
Evading Window opens and closes at boot time


28 replies to this topic

#1 myselfasadam


  • Members
  • 14 posts
  • OFFLINE
  • Local time:02:43 PM

Posted 13 May 2012 - 05:24 AM

At startup of my Win XP laptop I get a "window" open and then close. The window is very small, but if I hover over the place it appears on startup with my mouse, it appears somewhere else, so I am unable to click on the window. It's difficult to tell, but I would say my boot time has increased and that it is running slower. This is noticeable in the speed of my PHP programming environment. The debugger is getting painfully slow at times.

I have attempted to track down the problem with several programs: Malwarebytes, Super Anti Spyware, aswMBR, and others; this last one appears to have highlighted a .sys file that changes its name every time I run the program after a reboot. It's a variation of sp??.sys where ? is the variable letter; in the example from the log below it's spgf.sys.

09:36:47.452 Service sptd C:\WINDOWS\System32\Drivers\sptd.sys **LOCKED** 32
09:36:53.190 Modules scanning
09:36:59.719 Disk 0 trace - called modules:
09:37:00.050 ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys spgf.sys hal.dll >>UNKNOWN [0x8a803938]<<
09:37:00.060 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a7daab8]
09:37:00.060 3 CLASSPNP.SYS[f7637fd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP1T0L0-e[0x8a7d2d98]



.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_31

Run by Owner at 20:17:52 on 2012-05-11

Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.2046.1288 [GMT 1:00]

.

.

============== Running Processes ===============

.

C:\WINDOWS\system32\svchost.exe -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

C:\WINDOWS\system32\S24EvMon.exe

svchost.exe

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

svchost.exe

C:\Program Files\SUPERAntiSpyware\SASCORE.EXE

C:\Program Files\Apache Group\Apache2\bin\Apache.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\crypserv.exe

C:\Program Files\Apache Group\Apache2\bin\Apache.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\WINDOWS\system32\RegSrvc.exe

C:\WINDOWS\System32\svchost.exe -k imgsvc

C:\Program Files\Zend\ZendServer\bin\zdd.exe

C:\WINDOWS\system32\ZCfgSvc.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\1XConfig.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe

C:\WINDOWS\System32\hkcmd.exe

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\WINDOWS\system32\WLTRAY.exe

C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe

C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe

C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe

C:\Program Files\DataGuard\Dataguard.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Zend\Apache2\bin\ApacheMonitor.exe

C:\Program Files\Zend\ZendServer\bin\zendcontroller.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe

C:\Program Files\Mozilla Firefox 4.0 Beta 6\firefox.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.seeitonthenet.co.uk:81/index.php

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}

uInternet Settings,ProxyOverride = *.local;<local>

uSearchURL,(Default) = hxxp://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office14\GROOVEEX.DLL

BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll

BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~2\office14\URLREDIR.DLL

BHO: IE Developer Toolbar BHO: {cc7e636d-39aa-49b6-b511-65413da137a1} - c:\program files\microsoft\internet explorer developer toolbar\IEDevToolbar.dll

BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

BHO: HttpWatch Basic: {f1f69322-008f-4895-b2bf-ad194219825a} - c:\program files\httpwatch\httpwatchsc.dll

EB: HttpWatch Basic: {2b4c4770-27fd-4a09-b17d-33ca580965fb} - c:\program files\httpwatch\httpwatch.dll

EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

EB: IE Developer Toolbar: {a202b231-ef71-4a08-bdb9-4ce5ae8bde0a} - c:\program files\microsoft\internet explorer developer toolbar\IEDevToolbar.dll

uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [SigmaTel StacMon] c:\program files\sigmatel\sigmatel ac97 audio drivers\stacmon.exe

mRun: [IgfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe

mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe

mRun: [ZCfgSvc.exe] c:\windows\system32\ZCfgSvc.exe

mRun: [PRONoMgr.exe] c:\program files\intel\ncs\proset\PRONoMgr.exe

mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe

mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [REGSHAVE] c:\program files\regshave\REGSHAVE.EXE /AUTORUN

