Infection with redirect, not removing


  • This topic is locked
32 replies to this topic

#1 Foooznatch

  • Members
  • 21 posts
  • OFFLINE
  • Local time:10:07 AM

Posted 03 May 2012 - 01:15 PM

Was referred to this forum from the "Am I infected? What do I do?" forum. Infection with Google/Bing redirect. Since the cleaning instructions given in the other forum, the redirect appears to be resolved, but the infection is not.

Logs are below.

Thanks!

DDS

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 6.0.2900.2180
Run by Administrator at 12:55:04 on 2012-05-03
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1015.230 [GMT -4:00]
.
AV: Symantec AntiVirus Corporate Edition *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AutoReceive\wrapper.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\AutoReceive\jre160_00\bin\java.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Vertical\Wave\TvWksSvc.exe
C:\Program Files\TightVNC\WinVNC.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Twain_32\Fjscan32\SOP\FtLnSOP.exe
C:\WINDOWS\Twain_32\fjscan32\FjtwSetup.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Citrix\ICA Client\concentr.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\AcroDist.exe
C:\Program Files\Citrix\ICA Client\wfcrun32.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\userinit.exe
\\?\C:\WINDOWS\system32\WBEM\WMIADAP.EXE
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
mRun: [FtLnSOP_setup] c:\windows\twain_32\fjscan32\sop\FtLnSOP.exe
mRun: [FJTWAIN Setup] c:\windows\twain_32\fjscan32\FjtwSetup.exe /Station
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
mRun: [<NO NAME>]
mRun: [WinVNC] "c:\program files\tightvnc\WinVNC.exe" -servicehelper
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [ConnectionCenter] "c:\program files\citrix\ica client\concentr.exe" /startup
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [RTHDCPL] RTHDCPL.EXE
uPolicies-explorer: NoChangeAnimation = 1 (0x1)
uPolicies-explorer: NoChangeKeyboardNavigationIndicators = 1 (0x1)
uPolicies-explorer: NoThumbnailCache = 1 (0x1)
uPolicies-explorer: NoStartMenuSubFolders = 1 (0x1)
uPolicies-explorer: NoWindowsUpdate = 1 (0x1)
uPolicies-explorer: NoSMMyDocs = 1 (0x1)
uPolicies-explorer: NoFavoritesMenu = 1 (0x1)
uPolicies-explorer: NoSMMyPictures = 1 (0x1)
uPolicies-explorer: NoStartMenuMyMusic = 1 (0x1)
uPolicies-explorer: NoStartMenuNetworkPlaces = 1 (0x1)
uPolicies-explorer: ForceStartMenuLogOff = 1 (0x1)
uPolicies-explorer: NoInstrumentation = 1 (0x1)
uPolicies-explorer: NoTaskGrouping = 1 (0x1)
uPolicies-explorer: NoSimpleStartMenu = 1 (0x1)
uPolicies-explorer: NoSMBalloonTip = 1 (0x1)
uPolicies-explorer: NoStartMenuEjectPC = 1 (0x1)
uPolicies-explorer: NoDesktopCleanupWizard = 1 (0x1)
uPolicies-explorer: NoActiveDesktop = 1 (0x1)
uPolicies-explorer: NoThemesTab = 1 (0x1)
uPolicies-explorer: NoWelcomeScreen = 1 (0x1)
uPolicies-explorer: DisallowRun = 1 (0x1)
uPolicies-explorer: NoAutoUpdate = 0 (0x0)
uPolicies-explorer: NoPublishingWizard = 1 (0x1)
uPolicies-explorer: NoWebServices = 1 (0x1)
uPolicies-explorer: NoOnlinePrintsWizard = 1 (0x1)
uPolicies-disallowrun: 1 = aim.exe
uPolicies-disallowrun: 2 = install_aim.exe
uPolicies-disallowrun: 3 = msimn.exe
uPolicies-system: SetVisualStyle =
mPolicies-explorer: NoMSAppLogo5ChannelNotify = 1 (0x1)
mPolicies-explorer: NoWelcomeScreen = 1 (0x1)
mPolicies-explorer: NoPublishingWizard = 1 (0x1)
mPolicies-explorer: NoWebServices = 1 (0x1)
mPolicies-explorer: NoOnlinePrintsWizard = 1 (0x1)
mPolicies-system: LogonType = 0 (0x0)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
LSP: mswsock.dll
Trusted Zone: care360.com
Trusted Zone: questdiagnostics.com
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {062D23D1-62F1-4DAD-9201-A5C7249FE5BA} - hxxp://pmserver/centricitypm/Install/CPOPM04GoldClient712/CPOPM04GoldClient712.cab
DPF: {15772FF0-B907-4D98-B770-0000B63DB314} - hxxps://cas2.questdiagnostics.com/EREQ_SSLcabs/VBPrinter.CAB
DPF: {15D73F88-277E-42EC-BE97-C64E1C6A18D9} - hxxp://pmserver/centricitypm/Install/CPOPM04Client/CPOPM04Client.cab
DPF: {16B2BACC-F445-49B2-ABB0-671C5CBE8CE0} - hxxps://cas2.questdiagnostics.com/EREQ_SSLcabs/ComboBridgeControl.CAB
DPF: {473372A0-AF4A-4B99-B346-A7327B718981} - hxxp://pmserver/centricitypm/Install/CPOPM04GoldClient711_2/CPOPM04GoldClient711_2.cab
DPF: {69D1E588-02F8-4C00-B311-5C581402C247} - hxxps://cas2.questdiagnostics.com/EREQ_SSLcabs/DGXDPCtr.cab
DPF: {756BEC7B-ADF4-4931-A519-B513B32CFC1B} - hxxps://cas2.questdiagnostics.com/EREQ_SSLcabs/LabelControl.CAB
DPF: {79C259BD-8024-4992-B445-2C52D3449214} - hxxps://cas2.questdiagnostics.com/EREQ_SSLcabs/C360Upgrader.CAB
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {DD82DF40-5377-44E2-AED3-8CB6D1AF42E2} - hxxp://pmserver/centricitypm/Install/MAMedicaid04/MAMedicaid04.cab
DPF: {E5855096-43F4-47CF-8723-BAFC1759AFDC} - hxxp://pmserver/centricitypm/Install/CPOPM04GoldClient710/CPOPM04GoldClient710.cab
DPF: {F839F0A1-4D68-472A-BBB8-08FA530581CF} - hxxp://pmserver/centricitypm/Install/MBCINSTaller70.dll
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{4A1941C2-B805-4FB8-9E8D-73AE6261EA53} : DhcpNameServer = 192.168.0.1
Filter: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Notify: igfxcui - igfxdev.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
.
============= SERVICES / DRIVERS ===============
.
R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [2009-10-5 65584]
R1 RCFOX;SonicWALL IPsec Driver;c:\windows\system32\drivers\RCFOX.SYS [2009-1-9 86552]
R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2005-12-19 337592]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2005-12-19 54968]
R2 AutoReceive;AutoReceive;c:\program files\autoreceive\wrapper.exe [2008-2-11 245248]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2006-3-7 192160]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2006-3-7 169632]
R2 InAspi32;InAspi32;c:\windows\system32\drivers\InAspi32.sys [2007-5-9 8704]
R2 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2006-3-17 115952]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2006-3-17 1799408]
R2 TvWksSvc;TeleVantage Workstation Service;c:\program files\common files\vertical\wave\TvWksSvc.exe [2008-8-7 102400]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2012-5-3 106104]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20120502.005\naveng.sys [2012-5-3 86136]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20120502.005\navex15.sys [2012-5-3 1576312]
S2 PEVSystemStart;PEVSystemStart;"c:\combofix\pev.3xe" exec /i "c:\combofix\hidec.3xe" "c:\combofix\swreg.3xe" acl "hkey_local_machine\system\currentcontrolset\enum\root\legacy_beep" /reset /q --> c:\combofix\pev.3XE [?]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-3-28 253088]
S3 rcvpn;SonicWALL VPN Adapter;c:\windows\system32\drivers\rcvpn.sys [2009-1-9 24876]
.
=============== Created Last 30 ================
.
2012-05-03 13:41:46 -------- d-----w- c:\program files\ESET
2012-05-02 14:26:53 155648 ----a-w- c:\windows\system32\igfxres.dll
2012-05-02 14:09:59 86073 -c--a-w- c:\windows\system32\dllcache\voicesub.dll
2012-05-02 14:08:58 229439 -c--a-w- c:\windows\system32\dllcache\multibox.dll
2012-05-02 14:07:59 8704 -c--a-w- c:\windows\system32\dllcache\fxsperf.dll
2012-05-02 14:06:57 7168 -c--a-w- c:\windows\system32\dllcache\wamregps.dll
2012-05-02 14:04:51 -------- d-----w- c:\program files\Online Services
2012-05-02 14:04:41 16384 -c--a-w- c:\windows\system32\dllcache\isignup.exe
2012-05-02 14:04:41 16384 ----a-w- c:\program files\internet explorer\connection wizard\isignup.exe
2012-05-02 13:35:23 24661 -c--a-w- c:\windows\system32\dllcache\spxcoins.dll
2012-05-02 13:35:23 24661 ----a-w- c:\windows\system32\spxcoins.dll
2012-05-02 13:35:23 13312 -c--a-w- c:\windows\system32\dllcache\irclass.dll
2012-05-02 13:35:23 13312 ----a-w- c:\windows\system32\irclass.dll
2012-05-02 13:35:07 13753 ----a-r- c:\windows\SET52.tmp
2012-05-02 13:35:03 1086058 ----a-r- c:\windows\SET46.tmp
2012-05-02 13:35:00 1042903 ----a-r- c:\windows\SET43.tmp
2012-05-02 13:10:06 -------- d-----w- c:\program files\HitmanPro
2012-05-02 13:10:03 -------- d-----w- c:\documents and settings\all users\application data\HitmanPro
2012-05-01 18:55:23 -------- d-----w- C:\TDSSKiller_Quarantine
2012-05-01 17:09:50 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-05-01 15:55:34 -------- d-----w- C:\drivers
2012-05-01 14:17:17 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
2012-04-16 11:38:25 4126368 ----a-w- c:\windows\system32\FlashPlayerInstaller.exe
.
==================== Find3M ====================
.
2012-04-16 11:38:28 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-04-16 11:38:27 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
.
============= FINISH: 12:55:44.67 ===============



GMER


GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-05-03 14:12:59
Windows 5.1.2600 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 WDC_WD800JD-60LSA5 rev.10.01E03
Running: mgkb1y5h.exe; Driver: C:\DOCUME~1\ADMINI~1.ANG\LOCALS~1\Temp\pxldrpow.sys


---- System - GMER 1.0.15 ----

SSDT 8633AE78 ZwAlertResumeThread
SSDT 8624EE78 ZwAlertThread
SSDT 8652F2E0 ZwAllocateVirtualMemory
SSDT 8655C258 ZwConnectPort
SSDT 864B2BF8 ZwCreateMutant
SSDT 86269E88 ZwCreateThread
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xAA188CB0]
SSDT 8631AD80 ZwFreeVirtualMemory
SSDT 864CA960 ZwImpersonateAnonymousToken
SSDT 864D83A8 ZwImpersonateThread
SSDT 865552F0 ZwMapViewOfSection
SSDT 864C8A60 ZwOpenEvent
SSDT 862A0AF0 ZwOpenProcessToken
SSDT 86303D80 ZwOpenThreadToken
SSDT 86561C38 ZwQueryValueKey
SSDT 86388CF8 ZwResumeThread
SSDT 8654C508 ZwSetContextThread
SSDT 862EED80 ZwSetInformationProcess
SSDT 8630BE78 ZwSetInformationThread
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xAA188F10]
SSDT 864B1A68 ZwSuspendProcess
SSDT 864B4E78 ZwSuspendThread
SSDT 86313D80 ZwTerminateProcess
SSDT 8652F2A8 ZwTerminateThread
SSDT 86250D80 ZwUnmapViewOfSection
SSDT 8624EEB0 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

