine scan C:\WINDOWS\system32\drivers
19:58:46.500 File: C:\WINDOWS\system32\drivers\cdrom.sys **INFECTED** Win32:Aluroot-C [Rtk]
19:59:03.968 AVAST engine scan C:\Documents and Settings\User
20:06:41.828 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\User\Desktop\MBR.dat"
20:06:41.828 The log file has been saved successfully to "C:\Documents and Settings\User\Desktop\aswMBR.txt"