SMART Repair Infection


  • This topic is locked
20 replies to this topic

#1 osubraden

osubraden

  • Members
  • 10 posts
  • OFFLINE
  • Local time:08:48 AM

Posted 10 May 2012 - 08:48 AM

I have followed the Preparation Guide for New Users and am ready!

Randomly, I received a ZoneAlarm alert about the following programs seeking permission:

C:\Documents and Settings\All Users\Application Data\seBFbp3ASaks09.exe
C:\Documents and Settings\All Users\Application Data\luxxcfjdwitc.exe
C:\Documents and Settings\Braden\Local Settings\Temp\wpbt0.dll

Shortly after my computer was taken over--multiple spam popups about my hard drive failing, desktop icons disappeared, folders emptied, and access to most everything was blocked. I found that I could also no longer enter safe mode.

Slowly I gained some access while doing a few things I read in existing threads here. I have used some AntiVirus programs to date. I have used the Unhide tool. However, I still cannot run some .exe to install a few AntiVirus programs (for instance, SUPERAntiSpyware won't install using the normal .exe). It is as if they begin loading (I see a cmd prompt window open shortly) but get stopped. I fear I am still infected, do not know to what extent, and require help to become virus-free. Thank you.

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_16
Run by Braden at 22:30:11 on 2012-05-09
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3055.2024 [GMT -8:00]
.
AV: AntiVir Desktop *Enabled/Outdated* {AD166499-45F9-482A-A743-FDD3350758C7}
FW: ZoneAlarm Firewall *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Turtle Beach\Riviera\TBRivieraTray.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Braden\Desktop\CoreTemp32\Core Temp.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Core Temp] "c:\documents and settings\braden\desktop\coretemp32\Core Temp.exe"
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [SoundMAX] "c:\program files\analog devices\soundmax\Smax4.exe" /tray
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [Turtle Beach Riviera] "c:\program files\turtle beach\riviera\TBRivieraTray.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{34821E7D-DA7A-49E0-9FC5-CDFDBC631776} : DhcpNameServer = 192.168.1.1
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\braden\application data\mozilla\firefox\profiles\oktqx4wi.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprpchromebrowserrecordext.dll
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll
.
============= SERVICES / DRIVERS ===============
.
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-7-14 11608]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2009-5-9 353672]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-8-11 116608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-7-14 136360]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-7-14 269480]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-7-14 66616]
R2 cpuz132;cpuz132;c:\windows\system32\drivers\cpuz132_x32.sys [2009-10-31 12672]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-5-9 654408]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 ALSysIO;ALSysIO;\??\c:\docume~1\braden\locals~1\temp\alsysio.sys --> c:\docume~1\braden\locals~1\temp\ALSysIO.sys [?]
R3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdXP3.sys [2012-4-5 100368]
R3 CT20XUT.SYS;CT20XUT.SYS;c:\windows\system32\drivers\CT20XUT.sys [2010-2-27 171032]
R3 CTEXFIFX.SYS;CTEXFIFX.SYS;c:\windows\system32\drivers\CTEXFIFX.sys [2010-2-27 1324056]
R3 CTHWIUT.SYS;CTHWIUT.SYS;c:\windows\system32\drivers\CTHWIUT.sys [2010-2-27 72728]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-5-9 22344]
S0 Lbd;Lbd;c:\windows\system32\drivers\lbd.sys --> c:\windows\system32\drivers\Lbd.sys [?]
S3 apf001;apf001;\??\c:\game\softnyxgame\gunboundis\apf001.sys --> c:\game\softnyxgame\gunboundis\apf001.sys [?]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\common files\creative labs shared\service\CTAELicensing.exe [2010-2-27 79360]
S3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.sys [2010-2-27 171032]
S3 CTEXFIFX;CTEXFIFX;c:\windows\system32\drivers\CTEXFIFX.sys [2010-2-27 1324056]
S3 CTHWIUT;CTHWIUT;c:\windows\system32\drivers\CTHWIUT.sys [2010-2-27 72728]
S3 dxdiag;dxdiag;c:\docume~1\braden\locals~1\temp\dxdiag.sys [2011-4-4 43508]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-12-3 1389400]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2010-12-3 15264]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-4-25 129976]
S3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\ScreamingBAudio.sys [2009-12-1 34384]
.
=============== Created Last 30 ================
.
2012-05-10 05:46:15 -------- d-----w- c:\documents and settings\braden\application data\SUPERAntiSpyware.com
2012-05-10 04:09:17 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-05-10 04:09:17 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com
2012-05-10 02:43:50 -------- d-----w- c:\documents and settings\braden\application data\Malwarebytes
2012-05-10 02:43:44 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2012-05-10 02:43:43 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-05-10 02:43:43 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-05-10 02:16:30 16397936 ----a-w- c:\documents and settings\all users\application data\SUPERAntiSpyware.exe
2012-05-10 02:02:09 36317320 ----a-w- c:\documents and settings\all users\application data\sdsetup.exe
2012-04-26 01:53:04 -------- d-----w- c:\program files\Mozilla Maintenance Service
2012-04-26 01:53:00 157352 ----a-w- c:\program files\mozilla firefox\maintenanceservice_installer.exe
2012-04-26 01:53:00 129976 ----a-w- c:\program files\mozilla firefox\maintenanceservice.exe
.
==================== Find3M ====================
.
2012-04-06 00:45:23 0 ----a-w- c:\windows\ativpsrm.bin
2012-03-15 04:49:24 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-03-09 06:22:00 7586304 ----a-w- c:\windows\system32\drivers\ati2mtag.sys
2012-03-09 06:14:42 311296 ----a-w- c:\windows\system32\atiiiexx.dll
2012-03-09 05:19:48 19959808 ----a-w- c:\windows\system32\atioglxx.dll
2012-03-09 05:02:24 5358304 ----a-w- c:\windows\system32\ati3duag.dll
2012-03-09 04:51:42 956160 ----a-w- c:\windows\system32\ativvamv.dll
2012-03-09 04:36:12 4155520 ----a-w- c:\windows\system32\ativvaxx.dll
2012-03-09 04:24:58 638976 ----a-w- c:\windows\system32\atiok3x2.dll
2012-03-09 04:21:52 53248 ----a-w- c:\windows\system32\drivers\ati2erec.dll
2012-03-09 04:20:04 442368 ----a-w- c:\windows\system32\ATIDEMGX.dll
2012-03-09 04:18:40 305152 ----a-w- c:\windows\system32\ati2dvag.dll
2012-03-09 04:12:20 65024 ----a-w- c:\windows\system32\atimpc32.dll
2012-03-09 04:12:20 65024 ----a-w- c:\windows\system32\amdpcom32.dll
2012-03-09 03:52:28 212992 ----a-w- c:\windows\system32\atipdlxx.dll
2012-03-09 03:52:12 159744 ----a-w- c:\windows\system32\Oemdspif.dll
2012-03-09 03:52:00 26112 ----a-w- c:\windows\system32\Ati2mdxx.exe
2012-03-09 03:51:52 43520 ----a-w- c:\windows\system32\ati2edxx.dll
2012-03-09 03:51:36 192512 ----a-w- c:\windows\system32\ati2evxx.dll
2012-03-09 03:50:00 643072 ----a-w- c:\windows\system32\ati2evxx.exe
2012-03-09 03:48:28 53248 ----a-w- c:\windows\system32\ATIDDC.DLL
2012-03-09 03:46:26 159744 ----a-w- c:\windows\system32\atiapfxx.exe
2012-03-09 03:41:34 847872 ----a-w- c:\windows\system32\atikvmag.dll
2012-03-09 03:36:30 237568 ----a-w- c:\windows\system32\atiadlxx.dll
2012-03-09 03:36:08 17408 ----a-w- c:\windows\system32\atitvo32.dll
2012-03-09 03:29:24 909312 ----a-w- c:\windows\system32\ati2cqag.dll
.
============= FINISH: 22:30:28.04 ===============
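As an added triage example (not a BleepingComputer tool, and not something the helpers in this thread ran): a small Python script that applies the two signals visible in the post above, executables dropped directly into `All Users\Application Data` or the user's `Temp` folder, and DDS's trailing `[?]` marker for files it could not verify, to DDS/ComboFix-style log lines. The sample lines are copied from this thread; the suspect-directory list, the reason strings and the `Finding` type are assumptions of this example.

```python
import re
from dataclasses import dataclass, field

# Directories a non-admin infection can write to and that legitimate software almost never
# launches executables *directly* from (XP-era layout, as in the thread's DDS log). Only a
# file sitting right in the directory root is flagged; real apps use named subfolders there.
SUSPECT_DIRS = (
    "all users\\application data",   # XP equivalent of ProgramData
    "local settings\\temp",          # per-user %TEMP%
    "locals~1\\temp",                # the same directory in 8.3 short form
)

# First executable-looking Windows path in a line: drive letter, then anything up to
# .exe/.dll/.sys. Brackets and quotes are excluded so [date size] / [?] tails are not eaten.
PATH_RE = re.compile(r"[a-z]:\\[^\"\[\]]*?\.(?:exe|dll|sys)\b", re.IGNORECASE)


@dataclass
class Finding:
    path: str
    reasons: list = field(default_factory=list)


def suspect_dir_of(path):
    """Return the SUSPECT_DIRS entry that is the immediate parent of `path`, else None."""
    parent = path.lower().rsplit("\\", 1)[0]
    for d in SUSPECT_DIRS:
        if parent.endswith("\\" + d):
            return d
    return None


def triage_dds_lines(lines):
    """Scan DDS/ComboFix-style log lines and return one Finding per distinct suspicious path.

    Two signals are used: the executable lives directly in a user-writable data directory,
    or the line carries DDS's trailing "[?]", meaning the file's date/size could not be
    read (missing on disk or hidden). Both are triage hints, not verdicts: the reporter's
    own SUPERAntiSpyware installer and Core Temp's ALSysIO.sys are flagged too.
    """
    findings = {}
    for raw in lines:
        line = raw.strip()
        m = PATH_RE.search(line)
        if not m:
            continue
        path = m.group(0)
        reasons = []
        d = suspect_dir_of(path)
        if d:
            reasons.append(f"executable directly in user-writable dir '{d}'")
        if line.endswith("[?]"):
            reasons.append("DDS could not verify the file on disk ([?])")
        if not reasons:
            continue
        finding = findings.setdefault(path.lower(), Finding(path))
        for r in reasons:
            if r not in finding.reasons:
                finding.reasons.append(r)
    return list(findings.values())


# Constructed sample: lines copied from this thread's ZoneAlarm alert and DDS/ComboFix logs,
# with benign Avira and RealPlayer lines included to show what is *not* flagged.
SAMPLE_LOG = r"""
C:\Documents and Settings\All Users\Application Data\seBFbp3ASaks09.exe
C:\Documents and Settings\All Users\Application Data\luxxcfjdwitc.exe
C:\Documents and Settings\Braden\Local Settings\Temp\wpbt0.dll
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
R3 ALSysIO;ALSysIO;\??\c:\docume~1\braden\locals~1\temp\alsysio.sys --> c:\docume~1\braden\locals~1\temp\ALSysIO.sys [?]
S0 Lbd;Lbd;c:\windows\system32\drivers\lbd.sys --> c:\windows\system32\drivers\Lbd.sys [?]
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprpchromebrowserrecordext.dll
2012-05-10 02:16:30 16397936 ----a-w- c:\documents and settings\all users\application data\SUPERAntiSpyware.exe
"""
SAMPLE_LINES = SAMPLE_LOG.strip().splitlines()

if __name__ == "__main__":
    for f in triage_dds_lines(SAMPLE_LINES):
        print(f.path)
        for r in f.reasons:
            print("    -", r)
```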


#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:12:48 PM

Posted 11 May 2012 - 12:40 AM

Hello and Welcome to Bleeping Computer!!

My name is Gringo and I'll be glad to help you with your computer problems.

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the Watch Topic Button, select Immediate Notification, and click on Proceed. This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Back up any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

:multiple Anti Virus programs:

It looks like you are operating your computer with multiple Anti Virus programs running in memory at once:

<insert av's>

Anti-virus programs take up an enormous amount of your computer's resources when they are actively scanning your computer. Having two anti-virus programs running at the same time can cause your computer to run very slow, become unstable and even, in rare cases, crash.

Please remove all but one of them.

Security Check

  • Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.



Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#3 osubraden

osubraden
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:08:48 AM

Posted 11 May 2012 - 01:38 AM

1. Uninstalled all but one AntiVirus programs (using Avira at the moment...). I'm curious as to why CCC.exe and MOM.exe are still running, even after restart. It looks like remnants of Malwarebytes and possibly another program still remain?
2. Security Check's checkup.txt


Results of screen317's Security Check version 0.99.32
Windows XP Service Pack 3 x86
Internet Explorer 6 Out of date!
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Disabled!
Avira AntiVir Personal - Free Antivirus
ZoneAlarm
Antivirus out of date! (On Access scanning disabled!)
```````````````````````````````
Anti-malware/Other Utilities Check:

Ad-Aware
Java™ 6 Update 16
Java version out of date!
Adobe Flash Player 11.1.102.63
Adobe Reader 9 Adobe Reader out of date!
Mozilla Firefox (12.0.)
````````````````````````````````
Process Check:
objlist.exe by Laurent

Ad-Aware AAWService.exe is disabled!
Ad-Aware AAWTray.exe is disabled!
Malwarebytes' Anti-Malware mbamservice.exe
Avira Antivir avgnt.exe
Avira Antivir avguard.exe
Zone Labs ZoneAlarm zlclient.exe
``````````End of Log````````````

3. ComboFix asked to install Recovery Console and I approved. Initially it seemed to cause my computer to restart before finishing and did not produce a log. I re-ran ComboFix and it finished properly, creating a log.

ComboFix 12-05-11.02 - Braden 05/10/2012 23:14:36.2.4 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3055.2605 [GMT -8:00]
Running from: c:\documents and settings\Braden\Desktop\ComboFix.exe
AV: AntiVir Desktop *Disabled/Outdated* {AD166499-45F9-482A-A743-FDD3350758C7}
FW: ZoneAlarm Firewall *Enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\sdsetup.exe
c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.exe
c:\documents and settings\Braden\WINDOWS
c:\windows\system32\dllcache\dlimport.exe
c:\windows\system32\dllcache\wmpvis.dll
c:\windows\system32\tmp8A.tmp
c:\windows\system32\tmp8B.tmp
.
.
((((((((((((((((((((((((( Files Created from 2012-04-11 to 2012-05-11 )))))))))))))))))))))))))))))))
.
.
2012-05-10 03:45 . 2012-05-10 03:46 -------- d-----w- c:\documents and settings\Administrator
2012-05-10 02:43 . 2012-05-10 02:43 -------- d-----w- c:\documents and settings\Braden\Application Data\Malwarebytes
2012-05-10 02:43 . 2012-05-10 02:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-04-26 01:53 . 2012-04-26 01:53 -------- d-----w- c:\program files\Mozilla Maintenance Service
2012-04-26 01:53 . 2012-04-26 01:53 157352 ----a-w- c:\program files\Mozilla Firefox\maintenanceservice_installer.exe
2012-04-26 01:53 . 2012-04-26 01:53 129976 ----a-w- c:\program files\Mozilla Firefox\maintenanceservice.exe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-03-15 04:49 . 2011-06-27 11:39 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-03-09 06:22 . 2009-05-09 22:16 7586304 ----a-w- c:\windows\system32\drivers\ati2mtag.sys
2012-03-09 06:14 . 2012-04-06 00:45 311296 ----a-w- c:\windows\system32\atiiiexx.dll
2012-03-09 05:19 . 2012-04-06 00:45 19959808 ----a-w- c:\windows\system32\atioglxx.dll
2012-03-09 05:02 . 2009-05-09 22:17 5358304 ----a-w- c:\windows\system32\ati3duag.dll
2012-03-09 04:51 . 2012-04-06 00:45 956160 ----a-w- c:\windows\system32\ativvamv.dll
2012-03-09 04:36 . 2009-05-09 22:17 4155520 ----a-w- c:\windows\system32\ativvaxx.dll
2012-03-09 04:24 . 2012-04-06 00:45 638976 ----a-w- c:\windows\system32\atiok3x2.dll
2012-03-09 04:21 . 2012-04-06 00:45 53248 ----a-w- c:\windows\system32\drivers\ati2erec.dll
2012-03-09 04:20 . 2012-04-06 00:45 442368 ----a-w- c:\windows\system32\ATIDEMGX.dll
2012-03-09 04:18 . 2009-05-09 22:17 305152 ----a-w- c:\windows\system32\ati2dvag.dll
2012-03-09 04:12 . 2012-04-06 00:45 65024 ----a-w- c:\windows\system32\atimpc32.dll
2012-03-09 04:12 . 2012-04-06 00:45 65024 ----a-w- c:\windows\system32\amdpcom32.dll
2012-03-09 03:52 . 2012-04-06 00:45 212992 ----a-w- c:\windows\system32\atipdlxx.dll
2012-03-09 03:52 . 2012-04-06 00:45 159744 ----a-w- c:\windows\system32\Oemdspif.dll
2012-03-09 03:52 . 2012-04-06 00:45 26112 ----a-w- c:\windows\system32\Ati2mdxx.exe
2012-03-09 03:51 . 2012-04-06 00:45 43520 ----a-w- c:\windows\system32\ati2edxx.dll
2012-03-09 03:51 . 2012-04-06 00:45 192512 ----a-w- c:\windows\system32\ati2evxx.dll
2012-03-09 03:50 . 2012-04-06 00:45 643072 ----a-w- c:\windows\system32\ati2evxx.exe
2012-03-09 03:48 . 2012-04-06 00:45 53248 ----a-w- c:\windows\system32\ATIDDC.DLL
2012-03-09 03:46 . 2012-04-06 00:45 159744 ----a-w- c:\windows\system32\atiapfxx.exe
2012-03-09 03:41 . 2012-04-06 00:45 847872 ----a-w- c:\windows\system32\atikvmag.dll
2012-03-09 03:36 . 2012-04-06 00:45 237568 ----a-w- c:\windows\system32\atiadlxx.dll
2012-03-09 03:36 . 2012-04-06 00:45 17408 ----a-w- c:\windows\system32\atitvo32.dll
2012-03-09 03:29 . 2009-05-09 22:17 909312 ----a-w- c:\windows\system32\ati2cqag.dll
2012-04-26 01:53 . 2011-10-31 19:10 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Core Temp"="c:\documents and settings\Braden\Desktop\CoreTemp32\Core Temp.exe" [2009-05-10 319504]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-03-16 868352]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-16 981384]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2008-06-10 1406024]
"Turtle Beach Riviera"="c:\program files\Turtle Beach\Riviera\TBRivieraTray.exe" [2007-09-06 1613824]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-11-05 281768]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2012-03-09 98304]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^Braden^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\Braden\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Braden^Start Menu^Programs^Startup^Trillian.lnk]
path=c:\documents and settings\Braden\Start Menu\Programs\Startup\Trillian.lnk
backup=c:\windows\pss\Trillian.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ad-Watch]
2010-12-03 09:05 930032 ----a-w- c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-02-28 00:10 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTxfiHlp]
2008-12-29 13:10 25600 ----a-r- c:\windows\system32\Ctxfihlp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2006-10-27 07:47 31016 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2004-04-17 19:41 196608 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2004-04-13 13:07 69632 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2011-08-09 05:08 1242448 ----a-w- c:\program files\Steam\Steam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-10-12 15:37 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2011-11-22 06:12 296056 ----a-w- c:\program files\Real\RealPlayer\Update\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
2000-05-11 09:00 90112 ------w- c:\windows\Updreg.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Documents and Settings\\Braden\\Desktop\\utorrent.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Steam\\steamapps\\tony4live3\\counter-strike source\\hl2.exe"=
.
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [7/14/2010 1:29 PM 136360]
R3 ALSysIO;ALSysIO;\??\c:\docume~1\Braden\LOCALS~1\Temp\ALSysIO.sys --> c:\docume~1\Braden\LOCALS~1\Temp\ALSysIO.sys [?]
R3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdXP3.sys [4/5/2012 4:45 PM 100368]
R3 CT20XUT.SYS;CT20XUT.SYS;c:\windows\system32\drivers\CT20XUT.sys [2/27/2010 3:39 PM 171032]
R3 CTEXFIFX.SYS;CTEXFIFX.SYS;c:\windows\system32\drivers\CTEXFIFX.sys [2/27/2010 3:39 PM 1324056]
R3 CTHWIUT.SYS;CTHWIUT.SYS;c:\windows\system32\drivers\CTHWIUT.sys [2/27/2010 3:39 PM 72728]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S3 apf001;apf001;\??\c:\game\SoftnyxGame\GunBoundIS\apf001.sys --> c:\game\SoftnyxGame\GunBoundIS\apf001.sys [?]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2/27/2010 3:37 PM 79360]
S3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.sys [2/27/2010 3:39 PM 171032]
S3 CTEXFIFX;CTEXFIFX;c:\windows\system32\drivers\CTEXFIFX.sys [2/27/2010 3:39 PM 1324056]
S3 CTHWIUT;CTHWIUT;c:\windows\system32\drivers\CTHWIUT.sys [2/27/2010 3:39 PM 72728]
S3 dxdiag;dxdiag;\??\c:\docume~1\Braden\LOCALS~1\Temp\dxdiag.sys --> c:\docume~1\Braden\LOCALS~1\Temp\dxdiag.sys [?]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [12/3/2010 1:05 AM 1389400]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [12/3/2010 1:05 AM 15264]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [4/25/2012 5:53 PM 129976]
S3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\ScreamingBAudio.sys [12/1/2009 3:49 PM 34384]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Braden\Application Data\Mozilla\Firefox\Profiles\oktqx4wi.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-luXXcFXjDwitC - c:\documents and settings\All Users\Application Data\luXXcFXjDwitC.exe
MSConfigStartUp-Spyware Protection - c:\documents and settings\Braden\Application Data\defender.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-05-10 23:20
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(968)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\atiadlxx.dll
.
Completion time: 2012-05-10 23:22:09
ComboFix-quarantined-files.txt 2012-05-11 07:21
.
Pre-Run: 184,395,456,512 bytes free
Post-Run: 186,415,521,792 bytes free
.
- - End Of File - - 34942ACADADB1592928264B52CE67150

Computer seems to be back to normal as far as I can tell. Please advise!

Edited by osubraden, 11 May 2012 - 01:40 AM.


#4 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:12:48 PM

Posted 11 May 2012 - 01:48 AM

Greetings

those are part of another program - http://www.processlibrary.com/directory/files/mom/214229/

glad things are working better but we are going to make a few more checks to be sure

Greetings

I want you to run these next,

tdsskiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please download aswMBR to your desktop.
  • Double click the aswMBR.exe icon to run it
  • it will ask to download extra definitions - ALLOW IT
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

If you have any problems running either one, come back and let me know.

please reply with the reports from TDSSKiller and aswMBR

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry every little bit helps.

Proud Graduate Of Malware Removal University
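TDSSKiller's report is long (several hundred one-line entries, as the one posted in this thread shows), and the helper's real interest is the handful of lines that are not "- ok" or whose image lives somewhere a driver or service normally should not. The following Python script is an added example for reading such a report; it is not part of this thread and not code from Kaspersky's TDSSKiller. It assumes only the line shape visible in the report (timestamp, process id, then either "name (md5) path" or "name - status"), and it treats any status other than "ok" as worth listing without assuming what wording TDSSKiller uses for detections. The data/temp-directory heuristic and the "FakeSvc" entry in the sample are the example's own constructions; the sample's other lines copy real ones from the report in this thread, and the flagged path is the orphan ComboFix removed earlier.

```python
"""Triage helper for TDSSKiller scan logs.

Added example (not part of this thread or of Kaspersky's TDSSKiller): it parses
the per-service lines that TDSSKiller writes after "Scan started" and flags the
entries a responder would look at first.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Every log line starts with "<hh:mm:ss.ffff> <pid> <text>".
LINE_RE = re.compile(r"^(?P<time>\d\d:\d\d:\d\d\.\d+)\s+(?P<pid>\d+)\s+(?P<rest>.*)$")
# "<name> (<md5>) <image path>": the file behind a service or driver.
FILE_RE = re.compile(r"^(?P<name>.+?) \((?P<md5>[0-9a-fA-F]{32})\) (?P<path>.+)$")
# "<name> - <status>": the tool's verdict for that service or driver.
STATUS_RE = re.compile(r"^(?P<name>.+?) - (?P<status>.+)$")

# Assumption for this example: a service image living under a per-user or shared
# data/temp directory deserves a second look (the rogue files in this thread were
# in "All Users\Application Data" and "Local Settings\Temp").
SUSPICIOUS_DIRS = ("\\application data\\", "\\local settings\\temp\\")


@dataclass
class Entry:
    name: str
    md5: Optional[str] = None
    path: Optional[str] = None
    status: Optional[str] = None

    def findings(self) -> List[str]:
        """Reasons to look at this entry; empty for a clean, ordinary one."""
        reasons = []
        if self.status is not None and self.status.lower() != "ok":
            reasons.append(f"status '{self.status}'")
        if self.path and any(d in self.path.lower() for d in SUSPICIOUS_DIRS):
            reasons.append(f"image in data/temp directory: {self.path}")
        return reasons


def parse_log(text: str) -> Dict[str, Entry]:
    """Collect service/driver entries; banner and SystemInfo lines are ignored."""
    entries: Dict[str, Entry] = {}
    in_scan = False
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        rest = m.group("rest")
        if rest == "Scan started":
            in_scan = True
            continue
        if not in_scan:
            continue  # header block: tool banner, drive geometry, partitions
        fm = FILE_RE.match(rest)
        if fm:
            e = entries.setdefault(fm.group("name"), Entry(fm.group("name")))
            e.md5, e.path = fm.group("md5").lower(), fm.group("path")
            continue
        sm = STATUS_RE.match(rest)
        if sm:
            e = entries.setdefault(sm.group("name"), Entry(sm.group("name")))
            e.status = sm.group("status")
    return entries


def triage(text: str) -> Dict[str, List[str]]:
    """Map each entry that needs attention to the reasons it was flagged."""
    return {name: e.findings() for name, e in parse_log(text).items() if e.findings()}


# Constructed sample in TDSSKiller's line format. The first scan entries mirror
# real lines from the report in this thread; "FakeSvc" is invented for the
# example (all-zero hash as a placeholder, path taken from the orphan ComboFix
# removed), and its status wording is a constructed non-"ok" value.
SAMPLE_LOG = r"""
23:59:47.0437 2148 TDSS rootkit removing tool 2.7.34.0 May 2 2012 09:59:18
23:59:49.0453 2148 Drive \Device\Harddisk0\DR0 - Size: 0x3A38B2E000 (232.89 Gb), SectorSize: 0x200
23:59:51.0875 1256 ============================================================
23:59:51.0875 1256 Scan started
23:59:51.0875 1256 Mode: Manual;
23:59:52.0656 1256 Abiosdsk - ok
23:59:52.0703 1256 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
23:59:52.0703 1256 ACPI - ok
23:59:53.0343 1256 Ati HotKey Poller (809b0eb83c75061c9de2e528c65a1575) C:\WINDOWS\system32\Ati2evxx.exe
23:59:53.0343 1256 Ati HotKey Poller - ok
23:59:54.0000 1256 FakeSvc (00000000000000000000000000000000) C:\Documents and Settings\All Users\Application Data\luXXcFXjDwitC.exe
23:59:54.0000 1256 FakeSvc - suspicious
"""

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_LOG).items():
        print(name)
        for r in reasons:
            print("   ", r)
```

Entries such as "Abiosdsk - ok" with no file line are kept with an empty hash and path: on XP those are registered services whose driver file is absent, which is normal and not flagged. To run it against a real report, read the `TDSSKiller.[Version]_[Date]_[Time]_log.txt` file from the root of the drive into a string and pass it to `triage()`.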

#5 osubraden

osubraden
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:08:48 AM

Posted 11 May 2012 - 02:16 AM

1. TDSSKiller report:

23:59:47.0437 2148 TDSS rootkit removing tool 2.7.34.0 May 2 2012 09:59:18
23:59:48.0000 2148 ============================================================
23:59:48.0000 2148 Current date / time: 2012/05/10 23:59:48.0000
23:59:48.0000 2148 SystemInfo:
23:59:48.0000 2148
23:59:48.0000 2148 OS Version: 5.1.2600 ServicePack: 3.0
23:59:48.0000 2148 Product type: Workstation
23:59:48.0000 2148 ComputerName: BRADEN-DESKTOP
23:59:48.0000 2148 UserName: Braden
23:59:48.0000 2148 Windows directory: C:\WINDOWS
23:59:48.0000 2148 System windows directory: C:\WINDOWS
23:59:48.0000 2148 Processor architecture: Intel x86
23:59:48.0000 2148 Number of processors: 4
23:59:48.0000 2148 Page size: 0x1000
23:59:48.0000 2148 Boot type: Normal boot
23:59:48.0000 2148 ============================================================
23:59:49.0453 2148 Drive \Device\Harddisk0\DR0 - Size: 0x3A38B2E000 (232.89 Gb), SectorSize: 0x200, Cylinders: 0x76C1, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
23:59:49.0468 2148 ============================================================
23:59:49.0468 2148 \Device\Harddisk0\DR0:
23:59:49.0468 2148 MBR partitions:
23:59:49.0468 2148 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x1D1C0681
23:59:49.0468 2148 ============================================================
23:59:49.0484 2148 C: <-> \Device\Harddisk0\DR0\Partition0
23:59:49.0484 2148 ============================================================
23:59:49.0484 2148 Initialize success
23:59:49.0484 2148 ============================================================
23:59:51.0875 1256 ============================================================
23:59:51.0875 1256 Scan started
23:59:51.0875 1256 Mode: Manual;
23:59:51.0875 1256 ============================================================
23:59:52.0656 1256 Abiosdsk - ok
23:59:52.0656 1256 abp480n5 - ok
23:59:52.0703 1256 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
23:59:52.0703 1256 ACPI - ok
23:59:52.0734 1256 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
23:59:52.0734 1256 ACPIEC - ok
23:59:52.0765 1256 ADIHdAudAddService (ce03d313a12cbc886c3beba3b4967a8a) C:\WINDOWS\system32\drivers\ADIHdAud.sys
23:59:52.0765 1256 ADIHdAudAddService - ok
23:59:52.0765 1256 adpu160m - ok
23:59:52.0796 1256 AEAudio (058cdc314672a28a90566a787d9876e7) C:\WINDOWS\system32\drivers\AEAudio.sys
23:59:52.0796 1256 AEAudio - ok
23:59:52.0812 1256 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
23:59:52.0812 1256 aec - ok
23:59:52.0828 1256 AFD (322d0e36693d6e24a2398bee62a268cd) C:\WINDOWS\System32\drivers\afd.sys
23:59:52.0828 1256 AFD - ok
23:59:52.0828 1256 Aha154x - ok
23:59:52.0828 1256 aic78u2 - ok
23:59:52.0843 1256 aic78xx - ok
23:59:52.0875 1256 Alerter (a9a3daa780ca6c9671a19d52456705b4) C:\WINDOWS\system32\alrsvc.dll
23:59:52.0875 1256 Alerter - ok
23:59:52.0890 1256 ALG (8c515081584a38aa007909cd02020b3d) C:\WINDOWS\System32\alg.exe
23:59:52.0890 1256 ALG - ok
23:59:52.0890 1256 AliIde - ok
23:59:52.0953 1256 ALSysIO - ok
23:59:52.0953 1256 amsint - ok
23:59:53.0046 1256 AntiVirSchedulerService (b4837fe56d76b2e9ea90e5365cf6a2be) C:\Program Files\Avira\AntiVir Desktop\sched.exe
23:59:53.0046 1256 AntiVirSchedulerService - ok
23:59:53.0093 1256 AntiVirService (df5a3016052755c910a206058b4a1729) C:\Program Files\Avira\AntiVir Desktop\avguard.exe
23:59:53.0093 1256 AntiVirService - ok
23:59:53.0093 1256 apf001 - ok
23:59:53.0125 1256 AppMgmt (d8849f77c0b66226335a59d26cb4edc6) C:\WINDOWS\System32\appmgmts.dll
23:59:53.0125 1256 AppMgmt - ok
23:59:53.0140 1256 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
23:59:53.0140 1256 Arp1394 - ok
23:59:53.0156 1256 asc - ok
23:59:53.0156 1256 asc3350p - ok
23:59:53.0156 1256 asc3550 - ok
23:59:53.0218 1256 aspnet_state (4eabf511b1af176a971c3271e48fa3a8) C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
23:59:53.0218 1256 aspnet_state - ok
23:59:53.0265 1256 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
23:59:53.0265 1256 AsyncMac - ok
23:59:53.0296 1256 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
23:59:53.0296 1256 atapi - ok
23:59:53.0296 1256 Atdisk - ok
23:59:53.0343 1256 Ati HotKey Poller (809b0eb83c75061c9de2e528c65a1575) C:\WINDOWS\system32\Ati2evxx.exe
23:59:53.0343 1256 Ati HotKey Poller - ok
23:59:53.0593 1256 ati2mtag (032f23b133b680b06861329c5a176ee0) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
23:59:53.0625 1256 ati2mtag - ok
23:59:53.0765 1256 AtiHDAudioService (bd9ca8136738040d3257363ed12be693) C:\WINDOWS\system32\drivers\AtihdXP3.sys
23:59:53.0765 1256 AtiHDAudioService - ok
23:59:53.0812 1256 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
23:59:53.0812 1256 Atmarpc - ok
23:59:53.0843 1256 AudioSrv (def7a7882bec100fe0b2ce2549188f9d) C:\WINDOWS\System32\audiosrv.dll
23:59:53.0843 1256 AudioSrv - ok
23:59:53.0859 1256 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
23:59:53.0859 1256 audstub - ok
23:59:53.0921 1256 avgio (0b497c79824f8e1bf22fa6aacd3de3a0) C:\Program Files\Avira\AntiVir Desktop\avgio.sys
23:59:53.0921 1256 avgio - ok
23:59:53.0937 1256 avgntflt (1e4114685de1ffa9675e09c6a1fb3f4b) C:\WINDOWS\system32\DRIVERS\avgntflt.sys
23:59:53.0937 1256 avgntflt - ok
23:59:54.0156 1256 avipbb (0f78d3dae6dedd99ae54c9491c62adf2) C:\WINDOWS\system32\DRIVERS\avipbb.sys
23:59:54.0156 1256 avipbb - ok
23:59:54.0250 1256 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
23:59:54.0250 1256 Beep - ok
23:59:54.0296 1256 BITS (574738f61fca2935f5265dc4e5691314) C:\WINDOWS\system32\qmgr.dll
23:59:54.0296 1256 BITS - ok
23:59:54.0328 1256 Browser (a06ce3399d16db864f55faeb1f1927a9) C:\WINDOWS\System32\browser.dll
23:59:54.0328 1256 Browser - ok
23:59:54.0390 1256 catchme - ok
23:59:54.0421 1256 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
23:59:54.0421 1256 cbidf2k - ok
23:59:54.0421 1256 cd20xrnt - ok
23:59:54.0437 1256 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
23:59:54.0437 1256 Cdaudio - ok
23:59:54.0453 1256 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
23:59:54.0453 1256 Cdfs - ok
23:59:54.0453 1256 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
23:59:54.0453 1256 Cdrom - ok
23:59:54.0453 1256 Changer - ok
23:59:54.0484 1256 CiSvc (1cfe720eb8d93a7158a4ebc3ab178bde) C:\WINDOWS\system32\cisvc.exe
23:59:54.0484 1256 CiSvc - ok
23:59:54.0484 1256 ClipSrv (34cbe729f38138217f9c80212a2a0c82) C:\WINDOWS\system32\clipsrv.exe
23:59:54.0484 1256 ClipSrv - ok
23:59:54.0562 1256 clr_optimization_v2.0.50727_32 (234b1bc2796483e1f5c3f26649fb3388) C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
23:59:54.0562 1256 clr_optimization_v2.0.50727_32 - ok
23:59:54.0562 1256 CmdIde - ok
23:59:54.0640 1256 cmuda3 (6c06cea8fad941c45d935d97c3aa9d56) C:\WINDOWS\system32\drivers\cmudax3.sys
23:59:54.0656 1256 cmuda3 - ok
23:59:54.0656 1256 COMSysApp - ok
23:59:54.0656 1256 Cpqarray - ok
23:59:54.0687 1256 cpuz132 (097a0a4899b759a4f032bd464963b4be) C:\WINDOWS\system32\drivers\cpuz132_x32.sys
23:59:54.0687 1256 cpuz132 - ok
23:59:54.0750 1256 Creative Audio Engine Licensing Service (c0ead9f8ab83d41ff07303c75589c2b8) C:\Program Files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe
23:59:54.0750 1256 Creative Audio Engine Licensing Service - ok
23:59:54.0765 1256 CryptSvc (3d4e199942e29207970e04315d02ad3b) C:\WINDOWS\System32\cryptsvc.dll
23:59:54.0765 1256 CryptSvc - ok
23:59:54.0796 1256 CT20XUT (6f778d290f57d6137b7f258725d6d5f6) C:\WINDOWS\system32\drivers\CT20XUT.SYS
23:59:54.0796 1256 CT20XUT - ok
23:59:54.0796 1256 CT20XUT.SYS (6f778d290f57d6137b7f258725d6d5f6) C:\WINDOWS\System32\drivers\CT20XUT.SYS
23:59:54.0812 1256 CT20XUT.SYS - ok
23:59:54.0828 1256 ctac32k (3404d052223e2c8f2ccd746c21680e65) C:\WINDOWS\system32\drivers\ctac32k.sys
23:59:54.0828 1256 ctac32k - ok
23:59:54.0859 1256 ctaud2k (8254a1775b91b3c7644bc5d684f4aa59) C:\WINDOWS\system32\drivers\ctaud2k.sys
23:59:54.0859 1256 ctaud2k - ok
23:59:54.0921 1256 CTAudSvcService (69cdba2b9c397e349a04fa70dd9170a2) C:\Program Files\Creative\Shared Files\CTAudSvc.exe
23:59:54.0937 1256 CTAudSvcService - ok
23:59:54.0968 1256 ctdvda2k (ac816d2a85c2673adc5340d5cdeab6b2) C:\WINDOWS\system32\drivers\ctdvda2k.sys
23:59:54.0984 1256 ctdvda2k - ok
23:59:55.0046 1256 CTEXFIFX (6d4cef46bb223601289dc64034401c65) C:\WINDOWS\system32\drivers\CTEXFIFX.SYS
23:59:55.0062 1256 CTEXFIFX - ok
23:59:55.0062 1256 CTEXFIFX.SYS (6d4cef46bb223601289dc64034401c65) C:\WINDOWS\System32\drivers\CTEXFIFX.SYS
23:59:55.0078 1256 CTEXFIFX.SYS - ok
23:59:55.0093 1256 CTHWIUT (44b9f2040c57cfa509548ddab2e8bf09) C:\WINDOWS\system32\drivers\CTHWIUT.SYS
23:59:55.0093 1256 CTHWIUT - ok
23:59:55.0093 1256 CTHWIUT.SYS (44b9f2040c57cfa509548ddab2e8bf09) C:\WINDOWS\System32\drivers\CTHWIUT.SYS
23:59:55.0093 1256 CTHWIUT.SYS - ok
23:59:55.0093 1256 ctprxy2k (df51f3d85d2a20b4e95c2002505d4210) C:\WINDOWS\system32\drivers\ctprxy2k.sys
23:59:55.0093 1256 ctprxy2k - ok
23:59:55.0109 1256 ctsfm2k (8b6595ea6912a09eae381c594dca4947) C:\WINDOWS\system32\drivers\ctsfm2k.sys
23:59:55.0109 1256 ctsfm2k - ok
23:59:55.0109 1256 dac2w2k - ok
23:59:55.0109 1256 dac960nt - ok
23:59:55.0156 1256 DcomLaunch (2589fe6015a316c0f5d5112b4da7b509) C:\WINDOWS\system32\rpcss.dll
23:59:55.0171 1256 DcomLaunch - ok
23:59:55.0203 1256 Dhcp (5e38d7684a49cacfb752b046357e0589) C:\WINDOWS\System32\dhcpcsvc.dll
23:59:55.0203 1256 Dhcp - ok
23:59:55.0234 1256 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
23:59:55.0234 1256 Disk - ok
23:59:55.0234 1256 dmadmin - ok
23:59:55.0265 1256 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
23:59:55.0281 1256 dmboot - ok
23:59:55.0296 1256 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
23:59:55.0296 1256 dmio - ok
23:59:55.0312 1256 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
23:59:55.0312 1256 dmload - ok
23:59:55.0328 1256 dmserver (57edec2e5f59f0335e92f35184bc8631) C:\WINDOWS\System32\dmserver.dll
23:59:55.0328 1256 dmserver - ok
23:59:55.0343 1256 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
23:59:55.0343 1256 DMusic - ok
23:59:55.0343 1256 Dnscache (474b4dc3983173e4b4c9740b0dac98a6) C:\WINDOWS\System32\dnsrslvr.dll
23:59:55.0359 1256 Dnscache - ok
23:59:55.0390 1256 Dot3svc (0f0f6e687e5e15579ef4da8dd6945814) C:\WINDOWS\System32\dot3svc.dll
23:59:55.0390 1256 Dot3svc - ok
23:59:55.0390 1256 dpti2o - ok
23:59:55.0390 1256 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
23:59:55.0390 1256 drmkaud - ok
23:59:55.0453 1256 dxdiag - ok
23:59:55.0484 1256 e1express (6f7ccd3c02b26d530900f06d98171a69) C:\WINDOWS\system32\DRIVERS\e1e5132.sys
23:59:55.0484 1256 e1express - ok
23:59:55.0500 1256 EapHost (2187855a7703adef0cef9ee4285182cc) C:\WINDOWS\System32\eapsvc.dll
23:59:55.0500 1256 EapHost - ok
23:59:55.0531 1256 emupia (6c3dce1a5600a079b046937653933281) C:\WINDOWS\system32\drivers\emupia2k.sys
23:59:55.0531 1256 emupia - ok
23:59:55.0531 1256 ERSvc (bc93b4a066477954555966d77fec9ecb) C:\WINDOWS\System32\ersvc.dll
23:59:55.0531 1256 ERSvc - ok
23:59:55.0562 1256 Eventlog (0e776ed5f7cc9f94299e70461b7b8185) C:\WINDOWS\system32\services.exe
23:59:55.0562 1256 Eventlog - ok
23:59:55.0578 1256 EventSystem (19a799805b24990867b00c120d300c3a) C:\WINDOWS\System32\es.dll
23:59:55.0578 1256 EventSystem - ok
23:59:55.0593 1256 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
23:59:55.0593 1256 Fastfat - ok
23:59:55.0625 1256 FastUserSwitchingCompatibility (1926899bf9ffe2602b63074971700412) C:\WINDOWS\System32\shsvcs.dll
23:59:55.0625 1256 FastUserSwitchingCompatibility - ok
23:59:55.0640 1256 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
23:59:55.0640 1256 Fdc - ok
23:59:55.0640 1256 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
23:59:55.0640 1256 Fips - ok
23:59:55.0656 1256 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
23:59:55.0656 1256 Flpydisk - ok
23:59:55.0687 1256 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
23:59:55.0687 1256 FltMgr - ok
23:59:55.0796 1256 FontCache3.0.0.0 (993883524aa9cf1c90e1545411a9ac9c) C:\WINDOWS\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
23:59:55.0796 1256 FontCache3.0.0.0 - ok
23:59:55.0828 1256 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
23:59:55.0828 1256 Fs_Rec - ok
23:59:55.0828 1256 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
23:59:55.0828 1256 Ftdisk - ok
23:59:55.0843 1256 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
23:59:55.0843 1256 Gpc - ok
23:59:55.0875 1256 ha20x2k (46209281d43511ce2c660821b05c2b5d) C:\WINDOWS\system32\drivers\ha20x2k.sys
23:59:55.0890 1256 ha20x2k - ok
23:59:55.0906 1256 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
23:59:55.0906 1256 HDAudBus - ok
23:59:55.0968 1256 helpsvc (4fcca060dfe0c51a09dd5c3843888bcd) C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll
23:59:55.0968 1256 helpsvc - ok
23:59:55.0984 1256 HidServ (deb04da35cc871b6d309b77e1443c796) C:\WINDOWS\System32\hidserv.dll
23:59:55.0984 1256 HidServ - ok
23:59:56.0000 1256 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
23:59:56.0015 1256 HidUsb - ok
23:59:56.0046 1256 hkmsvc (8878bd685e490239777bfe51320b88e9) C:\WINDOWS\System32\kmsvc.dll
23:59:56.0046 1256 hkmsvc - ok
23:59:56.0046 1256 hpn - ok
23:59:56.0078 1256 HTTP (f6aacf5bce2893e0c1754afeb672e5c9) C:\WINDOWS\system32\Drivers\HTTP.sys
23:59:56.0078 1256 HTTP - ok
23:59:56.0093 1256 HTTPFilter (6100a808600f44d999cebdef8841c7a3) C:\WINDOWS\System32\w3ssl.dll
23:59:56.0093 1256 HTTPFilter - ok
23:59:56.0093 1256 i2omgmt - ok
23:59:56.0093 1256 i2omp - ok
23:59:56.0109 1256 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
23:59:56.0109 1256 i8042prt - ok
23:59:56.0187 1256 idsvc (e7cc3aeaed9893a88876744cd439f76c) C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
23:59:56.0203 1256 idsvc - ok
23:59:56.0218 1256 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
23:59:56.0218 1256 Imapi - ok
23:59:56.0250 1256 ImapiService (30deaf54a9755bb8546168cfe8a6b5e1) C:\WINDOWS\system32\imapi.exe
23:59:56.0250 1256 ImapiService - ok
23:59:56.0250 1256 ini910u - ok
23:59:56.0250 1256 IntelIde - ok
23:59:56.0265 1256 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
23:59:56.0265 1256 intelppm - ok
23:59:56.0265 1256 ip6fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
23:59:56.0281 1256 ip6fw - ok
23:59:56.0296 1256 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
23:59:56.0296 1256 IpFilterDriver - ok
23:59:56.0312 1256 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
23:59:56.0312 1256 IpInIp - ok
23:59:56.0343 1256 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
23:59:56.0343 1256 IpNat - ok
23:59:56.0343 1256 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
23:59:56.0343 1256 IPSec - ok
23:59:56.0359 1256 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
23:59:56.0359 1256 IRENUM - ok
23:59:56.0390 1256 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
23:59:56.0390 1256 isapnp - ok
23:59:56.0390 1256 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
23:59:56.0390 1256 Kbdclass - ok
23:59:56.0406 1256 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
23:59:56.0406 1256 kbdhid - ok
23:59:56.0437 1256 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
23:59:56.0437 1256 kmixer - ok
23:59:56.0453 1256 KSecDD (1705745d900dabf2d89f90ebaddc7517) C:\WINDOWS\system32\drivers\KSecDD.sys
23:59:56.0453 1256 KSecDD - ok
23:59:56.0453 1256 lanmanserver (f385f4b02c535bffe1d70cab80838123) C:\WINDOWS\System32\srvsvc.dll
23:59:56.0453 1256 lanmanserver - ok
23:59:56.0468 1256 lanmanworkstation (1b67b632786fef1c1bbaef46c2f3f2e6) C:\WINDOWS\System32\wkssvc.dll
23:59:56.0468 1256 lanmanworkstation - ok
23:59:56.0609 1256 Lavasoft Ad-Aware Service (656b09ee2900b00b5d9874da513a9ed3) C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
23:59:56.0625 1256 Lavasoft Ad-Aware Service - ok
23:59:56.0640 1256 Lavasoft Kernexplorer (0bd6d3f477df86420de942a741dabe37) C:\Program Files\Lavasoft\Ad-Aware\KernExplorer.sys
23:59:56.0640 1256 Lavasoft Kernexplorer - ok
23:59:56.0671 1256 Lbd - ok
23:59:56.0671 1256 lbrtfdc - ok
23:59:56.0687 1256 LmHosts (a7db739ae99a796d91580147e919cc59) C:\WINDOWS\System32\lmhsvc.dll
23:59:56.0687 1256 LmHosts - ok
23:59:56.0703 1256 Messenger (986b1ff5814366d71e0ac5755c88f2d3) C:\WINDOWS\System32\msgsvc.dll
23:59:56.0703 1256 Messenger - ok
23:59:56.0750 1256 Microsoft Office Groove Audit Service (fafe367d032ed82e9332b4c741a20216) C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe
23:59:56.0750 1256 Microsoft Office Groove Audit Service - ok
23:59:56.0796 1256 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
23:59:56.0796 1256 mnmdd - ok
23:59:56.0828 1256 mnmsrvc (d18f1f0c101d06a1c1adf26eed16fcdd) C:\WINDOWS\System32\mnmsrvc.exe
23:59:56.0828 1256 mnmsrvc - ok
23:59:56.0843 1256 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
23:59:56.0843 1256 Modem - ok
23:59:56.0890 1256 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
23:59:56.0890 1256 Mouclass - ok
23:59:56.0921 1256 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
23:59:56.0921 1256 mouhid - ok
23:59:56.0921 1256 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
23:59:56.0921 1256 MountMgr - ok
23:59:56.0968 1256 MozillaMaintenance (96aa8ba23142cc8e2b30f3cae0c80254) C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe
23:59:56.0968 1256 MozillaMaintenance - ok
23:59:56.0968 1256 mraid35x - ok
23:59:56.0984 1256 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
23:59:56.0984 1256 MRxDAV - ok
23:59:57.0031 1256 MRxSmb (68755f0ff16070178b54674fe5b847b0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
23:59:57.0046 1256 MRxSmb - ok
23:59:57.0062 1256 MSDTC (a137f1470499a205abbb9aafb3b6f2b1) C:\WINDOWS\System32\msdtc.exe
23:59:57.0062 1256 MSDTC - ok
23:59:57.0062 1256 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
23:59:57.0062 1256 Msfs - ok
23:59:57.0062 1256 MSIServer - ok
23:59:57.0109 1256 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
23:59:57.0109 1256 MSKSSRV - ok
23:59:57.0109 1256 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
23:59:57.0109 1256 MSPCLOCK - ok
23:59:57.0109 1256 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
23:59:57.0109 1256 MSPQM - ok
23:59:57.0125 1256 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
23:59:57.0125 1256 mssmbios - ok
23:59:57.0140 1256 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
23:59:57.0140 1256 Mup - ok
23:59:57.0171 1256 napagent (0102140028fad045756796e1c685d695) C:\WINDOWS\System32\qagentrt.dll
23:59:57.0171 1256 napagent - ok
23:59:57.0187 1256 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
23:59:57.0187 1256 NDIS - ok
23:59:57.0203 1256 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
23:59:57.0203 1256 NdisTapi - ok
23:59:57.0203 1256 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
23:59:57.0203 1256 Ndisuio - ok
23:59:57.0218 1256 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
23:59:57.0218 1256 NdisWan - ok
23:59:57.0234 1256 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
23:59:57.0234 1256 NDProxy - ok
23:59:57.0234 1256 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
23:59:57.0234 1256 NetBIOS - ok
23:59:57.0250 1256 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
23:59:57.0250 1256 NetBT - ok
23:59:57.0265 1256 NetDDE (b857ba82860d7ff85ae29b095645563b) C:\WINDOWS\system32\netdde.exe
23:59:57.0265 1256 NetDDE - ok
23:59:57.0281 1256 NetDDEdsdm (b857ba82860d7ff85ae29b095645563b) C:\WINDOWS\system32\netdde.exe
23:59:57.0281 1256 NetDDEdsdm - ok
23:59:57.0296 1256 Netlogon (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
23:59:57.0296 1256 Netlogon - ok
23:59:57.0312 1256 Netman (13e67b55b3abd7bf3fe7aae5a0f9a9de) C:\WINDOWS\System32\netman.dll
23:59:57.0312 1256 Netman - ok
23:59:57.0390 1256 NetTcpPortSharing (f9102685f97f9ba85f4a70afcf722cfe) C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
23:59:57.0390 1256 NetTcpPortSharing - ok
23:59:57.0421 1256 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
23:59:57.0437 1256 NIC1394 - ok
23:59:57.0437 1256 Nla (b4138e99236f0f57d4cf49bae98a0746) C:\WINDOWS\System32\mswsock.dll
23:59:57.0437 1256 Nla - ok
23:59:57.0531 1256 NMSAccessU (fd306fbcce7adb1077b709742e7148e9) C:\Program Files\CDBurnerXP\NMSAccessU.exe
23:59:57.0531 1256 NMSAccessU - ok
23:59:57.0546 1256 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
23:59:57.0546 1256 Npfs - ok
23:59:57.0609 1256 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
23:59:57.0609 1256 Ntfs - ok
23:59:57.0609 1256 NtLmSsp (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\System32\lsass.exe
23:59:57.0609 1256 NtLmSsp - ok
23:59:57.0656 1256 NtmsSvc (156f64a3345bd23c600655fb4d10bc08) C:\WINDOWS\system32\ntmssvc.dll
23:59:57.0671 1256 NtmsSvc - ok
23:59:57.0671 1256 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
23:59:57.0687 1256 Null - ok
23:59:57.0718 1256 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
23:59:57.0718 1256 NwlnkFlt - ok
23:59:57.0734 1256 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
23:59:57.0734 1256 NwlnkFwd - ok
23:59:57.0812 1256 odserv (84de1dd996b48b05ace31ad015fa108a) C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE
23:59:57.0812 1256 odserv - ok
23:59:57.0812 1256 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
23:59:57.0812 1256 ohci1394 - ok
23:59:57.0843 1256 ose (5a432a042dae460abe7199b758e8606c) C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
23:59:57.0843 1256 ose - ok
23:59:57.0859 1256 ossrv (5cfbf86e0a98390eba378a7e738f92e3) C:\WINDOWS\system32\drivers\ctoss2k.sys
23:59:57.0859 1256 ossrv - ok
23:59:57.0875 1256 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
23:59:57.0875 1256 Parport - ok
23:59:57.0875 1256 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
23:59:57.0875 1256 PartMgr - ok
23:59:57.0890 1256 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
23:59:57.0890 1256 ParVdm - ok
23:59:57.0906 1256 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
23:59:57.0906 1256 PCI - ok
23:59:57.0906 1256 PCIDump - ok
23:59:57.0953 1256 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
23:59:57.0953 1256 PCIIde - ok
23:59:57.0968 1256 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
23:59:57.0968 1256 Pcmcia - ok
23:59:57.0968 1256 PDCOMP - ok
23:59:57.0984 1256 PDFRAME - ok
23:59:57.0984 1256 PDRELI - ok
23:59:57.0984 1256 PDRFRAME - ok
23:59:57.0984 1256 perc2 - ok
23:59:57.0984 1256 perc2hib - ok
23:59:58.0015 1256 PlugPlay (0e776ed5f7cc9f94299e70461b7b8185) C:\WINDOWS\system32\services.exe
23:59:58.0015 1256 PlugPlay - ok
23:59:58.0031 1256 Point32 (cf7c1868b90c90a265fc3f60ce46265b) C:\WINDOWS\system32\DRIVERS\point32.sys
23:59:58.0031 1256 Point32 - ok
23:59:58.0046 1256 PolicyAgent (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
23:59:58.0046 1256 PolicyAgent - ok
23:59:58.0046 1256 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
23:59:58.0046 1256 PptpMiniport - ok
23:59:58.0062 1256 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
23:59:58.0062 1256 Processor - ok
23:59:58.0062 1256 ProtectedStorage (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
23:59:58.0062 1256 ProtectedStorage - ok
23:59:58.0078 1256 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
23:59:58.0078 1256 PSched - ok
23:59:58.0078 1256 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
23:59:58.0078 1256 Ptilink - ok
23:59:58.0109 1256 PxHelp20 (153d02480a0a2f45785522e814c634b6) C:\WINDOWS\system32\Drivers\PxHelp20.sys
23:59:58.0109 1256 PxHelp20 - ok
23:59:58.0109 1256 ql1080 - ok
23:59:58.0125 1256 Ql10wnt - ok
23:59:58.0125 1256 ql12160 - ok
23:59:58.0125 1256 ql1240 - ok
23:59:58.0125 1256 ql1280 - ok
23:59:58.0140 1256 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
23:59:58.0140 1256 RasAcd - ok
23:59:58.0156 1256 RasAuto (ad188be7bdf94e8df4ca0a55c00a5073) C:\WINDOWS\System32\rasauto.dll
23:59:58.0156 1256 RasAuto - ok
23:59:58.0156 1256 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
23:59:58.0156 1256 Rasl2tp - ok
23:59:58.0187 1256 RasMan (76a9a3cbeadd68cc57cda5e1d7448235) C:\WINDOWS\System32\rasmans.dll
23:59:58.0187 1256 RasMan - ok
23:59:58.0187 1256 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
23:59:58.0187 1256 RasPppoe - ok
23:59:58.0187 1256 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
23:59:58.0187 1256 Raspti - ok
23:59:58.0203 1256 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
23:59:58.0203 1256 Rdbss - ok
23:59:58.0203 1256 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
23:59:58.0203 1256 RDPCDD - ok
23:59:58.0218 1256 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
23:59:58.0218 1256 rdpdr - ok
23:59:58.0250 1256 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
23:59:58.0250 1256 RDPWD - ok
23:59:58.0265 1256 RDSessMgr (3c37bf86641bda977c3bf8a840f3b7fa) C:\WINDOWS\system32\sessmgr.exe
23:59:58.0281 1256 RDSessMgr - ok
23:59:58.0296 1256 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
23:59:58.0296 1256 redbook - ok
23:59:58.0328 1256 RemoteAccess (7e699ff5f59b5d9de5390e3c34c67cf5) C:\WINDOWS\System32\mprdim.dll
23:59:58.0328 1256 RemoteAccess - ok
23:59:58.0343 1256 RemoteRegistry (5b19b557b0c188210a56a6b699d90b8f) C:\WINDOWS\system32\regsvc.dll
23:59:58.0343 1256 RemoteRegistry - ok
23:59:58.0375 1256 RpcLocator (aaed593f84afa419bbae8572af87cf6a) C:\WINDOWS\System32\locator.exe
23:59:58.0375 1256 RpcLocator - ok
23:59:58.0406 1256 RpcSs (2589fe6015a316c0f5d5112b4da7b509) C:\WINDOWS\System32\rpcss.dll
23:59:58.0406 1256 RpcSs - ok
23:59:58.0453 1256 RSVP (471b3f9741d762abe75e9deea4787e47) C:\WINDOWS\System32\rsvp.exe
23:59:58.0453 1256 RSVP - ok
23:59:58.0484 1256 SamSs (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
23:59:58.0484 1256 SamSs - ok
23:59:58.0500 1256 SCardSvr (86d007e7a654b9a71d1d7d856b104353) C:\WINDOWS\System32\SCardSvr.exe
23:59:58.0500 1256 SCardSvr - ok
23:59:58.0531 1256 Schedule (0a9a7365a1ca4319aa7c1d6cd8e4eafa) C:\WINDOWS\system32\schedsvc.dll
23:59:58.0531 1256 Schedule - ok
23:59:58.0578 1256 SCREAMINGBDRIVER (a643d6df1b7546256b11fb5d6b5d1375) C:\WINDOWS\system32\drivers\ScreamingBAudio.sys
23:59:58.0578 1256 SCREAMINGBDRIVER - ok
23:59:58.0593 1256 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
23:59:58.0593 1256 Secdrv - ok
23:59:58.0593 1256 seclogon (cbe612e2bb6a10e3563336191eda1250) C:\WINDOWS\System32\seclogon.dll
23:59:58.0593 1256 seclogon - ok
23:59:58.0640 1256 SenFiltService (b6a6b409fda9d9ebd3aadb838d3d7173) C:\WINDOWS\system32\drivers\Senfilt.sys
23:59:58.0640 1256 SenFiltService - ok
23:59:58.0640 1256 SENS (7fdd5d0684eca8c1f68b4d99d124dcd0) C:\WINDOWS\system32\sens.dll
23:59:58.0640 1256 SENS - ok
23:59:58.0656 1256 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
23:59:58.0656 1256 serenum - ok
23:59:58.0656 1256 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
23:59:58.0656 1256 Serial - ok
23:59:58.0671 1256 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
23:59:58.0671 1256 Sfloppy - ok
23:59:58.0718 1256 SharedAccess (83f41d0d89645d7235c051ab1d9523ac) C:\WINDOWS\System32\ipnathlp.dll
23:59:58.0718 1256 SharedAccess - ok
23:59:58.0718 1256 ShellHWDetection (1926899bf9ffe2602b63074971700412) C:\WINDOWS\System32\shsvcs.dll
23:59:58.0718 1256 ShellHWDetection - ok
23:59:58.0734 1256 Simbad - ok
23:59:58.0734 1256 Sparrow - ok
23:59:58.0734 1256 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
23:59:58.0734 1256 splitter - ok
23:59:58.0750 1256 Spooler (d8e14a61acc1d4a6cd0d38aebac7fa3b) C:\WINDOWS\system32\spoolsv.exe
23:59:58.0750 1256 Spooler - ok
23:59:58.0750 1256 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
23:59:58.0750 1256 sr - ok
23:59:58.0828 1256 srescan (bb1cc49b817d2551eb321f4a9afb7d8c) C:\WINDOWS\system32\ZoneLabs\srescan.sys
23:59:58.0828 1256 srescan - ok
23:59:58.0859 1256 srservice (3805df0ac4296a34ba4bf93b346cc378) C:\WINDOWS\system32\srsvc.dll
23:59:58.0859 1256 srservice - ok
23:59:58.0890 1256 Srv (5252605079810904e31c332e241cd59b) C:\WINDOWS\system32\DRIVERS\srv.sys
23:59:58.0890 1256 Srv - ok
23:59:58.0906 1256 SSDPSRV (0a5679b3714edab99e357057ee88fca6) C:\WINDOWS\System32\ssdpsrv.dll
23:59:58.0906 1256 SSDPSRV - ok
23:59:58.0937 1256 ssmdrv (a36ee93698802cd899f98bfd553d8185) C:\WINDOWS\system32\DRIVERS\ssmdrv.sys
23:59:58.0937 1256 ssmdrv - ok
23:59:58.0953 1256 StarOpen (f92254b0bcfcd10caac7bccc7cb7f467) C:\WINDOWS\system32\drivers\StarOpen.sys
23:59:58.0953 1256 StarOpen - ok
23:59:58.0968 1256 stisvc (8bad69cbac032d4bbacfce0306174c30) C:\WINDOWS\system32\wiaservc.dll
23:59:58.0968 1256 stisvc - ok
23:59:59.0000 1256 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
23:59:59.0000 1256 swenum - ok
23:59:59.0015 1256 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
23:59:59.0015 1256 swmidi - ok
23:59:59.0015 1256 SwPrv - ok
23:59:59.0015 1256 symc810 - ok
23:59:59.0015 1256 symc8xx - ok
23:59:59.0015 1256 sym_hi - ok
23:59:59.0015 1256 sym_u3 - ok
23:59:59.0031 1256 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
23:59:59.0031 1256 sysaudio - ok
23:59:59.0062 1256 SysmonLog (c7abbc59b43274b1109df6b24d617051) C:\WINDOWS\system32\smlogsvc.exe
23:59:59.0062 1256 SysmonLog - ok
23:59:59.0078 1256 TapiSrv (3cb78c17bb664637787c9a1c98f79c38) C:\WINDOWS\System32\tapisrv.dll
23:59:59.0078 1256 TapiSrv - ok
23:59:59.0093 1256 Tcpip (93ea8d04ec73a85db02eb8805988f733) C:\WINDOWS\system32\DRIVERS\tcpip.sys
23:59:59.0109 1256 Tcpip - ok
23:59:59.0125 1256 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
23:59:59.0125 1256 TDPIPE - ok
23:59:59.0140 1256 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
23:59:59.0140 1256 TDTCP - ok
23:59:59.0140 1256 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
23:59:59.0140 1256 TermDD - ok
23:59:59.0156 1256 TermService (ff3477c03be7201c294c35f684b3479f) C:\WINDOWS\System32\termsrv.dll
23:59:59.0156 1256 TermService - ok
23:59:59.0171 1256 Themes (1926899bf9ffe2602b63074971700412) C:\WINDOWS\System32\shsvcs.dll
23:59:59.0171 1256 Themes - ok
23:59:59.0218 1256 TlntSvr (db7205804759ff62c34e3efd8a4cc76a) C:\WINDOWS\System32\tlntsvr.exe
23:59:59.0218 1256 TlntSvr - ok
23:59:59.0218 1256 TosIde - ok
23:59:59.0234 1256 TrkWks (55bca12f7f523d35ca3cb833c725f54e) C:\WINDOWS\system32\trkwks.dll
23:59:59.0234 1256 TrkWks - ok
23:59:59.0265 1256 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
23:59:59.0265 1256 Udfs - ok
23:59:59.0265 1256 ultra - ok
23:59:59.0281 1256 UMWdf (ab0a7ca90d9e3d6a193905dc1715ded0) C:\WINDOWS\system32\wdfmgr.exe
23:59:59.0281 1256 UMWdf - ok
23:59:59.0312 1256 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
23:59:59.0312 1256 Update - ok
23:59:59.0359 1256 upnphost (1ebafeb9a3fbdc41b8d9c7f0f687ad91) C:\WINDOWS\System32\upnphost.dll
23:59:59.0359 1256 upnphost - ok
23:59:59.0390 1256 UPS (05365fb38fca1e98f7a566aaaf5d1815) C:\WINDOWS\System32\ups.exe
23:59:59.0390 1256 UPS - ok
23:59:59.0421 1256 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
23:59:59.0421 1256 usbccgp - ok
23:59:59.0421 1256 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
23:59:59.0421 1256 usbehci - ok
23:59:59.0437 1256 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
23:59:59.0437 1256 usbhub - ok
23:59:59.0484 1256 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
23:59:59.0484 1256 usbprint - ok
23:59:59.0484 1256 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
23:59:59.0484 1256 usbscan - ok
23:59:59.0531 1256 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
23:59:59.0531 1256 USBSTOR - ok
23:59:59.0562 1256 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
23:59:59.0562 1256 usbuhci - ok
23:59:59.0593 1256 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
23:59:59.0593 1256 VgaSave - ok
23:59:59.0593 1256 ViaIde - ok
23:59:59.0625 1256 vmm (590c7a3a1133e51a7e1cef67366e75af) C:\WINDOWS\system32\Drivers\vmm.sys
23:59:59.0625 1256 vmm - ok
23:59:59.0671 1256 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
23:59:59.0671 1256 VolSnap - ok
23:59:59.0703 1256 VPCNetS2 (f96a678debdccb0b4bb7f38cb2580589) C:\WINDOWS\system32\DRIVERS\VMNetSrv.sys
23:59:59.0703 1256 VPCNetS2 - ok
23:59:59.0734 1256 vsdatant (13a225a31f8d64a395373e9434d2d1ab) C:\WINDOWS\system32\vsdatant.sys
23:59:59.0750 1256 vsdatant - ok
23:59:59.0750 1256 vsmon - ok
23:59:59.0796 1256 VSS (7a9db3a67c333bf0bd42e42b8596854b) C:\WINDOWS\System32\vssvc.exe
23:59:59.0796 1256 VSS - ok
23:59:59.0828 1256 W32Time (54af4b1d5459500ef0937f6d33b1914f) C:\WINDOWS\system32\w32time.dll
23:59:59.0828 1256 W32Time - ok
23:59:59.0859 1256 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
23:59:59.0859 1256 Wanarp - ok
23:59:59.0859 1256 WDICA - ok
23:59:59.0875 1256 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
23:59:59.0875 1256 wdmaud - ok
23:59:59.0875 1256 WebClient (77a354e28153ad2d5e120a5a8687bc06) C:\WINDOWS\System32\webclnt.dll
23:59:59.0875 1256 WebClient - ok
23:59:59.0953 1256 winmgmt (2d0e4ed081963804ccc196a0929275b5) C:\WINDOWS\system32\wbem\WMIsvc.dll
23:59:59.0953 1256 winmgmt - ok
23:59:59.0984 1256 WmdmPmSN (140ef97b64f560fd78643cae2cdad838) C:\WINDOWS\system32\MsPMSNSv.dll
23:59:59.0984 1256 WmdmPmSN - ok
00:00:00.0031 1256 Wmi (bab489a5fe26f2d0c910cf7af7e4cf92) C:\WINDOWS\System32\advapi32.dll
00:00:00.0046 1256 Wmi - ok
00:00:00.0093 1256 WmiApSrv (e0673f1106e62a68d2257e376079f821) C:\WINDOWS\System32\wbem\wmiapsrv.exe
00:00:00.0093 1256 WmiApSrv - ok
00:00:00.0140 1256 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
00:00:00.0140 1256 WS2IFSL - ok
00:00:00.0203 1256 wscsvc (7c278e6408d1dce642230c0585a854d5) C:\WINDOWS\system32\wscsvc.dll
00:00:00.0203 1256 wscsvc - ok
00:00:00.0203 1256 wuauserv (35321fb577cdc98ce3eb3a3eb9e4610a) C:\WINDOWS\system32\wuauserv.dll
00:00:00.0203 1256 wuauserv - ok
00:00:00.0265 1256 WZCSVC (81dc3f549f44b1c1fff022dec9ecf30b) C:\WINDOWS\System32\wzcsvc.dll
00:00:00.0265 1256 WZCSVC - ok
00:00:00.0281 1256 xmlprov (295d21f14c335b53cb8154e5b1f892b9) C:\WINDOWS\System32\xmlprov.dll
00:00:00.0281 1256 xmlprov - ok
00:00:00.0312 1256 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
00:00:00.0453 1256 \Device\Harddisk0\DR0 - ok
00:00:00.0453 1256 Boot (0x1200) (1f3d6f83ea3d33c56423c094d9fbb1be) \Device\Harddisk0\DR0\Partition0
00:00:00.0453 1256 \Device\Harddisk0\DR0\Partition0 - ok
00:00:00.0453 1256 ============================================================
00:00:00.0453 1256 Scan finished
00:00:00.0453 1256 ============================================================
00:00:00.0453 2484 Detected object count: 0
00:00:00.0453 2484 Actual detected object count: 0

2. aswMBR report:

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-05-11 00:02:48
-----------------------------
00:02:48.343 OS Version: Windows 5.1.2600 Service Pack 3
00:02:48.343 Number of processors: 4 586 0xF07
00:02:48.343 ComputerName: BRADEN-DESKTOP UserName: Braden
00:02:48.984 Initialize success
00:13:12.859 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP3T0L0-12
00:13:12.875 Disk 0 Vendor: ST3250410AS 4.AAA Size: 238475MB BusType: 3
00:13:12.875 Disk 0 MBR read successfully
00:13:12.875 Disk 0 MBR scan
00:13:12.875 Disk 0 Windows XP default MBR code
00:13:12.890 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 238464 MB offset 63
00:13:12.890 Disk 0 scanning sectors +488376000
00:13:12.968 Disk 0 scanning C:\WINDOWS\system32\drivers
00:13:17.593 Service scanning
00:13:23.171 Service vsdatant C:\WINDOWS\System32\vsdatant.sys **LOCKED** 32
00:13:24.156 Modules scanning
00:13:26.562 Disk 0 trace - called modules:
00:13:26.593 ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
00:13:26.593 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a41fab8]
00:13:26.593 3 CLASSPNP.SYS[b8108fd7] -> nt!IofCallDriver -> \Device\00000080[0x8a4769e8]
00:13:26.593 5 ACPI.sys[b7f7f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP3T0L0-12[0x8a421940]
00:13:26.609 Scan finished successfully
00:13:39.640 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Braden\Desktop\MBR.dat"
00:13:39.640 The log file has been saved successfully to "C:\Documents and Settings\Braden\Desktop\aswMBR.txt"
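The aswMBR and TDSSKiller output above boils down to a few checks on sector 0 of the boot disk. The following is an added example (not part of the thread, and not either tool's code) that performs those checks in Python on a constructed 512-byte image: validate the 0x55AA signature, hash the first 0x1B8 bytes the way TDSSKiller's "MBR (0x1B8)" line labels it, and decode the partition table into the one-line form aswMBR prints. Assumptions: the hashed range is the 0x1B8 bytes before the 4-byte disk signature (taken from the log's label), the sample boot code is a placeholder rather than real Windows XP MBR code, and the partition geometry (NTFS, LBA 63, 238464 MB) is copied from the aswMBR line above while the image itself is constructed, not the user's MBR.dat.

```python
"""Decode a 512-byte MBR image the way the aswMBR and TDSSKiller logs
summarise it.  Added example, not the tools' own code.  The image built by
build_sample_mbr() is constructed: placeholder boot code, one NTFS partition.
"""
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 0x1B8           # bytes covered by TDSSKiller's "MBR (0x1B8)" hash (assumption)
DISK_SIG_OFF = 0x1B8            # 4-byte NT disk signature
PART_TABLE_OFF = 0x1BE          # four 16-byte partition entries
PART_ENTRY = "<B3sB3sII"        # flag, CHS start, type, CHS end, LBA start, sector count
PART_TYPES = {0x05: "Extended", 0x07: "HPFS/NTFS", 0x0B: "FAT32", 0x0C: "FAT32 LBA", 0x83: "Linux"}


def parse_mbr(mbr: bytes) -> dict:
    """Validate the signature, hash the boot code and decode the partition table."""
    if len(mbr) != SECTOR:
        raise ValueError("MBR image must be exactly 512 bytes")
    if mbr[510:512] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        flag, _chs_s, ptype, _chs_e, lba, count = struct.unpack_from(
            PART_ENTRY, mbr, PART_TABLE_OFF + 16 * i)
        if ptype == 0:                       # empty slot
            continue
        partitions.append({
            "index": i + 1,
            "flag": flag,
            "bootable": flag == 0x80,
            "type": ptype,
            "type_name": PART_TYPES.get(ptype, "unknown"),
            "start_lba": lba,
            "sectors": count,
            "size_mb": count * SECTOR // (1024 * 1024),
        })
    return {
        "boot_code_md5": hashlib.md5(mbr[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", mbr, DISK_SIG_OFF)[0],
        "partitions": partitions,
    }


def boot_code_matches(mbr: bytes, known_md5: str) -> bool:
    """Compare the boot-code hash with a baseline taken from a known-clean image."""
    return parse_mbr(mbr)["boot_code_md5"] == known_md5.lower()


def summarize(mbr: bytes) -> list:
    """aswMBR-style one-liners for each populated partition entry."""
    lines = []
    for p in parse_mbr(mbr)["partitions"]:
        active = "A" if p["bootable"] else " "
        lines.append(f"Partition {p['index']} {p['flag']:02X} ({active}) {p['type']:02X} "
                     f"{p['type_name']} {p['size_mb']} MB offset {p['start_lba']}")
    return lines


def build_sample_mbr(boot_code: bytes, disk_sig: int, partitions) -> bytes:
    """Constructed image for the example (not a real disk dump)."""
    mbr = bytearray(SECTOR)
    mbr[:len(boot_code)] = boot_code
    struct.pack_into("<I", mbr, DISK_SIG_OFF, disk_sig)
    for i, (bootable, ptype, lba, count) in enumerate(partitions):
        struct.pack_into(PART_ENTRY, mbr, PART_TABLE_OFF + 16 * i,
                         0x80 if bootable else 0x00, b"\xFE\xFF\xFF", ptype,
                         b"\xFE\xFF\xFF", lba, count)
    mbr[510:512] = b"\x55\xAA"
    return bytes(mbr)


# One NTFS partition at LBA 63 with the size aswMBR reported above (238464 MB = 238464*2048 sectors).
# The boot code is a placeholder (a JMP plus NOPs), not Windows XP's MBR code.
SAMPLE_MBR = build_sample_mbr(b"\xEB\x3C\x90" + b"\x90" * 61, 0x12345678,
                              [(True, 0x07, 63, 238464 * 2048)])

if __name__ == "__main__":
    info = parse_mbr(SAMPLE_MBR)
    print("boot code md5:", info["boot_code_md5"])
    for line in summarize(SAMPLE_MBR):
        print(line)
```

Two caveats a responder should keep in mind. The hash is only as good as the baseline it is compared against (TDSSKiller and aswMBR carry their own tables of known-good boot code; the example does not). And a bootkit that hooks the disk stack can filter reads of sector 0 and hand back a clean copy, which is why aswMBR also prints the "trace - called modules" chain down to the IDE driver: a hash computed from inside the running system is evidence, not proof.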

#6 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 11 May 2012 - 02:30 AM

Greetings

At this time I would like you to run this script for me and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#7 osubraden (Topic Starter)

Posted 11 May 2012 - 08:39 AM

As far as I can tell the ride is over. No more hidden files, no more pop ups, no more rogue programs trying to seek access (as alerted by ZoneAlarm). Are you seeing anything else hidden? Also, any recommendations? Please advise :)

ComboFix 12-05-11.02 - Braden 05/11/2012 6:22.3.4 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3055.2441 [GMT -8:00]
Running from: c:\documents and settings\Braden\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Braden\Desktop\CFScript.txt
AV: AntiVir Desktop *Disabled/Outdated* {AD166499-45F9-482A-A743-FDD3350758C7}
FW: ZoneAlarm Firewall *Disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.
.
((((((((((((((((((((((((( Files Created from 2012-04-11 to 2012-05-11 )))))))))))))))))))))))))))))))
.
.
2012-05-10 03:45 . 2012-05-10 03:46 -------- d-----w- c:\documents and settings\Administrator
2012-05-10 02:43 . 2012-05-10 02:43 -------- d-----w- c:\documents and settings\Braden\Application Data\Malwarebytes
2012-05-10 02:43 . 2012-05-10 02:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-04-26 01:53 . 2012-04-26 01:53 -------- d-----w- c:\program files\Mozilla Maintenance Service
2012-04-26 01:53 . 2012-04-26 01:53 157352 ----a-w- c:\program files\Mozilla Firefox\maintenanceservice_installer.exe
2012-04-26 01:53 . 2012-04-26 01:53 129976 ----a-w- c:\program files\Mozilla Firefox\maintenanceservice.exe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-03-15 04:49 . 2011-06-27 11:39 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-03-09 06:22 . 2009-05-09 22:16 7586304 ----a-w- c:\windows\system32\drivers\ati2mtag.sys
2012-03-09 06:14 . 2012-04-06 00:45 311296 ----a-w- c:\windows\system32\atiiiexx.dll
2012-03-09 05:19 . 2012-04-06 00:45 19959808 ----a-w- c:\windows\system32\atioglxx.dll
2012-03-09 05:02 . 2009-05-09 22:17 5358304 ----a-w- c:\windows\system32\ati3duag.dll
2012-03-09 04:51 . 2012-04-06 00:45 956160 ----a-w- c:\windows\system32\ativvamv.dll
2012-03-09 04:36 . 2009-05-09 22:17 4155520 ----a-w- c:\windows\system32\ativvaxx.dll
2012-03-09 04:24 . 2012-04-06 00:45 638976 ----a-w- c:\windows\system32\atiok3x2.dll
2012-03-09 04:21 . 2012-04-06 00:45 53248 ----a-w- c:\windows\system32\drivers\ati2erec.dll
2012-03-09 04:20 . 2012-04-06 00:45 442368 ----a-w- c:\windows\system32\ATIDEMGX.dll
2012-03-09 04:18 . 2009-05-09 22:17 305152 ----a-w- c:\windows\system32\ati2dvag.dll
2012-03-09 04:12 . 2012-04-06 00:45 65024 ----a-w- c:\windows\system32\atimpc32.dll
2012-03-09 04:12 . 2012-04-06 00:45 65024 ----a-w- c:\windows\system32\amdpcom32.dll
2012-03-09 03:52 . 2012-04-06 00:45 212992 ----a-w- c:\windows\system32\atipdlxx.dll
2012-03-09 03:52 . 2012-04-06 00:45 159744 ----a-w- c:\windows\system32\Oemdspif.dll
2012-03-09 03:52 . 2012-04-06 00:45 26112 ----a-w- c:\windows\system32\Ati2mdxx.exe
2012-03-09 03:51 . 2012-04-06 00:45 43520 ----a-w- c:\windows\system32\ati2edxx.dll
2012-03-09 03:51 . 2012-04-06 00:45 192512 ----a-w- c:\windows\system32\ati2evxx.dll
2012-03-09 03:50 . 2012-04-06 00:45 643072 ----a-w- c:\windows\system32\ati2evxx.exe
2012-03-09 03:48 . 2012-04-06 00:45 53248 ----a-w- c:\windows\system32\ATIDDC.DLL
2012-03-09 03:46 . 2012-04-06 00:45 159744 ----a-w- c:\windows\system32\atiapfxx.exe
2012-03-09 03:41 . 2012-04-06 00:45 847872 ----a-w- c:\windows\system32\atikvmag.dll
2012-03-09 03:36 . 2012-04-06 00:45 237568 ----a-w- c:\windows\system32\atiadlxx.dll
2012-03-09 03:36 . 2012-04-06 00:45 17408 ----a-w- c:\windows\system32\atitvo32.dll
2012-03-09 03:29 . 2009-05-09 22:17 909312 ----a-w- c:\windows\system32\ati2cqag.dll
2012-04-26 01:53 . 2011-10-31 19:10 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Core Temp"="c:\documents and settings\Braden\Desktop\CoreTemp32\Core Temp.exe" [2009-05-10 319504]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-03-16 868352]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-16 981384]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2008-06-10 1406024]
"Turtle Beach Riviera"="c:\program files\Turtle Beach\Riviera\TBRivieraTray.exe" [2007-09-06 1613824]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-11-05 281768]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2012-03-09 98304]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^Braden^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\Braden\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Braden^Start Menu^Programs^Startup^Trillian.lnk]
path=c:\documents and settings\Braden\Start Menu\Programs\Startup\Trillian.lnk
backup=c:\windows\pss\Trillian.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ad-Watch]
2010-12-03 09:05 930032 ----a-w- c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-02-28 00:10 35696 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTxfiHlp]
2008-12-29 13:10 25600 ----a-r- c:\windows\system32\Ctxfihlp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2006-10-27 07:47 31016 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2004-04-17 19:41 196608 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2004-04-13 13:07 69632 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
2011-08-09 05:08 1242448 ----a-w- c:\program files\Steam\Steam.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-10-12 15:37 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2011-11-22 06:12 296056 ----a-w- c:\program files\Real\RealPlayer\Update\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
2000-05-11 09:00 90112 ------w- c:\windows\Updreg.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Documents and Settings\\Braden\\Desktop\\utorrent.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Steam\\steamapps\\tony4live3\\counter-strike source\\hl2.exe"=
.
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [7/14/2010 1:29 PM 136360]
R3 ALSysIO;ALSysIO;\??\c:\docume~1\Braden\LOCALS~1\Temp\ALSysIO.sys --> c:\docume~1\Braden\LOCALS~1\Temp\ALSysIO.sys [?]
R3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdXP3.sys [4/5/2012 4:45 PM 100368]
R3 CT20XUT.SYS;CT20XUT.SYS;c:\windows\system32\drivers\CT20XUT.sys [2/27/2010 3:39 PM 171032]
R3 CTEXFIFX.SYS;CTEXFIFX.SYS;c:\windows\system32\drivers\CTEXFIFX.sys [2/27/2010 3:39 PM 1324056]
R3 CTHWIUT.SYS;CTHWIUT.SYS;c:\windows\system32\drivers\CTHWIUT.sys [2/27/2010 3:39 PM 72728]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S3 apf001;apf001;\??\c:\game\SoftnyxGame\GunBoundIS\apf001.sys --> c:\game\SoftnyxGame\GunBoundIS\apf001.sys [?]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2/27/2010 3:37 PM 79360]
S3 CT20XUT;CT20XUT;c:\windows\system32\drivers\CT20XUT.sys [2/27/2010 3:39 PM 171032]
S3 CTEXFIFX;CTEXFIFX;c:\windows\system32\drivers\CTEXFIFX.sys [2/27/2010 3:39 PM 1324056]
S3 CTHWIUT;CTHWIUT;c:\windows\system32\drivers\CTHWIUT.sys [2/27/2010 3:39 PM 72728]
S3 dxdiag;dxdiag;\??\c:\docume~1\Braden\LOCALS~1\Temp\dxdiag.sys --> c:\docume~1\Braden\LOCALS~1\Temp\dxdiag.sys [?]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [12/3/2010 1:05 AM 1389400]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\kernexplorer.sys [12/3/2010 1:05 AM 15264]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [4/25/2012 5:53 PM 129976]
S3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\ScreamingBAudio.sys [12/1/2009 3:49 PM 34384]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - 58986112
*NewlyCreated* - ASWMBR
*NewlyCreated* - WS2IFSL
*Deregistered* - 58986112
*Deregistered* - aswMBR
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\Braden\Application Data\Mozilla\Firefox\Profiles\oktqx4wi.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-05-11 06:25
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(968)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\atiadlxx.dll
.
Completion time: 2012-05-11 06:25:50
ComboFix-quarantined-files.txt 2012-05-11 14:25
ComboFix2.txt 2012-05-11 07:22
.
Pre-Run: 186,452,570,112 bytes free
Post-Run: 186,500,050,944 bytes free
.
- - End Of File - - 07D385E915EA9B51960F3245B631D20D
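The service/driver block and the Run keys in the ComboFix log above are where a responder looks first for anything loading from a place it should not. The following is an added example, not from the thread and not ComboFix's own code, that parses lines in exactly the format shown above and flags the ones worth a second look: images in a Temp directory, in a user profile or All Users\Application Data path, kernel drivers (.sys) outside \windows\system32\drivers, and entries ComboFix lists with "[?]". Reading "[?]" as "file not examined or not found" is an assumption drawn from the entries above, where every other line carries a date and size. The sample input is copied from the log above plus one clearly labelled constructed placeholder. A flag is a prompt to look, not a verdict: the Temp driver and the Desktop Run value it flags here may well be legitimate hardware-monitoring tooling.

```python
r"""Triage helper for ComboFix "R*/S* name;display;path [meta]" service lines
and "name"="path" [meta] Run values.  Added example, not ComboFix's code.
"""
import re
from typing import Dict, List, Optional

SERVICE_RE = re.compile(
    r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+?)"
    r"(?:\s+-->\s+(?P<resolved>.+?))?\s+\[(?P<meta>[^\]]*)\]\s*$"
)
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"\s+\[(?P<meta>[^\]]*)\]\s*$')

# Path fragments that mean "user-writable", where rogue AV families typically drop their payload.
USER_WRITABLE = ("\\application data\\", "\\appdata\\", "\\programdata\\", "\\desktop\\")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return name/path/meta for a service or Run line, None for anything else."""
    m = SERVICE_RE.match(line)
    if m:
        return {"kind": "service", "name": m["name"].strip(),
                "path": m["path"].strip(), "meta": m["meta"]}
    m = RUN_RE.match(line)
    if m:
        return {"kind": "run", "name": m["name"], "path": m["path"], "meta": m["meta"]}
    return None


def classify(path: str, meta: str) -> List[str]:
    """Location and status heuristics; an empty list means nothing stood out."""
    p = path.lower()
    if p.startswith("\\??\\"):                  # NT object-manager prefix on driver paths
        p = p[4:]
    flags = []
    if "\\temp\\" in p or "\\tmp\\" in p:
        flags.append("image in a Temp directory")
    if any(k in p for k in USER_WRITABLE):
        flags.append("image in a user-writable profile/ProgramData location")
    if p.endswith(".sys") and "\\system32\\drivers\\" not in p:
        flags.append("kernel driver outside system32\\drivers")
    if meta.strip() == "?":                     # assumption: "[?]" = file not examined/found
        flags.append("ComboFix could not examine the file ([?])")
    return flags


def triage(lines: List[str]) -> List[Dict[str, object]]:
    """Parse every line and keep only the entries that raised at least one flag."""
    findings = []
    for line in lines:
        entry = parse_line(line.strip())
        if entry is None:
            continue
        flags = classify(entry["path"], entry["meta"])
        if flags:
            findings.append({"name": entry["name"], "path": entry["path"], "flags": flags})
    return findings


# Lines copied from the ComboFix log above, plus one constructed placeholder ("Example")
# standing in for an autostart under All Users\Application Data.
SAMPLE_LINES = [
    r"R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [7/14/2010 1:29 PM 136360]",
    r"R3 ALSysIO;ALSysIO;\??\c:\docume~1\Braden\LOCALS~1\Temp\ALSysIO.sys --> c:\docume~1\Braden\LOCALS~1\Temp\ALSysIO.sys [?]",
    r"R3 AtiHDAudioService;ATI Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdXP3.sys [4/5/2012 4:45 PM 100368]",
    r"S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]",
    r"S3 apf001;apf001;\??\c:\game\SoftnyxGame\GunBoundIS\apf001.sys --> c:\game\SoftnyxGame\GunBoundIS\apf001.sys [?]",
    r'"Core Temp"="c:\documents and settings\Braden\Desktop\CoreTemp32\Core Temp.exe" [2009-05-10 319504]',
    r'"Example"="c:\documents and settings\All Users\Application Data\example.exe" [2012-05-10 0]',  # constructed
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"{f['name']}: {f['path']}")
        for flag in f["flags"]:
            print("    -", flag)
```

Run as-is it prints only the flagged entries: the Temp driver, the two "[?]" drivers, the game's driver outside system32\drivers, and the two autostarts under the user profile, while the Avira and ATI services pass silently. Against a real log, feed it the whole file; lines it does not recognise are skipped rather than guessed at.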

#8 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 11 May 2012 - 01:10 PM

Hello

The ride is not over yet but will be a lot smoother from this point on.

:P2P Warning!:

IMPORTANT: I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

Please note that as long as you are using any form of Peer-to-Peer networking and downloading files from non-documented sources, you can expect infestations of malware to occur.
Once upon a time, P2P file sharing was fairly safe. That is no longer true. P2P programs form a direct conduit on to your computer, their security measures are easily circumvented and malware writers are increasingly exploiting them to spread their wares on to your computer. Further to that, if your P2P program is not configured correctly, your computer may be sharing more files than you realise. There have been cases where people's passwords, address books and other personal, private, and financial details have been exposed to a file sharing network by a badly configured program.

Please read these short reports on the dangers of peer-2-peer programs and file sharing.

FBI Cyber Education Letter
File sharing infects 500,000 computers
USAToday
infoworld


These logs are looking a lot better. But we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps.

uninstall some programs

NOTE** Because of the cleanup process some of the programs I have listed may not be in add/remove anymore this is fine just move to the next item on the list.

You can remove these programs using Add/Remove or you can use the free uninstaller from Revo (Revo does a lot better job).

Programs to remove

µTorrent
Adobe Reader 9.1
Java™ 6 Update 16


  • Please download and install Revo Uninstaller Free
  • Double click Revo Uninstaller to run it.
  • From the list of programs double click on The Program to remove
  • When prompted if you want to uninstall click Yes.
  • Be sure the Moderate option is selected then click Next.
  • The program will run, If prompted again click Yes
  • when the built-in uninstaller is finished click on Next.
  • Once the program has searched for leftovers click Next.
  • Check/tick the bolded items only on the list then click Delete
  • when prompted click on Yes and then on next.
  • put a check on any folders that are found and select delete
  • when prompted select yes then on next
  • Once done click Finish.

Update Adobe Reader

Recently there have been vulnerabilities detected in older versions of Adobe Reader. It is strongly suggested that you update to the current version.

You can download it from http://www.adobe.com/products/acrobat/readstep2.html
After installing the latest Adobe Reader, uninstall all previous versions.
If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

If you don't like Adobe Reader (53 MB), you can download Foxit PDF Reader (7 MB) from here. It's a much smaller file to download and uses a lot fewer resources than Adobe Reader.

Note: When installing FoxitReader, be careful not to install anything to do with AskBar.

Install Java:

Please go here to install Java

  • click on the Free Java Download Button
  • click on Agree and start Free download
  • click on Run
  • click on run again
  • click on install
  • when install is complete click on close

Clean Out Temp Files

  • This small application you may want to keep and use once a week to keep the computer clean.

    Download CCleaner from here http://www.ccleaner.com/

  • Run the installer to install the application.
  • When it gives you the option to install Yahoo toolbar uncheck the box next to it.
  • Run CCleaner. (make sure under Windows tab all the boxes of Internet Explorer and Windows explorer are checked. Under System check Empty Recycle Bin and Temporary Files. Under Application tab all the boxes should be checked).
  • Click Run Cleaner.
  • Close CCleaner.

: Malwarebytes' Anti-Malware :

  • I would like you to rerun MBAM
  • Double-click mbam icon
  • go to the update tab at the top
  • click on check for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
  • If you accidentally close it, the log file is saved here and will be named like this:
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Download HijackThis

If you have any problems running Hijackthis see NOTE** below (Host file not read, blank notepad ...)

  • Go Here to download HijackThis Installer
  • Save HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed it will launch Hijackthis.
  • Click on the Do a system scan and save a log file button. It will scan and the log should open in notepad.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the Analyze This button; its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

NOTE**
Sometimes we have to run it like this. To run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)<--32bit
(located: C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe)<--64bit
and select to run as administrator.

"information and logs"

  • In your next post I need the following

  • Log From MBAM
  • report from Hijackthis
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo


#9 osubraden (Topic Starter)

Posted 11 May 2012 - 09:02 PM

1. Log from MBAM

Malwarebytes Anti-Malware (Trial) 1.61.0.1400
www.malwarebytes.org

Database version: v2012.05.11.08

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 6.0.2900.5512
Braden :: BRADEN-DESKTOP [administrator]

Protection: Disabled

5/11/2012 6:42:04 PM
mbam-log-2012-05-11 (18-42-04).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 202837
Time elapsed: 1 minute(s), 35 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

2. Report from Hijackthis

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 6:51:50 PM, on 5/11/2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Creative\Shared Files\CTAudSvc.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Documents and Settings\Braden\Desktop\CoreTemp32\Core Temp.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\ssv.dll
O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jp2ssv.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKCU\..\Run: [Core Temp] "C:\Documents and Settings\Braden\Desktop\CoreTemp32\Core Temp.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra 'Tools' menuitem: Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Creative Audio Engine Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe
O23 - Service: Creative Audio Service (CTAudSvcService) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTAudSvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Oracle Corporation - C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 6895 bytes

3. After restarting I now have two unknown devices asking to install drivers. I'm not sure what they could be, as I have nothing extra (as in USB, etc) plugged into my computer. My sound and graphics (the only expansion slots I'm using) work fine.

Also I noticed default browser switched to IE, though I switched back to Firefox.

Also I believe my BIOS is kind of funky, as when I "restart" from Windows I always get a "CPU Fan error" during BIOS boot up, even though the fan is working fine. This does not happen when I use "shut down" and then turn on the computer.

4. Other than everything in #3, I seem to be functioning okay.
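The HijackThis O4 (Run keys) and O23 (services) entries in the report above are the lines a helper reads first. As an added example that is not part of this thread and not HijackThis code, here is a small Python triage script that parses those two entry types and flags autostart entries whose binary lives in a user-writable directory (profile, Desktop, Application Data, Temp) and services that report "Unknown owner". The sample lines are copied from the log above, plus one constructed entry (labelled as such) to show what a hit under Application Data looks like. Flagged entries are review candidates, not verdicts: Core Temp is a known utility that simply happens to be run from the Desktop here.

```python
import re
from typing import Optional

# Constructed sample in HijackThis format. The first, second, fourth and fifth
# lines are copied from the log in the post above; the third is a constructed
# example (not from the log) so that an Application Data hit is shown.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [Core Temp] "C:\Documents and Settings\Braden\Desktop\CoreTemp32\Core Temp.exe"
O4 - HKLM\..\Run: [constructed example] C:\Documents and Settings\All Users\Application Data\example.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
"""

# O4 lines: "O4 - <hive>\..\Run: [<name>] <command line>"
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O23 lines: "O23 - Service: <name> - <owner> - <path>"
O23_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")
# Pulls the executable path out of a command line, quoted or not, by stopping
# at the first executable-looking extension (unquoted XP paths contain spaces).
PATH_RE = re.compile(r'^"?(?P<path>.*?\.(?:exe|dll|scr|cpl|bat|cmd|vbs))\b', re.IGNORECASE)

# Most specific marker first; a normal autostart binary on XP should not live here.
USER_WRITABLE_MARKERS = (
    ("\\local settings\\temp\\", "runs from a Temp directory"),
    ("\\application data\\", "runs from Application Data"),
    ("\\desktop\\", "runs from a Desktop folder"),
    ("\\documents and settings\\", "runs from a user profile"),
)


def why_suspicious(path: str) -> Optional[str]:
    """Return a reason string if the path is in a user-writable location, else None."""
    low = path.lower()
    for marker, reason in USER_WRITABLE_MARKERS:
        if marker in low:
            return reason
    return None


def triage(log_text: str) -> list:
    """Parse O4/O23 entries and return a list of findings worth a second look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            pm = PATH_RE.match(m["cmd"])
            path = pm["path"] if pm else m["cmd"]
            reason = why_suspicious(path)
            if reason:
                findings.append({"type": "O4", "name": m["name"], "path": path, "reason": reason})
            continue
        m = O23_RE.match(line)
        if m:
            reasons = []
            if m["owner"].strip().lower() == "unknown owner":
                reasons.append("service binary has no publisher information")
            where = why_suspicious(m["path"])
            if where:
                reasons.append(where)
            if reasons:
                findings.append({"type": "O23", "name": m["name"], "path": m["path"],
                                 "reason": "; ".join(reasons)})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['type']} [{f['name']}] {f['path']} -> {f['reason']}")
```

Running it prints three review candidates (Core Temp, the constructed Application Data entry, and the NMSAccessU service) and stays silent on the Avira and Malwarebytes entries, which run from Program Files under a named publisher.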

#10 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:12:48 PM

Posted 11 May 2012 - 09:15 PM

Hello osubraden

I want you to go into device manager and look for something with a yellow ? or a yellow !


let me know what you find



if you don't know how to get into device manager just let me know



gringo

#11 osubraden

osubraden
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:08:48 AM

Posted 11 May 2012 - 10:22 PM

Two "unknown device" listed under the "other devices" tree

I have a picture for you: http://imageshack.us/photo/my-images/38/unknowndeviceo.jpg/

Under the details tab the "Device Instance Id" says "ACPI\ATK0110\1010110" for the first, and "ROOT\LEGACY_SASKUTIL\0000" for the second.

Edited by osubraden, 11 May 2012 - 10:28 PM.


#12 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:12:48 PM

Posted 11 May 2012 - 10:38 PM

uninstall both of them and restart the computer


gringo

#13 osubraden

osubraden
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:08:48 AM

Posted 11 May 2012 - 10:55 PM

Okay,

After uninstalling and restarting I still have the CPU Fan error message. Additionally, it now asks very briefly whether I want to boot to Recovery Console or Windows XP, but quickly just starts Windows normally before I have a chance to choose. I restarted twice to see if this kept happening, and it does each time.

I'm down to one unknown device seeking drivers after windows loads--the "ACPI\ATK0110\1010110" one.

#14 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:12:48 PM

Posted 11 May 2012 - 11:07 PM

Hello


The CPU fan error I don't know how to help you with; when we are done, I would check in the hardware forum.


I'm down to one unknown device seeking drivers after windows loads--the "ACPI\ATK0110\1010110" one. - have you uninstalled this one?


gringo

#15 osubraden

osubraden
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:08:48 AM

Posted 11 May 2012 - 11:14 PM

" I'm down to one unknown device seeking drivers after windows loads--the "ACPI\ATK0110\1010110" one. - have you uninstalled this one? "

Yes, I restart and it comes back each time asking for a driver. Also confirmed that after each restart it is asking me which operating system to start--recovery console, one other, and Windows XP. It seems to very quickly just choose Windows XP.