? C:\DOCUME~1\ADMINI~1.ANG\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\$NtUninstallKB12694$\2902660056 0 bytes
File C:\WINDOWS\$NtUninstallKB12694$\4068852499 0 bytes
File C:\WINDOWS\$NtUninstallKB12694$\4068852499\@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB12694$\4068852499\cfg.ini 163 bytes
File C:\WINDOWS\$NtUninstallKB12694$\4068852499\Desktop.ini 4608 bytes
File C:\WINDOWS\$NtUninstallKB12694$\4068852499\L 0 bytes
File C:\WINDOWS\$NtUninstallKB12694$\4068852499\L\lhnjixjf 75264 bytes
File C:\WINDOWS\$NtUninstallKB12694$\4068852499\U 0 bytes
File C:\WINDOWS\$NtUninstallKB12694$\4068852499\U\00000001.@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB12694$\4068852499\U\00000002.@ 224768 bytes
File C:\WINDOWS\$NtUninstallKB12694$\4068852499\U\00000004.@ 1024 bytes
File C:\WINDOWS\$NtUninstallKB12694$\4068852499\U\80000000.@ 66560 bytes
File C:\WINDOWS\$NtUninstallKB12694$\4068852499\U\80000004.@ 1024 bytes
File C:\WINDOWS\$NtUninstallKB12694$\4068852499\U\80000032.@ 115712 bytes
File C:\WINDOWS\$NtUninstallKB12694$\4068852499\version 1268 bytes

---- EOF - GMER 1.0.15 ----


#2 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto Rico
  • Local time:11:07 AM

Posted 03 May 2012 - 11:59 PM

Hello and Welcome to Bleeping Computer!!

My name is Gringo and I'll be glad to help you with your computer problems.

I have put together some things for you to keep in mind while I am helping you, to make things go easier and faster for both of us.

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the Watch Topic Button, select Immediate Notification, and click on Proceed. This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Back up any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

Security Check

  • Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.



Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only); if this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click Combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#3 Foooznatch

Posted 04 May 2012 - 09:53 AM

Thanks Gringo!

The background of this computer is it started with a browser redirect when searching with Google and Bing. The users then reported additional problems with the machine a few days after that problem. I went and used tools to clean the machine (I have a fairly in-depth IT background, but I'll be the first to admit I don't know as much as I think I do. ;) ). Malwarebytes found and cleaned the infection, and everything appeared to be fixed. A week later the infection returned, searches were redirected and then they started getting popups from fake AV scans. I can't remember all the different ones, but the latest was S.M.A.R.T. Check Data Recovery. I then also lost internet connections on this machine, and it also hid everything. Managed to get everything unhidden and restore connectivity. Then posted on the "Am I infected..." forum, and after trying their suggestions was forwarded here.

I also know this machine is out of date for updates, was going to be updating it soon, but this infection derailed that.
Windows XP SP2
IE 6
Java also needs updating

Machine currently appears to be clean, other than some of my start menu folders missing their shortcuts. But the last BC tech reported the machine still was not clean.

I'll have the logs for you ASAP, Security Check ran, and Combofix is going now, although it's been running for almost 2 hours now.

Thanks again!

#4 gringo_pr

Posted 04 May 2012 - 11:22 AM

ok see you then

Edited by gringo_pr, 04 May 2012 - 11:29 AM.


#5 Foooznatch

Posted 04 May 2012 - 11:43 AM

Ok so how long is Combofix supposed to take? We're at 4 hours now. It's still at the "..should take 10 minutes..." screen. No change.

Any suggestions?

#6 gringo_pr

Posted 04 May 2012 - 12:03 PM

Hello

Ok, let's try this: I want you to run Combofix in safe mode, but it is very important that when Combofix reboots the computer, you direct it back into safe mode so it can finish the scan.

Boot into Safe Mode

Reboot your computer in Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Log in on your usual account.

After Combofix has finished its scan, please post the report back here.

Gringo

#7 Foooznatch

Posted 04 May 2012 - 01:30 PM

Ok Combofix now running in safe mode. Will keep an eye on it.

In the meantime, here's the System Check log:


Results of screen317's Security Check version 0.99.32
Windows XP Service Pack 2 x86
Out of date service pack!!
Internet Explorer 6 Out of date!
``````````````````````````````
Antivirus/Firewall Check:

Windows Security Center service is not running! This report may not be accurate!
Windows Firewall Disabled!
ESET Online Scanner v3
Symantec AntiVirus
Antivirus up to date! (On Access scanning disabled!)
```````````````````````````````
Anti-malware/Other Utilities Check:

Java™ 6 Update 26
Java version out of date!
Adobe Reader 8 Adobe Reader out of date!
````````````````````````````````
Process Check:
objlist.exe by Laurent

Symantec AntiVirus DefWatch.exe
Symantec AntiVirus SavRoam.exe
Symantec AntiVirus Rtvscan.exe
``````````End of Log````````````

#8 Foooznatch

Posted 04 May 2012 - 02:54 PM

No change running in Safe Mode, still staying at the same screen. We're at 2.5 hours now. It seems like it's doing something, as I can hear the HD spinning up, and the activity light is staying constant. But it almost seems like it's hung up?

Not sure if I'm missing something, or if something is conflicting with it?

#9 gringo_pr

Posted 04 May 2012 - 04:11 PM

Greetings

Most likely the infection stopped CF, and I want you to run these next:

tdsskiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then click on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please download aswMBR to your desktop.
  • Double click the aswMBR.exe icon to run it
  • it will ask to download extra definitions - ALLOW IT
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

If you have any problems running either one come back and let me know

please reply with the reports from TDSSKiller and aswMBR

Gringo

#10 gringo_pr

Posted 06 May 2012 - 11:45 PM

Greetings


I have not heard from you in a couple of days so I am coming by to check on you to see if you are having problems or you just need some more time.

Also, to remind you that it is very important that we finish the process completely so as to not get reinfected. I will let you know when we are complete, and I will ask you to remove our tools.




Gringo

#11 Foooznatch

Posted 07 May 2012 - 08:32 AM

Sorry Gringo. This is a PC in my office, and I was away for the weekend. I actually let Combofix run in Safe Mode over the weekend, and it reached the Reboot stage. I rebooted the machine back into Safe Mode to complete the scan, and it appears to be doing that now. I'll keep an eye on it and update you as soon as possible!

Thanks again for all your help, and sorry for the delay.

#12 gringo_pr

Posted 07 May 2012 - 08:58 AM

No problem, I will check on you later.


gringo

#13 Foooznatch

Posted 08 May 2012 - 03:48 PM

Good news! Combofix finally finished, almost 48 hours after it rebooted. Below is the log. Ready for next steps.

Combofix Log:


