Some kind of monitoring malware


  • This topic is locked
9 replies to this topic

#1 Skolnick

Skolnick

  • Members
  • 4 posts
  • OFFLINE
  • Local time:09:54 AM

Posted 09 April 2012 - 10:59 AM

There is some kind of monitoring keylogger or something similar on my computer; several extremely secure passwords have been stolen remotely and accounts accessed. I believe it is operating below the level of the OS, as a complete reformat and re-install is not fixing the issue. This type of malware cannot be detected through the normal ways of scanning, but I guess I will start here to see what we find.

Thank you

Here is the HijackThis log:


Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:47:52 AM, on 4/9/2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CheckPoint\ZoneAlarm\vsmon.exe
C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG2012\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\10.2.0\ToolbarUpdater.exe
C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
C:\Program Files\AVG\AVG2012\avgnsx.exe
C:\Program Files\AVG\AVG2012\avgemcx.exe
C:\Program Files\AVG\AVG2012\avgrsx.exe
C:\Program Files\AVG\AVG2012\avgcsrvx.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\AVG\AVG2012\avgtray.exe
C:\Program Files\AVG Secure Search\vprot.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\CheckPoint\ZAForceField\ForceField.exe
C:\Program Files\CheckPoint\ZoneAlarm\zatray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\GoTrusted.com\GoTrusted Secure Tunnel v2.3.1.5\GoTrusted Secure Tunnel.exe
C:\Program Files\Belkin\F5D7000v7032\Belkinwcui.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\Documents and Settings\USER\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\USER\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\USER\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\USER\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG2012\avgssie.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: ZoneAlarm Security Engine Registrar - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
O2 - BHO: AVG Security Toolbar - {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files\AVG Secure Search\10.2.0.3\AVG Secure Search_toolbar.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AVG Security Toolbar - {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files\AVG Secure Search\10.2.0.3\AVG Secure Search_toolbar.dll
O3 - Toolbar: ZoneAlarm Security Engine - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\TrustChecker\bin\TrustCheckerIEPlugin.dll
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [AVG_TRAY] "C:\Program Files\AVG\AVG2012\avgtray.exe"
O4 - HKLM\..\Run: [vProt] "C:\Program Files\AVG Secure Search\vprot.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [ISW] C:\Program Files\CheckPoint\ZAForceField\ForceField.exe /icon="hidden"
O4 - HKLM\..\Run: [ZoneAlarm] "C:\Program Files\CheckPoint\ZoneAlarm\zatray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [GoTrusted] C:\Program Files\GoTrusted.com\GoTrusted Secure Tunnel v2.3.1.5\GoTrusted Secure Tunnel.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\USER\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-21-789336058-861567501-1644491937-1006\..\Run: [GoTrusted] C:\Program Files\GoTrusted.com\GoTrusted Secure Tunnel v2.3.1.5\GoTrusted Secure Tunnel.exe (User 'Daily')
O4 - HKUS\S-1-5-21-789336058-861567501-1644491937-1006\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Daily')
O4 - HKUS\S-1-5-21-789336058-861567501-1644491937-1006\..\Run: [Google Update] "C:\Documents and Settings\Daily\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c (User 'Daily')
O4 - S-1-5-21-789336058-861567501-1644491937-1006 Startup: OpenOffice.org 3.3.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe (User 'Daily')
O4 - S-1-5-21-789336058-861567501-1644491937-1006 User Startup: OpenOffice.org 3.3.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe (User 'Daily')
O4 - Startup: OpenOffice.org 3.3.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O4 - Global Startup: Belkin Wireless G Desktop Card Client Utility.lnk = ?
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG2012\avgpp.dll
O18 - Protocol: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - C:\Program Files\Common Files\AVG Secure Search\ViProtocolInstaller\10.2.0\ViProtocol.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: AVGIDSAgent - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
O23 - Service: AVG WatchDog (avgwd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG2012\avgwdsvc.exe
O23 - Service: HSIP - Sysinternals - www.sysinternals.com - C:\DOCUME~1\USER\LOCALS~1\Temp\HSIP.exe
O23 - Service: ZoneAlarm LTD Toolbar IswSvc (IswSvc) - Check Point Software Technologies - C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: TYNQOXPXV - Sysinternals - www.sysinternals.com - C:\DOCUME~1\USER\LOCALS~1\Temp\TYNQOXPXV.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\Program Files\CheckPoint\ZoneAlarm\vsmon.exe
O23 - Service: vToolbarUpdater10.2.0 - Unknown owner - C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\10.2.0\ToolbarUpdater.exe

--
End of file - 7903 bytes
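The O23 (service) lines in a HijackThis log are where a responder looks first, since a service binary started from a Temp or user-profile folder, or carrying a generated-looking name, warrants a closer look. As an added example that is not part of the forum post or of HijackThis itself, the Python below parses the O23 lines from the log above and flags such entries; the heuristics, their weights and the name-randomness threshold are my own choices, not a HijackThis feature.

```python
"""Triage of HijackThis 'O23 - Service' entries.

Added example, not part of the forum post or of HijackThis itself. It applies
the checks a malware responder makes by eye: does the service binary run from
a Temp or user-profile directory, is the vendor field empty, and does the
service name look machine-generated. A hit means "investigate", not "malware".
"""
import re
from dataclasses import dataclass, field

# O23 lines copied from the HijackThis log posted above (not invented).
SAMPLE_O23 = r"""
O23 - Service: AVGIDSAgent - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
O23 - Service: AVG WatchDog (avgwd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG2012\avgwdsvc.exe
O23 - Service: HSIP - Sysinternals - www.sysinternals.com - C:\DOCUME~1\USER\LOCALS~1\Temp\HSIP.exe
O23 - Service: ZoneAlarm LTD Toolbar IswSvc (IswSvc) - Check Point Software Technologies - C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: TYNQOXPXV - Sysinternals - www.sysinternals.com - C:\DOCUME~1\USER\LOCALS~1\Temp\TYNQOXPXV.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\Program Files\CheckPoint\ZoneAlarm\vsmon.exe
O23 - Service: vToolbarUpdater10.2.0 - Unknown owner - C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\10.2.0\ToolbarUpdater.exe
"""

TEMP_DIR_RE = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)
USER_PROFILE_RE = re.compile(r"^[a-z]:\\(docume~1|documents and settings|users)\\", re.IGNORECASE)
PATH_RE = re.compile(r"^[a-z]:\\", re.IGNORECASE)

# Weights are my own (assumed) choices for ranking, not a HijackThis scoring scheme.
WEIGHTS = {
    "runs_from_temp": 3,          # legitimate services are not installed into Temp
    "runs_from_user_profile": 2,  # nor under a user's profile directory
    "random_looking_name": 2,     # TYNQOXPXV-style names are a common generated pattern
    "unknown_vendor": 1,          # HijackThis could not read a company name
}


@dataclass
class Service:
    display: str
    vendor: str
    path: str
    reasons: list = field(default_factory=list)

    @property
    def score(self) -> int:
        return sum(WEIGHTS[r] for r in self.reasons)


def parse_o23(line: str):
    """Split one 'O23 - Service: <display> - <vendor...> - <path>' line.

    The vendor field may itself contain ' - ' (e.g. 'Sysinternals - www.sysinternals.com'),
    so the display name is the first field, the path is the last field (which must
    start with a drive letter) and everything in between is the vendor.
    """
    line = line.strip()
    if not line.startswith("O23 - Service: "):
        return None
    parts = line[len("O23 - Service: "):].split(" - ")
    if len(parts) < 3:
        return None
    # HijackThis may append a parenthesised note such as ' (file missing)' after the path.
    path = re.sub(r" \(.*\)$", "", parts[-1])
    if not PATH_RE.match(path):
        return None
    return Service(display=parts[0], vendor=" - ".join(parts[1:-1]), path=path)


def looks_random(name: str) -> bool:
    """All-caps, 8+ letters, under 20% vowels: a crude generated-name heuristic."""
    letters = re.sub(r"[^A-Za-z]", "", name)
    if len(letters) < 8 or letters != letters.upper():
        return False
    vowels = sum(ch in "AEIOU" for ch in letters)
    return vowels / len(letters) < 0.2


def assess(svc: Service) -> Service:
    """Attach every heuristic that fires to the service, in a fixed order."""
    if TEMP_DIR_RE.search(svc.path):
        svc.reasons.append("runs_from_temp")
    if USER_PROFILE_RE.match(svc.path):
        svc.reasons.append("runs_from_user_profile")
    if looks_random(svc.display):
        svc.reasons.append("random_looking_name")
    if svc.vendor.strip().lower() == "unknown owner":
        svc.reasons.append("unknown_vendor")
    return svc


def triage(log_text: str):
    """Return only the services with at least one finding, highest score first."""
    flagged = []
    for line in log_text.splitlines():
        svc = parse_o23(line)
        if svc and assess(svc).reasons:
            flagged.append(svc)
    return sorted(flagged, key=lambda s: s.score, reverse=True)


if __name__ == "__main__":
    for svc in triage(SAMPLE_O23):
        print(f"[{svc.score}] {svc.display:<22} {svc.path}  <- {', '.join(svc.reasons)}")
```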



#2 nasdaq

nasdaq

  • Malware Response Team
  • 38,764 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:11:54 AM

Posted 14 April 2012 - 07:58 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

Please download TDSSKiller.zip

  • Double-click on TDSSKiller.exe to run the application.
  • Click on the Start Scan button and wait for the scan and disinfection process to be over.
  • If an infected file is detected, the default action will be Cure, click on Continue
  • If a suspicious file is detected, the default action will be Skip, click on Continue
  • If you are asked to reboot the computer to complete the process, click on the Reboot Now button. A report will be automatically saved at the root of the System drive (usually C:\) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt" (for example, C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt). Please copy and paste the contents of that file here.
  • If no reboot is required, click on Report. A log file will appear. Please copy and paste the contents of that file in your next reply.

Download http://public.avast.com/~gmerek/aswMBR.exe (aswMBR.exe) to your desktop. Double-click the aswMBR.exe to run it.

  • Click the "Scan" button to start scan.
  • Upon completion of the scan, click Save log, and save it to your desktop. (Note - do not select any Fix at this time) <- IMPORTANT
  • Please post the contents of that log in your next reply.
There shall also be a file on your desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) folder. Please attach that zipped file in your next reply.

===

Please download and run this DDS Scanning Tool. Nothing will be deleted. It will just give me some additional information about your system.

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
Please note: You may have to disable any script protection running if the scan fails to run.

Please just paste the contents of the DDS.txt log in your next post. DO NOT attach the log.

Please post the logs for my review.

#3 Skolnick

Skolnick
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:09:54 AM

Posted 15 April 2012 - 12:51 PM

12:45:13.0609 3596 TDSS rootkit removing tool 2.7.28.0 Apr 10 2012 16:54:05
12:45:15.0609 3596 ============================================================
12:45:15.0609 3596 Current date / time: 2012/04/15 12:45:15.0609
12:45:15.0609 3596 SystemInfo:
12:45:15.0609 3596
12:45:15.0609 3596 OS Version: 5.1.2600 ServicePack: 3.0
12:45:15.0609 3596 Product type: Workstation
12:45:15.0609 3596 ComputerName: OWNER-417783567
12:45:15.0609 3596 UserName: USER
12:45:15.0609 3596 Windows directory: C:\WINDOWS
12:45:15.0609 3596 System windows directory: C:\WINDOWS
12:45:15.0609 3596 Processor architecture: Intel x86
12:45:15.0609 3596 Number of processors: 2
12:45:15.0609 3596 Page size: 0x1000
12:45:15.0609 3596 Boot type: Normal boot
12:45:15.0609 3596 ============================================================
12:45:16.0937 3596 Drive \Device\Harddisk0\DR0 - Size: 0x25432CDE00 (149.05 Gb), SectorSize: 0x200, Cylinders: 0x50C1, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xF0, Type 'K0', Flags 0x00000054
12:45:17.0062 3596 \Device\Harddisk0\DR0:
12:45:17.0062 3596 MBR used
12:45:17.0062 3596 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x12A14BC1
12:45:17.0109 3596 Initialize success
12:45:17.0109 3596 ============================================================
12:45:20.0218 3656 ============================================================
12:45:20.0218 3656 Scan started
12:45:20.0218 3656 Mode: Manual;
12:45:20.0218 3656 ============================================================
12:45:28.0484 3656 RegGuard - ok
12:45:28.0546 3656 RemoteAccess (7e699ff5f59b5d9de5390e3c34c67cf5) C:\WINDOWS\System32\mprdim.dll
12:45:28.0546 3656 RemoteAccess - ok
12:45:28.0578 3656 RpcLocator (aaed593f84afa419bbae8572af87cf6a) C:\WINDOWS\system32\locator.exe
12:45:28.0578 3656 RpcLocator - ok
12:45:28.0625 3656 RpcSs (6b27a5c03dfb94b4245739065431322c) C:\WINDOWS\system32\rpcss.dll
12:45:28.0625 3656 RpcSs - ok
12:45:28.0687 3656 RSVP (471b3f9741d762abe75e9deea4787e47) C:\WINDOWS\system32\rsvp.exe
12:45:28.0687 3656 RSVP - ok
12:45:28.0765 3656 rtl8139 (d507c1400284176573224903819ffda3) C:\WINDOWS\system32\DRIVERS\RTL8139.SYS
12:45:28.0765 3656 rtl8139 - ok
12:45:28.0812 3656 SamSs (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
12:45:28.0812 3656 SamSs - ok
12:45:28.0859 3656 SCardSvr (86d007e7a654b9a71d1d7d856b104353) C:\WINDOWS\System32\SCardSvr.exe
12:45:28.0859 3656 SCardSvr - ok
12:45:28.0906 3656 Schedule (0a9a7365a1ca4319aa7c1d6cd8e4eafa) C:\WINDOWS\system32\schedsvc.dll
12:45:28.0921 3656 Schedule - ok
12:45:28.0937 3656 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
12:45:28.0937 3656 Secdrv - ok
12:45:28.0984 3656 seclogon (cbe612e2bb6a10e3563336191eda1250) C:\WINDOWS\System32\seclogon.dll
12:45:28.0984 3656 seclogon - ok
12:45:29.0000 3656 SENS (7fdd5d0684eca8c1f68b4d99d124dcd0) C:\WINDOWS\system32\sens.dll
12:45:29.0000 3656 SENS - ok
12:45:29.0046 3656 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
12:45:29.0046 3656 serenum - ok
12:45:29.0062 3656 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
12:45:29.0062 3656 Serial - ok
12:45:29.0093 3656 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
12:45:29.0093 3656 Sfloppy - ok
12:45:29.0140 3656 SharedAccess (83f41d0d89645d7235c051ab1d9523ac) C:\WINDOWS\System32\ipnathlp.dll
12:45:29.0156 3656 SharedAccess - ok
12:45:29.0218 3656 ShellHWDetection (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll
12:45:29.0218 3656 ShellHWDetection - ok
12:45:29.0234 3656 Simbad - ok
12:45:29.0250 3656 Sparrow - ok
12:45:29.0296 3656 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
12:45:29.0312 3656 splitter - ok
12:45:29.0375 3656 Spooler (60784f891563fb1b767f70117fc2428f) C:\WINDOWS\system32\spoolsv.exe
12:45:29.0375 3656 Spooler - ok
12:45:29.0421 3656 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
12:45:29.0421 3656 sr - ok
12:45:29.0453 3656 srservice (3805df0ac4296a34ba4bf93b346cc378) C:\WINDOWS\system32\srsvc.dll
12:45:29.0453 3656 srservice - ok
12:45:29.0515 3656 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
12:45:29.0515 3656 Srv - ok
12:45:29.0562 3656 SSDPSRV (0a5679b3714edab99e357057ee88fca6) C:\WINDOWS\System32\ssdpsrv.dll
12:45:29.0562 3656 SSDPSRV - ok
12:45:29.0578 3656 stisvc (8bad69cbac032d4bbacfce0306174c30) C:\WINDOWS\system32\wiaservc.dll
12:45:29.0593 3656 stisvc - ok
12:45:29.0640 3656 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
12:45:29.0640 3656 swenum - ok
12:45:29.0687 3656 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
12:45:29.0687 3656 swmidi - ok
12:45:29.0703 3656 SwPrv - ok
12:45:29.0718 3656 symc810 - ok
12:45:29.0734 3656 symc8xx - ok
12:45:29.0750 3656 sym_hi - ok
12:45:29.0765 3656 sym_u3 - ok
12:45:29.0828 3656 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
12:45:29.0828 3656 sysaudio - ok
12:45:29.0859 3656 SysmonLog (c7abbc59b43274b1109df6b24d617051) C:\WINDOWS\system32\smlogsvc.exe
12:45:29.0859 3656 SysmonLog - ok
12:45:29.0890 3656 TapiSrv (3cb78c17bb664637787c9a1c98f79c38) C:\WINDOWS\System32\tapisrv.dll
12:45:29.0906 3656 TapiSrv - ok
12:45:29.0953 3656 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
12:45:29.0968 3656 Tcpip - ok
12:45:30.0031 3656 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
12:45:30.0031 3656 TDPIPE - ok
12:45:30.0031 3656 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
12:45:30.0046 3656 TDTCP - ok
12:45:30.0093 3656 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
12:45:30.0093 3656 TermDD - ok
12:45:30.0125 3656 TermService (ff3477c03be7201c294c35f684b3479f) C:\WINDOWS\System32\termsrv.dll
12:45:30.0140 3656 TermService - ok
12:45:30.0187 3656 Themes (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll
12:45:30.0187 3656 Themes - ok
12:45:30.0203 3656 TosIde - ok
12:45:30.0250 3656 TrkWks (55bca12f7f523d35ca3cb833c725f54e) C:\WINDOWS\system32\trkwks.dll
12:45:30.0265 3656 TrkWks - ok
12:45:30.0328 3656 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
12:45:30.0328 3656 Udfs - ok
12:45:30.0343 3656 ultra - ok
12:45:30.0390 3656 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
12:45:30.0406 3656 Update - ok
12:45:30.0437 3656 upnphost (1ebafeb9a3fbdc41b8d9c7f0f687ad91) C:\WINDOWS\System32\upnphost.dll
12:45:30.0453 3656 upnphost - ok
12:45:30.0453 3656 UPS (05365fb38fca1e98f7a566aaaf5d1815) C:\WINDOWS\System32\ups.exe
12:45:30.0468 3656 UPS - ok
12:45:30.0515 3656 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
12:45:30.0515 3656 usbccgp - ok
12:45:30.0562 3656 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
12:45:30.0562 3656 usbehci - ok
12:45:30.0593 3656 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
12:45:30.0609 3656 usbhub - ok
12:45:30.0656 3656 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
12:45:30.0656 3656 usbprint - ok
12:45:30.0718 3656 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
12:45:30.0718 3656 usbscan - ok
12:45:30.0781 3656 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
12:45:30.0781 3656 USBSTOR - ok
12:45:30.0796 3656 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
12:45:30.0796 3656 usbuhci - ok
12:45:30.0859 3656 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
12:45:30.0859 3656 VgaSave - ok
12:45:30.0875 3656 ViaIde - ok
12:45:30.0921 3656 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
12:45:30.0921 3656 VolSnap - ok
12:45:30.0984 3656 Vsdatant (265c7cb9611e8ce0e9115cda45f109b2) C:\WINDOWS\system32\vsdatant.sys
12:45:31.0000 3656 Vsdatant - ok
12:45:31.0046 3656 vsmon - ok
12:45:31.0109 3656 VSS (7a9db3a67c333bf0bd42e42b8596854b) C:\WINDOWS\System32\vssvc.exe
12:45:31.0140 3656 VSS - ok
12:45:31.0203 3656 W32Time (54af4b1d5459500ef0937f6d33b1914f) C:\WINDOWS\system32\w32time.dll
12:45:31.0203 3656 W32Time - ok
12:45:31.0281 3656 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
12:45:31.0281 3656 Wanarp - ok
12:45:31.0296 3656 WDICA - ok
12:45:31.0343 3656 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
12:45:31.0343 3656 wdmaud - ok
12:45:31.0375 3656 WebClient (77a354e28153ad2d5e120a5a8687bc06) C:\WINDOWS\System32\webclnt.dll
12:45:31.0375 3656 WebClient - ok
12:45:31.0437 3656 winmgmt (2d0e4ed081963804ccc196a0929275b5) C:\WINDOWS\system32\wbem\WMIsvc.dll
12:45:31.0437 3656 winmgmt - ok
12:45:31.0484 3656 WmdmPmSN (c7e39ea41233e9f5b86c8da3a9f1e4a8) C:\WINDOWS\system32\mspmsnsv.dll
12:45:31.0500 3656 WmdmPmSN - ok
12:45:31.0546 3656 WmiApSrv (e0673f1106e62a68d2257e376079f821) C:\WINDOWS\system32\wbem\wmiapsrv.exe
12:45:31.0546 3656 WmiApSrv - ok
12:45:31.0609 3656 wscsvc (7c278e6408d1dce642230c0585a854d5) C:\WINDOWS\system32\wscsvc.dll
12:45:31.0640 3656 wscsvc - ok
12:45:31.0687 3656 wuauserv (35321fb577cdc98ce3eb3a3eb9e4610a) C:\WINDOWS\system32\wuauserv.dll
12:45:31.0687 3656 wuauserv - ok
12:45:31.0734 3656 WZCSVC (81dc3f549f44b1c1fff022dec9ecf30b) C:\WINDOWS\System32\wzcsvc.dll
12:45:31.0750 3656 WZCSVC - ok
12:45:31.0781 3656 xmlprov (295d21f14c335b53cb8154e5b1f892b9) C:\WINDOWS\System32\xmlprov.dll
12:45:31.0796 3656 xmlprov - ok
12:45:31.0890 3656 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
12:45:32.0093 3656 \Device\Harddisk0\DR0 - ok
12:45:32.0093 3656 Boot (0x1200) (fba017986c97e244b4c6d2c2900ed3e7) \Device\Harddisk0\DR0\Partition0
12:45:32.0093 3656 \Device\Harddisk0\DR0\Partition0 - ok
12:45:32.0093 3656 ============================================================
12:45:32.0093 3656 Scan finished
12:45:32.0093 3656 ============================================================
12:45:32.0125 3648 Detected object count: 0
12:45:32.0125 3648 Actual detected object count: 0



aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-04-15 12:47:23
-----------------------------
12:47:23.484 OS Version: Windows 5.1.2600 Service Pack 3
12:47:23.484 Number of processors: 2 586 0x304
12:47:23.484 ComputerName: OWNER-417783567 UserName: USER
12:47:24.000 Initialize success
12:47:55.703 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
12:47:55.703 Disk 0 Vendor: WDC_WD1600AAJB-00J3A0 01.03E01 Size: 152626MB BusType: 3
12:47:55.718 Disk 0 MBR read successfully
12:47:55.718 Disk 0 MBR scan
12:47:55.734 Disk 0 Windows XP default MBR code
12:47:55.734 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 152617 MB offset 63
12:47:55.734 Disk 0 scanning sectors +312560640
12:47:55.843 Disk 0 scanning C:\WINDOWS\system32\drivers
12:48:00.296 Service scanning
12:48:07.203 Modules scanning
12:48:17.187 Disk 0 trace - called modules:
12:48:17.203 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys intelide.sys
12:48:17.203 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86772ab8]
12:48:17.218 3 CLASSPNP.SYS[f788ffd7] -> nt!IofCallDriver -> \Device\0000005b[0x8671ff18]
12:48:17.718 5 ACPI.sys[f77e6620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x8671e940]
12:48:17.718 Scan finished successfully
12:48:29.875 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\USER\Desktop\MBR.dat"
12:48:29.906 The log file has been saved successfully to "C:\Documents and Settings\USER\Desktop\aswMBR.txt"




.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by USER at 12:49:42 on 2012-04-15
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.584 [GMT -5:00]
.
FW: ZoneAlarm Free Firewall *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\CheckPoint\ZoneAlarm\vsmon.exe
C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\CheckPoint\ZAForceField\ForceField.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\CheckPoint\ZoneAlarm\zatray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\GoTrusted.com\GoTrusted Secure Tunnel v2.3.1.5\GoTrusted Secure Tunnel.exe
C:\Program Files\Belkin\F5D7000v7032\Belkinwcui.exe
C:\Documents and Settings\USER\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\USER\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\USER\My Documents\Downloads\tdsskiller\TDSSKiller.exe
.
============== Pseudo HJT Report ===============
.
uInternet Connection Wizard,ShellNext = iexplore
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: ZoneAlarm Security Engine Registrar: {8a4a36c2-0535-4d2c-bd3d-496cb7eed6e3} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: ZoneAlarm Security Engine: {ee2ac4e5-b0b0-4ec6-88a9-bca1a32ab107} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
{e7df6bff-55a5-4eb7-a673-4ed3e9456d39}
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [GoTrusted] c:\program files\gotrusted.com\gotrusted secure tunnel v2.3.1.5\GoTrusted Secure Tunnel.exe
uRun: [Google Update] "c:\documents and settings\user\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [AlcxMonitor] ALCXMNTR.EXE
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [ISW] c:\program files\checkpoint\zaforcefield\ForceField.exe /icon="hidden"
mRun: [ZoneAlarm] "c:\program files\checkpoint\zonealarm\zatray.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\belkin~1.lnk - c:\program files\belkin\f5d7000v7032\Belkinwcui.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{5619C12E-2263-4F9E-A2FF-B740322887B3} : DhcpNameServer = 192.168.1.1
.
============= SERVICES / DRIVERS ===============
.
R1 Vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2012-3-19 525840]
R2 ISWKL;ZoneAlarm LTD Toolbar ISWKL;c:\program files\checkpoint\zaforcefield\ISWKL.sys [2012-3-16 27016]
R2 IswSvc;ZoneAlarm LTD Toolbar IswSvc;c:\program files\checkpoint\zaforcefield\ISWSVC.exe [2012-3-16 497280]
R2 vsmon;TrueVector Internet Monitor;c:\program files\checkpoint\zonealarm\vsmon.exe -service --> c:\program files\checkpoint\zonealarm\vsmon.exe -service [?]
R3 gttap1;GoTrusted TAP Adapter;c:\windows\system32\drivers\gttap1.sys [2008-3-18 20480]
S3 Belkin700F;Belkin Wireless G Desktop Card Service v7;c:\windows\system32\drivers\BLKWGDv7.sys [2012-1-30 303616]
S3 RegGuard;RegGuard;c:\windows\system32\drivers\regguard.sys [2012-4-2 24416]
.
=============== Created Last 30 ================
.
2012-04-09 19:52:18 -------- d-----w- c:\documents and settings\user\local settings\application data\NPE
2012-04-09 19:52:18 -------- d-----w- c:\documents and settings\all users\application data\Norton
2012-04-09 16:13:05 -------- d-----w- C:\TDSSKiller_Quarantine
2012-04-09 15:47:26 388096 ----a-r- c:\documents and settings\user\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2012-04-09 15:47:25 -------- d-----w- c:\program files\Trend Micro
2012-04-08 23:01:01 -------- d-----w- c:\documents and settings\all users\application data\Sophos
2012-04-06 23:39:11 -------- d-----w- c:\documents and settings\user\local settings\application data\Google
2012-04-06 23:38:56 -------- d-----w- c:\documents and settings\user\local settings\application data\Deployment
2012-04-05 19:21:10 -------- d-----w- c:\documents and settings\user\application data\Malwarebytes
2012-04-05 19:20:59 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2012-04-05 19:20:58 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-04-05 19:20:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-04-04 14:48:19 315904 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\hpfpp70w.dll
2012-04-04 14:48:18 123904 ----a-w- c:\windows\system32\hpf3l70w.dll
2012-04-04 14:47:56 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
2012-04-04 14:47:56 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2012-04-04 14:47:16 -------- d-----w- c:\program files\common files\HP
2012-04-04 14:47:13 -------- d-----w- c:\program files\common files\Hewlett-Packard
2012-04-04 14:46:46 -------- d-----w- c:\windows\hpoj4500g510a-f
2012-04-04 14:46:28 966656 ----a-w- c:\windows\system32\hpwtiop6.dll
2012-04-04 14:46:28 716288 ----a-w- c:\windows\system32\hpwwiax7.dll
2012-04-04 14:46:28 372736 ----a-w- c:\windows\system32\hppldcoi.dll
2012-04-04 14:46:27 315392 ----a-w- c:\windows\system32\hpwvst01.dll
2012-04-04 14:46:27 309760 ----a-w- c:\windows\system32\difxapi.dll
2012-04-04 14:46:26 21568 ----a-w- c:\windows\system32\drivers\HPZius12.sys
2012-04-04 14:46:24 16496 ----a-w- c:\windows\system32\drivers\HPZipr12.sys
2012-04-04 14:46:23 49920 ----a-w- c:\windows\system32\drivers\HPZid412.sys
2012-04-04 14:46:22 452408 ----a-w- c:\windows\system32\hpzids01.dll
2012-04-04 14:46:08 -------- d-----w- c:\program files\HP
2012-04-02 19:20:13 -------- d-----w- c:\windows\IswTmp
2012-04-02 10:36:30 -------- d-----w- c:\documents and settings\user\local settings\application data\GoTrusted.com
2012-04-02 10:36:05 -------- d-----w- c:\program files\GoTrusted.com
2012-04-02 10:14:07 24416 ----a-w- c:\windows\system32\drivers\regguard.sys
2012-04-02 10:08:12 2 --shatr- c:\windows\winstart.bat
2012-04-02 10:08:05 12800 ----a-w- c:\windows\system32\drivers\UnHackMeDrv.sys
2012-04-02 10:07:59 -------- d-----w- c:\program files\UnHackMe
2012-04-01 00:38:39 -------- d-----w- c:\windows\system32\cache
2012-03-29 13:45:31 -------- d-----w- c:\documents and settings\user\application data\CheckPoint
2012-03-29 13:43:05 -------- d-----w- c:\program files\CheckPoint
2012-03-29 13:42:44 -------- d-----w- c:\documents and settings\all users\application data\CheckPoint
2012-03-24 20:42:57 -------- d-----w- c:\documents and settings\user\local settings\application data\Mozilla
.
==================== Find3M ====================
.
2012-03-24 20:53:40 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-03-09 04:37:19 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-03-09 04:37:18 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-03-09 04:29:20 205 ----a-w- c:\windows\system32\lsprst7.dll
2012-03-09 04:29:20 1025 ----a-w- c:\windows\system32\sysprs7.dll
2012-02-03 09:22:18 1860096 ----a-w- c:\windows\system32\win32k.sys
2012-01-25 18:00:00 79360 ----a-w- c:\windows\system32\ff_vfw.dll
.
============= FINISH: 12:50:25.45 ===============

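An added triage helper for the TDSSKiller listing above (example code written for this page; it is not part of the forum post and not TDSSKiller's own code). It pairs each service or driver line with the verdict line that follows it, flags anything not reported "ok" or whose image lives outside the Windows directory (a review list, not a verdict), groups services that share one image so that lsass.exe hosting PolicyAgent and ProtectedStorage is visible as normal XP behaviour rather than a surprise, and re-computes MD5 so a hash recorded in the log can be compared with the file that is actually on disk. Sample lines are copied from the log; the "exampledrv" lines, including its name, hash, path and "suspicious" wording, are constructed to exercise the flagging rules and do not reflect TDSSKiller's real verdict strings, and the hash check runs on a constructed temporary file.

```python
import hashlib
import os
import re
import tempfile
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# "<time> <pid> <name> (<md5>) <path>": a service/driver and the image file it points at.
IMAGE_RE = re.compile(r"^\d\d:\d\d:\d\d\.\d+\s+\d+\s+(?P<name>\S+)\s+\((?P<md5>[0-9a-f]{32})\)\s+(?P<path>\S.*?)\s*$")
# "<time> <pid> <name> - <verdict>": the verdict line that follows it, or stands alone.
STATUS_RE = re.compile(r"^\d\d:\d\d:\d\d\.\d+\s+\d+\s+(?P<name>\S+)\s+-\s+(?P<status>.+?)\s*$")

# Lines copied from the log above.
SAMPLE_LOG = r"""
12:45:27.0093 3656 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
12:45:27.0093 3656 Null - ok
12:45:27.0265 3656 Partizan - ok
12:45:27.0656 3656 PlugPlay (65df52f5b8b6e9bbd183505225c37315) C:\WINDOWS\system32\services.exe
12:45:27.0671 3656 PlugPlay - ok
12:45:27.0703 3656 PolicyAgent (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
12:45:27.0703 3656 PolicyAgent - ok
12:45:27.0750 3656 ProtectedStorage (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
12:45:27.0750 3656 ProtectedStorage - ok
12:45:28.0484 3656 RegGuard (37ecebdd930395a9c399fb18a3c236d3) C:\WINDOWS\system32\Drivers\regguard.sys
12:45:28.0484 3656 RegGuard - ok
12:45:31.0890 3656 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
12:45:32.0093 3656 \Device\Harddisk0\DR0 - ok
"""
# Constructed lines (hypothetical name, hash, path and verdict wording, not from the log and
# not TDSSKiller's real verdict strings) that should trip both flagging rules.
CONSTRUCTED_LINES = r"""
12:45:31.0000 3656 exampledrv (00000000000000000000000000000000) C:\Documents and Settings\USER\Local Settings\Temp\exampledrv.sys
12:45:31.0000 3656 exampledrv - suspicious
"""

@dataclass
class Entry:
    name: str
    md5: Optional[str] = None     # hash TDSSKiller reported for the image
    path: Optional[str] = None    # None for services listed without an image (e.g. Partizan)
    status: Optional[str] = None  # verdict text after " - "

def parse_log(text: str) -> Tuple[Dict[str, Entry], List[str]]:
    """Pair every image line with its verdict line; also return lines that fit neither shape."""
    entries: Dict[str, Entry] = {}
    unparsed: List[str] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = STATUS_RE.match(line)
        if m:
            entries.setdefault(m["name"], Entry(m["name"])).status = m["status"]
            continue
        m = IMAGE_RE.match(line)
        if m:
            entries[m["name"]] = Entry(m["name"], m["md5"], m["path"])
        else:
            unparsed.append(line)  # e.g. the "MBR (0x1B8) ..." line, whose verdict is keyed by device
    return entries, unparsed

def triage(entries: Dict[str, Entry], system_root: str = r"C:\WINDOWS") -> List[Tuple[str, str]]:
    """Flag entries without an 'ok' verdict and images outside the Windows directory (for review)."""
    root = system_root.lower().rstrip("\\") + "\\"
    findings: List[Tuple[str, str]] = []
    for e in entries.values():
        if e.status is None:
            findings.append((e.name, "image listed but no verdict line"))
        elif e.status.lower() != "ok":
            findings.append((e.name, f"verdict '{e.status}'"))
        if e.path and not e.path.lower().startswith(root):
            findings.append((e.name, f"image outside {system_root}: {e.path}"))
    return findings

def services_by_image(entries: Dict[str, Entry]) -> Dict[str, List[str]]:
    """Group service names by image so shared hosts (lsass.exe, services.exe) are visible at a glance."""
    by_path: Dict[str, List[str]] = {}
    for e in entries.values():
        if e.path:
            by_path.setdefault(e.path.lower(), []).append(e.name)
    return by_path

def hash_matches(entry: Entry, path_on_disk: str) -> bool:
    """True when the file on disk still hashes to what the log recorded for this entry."""
    h = hashlib.md5()
    with open(path_on_disk, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return entry.md5 is not None and h.hexdigest() == entry.md5

def hash_roundtrip_selfcheck() -> Tuple[bool, bool]:
    """Constructed check: a temp file stands in for a driver; appending one byte must flip the result."""
    image = b"MZ constructed driver image\n"
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "example.sys")
        with open(p, "wb") as f:
            f.write(image)
        e = Entry("example", md5=hashlib.md5(image).hexdigest(), path=p)
        before = hash_matches(e, p)
        with open(p, "ab") as f:
            f.write(b"\x90")
        after = hash_matches(e, p)
    return before, after
```

Two caveats worth keeping in mind when reading a clean run like the one above. A log hash that matches the file on disk only shows the log is consistent with the disk it was taken from; to establish that a system binary is genuine, compare the hash against a known-good copy from install media or a trusted machine at the same patch level. And an "ok" from TDSSKiller, together with aswMBR reporting "Windows XP default MBR code", speaks to what those tools can see on this disk; it does not rule out credential theft that never touched this machine (a compromised account, a phished password or a keylogger on another device).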
#4 nasdaq

nasdaq

  • Malware Response Team
  • 38,764 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:11:54 AM

Posted 16 April 2012 - 06:54 AM

Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your Anti-Virus and Anti-Spyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • Close any open browsers, and all other programs working. Make sure you save your file if working on a document.
  • Do not install any other programs until this is fixed.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Some rootkit infections may damage your boot sector. The Windows Recovery Console may be needed to restore it. Do not bypass this installation. You may regret it.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Note: If you have difficulty properly disabling your protection programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html

Do not mouse click ComboFix's window while it's running. That may cause it to stall.
===

Third-party programs, if not up to date, can be the cause of infiltration and infection.

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

Note: If after running ComboFix you get this error message "Illegal operation attempted on a registry key that has been marked for deletion." when attempting to run a program all you need to do is restart the computer to reset the registry.

Please post the logs and let me know if the problem persists.

#5 Skolnick

Skolnick
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:09:54 AM

Posted 16 April 2012 - 11:39 AM

Please let me know what you see...



ComboFix 12-04-16.01 - USER 04/16/2012 11:25:14.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.588 [GMT -5:00]
Running from: c:\documents and settings\USER\My Documents\Downloads\ComboFix.exe
FW: ZoneAlarm Free Firewall *Enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\Install.exe
c:\windows\system32\Cache
c:\windows\system32\Cache\272512937d9e61a4.fb
c:\windows\system32\Cache\287204568329e189.fb
c:\windows\system32\Cache\28bc8f716fd76a47.fb
c:\windows\system32\Cache\2c53092c95605355.fb
c:\windows\system32\Cache\3917078cb68ec657.fb
c:\windows\system32\Cache\5375ad501dbabf08.fb
c:\windows\system32\Cache\590ba23ce359fd0c.fb
c:\windows\system32\Cache\610289e025a3ee9a.fb
c:\windows\system32\Cache\651c5d3cdbfb8bd1.fb
c:\windows\system32\Cache\6c59ac5e7e7a3ad0.fb
c:\windows\system32\Cache\a8556537add6dfc5.fb
c:\windows\system32\Cache\ad10a52aff5e038d.fb
c:\windows\system32\Cache\c4d28dca2e7648be.fb
c:\windows\system32\Cache\d201ef9910cd39de.fb
c:\windows\system32\Cache\d2e94710a5708128.fb
c:\windows\system32\Cache\d79b9dfe81484ec4.fb
c:\windows\system32\Cache\e0de16f883bea794.fb
c:\windows\system32\lsprst7.dll
c:\windows\system32\drivers\etc\lmhosts . . . . Failed to delete
.
.
((((((((((((((((((((((((( Files Created from 2012-03-16 to 2012-04-16 )))))))))))))))))))))))))))))))
.
.
2012-04-09 19:52 . 2012-04-09 21:15 -------- d-----w- c:\documents and settings\USER\Local Settings\Application Data\NPE
2012-04-09 19:52 . 2012-04-09 19:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2012-04-09 16:13 . 2012-04-09 16:19 -------- d-----w- C:\TDSSKiller_Quarantine
2012-04-09 15:47 . 2012-04-09 15:47 388096 ----a-r- c:\documents and settings\USER\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2012-04-09 15:47 . 2012-04-09 15:47 -------- d-----w- c:\program files\Trend Micro
2012-04-08 23:01 . 2012-04-08 23:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Sophos
2012-04-06 23:39 . 2012-04-06 23:40 -------- d-----w- c:\documents and settings\USER\Local Settings\Application Data\Google
2012-04-06 23:38 . 2012-04-06 23:39 -------- d-----w- c:\documents and settings\USER\Local Settings\Application Data\Deployment
2012-04-06 20:46 . 2012-04-06 20:46 -------- d-----w- c:\program files\Microsoft Silverlight
2012-04-05 19:21 . 2012-04-05 19:21 -------- d-----w- c:\documents and settings\USER\Application Data\Malwarebytes
2012-04-05 19:20 . 2012-04-05 19:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-04-05 19:20 . 2012-04-05 19:21 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-04-05 19:20 . 2011-12-10 20:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-04-04 14:49 . 2012-04-04 14:49 -------- d-----w- c:\documents and settings\USER\Application Data\HP
2012-04-04 14:48 . 2009-04-20 17:23 315904 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\hpfpp70w.dll
2012-04-04 14:48 . 2009-04-20 17:23 123904 ----a-w- c:\windows\system32\hpf3l70w.dll
2012-04-04 14:47 . 2008-04-14 05:15 15104 -c--a-w- c:\windows\system32\dllcache\usbscan.sys
2012-04-04 14:47 . 2008-04-14 05:15 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2012-04-04 14:47 . 2012-04-04 14:47 -------- d-----w- c:\program files\Common Files\HP
2012-04-04 14:47 . 2012-04-04 14:47 -------- d-----w- c:\program files\Common Files\Hewlett-Packard
2012-04-04 14:46 . 2012-04-04 14:46 -------- d-----w- c:\windows\hpoj4500g510a-f
2012-04-04 14:46 . 2009-08-17 18:34 372736 ----a-w- c:\windows\system32\hppldcoi.dll
2012-04-04 14:46 . 2009-08-17 18:27 966656 ----a-w- c:\windows\system32\hpwtiop6.dll
2012-04-04 14:46 . 2009-08-17 18:27 716288 ----a-w- c:\windows\system32\hpwwiax7.dll
2012-04-04 14:46 . 2009-08-17 18:34 309760 ----a-w- c:\windows\system32\difxapi.dll
2012-04-04 14:46 . 2009-08-17 18:27 315392 ----a-w- c:\windows\system32\hpwvst01.dll
2012-04-04 14:46 . 2009-08-17 18:34 21568 ----a-w- c:\windows\system32\drivers\HPZius12.sys
2012-04-04 14:46 . 2009-08-17 18:34 16496 ----a-w- c:\windows\system32\drivers\HPZipr12.sys
2012-04-04 14:46 . 2009-08-17 18:34 49920 ----a-w- c:\windows\system32\drivers\HPZid412.sys
2012-04-04 14:46 . 2009-08-17 18:26 452408 ----a-w- c:\windows\system32\hpzids01.dll
2012-04-04 14:46 . 2012-04-04 14:46 -------- dc----w- c:\windows\system32\DRVSTORE
2012-04-04 14:46 . 2012-04-04 14:46 -------- d-----w- c:\program files\HP
2012-04-02 19:20 . 2012-04-02 19:20 -------- d-----w- c:\windows\IswTmp
2012-04-02 10:36 . 2012-04-02 10:36 -------- d-----w- c:\documents and settings\USER\Local Settings\Application Data\GoTrusted.com
2012-04-02 10:36 . 2012-04-02 10:36 -------- d-----w- c:\program files\GoTrusted.com
2012-04-02 10:14 . 2012-04-02 10:14 24416 ----a-w- c:\windows\system32\drivers\regguard.sys
2012-04-02 10:08 . 2012-04-02 10:08 2 --shatr- c:\windows\winstart.bat
2012-04-02 10:08 . 2012-01-23 22:01 12800 ----a-w- c:\windows\system32\drivers\UnHackMeDrv.sys
2012-04-02 10:07 . 2012-04-02 10:09 -------- d-----w- c:\program files\UnHackMe
2012-03-29 15:23 . 2012-04-15 17:20 -------- d-----w- c:\documents and settings\Daily
2012-03-29 13:45 . 2012-03-29 13:45 -------- d-----w- c:\documents and settings\USER\Application Data\CheckPoint
2012-03-29 13:43 . 2012-03-29 13:45 -------- d-----w- c:\program files\CheckPoint
2012-03-29 13:42 . 2012-03-29 13:42 -------- d-----w- c:\documents and settings\All Users\Application Data\CheckPoint
2012-03-24 20:42 . 2012-03-24 20:42 -------- d-----w- c:\documents and settings\USER\Local Settings\Application Data\Mozilla
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-03-24 20:53 . 2012-01-31 01:04 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-03-09 04:37 . 2012-03-09 04:37 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-03-09 04:37 . 2012-01-31 01:03 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-02-03 09:22 . 2008-04-14 12:00 1860096 ----a-w- c:\windows\system32\win32k.sys
2012-01-25 18:00 . 2012-01-31 01:27 79360 ----a-w- c:\windows\system32\ff_vfw.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GoTrusted"="c:\program files\GoTrusted.com\GoTrusted Secure Tunnel v2.3.1.5\GoTrusted Secure Tunnel.exe" [2011-08-23 193096]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 57344]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
"ISW"="c:\program files\CheckPoint\ZAForceField\ForceField.exe" [2012-03-16 738944]
"ZoneAlarm"="c:\program files\CheckPoint\ZoneAlarm\zatray.exe" [2012-03-20 73360]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
.
c:\documents and settings\Daily\Start Menu\Programs\Startup\
OpenOffice.org 3.3.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [N/A]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Belkin Wireless G Desktop Card Client Utility.lnk - c:\program files\Belkin\F5D7000v7032\Belkinwcui.exe [2012-1-30 1560576]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\IBM\\SPSS\\Statistics\\19\\WinWrapIDE.exe"=
"c:\\Program Files\\IBM\\SPSS\\Statistics\\19\\stats.exe"=
"c:\\Program Files\\IBM\\SPSS\\Statistics\\19\\stats.com"=
"c:\\Program Files\\IBM\\SPSS\\Statistics\\19\\JRE\\bin\\javaw.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
.
R2 ISWKL;ZoneAlarm LTD Toolbar ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [3/16/2012 11:06 AM 27016]
R2 IswSvc;ZoneAlarm LTD Toolbar IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [3/16/2012 11:07 AM 497280]
R3 gttap1;GoTrusted TAP Adapter;c:\windows\system32\drivers\gttap1.sys [3/18/2008 4:23 PM 20480]
S3 Belkin700F;Belkin Wireless G Desktop Card Service v7;c:\windows\system32\drivers\BLKWGDv7.sys [1/30/2012 11:16 PM 303616]
S3 RegGuard;RegGuard;c:\windows\system32\drivers\regguard.sys [4/2/2012 5:14 AM 24416]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
2012-04-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-789336058-861567501-1644491937-1004Core.job
- c:\documents and settings\USER\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-04-06 23:39]
.
2012-04-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-789336058-861567501-1644491937-1004UA.job
- c:\documents and settings\USER\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-04-06 23:39]
.
2012-04-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-789336058-861567501-1644491937-1006Core.job
- c:\documents and settings\Daily\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-04-06 23:46]
.
2012-04-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-789336058-861567501-1644491937-1006UA.job
- c:\documents and settings\Daily\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-04-06 23:46]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
TCP: DhcpNameServer = 192.168.1.1
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - (no file)
SafeBoot-42532505.sys
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-04-16 11:33
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(672)
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
.
- - - - - - - > 'lsass.exe'(728)
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
.
- - - - - - - > 'explorer.exe'(2324)
c:\windows\system32\WININET.dll
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\wscntfy.exe
c:\windows\ALCXMNTR.EXE
.
**************************************************************************
.
Completion time: 2012-04-16 11:36:06 - machine was rebooted
ComboFix-quarantined-files.txt 2012-04-16 16:36
.
Pre-Run: 149,133,004,800 bytes free
Post-Run: 149,962,694,656 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - 10BAEFBA2EB8662F950E633F0BD2BB12

Results of screen317's Security Check version 0.99.32
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Disabled!
ZoneAlarm Firewall
ZoneAlarm Free
ZoneAlarm LTD Toolbar
ZoneAlarm Security
```````````````````````````````
Anti-malware/Other Utilities Check:

Java™ 6 Update 31
Adobe Flash Player 11.1.102.63
Adobe Reader X (10.1.2)
````````````````````````````````
Process Check:
objlist.exe by Laurent

CheckPoint ZoneAlarm vsmon.exe
CheckPoint ZoneAlarm zatray.exe
``````````End of Log````````````

#6 nasdaq
  • Malware Response Team
  • 38,764 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 16 April 2012 - 01:14 PM

Looking good. Any remaining issues?

#7 Skolnick
  • Topic Starter
  • Members
  • 4 posts

Posted 16 April 2012 - 01:28 PM

> Looking good. Any remaining issues?

I don't know, was there any malware to begin with that you saw?

#8 nasdaq
  • Malware Response Team
  • 38,764 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 16 April 2012 - 01:34 PM

Only what ComboFix removed.

Do not ask me what it was. I do not know.

#9 nasdaq
  • Malware Response Team
  • 38,764 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 22 April 2012 - 08:24 AM

Time for some housekeeping

The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following bold text into the Run box and click OK:

ComboFix /Uninstall
===

#10 nasdaq
  • Malware Response Team
  • 38,764 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 28 April 2012 - 08:28 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
