
metasploit/meterpreter attack


  • This topic is locked
10 replies to this topic

#1 fasterizbetter


  • Members
  • 8 posts
  • Gender:Male
  • Location:midwest

Posted 09 May 2012 - 08:07 AM

My home network has been under some sort of attack for approximately 4 months. A remote user has been in the system and has communicated with me through Notepad. It began with local authorities being taken away and escalated from there. I have a dozen hard drives with varying amounts of info on them; they all have a small partition that has no attributes and that I am unable to erase. Linux software as well as Asus has detected multiple BIOSes on MoBos. I'm told he/she/it is entering through a loopback connection?

I found a link to one of my email usernames on a website called MD5 decrypter; I was the solution of the day. When this began I had 3 PCs, a NAS device and an Iomega cloud. Since then I use only 1 PC, a SonicWALL TZ210 and a gateway. I am strictly LAN connected; there is no wireless connection.

I have tons of forensic data if needed. Any insight on this would be greatly appreciated.

Thanks for your consideration

Ron

P.S. GMER was unable to run. The DDS log is attached. To date no anti-virus or rootkit detector has identified it, but when using Hiren's Boot CD it will at times catch it in RAM.



#2 nasdaq


  • Malware Response Team
  • 40,735 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 12 May 2012 - 08:51 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

Please Download
TDSSKiller.zip

Double-click on TDSSKiller.exe to run the application.
  • Click on the Start Scan button and wait for the scan and disinfection process to be over.
  • If an infected file is detected, the default action will be Cure, click on Continue
  • If a suspicious file is detected, the default action will be Skip, click on Continue
  • If you are asked to reboot the computer to complete the process, click on the Reboot Now button. A report will be automatically saved at the root of the System drive (usually C:\) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt" (for example, C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt). Please copy and paste the contents of that file here.
  • If no reboot is required, click on Report. A log file will appear. Please copy and paste the contents of that file in your next reply.

Download http://public.avast.com/~gmerek/aswMBR.exe (aswMBR.exe) to your desktop. Double click the aswMBR.exe to run it

  • Click the "Scan" button to start scan.
  • Upon completion of the scan, click Save log, and save it to your desktop. (Note - do not select any Fix at this time) <- IMPORTANT
  • Please post the contents of that log in your next reply.
There shall also be a file on your desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) folder. Please attach that zipped file in your next reply.

===

Please post the logs for my review.

#3 fasterizbetter

  • Topic Starter

  • Members
  • 8 posts
  • Gender:Male
  • Location:midwest

Posted 12 May 2012 - 09:00 PM

First and foremost, my children and I want to thank you SINCERELY for taking time out of your life to help people you don't know. Here are the reports you requested. I have been dealing with this fool for 5 months now; if there is any way I can assist, please let me know.

20:20:27.0029 2084 Disk - ok
20:20:27.0091 2084 drmkaud (9b19f34400d24df84c858a421c205754) C:\Windows\system32\drivers\drmkaud.sys
20:20:27.0091 2084 drmkaud - ok
20:20:27.0138 2084 DXGKrnl (f5bee30450e18e6b83a5012c100616fd) C:\Windows\System32\drivers\dxgkrnl.sys
20:20:27.0153 2084 DXGKrnl - ok
20:20:27.0231 2084 ebdrv (dc5d737f51be844d8c82c695eb17372f) C:\Windows\system32\drivers\evbda.sys
20:20:27.0278 2084 ebdrv - ok
20:20:27.0341 2084 elxstor (0e5da5369a0fcaea12456dd852545184) C:\Windows\system32\drivers\elxstor.sys
20:20:27.0356 2084 elxstor - ok
20:20:27.0387 2084 emupia (683dcaf0d4efc3f95a32e8924849202d) C:\Windows\system32\drivers\emupia2k.sys
20:20:27.0387 2084 emupia - ok
20:20:27.0419 2084 ErrDev (34a3c54752046e79a126e15c51db409b) C:\Windows\system32\drivers\errdev.sys
20:20:27.0419 2084 ErrDev - ok
20:20:27.0481 2084 esgiguard (df96c3cd6ae15f6d0a6bcb70f9c1e88d) C:\Program Files\Enigma Software Group\SpyHunter\esgiguard.sys
20:20:27.0481 2084 esgiguard - ok
20:20:27.0528 2084 exfat (a510c654ec00c1e9bdd91eeb3a59823b) C:\Windows\system32\drivers\exfat.sys
20:20:27.0528 2084 exfat - ok
20:20:27.0559 2084 fastfat (0adc83218b66a6db380c330836f3e36d) C:\Windows\system32\drivers\fastfat.sys
20:20:27.0559 2084 fastfat - ok
20:20:27.0590 2084 fdc (d765d19cd8ef61f650c384f62fac00ab) C:\Windows\system32\drivers\fdc.sys
20:20:27.0590 2084 fdc - ok
20:20:27.0621 2084 FileInfo (655661be46b5f5f3fd454e2c3095b930) C:\Windows\system32\drivers\fileinfo.sys
20:20:27.0621 2084 FileInfo - ok
20:20:27.0653 2084 Filetrace (5f671ab5bc87eea04ec38a6cd5962a47) C:\Windows\system32\drivers\filetrace.sys
20:20:27.0653 2084 Filetrace - ok
20:20:27.0684 2084 flpydisk (c172a0f53008eaeb8ea33fe10e177af5) C:\Windows\system32\drivers\flpydisk.sys
20:20:27.0684 2084 flpydisk - ok
20:20:27.0699 2084 FltMgr (da6b67270fd9db3697b20fce94950741) C:\Windows\system32\drivers\fltmgr.sys
20:20:27.0715 2084 FltMgr - ok
20:20:27.0762 2084 FsDepends (d43703496149971890703b4b1b723eac) C:\Windows\system32\drivers\FsDepends.sys
20:20:27.0762 2084 FsDepends - ok
20:20:27.0824 2084 Fs_Rec (6bd9295cc032dd3077c671fccf579a7b) C:\Windows\system32\drivers\Fs_Rec.sys
20:20:27.0824 2084 Fs_Rec - ok
20:20:27.0871 2084 fvevol (1f7b25b858fa27015169fe95e54108ed) C:\Windows\system32\DRIVERS\fvevol.sys
20:20:27.0871 2084 fvevol - ok
20:20:27.0902 2084 gagp30kx (8c778d335c9d272cfd3298ab02abe3b6) C:\Windows\system32\drivers\gagp30kx.sys
20:20:27.0902 2084 gagp30kx - ok
20:20:27.0980 2084 ha20x22k (076f366b87575adc7d152c7a34acb3dc) C:\Windows\system32\drivers\ha20x22k.sys
20:20:27.0980 2084 ha20x22k - ok
20:20:28.0043 2084 ha20x2k (4a7533eb52dc9d1847e7f78dee1ce322) C:\Windows\system32\drivers\ha20x2k.sys
20:20:28.0074 2084 ha20x2k - ok
20:20:28.0121 2084 hcw85cir (f2523ef6460fc42405b12248338ab2f0) C:\Windows\system32\drivers\hcw85cir.sys
20:20:28.0121 2084 hcw85cir - ok
20:20:28.0167 2084 HdAudAddService (975761c778e33cd22498059b91e7373a) C:\Windows\system32\drivers\HdAudio.sys
20:20:28.0183 2084 HdAudAddService - ok
20:20:28.0230 2084 HDAudBus (97bfed39b6b79eb12cddbfeed51f56bb) C:\Windows\system32\DRIVERS\HDAudBus.sys
20:20:28.0230 2084 HDAudBus - ok
20:20:28.0245 2084 HidBatt (78e86380454a7b10a5eb255dc44a355f) C:\Windows\system32\drivers\HidBatt.sys
20:20:28.0245 2084 HidBatt - ok
20:20:28.0277 2084 HidBth (7fd2a313f7afe5c4dab14798c48dd104) C:\Windows\system32\drivers\hidbth.sys
20:20:28.0292 2084 HidBth - ok
20:20:28.0339 2084 HidIr (0a77d29f311b88cfae3b13f9c1a73825) C:\Windows\system32\drivers\hidir.sys
20:20:28.0339 2084 HidIr - ok
20:20:28.0370 2084 HidUsb (9592090a7e2b61cd582b612b6df70536) C:\Windows\system32\DRIVERS\hidusb.sys
20:20:28.0370 2084 HidUsb - ok
20:20:28.0417 2084 HpSAMD (39d2abcd392f3d8a6dce7b60ae7b8efc) C:\Windows\system32\drivers\HpSAMD.sys
20:20:28.0417 2084 HpSAMD - ok
20:20:28.0464 2084 HTTP (0ea7de1acb728dd5a369fd742d6eee28) C:\Windows\system32\drivers\HTTP.sys
20:20:28.0464 2084 HTTP - ok
20:20:28.0495 2084 hwpolicy (a5462bd6884960c9dc85ed49d34ff392) C:\Windows\system32\drivers\hwpolicy.sys
20:20:28.0495 2084 hwpolicy - ok
20:20:28.0526 2084 i8042prt (fa55c73d4affa7ee23ac4be53b4592d3) C:\Windows\system32\drivers\i8042prt.sys
20:20:28.0526 2084 i8042prt - ok
20:20:28.0604 2084 iaStorV (aaaf44db3bd0b9d1fb6969b23ecc8366) C:\Windows\system32\drivers\iaStorV.sys
20:20:28.0604 2084 iaStorV - ok
20:20:28.0838 2084 igfx (371d7f91c0d2314eb984a4a6cbeabc92) C:\Windows\system32\DRIVERS\igdkmd64.sys
20:20:29.0025 2084 igfx - ok
20:20:29.0088 2084 iirsp (5c18831c61933628f5bb0ea2675b9d21) C:\Windows\system32\drivers\iirsp.sys
20:20:29.0088 2084 iirsp - ok
20:20:29.0197 2084 IntcAzAudAddService (eb5fa493a4b6ea290200ae39eba2fbc6) C:\Windows\system32\drivers\RTKVHD64.sys
20:20:29.0213 2084 IntcAzAudAddService - ok
20:20:29.0244 2084 IntcDAud (fc727061c0f47c8059e88e05d5c8e381) C:\Windows\system32\DRIVERS\IntcDAud.sys
20:20:29.0244 2084 IntcDAud - ok
20:20:29.0291 2084 intelide (f00f20e70c6ec3aa366910083a0518aa) C:\Windows\system32\drivers\intelide.sys
20:20:29.0291 2084 intelide - ok
20:20:29.0322 2084 intelppm (ada036632c664caa754079041cf1f8c1) C:\Windows\system32\DRIVERS\intelppm.sys
20:20:29.0322 2084 intelppm - ok
20:20:29.0353 2084 IpFilterDriver (c9f0e1bd74365a8771590e9008d22ab6) C:\Windows\system32\DRIVERS\ipfltdrv.sys
20:20:29.0353 2084 IpFilterDriver - ok
20:20:29.0384 2084 IPMIDRV (0fc1aea580957aa8817b8f305d18ca3a) C:\Windows\system32\drivers\IPMIDrv.sys
20:20:29.0400 2084 IPMIDRV - ok
20:20:29.0431 2084 IPNAT (af9b39a7e7b6caa203b3862582e9f2d0) C:\Windows\system32\drivers\ipnat.sys
20:20:29.0431 2084 IPNAT - ok
20:20:29.0462 2084 IRENUM (3abf5e7213eb28966d55d58b515d5ce9) C:\Windows\system32\drivers\irenum.sys
20:20:29.0462 2084 IRENUM - ok
20:20:29.0509 2084 isapnp (2f7b28dc3e1183e5eb418df55c204f38) C:\Windows\system32\drivers\isapnp.sys
20:20:29.0509 2084 isapnp - ok
20:20:29.0540 2084 iScsiPrt (d931d7309deb2317035b07c9f9e6b0bd) C:\Windows\system32\drivers\msiscsi.sys
20:20:29.0540 2084 iScsiPrt - ok
20:20:29.0571 2084 kbdclass (bc02336f1cba7dcc7d1213bb588a68a5) C:\Windows\system32\DRIVERS\kbdclass.sys
20:20:29.0571 2084 kbdclass - ok
20:20:29.0618 2084 kbdhid (0705eff5b42a9db58548eec3b26bb484) C:\Windows\system32\DRIVERS\kbdhid.sys
20:20:29.0618 2084 kbdhid - ok
20:20:29.0681 2084 KSecDD (da1e991a61cfdd755a589e206b97644b) C:\Windows\system32\Drivers\ksecdd.sys
20:20:29.0681 2084 KSecDD - ok
20:20:29.0727 2084 KSecPkg (7e33198d956943a4f11a5474c1e9106f) C:\Windows\system32\Drivers\ksecpkg.sys
20:20:29.0727 2084 KSecPkg - ok
20:20:29.0774 2084 ksthunk (6869281e78cb31a43e969f06b57347c4) C:\Windows\system32\drivers\ksthunk.sys
20:20:29.0774 2084 ksthunk - ok
20:20:29.0837 2084 lltdio (1538831cf8ad2979a04c423779465827) C:\Windows\system32\DRIVERS\lltdio.sys
20:20:29.0837 2084 lltdio - ok
20:20:29.0930 2084 LSI_FC (1a93e54eb0ece102495a51266dcdb6a6) C:\Windows\system32\drivers\lsi_fc.sys
20:20:29.0930 2084 LSI_FC - ok
20:20:29.0993 2084 LSI_SAS (1047184a9fdc8bdbff857175875ee810) C:\Windows\system32\drivers\lsi_sas.sys
20:20:29.0993 2084 LSI_SAS - ok
20:20:30.0039 2084 LSI_SAS2 (30f5c0de1ee8b5bc9306c1f0e4a75f93) C:\Windows\system32\drivers\lsi_sas2.sys
20:20:30.0039 2084 LSI_SAS2 - ok
20:20:30.0086 2084 LSI_SCSI (0504eacaff0d3c8aed161c4b0d369d4a) C:\Windows\system32\drivers\lsi_scsi.sys
20:20:30.0086 2084 LSI_SCSI - ok
20:20:30.0102 2084 luafv (43d0f98e1d56ccddb0d5254cff7b356e) C:\Windows\system32\drivers\luafv.sys
20:20:30.0102 2084 luafv - ok
20:20:30.0149 2084 megasas (a55805f747c6edb6a9080d7c633bd0f4) C:\Windows\system32\drivers\megasas.sys
20:20:30.0149 2084 megasas - ok
20:20:30.0180 2084 MegaSR (baf74ce0072480c3b6b7c13b2a94d6b3) C:\Windows\system32\drivers\MegaSR.sys
20:20:30.0180 2084 MegaSR - ok
20:20:30.0211 2084 MEIx64 (a6518dcc42f7a6e999bb3bea8fd87567) C:\Windows\system32\DRIVERS\HECIx64.sys
20:20:30.0211 2084 MEIx64 - ok
20:20:30.0258 2084 Modem (800ba92f7010378b09f9ed9270f07137) C:\Windows\system32\drivers\modem.sys
20:20:30.0258 2084 Modem - ok
20:20:30.0305 2084 monitor (b03d591dc7da45ece20b3b467e6aadaa) C:\Windows\system32\DRIVERS\monitor.sys
20:20:30.0305 2084 monitor - ok
20:20:30.0336 2084 mouclass (7d27ea49f3c1f687d357e77a470aea99) C:\Windows\system32\DRIVERS\mouclass.sys
20:20:30.0336 2084 mouclass - ok
20:20:30.0367 2084 mouhid (d3bf052c40b0c4166d9fd86a4288c1e6) C:\Windows\system32\DRIVERS\mouhid.sys
20:20:30.0367 2084 mouhid - ok
20:20:30.0445 2084 mountmgr (32e7a3d591d671a6df2db515a5cbe0fa) C:\Windows\system32\drivers\mountmgr.sys
20:20:30.0445 2084 mountmgr - ok
20:20:30.0476 2084 mpio (a44b420d30bd56e145d6a2bc8768ec58) C:\Windows\system32\drivers\mpio.sys
20:20:30.0476 2084 mpio - ok
20:20:30.0507 2084 mpsdrv (6c38c9e45ae0ea2fa5e551f2ed5e978f) C:\Windows\system32\drivers\mpsdrv.sys
20:20:30.0507 2084 mpsdrv - ok
20:20:30.0539 2084 MRxDAV (dc722758b8261e1abafd31a3c0a66380) C:\Windows\system32\drivers\mrxdav.sys
20:20:30.0539 2084 MRxDAV - ok
20:20:30.0570 2084 mrxsmb (a5d9106a73dc88564c825d317cac68ac) C:\Windows\system32\DRIVERS\mrxsmb.sys
20:20:30.0585 2084 mrxsmb - ok
20:20:30.0617 2084 mrxsmb10 (d711b3c1d5f42c0c2415687be09fc163) C:\Windows\system32\DRIVERS\mrxsmb10.sys
20:20:30.0617 2084 mrxsmb10 - ok
20:20:30.0648 2084 mrxsmb20 (9423e9d355c8d303e76b8cfbd8a5c30c) C:\Windows\system32\DRIVERS\mrxsmb20.sys
20:20:30.0648 2084 mrxsmb20 - ok
20:20:30.0695 2084 msahci (c25f0bafa182cbca2dd3c851c2e75796) C:\Windows\system32\drivers\msahci.sys
20:20:30.0695 2084 msahci - ok
20:20:30.0741 2084 msdsm (db801a638d011b9633829eb6f663c900) C:\Windows\system32\drivers\msdsm.sys
20:20:30.0741 2084 msdsm - ok
20:20:30.0773 2084 Msfs (aa3fb40e17ce1388fa1bedab50ea8f96) C:\Windows\system32\drivers\Msfs.sys
20:20:30.0773 2084 Msfs - ok
20:20:30.0804 2084 mshidkmdf (f9d215a46a8b9753f61767fa72a20326) C:\Windows\System32\drivers\mshidkmdf.sys
20:20:30.0804 2084 mshidkmdf - ok
20:20:30.0851 2084 msisadrv (d916874bbd4f8b07bfb7fa9b3ccae29d) C:\Windows\system32\drivers\msisadrv.sys
20:20:30.0851 2084 msisadrv - ok
20:20:30.0897 2084 MSKSSRV (49ccf2c4fea34ffad8b1b59d49439366) C:\Windows\system32\drivers\MSKSSRV.sys
20:20:30.0897 2084 MSKSSRV - ok
20:20:30.0929 2084 MSPCLOCK (bdd71ace35a232104ddd349ee70e1ab3) C:\Windows\system32\drivers\MSPCLOCK.sys
20:20:30.0929 2084 MSPCLOCK - ok
20:20:30.0960 2084 MSPQM (4ed981241db27c3383d72092b618a1d0) C:\Windows\system32\drivers\MSPQM.sys
20:20:30.0960 2084 MSPQM - ok
20:20:30.0991 2084 MsRPC (759a9eeb0fa9ed79da1fb7d4ef78866d) C:\Windows\system32\drivers\MsRPC.sys
20:20:30.0991 2084 MsRPC - ok
20:20:31.0022 2084 mssmbios (0eed230e37515a0eaee3c2e1bc97b288) C:\Windows\system32\DRIVERS\mssmbios.sys
20:20:31.0022 2084 mssmbios - ok
20:20:31.0069 2084 MSTEE (2e66f9ecb30b4221a318c92ac2250779) C:\Windows\system32\drivers\MSTEE.sys
20:20:31.0069 2084 MSTEE - ok
20:20:31.0116 2084 MTConfig (7ea404308934e675bffde8edf0757bcd) C:\Windows\system32\drivers\MTConfig.sys
20:20:31.0116 2084 MTConfig - ok
20:20:31.0131 2084 Mup (f9a18612fd3526fe473c1bda678d61c8) C:\Windows\system32\Drivers\mup.sys
20:20:31.0131 2084 Mup - ok
20:20:31.0209 2084 NativeWifiP (1ea3749c4114db3e3161156ffffa6b33) C:\Windows\system32\DRIVERS\nwifi.sys
20:20:31.0209 2084 NativeWifiP - ok
20:20:31.0303 2084 NDIS (79b47fd40d9a817e932f9d26fac0a81c) C:\Windows\system32\drivers\ndis.sys
20:20:31.0319 2084 NDIS - ok
20:20:31.0350 2084 NdisCap (9f9a1f53aad7da4d6fef5bb73ab811ac) C:\Windows\system32\DRIVERS\ndiscap.sys
20:20:31.0350 2084 NdisCap - ok
20:20:31.0381 2084 NdisTapi (30639c932d9fef22b31268fe25a1b6e5) C:\Windows\system32\DRIVERS\ndistapi.sys
20:20:31.0381 2084 NdisTapi - ok
20:20:31.0412 2084 Ndisuio (136185f9fb2cc61e573e676aa5402356) C:\Windows\system32\DRIVERS\ndisuio.sys
20:20:31.0412 2084 Ndisuio - ok
20:20:31.0428 2084 NdisWan (53f7305169863f0a2bddc49e116c2e11) C:\Windows\system32\DRIVERS\ndiswan.sys
20:20:31.0428 2084 NdisWan - ok
20:20:31.0459 2084 NDProxy (015c0d8e0e0421b4cfd48cffe2825879) C:\Windows\system32\drivers\NDProxy.sys
20:20:31.0475 2084 NDProxy - ok
20:20:31.0490 2084 NetBIOS (86743d9f5d2b1048062b14b1d84501c4) C:\Windows\system32\DRIVERS\netbios.sys
20:20:31.0490 2084 NetBIOS - ok
20:20:31.0521 2084 NetBT (09594d1089c523423b32a4229263f068) C:\Windows\system32\DRIVERS\netbt.sys
20:20:31.0521 2084 NetBT - ok
20:20:31.0599 2084 nfrd960 (77889813be4d166cdab78ddba990da92) C:\Windows\system32\drivers\nfrd960.sys
20:20:31.0599 2084 nfrd960 - ok
20:20:31.0646 2084 Npfs (1e4c4ab5c9b8dd13179bbdc75a2a01f7) C:\Windows\system32\drivers\Npfs.sys
20:20:31.0646 2084 Npfs - ok
20:20:31.0677 2084 nsiproxy (e7f5ae18af4168178a642a9247c63001) C:\Windows\system32\drivers\nsiproxy.sys
20:20:31.0677 2084 nsiproxy - ok
20:20:31.0755 2084 Ntfs (a2f74975097f52a00745f9637451fdd8) C:\Windows\system32\drivers\Ntfs.sys
20:20:31.0771 2084 Ntfs - ok
20:20:31.0818 2084 Null (9899284589f75fa8724ff3d16aed75c1) C:\Windows\system32\drivers\Null.sys
20:20:31.0833 2084 Null - ok
20:20:31.0865 2084 nvraid (0a92cb65770442ed0dc44834632f66ad) C:\Windows\system32\drivers\nvraid.sys
20:20:31.0865 2084 nvraid - ok
20:20:31.0911 2084 nvstor (dab0e87525c10052bf65f06152f37e4a) C:\Windows\system32\drivers\nvstor.sys
20:20:31.0911 2084 nvstor - ok
20:20:31.0958 2084 nv_agp (270d7cd42d6e3979f6dd0146650f0e05) C:\Windows\system32\drivers\nv_agp.sys
20:20:31.0958 2084 nv_agp - ok
20:20:31.0974 2084 ohci1394 (3589478e4b22ce21b41fa1bfc0b8b8a0) C:\Windows\system32\drivers\ohci1394.sys
20:20:31.0989 2084 ohci1394 - ok
20:20:32.0052 2084 ossrv (a29a80a1cf63d0dc27eefcaf27d34664) C:\Windows\system32\drivers\ctoss2k.sys
20:20:32.0052 2084 ossrv - ok
20:20:32.0099 2084 Parport (0086431c29c35be1dbc43f52cc273887) C:\Windows\system32\drivers\parport.sys
20:20:32.0099 2084 Parport - ok
20:20:32.0145 2084 partmgr (e9766131eeade40a27dc27d2d68fba9c) C:\Windows\system32\drivers\partmgr.sys
20:20:32.0145 2084 partmgr - ok
20:20:32.0208 2084 pci (94575c0571d1462a0f70bde6bd6ee6b3) C:\Windows\system32\drivers\pci.sys
20:20:32.0208 2084 pci - ok
20:20:32.0239 2084 pciide (b5b8b5ef2e5cb34df8dcf8831e3534fa) C:\Windows\system32\drivers\pciide.sys
20:20:32.0239 2084 pciide - ok
20:20:32.0286 2084 pcmcia (b2e81d4e87ce48589f98cb8c05b01f2f) C:\Windows\system32\drivers\pcmcia.sys
20:20:32.0301 2084 pcmcia - ok
20:20:32.0317 2084 pcw (d6b9c2e1a11a3a4b26a182ffef18f603) C:\Windows\system32\drivers\pcw.sys
20:20:32.0333 2084 pcw - ok
20:20:32.0364 2084 PEAUTH (68769c3356b3be5d1c732c97b9a80d6e) C:\Windows\system32\drivers\peauth.sys
20:20:32.0364 2084 PEAUTH - ok
20:20:32.0457 2084 PptpMiniport (f92a2c41117a11a00be01ca01a7fcde9) C:\Windows\system32\DRIVERS\raspptp.sys
20:20:32.0473 2084 PptpMiniport - ok
20:20:32.0489 2084 Processor (0d922e23c041efb1c3fac2a6f943c9bf) C:\Windows\system32\drivers\processr.sys
20:20:32.0489 2084 Processor - ok
20:20:32.0551 2084 Psched (0557cf5a2556bd58e26384169d72438d) C:\Windows\system32\DRIVERS\pacer.sys
20:20:32.0551 2084 Psched - ok
20:20:32.0613 2084 ql2300 (a53a15a11ebfd21077463ee2c7afeef0) C:\Windows\system32\drivers\ql2300.sys
20:20:32.0645 2084 ql2300 - ok
20:20:32.0660 2084 ql40xx (4f6d12b51de1aaeff7dc58c4d75423c8) C:\Windows\system32\drivers\ql40xx.sys
20:20:32.0660 2084 ql40xx - ok
20:20:32.0691 2084 QWAVEdrv (76707bb36430888d9ce9d705398adb6c) C:\Windows\system32\drivers\qwavedrv.sys
20:20:32.0691 2084 QWAVEdrv - ok
20:20:32.0738 2084 RasAcd (5a0da8ad5762fa2d91678a8a01311704) C:\Windows\system32\DRIVERS\rasacd.sys
20:20:32.0738 2084 RasAcd - ok
20:20:32.0785 2084 RasAgileVpn (7ecff9b22276b73f43a99a15a6094e90) C:\Windows\system32\DRIVERS\AgileVpn.sys
20:20:32.0801 2084 RasAgileVpn - ok
20:20:32.0832 2084 Rasl2tp (471815800ae33e6f1c32fb1b97c490ca) C:\Windows\system32\DRIVERS\rasl2tp.sys
20:20:32.0832 2084 Rasl2tp - ok
20:20:32.0941 2084 RasPppoe (855c9b1cd4756c5e9a2aa58a15f58c25) C:\Windows\system32\DRIVERS\raspppoe.sys
20:20:32.0941 2084 RasPppoe - ok
20:20:33.0144 2084 RasSstp (e8b1e447b008d07ff47d016c2b0eeecb) C:\Windows\system32\DRIVERS\rassstp.sys
20:20:33.0144 2084 RasSstp - ok
20:20:33.0191 2084 rdbss (77f665941019a1594d887a74f301fa2f) C:\Windows\system32\DRIVERS\rdbss.sys
20:20:33.0222 2084 rdbss - ok
20:20:33.0284 2084 rdpbus (302da2a0539f2cf54d7c6cc30c1f2d8d) C:\Windows\system32\drivers\rdpbus.sys
20:20:33.0284 2084 rdpbus - ok
20:20:33.0347 2084 RDPCDD (cea6cc257fc9b7715f1c2b4849286d24) C:\Windows\system32\DRIVERS\RDPCDD.sys
20:20:33.0347 2084 RDPCDD - ok
20:20:33.0425 2084 RDPENCDD (bb5971a4f00659529a5c44831af22365) C:\Windows\system32\drivers\rdpencdd.sys
20:20:33.0425 2084 RDPENCDD - ok
20:20:33.0471 2084 RDPREFMP (216f3fa57533d98e1f74ded70113177a) C:\Windows\system32\drivers\rdprefmp.sys
20:20:33.0471 2084 RDPREFMP - ok
20:20:33.0627 2084 RDPWD (6d76e6433574b058adcb0c50df834492) C:\Windows\system32\drivers\RDPWD.sys
20:20:33.0674 2084 RDPWD - ok
20:20:33.0768 2084 rdyboost (34ed295fa0121c241bfef24764fc4520) C:\Windows\system32\drivers\rdyboost.sys
20:20:33.0768 2084 rdyboost - ok
20:20:34.0002 2084 rspndr (ddc86e4f8e7456261e637e3552e804ff) C:\Windows\system32\DRIVERS\rspndr.sys
20:20:34.0002 2084 rspndr - ok
20:20:34.0189 2084 RTL8167 (ee082e06a82ff630351d1e0ebbd3d8d0) C:\Windows\system32\DRIVERS\Rt64win7.sys
20:20:34.0189 2084 RTL8167 - ok
20:20:34.0220 2084 sbp2port (ac03af3329579fffb455aa2daabbe22b) C:\Windows\system32\drivers\sbp2port.sys
20:20:34.0220 2084 sbp2port - ok
20:20:34.0251 2084 SBRE (9aceb2a2362fc87a3825963e61ba9076) C:\Windows\system32\drivers\SBREdrv.sys
20:20:34.0251 2084 SBRE - ok
20:20:34.0283 2084 scfilter (253f38d0d7074c02ff8deb9836c97d2b) C:\Windows\system32\DRIVERS\scfilter.sys
20:20:34.0283 2084 scfilter - ok
20:20:34.0314 2084 secdrv (3ea8a16169c26afbeb544e0e48421186) C:\Windows\system32\drivers\secdrv.sys
20:20:34.0314 2084 secdrv - ok
20:20:34.0361 2084 Serenum (cb624c0035412af0debec78c41f5ca1b) C:\Windows\system32\drivers\serenum.sys
20:20:34.0361 2084 Serenum - ok
20:20:34.0392 2084 Serial (c1d8e28b2c2adfaec4ba89e9fda69bd6) C:\Windows\system32\drivers\serial.sys
20:20:34.0392 2084 Serial - ok
20:20:34.0407 2084 sermouse (1c545a7d0691cc4a027396535691c3e3) C:\Windows\system32\drivers\sermouse.sys
20:20:34.0407 2084 sermouse - ok
20:20:34.0423 2084 sffdisk (a554811bcd09279536440c964ae35bbf) C:\Windows\system32\drivers\sffdisk.sys
20:20:34.0423 2084 sffdisk - ok
20:20:34.0439 2084 sffp_mmc (ff414f0baefeba59bc6c04b3db0b87bf) C:\Windows\system32\drivers\sffp_mmc.sys
20:20:34.0439 2084 sffp_mmc - ok
20:20:34.0454 2084 sffp_sd (dd85b78243a19b59f0637dcf284da63c) C:\Windows\system32\drivers\sffp_sd.sys
20:20:34.0454 2084 sffp_sd - ok
20:20:34.0470 2084 sfloppy (a9d601643a1647211a1ee2ec4e433ff4) C:\Windows\system32\drivers\sfloppy.sys
20:20:34.0485 2084 sfloppy - ok
20:20:34.0517 2084 SiSRaid2 (843caf1e5fde1ffd5ff768f23a51e2e1) C:\Windows\system32\drivers\SiSRaid2.sys
20:20:34.0517 2084 SiSRaid2 - ok
20:20:34.0532 2084 SiSRaid4 (6a6c106d42e9ffff8b9fcb4f754f6da4) C:\Windows\system32\drivers\sisraid4.sys
20:20:34.0532 2084 SiSRaid4 - ok
20:20:34.0563 2084 Smb (548260a7b8654e024dc30bf8a7c5baa4) C:\Windows\system32\DRIVERS\smb.sys
20:20:34.0563 2084 Smb - ok
20:20:34.0595 2084 SpiderG3 - ok
20:20:34.0626 2084 spldr (b9e31e5cacdfe584f34f730a677803f9) C:\Windows\system32\drivers\spldr.sys
20:20:34.0626 2084 spldr - ok
20:20:34.0688 2084 srv (441fba48bff01fdb9d5969ebc1838f0b) C:\Windows\system32\DRIVERS\srv.sys
20:20:34.0688 2084 srv - ok
20:20:34.0719 2084 srv2 (b4adebbf5e3677cce9651e0f01f7cc28) C:\Windows\system32\DRIVERS\srv2.sys
20:20:34.0735 2084 srv2 - ok
20:20:34.0751 2084 srvnet (27e461f0be5bff5fc737328f749538c3) C:\Windows\system32\DRIVERS\srvnet.sys
20:20:34.0751 2084 srvnet - ok
20:20:34.0782 2084 stexstor (f3817967ed533d08327dc73bc4d5542a) C:\Windows\system32\drivers\stexstor.sys
20:20:34.0797 2084 stexstor - ok
20:20:34.0829 2084 swenum (d01ec09b6711a5f8e7e6564a4d0fbc90) C:\Windows\system32\DRIVERS\swenum.sys
20:20:34.0829 2084 swenum - ok
20:20:34.0907 2084 Tcpip (acb82bda8f46c84f465c1afa517dc4b9) C:\Windows\system32\drivers\tcpip.sys
20:20:34.0953 2084 Tcpip - ok
20:20:35.0031 2084 TCPIP6 (acb82bda8f46c84f465c1afa517dc4b9) C:\Windows\system32\DRIVERS\tcpip.sys
20:20:35.0047 2084 TCPIP6 - ok
20:20:35.0078 2084 tcpipreg (df687e3d8836bfb04fcc0615bf15a519) C:\Windows\system32\drivers\tcpipreg.sys
20:20:35.0078 2084 tcpipreg - ok
20:20:35.0109 2084 TDPIPE (3371d21011695b16333a3934340c4e7c) C:\Windows\system32\drivers\tdpipe.sys
20:20:35.0109 2084 TDPIPE - ok
20:20:35.0141 2084 TDTCP (51c5eceb1cdee2468a1748be550cfbc8) C:\Windows\system32\drivers\tdtcp.sys
20:20:35.0156 2084 TDTCP - ok
20:20:35.0187 2084 tdx (ddad5a7ab24d8b65f8d724f5c20fd806) C:\Windows\system32\DRIVERS\tdx.sys
20:20:35.0187 2084 tdx - ok
20:20:35.0219 2084 TermDD (561e7e1f06895d78de991e01dd0fb6e5) C:\Windows\system32\DRIVERS\termdd.sys
20:20:35.0219 2084 TermDD - ok
20:20:35.0265 2084 tssecsrv (ce18b2cdfc837c99e5fae9ca6cba5d30) C:\Windows\system32\DRIVERS\tssecsrv.sys
20:20:35.0265 2084 tssecsrv - ok
20:20:35.0328 2084 TsUsbFlt (d11c783e3ef9a3c52c0ebe83cc5000e9) C:\Windows\system32\drivers\tsusbflt.sys
20:20:35.0328 2084 TsUsbFlt - ok
20:20:35.0359 2084 TsUsbGD (9cc2ccae8a84820eaecb886d477cbcb8) C:\Windows\system32\drivers\TsUsbGD.sys
20:20:35.0359 2084 TsUsbGD - ok
20:20:35.0406 2084 tunnel (3566a8daafa27af944f5d705eaa64894) C:\Windows\system32\DRIVERS\tunnel.sys
20:20:35.0406 2084 tunnel - ok
20:20:35.0421 2084 uagp35 (b4dd609bd7e282bfc683cec7eaaaad67) C:\Windows\system32\drivers\uagp35.sys
20:20:35.0421 2084 uagp35 - ok
20:20:35.0453 2084 udfs (ff4232a1a64012baa1fd97c7b67df593) C:\Windows\system32\DRIVERS\udfs.sys
20:20:35.0453 2084 udfs - ok
20:20:35.0484 2084 uliagpkx (4bfe1bc28391222894cbf1e7d0e42320) C:\Windows\system32\drivers\uliagpkx.sys
20:20:35.0484 2084 uliagpkx - ok
20:20:35.0515 2084 umbus (dc54a574663a895c8763af0fa1ff7561) C:\Windows\system32\DRIVERS\umbus.sys
20:20:35.0515 2084 umbus - ok
20:20:35.0531 2084 UmPass (b2e8e8cb557b156da5493bbddcc1474d) C:\Windows\system32\drivers\umpass.sys
20:20:35.0531 2084 UmPass - ok
20:20:35.0609 2084 usbccgp (6f1a3157a1c89435352ceb543cdb359c) C:\Windows\system32\DRIVERS\usbccgp.sys
20:20:35.0609 2084 usbccgp - ok
20:20:35.0624 2084 usbcir (af0892a803fdda7492f595368e3b68e7) C:\Windows\system32\drivers\usbcir.sys
20:20:35.0624 2084 usbcir - ok
20:20:35.0702 2084 usbehci (c025055fe7b87701eb042095df1a2d7b) C:\Windows\system32\drivers\usbehci.sys
20:20:35.0702 2084 usbehci - ok
20:20:35.0765 2084 usbhub (287c6c9410b111b68b52ca298f7b8c24) C:\Windows\system32\DRIVERS\usbhub.sys
20:20:35.0780 2084 usbhub - ok
20:20:35.0796 2084 usbohci (9840fc418b4cbd632d3d0a667a725c31) C:\Windows\system32\drivers\usbohci.sys
20:20:35.0811 2084 usbohci - ok
20:20:35.0843 2084 usbprint (73188f58fb384e75c4063d29413cee3d) C:\Windows\system32\DRIVERS\usbprint.sys
20:20:35.0843 2084 usbprint - ok
20:20:35.0905 2084 usbscan (aaa2513c8aed8b54b189fd0c6b1634c0) C:\Windows\system32\DRIVERS\usbscan.sys
20:20:35.0905 2084 usbscan - ok
20:20:35.0952 2084 USBSTOR (fed648b01349a3c8395a5169db5fb7d6) C:\Windows\system32\DRIVERS\USBSTOR.SYS
20:20:35.0952 2084 USBSTOR - ok
20:20:35.0999 2084 usbuhci (62069a34518bcf9c1fd9e74b3f6db7cd) C:\Windows\system32\drivers\usbuhci.sys
20:20:36.0014 2084 usbuhci - ok
20:20:36.0045 2084 vdrvroot (c5c876ccfc083ff3b128f933823e87bd) C:\Windows\system32\drivers\vdrvroot.sys
20:20:36.0045 2084 vdrvroot - ok
20:20:36.0077 2084 vga (da4da3f5e02943c2dc8c6ed875de68dd) C:\Windows\system32\DRIVERS\vgapnp.sys
20:20:36.0077 2084 vga - ok
20:20:36.0108 2084 VgaSave (53e92a310193cb3c03bea963de7d9cfc) C:\Windows\System32\drivers\vga.sys
20:20:36.0108 2084 VgaSave - ok
20:20:36.0123 2084 vhdmp (2ce2df28c83aeaf30084e1b1eb253cbb) C:\Windows\system32\drivers\vhdmp.sys
20:20:36.0139 2084 vhdmp - ok
20:20:36.0155 2084 viaide (e5689d93ffe4e5d66c0178761240dd54) C:\Windows\system32\drivers\viaide.sys
20:20:36.0155 2084 viaide - ok
20:20:36.0186 2084 volmgr (d2aafd421940f640b407aefaaebd91b0) C:\Windows\system32\drivers\volmgr.sys
20:20:36.0186 2084 volmgr - ok
20:20:36.0217 2084 volmgrx (a255814907c89be58b79ef2f189b843b) C:\Windows\system32\drivers\volmgrx.sys
20:20:36.0217 2084 volmgrx - ok
20:20:36.0248 2084 volsnap (0d08d2f3b3ff84e433346669b5e0f639) C:\Windows\system32\drivers\volsnap.sys
20:20:36.0248 2084 volsnap - ok
20:20:36.0295 2084 vsmraid (5e2016ea6ebaca03c04feac5f330d997) C:\Windows\system32\drivers\vsmraid.sys
20:20:36.0295 2084 vsmraid - ok
20:20:36.0311 2084 vwifibus (36d4720b72b5c5d9cb2b9c29e9df67a1) C:\Windows\System32\drivers\vwifibus.sys
20:20:36.0326 2084 vwifibus - ok
20:20:36.0373 2084 WacomPen (4e9440f4f152a7b944cb1663d3935a3e) C:\Windows\system32\drivers\wacompen.sys
20:20:36.0373 2084 WacomPen - ok
20:20:36.0420 2084 WANARP (356afd78a6ed4457169241ac3965230c) C:\Windows\system32\DRIVERS\wanarp.sys
20:20:36.0420 2084 WANARP - ok
20:20:36.0435 2084 Wanarpv6 (356afd78a6ed4457169241ac3965230c) C:\Windows\system32\DRIVERS\wanarp.sys
20:20:36.0435 2084 Wanarpv6 - ok
20:20:36.0467 2084 Wd (72889e16ff12ba0f235467d6091b17dc) C:\Windows\system32\drivers\wd.sys
20:20:36.0467 2084 Wd - ok
20:20:36.0498 2084 Wdf01000 (441bd2d7b4f98134c3a4f9fa570fd250) C:\Windows\system32\drivers\Wdf01000.sys
20:20:36.0513 2084 Wdf01000 - ok
20:20:36.0576 2084 WfpLwf (611b23304bf067451a9fdee01fbdd725) C:\Windows\system32\DRIVERS\wfplwf.sys
20:20:36.0576 2084 WfpLwf - ok
20:20:36.0591 2084 WIMMount (05ecaec3e4529a7153b3136ceb49f0ec) C:\Windows\system32\drivers\wimmount.sys
20:20:36.0607 2084 WIMMount - ok
20:20:36.0638 2084 WmiAcpi (f6ff8944478594d0e414d3f048f0d778) C:\Windows\system32\DRIVERS\wmiacpi.sys
20:20:36.0638 2084 WmiAcpi - ok
20:20:36.0685 2084 ws2ifsl (6bcc1d7d2fd2453957c5479a32364e52) C:\Windows\system32\drivers\ws2ifsl.sys
20:20:36.0685 2084 ws2ifsl - ok
20:20:36.0716 2084 WudfPf (d3381dc54c34d79b22cee0d65ba91b7c) C:\Windows\system32\drivers\WudfPf.sys
20:20:36.0716 2084 WudfPf - ok
20:20:36.0747 2084 WUDFRd (cf8d590be3373029d57af80914190682) C:\Windows\system32\DRIVERS\WUDFRd.sys
20:20:36.0747 2084 WUDFRd - ok
20:20:36.0779 2084 MBR (0x1B8) (a36c5e4f47e84449ff07ed3517b43a31) \Device\Harddisk0\DR0
20:20:36.0794 2084 \Device\Harddisk0\DR0 - ok
20:20:36.0794 2084 Boot (0x1200) (d5f92f37da3bf4dc39a94a9525ea3920) \Device\Harddisk0\DR0\Partition0
20:20:36.0794 2084 \Device\Harddisk0\DR0\Partition0 - ok
20:20:36.0810 2084 Boot (0x1200) (bb81bed79e7dc6658b4adcc2bd7464dd) \Device\Harddisk0\DR0\Partition1
20:20:36.0810 2084 \Device\Harddisk0\DR0\Partition1 - ok
20:20:36.0810 2084 ============================================================
20:20:36.0810 2084 Scan finished
20:20:36.0810 2084 ============================================================
20:20:36.0810 2076 Detected object count: 0
20:20:36.0810 2076 Actual detected object count: 0
20:20:59.0773 1932 Deinitialize success



aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-05-12 20:30:07
-----------------------------
20:30:07.453 OS Version: Windows x64 6.1.7601 Service Pack 1
20:30:07.453 Number of processors: 4 586 0x2A07
20:30:07.453 ComputerName: KIDS-PC UserName: kids
20:30:12.055 Initialize success
20:31:00.880 AVAST engine defs: 12051201
20:31:16.636 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
20:31:16.636 Disk 0 Vendor: ST500DM002-1BD142 KC45 Size: 476940MB BusType: 11
20:31:16.651 Disk 0 MBR read successfully
20:31:16.667 Disk 0 MBR scan
20:31:16.667 Disk 0 Windows 7 default MBR code
20:31:16.667 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048
20:31:16.682 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 476838 MB offset 206848
20:31:16.698 Disk 0 scanning C:\Windows\system32\drivers
20:31:24.280 Service scanning
20:31:38.008 Modules scanning
20:31:38.008 Disk 0 trace - called modules:
20:31:38.054 ntoskrnl.exe CLASSPNP.SYS disk.sys ataport.SYS PCIIDEX.SYS hal.dll msahci.sys
20:31:38.054 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa800dab4060]
20:31:38.070 3 CLASSPNP.SYS[fffff8800195043f] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa800d645680]
20:31:41.190 AVAST engine scan C:\
20:51:41.814 Scan finished successfully
20:52:05.089 Disk 0 MBR has been saved successfully to "C:\Users\kids\Desktop\MBR.dat"
20:52:05.089 The log file has been saved successfully to "C:\Users\kids\Desktop\aswMBR.txt"




Attached File: MBR.zip (559 bytes)
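The TDSSKiller driver list above is long enough that a responder would normally triage it mechanically rather than by eye. The following Python is an added example, not part of this thread and not TDSSKiller's own code: it parses lines in the format shown (timestamp, process id, service name, MD5 in parentheses, image path, followed by a separate `- ok` verdict line) and lists what a responder would look at first. The triage rules are this example's own heuristics: a service with no hashed image file (as with `SpiderG3` above), a driver image loaded from somewhere other than the Windows driver directories (as with the SpyHunter `esgiguard.sys` entry), a verdict other than `ok`, and several service names backed by one binary. The last rule produces expected pairs as well (`Tcpip`/`TCPIP6` and `WANARP`/`Wanarpv6` share a file by design), so its output is a review list, not a detection. The sample lines are copied from the log posted above.

```python
import re
from collections import defaultdict

# Constructed sample: a few lines in the TDSSKiller driver-list format, copied
# from the log posted above. Hashes and paths are exactly as they appear there.
SAMPLE_LOG = r"""
20:20:27.0481 2084 esgiguard (df96c3cd6ae15f6d0a6bcb70f9c1e88d) C:\Program Files\Enigma Software Group\SpyHunter\esgiguard.sys
20:20:27.0481 2084 esgiguard - ok
20:20:34.0563 2084 Smb (548260a7b8654e024dc30bf8a7c5baa4) C:\Windows\system32\DRIVERS\smb.sys
20:20:34.0563 2084 Smb - ok
20:20:34.0595 2084 SpiderG3 - ok
20:20:34.0907 2084 Tcpip (acb82bda8f46c84f465c1afa517dc4b9) C:\Windows\system32\drivers\tcpip.sys
20:20:34.0953 2084 Tcpip - ok
20:20:35.0031 2084 TCPIP6 (acb82bda8f46c84f465c1afa517dc4b9) C:\Windows\system32\DRIVERS\tcpip.sys
20:20:35.0047 2084 TCPIP6 - ok
20:20:36.0779 2084 MBR (0x1B8) (a36c5e4f47e84449ff07ed3517b43a31) \Device\Harddisk0\DR0
20:20:36.0794 2084 \Device\Harddisk0\DR0 - ok
""".strip("\n")

TS = r"(?P<ts>\d{2}:\d{2}:\d{2}\.\d{4})\s+(?P<pid>\d+)\s+"
# "<ts> <pid> <name> (<md5>) <path>": the file line for a service or disk object.
ENTRY_RE = re.compile(TS + r"(?P<name>.+?)\s+\((?P<md5>[0-9a-fA-F]{32})\)\s+(?P<path>\S.*)$")
# "<ts> <pid> <name> - <status>": the verdict line that follows it.
STATUS_RE = re.compile(TS + r"(?P<name>.+?) - (?P<status>\S.*)$")

# Locations a Windows driver is normally loaded from (compared case-insensitively).
SYSTEM_DRIVER_DIRS = ("c:\\windows\\system32\\drivers\\", "c:\\windows\\system32\\")


def parse_tdsskiller(text):
    """Map service/object name -> {"md5", "path", "status"} from a TDSSKiller log."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            entries[m["name"]] = {"md5": m["md5"].lower(), "path": m["path"], "status": None}
            continue
        m = STATUS_RE.match(line)
        if not m:
            continue  # banner, summary and separator lines carry no per-object data
        key = m["name"]
        if key not in entries:
            # Disk objects (MBR, boot sectors) report their verdict under the device
            # path rather than the label used on the file line; map it back.
            key = next((n for n, e in entries.items() if e["path"] == key), key)
        entries.setdefault(key, {"md5": None, "path": None, "status": None})["status"] = m["status"]
    return entries


def triage(entries):
    """Return (name, reason) pairs a responder should look at first.

    The rules are this example's own heuristics, not TDSSKiller logic."""
    findings = []
    by_md5 = defaultdict(list)
    for name, e in entries.items():
        if e["status"] != "ok":
            findings.append((name, "verdict is %r, not ok" % e["status"]))
        if e["md5"] is None:
            findings.append((name, "no image file hashed: check whether the service's binary exists on disk"))
            continue
        by_md5[e["md5"]].append(name)
        path = e["path"].lower()
        if path.startswith("c:\\") and not path.startswith(SYSTEM_DRIVER_DIRS):
            findings.append((name, "driver image outside the Windows driver directories: " + e["path"]))
    for md5, names in by_md5.items():
        if len(names) > 1:
            findings.append((", ".join(sorted(names)), "share one image (md5 %s)" % md5))
    return findings


def triage_log(text):
    """Parse a TDSSKiller log and return its triage findings."""
    return triage(parse_tdsskiller(text))


if __name__ == "__main__":
    for name, reason in triage_log(SAMPLE_LOG):
        print("%-20s %s" % (name, reason))
```

Run it against a saved TDSSKiller log by passing the file's contents to `triage_log`. On the full log in this thread the rules above surface the same items a reviewer would circle by hand: the one service without a hashed image, the single third-party driver outside `system32`, and the two pairs of services that share a binary.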

#4 nasdaq

  • Malware Response Team
  • 40,735 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 13 May 2012 - 09:02 AM

The logs are clean.

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • alternate download link 2
    • Make sure you are connected to the Internet.
    • Double-click on Download_mbam-setup.exe to install the application.
    • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

For complete or visual instructions on installing and running Malwarebytes Anti-Malware please read this link

Post back with the Malwarebytes Anti-Malware log once it's complete.
===

Please download ComboFix from any of the links below, and save it to your desktop. For information regarding this download, please visit this web page: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop

IMPORTANT....

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Do not install any other programs until this is fixed.


How to: Disable Anti-virus and Firewall...
http://www.bleepingcomputer.com/forums/topic114351.html

Double click on ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt
Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


Note: If you have difficulty properly disabling your protective programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html
===

Third-party programs, if not up to date, can be an open door for an infection.

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

Please post the logs for my review.

#5 fasterizbetter

fasterizbetter
  • Topic Starter

  • Members
  • 8 posts
  • Gender:Male
  • Location:midwest
  • Local time:10:23 AM

Posted 13 May 2012 - 11:35 AM

ComboFix 12-05-13.03 - kids 05/13/2012 11:12:01.1.4 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.15833.14060 [GMT -5:00]
Running from: c:\users\kids\Downloads\ComboFix.exe
AV: avast! Internet Security *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
FW: avast! Internet Security *Disabled* {131692B0-0864-D491-4E21-3A3A1D8BBB47}
SP: avast! Internet Security *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\kids\AppData\Local\Temp\{D2C237D2-605E-4030-B9A9-A81E8502C83A}\fpb.tmp
.
.
((((((((((((((((((((((((( Files Created from 2012-04-13 to 2012-05-13 )))))))))))))))))))))))))))))))
.
.
2012-05-13 16:14 . 2012-05-13 16:14 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-05-13 16:04 . 2012-05-13 16:04 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-05-13 16:04 . 2012-05-13 16:04 -------- d-----w- c:\programdata\Malwarebytes
2012-05-13 16:04 . 2012-04-04 20:56 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-05-13 11:29 . 2012-05-13 11:47 -------- d-----w- c:\programdata\SolarWinds
2012-05-13 11:28 . 2012-05-13 11:47 -------- d-----w- c:\program files (x86)\SolarWinds
2012-05-13 06:10 . 2012-05-13 07:43 -------- d-----w- C:\!visuallogic!
2012-05-13 04:41 . 2012-05-13 04:41 -------- d-----w- c:\program files (x86)\Common Files\Java
2012-05-13 04:41 . 2012-05-13 04:41 -------- d-----w- c:\program files (x86)\Oracle
2012-05-13 04:40 . 2012-04-04 23:47 772504 ----a-w- c:\windows\SysWow64\npDeployJava1.dll
2012-05-13 04:40 . 2012-04-04 23:47 687504 ----a-w- c:\windows\SysWow64\deployJava1.dll
2012-05-13 04:40 . 2012-05-13 04:40 -------- d-----w- c:\program files (x86)\Java
2012-05-13 04:37 . 2012-05-13 04:37 -------- d-----w- c:\program files\Microsoft Silverlight
2012-05-13 04:37 . 2012-05-13 04:37 -------- d-----w- c:\program files (x86)\Microsoft Silverlight
2012-05-13 04:22 . 2012-05-13 04:22 -------- d-----w- c:\program files (x86)\Mozilla Maintenance Service
2012-05-13 03:55 . 2012-05-13 03:55 -------- d-----w- c:\programdata\AVAST Software
2012-05-13 03:55 . 2012-05-13 03:55 -------- d-----w- c:\program files\AVAST Software
2012-05-12 00:22 . 2012-05-12 00:22 -------- d-----w- c:\users\Default\AppData\Local\Microsoft Help
2012-05-11 23:07 . 2012-05-13 04:47 70304 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-05-11 23:07 . 2012-05-13 04:47 419488 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-05-11 23:07 . 2012-05-11 23:07 -------- d-----w- c:\windows\SysWow64\Macromed
2012-05-11 23:07 . 2012-05-11 23:07 -------- d-----w- c:\windows\system32\Macromed
2012-05-11 22:52 . 2012-05-11 22:52 -------- d-----w- c:\windows\PCHEALTH
2012-05-11 22:50 . 2012-05-11 22:50 -------- d-----w- c:\program files (x86)\Microsoft Analysis Services
2012-05-11 22:50 . 2012-05-11 22:52 -------- d-----w- c:\windows\SHELLNEW
2012-05-11 22:50 . 2012-05-13 15:39 -------- d-----w- c:\programdata\Microsoft Help
2012-05-11 22:49 . 2012-05-11 22:49 -------- d-----r- C:\MSOCache
2012-05-11 22:36 . 2012-05-11 22:36 -------- d-----w- c:\programdata\Citrix
2012-05-11 22:36 . 2012-05-11 22:36 -------- d-----w- c:\program files (x86)\Citrix
2012-05-11 22:36 . 2012-05-11 22:36 -------- d-----w- c:\program files (x86)\Common Files\Citrix
2012-05-11 22:23 . 2012-03-31 06:05 5559664 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-05-11 22:23 . 2012-03-03 06:35 1544704 ----a-w- c:\windows\system32\DWrite.dll
2012-05-11 22:23 . 2012-03-03 05:31 1077248 ----a-w- c:\windows\SysWow64\DWrite.dll
2012-05-11 22:23 . 2012-03-31 04:39 3968368 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
2012-05-11 22:23 . 2012-03-31 04:39 3913072 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
2012-05-11 22:23 . 2012-03-31 03:10 3146240 ----a-w- c:\windows\system32\win32k.sys
2012-05-11 22:23 . 2012-03-17 07:58 75120 ----a-w- c:\windows\system32\drivers\partmgr.sys
2012-05-11 22:22 . 2012-04-18 08:03 8917360 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{69266FED-9353-46A7-9A9F-5463DDDC1993}\mpengine.dll
2012-05-11 22:22 . 2012-03-30 11:35 1918320 ----a-w- c:\windows\system32\drivers\tcpip.sys
2012-05-11 22:22 . 2012-03-31 05:40 1367552 ----a-w- c:\program files\Common Files\Microsoft Shared\ink\journal.dll
2012-05-11 22:22 . 2012-03-31 04:29 936960 ----a-w- c:\program files (x86)\Common Files\Microsoft Shared\ink\journal.dll
2012-05-09 14:36 . 2012-05-09 14:36 -------- d-----w- c:\program files\CCleaner
2012-04-25 17:19 . 2011-02-19 12:05 1139200 ----a-w- c:\windows\system32\FntCache.dll
2012-04-25 17:19 . 2011-02-19 12:04 902656 ----a-w- c:\windows\system32\d2d1.dll
2012-04-25 17:19 . 2011-02-19 06:30 739840 ----a-w- c:\windows\SysWow64\d2d1.dll
2012-04-25 16:00 . 2012-04-25 16:00 -------- d-----w- c:\program files (x86)\Common Files\Adobe
2012-04-25 15:49 . 2012-05-09 14:35 -------- d-----w- c:\program files (x86)\Microsoft
2012-04-25 15:47 . 2010-11-17 02:24 750440 ------w- c:\windows\system32\HPDiscoPM5412.dll
2012-04-25 15:46 . 2012-04-25 16:09 -------- d-----w- c:\programdata\HP
2012-04-25 15:46 . 2012-04-25 15:48 -------- d-----w- c:\program files (x86)\HP
2012-04-25 15:45 . 2012-04-25 15:45 -------- d-----w- c:\program files\HP
2012-04-24 03:48 . 2003-06-13 04:25 7062 ----a-w- c:\windows\SysWow64\audiopid.vxd
2012-04-24 03:47 . 2012-04-24 03:47 -------- d-----w- c:\program files (x86)\Common Files\Creative
2012-04-24 03:47 . 2012-04-24 03:48 -------- d--h--w- c:\program files (x86)\Creative Installation Information
2012-04-24 03:47 . 2012-04-24 03:47 -------- d-----w- c:\program files (x86)\Common Files\Creative Labs Shared
2012-04-24 03:46 . 2012-04-24 03:47 -------- d-----w- c:\program files\Creative
2012-04-24 03:46 . 2012-04-24 03:46 -------- d-----w- c:\program files (x86)\Creative
2012-04-24 03:37 . 2011-03-25 03:29 343040 ----a-w- c:\windows\system32\drivers\usbhub.sys
2012-04-24 03:27 . 2012-04-24 03:27 -------- d-----w- c:\windows\SysWow64\Wat
2012-04-24 03:27 . 2012-04-24 03:27 -------- d-----w- c:\windows\system32\Wat
2012-04-24 03:25 . 2012-04-24 03:25 -------- d-----w- c:\program files (x86)\MSXML 4.0
2012-04-24 03:17 . 2012-03-01 06:46 23408 ----a-w- c:\windows\system32\drivers\fs_rec.sys
2012-04-24 03:17 . 2012-03-01 06:38 220672 ----a-w- c:\windows\system32\wintrust.dll
2012-04-24 03:17 . 2012-03-01 06:33 81408 ----a-w- c:\windows\system32\imagehlp.dll
2012-04-24 03:17 . 2012-03-01 06:28 5120 ----a-w- c:\windows\system32\wmi.dll
2012-04-24 03:17 . 2012-03-01 05:37 172544 ----a-w- c:\windows\SysWow64\wintrust.dll
2012-04-24 03:17 . 2012-03-01 05:33 159232 ----a-w- c:\windows\SysWow64\imagehlp.dll
2012-04-24 03:17 . 2012-03-01 05:29 5120 ----a-w- c:\windows\SysWow64\wmi.dll
2012-04-24 02:46 . 2011-04-22 22:15 27520 ----a-w- c:\windows\system32\drivers\Diskdump.sys
2012-04-24 02:45 . 2011-11-19 14:58 77312 ----a-w- c:\windows\system32\packager.dll
2012-04-24 02:45 . 2011-11-19 14:01 67072 ----a-w- c:\windows\SysWow64\packager.dll
2012-04-23 07:25 . 2012-05-09 14:39 -------- d-----w- c:\windows\Panther
2012-04-23 06:18 . 2012-04-23 06:18 -------- d-----w- c:\program files\Common Files\Doctor Web
2012-04-23 06:17 . 2012-05-09 14:38 -------- d-----w- c:\program files (x86)\DrWeb
2012-04-23 06:17 . 2012-04-23 06:18 -------- d-----w- c:\programdata\Doctor Web
2012-04-23 05:13 . 2012-01-12 14:28 57976 ----a-r- c:\windows\system32\drivers\SBREDrv.sys
2012-04-23 04:53 . 2012-04-23 04:58 -------- d-----w- C:\sh4ldr
2012-04-23 04:53 . 2012-04-23 04:53 -------- d-----w- c:\program files\Enigma Software Group
2012-04-23 04:53 . 2012-04-23 04:53 -------- d-----w- c:\windows\5B210B8AB66E4702B44D0D6F388D29EB.TMP
2012-04-23 04:53 . 2012-04-23 04:53 -------- d-----w- c:\program files (x86)\Common Files\Wise Installation Wizard
2012-04-23 04:48 . 2012-04-23 04:48 -------- d-----w- c:\programdata\Intel
2012-04-23 04:46 . 2012-04-23 06:24 -------- d-----w- c:\programdata\Norton
2012-04-23 04:45 . 2012-04-23 04:45 -------- d-----w- c:\program files (x86)\ASM104xUSB3
2012-04-23 04:45 . 2010-12-20 23:08 8192 ----a-w- c:\windows\system32\drivers\IntelMEFWVer.dll
2012-04-23 04:45 . 2012-04-23 04:45 -------- d-----w- c:\program files (x86)\Common Files\postureAgent
2012-04-23 04:45 . 2010-10-19 21:34 56344 ----a-w- c:\windows\system32\drivers\HECIx64.sys
2012-04-23 04:40 . 2012-04-23 04:40 -------- d-----w- c:\program files\Common Files\Intel
2012-04-23 04:37 . 2011-06-10 11:34 107552 ----a-w- c:\windows\system32\RTNUninst64.dll
2012-04-23 04:37 . 2012-04-23 04:37 -------- d-----w- c:\windows\SysWow64\RTCOM
2012-04-23 04:37 . 2012-04-23 04:37 -------- d-----w- c:\program files\Realtek
2012-04-23 04:35 . 2012-04-23 04:39 -------- d-----w- C:\Intel
2012-04-23 04:35 . 2012-05-13 15:39 -------- d-sh--w- c:\windows\Installer
2012-04-23 04:35 . 2012-04-23 04:35 -------- d-----w- c:\program files (x86)\Google
2012-04-23 04:31 . 2012-05-09 14:29 -------- d-----w- c:\users\kids
2012-04-23 04:30 . 2012-04-23 04:30 -------- d-----w- C:\Recovery
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-03-20 04:44 . 2012-03-20 04:44 5888792 ----a-w- c:\windows\system32\GfxUI.exe
2012-03-20 04:44 . 2012-03-20 04:44 509720 ----a-w- c:\windows\system32\igfxsrvc.exe
2012-03-20 04:44 . 2012-03-20 04:44 439064 ----a-w- c:\windows\system32\igfxpers.exe
2012-03-20 04:44 . 2012-03-20 04:44 398616 ----a-w- c:\windows\system32\hkcmd.exe
2012-03-20 04:44 . 2012-03-20 04:44 276248 ----a-w- c:\windows\SysWow64\IntelCpHeciSvc.exe
2012-03-20 04:44 . 2012-03-20 04:44 250136 ----a-w- c:\windows\system32\igfxext.exe
2012-03-20 04:44 . 2012-03-20 04:44 184600 ----a-w- c:\windows\system32\difx64.exe
2012-03-20 04:44 . 2012-03-20 04:44 170264 ----a-w- c:\windows\system32\igfxtray.exe
2012-03-20 04:42 . 2012-03-20 04:42 90112 ----a-w- c:\windows\system32\igfxCoIn_v2696.dll
2012-03-20 04:32 . 2012-03-20 04:32 14745600 ----a-w- c:\windows\system32\drivers\igdkmd64.sys
2012-03-20 04:31 . 2012-03-20 04:31 8087040 ----a-w- c:\windows\system32\igdumd64.dll
2012-03-20 04:31 . 2012-03-20 04:31 963912 ----a-w- c:\windows\system32\igkrng600.bin
2012-03-20 04:31 . 2012-03-20 04:31 261208 ----a-w- c:\windows\system32\igfcg600m.bin
2012-03-20 04:31 . 2012-03-20 04:31 79360 ----a-w- c:\windows\system32\igdde64.dll
2012-03-20 04:26 . 2012-03-20 04:26 6120960 ----a-w- c:\windows\SysWow64\igdumd32.dll
2012-03-20 04:25 . 2012-03-20 04:25 58880 ----a-w- c:\windows\SysWow64\igdde32.dll
2012-03-20 04:11 . 2012-03-20 04:11 7795200 ----a-w- c:\windows\SysWow64\igd10umd32.dll
2012-03-20 03:31 . 2012-03-20 03:31 18137088 ----a-w- c:\windows\system32\ig4icd64.dll
2012-03-20 03:21 . 2012-03-20 03:21 13212672 ----a-w- c:\windows\SysWow64\ig4icd32.dll
2012-03-20 03:18 . 2012-03-20 03:18 439296 ----a-w- c:\windows\system32\igfxrrom.lrc
2012-03-20 03:18 . 2012-03-20 03:18 438784 ----a-w- c:\windows\system32\igfxrhrv.lrc
2012-03-20 03:18 . 2012-03-20 03:18 438272 ----a-w- c:\windows\system32\igfxrsky.lrc
2012-03-20 03:18 . 2012-03-20 03:18 437760 ----a-w- c:\windows\system32\igfxrslv.lrc
2012-03-20 03:18 . 2012-03-20 03:18 439808 ----a-w- c:\windows\system32\igfxresn.lrc
2012-03-20 03:18 . 2012-03-20 03:18 439296 ----a-w- c:\windows\system32\igfxrrus.lrc
2012-03-20 03:18 . 2012-03-20 03:18 438784 ----a-w- c:\windows\system32\igfxrptg.lrc
2012-03-20 03:18 . 2012-03-20 03:18 438784 ----a-w- c:\windows\system32\igfxrplk.lrc
2012-03-20 03:18 . 2012-03-20 03:18 437760 ----a-w- c:\windows\system32\igfxrtrk.lrc
2012-03-20 03:18 . 2012-03-20 03:18 437760 ----a-w- c:\windows\system32\igfxrsve.lrc
2012-03-20 03:18 . 2012-03-20 03:18 437760 ----a-w- c:\windows\system32\igfxrptb.lrc
2012-03-20 03:18 . 2012-03-20 03:18 437248 ----a-w- c:\windows\system32\igfxrtha.lrc
2012-03-20 03:18 . 2012-03-20 03:18 440320 ----a-w- c:\windows\system32\igfxrell.lrc
2012-03-20 03:18 . 2012-03-20 03:18 438784 ----a-w- c:\windows\system32\igfxrita.lrc
2012-03-20 03:18 . 2012-03-20 03:18 438272 ----a-w- c:\windows\system32\igfxrhun.lrc
2012-03-20 03:18 . 2012-03-20 03:18 437760 ----a-w- c:\windows\system32\igfxrnor.lrc
2012-03-20 03:18 . 2012-03-20 03:18 435712 ----a-w- c:\windows\system32\igfxrheb.lrc
2012-03-20 03:18 . 2012-03-20 03:18 432128 ----a-w- c:\windows\system32\igfxrjpn.lrc
2012-03-20 03:18 . 2012-03-20 03:18 430592 ----a-w- c:\windows\system32\igfxrkor.lrc
2012-03-20 03:18 . 2012-03-20 03:18 439808 ----a-w- c:\windows\system32\igfxrfra.lrc
2012-03-20 03:18 . 2012-03-20 03:18 438784 ----a-w- c:\windows\system32\igfxrnld.lrc
2012-03-20 03:18 . 2012-03-20 03:18 438784 ----a-w- c:\windows\system32\igfxrdeu.lrc
2012-03-20 03:18 . 2012-03-20 03:18 438272 ----a-w- c:\windows\system32\igfxrfin.lrc
2012-03-20 03:18 . 2012-03-20 03:18 438272 ----a-w- c:\windows\system32\igfxrcsy.lrc
2012-03-20 03:18 . 2012-03-20 03:18 437248 ----a-w- c:\windows\system32\igfxrdan.lrc
2012-03-20 03:18 . 2012-03-20 03:18 429056 ----a-w- c:\windows\system32\igfxrcht.lrc
2012-03-20 03:18 . 2012-03-20 03:18 435712 ----a-w- c:\windows\system32\igfxrara.lrc
2012-03-20 03:18 . 2012-03-20 03:18 428544 ----a-w- c:\windows\system32\igfxrchs.lrc
2012-03-20 03:18 . 2012-03-20 03:18 126976 ----a-w- c:\windows\system32\igfxcpl.cpl
2012-03-20 03:18 . 2012-03-20 03:18 386560 ----a-w- c:\windows\system32\igfxpph.dll
2012-03-20 03:18 . 2012-03-20 03:18 410624 ----a-w- c:\windows\system32\igfxTMM.dll
2012-03-20 03:17 . 2012-03-20 03:17 28672 ----a-w- c:\windows\system32\igfxexps.dll
2012-03-20 03:17 . 2012-03-20 03:17 9216 ----a-w- c:\windows\system32\IGFXDEVLib.dll
2012-03-20 03:17 . 2012-03-20 03:17 434688 ----a-w- c:\windows\system32\igfxdev.dll
2012-03-20 03:17 . 2012-03-20 03:17 172032 ----a-w- c:\windows\system32\gfxSrvc.dll
2012-03-20 03:16 . 2012-03-20 03:16 286208 ----a-w- c:\windows\system32\igfxrenu.lrc
2012-03-20 03:16 . 2012-03-20 03:16 142336 ----a-w- c:\windows\system32\igfxdo.dll
2012-03-20 03:12 . 2012-03-20 03:12 25088 ----a-w- c:\windows\SysWow64\igfxexps32.dll
2012-03-20 03:11 . 2012-03-20 03:11 325120 ----a-w- c:\windows\SysWow64\igfxdv32.dll
2012-03-20 03:09 . 2012-03-20 03:09 524800 ----a-w- c:\windows\system32\iglhsip64.dll
2012-03-20 03:09 . 2012-03-20 03:09 519680 ----a-w- c:\windows\SysWow64\iglhsip32.dll
2012-03-20 03:09 . 2012-03-20 03:09 2967040 ----a-w- c:\windows\system32\igfxcmjit64.dll
2012-03-20 03:09 . 2012-03-20 03:09 237056 ----a-w- c:\windows\SysWow64\igfxcmrt32.dll
2012-03-20 03:09 . 2012-03-20 03:09 2321408 ----a-w- c:\windows\SysWow64\igfxcmjit32.dll
2012-03-20 03:09 . 2012-03-20 03:09 213504 ----a-w- c:\windows\system32\iglhcp64.dll
2012-03-20 03:09 . 2012-03-20 03:09 193024 ----a-w- c:\windows\system32\igfxcmrt64.dll
2012-03-20 03:09 . 2012-03-20 03:09 177152 ----a-w- c:\windows\SysWow64\iglhcp32.dll
2012-02-23 15:18 . 2010-11-21 03:27 279656 ------w- c:\windows\system32\MpSigStub.exe
2012-02-14 17:09 . 2012-02-14 17:09 1070352 ----a-w- c:\windows\SysWow64\MSCOMCTL.OCX
2012-02-14 06:42 . 2012-02-14 06:42 93272 ----a-w- c:\windows\system32\drivers\ctxusbm.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"HP Software Update"="c:\program files (x86)\Hp\HP Software Update\HPWuSchd2.exe" [2010-06-10 49208]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-04-04 843712]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-03-06 4241512]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~2\Citrix\ICACLI~1\RSHook.dll
.
R0 SpiderG3;DrWeb file system scanner;c:\windows\system32\drivers\spiderg3.sys [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-04-23 136176]
R2 UNS;Intel® Management and Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2010-12-20 2656280]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-13 257696]
R3 cphs;Intel® Content Protection HECI Service;c:\windows\SysWow64\IntelCpHeciSvc.exe [2012-03-20 276248]
R3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files (x86)\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2012-04-24 79360]
R3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.SYS [x]
R3 CTEXFIFX;CTEXFIFX;c:\windows\system32\drivers\CTEXFIFX.SYS [x]
R3 CTHWIUT;CTHWIUT;c:\windows\system32\drivers\CTHWIUT.SYS [x]
R3 esgiguard;esgiguard;c:\program files\Enigma Software Group\SpyHunter\esgiguard.sys [2011-03-02 13088]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-04-23 136176]
R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-04-21 129976]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
S0 aswNdis;avast! Firewall NDIS Filter Service;c:\windows\system32\DRIVERS\aswNdis.sys [x]
S0 aswNdis2;avast! Firewall Core Firewall Service; [x]
S1 aswFW;avast! TDI Firewall driver; [x]
S1 aswKbd;aswKbd; [x]
S1 aswSnx;aswSnx; [x]
S1 aswSP;aswSP; [x]
S1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\DRIVERS\ctxusbm.sys [x]
S1 SBRE;SBRE;c:\windows\system32\drivers\SBREdrv.sys [x]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-04-04 63928]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [x]
S2 avast! Firewall;avast! Firewall;c:\program files\AVAST Software\Avast\afwServ.exe [2012-03-06 134920]
S3 asmthub3;ASMedia USB3 Hub Service;c:\windows\system32\DRIVERS\asmthub3.sys [x]
S3 asmtxhci;ASMEDIA XHCI Service;c:\windows\system32\DRIVERS\asmtxhci.sys [x]
S3 CT20XUT.SYS;CT20XUT.SYS;c:\windows\System32\drivers\CT20XUT.SYS [x]
S3 CTEXFIFX.SYS;CTEXFIFX.SYS;c:\windows\System32\drivers\CTEXFIFX.SYS [x]
S3 CTHWIUT.SYS;CTHWIUT.SYS;c:\windows\System32\drivers\CTHWIUT.SYS [x]
S3 ha20x22k;Creative 20X2 HAL Driver;c:\windows\system32\drivers\ha20x22k.sys [x]
S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [x]
S3 MEIx64;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
Contents of the 'Scheduled Tasks' folder
.
2012-05-13 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-11 04:47]
.
2012-05-13 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-04-23 04:35]
.
2012-05-13 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2012-04-23 04:35]
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-03-06 23:15 135408 ----a-w- c:\program files\AVAST Software\Avast\ashShA64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDVCPL"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2011-06-28 11905128]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2012-03-20 170264]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2012-03-20 398616]
"Persistence"="c:\windows\system32\igfxpers.exe" [2012-03-20 439064]
"Logitech Download Assistant"="c:\windows\system32\rundll32.exe" [2009-07-14 45568]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~3\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~2\MICROS~3\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
DPF: {E705A591-DA3C-4228-B0D5-A356DBA42FBF} - hxxp://ccfiles.creative.com/Web/softwareupdate/su2/ocx/20015/CTSUEng.cab
FF - ProfilePath - c:\users\kids\AppData\Roaming\Mozilla\Firefox\Profiles\2ic58kup.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: network.proxy.type - 0
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_235_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_2_202_235_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_2_202_235.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Creative\Shared Files\CTAudSvc.exe
c:\program files\AVAST Software\Avast\AvastSvc.exe
c:\program files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
.
**************************************************************************
.
Completion time: 2012-05-13 11:18:11 - machine was rebooted
ComboFix-quarantined-files.txt 2012-05-13 16:18
.
Pre-Run: 439,925,792,768 bytes free
Post-Run: 439,665,614,848 bytes free
.
- - End Of File - - BA790020364C09161F37151B6BF4EA65


Results of screen317's Security Check version 0.99.32
Windows 7 x64 (UAC is enabled)
Internet Explorer 9
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
avast! Internet Security
WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:

JavaFX 2.1.0
Java™ 7 Update 4
Adobe Flash Player 11.2.202.235
Adobe Reader X (10.1.3)
Mozilla Firefox (12.0.)
````````````````````````````````
Process Check:
objlist.exe by Laurent

AVAST Software Avast AvastSvc.exe
AVAST Software Avast afwServ.exe
AVAST Software Avast AvastUI.exe
``````````End of Log````````````


Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.05.13.02

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
kids :: KIDS-PC [administrator]

5/13/2012 11:04:38 AM
mbam-log-2012-05-13 (11-04-38).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 196744
Time elapsed: 1 minute(s), 27 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

Sorry, I inverted the first two reports.

#6 nasdaq

nasdaq

  • Malware Response Team
  • 40,735 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:23 AM

Posted 14 May 2012 - 07:54 AM

All your logs are clean.

What are the current issues with this computer?

#7 fasterizbetter

fasterizbetter
  • Topic Starter

  • Members
  • 8 posts
  • Gender:Male
  • Location:midwest
  • Local time:10:23 AM

Posted 14 May 2012 - 01:14 PM

At any given time an intruder enters my network and will remove all my permissions until the machine becomes non-functional. Domain authority controls group policy even though I don't have a domain. There are drivers installed that aren't mine. There are hidden registry entries; the BIOS has been tampered with. The intruder and I have had multiple exchanges through either Notepad or Sticky Notes. If I run "Silent Runners" it will show the registry mods. There is a small partition on the hard drive that I didn't install that I'm unable to remove because it has no attributes. What I think has happened is that somehow my PC has been made a part of his/her network. I have multiple hard drives with various amounts of data that I've swapped, as well as printed data. This all began about 5 months ago. The operating system on this machine has been reloaded no less than 50 times. It is a real pain in the ass.

#8 nasdaq

nasdaq

  • Malware Response Team
  • 40,735 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:23 AM

Posted 15 May 2012 - 07:36 AM

I suggest you install a Firewall. You presently are using AVAST. If you like it then I suggest you upgrade your programs.
You will find the information on their site.
===

Let's check your partitions.

Please download ListPart.exe to a folder of your choice. Select the proper tool for your system.

For x86 (x32) bit systems please download Listparts
For x64 bit systems please download Listparts64
Run the tool as an Administrator, click Scan, and copy and post the log (Result.txt) in your next reply.

#9 fasterizbetter

fasterizbetter
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Gender:Male
  • Location:midwest
  • Local time:10:23 AM

Posted 20 May 2012 - 12:08 AM

Very sorry about the delayed response. I finally have acquired some data. The network that this PC is on includes a single computer ("THIS ONE"), a SonicWALL TZ210 and a Motorola SURFboard. That is the entire network. I have no server or anything like that. I am connected via LAN. I ran this software just now. Here are the results:

Date: Mon 9/15/03 @ 10:09:40 PM

Computers Scanned for this Report

Infiltrator scanned 3 computers for this report, as follows:

192.168.1.101
192.168.1.100
192.168.1.102

Computer System Information

Infiltrator obtained the following system information for each target:

192.168.1.101
IP Address: 192.168.1.101
Name: clare
OS: Windows XP
Comments:
DNS Lookup: CLARE
Platform: 500 Major: 5 Minor: 1
Domain: SPYTECHLAN
Time: 02:54:45.02 (5) on 9/16/2003
Uptime: 59h 34m 56s
Net Logon Performed by PDC Server

192.168.1.100
IP Address: 192.168.1.100
Name: SPYTECH-DESKTOP
OS: Windows 2000 Version 5.1 (Build 2600 Multiprocessor Free)
Comments: Spytech Desktop
DNS Lookup: SPYTECH-DESKTOP
Platform: 500 Major: 5 Minor: 1
Domain: SPYTECHLAN
Time: 02:53:07.40 (5) on 9/16/2003
Uptime: 254h 54m 22s
Net Logon Performed by PDC Server

192.168.1.102
IP Address: 192.168.1.102
Name: SPYTECH-LAPTOP
OS: Windows XP
Comments: Laptop
DNS Lookup: spytech-laptop.eau.wi.charter.com
Platform: 500 Major: 5 Minor: 1
Domain: SPYTECHLAN
Time: 02:51:39.18 (5) on 9/16/2003
Uptime: 00h 20m 01s
Net Logon Performed by PDC Server

Computers Registry Information

Infiltrator obtained the following system information for each target via a remote registry connection:

192.168.1.101
No information could be retrieved.

192.168.1.100
Registered Owner: Spytech
Product Name: Microsoft Windows XP
Product ID: 55444-OEM-1111111-00228
Version: 5.1
Type: Multiprocessor Free
Build: 2600
Software Type: SYSTEM
Source Path: D:\i386
System Root: C:\WINDOWS
Path Name: C:\WINDOWS
Processor: AMD Athlon™ MP 2000+
Description: x86 Family 6 Model 6 Stepping 2
Vendor: AuthenticAMD
MHZ: 1666

192.168.1.102
Registered Owner: Nathan Polencheck
Product Name: Microsoft Windows XP
Product ID: 55232-324-1111356-23333
Version: 5.1
Type: Uniprocessor Free
Build: 2600
Software Type: SYSTEM
Source Path: E:\I386
System Root: D:\WINDOWS
Path Name: D:\WINDOWS
Processor:
Description: x86 Family 6 Model 8 Stepping 3
Vendor: GenuineIntel
MHZ: 701

Security Implications: Moderate
The information presented here is enumerated via a remote registry connection. This will always succeed if the scan target in question is local to the scan (ie: Infiltrator is scanning the computer it is running on), however, if this succeeds on a remote computer then caution should be taken, as the registry could be modified remotely by any user with escalated privileges.

NetBios Scan Results

Infiltrator obtained the following NetBios tables from the target computers:

192.168.1.101
No information could be retrieved.

192.168.1.100
SPYTECH-DESKTOP - Workstation Service
SPYTECHLAN - Domain Name
SPYTECH-DESKTOP - File Server Service
SPYTECHLAN - Browser Service Elections
SPYTECHLAN - Master Browser
__MSBROWSE__ - Master Browser
MAC Address: 00-03-b2-a1-63-d5

192.168.1.102
No information could be retrieved.

Security Implications: High
Contrary to many beliefs, the ability to enumerate a machines NetBios table is not a considerate security risk when properly configured. However, NetBios can cause a considerable security risk if poorly-passworded file/printer shares are activated, or if shares are not password-protected at all. If file/printer sharing is not needed it is still recommended that NetBios be disabled. More information can be obtained about this here.

SNMP Scan Results

Infiltrator obtained the following system information for each target via a SNMP connection:

192.168.1.101
SNMP Connection Failed.

192.168.1.100
Description: Hardware: x86 Family 6 Model 6 Stepping 2 AT/AT COMPATIBLE - Software: Windows 2000 Version 5.1 (Build 2600 Multiprocessor Free)
Object ID: .iso.org.dod.internet.private.enterprises.microsoft.software.systems.os.windowsNT.workstation
UpTime: 10 days, 0 hours, 53 minutes, 17 seconds
Contact: (none)
Location: (none)
Name: SPYTECH-DESKTOP
Service Count: 76

192.168.1.102
SNMP Connection Failed.

Security Implications: High
The SNMP service can create a considerable security risk when configured improperly. If Infiltrator was able to connect to a target via SNMP then action should be taken immediately, as an open SNMP service can provide a wealth of information to a malicious attacker. If the SNMP service is absolutely required, it should be protected with a hard-to-guess community string (the default is usually "public").

Ping Sweep Results

Infiltrator obtained the following information by performing a ping sweep:

192.168.1.101
Elapsed (average): 2ms
Time-To-Live (TTL): 128
Total Hops Away: 0
Target is on Network Segment

192.168.1.100
Elapsed (average): 0ms
Time-To-Live (TTL): 255
Total Hops Away: 0
Target is on Network Segment

192.168.1.102
Elapsed (average): 0ms
Time-To-Live (TTL): 128
Total Hops Away: 0
Target is on Network Segment

Security Implications: Low
Pinging alone is not a considerable security risk. An attacker can utilize ping sweeps to tell if hosts are alive, time zones of the target host, or even what operating system is being used. If you find your computers being pinged more than usual it may be wise to limit incoming ICMP traffic on your network in order to thwart ping sweeps.

Null Session Connection

Infiltrator null session connection attempt results:

192.168.1.101
NULL Session Connection was Established!

192.168.1.100
NULL Session Connection was Established!

192.168.1.102
NULL Session Connection was Established!

Security Implications: High
The null sessions is the starting point for nearly all NetBios and target enumerations. If a null session is able to be established then information may be able to be retrieved by remote users by connecting as an anonymous user with no password. Null Sessions should be disabled by setting the RestrictAnonymous key to 1. More information can be read here.

WebServer Information

Infiltrator obtained the following information about the webserver on each target (if present):

192.168.1.101
Server: No WebServer Present
Available Commands: Options Unavailable

192.168.1.100
Server: No WebServer Present
Available Commands: Options Unavailable

192.168.1.102
Server: No WebServer Present
Available Commands: Options Unavailable

Security Implications: Low
The ability to view view the server and software a webserver is running can allow an attacker to determine if out-of-date software, or vulnerable software is running on a server. A webserver should be configured to display the minimum amount of information to users that may be probing the server.

Password Policy Information

Infiltrator obtained the following password policies for each target:

192.168.1.101
No information could be retrieved.

192.168.1.100
Minimum Length: no minimum password length
Minimum Age: no minimum password age
Maximum Age: 42 days
History Length: no password history length set
Lockout: no lockout policy
Lockout Duration: lockout duration: 30 minutes
Lockout Reset: lockout reset: 30 minutes

192.168.1.102
Minimum Length: no minimum password length
Minimum Age: no minimum password age
Maximum Age: 42 days
History Length: no password history length set
Lockout: no lockout policy
Lockout Duration: lockout duration: 30 minutes
Lockout Reset: lockout reset: 30 minutes

Security Implications: High
A weak password policy can be an easy entry point into your network by a malicious user. Password policies that do not enforce complex passwords or repeated password changes make login points susceptible to brute force attacks. For more information on how to secure your password policy visit the Microsoft security guide here.

File Shares Listing

Infiltrator obtained the following file shares for each target:

192.168.1.101
My Documents
Type: File

IPC$
Type: IPC
Comments: Remote IPC

print$
Type: File
Comments: Printer Drivers

CanonBub
Type: Printer
Comments: Canon Bubble-Jet BJC-3000

clares cd
Type: File

Clare's Music
Type: File

ADMIN$
Type: File
Comments: Remote Admin

C$
Type: File
Comments: Default share


192.168.1.100
IPC$
Type: IPC
Comments: Remote IPC

Documents
Type: File

F$
Type: File
Comments: Default share

dip
Type: File

ADMIN$
Type: File
Comments: Remote Admin

C$
Type: File
Comments: Default share


192.168.1.102
IPC$
Type: IPC
Comments: Remote IPC

D$
Type: File
Comments: Default share

ADMIN$
Type: File
Comments: Remote Admin

C$
Type: File
Comments: Default share


Security Implications: High
File and print shares that are not protected by secure passwords allow extremely easy access to a target. An open share can be viewed by anyone on the network (or Internet if the target is non-networked computer) and should always be securely protected from unauthorized access.

Users Listing

Infiltrator obtained the following user listings for each target:

192.168.1.101
Administrator

Guest

HelpAssistant

SUPPORT_388945a0

ClareC


192.168.1.100
Admin (admin)
comment: Built-in account for administering the computer/domain
last login: Tue Feb 04 23:02:43 2003
good logins: 5
bad logins: 0
attributes:

Guest (guest)
comment: Built-in account for guest access to the computer/domain
last login: Sat Dec 14 04:29:39 2002
good logins: 189
bad logins: 0
attributes: disabled no password password cannot be changed

HelpAssistant (guest)
Remote Desktop Help Assistant Account
comment: Account for Providing Remote Assistance
good logins: 0
bad logins: 0
attributes: disabled password cannot be changed

Spytech (admin)
last login: Mon Sep 15 21:33:19 2003
good logins: 1919
bad logins: 0
attributes:

SUPPORT_388945a0 (guest)
CN=Microsoft Corporation,L=Redmond,S=Washington,C=US
comment: This is a vendor's account for the Help and Support Service
good logins: 0
bad logins: 0
attributes: disabled password cannot be changed


192.168.1.102
Administrator (admin)
comment: Built-in account for administering the computer/domain
good logins: 0
bad logins: 0
attributes:

Guest (guest)
comment: Built-in account for guest access to the computer/domain
last login: Fri Sep 05 01:19:10 2003
good logins: 0
bad logins: 0
attributes: no password password cannot be changed

HelpAssistant (guest)
Remote Desktop Help Assistant Account
comment: Account for Providing Remote Assistance
good logins: 0
bad logins: 0
attributes: password cannot be changed

Spytech (admin)
last login: Mon Sep 15 21:33:27 2003
good logins: 662
bad logins: 0
attributes:

SUPPORT_388945a0 (guest)
CN=Microsoft Corporation,L=Redmond,S=Washington,C=US
comment: This is a vendor's account for the Help and Support Service
good logins: 0
bad logins: 0
attributes: disabled password cannot be changed


Security Implications: Moderate
If an attacker is able to enumerate usernames on a target it will make brute force attacks on a target easier, however a strong password can elleviate this problem.

User Groups Listing

Infiltrator obtained the following groups listings for each target:

192.168.1.101
No information could be retrieved.

192.168.1.100
Administrators
SPYTECH-DESKTOP\Admin
SPYTECH-DESKTOP\Spytech

Backup Operators

Guests
SPYTECH-DESKTOP\Guest

Network Configuration Operators

Power Users

Remote Desktop Users

Replicator

Users
NT AUTHORITY\INTERACTIVE
NT AUTHORITY\Authenticated Users

HelpServicesGroup
SPYTECH-DESKTOP\SUPPORT_388945a0


192.168.1.102
Administrators
SPYTECH-LAPTOP\Administrator
SPYTECH-LAPTOP\Spytech

Backup Operators

Guests
SPYTECH-LAPTOP\Guest

Network Configuration Operators

Power Users

Remote Desktop Users

Replicator

Users
NT AUTHORITY\INTERACTIVE
NT AUTHORITY\Authenticated Users

HelpServicesGroup
SPYTECH-LAPTOP\SUPPORT_388945a0


Security Implications: Moderate
If an attacker is able to enumerate groups on a target it will make brute force attacks on a target easier, however a strong password can elleviate this problem.

Drives Listing

Infiltrator obtained the following drive listings for each target:

192.168.1.101
No information could be retrieved.

192.168.1.100
A:
C:
D:
E:
F:

192.168.1.102
A:
C:
D:
E:

Security Implications: Low
A drive listing alone is barely a security risk - as drives on a system can be easily guessed.

Startup Keys Listing

Infiltrator obtained the following registry startup keys for each target via a remote registry connection:

192.168.1.101

User Startup Keys
The list of HKEY_CURRENT_USER registry startup keys.

Machine Startup Keys
The list of HKEY_LOCAL_MACHINE registry startup keys.
No information could be retrieved.

192.168.1.100

User Startup Keys
The list of HKEY_CURRENT_USER registry startup keys.

Machine Startup Keys
The list of HKEY_LOCAL_MACHINE registry startup keys.
NvCplDaemon: RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
UpdReg: C:\WINDOWS\Updreg.exe
Jet Detection: C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
DSKEY: C:\WINDOWS\system32\DsKey.exe
ccApp: "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
ccRegVfy: "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
Advanced Tools Check: C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
QuickTime Task: "C:\Program Files\QuickTime\qttask.exe" -atboottime
wcmdmgr: C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
WT GameChannel: C:\Program Files\WildTangent\Apps\GameChannel.exe

192.168.1.102

User Startup Keys
The list of HKEY_CURRENT_USER registry startup keys.
AIM: D:\PROGRA~1\AIM95\aim.exe -cnetwait.odl
MSMSGS: "D:\Program Files\Messenger\msmsgs.exe" /background

Machine Startup Keys
The list of HKEY_LOCAL_MACHINE registry startup keys.
PopupAgent: \\spytech-desktop\source\PopupAgent2\Debug\PopupAgent.exe
ccApp: "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
ccRegVfy: "D:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
Advanced Tools Check: D:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE

Security Implications: Moderate
The information presented here is enumerated via a remote registry connection. This will always succeed if the scan target in question is local to the scan (ie: Infiltrator is scanning the computer it is running on), however, if this succeeds on a remote computer then caution should be taken, as the registry could be modified remotely by any user with escalated privileges.

Installed Hotfixes

Infiltrator obtained the following list of hotfixes for each target:

192.168.1.101
No information could be retrieved.

192.168.1.100
Windows XP Hotfix - KB821557
Windows XP Hotfix - KB823559
Windows XP Hotfix - KB823980
Windows XP Hotfix (SP1) Q328310
Windows XP Hotfix (SP1) [See Q329048 for more information]
Windows XP Hotfix (SP2) [See Q329115 for more information]
Windows XP Hotfix (SP1) Q329170
Windows XP Hotfix (SP1) [See Q329390 for more information]
Windows XP Hotfix (SP1) [See Q329441 for more information]
Windows XP Hotfix (SP1) [See Q329834 for more information]
Windows XP Hotfix (SP1) Q331953
Windows XP Hotfix (SP1) Q810577
Windows XP Hotfix (SP1) Q811493
Windows XP Hotfix (SP1) Q815021
Windows XP Hotfix (SP1) Q817606

192.168.1.102
Windows XP Hotfix - KB821557
Windows XP Hotfix - KB823559
Windows XP Hotfix - KB823980
Windows XP Hotfix (SP1) [See Q309521 for more information]
Windows XP Hotfix (SP1) [See Q311889 for more information]
Windows XP Hotfix (SP1) [See Q311967 for more information]
Windows XP Hotfix (SP1) [See Q313450 for more information]
Windows XP Hotfix (SP1) [See Q314147 for more information]
Windows XP Hotfix (SP1) [See Q314862 for more information]
Windows XP Hotfix (SP1) [See Q315000 for more information]
Windows XP Hotfix (SP1) [See Q315403 for more information]
Windows XP Hotfix (SP1) [See Q317277 for more information]
Windows XP Hotfix (SP1) [See Q318138 for more information]
Windows XP Hotfix (SP1) [See Q323172 for more information]
Windows XP Hotfix (SP1) [See Q324096 for more information]
Windows XP Hotfix (SP1) [See Q324380 for more information]
Windows XP Hotfix (SP1) [See Q326830 for more information]
Windows XP Hotfix (SP1) Q328310
Windows XP Hotfix (SP1) [See Q329048 for more information]
Windows XP Hotfix (SP2) [See Q329115 for more information]
Windows XP Hotfix (SP1) Q329170
Windows XP Hotfix (SP1) [See Q329390 for more information]
Windows XP Hotfix (SP1) [See Q329441 for more information]
Windows XP Hotfix (SP1) [See Q329834 for more information]
Windows XP Hotfix (SP1) Q331953
Windows XP Hotfix (SP1) Q810577
Windows XP Hotfix (SP1) Q811493
Windows XP Hotfix (SP1) Q815021
Windows XP Hotfix (SP1) Q817606
Windows XP Hotfix (SP1) Q819696

Security Implications: High
Care should always be taken to make sure all computers on your network are always up to date with the latest service packs and upgrades. An outdated system (such as an IIS 4 server) is easy prey for attackers. The Microsoft Hotfix and Security Bulletin is a great source of information for staying updated and current. The Bulletin can viewed here.

Installed Software

Infiltrator obtained the following list of installed software for each target:

192.168.1.101
No information could be retrieved.

192.168.1.100
1) Adobe Acrobat 5.0
Path: D:\WINDOWS\ISUNINST.EXE -f"D:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"D:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll"

2) Advanced Tools
Path:

3) America Online
Path: D:\Program Files\Common Files\aolshare\Aolunins_us.exe

4) AOL Instant Messenger
Path: D:\Program Files\AIM95\uninstll.exe -LOG= D:\Program Files\AIM95\install.log -OEM=

5) AOL Coach Version 1.0(Build: 20020605.1)
Path: D:\WINDOWS\AolCInUn.exe

6) Internet Explorer Q822925
Path: D:\WINDOWS\ieuninst.exe D:\WINDOWS\INF\Q822925.inf

7) LiveReg (Symantec Corporation)
Path: D:\Program Files\Common Files\Symantec Shared\LiveReg\VcSetup.exe /REMOVE

8) LiveUpdate 1.80 (Symantec Corporation)
Path: D:\Program Files\Symantec\LiveUpdate\LSETUP.EXE /U

9) Outlook Express Update Q330994
Path: D:\WINDOWS\Q330994.exe D:\WINDOWS\INF\Q330994.inf

10) Driver Installation
Path: D:\WINDOWS\iun6002.exe "D:\Program Files\Driver Installation\irunin.ini"

11) Viewpoint Media Player
Path: d:\program files\viewpoint\viewpoint media player\mtsAxInstaller.exe /u

12) Microsoft Visual C++ 6.0 Professional Edition
Path: D:\Program Files\Microsoft Visual Studio\VC98\Setup\1033\Setup.exe

13) WinZip
Path: "D:\Program Files\WinZip\WINZIP32.EXE" /uninstall

14) WebFldrs XP
Path:

15) Microsoft Office XP Professional with FrontPage
Path: MsiExec.exe /I{90280409-6000-11D3-8CFE-0050048383C9}

16) Macromedia Extension Manager
Path: RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{A5BA14E0-7384-11D4-BAE7-00409631A2C8}\setup.exe" mmUninstall

17) Macromedia Dreamweaver 4
Path: RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{ABDA9912-5D00-11D4-BAE7-9367CA097955}\setup.exe" mmUninstall

18) Norton AntiVirus 2003 Professional Edition
Path:


192.168.1.102
1) Adobe Acrobat 5.0
Path: D:\WINDOWS\ISUNINST.EXE -f"D:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"D:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll"

2) Advanced Tools
Path:

3) America Online
Path: D:\Program Files\Common Files\aolshare\Aolunins_us.exe

4) AOL Instant Messenger
Path: D:\Program Files\AIM95\uninstll.exe -LOG= D:\Program Files\AIM95\install.log -OEM=

5) AOL Coach Version 1.0(Build: 20020605.1)
Path: D:\WINDOWS\AolCInUn.exe

6) Internet Explorer Q822925
Path: D:\WINDOWS\ieuninst.exe D:\WINDOWS\INF\Q822925.inf

7) LiveReg (Symantec Corporation)
Path: D:\Program Files\Common Files\Symantec Shared\LiveReg\VcSetup.exe /REMOVE

8) LiveUpdate 1.80 (Symantec Corporation)
Path: D:\Program Files\Symantec\LiveUpdate\LSETUP.EXE /U

9) Outlook Express Update Q330994
Path: D:\WINDOWS\Q330994.exe D:\WINDOWS\INF\Q330994.inf

10) Windows XP Application Compatibility Update[Q313484]
Path: D:\WINDOWS\$NtUninstallQ313484$\spuninst\spuninst.exe

11) Windows XP Application Compatibility Update[Q319580]
Path: D:\WINDOWS\$NtUninstallQ319580$\spuninst\spuninst.exe

12) Driver Installation
Path: D:\WINDOWS\iun6002.exe "D:\Program Files\Driver Installation\irunin.ini"

13) Spytech SpyAgent
Path: D:\WINDOWS\unvise32.exe D:\Program Files\Spytech Software\Spytech SpyAgent\uninstal.log

14) Viewpoint Media Player
Path: d:\program files\viewpoint\viewpoint media player\mtsAxInstaller.exe /u

15) Microsoft Visual C++ 6.0 Professional Edition
Path: D:\Program Files\Microsoft Visual Studio\VC98\Setup\1033\Setup.exe

16) WinZip
Path: "D:\Program Files\WinZip\WINZIP32.EXE" /uninstall

17) WebFldrs XP
Path:

18) Microsoft Office XP Professional with FrontPage
Path: MsiExec.exe /I{90280409-6000-11D3-8CFE-0050048383C9}

19) Macromedia Extension Manager
Path: RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{A5BA14E0-7384-11D4-BAE7-00409631A2C8}\setup.exe" mmUninstall

20) Macromedia Fireworks 4
Path: RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{A8833100-1481-11D4-9731-00C04F8EEB39}\setup.exe" UNINSTALL

21) Macromedia Dreamweaver 4
Path: RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{ABDA9912-5D00-11D4-BAE7-9367CA097955}\setup.exe" mmUninstall

22) Norton AntiVirus 2003 Professional Edition
Path:


Security Implications: High
The enumeration of installed software on a target computer may not really help an attacker if they are able to obtain this information, but a network administrator should always enforce a strict software installation policy. Rouge software installs by users on a network can allow for the entrances of viruses and worms - which can easily spread through a network and create considerable damage. All software should be tested and approved by a test lab before being installed on each computer.

Running Services

Infiltrator obtained the following list of running services for each target:

192.168.1.101
No information could be retrieved.

192.168.1.100
1) AudioSrv - Windows Audio
Path: C:\WINDOWS\System32\svchost.exe -k netsvcs
Info: Manages audio devices for Windows-based programs. If this service is stopped, audio devices and effects will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.

2) BITS - Background Intelligent Transfer Service
Path: C:\WINDOWS\System32\svchost.exe -k netsvcs
Info: Uses idle network bandwidth to transfer data.

3) Browser - Computer Browser
Path: C:\WINDOWS\System32\svchost.exe -k netsvcs
Info:

4) ccEvtMgr - Symantec Event Manager
Path: C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
Info: Symantec Event Manager

5) Creative Service for CDROM Access - Creative Service for CDROM Access
Path: C:\WINDOWS\System32\CTsvcCDA.EXE
Info:

6) CryptSvc - Cryptographic Services
Path: C:\WINDOWS\system32\svchost.exe -k netsvcs
Info:

7) Dhcp - DHCP Client
Path: C:\WINDOWS\System32\svchost.exe -k netsvcs
Info: Manages network configuration by registering and updating IP addresses and DNS names.

8) dmserver - Logical Disk Manager
Path: C:\WINDOWS\System32\svchost.exe -k netsvcs
Info:

9) ERSvc - Error Reporting Service
Path: C:\WINDOWS\System32\svchost.exe -k netsvcs
Info: Allows error reporting for services and applictions running in non-standard environments.

10) Eventlog - Event Log
Path: C:\WINDOWS\system32\services.exe
Info: Enables event log messages issued by Windows-based programs and components to be viewed in Event Viewer. This service cannot be stopped.

11) EventSystem - COM+ Event System
Path: C:\WINDOWS\System32\svchost.exe -k netsvcs
Info:

12) FastUserSwitchingCompatibility - Fast User Switching Compatibility
Path: C:\WINDOWS\System32\svchost.exe -k netsvcs
Info: Provides management for applications that require assistance in a multiple user environment.

13) helpsvc - Help and Support
Path: C:\WINDOWS\System32\svchost.exe -k netsvcs
Info: Enables Help and Support Center to run on this computer. If this service is stopped, Help and Support Center will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.

14) HidServ - HID Input Service
Path: C:\WINDOWS\System32\svchost.exe -k netsvcs
Info:

15) lanmanserver - Server
Path: C:\WINDOWS\System32\svchost.exe -k netsvcs
Info: Supports file, print, and named-pipe sharing over the network for this computer. If this service is stopped, these functions will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.

16) lanmanworkstation - Workstation
Path: C:\WINDOWS\System32\svchost.exe -k netsvcs
Info: Creates and maintains client network connections to remote servers. If this service is stopped, these connections will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.

17) LmHosts - TCP/IP NetBIOS Helper
Path: C:\WINDOWS\System32\svchost.exe -k LocalService
Info: Enables support for NetBIOS over TCP/IP (NetBT) service and NetBIOS name resolution.

18) navapsvc - Norton AntiVirus Auto Protect Service
Path: C:\Program Files\Norton AntiVirus\navapsvc.exe
Info: Handles Norton AntiVirus Auto-Protect events.

19) Netman - Network Connections
Path: C:\WINDOWS\System32\svchost.exe -k netsvcs
Info: Manages objects in the Network and Dial-Up Connections folder, in which you can view both local area network and remote connections.

20) Nla - Network Location Awareness (NLA)
Path: C:\WINDOWS\System32\svchost.exe -k netsvcs
Info: Collects and stores network configuration and location information, and notifies applications when this information changes.

21) NProtectService - Norton Unerase Protection
Path: C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
Info:

22) NVSvc - NVIDIA Driver Helper Service
Path: C:\WINDOWS\System32\nvsvc32.exe
Info:

23) PlugPlay - Plug and Play
Path: C:\WINDOWS\system32\services.exe
Info: Enables a computer to recognize and adapt to hardware changes with little or no user input. Stopping or disabling this service will result in system instability.

24) PolicyAgent - IPSEC Services
Path: C:\WINDOWS\System32\lsass.exe
Info: Manages IP security policy and starts the ISAKMP/Oakley (IKE) and the IP security driver.

25) ProtectedStorage - Protected Storage
Path: C:\WINDOWS\system32\lsass.exe
Info: Provides protected storage for sensitive data, such as private keys, to prevent access by unauthorized services, processes, or users.

26) RasMan - Remote Access Connection Manager
Path: C:\WINDOWS\System32\svchost.exe -k netsvcs
Info: Creates a network connection.

27) RemoteRegistry - Remote Registry
Path: C:\WINDOWS\system32\svchost.exe -k LocalService
Info: Enables remote users to modify registry settings on this computer. If this service is stopped, the registry can be modified only by users on this computer. If this service is disabled, any services that explicitly depend on it will fail to start.

28) RpcSs - Remote Procedure Call (RPC)
Path: C:\WINDOWS\system32\svchost -k rpcss
Info: Provides the endpoint mapper and other miscellaneous RPC services.

29) SamSs - Security Accounts Manager
Path: C:\WINDOWS\system32\lsass.exe
Info: Stores security information for local user accounts.

30) Schedule - Task Scheduler
Path: C:\WINDOWS\System32\svchost.exe -k netsvcs
Info: Enables a user to configure and schedule automated tasks on this computer. If this service is stopped, these tasks will not be run at their scheduled times. If this service is disabled, any services that explicitly depend on it will fail to start.

31) seclogon - Secondary Logon
Path: C:\WINDOWS\System32\svchost.exe -k netsvcs
Info: Enables starting processes under alternate credentials. If this service is stopped, this type of logon access will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.

32) SENS - System Event Notification
Path: C:\WINDOWS\system32\svchost.exe -k netsvcs
Info: Tracks system events such as Windows logon, network, and power events. Notifies COM+ Event System subscribers of these events.

33) ShellHWDetection - Shell Hardware Detection
Path: C:\WINDOWS\System32\svchost.exe -k netsvcs
Info:

34) SNMP - SNMP Service
Path: C:\WINDOWS\System32\snmp.exe
Info:

35) Spooler - Print Spooler
Path: C:\WINDOWS\system32\spoolsv.exe
Info: Loads files to memory for later printing.

36) srservice - System Restore Service
Path: C:\WINDOWS\System32\svchost.exe -k netsvcs
Info: Performs system restore functions. To stop service, turn off System Restore from the System Restore tab in My Computer->Properties

37) SSDPSRV - SSDP Discovery Service
Path: C:\WINDOWS\System32\svchost.exe -k LocalService
Info: Enables discovery of UPnP devices on your home network.

38) stisvc - Windows Image Acquisition (WIA)
Path: C:\WINDOWS\System32\svchost.exe -k imgsvc
Info: Provides image acquisition services for scanners and cameras.

39) TapiSrv - Telephony
Path: C:\WINDOWS\System32\svchost.exe -k netsvcs
Info: Provides Telephony API (TAPI) support for programs that control telephony devices and IP based voice connections on the local computer and, through the LAN, on servers that are also running the service.

40) TermService - Terminal Services
Path: C:\WINDOWS\System32\svchost.exe -k netsvcs
Info:

41) Themes - Themes
Path: C:\WINDOWS\System32\svchost.exe -k netsvcs
Info: Provides user experience theme management.

42) TrkWks - Distributed Link Tracking Client
Path: C:\WINDOWS\system32\svchost.exe -k netsvcs
Info: Maintains links between NTFS files within a computer or across computers in a network domain.

43) uploadmgr - Upload Manager
Path: C:\WINDOWS\System32\svchost.exe -k netsvcs
Info:

44) W32Time - Windows Time
Path: C:\WINDOWS\System32\svchost.exe -k netsvcs
Info: Maintains date and time synchronization on all clients and servers in the network. If this service is stopped, date and time synchronization will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.

45) WANMiniportService - WAN Miniport (ATW) Service
Path: C:\WINDOWS\wanmpsvc.exe
Info:

46) WebClient - WebClient
Path: C:\WINDOWS\System32\svchost.exe -k LocalService
Info: Enables Windows-based programs to create, access, and modify Internet-based files. If this service is stopped, these functions will not be available. If this service is disabled, any services that explicitly depend on it will fail to start.

47) winmgmt - Windows Management Instrumentation
Path: C:\WINDOWS\system32\svchost.exe -k netsvcs
Info:

48) WMDM PMSP Service - WMDM PMSP Service
Path: C:\WINDOWS\System32\MsPMSPSv.exe
Info:

49) wuauserv - Automatic Updates
Path: C:\WINDOWS\system32\svchost.exe -k netsvcs
Info: Enables the download and installation of critical Windows updates. If the service is disabled, the operating system can be manually updated at the Windows Update Web site.

50) WZCSVC - Wireless Zero Configuration
Path: C:\WINDOWS\System32\svchost.exe -k netsvcs
Info: Provides automatic configuration for the 802.11 adapters


192.168.1.102
1) ALG - Application Layer Gateway Service
Path: D:\WINDOWS\System32\alg.exe
Info: Provides support for 3rd party protocol plug-ins for Internet Connection Sharing and the Internet Connection Firewall

2) AudioSrv - Windows Audio
Path: D:\WINDOWS\System32\svchost.exe -k netsvcs
Info: Manages audio devices for Windows-based programs. If this service is stopped, audio devices and effects will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.

3) Browser - Computer Browser
Path: D:\WINDOWS\System32\svchost.exe -k netsvcs
Info:

4) ccEvtMgr - Symantec Event Manager
Path: D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
Info: Symantec Event Manager

5) CryptSvc - Cryptographic Services
Path: D:\WINDOWS\system32\svchost.exe -k netsvcs
Info:

6) Dhcp - DHCP Client
Path: D:\WINDOWS\System32\svchost.exe -k netsvcs
Info: Manages network configuration by registering and updating IP addresses and DNS names.

7) Dnscache - DNS Client
Path: D:\WINDOWS\System32\svchost.exe -k NetworkService
Info:

8) ERSvc - Error Reporting Service
Path: D:\WINDOWS\System32\svchost.exe -k netsvcs
Info: Allows error reporting for services and applications running in non-standard environments.

9) Eventlog - Event Log
Path: D:\WINDOWS\system32\services.exe
Info: Enables event log messages issued by Windows-based programs and components to be viewed in Event Viewer. This service cannot be stopped.

10) EventSystem - COM+ Event System
Path: D:\WINDOWS\System32\svchost.exe -k netsvcs
Info:

11) FastUserSwitchingCompatibility - Fast User Switching Compatibility
Path: D:\WINDOWS\System32\svchost.exe -k netsvcs
Info: Provides management for applications that require assistance in a multiple user environment.

12) helpsvc - Help and Support
Path: D:\WINDOWS\System32\svchost.exe -k netsvcs
Info: Enables Help and Support Center to run on this computer. If this service is stopped, Help and Support Center will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.

13) HidServ - HID Input Service
Path: D:\WINDOWS\System32\svchost.exe -k netsvcs
Info:

14) lanmanserver - Server
Path: D:\WINDOWS\System32\svchost.exe -k netsvcs
Info: Supports file, print, and named-pipe sharing over the network for this computer. If this service is stopped, these functions will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.

15) lanmanworkstation - Workstation
Path: D:\WINDOWS\System32\svchost.exe -k netsvcs
Info: Creates and maintains client network connections to remote servers. If this service is stopped, these connections will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.

16) LmHosts - TCP/IP NetBIOS Helper
Path: D:\WINDOWS\System32\svchost.exe -k LocalService
Info: Enables support for NetBIOS over TCP/IP (NetBT) service and NetBIOS name resolution.

17) Messenger - Messenger
Path: D:\WINDOWS\System32\svchost.exe -k netsvcs
Info:

18) navapsvc - Norton AntiVirus Auto Protect Service
Path: D:\Program Files\Norton AntiVirus\navapsvc.exe
Info: Handles Norton AntiVirus Auto-Protect events.

19) Netman - Network Connections
Path: D:\WINDOWS\System32\svchost.exe -k netsvcs
Info: Manages objects in the Network and Dial-Up Connections folder, in which you can view both local area network and remote connections.

20) Nla - Network Location Awareness (NLA)
Path: D:\WINDOWS\System32\svchost.exe -k netsvcs
Info: Collects and stores network configuration and location information, and notifies applications when this information changes.

21) NProtectService - Norton Unerase Protection
Path: D:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
Info:

22) PlugPlay - Plug and Play
Path: D:\WINDOWS\system32\services.exe
Info: Enables a computer to recognize and adapt to hardware changes with little or no user input. Stopping or disabling this service will result in system instability.

23) PolicyAgent - IPSEC Services
Path: D:\WINDOWS\System32\lsass.exe
Info: Manages IP security policy and starts the ISAKMP/Oakley (IKE) and the IP security driver.

24) ProtectedStorage - Protected Storage
Path: D:\WINDOWS\system32\lsass.exe
Info: Provides protected storage for sensitive data, such as private keys, to prevent access by unauthorized services, processes, or users.

25) RasAuto - Remote Access Auto Connection Manager
Path: D:\WINDOWS\System32\svchost.exe -k netsvcs
Info: Creates a connection to a remote network whenever a program references a remote DNS or NetBIOS name or address.

26) RasMan - Remote Access Connection Manager
Path: D:\WINDOWS\System32\svchost.exe -k netsvcs
Info: Creates a network connection.

27) RemoteRegistry - Remote Registry
Path: D:\WINDOWS\system32\svchost.exe -k LocalService
Info: Enables remote users to modify registry settings on this computer. If this service is stopped, the registry can be modified only by users on this computer. If this service is disabled, any services that explicitly depend on it will fail to start.

28) RpcSs - Remote Procedure Call (RPC)
Path: D:\WINDOWS\system32\svchost -k rpcss
Info: Provides the endpoint mapper and other miscellaneous RPC services.

29) SamSs - Security Accounts Manager
Path: D:\WINDOWS\system32\lsass.exe
Info: Stores security information for local user accounts.

30) Schedule - Task Scheduler
Path: D:\WINDOWS\System32\svchost.exe -k netsvcs
Info: Enables a user to configure and schedule automated tasks on this computer. If this service is stopped, these tasks will not be run at their scheduled times. If this service is disabled, any services that explicitly depend on it will fail to start.

31) seclogon - Secondary Logon
Path: D:\WINDOWS\System32\svchost.exe -k netsvcs
Info: Enables starting processes under alternate credentials. If this service is stopped, this type of logon access will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.

32) SENS - System Event Notification
Path: D:\WINDOWS\system32\svchost.exe -k netsvcs
Info: Tracks system events such as Windows logon, network, and power events. Notifies COM+ Event System subscribers of these events.

33) SharedAccess - Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS)
Path: D:\WINDOWS\System32\svchost.exe -k netsvcs
Info: Provides network address translation, addressing, name resolution and/or intrusion prevention services for a home or small office network.

34) ShellHWDetection - Shell Hardware Detection
Path: D:\WINDOWS\System32\svchost.exe -k netsvcs
Info:

35) Spooler - Print Spooler
Path: D:\WINDOWS\system32\spoolsv.exe
Info: Loads files to memory for later printing.

36) srservice - System Restore Service
Path: D:\WINDOWS\System32\svchost.exe -k netsvcs
Info: Performs system restore functions. To stop service, turn off System Restore from the System Restore tab in My Computer->Properties

37) SSDPSRV - SSDP Discovery Service
Path: D:\WINDOWS\System32\svchost.exe -k LocalService
Info: Enables discovery of UPnP devices on your home network.

38) stisvc - Windows Image Acquisition (WIA)
Path: D:\WINDOWS\System32\svchost.exe -k imgsvc
Info: Provides image acquisition services for scanners and cameras.

39) TapiSrv - Telephony
Path: D:\WINDOWS\System32\svchost.exe -k netsvcs
Info: Provides Telephony API (TAPI) support for programs that control telephony devices and IP based voice connections on the local computer and, through the LAN, on servers that are also running the service.

40) TermService - Terminal Services
Path: D:\WINDOWS\System32\svchost.exe -k netsvcs
Info:

41) Themes - Themes
Path: D:\WINDOWS\System32\svchost.exe -k netsvcs
Info: Provides user experience theme management.

42) TrkWks - Distributed Link Tracking Client
Path: D:\WINDOWS\system32\svchost.exe -k netsvcs
Info: Maintains links between NTFS files within a computer or across computers in a network domain.

43) uploadmgr - Upload Manager
Path: D:\WINDOWS\System32\svchost.exe -k netsvcs
Info:

44) W32Time - Windows Time
Path: D:\WINDOWS\System32\svchost.exe -k netsvcs
Info: Maintains date and time synchronization on all clients and servers in the network. If this service is stopped, date and time synchronization will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.

45) WANMiniportService - WAN Miniport (ATW) Service
Path: D:\WINDOWS\wanmpsvc.exe
Info:

46) WebClient - WebClient
Path: D:\WINDOWS\System32\svchost.exe -k LocalService
Info: Enables Windows-based programs to create, access, and modify Internet-based files. If this service is stopped, these functions will not be available. If this service is disabled, any services that explicitly depend on it will fail to start.

47) winmgmt - Windows Management Instrumentation
Path: D:\WINDOWS\system32\svchost.exe -k netsvcs
Info:

48) WmdmPmSp - Portable Media Serial Number
Path: D:\WINDOWS\System32\svchost.exe -k netsvcs
Info: Retrieves the serial number of any portable music player connected to your computer

49) wuauserv - Automatic Updates
Path: D:\WINDOWS\system32\svchost.exe -k netsvcs
Info: Enables the download and installation of critical Windows updates. If the service is disabled, the operating system can be manually updated at the Windows Update Web site.

50) WZCSVC - Wireless Zero Configuration
Path: D:\WINDOWS\System32\svchost.exe -k netsvcs
Info: Provides automatic configuration for the 802.11 adapters

Running Processes

Infiltrator obtained the following list of running processes for each target:

192.168.1.101
This scan was not performed.

192.168.1.100
This scan was not performed.

192.168.1.102
[System Process]
System
smss.exe
csrss.exe
winlogon.exe
services.exe
lsass.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
CCEVTMGR.EXE
spoolsv.exe
alg.exe
NAVAPSVC.EXE
NPROTECT.EXE
svchost.exe
wanmpsvc.exe
explorer.exe
CCAPP.EXE
aim.exe
wuauclt.exe
MSDEV.EXE
Infiltrator.exe

Current Sessions Listing

Infiltrator obtained the following list of active sessions for each target:

192.168.1.101
SPYTECH-LAPTOP time active: 0, time idle: 4 username: SPYTECH

192.168.1.100
SPYTECH-LAPTOP time active: 0, time idle: 1190 username: SPYTECH

192.168.1.102
127.0.0.1 time active: 9, time idle: 9 username:

Security Implications: Low
The enumeration of sessions on a target computer is not a real risk in itself, however it can allow a curious user to see who is connected to a machine, and thus give them an idea of who else is present on the target's network.

Transports Listing

Infiltrator obtained the following transport listings for each target:

192.168.1.101
No information could be retrieved.

192.168.1.100
0: \Device\NetbiosSmb @ 000000000000
1: \Device\NetBT_Tcpip_{53FDF81B-B52E-47C9-BE69-BB475F2214D2} @ 0002b3a367d3

192.168.1.102
0: \Device\NetbiosSmb @ 000000000000
1: \Device\NetBT_Tcpip_{87F5EB21-F160-4845-99C2-9BA95E002570} @ 0006252d0036

Security Implications: Low

Jobs Listing

Infiltrator obtained the following list of scheduled jobs for each target:

192.168.1.101
No information could be retrieved.

192.168.1.100
No information could be retrieved.

192.168.1.102
No information could be retrieved.

Security Implications: Moderate
The enumeration of jobs scheduled on a target is not a real risk in itself, however a user with admin privileges can use the 'at' command to schedule jobs on a target computer - which can easily be used to install trojans or remote command line applications on the target.

Local Security Authority Information

Infiltrator obtained the following LSA information for each target:

192.168.1.101
server role: 3 [primary (unknown)]
domain: SPYTECHLAN
paged pool limit: 33554432
non paged pool limit: 1048576
min work set size: 65536
max work set size: 251658240
pagefile limit: 0
time limit: 0

192.168.1.100
server role: 3 [primary (unknown)]
domain: SPYTECHLAN
paged pool limit: 33554432
non paged pool limit: 1048576
min work set size: 65536
max work set size: 251658240
pagefile limit: 0
time limit: 0

192.168.1.102
server role: 3 [primary (unknown)]
domain: SPYTECHLAN
paged pool limit: 33554432
non paged pool limit: 1048576
min work set size: 65536
max work set size: 251658240
pagefile limit: 0
time limit: 0

Security Implications: Low

Trusted Domains Listing

Infiltrator obtained the following list of trusted domains for each target:

192.168.1.101
No information could be retrieved.

192.168.1.100
No information could be retrieved.

192.168.1.102
No information could be retrieved.

Security Implications: Low
Knowing what domains are trusted by each user domain can allow an attacker to possibly use other access points to attack the target system.

Port Banners Listing

Infiltrator obtained the following port banners for each target:

192.168.1.101
No port banners retrieved.

192.168.1.100
No port banners retrieved.

192.168.1.102
No port banners retrieved.

Security Implications: Moderate
Port banners allow a snooping attacker to view what services are running on what ports. This can sometimes reveal what operating system the target is running, as well if the services running are vulnerable to any known exploits.

Open Ports

Infiltrator obtained the following list of open ports for each target:

192.168.1.101
25 (TCP)
SMTP - Simple Mail Transfer Protocol

110 (TCP)
POP3 - Post Office Protocol - Version 3

135 (TCP)
RPC-LOCATOR - RPC (Remote Procedure Call) Location Service

139 (TCP)
NETBIOS-SSN - NETBIOS Session Service

445 (TCP)
MICROSOFT-DS - Microsoft-DS

1025 (TCP)
LISTEN - listen

5000 (TCP)
Microsoft for Universal Plug and Play

123 (UDP)
NTP - Network Time Protocol

135 (UDP)
RPC-LOCATOR - RPC (Remote Procedure Call) Location Service

137 (UDP)
NETBIOS-NS - NETBIOS Name Service

138 (UDP)
NETBIOS-DGM - NETBIOS Datagram Service

445 (UDP)
MICROSOFT-DS - Microsoft-DS

1900 (UDP)
SSDP - Simple Service Discovery Protocol


192.168.1.100
25 (TCP)
SMTP - Simple Mail Transfer Protocol

110 (TCP)
POP3 - Post Office Protocol - Version 3

135 (TCP)
RPC-LOCATOR - RPC (Remote Procedure Call) Location Service

139 (TCP)
NETBIOS-SSN - NETBIOS Session Service

445 (TCP)
MICROSOFT-DS - Microsoft-DS

1025 (TCP)
LISTEN - listen

5000 (TCP)
Microsoft for Universal Plug and Play

123 (UDP)
NTP - Network Time Protocol

137 (UDP)
NETBIOS-NS - NETBIOS Name Service

138 (UDP)
NETBIOS-DGM - NETBIOS Datagram Service

161 (UDP)
SNMP - SNMP (Simple Network Management Protocol)

445 (UDP)
MICROSOFT-DS - Microsoft-DS

1900 (UDP)
SSDP - Simple Service Discovery Protocol


192.168.1.102
25 (TCP)
SMTP - Simple Mail Transfer Protocol

110 (TCP)
POP3 - Post Office Protocol - Version 3

135 (TCP)
RPC-LOCATOR - RPC (Remote Procedure Call) Location Service

139 (TCP)
NETBIOS-SSN - NETBIOS Session Service

445 (TCP)
MICROSOFT-DS - Microsoft-DS

1025 (TCP)
LISTEN - listen

3389 (TCP)
Microsoft Term server.2000/XP

5000 (TCP)
Microsoft for Universal Plug and Play

123 (UDP)
NTP - Network Time Protocol

135 (UDP)
RPC-LOCATOR - RPC (Remote Procedure Call) Location Service

137 (UDP)
NETBIOS-NS - NETBIOS Name Service

138 (UDP)
NETBIOS-DGM - NETBIOS Datagram Service

445 (UDP)
MICROSOFT-DS - Microsoft-DS

1900 (UDP)
SSDP - Simple Service Discovery Protocol


Security Implications: Moderate
Open ports can be the starting point for an attack. While an open port does not necessarily mean an attack point, what really matters is if the service on the open port can allow a possible compromise of the computer (for example: telnet with a weak login combination running on port 23).

Auditing Results

Infiltrator discovered the following alerts on each target:

192.168.1.101
Guest account exists
To protect security the Guest account should be removed or renamed.
URL: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/topics/hardsys/tcg/tcgch05.asp


192.168.1.100
AutoShareServer
The administrative shares (C$, D$, ADMIN$, etc.) are created on this machine. If you do not use them, set AutoShareServer to 0 to stop creating these shares.
Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\AutoShareServer - not-equals 0
URL: http://support.microsoft.com/support/kb/articles/Q245/1/17.asp

AutoShareWKS
The administrative shares (C$, D$, ADMIN$, etc.) are created on this machine. If you do not use them, set AutoShareWKS to 0 to stop creating these shares.
Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\AutoShareWKS - not-equals 0
URL: http://support.microsoft.com/support/kb/articles/Q245/1/17.asp

Cached Logon Credentials
This could lead to information exposure. CachedLogonsCount should be set to 0 to prevent this.
Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Nt\CurrentVersion\Winlogon\CachedLogonsCount - not-equals 0
URL: http://is-it-true.org/nt/atips/atips36.shtml

DCOM Enabled
DCOM is used to perform code execution on remote computers. This should be disabled if not used by setting EnableDCOM to N.
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\EnableDCOM - equals Y
URL: http://support.microsoft.com/support/kb/articles/Q158/5/08.asp

Last logged-on username visible
By default Windows NT/2000 displays the username of the user who logged on last.
Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\DontDisplayLastUserName - not-equals 0
URL: http://support.microsoft.com/support/kb/articles/q114/4/63.asp

LM Hash being used
It is recommended to use NTLM authentication instead of LM.
Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\LMCompatibilityLevel - not-equals 2
URL: http://support.microsoft.com/support/kb/articles/q147/7/06.asp

Anonymous Logins allowed (null sessions)
Users can log in anonymously and use null sessions to connect to this computer. You should disable guest access by setting RestrictAnonymous to 1.
Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\RestrictAnonymous - not-equals 1
URL: http://support.microsoft.com/default.aspx?scid=KB;en-us;143474

CD Autorun is enabled
Users can start software by inserting a CD into the CD drive. To disable this, set AutoRun to 0.
Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\AutoRun - not-equals 0
URL: http://sabernet.home.comcast.net/papers/WindowsNT.html

Pagefile clearing on shutdown is not enabled
Users can possibly obtain sensitive information from the pagefile since it is not cleared when this computer is shutdown.
Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown - not-equals 1
URL: http://sabernet.home.comcast.net/papers/WindowsNT.html

SNMP
The SNMP service is installed on this server. Make sure this service is secured with a strong community string, or disable it completely.
Port 161
URL: http://www.sans.org/resources/idfaq/snmp.php

Guest account exists
To protect security the Guest account should be removed or renamed.
URL: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/topics/hardsys/tcg/tcgch05.asp

User account "Guest" is disabled
If a username is disabled and not being used it should be removed from the computer to avoid unauthorized access or abuse.
URL: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/topics/hardsys/tcg/tcgch05.asp

User account "Guest" has no password
All user accounts should be protected by strong passwords to protect security. A password should be implemented immediately.
URL: https://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/winxppro/proddocs/windows_password_tips.asp

User account "HelpAssistant" has never logged on
If a username is not being used it should be removed from the computer to avoid unauthorized access or abuse.
URL: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/topics/hardsys/tcg/tcgch05.asp

User account "HelpAssistant" is disabled
If a username is disabled and not being used it should be removed from the computer to avoid unauthorized access or abuse.
URL: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/topics/hardsys/tcg/tcgch05.asp

User account "SUPPORT_388945a0" has never logged on
If a username is not being used it should be removed from the computer to avoid unauthorized access or abuse.
URL: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/topics/hardsys/tcg/tcgch05.asp

User account "SUPPORT_388945a0" is disabled
If a username is disabled and not being used it should be removed from the computer to avoid unauthorized access or abuse.
URL: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/topics/hardsys/tcg/tcgch05.asp

Password Policy has no Minimum Password Length set
Permitting short passwords (or no passwords) will reduce security because short passwords may be easily broken with tools that perform either dictionary or brute force attacks against the passwords.
URL: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/topics/hardsys/TCG/TCGCH00.asp

Password Policy has no Minimum Password Age set
Having no minimum age set for passwords allows users to keep their passwords for an indefinite amount of time - frequently changing user passwords in your environment may help reduce the risk of a valid password being cracked.
URL: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/topics/hardsys/TCG/TCGCH00.asp

Password Policy has no History Length set
Having no history length set allows a user to keep the same previous password when forced to change their password. The longer the same password is in use for an account the greater the chance that an attacker will be able to determine the password.
URL: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/topics/hardsys/TCG/TCGCH00.asp

Password Policy has no Lockout Policy set
Having no lockout policy set allows an attacker to use brute-force attacks since they have no chance of being locked out due to wrong password guesses.
URL: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/topics/hardsys/TCG/TCGCH00.asp


192.168.1.102
AutoShareServer
The administrative shares (C$, D$, ADMIN$, etc.) are created on this machine. If you do not use them, set AutoShareServer to 0 to stop creating these shares.
Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\AutoShareServer - not-equals 0
URL: http://support.microsoft.com/support/kb/articles/Q245/1/17.asp

AutoShareWKS
The administrative shares (C$, D$, ADMIN$, etc.) are created on this machine. If you do not use them, set AutoShareWKS to 0 to stop creating these shares.
Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\AutoShareWKS - not-equals 0
URL: http://support.microsoft.com/support/kb/articles/Q245/1/17.asp

Cached Logon Credentials
This could lead to information exposure. CachedLogonsCount should be set to 0 to prevent this.
Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Nt\CurrentVersion\Winlogon\CachedLogonsCount - not-equals 0
URL: http://is-it-true.org/nt/atips/atips36.shtml

DCOM Enabled
DCOM is used to perform code execution on remote computers. This should be disabled if not used by setting EnableDCOM to N.
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\EnableDCOM - equals Y
URL: http://support.microsoft.com/support/kb/articles/Q158/5/08.asp

Last logged-on username visible
By default Windows NT/2000 displays the username of the user who logged on last.
Key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\DontDisplayLastUserName - not-equals 0
URL: http://support.microsoft.com/support/kb/articles/q114/4/63.asp

LM Hash being used
It is recommended to use NTLM authentication instead of LM.
Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\LMCompatibilityLevel - not-equals 2
URL: http://support.microsoft.com/support/kb/articles/q147/7/06.asp

Anonymous Logins allowed (null sessions)
Users can log in anonymously and use null sessions to connect to this computer. You should disable guest access by setting RestrictAnonymous to 1.
Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\RestrictAnonymous - not-equals 1
URL: http://support.microsoft.com/default.aspx?scid=KB;en-us;143474

Audit use of Scheduling service is not enabled
The ability to audit the use of the scheduling service is not enabled.
Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Submit Control - not-equals 1
URL: http://sabernet.home.comcast.net/papers/WindowsNT.html

CD Autorun is enabled
Users can start software by inserting a CD into the CD drive. To disable this, set AutoRun to 0.
Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\AutoRun - not-equals 0
URL: http://sabernet.home.comcast.net/papers/WindowsNT.html

Pagefile clearing on shutdown is not enabled
Users can possibly obtain sensitive information from the pagefile since it is not cleared when this computer is shutdown.
Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown - not-equals 1
URL: http://sabernet.home.comcast.net/papers/WindowsNT.html

Printer Driver Security
By default, any low-level user can bypass the security of the local NT system and install trojan printer drivers.
Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers\AddPrintDrivers - not-equals 1
URL: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnsecure/html/msdn_secinst.asp

CrashOnAuditFail
It is recommended that you use the crash on audit fail settings. When the system security log reaches its maximum size it will stop recording security events. By enabling the crash on audit fail system, your system will shutdown until an administrator log
Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\CrashOnAuditFail - not-equals 1
URL: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnsecure/html/msdn_secinst.asp

Terminal Services
Terminal Services are installed on this server.
Port 3389
URL: http://www.microsoft.com/windows2000/technologies/terminal/default.asp

User account "Administrator" has never logged on
If a username is not being used it should be removed from the computer to avoid unauthorized access or abuse.
URL: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/topics/hardsys/tcg/tcgch05.asp

Guest account exists
To protect security the Guest account should be removed or renamed.
URL: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/topics/hardsys/tcg/tcgch05.asp

User account "Guest" has never logged on
If a username is not being used it should be removed from the computer to avoid unauthorized access or abuse.
URL: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/topics/hardsys/tcg/tcgch05.asp

User account "Guest" has no password
All user accounts should be protected by strong passwords to protect security. A password should be implemented immediately.
URL: https://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/winxppro/proddocs/windows_password_tips.asp

User account "HelpAssistant" has never logged on
If a username is not being used it should be removed from the computer to avoid unauthorized access or abuse.
URL: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/topics/hardsys/tcg/tcgch05.asp

User account "SUPPORT_388945a0" has never logged on
If a username is not being used it should be removed from the computer to avoid unauthorized access or abuse.
URL: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/topics/hardsys/tcg/tcgch05.asp

User account "SUPPORT_388945a0" is disabled
If a username is disabled and not being used it should be removed from the computer to avoid unauthorized access or abuse.
URL: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/topics/hardsys/tcg/tcgch05.asp

Password Policy has no Minimum Password Length set
Permitting short passwords (or no passwords) will reduce security because short passwords may be easily broken with tools that perform either dictionary or brute force attacks against the passwords.
URL: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/topics/hardsys/TCG/TCGCH00.asp

Password Policy has no Minimum Password Age set
Having no minimum age set for passwords allows users to keep their passwords for an indefinite amount of time - frequently changing user passwords in your environment may help reduce the risk of a valid password being cracked.
URL: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/topics/hardsys/TCG/TCGCH00.asp

Password Policy has no History Length set
Having no history length set allows a user to keep the same previous password when forced to change their password. The longer the same password is in use for an account the greater the chance that an attacker will be able to determine the password.
URL: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/topics/hardsys/TCG/TCGCH00.asp

Password Policy has no Lockout Policy set
Having no lockout policy set allows an attacker to use brute-force attacks since they have no chance of being locked out due to wrong password guesses.
URL: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/topics/hardsys/TCG/TCGCH00.asp

Conclusion

192.168.1.101
Number of Low Security Risks: 3
Number of Moderate Security Risks: 1
Number of High Security Risks: 1
Number of Open Ports: 13
Number of Security Audits: 1

192.168.1.100
Number of Low Security Risks: 5
Number of Moderate Security Risks: 4
Number of High Security Risks: 3
Number of Open Ports: 13
Number of Security Audits: 21

192.168.1.102
Number of Low Security Risks: 5
Number of Moderate Security Risks: 4
Number of High Security Risks: 3
Number of Open Ports: 14
Number of Security Audits: 24

What does this mean: Infiltrator tallies up the number of successful Low, Moderate, and High security scans performed. Any scan that was successfully performed and divulges any information on the target system will increment the above counts. This gives you an idea of how each target performed, as well as of how much information a remote attacker could possibly gain from the above targets. Open ports and successful security audits are also tallied.

Copyright Infiltration Systems 2003.
www.infiltration-systems.com

#10 nasdaq

nasdaq

  • Malware Response Team
  • 40,735 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:23 AM

Posted 20 May 2012 - 07:35 AM

I have determined that your logs are clean of malware.

The last log you have provided is out of my league. Never used it nor can I analyze it.

I suggest you start a new topic in the Networking forum
http://www.bleepingcomputer.com/forums/forum21.html

A qualified helper should be able to help you.

===

Time for some housekeeping

The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following bold text into the Run box and click OK:

ComboFix /Uninstall
===

Delete the other tools we used.

#11 nasdaq

nasdaq

  • Malware Response Team
  • 40,735 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:23 AM

Posted 26 May 2012 - 09:02 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