ComboFix 12-05-03.03 - Administrator 05/08/2012 13:20:04.1.2 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1015.840 [GMT -4:00]
Running from: c:\documents and settings\ADMINISTRATOR.ANGELS\Desktop\Cleanup Tools\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\ADMINISTRATOR.ANGELS\Start Menu\Programs\System Check
c:\documents and settings\ADMINISTRATOR.ANGELS\Start Menu\Programs\System Check\System Check.lnk
c:\documents and settings\ADMINISTRATOR.ANGELS\Start Menu\Programs\System Check\Uninstall System Check.lnk
c:\documents and settings\All Users\Application Data\HPvdG0jW0RKxd5
c:\documents and settings\All Users\Application Data\U2n8ldvy9E5p0e
c:\windows\$NtUninstallKB12694$
c:\windows\$NtUninstallKB12694$\2902660056
c:\windows\$NtUninstallKB12694$\4068852499\@
c:\windows\$NtUninstallKB12694$\4068852499\cfg.ini
c:\windows\$NtUninstallKB12694$\4068852499\Desktop.ini
c:\windows\$NtUninstallKB12694$\4068852499\L\lhnjixjf
c:\windows\$NtUninstallKB12694$\4068852499\U\00000001.@
c:\windows\$NtUninstallKB12694$\4068852499\U\00000002.@
c:\windows\$NtUninstallKB12694$\4068852499\U\00000004.@
c:\windows\$NtUninstallKB12694$\4068852499\U\80000000.@
c:\windows\$NtUninstallKB12694$\4068852499\U\80000004.@
c:\windows\$NtUninstallKB12694$\4068852499\U\80000032.@
c:\windows\$NtUninstallKB12694$\4068852499\version
c:\windows\system32\dds_trash_log.cmd
c:\windows\system32\GroupPolicy\User\Scripts\scripts.ini
c:\windows\system32\zip32.dll
.
.
((((((((((((((((((((((((( Files Created from 2012-04-08 to 2012-05-08 )))))))))))))))))))))))))))))))
.
.
2012-05-03 13:41 . 2012-05-03 13:41 -------- d-----w- c:\program files\ESET
2012-05-02 14:26 . 2006-10-06 16:09 155648 ----a-w- c:\windows\system32\igfxres.dll
2012-05-02 14:09 . 2004-08-04 12:00 86073 -c--a-w- c:\windows\system32\dllcache\voicesub.dll
2012-05-02 14:08 . 2004-08-04 12:00 229439 -c--a-w- c:\windows\system32\dllcache\multibox.dll
2012-05-02 14:07 . 2004-08-04 12:00 8704 -c--a-w- c:\windows\system32\dllcache\fxsperf.dll
2012-05-02 14:06 . 2004-08-04 12:00 7168 -c--a-w- c:\windows\system32\dllcache\wamregps.dll
2012-05-02 14:04 . 2004-08-04 12:00 16384 -c--a-w- c:\windows\system32\dllcache\isignup.exe
2012-05-02 14:04 . 2004-08-04 12:00 16384 ----a-w- c:\program files\Internet Explorer\Connection Wizard\isignup.exe
2012-05-02 13:10 . 2012-05-02 13:10 -------- d-----w- c:\program files\HitmanPro
2012-05-02 13:10 . 2012-05-02 13:10 -------- d-----w- c:\documents and settings\All Users\Application Data\HitmanPro
2012-05-01 18:55 . 2012-05-01 18:55 -------- d-----w- C:\TDSSKiller_Quarantine
2012-05-01 17:09 . 2012-04-04 19:56 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-05-01 15:55 . 2012-05-01 15:55 -------- d-----w- C:\drivers
2012-04-16 11:38 . 2012-05-08 17:35 4126880 ----a-w- c:\windows\system32\FlashPlayerInstaller.exe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-05-08 17:35 . 2012-03-28 19:13 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-05-08 17:35 . 2011-06-03 18:02 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-03-28 15:30 . 2012-03-28 15:30 388096 ----a-r- c:\documents and settings\Sphillion\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2004-08-04 143360]
"FtLnSOP_setup"="c:\windows\Twain_32\Fjscan32\SOP\FtLnSOP.exe" [2005-01-06 212992]
"FJTWAIN Setup"="c:\windows\Twain_32\fjscan32\FjtwSetup.exe" [2004-09-01 126976]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 483328]
"WinVNC"="c:\program files\TightVNC\WinVNC.exe" [2009-03-05 585728]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-03-07 53408]
"ConnectionCenter"="c:\program files\Citrix\ICA Client\concentr.exe" [2010-03-11 300400]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2011-08-31 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-10-06 98304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-10-06 114688]
"Persistence"="c:\windows\system32\igfxpers.exe" [2006-10-06 94208]
"RTHDCPL"="RTHDCPL.EXE" [2006-10-11 16267776]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"LogonType"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoMSAppLogo5ChannelNotify"= 1 (0x1)
"NoWelcomeScreen"= 1 (0x1)
"NoPublishingWizard"= 1 (0x1)
"NoWebServices"= 1 (0x1)
"NoOnlinePrintsWizard"= 1 (0x1)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoChangeAnimation"= 1 (0x1)
"NoChangeKeyboardNavigationIndicators"= 1 (0x1)
"NoThumbnailCache"= 1 (0x1)
"NoStartMenuSubFolders"= 1 (0x1)
"NoSMMyDocs"= 1 (0x1)
"NoFavoritesMenu"= 1 (0x1)
"NoSMMyPictures"= 1 (0x1)
"NoStartMenuMyMusic"= 1 (0x1)
"NoStartMenuNetworkPlaces"= 1 (0x1)
"ForceStartMenuLogOff"= 1 (0x1)
"NoTaskGrouping"= 1 (0x1)
"NoSimpleStartMenu"= 1 (0x1)
"NoSMBalloonTip"= 1 (0x1)
"NoStartMenuEjectPC"= 1 (0x1)
"NoWelcomeScreen"= 1 (0x1)
"NoAutoUpdate"= 0 (0x0)
"NoPublishingWizard"= 1 (0x1)
"NoWebServices"= 1 (0x1)
"NoOnlinePrintsWizard"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1200536926-958972923-1830762632-1118\Scripts\Logon\0\0]
"Script"=C:\MAPSCAN.BAT
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1200536926-958972923-1830762632-1118\Scripts\Logon\1\0]
"Script"=STANDARD.BAT
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1200536926-958972923-1830762632-1119\Scripts\Logon\0\0]
"Script"=C:\MAPSCAN.BAT
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1200536926-958972923-1830762632-1119\Scripts\Logon\1\0]
"Script"=STANDARD.BAT
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1200536926-958972923-1830762632-1120\Scripts\Logon\0\0]
"Script"=C:\MAPSCAN.BAT
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1200536926-958972923-1830762632-1120\Scripts\Logon\1\0]
"Script"=STANDARD.BAT
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1200536926-958972923-1830762632-1123\Scripts\Logon\0\0]
"Script"=C:\MAPSCAN.BAT
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1200536926-958972923-1830762632-1123\Scripts\Logon\1\0]
"Script"=STANDARD.BAT
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1200536926-958972923-1830762632-1126\Scripts\Logon\0\0]
"Script"=C:\MAPSCAN.BAT
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1200536926-958972923-1830762632-1126\Scripts\Logon\1\0]
"Script"=STANDARD.BAT
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1200536926-958972923-1830762632-1127\Scripts\Logon\0\0]
"Script"=C:\MAPSCAN.BAT
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1200536926-958972923-1830762632-1127\Scripts\Logon\1\0]
"Script"=STANDARD.BAT
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1200536926-958972923-1830762632-1128\Scripts\Logon\0\0]
"Script"=C:\MAPSCAN.BAT
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1200536926-958972923-1830762632-1128\Scripts\Logon\1\0]
"Script"=STANDARD.BAT
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1200536926-958972923-1830762632-1132\Scripts\Logon\0\0]
"Script"=C:\MAPSCAN.BAT
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1200536926-958972923-1830762632-1132\Scripts\Logon\1\0]
"Script"=STANDARD.BAT
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1200536926-958972923-1830762632-1133\Scripts\Logon\0\0]
"Script"=C:\MAPSCAN.BAT
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1200536926-958972923-1830762632-1133\Scripts\Logon\1\0]
"Script"=STANDARD.BAT
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1200536926-958972923-1830762632-1139\Scripts\Logon\0\0]
"Script"=C:\MAPSCAN.BAT
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1200536926-958972923-1830762632-1139\Scripts\Logon\1\0]
"Script"=STANDARD.BAT
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1200536926-958972923-1830762632-1141\Scripts\Logon\0\0]
"Script"=C:\MAPSCAN.BAT
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1200536926-958972923-1830762632-1141\Scripts\Logon\1\0]
"Script"=STANDARD.BAT
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1200536926-958972923-1830762632-1142\Scripts\Logon\0\0]
"Script"=C:\MAPSCAN.BAT
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1200536926-958972923-1830762632-1142\Scripts\Logon\1\0]
"Script"=STANDARD.BAT
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1200536926-958972923-1830762632-1179\Scripts\Logon\0\0]
"Script"=C:\MAPSCAN.BAT
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1200536926-958972923-1830762632-1179\Scripts\Logon\1\0]
"Script"=STANDARD.BAT
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1200536926-958972923-1830762632-1223\Scripts\Logon\0\0]
"Script"=C:\MAPSCAN.BAT
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1200536926-958972923-1830762632-1223\Scripts\Logon\1\0]
"Script"=STANDARD.BAT
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1200536926-958972923-1830762632-1224\Scripts\Logon\0\0]
"Script"=C:\MAPSCAN.BAT
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1200536926-958972923-1830762632-1224\Scripts\Logon\1\0]
"Script"=STANDARD.BAT
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1200536926-958972923-1830762632-1232\Scripts\Logon\0\0]
"Script"=C:\MAPSCAN.BAT
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1200536926-958972923-1830762632-1232\Scripts\Logon\1\0]
"Script"=STANDARD.BAT
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1200536926-958972923-1830762632-1237\Scripts\Logon\0\0]
"Script"=C:\MAPSCAN.BAT
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1200536926-958972923-1830762632-1237\Scripts\Logon\1\0]
"Script"=STANDARD.BAT
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1200536926-958972923-1830762632-1242\Scripts\Logon\0\0]
"Script"=C:\MAPSCAN.BAT
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1200536926-958972923-1830762632-1242\Scripts\Logon\1\0]
"Script"=STANDARD.BAT
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1200536926-958972923-1830762632-1245\Scripts\Logon\0\0]
"Script"=C:\MAPSCAN.BAT
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1200536926-958972923-1830762632-1245\Scripts\Logon\1\0]
"Script"=STANDARD.BAT
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1200536926-958972923-1830762632-1247\Scripts\Logon\0\0]
"Script"=C:\MAPSCAN.BAT
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1200536926-958972923-1830762632-1247\Scripts\Logon\1\0]
"Script"=STANDARD.BAT
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1200536926-958972923-1830762632-1258\Scripts\Logon\0\0]
"Script"=C:\MAPSCAN.BAT
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1200536926-958972923-1830762632-1258\Scripts\Logon\1\0]
"Script"=STANDARD.BAT
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1200536926-958972923-1830762632-1261\Scripts\Logon\0\0]
"Script"=C:\MAPSCAN.BAT
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1200536926-958972923-1830762632-1261\Scripts\Logon\1\0]
"Script"=STANDARD.BAT
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1200536926-958972923-1830762632-1262\Scripts\Logon\0\0]
"Script"=C:\MAPSCAN.BAT
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1200536926-958972923-1830762632-1262\Scripts\Logon\1\0]
"Script"=STANDARD.BAT
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1200536926-958972923-1830762632-1266\Scripts\Logon\0\0]
"Script"=C:\MAPSCAN.BAT
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1200536926-958972923-1830762632-1266\Scripts\Logon\1\0]
"Script"=STANDARD.BAT
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1200536926-958972923-1830762632-1268\Scripts\Logon\0\0]
"Script"=C:\MAPSCAN.BAT
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1200536926-958972923-1830762632-1268\Scripts\Logon\1\0]
"Script"=STANDARD.BAT
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1200536926-958972923-1830762632-1289\Scripts\Logon\0\0]
"Script"=C:\MAPSCAN.BAT
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1200536926-958972923-1830762632-1289\Scripts\Logon\1\0]
"Script"=STANDARD.BAT
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1200536926-958972923-1830762632-1291\Scripts\Logon\0\0]
"Script"=C:\MAPSCAN.BAT
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1200536926-958972923-1830762632-1291\Scripts\Logon\1\0]
"Script"=STANDARD.BAT
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1200536926-958972923-1830762632-1299\Scripts\Logon\0\0]
"Script"=C:\MAPSCAN.BAT
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1200536926-958972923-1830762632-1299\Scripts\Logon\1\0]
"Script"=STANDARD.BAT
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1200536926-958972923-1830762632-1302\Scripts\Logon\0\0]
"Script"=C:\MAPSCAN.BAT
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1200536926-958972923-1830762632-1302\Scripts\Logon\1\0]
"Script"=STANDARD.BAT
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1200536926-958972923-1830762632-1303\Scripts\Logon\0\0]
"Script"=C:\MAPSCAN.BAT
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1200536926-958972923-1830762632-1303\Scripts\Logon\1\0]
"Script"=STANDARD.BAT
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1200536926-958972923-1830762632-1304\Scripts\Logon\0\0]
"Script"=C:\MAPSCAN.BAT
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1200536926-958972923-1830762632-1304\Scripts\Logon\1\0]
"Script"=STANDARD.BAT
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1200536926-958972923-1830762632-1308\Scripts\Logon\0\0]
"Script"=C:\MAPSCAN.BAT
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1200536926-958972923-1830762632-1308\Scripts\Logon\1\0]
"Script"=STANDARD.BAT
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1200536926-958972923-1830762632-1309\Scripts\Logon\0\0]
"Script"=C:\MAPSCAN.BAT
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1200536926-958972923-1830762632-1309\Scripts\Logon\1\0]
"Script"=STANDARD.BAT
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1200536926-958972923-1830762632-1314\Scripts\Logon\0\0]
"Script"=C:\MAPSCAN.BAT
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1200536926-958972923-1830762632-1314\Scripts\Logon\1\0]
"Script"=STANDARD.BAT
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1200536926-958972923-1830762632-1317\Scripts\Logon\0\0]
"Script"=C:\MAPSCAN.BAT
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1200536926-958972923-1830762632-1317\Scripts\Logon\1\0]
"Script"=STANDARD.BAT
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1200536926-958972923-1830762632-1318\Scripts\Logon\0\0]
"Script"=C:\MAPSCAN.BAT
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1200536926-958972923-1830762632-1318\Scripts\Logon\1\0]
"Script"=STANDARD.BAT
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1200536926-958972923-1830762632-1319\Scripts\Logon\0\0]
"Script"=C:\MAPSCAN.BAT
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1200536926-958972923-1830762632-1319\Scripts\Logon\1\0]
"Script"=STANDARD.BAT
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1200536926-958972923-1830762632-1323\Scripts\Logon\0\0]
"Script"=C:\MAPSCAN.BAT
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1200536926-958972923-1830762632-1323\Scripts\Logon\1\0]
"Script"=STANDARD.BAT
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1200536926-958972923-1830762632-1332\Scripts\Logon\0\0]
"Script"=C:\MAPSCAN.BAT
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1200536926-958972923-1830762632-1332\Scripts\Logon\1\0]
"Script"=STANDARD.BAT
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1200536926-958972923-1830762632-1333\Scripts\Logon\0\0]
"Script"=C:\MAPSCAN.BAT
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1200536926-958972923-1830762632-1333\Scripts\Logon\1\0]
"Script"=STANDARD.BAT
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1200536926-958972923-1830762632-500\Scripts\Logon\0\0]
"Script"=C:\MAPSCAN.BAT
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vptray]
2006-03-17 10:34 124656 ----a-w- c:\progra~1\SYMANT~1\VPTray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [10/5/2009 10:08 AM 65584]
R1 RCFOX;SonicWALL IPsec Driver;c:\windows\system32\drivers\RCFOX.SYS [1/9/2009 11:51 AM 86552]
R2 AutoReceive;AutoReceive;c:\program files\AutoReceive\wrapper.exe [2/11/2008 2:20 PM 245248]
R2 InAspi32;InAspi32;c:\windows\system32\drivers\InAspi32.sys [5/9/2007 1:23 PM 8704]
R2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [3/17/2006 6:34 AM 115952]
R2 TvWksSvc;TeleVantage Workstation Service;c:\program files\Common Files\Vertical\Wave\TvWksSvc.exe [8/7/2008 1:46 AM 102400]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [5/3/2012 10:03 AM 106104]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [3/28/2012 3:13 PM 257696]
S3 rcvpn;SonicWALL VPN Adapter;c:\windows\system32\drivers\rcvpn.sys [1/9/2009 11:51 AM 24876]
.
Contents of the 'Scheduled Tasks' folder
.
2012-05-08 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-28 17:35]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
Trusted Zone: care360.com
Trusted Zone: questdiagnostics.com
TCP: DhcpNameServer = 192.168.0.1
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {062D23D1-62F1-4DAD-9201-A5C7249FE5BA} - hxxp://pmserver/centricitypm/Install/CPOPM04GoldClient712/CPOPM04GoldClient712.cab
DPF: {15772FF0-B907-4D98-B770-0000B63DB314} - hxxps://cas2.questdiagnostics.com/EREQ_SSLcabs/VBPrinter.CAB
DPF: {15D73F88-277E-42EC-BE97-C64E1C6A18D9} - hxxp://pmserver/centricitypm/Install/CPOPM04Client/CPOPM04Client.cab
DPF: {16B2BACC-F445-49B2-ABB0-671C5CBE8CE0} - hxxps://cas2.questdiagnostics.com/EREQ_SSLcabs/ComboBridgeControl.CAB
DPF: {473372A0-AF4A-4B99-B346-A7327B718981} - hxxp://pmserver/centricitypm/Install/CPOPM04GoldClient711_2/CPOPM04GoldClient711_2.cab
DPF: {69D1E588-02F8-4C00-B311-5C581402C247} - hxxps://cas2.questdiagnostics.com/EREQ_SSLcabs/DGXDPCtr.cab
DPF: {756BEC7B-ADF4-4931-A519-B513B32CFC1B} - hxxps://cas2.questdiagnostics.com/EREQ_SSLcabs/LabelControl.CAB
DPF: {79C259BD-8024-4992-B445-2C52D3449214} - hxxps://cas2.questdiagnostics.com/EREQ_SSLcabs/C360Upgrader.CAB
DPF: {DD82DF40-5377-44E2-AED3-8CB6D1AF42E2} - hxxp://pmserver/centricitypm/Install/MAMedicaid04/MAMedicaid04.cab
DPF: {E5855096-43F4-47CF-8723-BAFC1759AFDC} - hxxp://pmserver/centricitypm/Install/CPOPM04GoldClient710/CPOPM04GoldClient710.cab
DPF: {F839F0A1-4D68-472A-BBB8-08FA530581CF} - hxxp://pmserver/centricitypm/Install/MBCINSTaller70.dll
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-LiveUpdate - c:\program files\Symantec\LiveUpdate\LSETUP.EXE
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-05-08 15:08
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\AutoReceive\jre160_00\bin\java.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Citrix\ICA Client\wfcrun32.exe
c:\program files\Adobe\Acrobat 7.0\Distillr\AcroDist.exe
c:\windows\RTHDCPL.EXE
.
**************************************************************************
.
Completion time: 2012-05-08 15:12:54 - machine was rebooted
ComboFix-quarantined-files.txt 2012-05-08 19:12
.
Pre-Run: 65,166,389,248 bytes free
Post-Run: 67,144,409,088 bytes free
.
- - End Of File - - B1A63A9F9CC74826868BBD7898E5F23E

