

Happili rootkit removal help


  • This topic is locked
18 replies to this topic

#1 boostdemon

boostdemon

  • Members
  • 7 posts
  • OFFLINE
  • Local time:03:49 PM

Posted 15 April 2012 - 11:07 AM

Been working on trying to remove the Happili redirect and I'm not having any luck. Tried Malwarebytes and that didn't do a bunch of anything. This PC currently has Norton/Symantec Endpoint Protection running (this is a work laptop).
Windows XP SP3

I followed the instructions in the prep guide here

Here are the logs from DDS and GMER:



.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by ad at 11:26:17 on 2012-04-15
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2909.552 [GMT -4:00]
.
.
============== Running Processes ===============
.
.
============== Pseudo HJT Report ===============
.
uInternet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
uInternet Settings,ProxyOverride = *.local
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\symantec\symantec endpoint protection\12.1.671.4971.105\bin\ips\IPSBHO.DLL
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil32_11_2_202_228_ActiveX.exe -update activex
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {071B764E-14E9-43F6-A031-4892D6D8F648} - hxxp://192.168.4.2/browserclient/BrowserClient.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_intel_4.4.24.0.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{2B3856EE-C122-4A12-B9E8-6C99DCE23624} : DhcpNameServer = 192.168.1.1
Notify: igfxcui - igfxdev.dll
Notify: PCANotify - PCANotify.dll
Notify: SEP - c:\program files\symantec\symantec endpoint protection\12.1.671.4971.105\bin\WinLogoutNotifier.dll
.
============= SERVICES / DRIVERS ===============
.
.
=============== Created Last 30 ================
.
2012-04-12 02:08:14 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-04-10 19:54:31 94128 ----a-w- c:\windows\system32\FwsVpn.dll
2012-04-10 19:54:31 32208 ----a-w- c:\windows\system32\drivers\WGX.SYS
2012-04-10 19:54:08 -------- d-----w- c:\windows\system32\drivers\sep\0c01029f\136b.105\x86
2012-04-10 19:54:08 -------- d-----w- c:\windows\system32\drivers\sep\0c01029f\136B.105
2012-04-10 19:54:08 -------- d-----w- c:\windows\system32\drivers\sep\0C01029F
2012-04-10 19:54:08 -------- d-----w- c:\windows\system32\drivers\SEP
2012-04-10 17:19:26 -------- d-sh--w- c:\documents and settings\adesjeunes\IECompatCache
2012-04-10 14:55:44 98816 ----a-w- c:\windows\sed.exe
2012-04-10 14:55:44 518144 ----a-w- c:\windows\SWREG.exe
2012-04-10 14:55:44 256000 ----a-w- c:\windows\PEV.exe
2012-04-10 14:55:44 208896 ----a-w- c:\windows\MBR.exe
2012-04-08 16:07:03 -------- d-----w- c:\documents and settings\adesjeunes\application data\Malwarebytes
2012-04-08 16:02:14 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2012-04-08 15:46:00 -------- d-----w- c:\windows\pss
.
==================== Find3M ====================
.
2012-04-12 02:08:14 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-04-10 19:55:12 60872 ----a-w- c:\windows\system32\S32EVNT1.DLL
2012-04-10 19:55:12 127096 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2012-04-10 19:54:31 240048 ----a-w- c:\windows\system32\SymVPN.dll
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: TOSHIBA_MK3255GSX rev.FG011M -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; MOV CX, 0x4; MOV BP, 0x7be; CMP BYTE [BP+0x0], 0x0; }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A9712C6
user & kernel MBR OK
.
============= FINISH: 11:32:32.78 ===============

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-04-15 11:48:03
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort0 TOSHIBA_MK3255GSX rev.FG011M
Running: gmer.exe; Driver: C:\DOCUME~1\ADESJE~1\LOCALS~1\Temp\ugldapog.sys


---- System - GMER 1.0.15 ----

SSDT 876C66E0 ZwAlertResumeThread
SSDT 876C67C0 ZwAlertThread
SSDT 87DAC5A0 ZwAllocateVirtualMemory
SSDT 87E0DAF0 ZwAssignProcessToJobObject
SSDT 87E36590 ZwConnectPort
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xA81E0980]
SSDT 87D1CA58 ZwCreateMutant
SSDT 87E0D910 ZwCreateSymbolicLinkObject
SSDT 87DC6520 ZwCreateThread
SSDT 87DF28A8 ZwDebugActiveProcess
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteKey [0xA81E0C00]
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xA81E0F10]
SSDT 87DC5630 ZwDuplicateObject
SSDT 87E1F200 ZwFreeVirtualMemory
SSDT 876C6520 ZwImpersonateAnonymousToken
SSDT 876C6600 ZwImpersonateThread
SSDT 87E36518 ZwLoadDriver
SSDT 87E1F120 ZwMapViewOfSection
SSDT 87D1C978 ZwOpenEvent
SSDT 87DAD510 ZwOpenProcess
SSDT 87DC5550 ZwOpenProcessToken
SSDT 87DF2AB0 ZwOpenSection
SSDT 87DAD420 ZwOpenThread
SSDT 87E0DA00 ZwProtectVirtualMemory
SSDT 877664C8 ZwResumeThread
SSDT 87768098 ZwSetContextThread
SSDT 87768178 ZwSetInformationProcess
SSDT 87DF2988 ZwSetSystemInformation
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xA81E1160]
SSDT 87D1C898 ZwSuspendProcess
SSDT 877665A8 ZwSuspendThread
SSDT 87DC6620 ZwTerminateProcess
SSDT 87766688 ZwTerminateThread
SSDT 87768008 ZwUnmapViewOfSection
SSDT 87DAC4B0 ZwWriteVirtualMemory

INT 0x01 \??\C:\DOCUME~1\ADESJE~1\LOCALS~1\Temp\mbr.sys BA419C42

---- Kernel code sections - GMER 1.0.15 ----

? SYMDS.SYS The system cannot find the file specified. !
? SYMEFA.SYS The system cannot find the file specified. !
? C:\DOCUME~1\ADESJE~1\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[1744] kernel32.dll!WriteFile 7C810E27 5 Bytes JMP 0096000C
.text C:\WINDOWS\System32\svchost.exe[1744] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 018A000A
.text C:\WINDOWS\System32\svchost.exe[1744] USER32.dll!WindowFromPoint 7E429766 5 Bytes JMP 018B000A
.text C:\WINDOWS\System32\svchost.exe[1744] USER32.dll!GetForegroundWindow 7E429823 5 Bytes JMP 018C000A
.text C:\WINDOWS\System32\svchost.exe[1744] ole32.dll!CoCreateInstance 774FF1BC 5 Bytes JMP 00E3000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3908] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2154D5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3908] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9AE9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3908] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD125 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3908] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB5C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3908] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E25467E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3908] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E53C7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3908] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E52F9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3908] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E5364 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3908] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E51CA C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3908] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E522C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3908] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E542A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3908] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E528E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3908] ole32.dll!CoCreateInstance 774FF1BC 5 Bytes JMP 3E2EDBB8 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3908] ole32.dll!OleLoadFromStream 7752983B 5 Bytes JMP 3E3E572F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4372] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2154D5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4372] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB5C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4372] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E53C7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4372] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E52F9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4372] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E5364 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4372] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E51CA C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4372] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E522C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4372] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E542A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4372] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E528E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 8A9712C6
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP0T0L0-3 8A9712C6
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 8A9712C6
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort2 8A9712C6
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort3 8A9712C6
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T0L0-e 8A9712C6

AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 TDL4@MBR code has been found <-- ROOTKIT !!!
Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\NetworkService\Cookies\6DMF6HIL.txt 0 bytes
File C:\Documents and Settings\NetworkService\Cookies\X7J1DIER.txt 0 bytes

---- EOF - GMER 1.0.15 ----
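An added example, not part of this thread and not a GMER or BleepingComputer tool: a small Python triage script for the GMER log format posted above. It assumes the line shapes seen in this 1.0.15 log (section headers, `SSDT`, `.text ... JMP`, `Device ... ->` and `Disk` lines), and its sample input is a constructed subset of the lines from the post. It separates GMER's own disk-sector verdict (the `TDL4@MBR` line) from hooks GMER could attribute to a named module (here Symantec's SYMEVENT.SYS and IE's IEFRAME.dll) and from hooks it could only report as a bare address, which are the entries a responder should look at first. The severity labels are this script's own, not GMER's.

```python
"""Triage helper for GMER rootkit-scan logs.

Added example for this thread; not a GMER or BleepingComputer tool.
Parses the line shapes of the GMER 1.0.15 log posted above and ranks
each entry by how much of it GMER could attribute to a named module.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Line formats are assumed from the posted log, not from GMER documentation.
SECTION_RE = re.compile(r"^---- (.+?) - GMER [\d.]+ ----$")
SSDT_RE = re.compile(r"^SSDT\s+(?P<where>.+?)\s+(?P<func>Zw\w+)(?:\s+\[0x[0-9A-Fa-f]+\])?$")
INLINE_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+(?P<dll>\S+)!(?P<func>\S+)\s+"
    r"(?P<addr>[0-9A-Fa-f]+)\s+(?P<n>\d+)\s+Bytes\s+JMP\s+(?P<target>[0-9A-Fa-f]+)"
    r"(?:\s+(?P<module>.+))?$"
)
DEVICE_RE = re.compile(
    r"^Device\s+(?P<driver>\S+)\s+->\s+(?P<routine>\S+)\s+(?P<dev>\S+)\s+(?P<target>[0-9A-Fa-f]{8})$"
)
BARE_ADDR_RE = re.compile(r"^[0-9A-Fa-f]{8}$")
SEVERITY_ORDER = ("critical", "high", "review", "info")  # this script's own ranking


@dataclass(frozen=True)
class Finding:
    section: str
    severity: str  # one of SEVERITY_ORDER
    what: str
    line: str


def triage(log_text: str) -> list[Finding]:
    """Walk a GMER log and return one Finding per hook or disk verdict."""
    findings: list[Finding] = []
    section = "?"
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if section == "Disk sectors" and line.startswith("Disk "):
            # GMER's own MBR verdict is the highest-confidence line in the log.
            sev = "critical" if ("ROOTKIT" in line or "rootkit-like" in line) else "info"
            findings.append(Finding(section, sev, "disk sector verdict", line))
            continue
        m = SSDT_RE.match(line)
        if m:
            where, func = m.group("where"), m.group("func")
            if BARE_ADDR_RE.match(where):
                # Hook target not inside any module GMER could name: needs a human look.
                findings.append(Finding(section, "review", f"SSDT {func} -> bare address {where}", line))
            else:
                module = where.split(" (")[0]  # drop the "(description/vendor)" suffix
                findings.append(Finding(section, "info", f"SSDT {func} -> {module}", line))
            continue
        m = INLINE_RE.match(line)
        if m:
            api = f"{m.group('dll')}!{m.group('func')}"
            if m.group("module"):
                module = m.group("module").split(" (")[0]
                findings.append(Finding(section, "info", f"{api} JMP into {module}", line))
            else:
                where = f"{m.group('proc')}[{m.group('pid')}]"
                findings.append(Finding(section, "review", f"{api} JMP to unattributed {m.group('target')} in {where}", line))
            continue
        m = DEVICE_RE.match(line)
        if m:
            # A driver dispatch pointer shown only as an address, with no owning module,
            # is the same shape the MBR detector above lists under "detected hooks".
            what = f"{m.group('driver')} {m.group('routine')} -> {m.group('target')}"
            findings.append(Finding(section, "high", what, line))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


def highest(findings: list[Finding]) -> str | None:
    """Most serious severity present, or None for an empty log."""
    present = {f.severity for f in findings}
    return next((s for s in SEVERITY_ORDER if s in present), None)


# Constructed sample: a subset of the lines from the GMER log in post #1.
SAMPLE_LOG = r"""
---- System - GMER 1.0.15 ----

SSDT 87DAC5A0 ZwAllocateVirtualMemory
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xA81E0980]
SSDT 87E36518 ZwLoadDriver

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[1744] kernel32.dll!WriteFile 7C810E27 5 Bytes JMP 0096000C
.text C:\Program Files\Internet Explorer\iexplore.exe[3908] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2154D5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 8A9712C6

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 TDL4@MBR code has been found <-- ROOTKIT !!!
Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior

---- EOF - GMER 1.0.15 ----
"""

if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in sorted(found, key=lambda f: SEVERITY_ORDER.index(f.severity)):
        print(f"[{f.severity:8}] {f.section}: {f.what}")
    print("summary:", summarize(found), "worst:", highest(found))
```

Run against the sample, the script ranks the two disk-sector lines as critical, the atapi `DriverStartIo` pointer as high, the two bare-address SSDT entries and the `svchost.exe` `WriteFile` jump as review, and the two module-attributed hooks as info. `AttachedDevice` lines, `INT`, `?` kernel-section lines and the `Files` section are deliberately ignored; extend the regexes if a log from another GMER version uses different shapes.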



#2 boostdemon

boostdemon
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:03:49 PM

Posted 15 April 2012 - 11:37 AM

Sorry, forgot to mention: WinXP 32-bit.

#3 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:04:49 PM

Posted 16 April 2012 - 02:49 AM

Hello and Welcome to Bleeping Computer!!

My name is Gringo and I'll be glad to help you with your computer problems.

I have put together some things for you to keep in mind while I am helping you, to make things go easier and faster for both of us:

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the Watch Topic Button, select Immediate Notification, and click on Proceed. This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Back up any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartache if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

Security Check

  • Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.



Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this, you can find out >here< or >here<.

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#4 boostdemon

boostdemon
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:03:49 PM

Posted 16 April 2012 - 07:56 AM

Running Combofix. Here's the security log:

Results of screen317's Security Check version 0.99.32
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Security Center service is not running! This report may not be accurate!
Windows Firewall Disabled!
Symantec Endpoint Protection
Antivirus up to date!
```````````````````````````````
Anti-malware/Other Utilities Check:

Adobe Reader X 10.0.1 Adobe Reader out of Date!
````````````````````````````````
Process Check:
objlist.exe by Laurent

Norton ccSvcHst.exe
``````````End of Log````````````

#5 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:04:49 PM

Posted 16 April 2012 - 12:02 PM

Let me have the report when complete.


gringo

#6 boostdemon

boostdemon
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:03:49 PM

Posted 16 April 2012 - 03:33 PM

Combofix finished. Here's the report:

ComboFix 12-04-16.01 - adesjeunes 04/16/2012 9:04.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2909.1331 [GMT -4:00]
Running from: c:\documents and settings\adesjeunes\Desktop\virus removal\ComboFix.exe
AV: Symantec Endpoint Protection *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *Disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\awgina.dll
.
.
((((((((((((((((((((((((( Files Created from 2012-03-16 to 2012-04-16 )))))))))))))))))))))))))))))))
.
.
2012-04-12 02:08 . 2012-04-12 02:10 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2012-04-12 02:08 . 2012-04-12 02:08 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-04-10 19:54 . 2012-04-10 19:54 94128 ----a-w- c:\windows\system32\FwsVpn.dll
2012-04-10 19:54 . 2012-04-10 19:54 32208 ----a-w- c:\windows\system32\drivers\WGX.SYS
2012-04-10 19:54 . 2012-04-10 19:54 -------- d-----w- c:\windows\system32\drivers\SEP
2012-04-10 17:55 . 2012-04-10 17:55 -------- d-----w- c:\documents and settings\informationsystems\Application Data\Malwarebytes
2012-04-10 17:19 . 2012-04-10 17:19 -------- d-sh--w- c:\documents and settings\adesjeunes\IECompatCache
2012-04-10 14:36 . 2012-04-10 14:36 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Symantec
2012-04-09 17:54 . 2012-04-09 17:54 -------- d-----w- c:\documents and settings\administrator.PIW-DC
2012-04-09 17:46 . 2012-04-09 17:46 -------- d-----w- c:\documents and settings\informationsystems\Application Data\Apple Computer
2012-04-08 16:07 . 2012-04-08 16:07 -------- d-----w- c:\documents and settings\adesjeunes\Application Data\Malwarebytes
2012-04-08 16:02 . 2012-04-08 16:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-03-22 13:51 . 2012-03-22 13:51 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-12 02:08 . 2011-08-02 15:37 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-04-10 19:55 . 2010-03-24 17:43 60872 ----a-w- c:\windows\system32\S32EVNT1.DLL
2012-04-10 19:55 . 2010-03-24 17:43 127096 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2012-04-10 19:54 . 2010-01-14 16:35 240048 ----a-w- c:\windows\system32\SymVPN.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
2001-11-02 15:50 24636 ----a-w- c:\windows\system32\PCANotify.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Symantec\\pcAnywhere\\winaw32.exe"=
"c:\\Program Files\\Symantec\\pcAnywhere\\awhost32.exe"=
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\SEP\0C01029F\136B.105\x86\SymDS.sys [5/2/2011 9:18 PM 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\SEP\0C01029F\136B.105\x86\SymEFA.sys [5/17/2011 10:32 PM 756856]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Data\Definitions\BASHDefs\20120402.011\BHDrvx86.sys [4/2/2012 11:42 PM 821880]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\SEP\0C01029F\136B.105\x86\Ironx86.sys [5/10/2011 10:54 PM 136312]
R2 SepMasterService;Symantec Endpoint Protection;c:\program files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\ccSvcHst.exe [6/14/2011 6:31 PM 137224]
R3 CnxtHdAudAddService;Microsoft UAA Function Driver for High Definition Audio Service;c:\windows\system32\drivers\CHDAud.sys [1/31/2008 8:18 PM 732160]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [4/10/2012 10:46 AM 106104]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Data\Definitions\IPSDefs\20120413.001\IDSXpx86.sys [4/15/2012 12:45 PM 356280]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [10/16/2011 8:32 PM 136176]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [4/11/2012 10:08 PM 253600]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [5/11/2010 10:44 AM 1684736]
S3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [12/18/2009 11:58 AM 11336]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [10/16/2011 8:32 PM 136176]
S3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [3/22/2011 2:39 PM 109568]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [3/21/2011 11:03 AM 187392]
S3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [3/24/2010 1:11 PM 992256]
.
Contents of the 'Scheduled Tasks' folder
.
2012-04-16 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-12 02:08]
.
2012-04-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
.
2012-04-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-10-17 00:32]
.
2012-04-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-10-17 00:32]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
uInternet Settings,ProxyOverride = *.local
DPF: {071B764E-14E9-43F6-A031-4892D6D8F648} - hxxp://192.168.4.2/browserclient/BrowserClient.cab
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
Notify-SEP - c:\program files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\WinLogoutNotifier.dll
SafeBoot-ccEvtMgr
SafeBoot-ccSetMgr
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-04-16 16:13
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: TOSHIBA_MK3255GSX rev.FG011M -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A74D2C6
user & kernel MBR OK
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SepMasterService]
"ImagePath"="\"c:\program files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\ccSvcHst.exe\" /s \"Symantec Endpoint Protection\" /m \"c:\program files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\sms.dll\" /prefetch:1"
--
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SmcService]
"ImagePath"="\"c:\program files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\Smc.exe\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Symantec\Symantec Endpoint Protection\CurrentVersion]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,4f,00,46,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1328)
c:\windows\system32\WININET.dll
.
- - - - - - - > 'lsass.exe'(1404)
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(5424)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Symantec\pcAnywhere\awhost32.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\Smc.exe
.
**************************************************************************
.
Completion time: 2012-04-16 16:16:44 - machine was rebooted
ComboFix-quarantined-files.txt 2012-04-16 20:16
ComboFix2.txt 2012-04-10 15:13
.
Pre-Run: 245,132,345,344 bytes free
Post-Run: 245,362,413,568 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - D6707659B191E751ED971CABEC0DCB1E

#7 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:04:49 PM

Posted 16 April 2012 - 08:59 PM

Greetings

I want you to run these next:

TDSSKiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please download aswMBR to your desktop.
  • Double click the aswMBR.exe icon to run it
  • It will ask to download extra definitions - ALLOW IT.
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

If you have any problems running either one, come back and let me know.

Please reply with the reports from TDSSKiller and aswMBR.

Gringo

#8 boostdemon

boostdemon
  • Topic Starter

  • Members
  • 7 posts
  • Local time:03:49 PM

Posted 18 April 2012 - 10:04 PM

TDSSKiller Report:

22:16:18.0203 5876 TDSS rootkit removing tool 2.7.29.0 Apr 18 2012 16:44:20
22:16:18.0500 5876 ============================================================
22:16:18.0500 5876 Current date / time: 2012/04/18 22:16:18.0500
22:16:18.0500 5876 SystemInfo:
22:16:18.0500 5876
22:16:18.0500 5876 OS Version: 5.1.2600 ServicePack: 3.0
22:16:18.0500 5876 Product type: Workstation
22:16:18.0500 5876 ComputerName: PIWXP406L
22:16:18.0500 5876 UserName: adesjeunes
22:16:18.0500 5876 Windows directory: C:\WINDOWS
22:16:18.0500 5876 System windows directory: C:\WINDOWS
22:16:18.0500 5876 Processor architecture: Intel x86
22:16:18.0500 5876 Number of processors: 2
22:16:18.0500 5876 Page size: 0x1000
22:16:18.0500 5876 Boot type: Normal boot
22:16:18.0500 5876 ============================================================
22:16:20.0875 5876 Drive \Device\Harddisk0\DR0 - Size: 0x4A85D56000 (298.09 Gb), SectorSize: 0x200, Cylinders: 0x9801, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
22:16:20.0875 5876 \Device\Harddisk0\DR0:
22:16:20.0875 5876 MBR partitions:
22:16:20.0875 5876 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x800, BlocksNum 0x2542D800
22:16:21.0140 5876 C: <-> \Device\Harddisk0\DR0\Partition0
22:16:21.0140 5876 Initialize success
22:16:21.0140 5876 ============================================================
22:16:23.0031 6132 ============================================================
22:16:23.0031 6132 Scan started
22:16:23.0031 6132 Mode: Manual;
22:16:23.0031 6132 ============================================================
22:16:23.0890 6132 Abiosdsk - ok
22:16:23.0906 6132 abp480n5 - ok
22:16:23.0968 6132 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
22:16:23.0968 6132 ACPI - ok
22:16:23.0984 6132 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
22:16:23.0984 6132 ACPIEC - ok
22:16:24.0062 6132 AdobeFlashPlayerUpdateSvc (0d4c486a24a711a45fd83acdf4d18506) C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
22:16:24.0062 6132 AdobeFlashPlayerUpdateSvc - ok
22:16:24.0078 6132 adpu160m - ok
22:16:24.0109 6132 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
22:16:24.0109 6132 aec - ok
22:16:24.0156 6132 AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys
22:16:24.0156 6132 AFD - ok
22:16:24.0281 6132 Aha154x - ok
22:16:24.0281 6132 aic78u2 - ok
22:16:24.0296 6132 aic78xx - ok
22:16:24.0328 6132 Alerter (a9a3daa780ca6c9671a19d52456705b4) C:\WINDOWS\system32\alrsvc.dll
22:16:24.0328 6132 Alerter - ok
22:16:24.0343 6132 ALG (8c515081584a38aa007909cd02020b3d) C:\WINDOWS\System32\alg.exe
22:16:24.0343 6132 ALG - ok
22:16:24.0343 6132 AliIde - ok
22:16:24.0421 6132 Ambfilt (f6af59d6eee5e1c304f7f73706ad11d8) C:\WINDOWS\system32\drivers\Ambfilt.sys
22:16:24.0453 6132 Ambfilt - ok
22:16:24.0531 6132 amsint - ok
22:16:24.0578 6132 AppMgmt (d8849f77c0b66226335a59d26cb4edc6) C:\WINDOWS\System32\appmgmts.dll
22:16:24.0593 6132 AppMgmt - ok
22:16:24.0625 6132 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
22:16:24.0625 6132 Arp1394 - ok
22:16:24.0640 6132 asc - ok
22:16:24.0640 6132 asc3350p - ok
22:16:24.0656 6132 asc3550 - ok
22:16:24.0718 6132 aspnet_state (a986fcfdac587e68478db51547b90800) C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe
22:16:24.0734 6132 aspnet_state - ok
22:16:24.0812 6132 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
22:16:24.0812 6132 AsyncMac - ok
22:16:24.0875 6132 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
22:16:24.0875 6132 atapi - ok
22:16:24.0875 6132 Atdisk - ok
22:16:24.0906 6132 AtiHdmiService (d9bc8892b9440a2551b8148c57aa039e) C:\WINDOWS\system32\drivers\AtiHdmi.sys
22:16:24.0921 6132 AtiHdmiService - ok
22:16:24.0953 6132 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
22:16:24.0968 6132 Atmarpc - ok
22:16:25.0015 6132 AudioSrv (def7a7882bec100fe0b2ce2549188f9d) C:\WINDOWS\System32\audiosrv.dll
22:16:25.0015 6132 AudioSrv - ok
22:16:25.0109 6132 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
22:16:25.0109 6132 audstub - ok
22:16:25.0234 6132 awhost32 (967fc210a533a49993fd5ac147fa0f8f) C:\Program Files\Symantec\pcAnywhere\awhost32.exe
22:16:25.0234 6132 awhost32 - ok
22:16:25.0296 6132 awlegacy (f7e75c620a04963c9a53c3b47da80405) C:\WINDOWS\System32\Drivers\awlegacy.sys
22:16:25.0296 6132 awlegacy - ok
22:16:25.0390 6132 AW_HOST (e3f3b6875d2ead9c03d04fe66dcd84c8) C:\WINDOWS\system32\drivers\aw_host5.sys
22:16:25.0406 6132 AW_HOST - ok
22:16:25.0453 6132 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
22:16:25.0453 6132 Beep - ok
22:16:25.0843 6132 BHDrvx86 (a503d32ae26f77cb942aed530112edaa) C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Data\Definitions\BASHDefs\20120402.011\BHDrvx86.sys
22:16:25.0968 6132 BHDrvx86 - ok
22:16:26.0187 6132 BITS (574738f61fca2935f5265dc4e5691314) C:\WINDOWS\system32\qmgr.dll
22:16:26.0234 6132 BITS - ok
22:16:26.0281 6132 Browser (a06ce3399d16db864f55faeb1f1927a9) C:\WINDOWS\System32\browser.dll
22:16:26.0296 6132 Browser - ok
22:16:26.0312 6132 catchme - ok
22:16:26.0406 6132 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
22:16:26.0421 6132 cbidf2k - ok
22:16:26.0453 6132 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
22:16:26.0453 6132 CCDECODE - ok
22:16:26.0468 6132 cd20xrnt - ok
22:16:26.0484 6132 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
22:16:26.0484 6132 Cdaudio - ok
22:16:26.0609 6132 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
22:16:26.0609 6132 Cdfs - ok
22:16:26.0671 6132 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
22:16:26.0671 6132 Cdrom - ok
22:16:26.0671 6132 Changer - ok
22:16:26.0718 6132 CiSvc (1cfe720eb8d93a7158a4ebc3ab178bde) C:\WINDOWS\system32\cisvc.exe
22:16:26.0718 6132 CiSvc - ok
22:16:26.0734 6132 ClipSrv (34cbe729f38138217f9c80212a2a0c82) C:\WINDOWS\system32\clipsrv.exe
22:16:26.0750 6132 ClipSrv - ok
22:16:26.0875 6132 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
22:16:26.0875 6132 CmBatt - ok
22:16:26.0875 6132 CmdIde - ok
22:16:26.0953 6132 CnxtHdAudAddService (2d783d33cd64ddbb2171ecfa56249c50) C:\WINDOWS\system32\drivers\CHDAud.sys
22:16:26.0953 6132 CnxtHdAudAddService - ok
22:16:27.0000 6132 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
22:16:27.0000 6132 Compbatt - ok
22:16:27.0078 6132 COMSysApp - ok
22:16:27.0093 6132 Cpqarray - ok
22:16:27.0187 6132 cpudrv (d01f685f8b4598d144b0cce9ff95d8d5) C:\Program Files\SystemRequirementsLab\cpudrv.sys
22:16:27.0187 6132 cpudrv - ok
22:16:27.0234 6132 CryptSvc (3d4e199942e29207970e04315d02ad3b) C:\WINDOWS\System32\cryptsvc.dll
22:16:27.0234 6132 CryptSvc - ok
22:16:27.0250 6132 dac2w2k - ok
22:16:27.0359 6132 dac960nt - ok
22:16:27.0421 6132 DcomLaunch (6b27a5c03dfb94b4245739065431322c) C:\WINDOWS\system32\rpcss.dll
22:16:27.0421 6132 DcomLaunch - ok
22:16:27.0468 6132 Dhcp (5e38d7684a49cacfb752b046357e0589) C:\WINDOWS\System32\dhcpcsvc.dll
22:16:27.0468 6132 Dhcp - ok
22:16:27.0515 6132 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
22:16:27.0515 6132 Disk - ok
22:16:27.0609 6132 dmadmin - ok
22:16:27.0671 6132 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
22:16:27.0703 6132 dmboot - ok
22:16:27.0718 6132 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
22:16:27.0734 6132 dmio - ok
22:16:27.0843 6132 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
22:16:27.0843 6132 dmload - ok
22:16:27.0875 6132 dmserver (57edec2e5f59f0335e92f35184bc8631) C:\WINDOWS\System32\dmserver.dll
22:16:27.0875 6132 dmserver - ok
22:16:27.0890 6132 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
22:16:27.0890 6132 DMusic - ok
22:16:27.0937 6132 Dnscache (5f7e24fa9eab896051ffb87f840730d2) C:\WINDOWS\System32\dnsrslvr.dll
22:16:27.0937 6132 Dnscache - ok
22:16:27.0968 6132 Dot3svc (0f0f6e687e5e15579ef4da8dd6945814) C:\WINDOWS\System32\dot3svc.dll
22:16:27.0984 6132 Dot3svc - ok
22:16:28.0000 6132 dpti2o - ok
22:16:28.0000 6132 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
22:16:28.0000 6132 drmkaud - ok
22:16:28.0031 6132 EapHost (2187855a7703adef0cef9ee4285182cc) C:\WINDOWS\System32\eapsvc.dll
22:16:28.0046 6132 EapHost - ok
22:16:28.0156 6132 eeCtrl (579a6b6135d32b857faf0e3a974535d8) C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
22:16:28.0156 6132 eeCtrl - ok
22:16:28.0203 6132 EraserUtilRebootDrv (028d50f059bd0d2ccb209e9011b9a9a4) C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
22:16:28.0203 6132 EraserUtilRebootDrv - ok
22:16:28.0328 6132 ERSvc (bc93b4a066477954555966d77fec9ecb) C:\WINDOWS\System32\ersvc.dll
22:16:28.0328 6132 ERSvc - ok
22:16:28.0390 6132 Eventlog (65df52f5b8b6e9bbd183505225c37315) C:\WINDOWS\system32\services.exe
22:16:28.0390 6132 Eventlog - ok
22:16:28.0437 6132 EventSystem (d4991d98f2db73c60d042f1aef79efae) C:\WINDOWS\system32\es.dll
22:16:28.0453 6132 EventSystem - ok
22:16:28.0484 6132 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
22:16:28.0578 6132 Fastfat - ok
22:16:28.0703 6132 FastUserSwitchingCompatibility (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll
22:16:28.0703 6132 FastUserSwitchingCompatibility - ok
22:16:28.0750 6132 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
22:16:28.0750 6132 Fdc - ok
22:16:28.0750 6132 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
22:16:28.0765 6132 Fips - ok
22:16:28.0765 6132 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
22:16:28.0796 6132 Flpydisk - ok
22:16:28.0828 6132 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
22:16:28.0828 6132 FltMgr - ok
22:16:28.0828 6132 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
22:16:28.0828 6132 Fs_Rec - ok
22:16:28.0921 6132 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
22:16:28.0921 6132 Ftdisk - ok
22:16:28.0937 6132 Gernuwa (ba294768509fa03fcfe766962dee3cad) C:\WINDOWS\system32\drivers\Gernuwa.sys
22:16:28.0937 6132 Gernuwa - ok
22:16:28.0968 6132 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
22:16:28.0968 6132 Gpc - ok
22:16:29.0093 6132 gupdate (f02a533f517eb38333cb12a9e8963773) C:\Program Files\Google\Update\GoogleUpdate.exe
22:16:29.0109 6132 gupdate - ok
22:16:29.0109 6132 gupdatem (f02a533f517eb38333cb12a9e8963773) C:\Program Files\Google\Update\GoogleUpdate.exe
22:16:29.0109 6132 gupdatem - ok
22:16:29.0156 6132 gusvc (cc839e8d766cc31a7710c9f38cf3e375) C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
22:16:29.0171 6132 gusvc - ok
22:16:29.0281 6132 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
22:16:29.0296 6132 HDAudBus - ok
22:16:29.0375 6132 helpsvc (4fcca060dfe0c51a09dd5c3843888bcd) C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll
22:16:29.0375 6132 helpsvc - ok
22:16:29.0406 6132 HidServ (deb04da35cc871b6d309b77e1443c796) C:\WINDOWS\System32\hidserv.dll
22:16:29.0421 6132 HidServ - ok
22:16:29.0437 6132 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
22:16:29.0453 6132 hidusb - ok
22:16:29.0515 6132 hkmsvc (8878bd685e490239777bfe51320b88e9) C:\WINDOWS\System32\kmsvc.dll
22:16:29.0515 6132 hkmsvc - ok
22:16:29.0625 6132 hpn - ok
22:16:29.0703 6132 HSFHWAZL (290cdbb05903742ea06b7203c5a662f5) C:\WINDOWS\system32\DRIVERS\HSFHWAZL.sys
22:16:29.0703 6132 HSFHWAZL - ok
22:16:29.0750 6132 HSFHWBS2 (ac04fc91b57b27086ccf02086fd3f4cb) C:\WINDOWS\system32\DRIVERS\HSFHWBS2.sys
22:16:29.0750 6132 HSFHWBS2 - ok
22:16:29.0859 6132 HSF_DPV (7ab812355f98858b9ecdd46e6fcc221f) C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys
22:16:29.0875 6132 HSF_DPV - ok
22:16:29.0937 6132 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
22:16:29.0937 6132 HTTP - ok
22:16:30.0093 6132 HTTPFilter (6100a808600f44d999cebdef8841c7a3) C:\WINDOWS\System32\w3ssl.dll
22:16:30.0093 6132 HTTPFilter - ok
22:16:30.0109 6132 i2omgmt - ok
22:16:30.0109 6132 i2omp - ok
22:16:30.0156 6132 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
22:16:30.0171 6132 i8042prt - ok
22:16:30.0390 6132 ialm (66a685b05066683621920bc14a45cfe8) C:\WINDOWS\system32\DRIVERS\igxpmp32.sys
22:16:30.0593 6132 ialm - ok
22:16:30.0718 6132 IDriverT (6f95324909b502e2651442c1548ab12f) C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
22:16:30.0734 6132 IDriverT - ok
22:16:31.0000 6132 IDSxpx86 (cfbc1ce72e5353d428704659199147b1) C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Data\Definitions\IPSDefs\20120416.001\IDSxpx86.sys
22:16:31.0000 6132 IDSxpx86 - ok
22:16:31.0125 6132 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
22:16:31.0125 6132 Imapi - ok
22:16:31.0171 6132 ImapiService (30deaf54a9755bb8546168cfe8a6b5e1) C:\WINDOWS\system32\imapi.exe
22:16:31.0187 6132 ImapiService - ok
22:16:31.0187 6132 ini910u - ok
22:16:31.0390 6132 IntcAzAudAddService (553fee1d64acb826a30563dbacc73fa5) C:\WINDOWS\system32\drivers\RtkHDAud.sys
22:16:31.0609 6132 IntcAzAudAddService - ok
22:16:31.0750 6132 IntcHdmiAddService (f32a62c765885bd8e4352a1565f702a6) C:\WINDOWS\system32\drivers\IntcHdmi.sys
22:16:31.0750 6132 IntcHdmiAddService - ok
22:16:31.0750 6132 IntelIde - ok
22:16:31.0796 6132 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
22:16:31.0796 6132 intelppm - ok
22:16:31.0828 6132 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
22:16:31.0828 6132 Ip6Fw - ok
22:16:31.0875 6132 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
22:16:31.0875 6132 IpFilterDriver - ok
22:16:31.0890 6132 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
22:16:31.0890 6132 IpInIp - ok
22:16:31.0921 6132 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
22:16:31.0921 6132 IpNat - ok
22:16:31.0968 6132 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
22:16:31.0968 6132 IPSec - ok
22:16:31.0968 6132 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
22:16:31.0968 6132 IRENUM - ok
22:16:32.0000 6132 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
22:16:32.0015 6132 isapnp - ok
22:16:32.0109 6132 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
22:16:32.0109 6132 Kbdclass - ok
22:16:32.0156 6132 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
22:16:32.0156 6132 kbdhid - ok
22:16:32.0203 6132 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
22:16:32.0203 6132 kmixer - ok
22:16:32.0218 6132 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
22:16:32.0218 6132 KSecDD - ok
22:16:32.0250 6132 LanmanServer (3a7c3cbe5d96b8ae96ce81f0b22fb527) C:\WINDOWS\System32\srvsvc.dll
22:16:32.0250 6132 LanmanServer - ok
22:16:32.0312 6132 lanmanworkstation (a8888a5327621856c0cec4e385f69309) C:\WINDOWS\System32\wkssvc.dll
22:16:32.0312 6132 lanmanworkstation - ok
22:16:32.0406 6132 lbrtfdc - ok
22:16:32.0640 6132 LiveUpdate (8098bb044fa73ff8f9eb3ac5128d3b11) C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
22:16:32.0734 6132 LiveUpdate - ok
22:16:32.0859 6132 LmHosts (a7db739ae99a796d91580147e919cc59) C:\WINDOWS\System32\lmhsvc.dll
22:16:32.0859 6132 LmHosts - ok
22:16:32.0953 6132 MDM (11f714f85530a2bd134074dc30e99fca) C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
22:16:32.0953 6132 MDM - ok
22:16:33.0000 6132 mdmxsdk (0cea2d0d3fa284b85ed5b68365114f76) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
22:16:33.0000 6132 mdmxsdk - ok
22:16:33.0046 6132 Messenger (986b1ff5814366d71e0ac5755c88f2d3) C:\WINDOWS\System32\msgsvc.dll
22:16:33.0062 6132 Messenger - ok
22:16:33.0187 6132 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
22:16:33.0187 6132 mnmdd - ok
22:16:33.0234 6132 mnmsrvc (d18f1f0c101d06a1c1adf26eed16fcdd) C:\WINDOWS\system32\mnmsrvc.exe
22:16:33.0250 6132 mnmsrvc - ok
22:16:33.0265 6132 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
22:16:33.0265 6132 Modem - ok
22:16:33.0343 6132 monfilt (9fa7207d1b1adead88ae8eed9cdbbaa5) C:\WINDOWS\system32\drivers\monfilt.sys
22:16:33.0390 6132 monfilt - ok
22:16:33.0546 6132 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
22:16:33.0562 6132 Mouclass - ok
22:16:33.0609 6132 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
22:16:33.0609 6132 mouhid - ok
22:16:33.0906 6132 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
22:16:33.0906 6132 MountMgr - ok
22:16:34.0000 6132 mraid35x - ok
22:16:34.0046 6132 MRxDAV (e3f17e1ea5256709d4e97ef0da04b3c9) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
22:16:34.0046 6132 MRxDAV - ok
22:16:34.0109 6132 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
22:16:34.0109 6132 MRxSmb - ok
22:16:34.0140 6132 MSDTC (a137f1470499a205abbb9aafb3b6f2b1) C:\WINDOWS\system32\msdtc.exe
22:16:34.0156 6132 MSDTC - ok
22:16:34.0156 6132 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
22:16:34.0156 6132 Msfs - ok
22:16:34.0171 6132 MSIServer - ok
22:16:34.0203 6132 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
22:16:34.0203 6132 MSKSSRV - ok
22:16:34.0218 6132 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
22:16:34.0218 6132 MSPCLOCK - ok
22:16:34.0328 6132 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
22:16:34.0328 6132 MSPQM - ok
22:16:34.0359 6132 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
22:16:34.0359 6132 mssmbios - ok
22:16:34.0390 6132 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
22:16:34.0390 6132 MSTEE - ok
22:16:34.0437 6132 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
22:16:34.0437 6132 Mup - ok
22:16:34.0453 6132 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
22:16:34.0468 6132 NABTSFEC - ok
22:16:34.0578 6132 napagent (0102140028fad045756796e1c685d695) C:\WINDOWS\System32\qagentrt.dll
22:16:34.0593 6132 napagent - ok
22:16:34.0875 6132 NAVENG (862f55824ac81295837b0ab63f91071f) C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Data\Definitions\VirusDefs\20120416.018\NAVENG.SYS
22:16:34.0875 6132 NAVENG - ok
22:16:34.0937 6132 NAVEX15 (529d571b551cb9da44237389b936f1ae) C:\Documents and Settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Data\Definitions\VirusDefs\20120416.018\NAVEX15.SYS
22:16:34.0953 6132 NAVEX15 - ok
22:16:35.0078 6132 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
22:16:35.0078 6132 NDIS - ok
22:16:35.0125 6132 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
22:16:35.0125 6132 NdisIP - ok
22:16:35.0171 6132 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
22:16:35.0171 6132 NdisTapi - ok
22:16:35.0203 6132 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
22:16:35.0203 6132 Ndisuio - ok
22:16:35.0312 6132 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
22:16:35.0312 6132 NdisWan - ok
22:16:35.0328 6132 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
22:16:35.0328 6132 NDProxy - ok
22:16:35.0609 6132 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
22:16:35.0609 6132 NetBIOS - ok
22:16:35.0750 6132 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
22:16:35.0750 6132 NetBT - ok
22:16:35.0796 6132 NetDDE (b857ba82860d7ff85ae29b095645563b) C:\WINDOWS\system32\netdde.exe
22:16:35.0890 6132 NetDDE - ok
22:16:35.0890 6132 NetDDEdsdm (b857ba82860d7ff85ae29b095645563b) C:\WINDOWS\system32\netdde.exe
22:16:35.0906 6132 NetDDEdsdm - ok
22:16:35.0984 6132 Netlogon (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
22:16:36.0000 6132 Netlogon - ok
22:16:36.0046 6132 Netman (13e67b55b3abd7bf3fe7aae5a0f9a9de) C:\WINDOWS\System32\netman.dll
22:16:36.0046 6132 Netman - ok
22:16:36.0218 6132 NETw5x32 (91f027c242d3ff6e5c09f92a0518297f) C:\WINDOWS\system32\DRIVERS\NETw5x32.sys
22:16:36.0359 6132 NETw5x32 - ok
22:16:36.0500 6132 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
22:16:36.0500 6132 NIC1394 - ok
22:16:36.0531 6132 Nla (943337d786a56729263071623bbb9de5) C:\WINDOWS\System32\mswsock.dll
22:16:36.0546 6132 Nla - ok
22:16:36.0562 6132 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
22:16:36.0562 6132 Npfs - ok
22:16:36.0625 6132 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
22:16:36.0640 6132 Ntfs - ok
22:16:36.0843 6132 NtLmSsp (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
22:16:36.0843 6132 NtLmSsp - ok
22:16:36.0890 6132 NtmsSvc (156f64a3345bd23c600655fb4d10bc08) C:\WINDOWS\system32\ntmssvc.dll
22:16:36.0906 6132 NtmsSvc - ok
22:16:36.0937 6132 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
22:16:36.0953 6132 Null - ok
22:16:36.0968 6132 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
22:16:36.0968 6132 NwlnkFlt - ok
22:16:37.0062 6132 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
22:16:37.0062 6132 NwlnkFwd - ok
22:16:37.0125 6132 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
22:16:37.0125 6132 ohci1394 - ok
22:16:37.0218 6132 ose (7a56cf3e3f12e8af599963b16f50fb6a) C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
22:16:37.0234 6132 ose - ok
22:16:37.0328 6132 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys
22:16:37.0343 6132 Parport - ok
22:16:37.0359 6132 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
22:16:37.0359 6132 PartMgr - ok
22:16:37.0375 6132 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
22:16:37.0390 6132 ParVdm - ok
22:16:37.0421 6132 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
22:16:37.0437 6132 PCI - ok
22:16:37.0468 6132 PCIDump - ok
22:16:37.0531 6132 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
22:16:37.0531 6132 PCIIde - ok
22:16:37.0546 6132 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
22:16:37.0562 6132 Pcmcia - ok
22:16:37.0609 6132 PDCOMP - ok
22:16:37.0609 6132 PDFRAME - ok
22:16:37.0625 6132 PDRELI - ok
22:16:37.0625 6132 PDRFRAME - ok
22:16:37.0625 6132 perc2 - ok
22:16:37.0640 6132 perc2hib - ok
22:16:37.0687 6132 PlugPlay (65df52f5b8b6e9bbd183505225c37315) C:\WINDOWS\system32\services.exe
22:16:37.0687 6132 PlugPlay - ok
22:16:37.0718 6132 PolicyAgent (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
22:16:37.0718 6132 PolicyAgent - ok
22:16:37.0781 6132 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
22:16:37.0781 6132 PptpMiniport - ok
22:16:37.0796 6132 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
22:16:37.0796 6132 Processor - ok
22:16:37.0843 6132 ProtectedStorage (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
22:16:37.0843 6132 ProtectedStorage - ok
22:16:37.0843 6132 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
22:16:37.0843 6132 PSched - ok
22:16:37.0906 6132 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
22:16:37.0906 6132 Ptilink - ok
22:16:37.0953 6132 PxHelp20 (49452bfcec22f36a7a9b9c2181bc3042) C:\WINDOWS\system32\Drivers\PxHelp20.sys
22:16:37.0953 6132 PxHelp20 - ok
22:16:38.0000 6132 ql1080 - ok
22:16:38.0031 6132 Ql10wnt - ok
22:16:38.0046 6132 ql12160 - ok
22:16:38.0046 6132 ql1240 - ok
22:16:38.0046 6132 ql1280 - ok
22:16:38.0078 6132 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
22:16:38.0078 6132 RasAcd - ok
22:16:38.0125 6132 RasAuto (ad188be7bdf94e8df4ca0a55c00a5073) C:\WINDOWS\System32\rasauto.dll
22:16:38.0140 6132 RasAuto - ok
22:16:38.0187 6132 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
22:16:38.0187 6132 Rasl2tp - ok
22:16:38.0250 6132 RasMan (76a9a3cbeadd68cc57cda5e1d7448235) C:\WINDOWS\System32\rasmans.dll
22:16:38.0250 6132 RasMan - ok
22:16:38.0296 6132 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
22:16:38.0296 6132 RasPppoe - ok
22:16:38.0328 6132 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
22:16:38.0343 6132 Raspti - ok
22:16:38.0390 6132 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
22:16:38.0406 6132 Rdbss - ok
22:16:38.0453 6132 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
22:16:38.0468 6132 RDPCDD - ok
22:16:38.0500 6132 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
22:16:38.0515 6132 rdpdr - ok
22:16:38.0625 6132 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) C:\WINDOWS\system32\drivers\RDPWD.sys
22:16:38.0640 6132 RDPWD - ok
22:16:38.0718 6132 RDSessMgr (3c37bf86641bda977c3bf8a840f3b7fa) C:\WINDOWS\system32\sessmgr.exe
22:16:38.0781 6132 RDSessMgr - ok
22:16:38.0906 6132 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
22:16:38.0906 6132 redbook - ok
22:16:38.0968 6132 RemoteAccess (7e699ff5f59b5d9de5390e3c34c67cf5) C:\WINDOWS\System32\mprdim.dll
22:16:38.0968 6132 RemoteAccess - ok
22:16:39.0015 6132 RemoteRegistry (5b19b557b0c188210a56a6b699d90b8f) C:\WINDOWS\system32\regsvc.dll
22:16:39.0031 6132 RemoteRegistry - ok
22:16:39.0140 6132 Roxio UPnP Renderer 9 (b7de9448bec48d129b4d4380230331c7) C:\Program Files\Common Files\Sonic Shared\RoxioUPnPRenderer9.exe
22:16:39.0156 6132 Roxio UPnP Renderer 9 - ok
22:16:39.0187 6132 Roxio Upnp Server 9 (f6e56be903a2f51a7fb69d522193f056) C:\Program Files\Common Files\Sonic Shared\RoxioUpnpService9.exe
22:16:39.0203 6132 Roxio Upnp Server 9 - ok
22:16:39.0296 6132 RoxLiveShare9 (15b8f0bfaa206ab949184fb770670e15) C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
22:16:39.0328 6132 RoxLiveShare9 - ok
22:16:39.0500 6132 RoxMediaDB9 (adf1bab5dc95112e9dd336e32266ee9f) C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
22:16:39.0515 6132 RoxMediaDB9 - ok
22:16:39.0671 6132 RoxWatch9 (10144b72619330adf2238222ed99f32f) C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
22:16:39.0703 6132 RoxWatch9 - ok
22:16:39.0812 6132 RpcLocator (aaed593f84afa419bbae8572af87cf6a) C:\WINDOWS\system32\locator.exe
22:16:39.0828 6132 RpcLocator - ok
22:16:39.0890 6132 RpcSs (6b27a5c03dfb94b4245739065431322c) C:\WINDOWS\System32\rpcss.dll
22:16:39.0890 6132 RpcSs - ok
22:16:39.0984 6132 RSVP (471b3f9741d762abe75e9deea4787e47) C:\WINDOWS\system32\rsvp.exe
22:16:40.0109 6132 RSVP - ok
22:16:40.0234 6132 RTL8167 (6465166dd9b2f841dabad16abdadbe98) C:\WINDOWS\system32\DRIVERS\Rt86win7.sys
22:16:40.0234 6132 RTL8167 - ok
22:16:40.0281 6132 RTLE8023xp (bc34024636b0b47f6bbf96da525e307a) C:\WINDOWS\system32\DRIVERS\Rtenicxp.sys
22:16:40.0281 6132 RTLE8023xp - ok
22:16:40.0296 6132 RxFilter (169dde0ac1db333e308cf7975ae0f4cf) C:\WINDOWS\system32\DRIVERS\RxFilter.sys
22:16:40.0312 6132 RxFilter - ok
22:16:40.0375 6132 SamSs (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
22:16:40.0375 6132 SamSs - ok
22:16:40.0468 6132 SCardSvr (86d007e7a654b9a71d1d7d856b104353) C:\WINDOWS\System32\SCardSvr.exe
22:16:40.0515 6132 SCardSvr - ok
22:16:40.0531 6132 Schedule (0a9a7365a1ca4319aa7c1d6cd8e4eafa) C:\WINDOWS\system32\schedsvc.dll
22:16:40.0531 6132 Schedule - ok
22:16:40.0687 6132 sdbus (8d04819a3ce51b9eb47e5689b44d43c4) C:\WINDOWS\system32\DRIVERS\sdbus.sys
22:16:40.0687 6132 sdbus - ok
22:16:40.0718 6132 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
22:16:40.0718 6132 Secdrv - ok
22:16:40.0750 6132 seclogon (cbe612e2bb6a10e3563336191eda1250) C:\WINDOWS\System32\seclogon.dll
22:16:40.0765 6132 seclogon - ok
22:16:40.0781 6132 SENS (7fdd5d0684eca8c1f68b4d99d124dcd0) C:\WINDOWS\system32\sens.dll
22:16:40.0781 6132 SENS - ok
22:16:40.0937 6132 SepMasterService (7e2c360b6cc0d87b8ef38439b53dfc71) C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\ccSvcHst.exe
22:16:40.0937 6132 SepMasterService - ok
22:16:41.0062 6132 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\drivers\Serial.sys
22:16:41.0078 6132 Serial - ok
22:16:41.0109 6132 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
22:16:41.0125 6132 Sfloppy - ok
22:16:41.0171 6132 SharedAccess (83f41d0d89645d7235c051ab1d9523ac) C:\WINDOWS\System32\ipnathlp.dll
22:16:41.0171 6132 SharedAccess - ok
22:16:41.0281 6132 ShellHWDetection (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll
22:16:41.0281 6132 ShellHWDetection - ok
22:16:41.0281 6132 Simbad - ok
22:16:41.0328 6132 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
22:16:41.0328 6132 SLIP - ok
22:16:41.0531 6132 SmcService (9fffea13a6181f1a92edbf023cdb6efd) C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\Smc.exe
22:16:41.0578 6132 SmcService - ok
22:16:41.0625 6132 SNAC (c83d26a2f51d8887b99acf86b7299716) C:\Program Files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\snac.exe
22:16:41.0671 6132 SNAC - ok
22:16:41.0750 6132 Sparrow - ok
22:16:41.0796 6132 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
22:16:41.0796 6132 splitter - ok
22:16:41.0812 6132 Spooler - ok
22:16:41.0812 6132 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
22:16:41.0828 6132 sr - ok
22:16:41.0890 6132 srservice (3805df0ac4296a34ba4bf93b346cc378) C:\WINDOWS\system32\srsvc.dll
22:16:41.0890 6132 srservice - ok
22:16:41.0984 6132 SRTSP (d1646b3db1e401a7fce2f82547d0ce32) C:\WINDOWS\system32\Drivers\SEP\0C01029F\136B.105\x86\SRTSP.SYS
22:16:42.0000 6132 SRTSP - ok
22:16:42.0203 6132 SRTSPX (ab26657d755cc81f073892d833de426b) C:\WINDOWS\system32\Drivers\SEP\0C01029F\136B.105\x86\SRTSPX.SYS
22:16:42.0203 6132 SRTSPX - ok
22:16:42.0265 6132 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
22:16:42.0265 6132 Srv - ok
22:16:42.0312 6132 SSDPSRV (0a5679b3714edab99e357057ee88fca6) C:\WINDOWS\System32\ssdpsrv.dll
22:16:42.0312 6132 SSDPSRV - ok
22:16:42.0375 6132 stisvc (8bad69cbac032d4bbacfce0306174c30) C:\WINDOWS\system32\wiaservc.dll
22:16:42.0390 6132 stisvc - ok
22:16:42.0421 6132 stllssvr (4173a9cd59f15a64f54b3242c3232731) C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
22:16:42.0437 6132 stllssvr - ok
22:16:42.0546 6132 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
22:16:42.0562 6132 streamip - ok
22:16:42.0625 6132 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
22:16:42.0625 6132 swenum - ok
22:16:42.0640 6132 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
22:16:42.0640 6132 swmidi - ok
22:16:42.0656 6132 SwPrv - ok
22:16:42.0656 6132 symc810 - ok
22:16:42.0656 6132 symc8xx - ok
22:16:42.0765 6132 SymDS (4f52d56310fef75249914f352dde7d13) C:\WINDOWS\system32\Drivers\SEP\0C01029F\136B.105\x86\SYMDS.SYS
22:16:42.0765 6132 SymDS - ok
22:16:42.0921 6132 SymEFA (6c30d676b806ed0324124c85146b46bc) C:\WINDOWS\system32\Drivers\SEP\0C01029F\136B.105\x86\SYMEFA.SYS
22:16:42.0953 6132 SymEFA - ok
22:16:42.0984 6132 SymEvent (98d28d08e68145fb550ee7670b43baf2) C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
22:16:42.0984 6132 SymEvent - ok
22:16:43.0062 6132 SymIRON (057ac299d7a61bab2a1bdc483280ae57) C:\WINDOWS\system32\Drivers\SEP\0C01029F\136B.105\x86\Ironx86.SYS
22:16:43.0062 6132 SymIRON - ok
22:16:43.0250 6132 SYMTDI (336cace58f0359d5cbb1ae6b8a2fb205) C:\WINDOWS\system32\Drivers\SEP\0C01029F\136B.105\x86\SYMTDI.SYS
22:16:43.0250 6132 SYMTDI - ok
22:16:43.0250 6132 sym_hi - ok
22:16:43.0265 6132 sym_u3 - ok
22:16:43.0296 6132 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
22:16:43.0296 6132 sysaudio - ok
22:16:43.0343 6132 SysmonLog (c7abbc59b43274b1109df6b24d617051) C:\WINDOWS\system32\smlogsvc.exe
22:16:43.0359 6132 SysmonLog - ok
22:16:43.0453 6132 TapiSrv (3cb78c17bb664637787c9a1c98f79c38) C:\WINDOWS\System32\tapisrv.dll
22:16:43.0453 6132 TapiSrv - ok
22:16:43.0484 6132 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
22:16:43.0515 6132 Tcpip - ok
22:16:43.0531 6132 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
22:16:43.0546 6132 TDPIPE - ok
22:16:43.0656 6132 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
22:16:43.0656 6132 TDTCP - ok
22:16:43.0703 6132 Teefer2 (d3b7576c97ebe31f456caeb2d8141338) C:\WINDOWS\system32\DRIVERS\teefer.sys
22:16:43.0703 6132 Teefer2 - ok
22:16:43.0734 6132 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
22:16:43.0750 6132 TermDD - ok
22:16:43.0796 6132 TermService (ff3477c03be7201c294c35f684b3479f) C:\WINDOWS\System32\termsrv.dll
22:16:43.0796 6132 TermService - ok
22:16:44.0031 6132 Themes (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll
22:16:44.0031 6132 Themes - ok
22:16:44.0046 6132 TlntSvr (db7205804759ff62c34e3efd8a4cc76a) C:\WINDOWS\system32\tlntsvr.exe
22:16:44.0125 6132 TlntSvr - ok
22:16:44.0156 6132 TosIde - ok
22:16:44.0218 6132 TrkWks (55bca12f7f523d35ca3cb833c725f54e) C:\WINDOWS\system32\trkwks.dll
22:16:44.0218 6132 TrkWks - ok
22:16:44.0343 6132 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
22:16:44.0359 6132 Udfs - ok
22:16:44.0359 6132 UIUSys - ok
22:16:44.0359 6132 ultra - ok
22:16:44.0406 6132 UMWdf (ebc6ace28e58ba5be4a8190b613b6f02) C:\WINDOWS\system32\wdfmgr.exe
22:16:44.0406 6132 UMWdf - ok
22:16:44.0421 6132 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
22:16:44.0437 6132 Update - ok
22:16:44.0562 6132 upnphost (1ebafeb9a3fbdc41b8d9c7f0f687ad91) C:\WINDOWS\System32\upnphost.dll
22:16:44.0578 6132 upnphost - ok
22:16:44.0609 6132 UPS (05365fb38fca1e98f7a566aaaf5d1815) C:\WINDOWS\System32\ups.exe
22:16:44.0625 6132 UPS - ok
22:16:44.0671 6132 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
22:16:44.0671 6132 usbccgp - ok
22:16:44.0718 6132 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
22:16:44.0734 6132 usbehci - ok
22:16:44.0828 6132 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
22:16:44.0828 6132 usbhub - ok
22:16:44.0890 6132 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys
22:16:44.0890 6132 usbohci - ok
22:16:44.0937 6132 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
22:16:44.0937 6132 USBSTOR - ok
22:16:44.0984 6132 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
22:16:44.0984 6132 usbuhci - ok
22:16:45.0046 6132 usbvideo (63bbfca7f390f4c49ed4b96bfb1633e0) C:\WINDOWS\system32\Drivers\usbvideo.sys
22:16:45.0046 6132 usbvideo - ok
22:16:45.0140 6132 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
22:16:45.0140 6132 VgaSave - ok
22:16:45.0218 6132 VIAHdAudAddService (ae9cd6196229cec1e6bc566165a16b4b) C:\WINDOWS\system32\drivers\viahduaa.sys
22:16:45.0234 6132 VIAHdAudAddService - ok
22:16:45.0234 6132 ViaIde - ok
22:16:45.0265 6132 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
22:16:45.0265 6132 VolSnap - ok
22:16:45.0359 6132 VSS (7a9db3a67c333bf0bd42e42b8596854b) C:\WINDOWS\System32\vssvc.exe
22:16:45.0375 6132 VSS - ok
22:16:45.0437 6132 W32Time (54af4b1d5459500ef0937f6d33b1914f) C:\WINDOWS\system32\w32time.dll
22:16:45.0437 6132 W32Time - ok
22:16:45.0484 6132 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
22:16:45.0484 6132 Wanarp - ok
22:16:45.0515 6132 WDICA - ok
22:16:45.0562 6132 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
22:16:45.0562 6132 wdmaud - ok
22:16:45.0625 6132 WebClient (77a354e28153ad2d5e120a5a8687bc06) C:\WINDOWS\System32\webclnt.dll
22:16:45.0625 6132 WebClient - ok
22:16:45.0796 6132 winachsf (a8596cf86d445269a42ecc08b7066a4c) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
22:16:45.0812 6132 winachsf - ok
22:16:45.0890 6132 winmgmt (2d0e4ed081963804ccc196a0929275b5) C:\WINDOWS\system32\wbem\WMIsvc.dll
22:16:45.0906 6132 winmgmt - ok
22:16:45.0968 6132 WmdmPmSN (051b1bdecd6dee18c771b5d5ec7f044d) C:\WINDOWS\system32\MsPMSNSv.dll
22:16:45.0968 6132 WmdmPmSN - ok
22:16:46.0031 6132 Wmi (e76f8807070ed04e7408a86d6d3a6137) C:\WINDOWS\System32\advapi32.dll
22:16:46.0046 6132 Wmi - ok
22:16:46.0203 6132 WmiAcpi (c42584fd66ce9e17403aebca199f7bdb) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
22:16:46.0203 6132 WmiAcpi - ok
22:16:46.0265 6132 WmiApSrv (e0673f1106e62a68d2257e376079f821) C:\WINDOWS\system32\wbem\wmiapsrv.exe
22:16:46.0281 6132 WmiApSrv - ok
22:16:46.0328 6132 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
22:16:46.0328 6132 WS2IFSL - ok
22:16:46.0406 6132 wscsvc (7c278e6408d1dce642230c0585a854d5) C:\WINDOWS\system32\wscsvc.dll
22:16:46.0406 6132 wscsvc - ok
22:16:46.0468 6132 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
22:16:46.0468 6132 WSTCODEC - ok
22:16:46.0500 6132 wuauserv (35321fb577cdc98ce3eb3a3eb9e4610a) C:\WINDOWS\system32\wuauserv.dll
22:16:46.0500 6132 wuauserv - ok
22:16:46.0546 6132 WZCSVC (81dc3f549f44b1c1fff022dec9ecf30b) C:\WINDOWS\System32\wzcsvc.dll
22:16:46.0546 6132 WZCSVC - ok
22:16:46.0593 6132 xmlprov (295d21f14c335b53cb8154e5b1f892b9) C:\WINDOWS\System32\xmlprov.dll
22:16:46.0609 6132 xmlprov - ok
22:16:46.0718 6132 yukonwxp (10cb956fa629fd3803a9a40b86f62fa4) C:\WINDOWS\system32\DRIVERS\yk51x86.sys
22:16:46.0718 6132 yukonwxp - ok
22:16:46.0734 6132 MBR (0x1B8) (e9f67288208d53ef770f82e186904857) \Device\Harddisk0\DR0
22:16:46.0765 6132 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - infected
22:16:46.0765 6132 \Device\Harddisk0\DR0 - detected Rootkit.Boot.Pihar.b (0)
22:16:46.0796 6132 Boot (0x1200) (4cb09055e0d824a912531e3bf5638e54) \Device\Harddisk0\DR0\Partition0
22:16:46.0796 6132 \Device\Harddisk0\DR0\Partition0 - ok
22:16:46.0796 6132 ============================================================
22:16:46.0796 6132 Scan finished
22:16:46.0796 6132 ============================================================
22:16:46.0796 5320 Detected object count: 1
22:16:46.0796 5320 Actual detected object count: 1
22:17:06.0328 5320 \Device\Harddisk0\DR0\# - copied to quarantine
22:17:06.0328 5320 \Device\Harddisk0\DR0 - copied to quarantine
22:17:06.0343 5320 \Device\Harddisk0\DR0\TDLFS\phm - copied to quarantine
22:17:06.0359 5320 \Device\Harddisk0\DR0\TDLFS\ph.dll - copied to quarantine
22:17:06.0359 5320 \Device\Harddisk0\DR0\TDLFS\phx.dll - copied to quarantine
22:17:06.0359 5320 \Device\Harddisk0\DR0\TDLFS\sub.dll - copied to quarantine
22:17:06.0375 5320 \Device\Harddisk0\DR0\TDLFS\subx.dll - copied to quarantine
22:17:06.0375 5320 \Device\Harddisk0\DR0\TDLFS\phd - copied to quarantine
22:17:06.0390 5320 \Device\Harddisk0\DR0\TDLFS\phdata - copied to quarantine
22:17:06.0390 5320 \Device\Harddisk0\DR0\TDLFS\phdx - copied to quarantine
22:17:06.0390 5320 \Device\Harddisk0\DR0\TDLFS\phs - copied to quarantine
22:17:06.0390 5320 \Device\Harddisk0\DR0\TDLFS\phld - copied to quarantine
22:17:06.0390 5320 \Device\Harddisk0\DR0\TDLFS\phln - copied to quarantine
22:17:06.0406 5320 \Device\Harddisk0\DR0\TDLFS\phlx - copied to quarantine
22:17:06.0421 5320 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - will be cured on reboot
22:17:06.0421 5320 \Device\Harddisk0\DR0 - ok
22:17:06.0437 5320 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - User select action: Cure
22:17:56.0859 2576 Deinitialize success


aswMBR Report:

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-04-18 22:40:45
-----------------------------
22:40:45.000 OS Version: Windows 5.1.2600 Service Pack 3
22:40:45.000 Number of processors: 2 586 0x170A
22:40:45.000 ComputerName: PIWXP406L UserName:
22:40:45.578 Initialize success
22:49:13.609 AVAST engine defs: 12041802
22:51:48.031 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
22:51:48.031 Disk 0 Vendor: TOSHIBA_MK3255GSX FG011M Size: 305245MB BusType: 3
22:51:48.046 Disk 0 MBR read successfully
22:51:48.046 Disk 0 MBR scan
22:51:48.078 Disk 0 Windows VISTA default MBR code
22:51:48.093 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 305243 MB offset 2048
22:51:48.093 Disk 0 scanning sectors +625139712
22:51:48.187 Disk 0 scanning C:\WINDOWS\system32\drivers
22:51:55.375 Service scanning
22:52:18.125 Modules scanning
22:52:26.734 Disk 0 trace - called modules:
22:52:26.750 ntkrnlpa.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS
22:52:26.750 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8ad87ab8]
22:52:26.750 3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x8adcad98]
22:52:27.546 AVAST engine scan C:\WINDOWS
22:52:39.468 AVAST engine scan C:\WINDOWS\system32
22:54:28.937 AVAST engine scan C:\WINDOWS\system32\drivers
22:54:44.640 AVAST engine scan C:\Documents and Settings\adesjeunes
22:57:23.640 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\adesjeunes\Desktop\MBR.dat"
22:57:23.671 The log file has been saved successfully to "C:\Documents and Settings\adesjeunes\Desktop\aswMBR.txt"
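The two reports above describe the same 512-byte sector from different angles. TDSSKiller hashes the boot code (the line `MBR (0x1B8) (e9f67288208d53ef770f82e186904857) \Device\Harddisk0\DR0`), flags it as Rootkit.Boot.Pihar.b and quarantines the bootkit's components from a hidden TDLFS file system; aswMBR, run after the cure, reads the sector back as stock MBR code with one bootable NTFS partition at offset 2048 of 305243 MB. The Python below is an added example, not code from either tool or from anyone in this thread. It parses an MBR the same way: it checks the 0x55AA signature, hashes the boot-code bytes, and decodes the partition entries so a responder can compare the before/after state or confirm that the cure survived the reboot. Two assumptions that the page does not state: that "0x1B8" in the TDSSKiller line is the length of the hashed boot-code region (440 bytes, up to the disk signature), and the sample sector, which is constructed here to match the aswMBR partition layout with dummy boot code and a made-up disk signature.

```python
"""Parse and fingerprint a raw MBR sector (added example for this thread).

Not part of TDSSKiller or aswMBR. Assumption: the "MBR (0x1B8)" TDSSKiller
line hashes the first 0x1B8 = 440 bytes of the sector, i.e. the bootstrap
code that precedes the 4-byte disk signature at offset 0x1B8.
"""
import hashlib
import struct

SECTOR = 512
BOOTCODE_LEN = 0x1B8        # assumption: region TDSSKiller hashes
DISK_SIG_OFF = 0x1B8        # 4-byte NT disk signature
PART_TABLE_OFF = 0x1BE      # four 16-byte partition entries
BOOT_SIG = b"\x55\xAA"      # last two bytes of a valid MBR

PART_TYPES = {0x07: "HPFS/NTFS", 0x0C: "FAT32 LBA", 0xEE: "GPT protective"}


def read_mbr(path: str) -> bytes:
    """Read the first sector of a disk or image.

    Windows: r"\\\\.\\PhysicalDrive0" from an elevated prompt.
    Linux: "/dev/sda". Also works on a 512-byte dump such as MBR.dat.
    """
    with open(path, "rb") as f:
        return f.read(SECTOR)


def parse_mbr(sector: bytes) -> dict:
    """Decode signature, boot-code hash, disk signature and partition table."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != BOOT_SIG:
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        entry = sector[PART_TABLE_OFF + 16 * i: PART_TABLE_OFF + 16 * (i + 1)]
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
        flag, ptype, lba, sectors = struct.unpack("<B3xB3xII", entry)
        if ptype == 0:
            continue
        parts.append({
            "index": i + 1,
            "bootable": flag == 0x80,
            "type": ptype,
            "type_name": PART_TYPES.get(ptype, "unknown"),
            "lba_start": lba,
            "sectors": sectors,
            "size_mb": sectors * SECTOR // (1024 * 1024),
        })
    return {
        "bootcode_md5": hashlib.md5(sector[:BOOTCODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack("<I", sector[DISK_SIG_OFF:DISK_SIG_OFF + 4])[0],
        "partitions": parts,
    }


def mbr_bootcode_changed(sector: bytes, known_good_md5: str) -> bool:
    """True when the boot code no longer matches a hash taken from a clean state."""
    return parse_mbr(sector)["bootcode_md5"] != known_good_md5.lower()


def describe(info: dict) -> list:
    """Render the parsed MBR in the style of the aswMBR partition line."""
    lines = ["boot code md5 %s, disk signature 0x%08X"
             % (info["bootcode_md5"], info["disk_signature"])]
    for p in info["partitions"]:
        lines.append("Partition %d %s %02X %s %d MB offset %d" % (
            p["index"], "80 (A)" if p["bootable"] else "00", p["type"],
            p["type_name"], p["size_mb"], p["lba_start"]))
    return lines


def build_sample_mbr() -> bytes:
    """Constructed sample (not from the infected laptop): dummy boot code, a
    made-up disk signature and one bootable NTFS partition laid out like the
    aswMBR report (offset 2048, 305243 MB = 625137664 sectors)."""
    bootcode = b"\xEB\x63\x90" + b"\x00" * (BOOTCODE_LEN - 3)  # dummy jump + padding
    disk_sig = struct.pack("<I", 0xDEADBEEF)                    # constructed value
    reserved = b"\x00\x00"
    entry1 = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 625137664)
    table = entry1 + b"\x00" * 48                                # three empty entries
    sector = bootcode + disk_sig + reserved + table + BOOT_SIG
    assert len(sector) == SECTOR
    return sector


if __name__ == "__main__":
    import sys
    sector = read_mbr(sys.argv[1]) if len(sys.argv) > 1 else build_sample_mbr()
    for line in describe(parse_mbr(sector)):
        print(line)
```

Run it against the MBR.dat that aswMBR saved to the desktop, or against the live disk from an elevated prompt, and keep the boot-code hash from a known-clean state to feed `mbr_bootcode_changed()` after the reboot. One caveat the aswMBR "Disk 0 trace" lines hint at: a bootkit that hooks the disk driver stack can serve a clean-looking sector to anything reading through the live kernel, so a hash taken from a booted, still-infected system is only trustworthy once the driver chain has been verified, or the disk is read offline from a clean system.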

#9 gringo_pr (Bleepin Gringo)

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 18 April 2012 - 10:10 PM

Greetings

At this time I would like you to run this script for me and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Note 2: If you receive the error "Illegal operation attempted on a registry key that has been marked for deletion", please restart the computer.

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#10 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 21 April 2012 - 07:25 AM

Hello


Just checking in on you as it has been a couple of days since I have heard from you.

Are you having any troubles or just need more time?




Gringo

#11 boostdemon (Topic Starter)

  • Members
  • 7 posts

Posted 21 April 2012 - 07:33 PM

So far everything is looking OK. Had some issues with wireless dropping off (basically the wirelesszero service was getting shut down automatically), but everything seems to be working better. I'll keep an eye on it and see if there's anything left to do, but so far it seems OK.

ComboFix 12-04-16.01 - adesjeunes 04/21/2012 20:25:18.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2909.2165 [GMT -4:00]
Running from: c:\documents and settings\adesjeunes\Desktop\virus removal\ComboFix.exe
Command switches used :: c:\documents and settings\adesjeunes\Desktop\virus removal\cfscript.txt
AV: Symantec Endpoint Protection *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *Disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
.
- REDUCED FUNCTIONALITY MODE -
.
.
((((((((((((((((((((((((( Files Created from 2012-03-22 to 2012-04-22 )))))))))))))))))))))))))))))))
.
.
2012-04-20 17:56 . 2012-04-20 17:56 -------- d-----w- c:\windows\LastGood
2012-04-19 03:55 . 2012-04-19 03:55 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2012-04-19 02:17 . 2012-04-19 02:17 -------- d-----w- C:\TDSSKiller_Quarantine
2012-04-12 02:08 . 2012-04-12 02:10 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2012-04-12 02:08 . 2012-04-19 03:55 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-04-10 19:54 . 2012-04-10 19:54 94128 ----a-w- c:\windows\system32\FwsVpn.dll
2012-04-10 19:54 . 2012-04-10 19:54 32208 ----a-w- c:\windows\system32\drivers\WGX.SYS
2012-04-10 19:54 . 2012-04-10 19:54 -------- d-----w- c:\windows\system32\drivers\SEP
2012-04-10 17:55 . 2012-04-10 17:55 -------- d-----w- c:\documents and settings\informationsystems\Application Data\Malwarebytes
2012-04-10 17:19 . 2012-04-10 17:19 -------- d-sh--w- c:\documents and settings\adesjeunes\IECompatCache
2012-04-10 14:36 . 2012-04-10 14:36 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Symantec
2012-04-09 17:54 . 2012-04-09 17:54 -------- d-----w- c:\documents and settings\administrator.PIW-DC
2012-04-09 17:46 . 2012-04-09 17:46 -------- d-----w- c:\documents and settings\informationsystems\Application Data\Apple Computer
2012-04-08 16:07 . 2012-04-08 16:07 -------- d-----w- c:\documents and settings\adesjeunes\Application Data\Malwarebytes
2012-04-08 16:02 . 2012-04-08 16:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-19 03:55 . 2011-08-02 15:37 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-04-10 19:55 . 2010-03-24 17:43 60872 ----a-w- c:\windows\system32\S32EVNT1.DLL
2012-04-10 19:55 . 2010-03-24 17:43 127096 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2012-04-10 19:54 . 2010-01-14 16:35 240048 ----a-w- c:\windows\system32\SymVPN.dll
2012-03-13 04:39 . 2012-04-19 02:06 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-04-16_20.13.15 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-04-19 02:24 . 2012-04-19 02:24 16384 c:\windows\TEMP\Perflib_Perfdata_604.dat
- 2011-03-22 18:36 . 2012-04-16 17:27 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2012-04-22 00:27 . 2012-04-22 00:27 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2010-03-24 15:33 . 2012-04-22 00:27 16384 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2010-03-24 15:33 . 2012-04-16 17:27 16384 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2012-04-11 18:19 . 2012-04-16 17:27 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2012-04-18 18:12 . 2012-04-22 00:27 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2012-04-20 17:56 . 2010-07-05 13:15 17272 c:\windows\ie8updates\KB2618444-IE8\spmsg.dll
+ 2012-04-20 17:56 . 2010-07-05 13:15 26488 c:\windows\ie8updates\KB2618444-IE8\spcustom.dll
+ 2012-04-20 17:56 . 2010-07-05 13:15 17272 c:\windows\$NtUninstallKB2618451$\spmsg.dll
+ 2012-04-20 17:56 . 2010-07-05 13:15 26488 c:\windows\$NtUninstallKB2618451$\spcustom.dll
+ 2012-04-20 17:56 . 2010-07-05 13:15 17272 c:\windows\$NtUninstallKB2603381$\spmsg.dll
+ 2012-04-20 17:56 . 2010-07-05 13:15 26488 c:\windows\$NtUninstallKB2603381$\spcustom.dll
+ 2012-04-20 17:56 . 2010-07-05 13:15 17272 c:\windows\$NtUninstallKB2570947$\spmsg.dll
+ 2012-04-20 17:56 . 2010-07-05 13:15 26488 c:\windows\$NtUninstallKB2570947$\spcustom.dll
+ 2012-04-19 03:55 . 2012-04-19 03:55 353440 c:\windows\system32\Macromed\Flash\FlashUtil32_11_2_202_233_Plugin.exe
+ 2012-04-12 02:08 . 2012-04-19 03:55 253088 c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
+ 2012-04-20 17:56 . 2010-07-05 13:16 382840 c:\windows\ie8updates\KB2618444-IE8\updspapi.dll
+ 2012-04-20 17:56 . 2010-07-05 13:15 755576 c:\windows\ie8updates\KB2618444-IE8\update.exe
+ 2012-04-20 17:56 . 2010-07-05 13:15 231288 c:\windows\ie8updates\KB2618444-IE8\spuninst.exe
+ 2012-04-20 17:56 . 2010-07-05 13:16 382840 c:\windows\$NtUninstallKB2618451$\updspapi.dll
+ 2012-04-20 17:56 . 2010-07-05 13:15 755576 c:\windows\$NtUninstallKB2618451$\update.exe
+ 2012-04-20 17:56 . 2010-07-05 13:15 231288 c:\windows\$NtUninstallKB2618451$\spuninst.exe
+ 2012-04-20 17:56 . 2010-07-05 13:16 382840 c:\windows\$NtUninstallKB2603381$\updspapi.dll
+ 2012-04-20 17:56 . 2010-07-05 13:15 755576 c:\windows\$NtUninstallKB2603381$\update.exe
+ 2012-04-20 17:56 . 2010-07-05 13:15 231288 c:\windows\$NtUninstallKB2603381$\spuninst.exe
+ 2012-04-20 17:56 . 2010-07-05 13:16 382840 c:\windows\$NtUninstallKB2570947$\updspapi.dll
+ 2012-04-20 17:56 . 2010-07-05 13:15 755576 c:\windows\$NtUninstallKB2570947$\update.exe
+ 2012-04-20 17:56 . 2010-07-05 13:15 231288 c:\windows\$NtUninstallKB2570947$\spuninst.exe
+ 2012-04-19 03:55 . 2012-04-19 03:55 8797344 c:\windows\system32\Macromed\Flash\NPSWF32_11_2_202_233.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
2001-11-02 15:50 24636 ----a-w- c:\windows\system32\PCANotify.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Symantec\\pcAnywhere\\winaw32.exe"=
"c:\\Program Files\\Symantec\\pcAnywhere\\awhost32.exe"=
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\SEP\0C01029F\136B.105\x86\SymDS.sys [5/2/2011 9:18 PM 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\SEP\0C01029F\136B.105\x86\SymEFA.sys [5/17/2011 10:32 PM 756856]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Data\Definitions\BASHDefs\20120413.011\BHDrvx86.sys [4/20/2012 2:46 PM 821880]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\SEP\0C01029F\136B.105\x86\Ironx86.sys [5/10/2011 10:54 PM 136312]
R2 SepMasterService;Symantec Endpoint Protection;c:\program files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\ccSvcHst.exe [6/14/2011 6:31 PM 137224]
R3 CnxtHdAudAddService;Microsoft UAA Function Driver for High Definition Audio Service;c:\windows\system32\drivers\CHDAud.sys [1/31/2008 8:18 PM 732160]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [4/10/2012 10:46 AM 106104]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Data\Definitions\IPSDefs\20120419.001\IDSXpx86.sys [4/20/2012 2:46 PM 356792]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [4/11/2012 10:08 PM 253088]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [5/11/2010 10:44 AM 1684736]
S3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [12/18/2009 11:58 AM 11336]
S3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [3/22/2011 2:39 PM 109568]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [3/21/2011 11:03 AM 187392]
S3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [3/24/2010 1:11 PM 992256]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - ASWMBR
*Deregistered* - aswMBR
.
Contents of the 'Scheduled Tasks' folder
.
2012-04-20 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-12 03:55]
.
2012-04-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = wmplayer.exe //ICWLaunch
uInternet Settings,ProxyOverride = *.local
TCP: DhcpNameServer = 192.168.0.1
DPF: {071B764E-14E9-43F6-A031-4892D6D8F648} - hxxp://192.168.4.2/browserclient/BrowserClient.cab
FF - ProfilePath - c:\documents and settings\adesjeunes\Application Data\Mozilla\Firefox\Profiles\kd04efwv.default\
FF - prefs.js: network.proxy.type - 0
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-04-21 20:28
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SepMasterService]
"ImagePath"="\"c:\program files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\ccSvcHst.exe\" /s \"Symantec Endpoint Protection\" /m \"c:\program files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\sms.dll\" /prefetch:1"
--
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SmcService]
"ImagePath"="\"c:\program files\Symantec\Symantec Endpoint Protection\12.1.671.4971.105\Bin\Smc.exe\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Symantec\Symantec Endpoint Protection\CurrentVersion]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,4f,00,46,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1320)
c:\windows\system32\igfxdev.dll
.
- - - - - - - > 'explorer.exe'(2768)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2012-04-21 20:29:31
ComboFix-quarantined-files.txt 2012-04-22 00:29
ComboFix2.txt 2012-04-16 20:16
ComboFix3.txt 2012-04-10 15:13
.
Pre-Run: 244,885,696,512 bytes free
Post-Run: 245,129,019,392 bytes free
.
- - End Of File - - 8C64E8F5D931FEAA2F5773E7E0717951

#12 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 21 April 2012 - 07:36 PM

Clean Out Temp Files

  • This small application you may want to keep and use once a week to keep the computer clean.

    Download CCleaner from here http://www.ccleaner.com/

  • Run the installer to install the application.
  • When it gives you the option to install Yahoo toolbar uncheck the box next to it.
  • Run CCleaner. (Make sure that under the Windows tab all the boxes under Internet Explorer and Windows Explorer are checked. Under System, check Empty Recycle Bin and Temporary Files. Under the Application tab all the boxes should be checked.)
  • Click Run Cleaner.
  • Close CCleaner.


: Malwarebytes' Anti-Malware :

  • Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Download HijackThis

If you have any problems running HijackThis, see NOTE** below (hosts file not read, blank Notepad ...)

  • Go Here to download HijackThis Installer
  • Save HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the AnalyseThis button; its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.


NOTE**
Sometimes we have to run it like this. To run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)<--32-bit
(located: C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe)<--64-bit
and select to run as administrator.

"information and logs"

  • In your next post I need the following

  • Log From MBAM
  • report from Hijackthis
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo


#13 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 23 April 2012 - 11:40 PM

Hello


Just a friendly bump to check in on you as it has been a couple of days since I have heard from you.

Are you having any troubles or just need more time?




Gringo

#14 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 26 April 2012 - 11:18 PM

Hello

48 Hour bump

It has been more than 48 hours since my last post.

  • do you still need help with this?
  • do you need more time?
  • are you having problems following my instructions?
  • if after 48 hrs you have not replied to this thread, then it will have to be closed!

Gringo

#15 boostdemon (Topic Starter)

Posted 27 April 2012 - 02:28 PM

Haven't had time to mess with it this week... sorry. It has been running fine since ComboFix though. I'll run HJT tomorrow and see what is left, if anything. Thanks for the help.