#14 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender: Male
  • Location: Puerto Rico
  • Local time:11:07 AM

Posted 08 May 2012 - 08:57 PM

Greetings

I want you to run these next,

TDSSKiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then click on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please download aswMBR to your desktop.
  • Double-click the aswMBR.exe icon to run it.
  • It will ask to download extra definitions - ALLOW IT.
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

If you have any problems running either one, come back and let me know.

Please reply with the reports from TDSSKiller and aswMBR.

Gringo

#15 Foooznatch

Foooznatch
  • Topic Starter

  • Members
  • 21 posts
  • Local time:10:07 AM

Posted 09 May 2012 - 08:59 AM

Alright. Scans completed, and results are below:

TDSSKiller:

09:37:11.0511 1984 TDSS rootkit removing tool 2.7.34.0 May 2 2012 09:59:18
09:37:11.0807 1984 ============================================================
09:37:11.0807 1984 Current date / time: 2012/05/09 09:37:11.0807
09:37:11.0807 1984 SystemInfo:
09:37:11.0807 1984
09:37:11.0807 1984 OS Version: 5.1.2600 ServicePack: 2.0
09:37:11.0807 1984 Product type: Workstation
09:37:11.0807 1984 ComputerName: MAEHC0027
09:37:11.0807 1984 UserName: Administrator
09:37:11.0807 1984 Windows directory: C:\WINDOWS
09:37:11.0807 1984 System windows directory: C:\WINDOWS
09:37:11.0807 1984 Processor architecture: Intel x86
09:37:11.0807 1984 Number of processors: 2
09:37:11.0807 1984 Page size: 0x1000
09:37:11.0807 1984 Boot type: Normal boot
09:37:11.0807 1984 ============================================================
09:37:13.0738 1984 Drive \Device\Harddisk0\DR0 - Size: 0x12A1F16000 (74.53 Gb), SectorSize: 0x200, Cylinders: 0x2601, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
09:37:13.0738 1984 ============================================================
09:37:13.0738 1984 \Device\Harddisk0\DR0:
09:37:13.0738 1984 MBR partitions:
09:37:13.0738 1984 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x950E482
09:37:13.0738 1984 ============================================================
09:37:13.0754 1984 C: <-> \Device\Harddisk0\DR0\Partition0
09:37:13.0754 1984 ============================================================
09:37:13.0754 1984 Initialize success
09:37:13.0754 1984 ============================================================
09:37:41.0512 2452 ============================================================
09:37:41.0512 2452 Scan started
09:37:41.0512 2452 Mode: Manual;
09:37:41.0512 2452 ============================================================
09:37:41.0668 2452 Abiosdsk - ok
09:37:41.0668 2452 abp480n5 - ok
09:37:41.0699 2452 ACPI (a10c7534f7223f4a73a948967d00e69b) C:\WINDOWS\system32\DRIVERS\ACPI.sys
09:37:41.0715 2452 ACPI - ok
09:37:41.0730 2452 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
09:37:41.0730 2452 ACPIEC - ok
09:37:41.0793 2452 AdobeFlashPlayerUpdateSvc (76d5a3d2a50402a0b9b6ed13c4371e79) C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
09:37:41.0793 2452 AdobeFlashPlayerUpdateSvc - ok
09:37:41.0808 2452 adpu160m - ok
09:37:41.0824 2452 aeaudio (3cb6ae5435987b1f8c83fd2730479878) C:\WINDOWS\system32\drivers\aeaudio.sys
09:37:41.0840 2452 aeaudio - ok
09:37:41.0902 2452 aec (841f385c6cfaf66b58fbd898722bb4f0) C:\WINDOWS\system32\drivers\aec.sys
09:37:41.0902 2452 aec - ok
09:37:41.0933 2452 AFD (5ac495f4cb807b2b98ad2ad591e6d92e) C:\WINDOWS\System32\drivers\afd.sys
09:37:41.0949 2452 AFD - ok
09:37:41.0949 2452 Aha154x - ok
09:37:41.0949 2452 aic78u2 - ok
09:37:41.0964 2452 aic78xx - ok
09:37:41.0980 2452 Alerter (c7ae0fd3867db0d42b03b73c18f3d671) C:\WINDOWS\system32\alrsvc.dll
09:37:41.0995 2452 Alerter - ok
09:37:42.0011 2452 ALG (f1958fbf86d5c004cf19a5951a9514b7) C:\WINDOWS\System32\alg.exe
09:37:42.0011 2452 ALG - ok
09:37:42.0011 2452 AliIde - ok
09:37:42.0026 2452 amsint - ok
09:37:42.0073 2452 AppMgmt (9c3c12975c97119412802b181fbeeffe) C:\WINDOWS\System32\appmgmts.dll
09:37:42.0073 2452 AppMgmt - ok
09:37:42.0073 2452 asc - ok
09:37:42.0073 2452 asc3350p - ok
09:37:42.0089 2452 asc3550 - ok
09:37:42.0276 2452 aspnet_state (0e5e4957549056e2bf2c49f4f6b601ad) C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
09:37:42.0322 2452 aspnet_state - ok
09:37:42.0338 2452 AsyncMac (02000abf34af4c218c35d257024807d6) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
09:37:42.0338 2452 AsyncMac - ok
09:37:42.0369 2452 atapi (cdfe4411a69c224bd1d11b2da92dac51) C:\WINDOWS\system32\DRIVERS\atapi.sys
09:37:42.0369 2452 atapi - ok
09:37:42.0369 2452 Atdisk - ok
09:37:42.0416 2452 Atmarpc (ec88da854ab7d7752ec8be11a741bb7f) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
09:37:42.0416 2452 Atmarpc - ok
09:37:42.0463 2452 AudioSrv (db66db626e4882ebef55f136f12c1829) C:\WINDOWS\System32\audiosrv.dll
09:37:42.0463 2452 AudioSrv - ok
09:37:42.0494 2452 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
09:37:42.0509 2452 audstub - ok
09:37:42.0603 2452 AutoReceive (c5857bb6f31464037b80605fb2901baa) C:\Program Files\AutoReceive\wrapper.exe
09:37:42.0603 2452 AutoReceive - ok
09:37:42.0634 2452 b57w2k (5175e788bcd1cb7345ab21f3e14369d2) C:\WINDOWS\system32\DRIVERS\b57xp32.sys
09:37:42.0634 2452 b57w2k - ok
09:37:42.0665 2452 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
09:37:42.0665 2452 Beep - ok
09:37:42.0727 2452 BITS (2c69ec7e5a311334d10dd95f338fccea) C:\WINDOWS\system32\qmgr.dll
09:37:42.0727 2452 BITS - ok
09:37:42.0759 2452 Browser (e3cfccdda4edd1d0dc9168b2e18f27b8) C:\WINDOWS\System32\browser.dll
09:37:42.0759 2452 Browser - ok
09:37:42.0774 2452 catchme - ok
09:37:42.0805 2452 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
09:37:42.0805 2452 cbidf2k - ok
09:37:42.0852 2452 ccEvtMgr (c5f0c1fff968e9d143f62075cbd8ed60) C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
09:37:42.0852 2452 ccEvtMgr - ok
09:37:42.0868 2452 ccSetMgr (324318bd026aa58e3ea8c23647ade1c3) C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
09:37:42.0868 2452 ccSetMgr - ok
09:37:42.0883 2452 cd20xrnt - ok
09:37:42.0914 2452 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
09:37:42.0914 2452 Cdaudio - ok
09:37:42.0946 2452 Cdfs (cd7d5152df32b47f4e36f710b35aae02) C:\WINDOWS\system32\drivers\Cdfs.sys
09:37:42.0946 2452 Cdfs - ok
09:37:42.0977 2452 Cdrom (af9c19b3100fe010496b1a27181fbf72) C:\WINDOWS\system32\DRIVERS\cdrom.sys
09:37:42.0992 2452 Cdrom - ok
09:37:43.0023 2452 cercsr6 (84853b3fd012251690570e9e7e43343f) C:\WINDOWS\system32\drivers\cercsr6.sys
09:37:43.0039 2452 cercsr6 - ok
09:37:43.0039 2452 Changer - ok
09:37:43.0055 2452 CiSvc (3192bd04d032a9c4a85a3278c268a13a) C:\WINDOWS\system32\cisvc.exe
09:37:43.0070 2452 CiSvc - ok
09:37:43.0086 2452 ClipSrv (c8dec22c4137d7a90f8bdf41ca4b82ae) C:\WINDOWS\system32\clipsrv.exe
09:37:43.0101 2452 ClipSrv - ok
09:37:43.0288 2452 clr_optimization_v2.0.50727_32 (d87acaed61e417bba546ced5e7e36d9c) C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
09:37:43.0319 2452 clr_optimization_v2.0.50727_32 - ok
09:37:43.0335 2452 CmdIde - ok
09:37:43.0335 2452 COMSysApp - ok
09:37:43.0335 2452 Cpqarray - ok
09:37:43.0366 2452 CryptSvc (10654f9ddcea9c46cfb77554231be73b) C:\WINDOWS\System32\cryptsvc.dll
09:37:43.0366 2452 CryptSvc - ok
09:37:43.0397 2452 ctxusbm (cb6ff7012bb5d59d7c12350db795ce1f) C:\WINDOWS\system32\DRIVERS\ctxusbm.sys
09:37:43.0397 2452 ctxusbm - ok
09:37:43.0413 2452 dac2w2k - ok
09:37:43.0413 2452 dac960nt - ok
09:37:43.0460 2452 DcomLaunch (5c83a4408604f737717ab96371201680) C:\WINDOWS\system32\rpcss.dll
09:37:43.0475 2452 DcomLaunch - ok
09:37:43.0537 2452 DefWatch (6a0a8fe766943de793e6f03f4fe882dd) C:\Program Files\Symantec AntiVirus\DefWatch.exe
09:37:43.0537 2452 DefWatch - ok
09:37:43.0569 2452 Dhcp (cb6ca3e5261d65f6f809eed23bf167aa) C:\WINDOWS\System32\dhcpcsvc.dll
09:37:43.0569 2452 Dhcp - ok
09:37:43.0600 2452 Disk (00ca44e4534865f8a3b64f7c0984bff0) C:\WINDOWS\system32\DRIVERS\disk.sys
09:37:43.0600 2452 Disk - ok
09:37:43.0600 2452 dmadmin - ok
09:37:43.0693 2452 dmboot (c0fbb516e06e243f0cf31f597e7ebf7d) C:\WINDOWS\system32\drivers\dmboot.sys
09:37:43.0709 2452 dmboot - ok
09:37:43.0740 2452 dmio (f5e7b358a732d09f4bcf2824b88b9e28) C:\WINDOWS\system32\DRIVERS\dmio.sys
09:37:43.0740 2452 dmio - ok
09:37:43.0740 2452 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
09:37:43.0740 2452 dmload - ok
09:37:43.0771 2452 dmserver (1639d9964c9e1b2ecca95c8217d3e70d) C:\WINDOWS\System32\dmserver.dll
09:37:43.0787 2452 dmserver - ok
09:37:43.0802 2452 DMusic (a6f881284ac1150e37d9ae47ff601267) C:\WINDOWS\system32\drivers\DMusic.sys
09:37:43.0802 2452 DMusic - ok
09:37:43.0833 2452 DNE (7efbafdec4f543d43296bdbdf912bdd4) C:\WINDOWS\system32\DRIVERS\dne2000.sys
09:37:43.0849 2452 DNE - ok
09:37:43.0880 2452 Dnscache (7379de06fd196e396a00aa97b990c00d) C:\WINDOWS\System32\dnsrslvr.dll
09:37:43.0896 2452 Dnscache - ok
09:37:43.0911 2452 Dot3svc (0f0f6e687e5e15579ef4da8dd6945814) C:\WINDOWS\System32\dot3svc.dll
09:37:43.0927 2452 Dot3svc - ok
09:37:43.0927 2452 dpti2o - ok
09:37:43.0958 2452 drmkaud (1ed4dbbae9f5d558dbba4cc450e3eb2e) C:\WINDOWS\system32\drivers\drmkaud.sys
09:37:43.0958 2452 drmkaud - ok
09:37:43.0974 2452 EapHost (2187855a7703adef0cef9ee4285182cc) C:\WINDOWS\System32\eapsvc.dll
09:37:43.0974 2452 EapHost - ok
09:37:44.0052 2452 eeCtrl (579a6b6135d32b857faf0e3a974535d8) C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
09:37:44.0098 2452 eeCtrl - ok
09:37:44.0114 2452 EraserUtilRebootDrv (028d50f059bd0d2ccb209e9011b9a9a4) C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
09:37:44.0129 2452 EraserUtilRebootDrv - ok
09:37:44.0161 2452 ERSvc (67dff7bbbd0e80aab7b3cf061448db8a) C:\WINDOWS\System32\ersvc.dll
09:37:44.0161 2452 ERSvc - ok
09:37:44.0192 2452 Eventlog (c6ce6eec82f187615d1002bb3bb50ed4) C:\WINDOWS\system32\services.exe
09:37:44.0207 2452 Eventlog - ok
09:37:44.0238 2452 EventSystem (acd36a2dd7d1e9d8a060aa651dc07e63) C:\WINDOWS\system32\es.dll
09:37:44.0238 2452 EventSystem - ok
09:37:44.0301 2452 Fastfat (3117f595e9615e04f05a54fc15a03b20) C:\WINDOWS\system32\drivers\Fastfat.sys
09:37:44.0301 2452 Fastfat - ok
09:37:44.0347 2452 FastUserSwitchingCompatibility (e7518dc542d3ebdcb80edd98462c7821) C:\WINDOWS\System32\shsvcs.dll
09:37:44.0347 2452 FastUserSwitchingCompatibility - ok
09:37:44.0379 2452 Fdc (ced2e8396a8838e59d8fd529c680e02c) C:\WINDOWS\system32\DRIVERS\fdc.sys
09:37:44.0379 2452 Fdc - ok
09:37:44.0394 2452 Fips (e153ab8a11de5452bcf5ac7652dbf3ed) C:\WINDOWS\system32\drivers\Fips.sys
09:37:44.0410 2452 Fips - ok
09:37:44.0425 2452 Flpydisk (0dd1de43115b93f4d85e889d7a86f548) C:\WINDOWS\system32\drivers\Flpydisk.sys
09:37:44.0441 2452 Flpydisk - ok
09:37:44.0472 2452 FltMgr (157754f0df355a9e0a6f54721914f9c6) C:\WINDOWS\system32\drivers\fltmgr.sys
09:37:44.0472 2452 FltMgr - ok
09:37:44.0566 2452 FontCache3.0.0.0 (8ba7c024070f2b7fdd98ed8a4ba41789) c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
09:37:44.0566 2452 FontCache3.0.0.0 - ok
09:37:44.0597 2452 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
09:37:44.0612 2452 Fs_Rec - ok
09:37:44.0628 2452 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
09:37:44.0628 2452 Ftdisk - ok
09:37:44.0628 2452 Gpc (c0f1d4a21de5a415df8170616703debf) C:\WINDOWS\system32\DRIVERS\msgpc.sys
09:37:44.0643 2452 Gpc - ok
09:37:44.0643 2452 hclinetd - ok
09:37:44.0659 2452 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
09:37:44.0675 2452 HDAudBus - ok
09:37:44.0737 2452 helpsvc (8827911a8c37e40c027cbfc88e69d967) C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll
09:37:44.0737 2452 helpsvc - ok
09:37:44.0737 2452 HidServ - ok
09:37:44.0768 2452 HidUsb (1de6783b918f540149aa69943bdfeba8) C:\WINDOWS\system32\DRIVERS\hidusb.sys
09:37:44.0768 2452 HidUsb - ok
09:37:44.0799 2452 hkmsvc (8878bd685e490239777bfe51320b88e9) C:\WINDOWS\System32\kmsvc.dll
09:37:44.0799 2452 hkmsvc - ok
09:37:44.0815 2452 hpn - ok
09:37:44.0846 2452 HTTP (c19b522a9ae0bbc3293397f3055e80a1) C:\WINDOWS\system32\Drivers\HTTP.sys
09:37:44.0846 2452 HTTP - ok
09:37:44.0877 2452 HTTPFilter (064d8581adf77c25133e7d751d917d83) C:\WINDOWS\System32\w3ssl.dll
09:37:44.0893 2452 HTTPFilter - ok
09:37:44.0893 2452 i2omgmt - ok
09:37:44.0908 2452 i2omp - ok
09:37:44.0908 2452 i8042prt (5502b58eef7486ee6f93f3f164dcb808) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
09:37:44.0924 2452 i8042prt - ok
09:37:44.0971 2452 ialm (6fcb904910da07c9dc2593d66438fa29) C:\WINDOWS\system32\DRIVERS\igxpmp32.sys
09:37:45.0033 2452 ialm - ok
09:37:45.0173 2452 idsvc (c01ac32dc5c03076cfb852cb5da5229c) c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
09:37:45.0282 2452 idsvc - ok
09:37:45.0360 2452 Imapi (f8aa320c6a0409c0380e5d8a99d76ec6) C:\WINDOWS\system32\DRIVERS\imapi.sys
09:37:45.0376 2452 Imapi - ok
09:37:45.0422 2452 ImapiService (fa788520bcac0f5d9d5cde5615c0d931) C:\WINDOWS\system32\imapi.exe
09:37:45.0438 2452 ImapiService - ok
09:37:45.0453 2452 InAspi32 (35738fd20716cfcc5cb104f76ee48e80) C:\WINDOWS\system32\drivers\InAspi32.sys
09:37:45.0469 2452 InAspi32 - ok
09:37:45.0469 2452 ini910u - ok
09:37:45.0656 2452 IntcAzAudAddService (6d6b57808c923a4d79cc8f47307753c9) C:\WINDOWS\system32\drivers\RtkHDAud.sys
09:37:45.0781 2452 IntcAzAudAddService - ok
09:37:45.0827 2452 IntelIde - ok
09:37:45.0858 2452 intelppm (279fb78702454dff2bb445f238c048d2) C:\WINDOWS\system32\DRIVERS\intelppm.sys
09:37:45.0874 2452 intelppm - ok
09:37:45.0890 2452 ip6fw (4448006b6bc60e6c027932cfc38d6855) C:\WINDOWS\system32\drivers\ip6fw.sys
09:37:45.0890 2452 ip6fw - ok
09:37:45.0936 2452 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
09:37:45.0936 2452 IpFilterDriver - ok
09:37:45.0968 2452 IpInIp (e1ec7f5da720b640cd8fb8424f1b14bb) C:\WINDOWS\system32\DRIVERS\ipinip.sys
09:37:45.0983 2452 IpInIp - ok
09:37:46.0014 2452 IpNat (b5a8e215ac29d24d60b4d1250ef05ace) C:\WINDOWS\system32\DRIVERS\ipnat.sys
09:37:46.0030 2452 IpNat - ok
09:37:46.0030 2452 IPSec (64537aa5c003a6afeee1df819062d0d1) C:\WINDOWS\system32\DRIVERS\ipsec.sys
09:37:46.0030 2452 IPSec - ok
09:37:46.0061 2452 IRENUM (50708daa1b1cbb7d6ac1cf8f56a24410) C:\WINDOWS\system32\DRIVERS\irenum.sys
09:37:46.0061 2452 IRENUM - ok
09:37:46.0108 2452 isapnp (e504f706ccb699c2596e9a3da1596e87) C:\WINDOWS\system32\DRIVERS\isapnp.sys
09:37:46.0108 2452 isapnp - ok
09:37:46.0232 2452 JavaQuickStarterService (9dba73c2f1e76ec4cb837e67c5743596) C:\Program Files\Java\jre6\bin\jqs.exe
09:37:46.0232 2452 JavaQuickStarterService - ok
09:37:46.0263 2452 Kbdclass (ebdee8a2ee5393890a1acee971c4c246) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
09:37:46.0279 2452 Kbdclass - ok
09:37:46.0310 2452 kmixer (d93cad07c5683db066b0b2d2d3790ead) C:\WINDOWS\system32\drivers\kmixer.sys
09:37:46.0310 2452 kmixer - ok
09:37:46.0326 2452 KSecDD (eb7ffe87fd367ea8fca0506f74a87fbb) C:\WINDOWS\system32\drivers\KSecDD.sys
09:37:46.0341 2452 KSecDD - ok
09:37:46.0373 2452 lanmanserver (93d32468d34e000cb3407947d1d6e22a) C:\WINDOWS\System32\srvsvc.dll
09:37:46.0373 2452 lanmanserver - ok
09:37:46.0404 2452 lanmanworkstation (2c0a7b2ae9c26f2c163627679b42783c) C:\WINDOWS\System32\wkssvc.dll
09:37:46.0419 2452 lanmanworkstation - ok
09:37:46.0435 2452 lbrtfdc - ok
09:37:46.0559 2452 LiveUpdate (89bffb6a09652da7d019a387354d0d19) C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
09:37:46.0700 2452 LiveUpdate - ok
09:37:46.0793 2452 LmHosts (b3eff6d938c572e90a07b3d87a3c7657) C:\WINDOWS\System32\lmhsvc.dll
09:37:46.0809 2452 LmHosts - ok
09:37:46.0887 2452 MDM (11f714f85530a2bd134074dc30e99fca) C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
09:37:46.0887 2452 MDM - ok
09:37:46.0902 2452 Messenger (95fd808e4ac22aba025a7b3eac0375d2) C:\WINDOWS\System32\msgsvc.dll
09:37:46.0918 2452 Messenger - ok
09:37:46.0933 2452 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
09:37:46.0949 2452 mnmdd - ok
09:37:46.0980 2452 mnmsrvc (f6415361201915b9fe3896b0e4e724ff) C:\WINDOWS\System32\mnmsrvc.exe
09:37:46.0980 2452 mnmsrvc - ok
09:37:47.0027 2452 Modem (6fc6f9d7acc36dca9b914565a3aeda05) C:\WINDOWS\system32\drivers\Modem.sys
09:37:47.0027 2452 Modem - ok
09:37:47.0058 2452 Mouclass (34e1f0031153e491910e12551400192c) C:\WINDOWS\system32\DRIVERS\mouclass.sys
09:37:47.0074 2452 Mouclass - ok
09:37:47.0105 2452 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
09:37:47.0120 2452 mouhid - ok
09:37:47.0151 2452 MountMgr (65653f3b4477f3c63e68a9659f85ee2e) C:\WINDOWS\system32\drivers\MountMgr.sys
09:37:47.0151 2452 MountMgr - ok
09:37:47.0151 2452 mraid35x - ok
09:37:47.0167 2452 MRxDAV (46edcc8f2db2f322c24f48785cb46366) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
09:37:47.0167 2452 MRxDAV - ok
09:37:47.0214 2452 MRxSmb (1fd607fc67f7f7c633c3da65bfc53d18) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
09:37:47.0214 2452 MRxSmb - ok
09:37:47.0260 2452 MSDTC (c7c3d89eb0a6f3dba622ea737fa335b1) C:\WINDOWS\System32\msdtc.exe
09:37:47.0260 2452 MSDTC - ok
09:37:47.0276 2452 Msfs (561b3a4333ca2dbdba28b5b956822519) C:\WINDOWS\system32\drivers\Msfs.sys
09:37:47.0276 2452 Msfs - ok
09:37:47.0276 2452 MSIServer - ok
09:37:47.0292 2452 MSKSSRV (ae431a8dd3c1d0d0610cdbac16057ad0) C:\WINDOWS\system32\drivers\MSKSSRV.sys
09:37:47.0307 2452 MSKSSRV - ok
09:37:47.0323 2452 MSPCLOCK (13e75fef9dfeb08eeded9d0246e1f448) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
09:37:47.0323 2452 MSPCLOCK - ok
09:37:47.0338 2452 MSPQM (1988a33ff19242576c3d0ef9ce785da7) C:\WINDOWS\system32\drivers\MSPQM.sys
09:37:47.0354 2452 MSPQM - ok
09:37:47.0369 2452 mssmbios (469541f8bfd2b32659d5d463a6714bce) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
09:37:47.0369 2452 mssmbios - ok
09:37:47.0401 2452 Mup (82035e0f41c2dd05ae41d27fe6cf7de1) C:\WINDOWS\system32\drivers\Mup.sys
09:37:47.0401 2452 Mup - ok
09:37:47.0432 2452 napagent (0102140028fad045756796e1c685d695) C:\WINDOWS\System32\qagentrt.dll
09:37:47.0447 2452 napagent - ok
09:37:47.0541 2452 NAVENG (862f55824ac81295837b0ab63f91071f) C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20120507.002\naveng.sys
09:37:47.0541 2452 NAVENG - ok
09:37:47.0619 2452 NAVEX15 (529d571b551cb9da44237389b936f1ae) C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20120507.002\navex15.sys
09:37:47.0619 2452 NAVEX15 - ok
09:37:47.0728 2452 NDIS (558635d3af1c7546d26067d5d9b6959e) C:\WINDOWS\system32\drivers\NDIS.sys
09:37:47.0728 2452 NDIS - ok
09:37:47.0759 2452 NdisTapi (08d43bbdacdf23f34d79e44ed35c1b4c) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
09:37:47.0774 2452 NdisTapi - ok
09:37:47.0790 2452 Ndisuio (34d6cd56409da9a7ed573e1c90a308bf) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
09:37:47.0806 2452 Ndisuio - ok
09:37:47.0821 2452 NdisWan (0b90e255a9490166ab368cd55a529893) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
09:37:47.0837 2452 NdisWan - ok
09:37:47.0837 2452 NDProxy (59fc3fb44d2669bc144fd87826bb571f) C:\WINDOWS\system32\drivers\NDProxy.sys
09:37:47.0852 2452 NDProxy - ok
09:37:47.0868 2452 NetBIOS (3a2aca8fc1d7786902ca434998d7ceb4) C:\WINDOWS\system32\DRIVERS\netbios.sys
09:37:47.0868 2452 NetBIOS - ok
09:37:47.0915 2452 NetBT (0c80e410cd2f47134407ee7dd19cc86b) C:\WINDOWS\system32\DRIVERS\netbt.sys
09:37:47.0930 2452 NetBT - ok
09:37:47.0993 2452 NetDDE (05afb5ad06462257bea7495283c86d50) C:\WINDOWS\system32\netdde.exe
09:37:48.0008 2452 NetDDE - ok
09:37:48.0008 2452 NetDDEdsdm (05afb5ad06462257bea7495283c86d50) C:\WINDOWS\system32\netdde.exe
09:37:48.0024 2452 NetDDEdsdm - ok
09:37:48.0039 2452 Netlogon (84885f9b82f4d55c6146ebf6065d75d2) C:\WINDOWS\system32\lsass.exe
09:37:48.0039 2452 Netlogon - ok
09:37:48.0086 2452 Netman (dab9e6c7105d2ef49876fe92c524f565) C:\WINDOWS\System32\netman.dll
09:37:48.0086 2452 Netman - ok
09:37:48.0195 2452 NetTcpPortSharing (d34612c5d02d026535b3095d620626ae) c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
09:37:48.0226 2452 NetTcpPortSharing - ok
09:37:48.0257 2452 Nla (4e74af063c3271fbea20dd940cfd1184) C:\WINDOWS\System32\mswsock.dll
09:37:48.0273 2452 Nla - ok
09:37:48.0289 2452 Npfs (4f601bcb8f64ea3ac0994f98fed03f8e) C:\WINDOWS\system32\drivers\Npfs.sys
09:37:48.0289 2452 Npfs - ok
09:37:48.0335 2452 Ntfs (b78be402c3f63dd55521f73876951cdd) C:\WINDOWS\system32\drivers\Ntfs.sys
09:37:48.0351 2452 Ntfs - ok
09:37:48.0366 2452 NtLmSsp (84885f9b82f4d55c6146ebf6065d75d2) C:\WINDOWS\system32\lsass.exe
09:37:48.0366 2452 NtLmSsp - ok
09:37:48.0413 2452 NtmsSvc (b62f29c00ac55a761b2e45877d85ea0f) C:\WINDOWS\system32\ntmssvc.dll
09:37:48.0429 2452 NtmsSvc - ok
09:37:48.0460 2452 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
09:37:48.0460 2452 Null - ok
09:37:48.0491 2452 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
09:37:48.0491 2452 NwlnkFlt - ok
09:37:48.0507 2452 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
09:37:48.0522 2452 NwlnkFwd - ok
09:37:48.0585 2452 ose (7a56cf3e3f12e8af599963b16f50fb6a) C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
09:37:48.0600 2452 ose - ok
09:37:48.0631 2452 Parport (29744eb4ce659dfe3b4122deb45bc478) C:\WINDOWS\system32\DRIVERS\parport.sys
09:37:48.0647 2452 Parport - ok
09:37:48.0647 2452 PartMgr (3334430c29dc338092f79c38ef7b4cd0) C:\WINDOWS\system32\drivers\PartMgr.sys
09:37:48.0647 2452 PartMgr - ok
09:37:48.0678 2452 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
09:37:48.0678 2452 ParVdm - ok
09:37:48.0694 2452 PCI (8086d9979234b603ad5bc2f5d890b234) C:\WINDOWS\system32\DRIVERS\pci.sys
09:37:48.0694 2452 PCI - ok
09:37:48.0694 2452 PCIDump - ok
09:37:48.0709 2452 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
09:37:48.0709 2452 PCIIde - ok
09:37:48.0740 2452 Pcmcia (82a087207decec8456fbe8537947d579) C:\WINDOWS\system32\drivers\Pcmcia.sys
09:37:48.0756 2452 Pcmcia - ok
09:37:48.0756 2452 PDCOMP - ok
09:37:48.0756 2452 PDFRAME - ok
09:37:48.0771 2452 PDRELI - ok
09:37:48.0771 2452 PDRFRAME - ok
09:37:48.0771 2452 perc2 - ok
09:37:48.0771 2452 perc2hib - ok
09:37:48.0803 2452 PlugPlay (c6ce6eec82f187615d1002bb3bb50ed4) C:\WINDOWS\system32\services.exe
09:37:48.0803 2452 PlugPlay - ok
09:37:48.0803 2452 PolicyAgent (84885f9b82f4d55c6146ebf6065d75d2) C:\WINDOWS\system32\lsass.exe
09:37:48.0803 2452 PolicyAgent - ok
09:37:48.0849 2452 PptpMiniport (1c5cc65aac0783c344f16353e60b72ac) C:\WINDOWS\system32\DRIVERS\raspptp.sys
09:37:48.0849 2452 PptpMiniport - ok
09:37:48.0880 2452 Processor (0d97d88720a4087ec93af7dbb303b30a) C:\WINDOWS\system32\DRIVERS\processr.sys
09:37:48.0896 2452 Processor - ok
09:37:48.0896 2452 ProtectedStorage (84885f9b82f4d55c6146ebf6065d75d2) C:\WINDOWS\system32\lsass.exe
09:37:48.0896 2452 ProtectedStorage - ok
09:37:48.0896 2452 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
09:37:48.0912 2452 Ptilink - ok
09:37:48.0912 2452 ql1080 - ok
09:37:48.0912 2452 Ql10wnt - ok
09:37:48.0912 2452 ql12160 - ok
09:37:48.0927 2452 ql1240 - ok
09:37:48.0927 2452 ql1280 - ok
09:37:49.0332 2452 RampartSvc (bc1980557ce60cf5dfc5d570256b0a83) C:\Program Files\SonicWALL\SonicWALL Global VPN Client\RampartSvc.exe
09:37:49.0753 2452 RampartSvc - ok
09:37:49.0815 2452 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
09:37:49.0831 2452 RasAcd - ok
09:37:50.0220 2452 RasAuto (44db7a9bdd2fb58747d123fbf1d35adb) C:\WINDOWS\System32\rasauto.dll
09:37:50.0236 2452 RasAuto - ok
09:37:50.0267 2452 Rasl2tp (98faeb4a4dcf812ba1c6fca4aa3e115c) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
09:37:50.0282 2452 Rasl2tp - ok
09:37:50.0329 2452 RasMan (41a3c11e3517c962c9b44893bcec3b34) C:\WINDOWS\System32\rasmans.dll
09:37:50.0345 2452 RasMan - ok
09:37:50.0360 2452 RasPppoe (7306eeed8895454cbed4669be9f79faa) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
09:37:50.0360 2452 RasPppoe - ok
09:37:50.0376 2452 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
09:37:50.0376 2452 Raspti - ok
09:37:50.0407 2452 RCFOX (8f1211a58c1bf3b63ca928878ac6deb0) C:\WINDOWS\system32\Drivers\RCFOX.sys
09:37:50.0423 2452 RCFOX - ok
09:37:50.0454 2452 rcvpn (bca39c96b11318cbc2797c4b842e22e4) C:\WINDOWS\system32\DRIVERS\rcvpn.sys
09:37:50.0454 2452 rcvpn - ok
09:37:50.0485 2452 Rdbss (29d66245adba878fff574cd66abd2884) C:\WINDOWS\system32\DRIVERS\rdbss.sys
09:37:50.0501 2452 Rdbss - ok
09:37:50.0516 2452 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
09:37:50.0516 2452 RDPCDD - ok
09:37:50.0547 2452 rdpdr (a2cae2c60bc37e0751ef9dda7ceaf4ad) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
09:37:50.0563 2452 rdpdr - ok
09:37:50.0594 2452 RDPWD (d4f5643d7714ef499ae9527fdcd50894) C:\WINDOWS\system32\drivers\RDPWD.sys
09:37:50.0610 2452 RDPWD - ok
09:37:50.0641 2452 RDSessMgr (729798e0933076b8fcfcd9934698f164) C:\WINDOWS\system32\sessmgr.exe
09:37:50.0672 2452 RDSessMgr - ok
09:37:50.0687 2452 redbook (b31b4588e4086d8d84adbf9845c2402b) C:\WINDOWS\system32\DRIVERS\redbook.sys
09:37:50.0703 2452 redbook - ok
09:37:50.0719 2452 RemoteAccess (3046db917e3cfa040632799dd9b14865) C:\WINDOWS\System32\mprdim.dll
09:37:50.0734 2452 RemoteAccess - ok
09:37:50.0750 2452 RemoteRegistry (3151427db7d87107d1c5be58fac53960) C:\WINDOWS\system32\regsvc.dll
09:37:50.0750 2452 RemoteRegistry - ok
09:37:50.0781 2452 RpcLocator (793f04a09b15e7c6c11dbdffaf06c0ab) C:\WINDOWS\system32\locator.exe
09:37:50.0796 2452 RpcLocator - ok
09:37:50.0828 2452 RpcSs (5c83a4408604f737717ab96371201680) C:\WINDOWS\System32\rpcss.dll
09:37:50.0843 2452 RpcSs - ok
09:37:50.0874 2452 RSVP (471b3f9741d762abe75e9deea4787e47) C:\WINDOWS\system32\rsvp.exe
09:37:50.0906 2452 RSVP - ok
09:37:50.0937 2452 SamSs (84885f9b82f4d55c6146ebf6065d75d2) C:\WINDOWS\system32\lsass.exe
09:37:50.0937 2452 SamSs - ok
09:37:51.0015 2452 SavRoam (0de5ce2c919e4371c1fced0196086e3e) C:\Program Files\Symantec AntiVirus\SavRoam.exe
09:37:51.0030 2452 SavRoam - ok
09:37:51.0061 2452 SAVRT (cdb565c093b0105086cc630b32f9e6e6) C:\Program Files\Symantec AntiVirus\savrt.sys
09:37:51.0124 2452 SAVRT - ok
09:37:51.0124 2452 SAVRTPEL (1042cb5a003f9aed8d6cec56a0fc6c49) C:\Program Files\Symantec AntiVirus\Savrtpel.sys
09:37:51.0139 2452 SAVRTPEL - ok
09:37:51.0170 2452 SCardSvr (25d8de134df108e3dbc8d7d23b1aa58e) C:\WINDOWS\System32\SCardSvr.exe
09:37:51.0186 2452 SCardSvr - ok
09:37:51.0217 2452 Schedule (92360854316611f6cc471612213c3d92) C:\WINDOWS\system32\schedsvc.dll
09:37:51.0217 2452 Schedule - ok
09:37:51.0248 2452 Secdrv (d26e26ea516450af9d072635c60387f4) C:\WINDOWS\system32\DRIVERS\secdrv.sys
09:37:51.0264 2452 Secdrv - ok
09:37:51.0279 2452 seclogon (b1e0ce09895376871746f36dc5773b4f) C:\WINDOWS\System32\seclogon.dll
09:37:51.0295 2452 seclogon - ok
09:37:51.0311 2452 SENS (dfd9870cf39c791d86c4c209da9fa919) C:\WINDOWS\system32\sens.dll
09:37:51.0326 2452 SENS - ok
09:37:51.0342 2452 Sentinel (d23fc3f409fdbb2a5c230abc137c4b45) C:\WINDOWS\System32\Drivers\SENTINEL.SYS
09:37:51.0357 2452 Sentinel - ok
09:37:51.0388 2452 SentinelProtectionServer (881f7e7a2a9f9e91189b4fbb70eb5f47) C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe
09:37:51.0388 2452 SentinelProtectionServer - ok
09:37:51.0420 2452 serenum (a2d868aeeff612e70e213c451a70cafb) C:\WINDOWS\system32\DRIVERS\serenum.sys
09:37:51.0420 2452 serenum - ok
09:37:51.0451 2452 Serial (cd9404d115a00d249f70a371b46d5a26) C:\WINDOWS\system32\DRIVERS\serial.sys
09:37:51.0466 2452 Serial - ok
09:37:51.0482 2452 Sfloppy (0d13b6df6e9e101013a7afb0ce629fe0) C:\WINDOWS\system32\DRIVERS\sfloppy.sys
09:37:51.0482 2452 Sfloppy - ok
09:37:51.0544 2452 SharedAccess (36cc8c01b5e50163037bef56cb96deff) C:\WINDOWS\System32\ipnathlp.dll
09:37:51.0591 2452 SharedAccess - ok
09:37:51.0622 2452 ShellHWDetection (e7518dc542d3ebdcb80edd98462c7821) C:\WINDOWS\System32\shsvcs.dll
09:37:51.0622 2452 ShellHWDetection - ok
09:37:51.0622 2452 Simbad - ok
09:37:51.0669 2452 smwdm (86d17b6760dd2b09e932ff101714e0dc) C:\WINDOWS\system32\drivers\smwdm.sys
09:37:51.0700 2452 smwdm - ok
09:37:51.0762 2452 SNDSrvc (c5f415bb02ee89cde1b6cee3538f424b) C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
09:37:51.0793 2452 SNDSrvc - ok
09:37:51.0793 2452 Sparrow - ok
09:37:51.0825 2452 SPBBCDrv (cc22bf5631c4837abcd81d75de8fb1aa) C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys
09:37:51.0856 2452 SPBBCDrv - ok
09:37:51.0902 2452 SPBBCSvc (dabd8523d9b60ce6513653dfd8b96c1b) C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
09:37:51.0934 2452 SPBBCSvc - ok
09:37:51.0996 2452 splitter (8e186b8f23295d1e42c573b82b80d548) C:\WINDOWS\system32\drivers\splitter.sys
09:37:51.0996 2452 splitter - ok
09:37:52.0027 2452 Spooler (7435b108b935e42ea92ca94f59c8e717) C:\WINDOWS\system32\spoolsv.exe
09:37:52.0027 2452 Spooler - ok
09:37:52.0058 2452 sr (e41b6d037d6cd08461470af04500dc24) C:\WINDOWS\system32\DRIVERS\sr.sys
09:37:52.0074 2452 sr - ok
09:37:52.0105 2452 srservice (92bdf74f12d6cbec43c94d4b7f804838) C:\WINDOWS\system32\srsvc.dll
09:37:52.0121 2452 srservice - ok
09:37:52.0152 2452 Srv (20b7e396720353e4117d64d9dcb926ca) C:\WINDOWS\system32\DRIVERS\srv.sys
09:37:52.0152 2452 Srv - ok
09:37:52.0198 2452 SSDPSRV (4b8d61792f7175bed48859cc18ce4e38) C:\WINDOWS\System32\ssdpsrv.dll
09:37:52.0198 2452 SSDPSRV - ok
09:37:52.0230 2452 stisvc (d9f6c4f6b1e188adafc42b561d9bc2e6) C:\WINDOWS\system32\wiaservc.dll
09:37:52.0245 2452 stisvc - ok
09:37:52.0276 2452 swenum (03c1bae4766e2450219d20b993d6e046) C:\WINDOWS\system32\DRIVERS\swenum.sys
09:37:52.0292 2452 swenum - ok
09:37:52.0323 2452 swmidi (94abc808fc4b6d7d2bbf42b85e25bb4d) C:\WINDOWS\system32\drivers\swmidi.sys
09:37:52.0323 2452 swmidi - ok
09:37:52.0323 2452 SwPrv - ok
09:37:52.0448 2452 Symantec AntiVirus (8b3550214824abf244d1e27e2a300990) C:\Program Files\Symantec AntiVirus\Rtvscan.exe
09:37:52.0526 2452 Symantec AntiVirus - ok
09:37:52.0588 2452 symc810 - ok
09:37:52.0603 2452 symc8xx - ok
09:37:52.0619 2452 SymEvent (5156f63e684e8c864ff40e40d5309f41) C:\Program Files\Symantec\SYMEVENT.SYS
09:37:52.0619 2452 SymEvent - ok
09:37:52.0650 2452 SYMREDRV (5314e345dfc068504cfb2676d3b2ca39) C:\WINDOWS\System32\Drivers\SYMREDRV.SYS
09:37:52.0650 2452 SYMREDRV - ok
09:37:52.0697 2452 SYMTDI (8cd0a1478256240249b8ee88e6f25e94) C:\WINDOWS\System32\Drivers\SYMTDI.SYS
09:37:52.0712 2452 SYMTDI - ok
09:37:52.0712 2452 sym_hi - ok
09:37:52.0712 2452 sym_u3 - ok
09:37:52.0759 2452 sysaudio (650ad082d46bac0e64c9c0e0928492fd) C:\WINDOWS\system32\drivers\sysaudio.sys
09:37:52.0759 2452 sysaudio - ok
09:37:52.0775 2452 SysmonLog (8b54aa346d1b1b113ffaa75501b8b1b2) C:\WINDOWS\system32\smlogsvc.exe
09:37:52.0790 2452 SysmonLog - ok
09:37:52.0837 2452 TapiSrv (eb4a4187d74a8efdcbea3ea2cb1bdfbd) C:\WINDOWS\System32\tapisrv.dll
09:37:52.0853 2452 TapiSrv - ok
09:37:52.0868 2452 Tcpip (9f4b36614a0fc234525ba224957de55c) C:\WINDOWS\system32\DRIVERS\tcpip.sys
09:37:52.0884 2452 Tcpip - ok
09:37:52.0899 2452 TDPIPE (38d437cf2d98965f239b0abcd66dcb0f) C:\WINDOWS\system32\drivers\TDPIPE.sys
09:37:52.0915 2452 TDPIPE - ok
09:37:52.0946 2452 TDTCP (ed0580af02502d00ad8c4c066b156be9) C:\WINDOWS\system32\drivers\TDTCP.sys
09:37:52.0946 2452 TDTCP - ok
09:37:52.0977 2452 TermDD (a540a99c281d933f3d69d55e48727f47) C:\WINDOWS\system32\DRIVERS\termdd.sys
09:37:52.0993 2452 TermDD - ok
09:37:53.0055 2452 TermService (b60c877d16d9c880b952fda04adf16e6) C:\WINDOWS\System32\termsrv.dll
09:37:53.0055 2452 TermService - ok
09:37:53.0086 2452 Themes (e7518dc542d3ebdcb80edd98462c7821) C:\WINDOWS\System32\shsvcs.dll
09:37:53.0102 2452 Themes - ok
09:37:53.0133 2452 TlntSvr (37db0a7d097310e8b4de803fc3119c78) C:\WINDOWS\System32\tlntsvr.exe
09:37:53.0149 2452 TlntSvr - ok
09:37:53.0149 2452 TosIde - ok
09:37:53.0195 2452 TrkWks (6d9ac544b30f96c57f8206566c1fb6a1) C:\WINDOWS\system32\trkwks.dll
09:37:53.0195 2452 TrkWks - ok
09:37:53.0289 2452 TvWksSvc (bb4ef8c0241330629fc7f6326ccc1359) C:\Program Files\Common Files\Vertical\Wave\TvWksSvc.exe
09:37:53.0289 2452 TvWksSvc - ok
09:37:53.0336 2452 Udfs (12f70256f140cd7d52c58c7048fde657) C:\WINDOWS\system32\drivers\Udfs.sys
09:37:53.0336 2452 Udfs - ok
09:37:53.0336 2452 ultra - ok
09:37:53.0367 2452 Update (aff2e5045961bbc0a602bb6f95eb1345) C:\WINDOWS\system32\DRIVERS\update.sys
09:37:53.0382 2452 Update - ok
09:37:53.0429 2452 upnphost (0546477bde979e33294fe97f6b3de84a) C:\WINDOWS\System32\upnphost.dll
09:37:53.0429 2452 upnphost - ok
09:37:53.0460 2452 UPS (3f5df65b0758675f95a2d43918a740a3) C:\WINDOWS\System32\ups.exe
09:37:53.0476 2452 UPS - ok
09:37:53.0491 2452 usbehci (15e993ba2f6946b2bfbbfcd30398621e) C:\WINDOWS\system32\DRIVERS\usbehci.sys
09:37:53.0507 2452 usbehci - ok
09:37:53.0538 2452 usbhub (c72f40947f92cea56a8fb532edf025f1) C:\WINDOWS\system32\DRIVERS\usbhub.sys
09:37:53.0538 2452 usbhub - ok
09:37:53.0569 2452 usbprint (a42369b7cd8886cd7c70f33da6fcbcf5) C:\WINDOWS\system32\DRIVERS\usbprint.sys
09:37:53.0585 2452 usbprint - ok
09:37:53.0600 2452 usbscan (a6bc71402f4f7dd5b77fd7f4a8ddba85) C:\WINDOWS\system32\DRIVERS\usbscan.sys
09:37:53.0600 2452 usbscan - ok
09:37:53.0632 2452 USBSTOR (6cd7b22193718f1d17a47a1cd6d37e75) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
09:37:53.0632 2452 USBSTOR - ok
09:37:53.0663 2452 usbuhci (f8fd1400092e23c8f2f31406ef06167b) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
09:37:53.0663 2452 usbuhci - ok
09:37:53.0694 2452 VgaSave (8a60edd72b4ea5aea8202daf0e427925) C:\WINDOWS\System32\drivers\vga.sys
09:37:53.0709 2452 VgaSave - ok
09:37:53.0709 2452 ViaIde - ok
09:37:53.0741 2452 VolSnap (ee4660083deba849ff6c485d944b379b) C:\WINDOWS\system32\drivers\VolSnap.sys
09:37:53.0741 2452 VolSnap - ok
09:37:53.0772 2452 VSS (3ee00364ae0fd8d604f46cbaf512838a) C:\WINDOWS\System32\vssvc.exe
09:37:53.0803 2452 VSS - ok
09:37:53.0834 2452 W32Time (2b281958f5d0cf99ed626e3ef39d5c8d) C:\WINDOWS\system32\w32time.dll
09:37:53.0834 2452 W32Time - ok
09:37:53.0850 2452 Wanarp (984ef0b9788abf89974cfed4bfbaacbc) C:\WINDOWS\system32\DRIVERS\wanarp.sys
09:37:53.0850 2452 Wanarp - ok
09:37:53.0865 2452 WDICA - ok
09:37:53.0912 2452 wdmaud (2797f33ebf50466020c430ee4f037933) C:\WINDOWS\system32\drivers\wdmaud.sys
09:37:53.0912 2452 wdmaud - ok
09:37:53.0928 2452 WebClient (5d0a442864bfbf3b19dcca4cd29f6e99) C:\WINDOWS\System32\webclnt.dll
09:37:53.0943 2452 WebClient - ok
09:37:54.0021 2452 winmgmt (f399242a80c4066fd155efa4cf96658e) C:\WINDOWS\system32\wbem\WMIsvc.dll
09:37:54.0037 2452 winmgmt - ok
09:37:54.0130 2452 winvnc (847a140d1e8ec90d21f841d7065e6abb) C:\Program Files\TightVNC\WinVNC.exe
09:37:54.0161 2452 winvnc - ok
09:37:54.0208 2452 WmdmPmSN (c086483e3dba8c1c0a687ec8d5b3d4c1) C:\WINDOWS\system32\mspmsnsv.dll
09:37:54.0208 2452 WmdmPmSN - ok
09:37:54.0255 2452 Wmi (1aff244ca134956c54474f4e2433e4ce) C:\WINDOWS\System32\advapi32.dll
09:37:54.0286 2452 Wmi - ok
09:37:54.0348 2452 WmiAcpi (ae2c8544e747c20062db27456ea2d67a) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
09:37:54.0348 2452 WmiAcpi - ok
09:37:54.0395 2452 WmiApSrv (ba8cecc3e813e1f7c441b20393d4f86c) C:\WINDOWS\system32\wbem\wmiapsrv.exe
09:37:54.0442 2452 WmiApSrv - ok
09:37:54.0457 2452 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
09:37:54.0473 2452 WS2IFSL - ok
09:37:54.0519 2452 wscsvc (4d59daa66c60858cdf4f67a900f42d4a) C:\WINDOWS\system32\wscsvc.dll
09:37:54.0535 2452 wscsvc - ok
09:37:54.0551 2452 wuauserv (13d72740963cba12d9ff76a7f218bcd8) C:\WINDOWS\system32\wuauserv.dll
09:37:54.0566 2452 wuauserv - ok
09:37:54.0597 2452 WZCSVC (5a91e6feab9f901302fa7ff768c0120f) C:\WINDOWS\System32\wzcsvc.dll
09:37:54.0613 2452 WZCSVC - ok
09:37:54.0644 2452 xmlprov (eef46dab68229a14da3d8e73c99e2959) C:\WINDOWS\System32\xmlprov.dll
09:37:54.0644 2452 xmlprov - ok
09:37:54.0660 2452 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
09:37:54.0800 2452 \Device\Harddisk0\DR0 - ok
09:37:54.0800 2452 Boot (0x1200) (4e85c0a7425042ef4050c7bf692b283e) \Device\Harddisk0\DR0\Partition0
09:37:54.0800 2452 \Device\Harddisk0\DR0\Partition0 - ok
09:37:54.0800 2452 ============================================================
09:37:54.0800 2452 Scan finished
09:37:54.0800 2452 ============================================================
09:37:54.0815 3948 Detected object count: 0
09:37:54.0815 3948 Actual detected object count: 0
09:38:36.0360 3296 Deinitialize success


aswMBR:


aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-05-09 09:39:02
-----------------------------
09:39:02.561 OS Version: Windows 5.1.2600 Service Pack 2
09:39:02.561 Number of processors: 2 586 0xF06
09:39:02.561 ComputerName: MAEHC0027 UserName:
09:39:02.795 Initialize success
09:40:00.316 AVAST engine defs: 12050900
09:40:06.170 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
09:40:06.170 Disk 0 Vendor: WDC_WD800JD-60LSA5 10.01E03 Size: 76319MB BusType: 3
09:40:06.185 Disk 0 MBR read successfully
09:40:06.185 Disk 0 MBR scan
09:40:06.497 Disk 0 Windows XP default MBR code
09:40:06.497 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 76316 MB offset 63
09:40:06.529 Disk 0 scanning sectors +156296385
09:40:07.028 Disk 0 scanning C:\WINDOWS\system32\drivers
09:40:25.447 Service scanning
09:40:45.926 Modules scanning
09:40:54.323 Disk 0 trace - called modules:
09:40:54.339 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
09:40:54.339 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8655fab8]
09:40:54.355 3 CLASSPNP.SYS[f75c905b] -> nt!IofCallDriver -> \Device\0000006d[0x86555f18]
09:40:54.355 5 ACPI.sys[f745f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x86563940]
09:40:54.932 AVAST engine scan C:\WINDOWS
09:41:09.292 AVAST engine scan C:\WINDOWS\system32
09:52:09.500 AVAST engine scan C:\WINDOWS\system32\drivers
09:53:21.232 AVAST engine scan C:\Documents and Settings\ADMINISTRATOR.ANGELS
09:54:59.682 AVAST engine scan C:\Documents and Settings\All Users
09:56:07.842 Scan finished successfully
09:57:23.612 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\ADMINISTRATOR.ANGELS\Desktop\Cleanup Tools\Logs\MBR.dat"
09:57:23.628 The log file has been saved successfully to "C:\Documents and Settings\ADMINISTRATOR.ANGELS\Desktop\Cleanup Tools\Logs\aswMBR.txt"
09:58:09.553 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\ADMINISTRATOR.ANGELS\Desktop\Cleanup Tools\Logs\MBR.dat"
09:58:09.553 The log file has been saved successfully to "C:\Documents and Settings\ADMINISTRATOR.ANGELS\Desktop\Cleanup Tools\Logs\aswMBR.txt"