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"

mRun: [StatusClient 2.6] c:\program files\hewlett-packard\toolbox\statusclient\StatusClient.exe /auto

mRun: [TomcatStartup 2.5] c:\program files\hewlett-packard\toolbox\hpbpsttp.exe

mRun: [HPLJ Config] c:\program files\hewlett-packard\hp laserjet 1160_1320 series\SetConfig.exe -c Direct -p DOT4_001 -pn "hp LaserJet 1320 PCL 6" -n 1 -l 1033 -sl 120000

mRun: [HP Software Update] "c:\program files\hewlett-packard\hp software update\HPWuSchd2.exe"

mRun: [BCSSync] "c:\program files\microsoft office\office14\BCSSync.exe" /DelayServices

mRun: [DataGuard] c:\program files\dataguard\Dataguard.exe r

mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSCONFIG.EXE /auto

dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\apache~1.lnk - c:\program files\zend\apache2\bin\ApacheMonitor.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\zendco~1.lnk - c:\program files\zend\zendserver\bin\zendcontroller.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoru~1\wirele~1.lnk - c:\program files\linksys\wireless-g notebook adapter\Startup.exe

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office14\EXCEL.EXE/3000

IE: Se&nd to OneNote - c:\progra~1\micros~2\office14\ONBttnIE.dll/105

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll

IE: {48FFE35F-36D9-44bd-A6CC-1D34414EAC0D} - {CC962137-2E78-4F94-975E-FC0C07DBD78F} - c:\program files\microsoft\internet explorer developer toolbar\IEDevToolbar.dll

IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll

IE: {A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC} - {95188727-288F-4581-A48D-EAB3BD027314} - e:\zend\toolbars\ZENDIE~1.DLL

IE: {D103E85B-5D67-42c1-8C83-F01079DBAB26} - {2B4C4770-27FD-4A09-B17D-33CA580965FB} - c:\program files\httpwatch\httpwatch.dll

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1247569307392

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1247569231763

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/products/plugin/autodl/jinstall-160-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-160-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

TCP: DhcpNameServer = 87.194.255.154 87.194.255.155 192.168.1.1

TCP: Interfaces\{306CC7B1-033A-4608-B985-B7C2AD98A1D3} : DhcpNameServer = 87.194.255.154 87.194.255.155 192.168.1.1

Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL

Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL

Notify: igfxcui - igfxsrvc.dll

Notify: Sebring - c:\windows\system32\LgNotify.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office14\GROOVEEX.DLL

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\owner\application data\mozilla\firefox\profiles\nw8mg5gi.default\

FF - prefs.js: browser.startup.homepage - hxxp://blekko.com/?source=fftb-2.1.1-home

FF - prefs.js: keyword.URL - hxxp://blekko.com/ws/?source=fftb-2.1.1-url&q=

FF - plugin: c:\progra~1\micros~2\office14\NPAUTHZ.DLL

FF - plugin: c:\progra~1\micros~2\office14\NPSPWRAP.DLL

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\java\jre6\bin\plugin2\npdeployJava1.dll

FF - plugin: c:\program files\java\jre6\bin\plugin2\npjp2.dll

.

---- FIREFOX POLICIES ----

FF - user.js: zend.ZDE_Path - c:\program files\zend\zend studio for eclipse - 6.0.0\ZendStudio.exe

FF - user.js: zend.ZDE_Path - c:\program files\zend\zend studio for eclipse - 6.0.0\ZendStudio.exe

FF - user.js: zend.ZDE_Path - c:\program files\zend\zend studio - 7.0.0\ZendStudio.exe

FF - user.js: zend.ZDE_Path - c:\program files\zend\zend studio for eclipse - 6.1.2\ZendStudio.exe

FF - user.js: zend.ZDE_Path - c:\program files\zend\zend studio for eclipse - 6.1.2\ZendStudio.exe

FF - user.js: yahoo.homepage.dontask - true

FF - user.js: zend.ZDE_Path - c:\program files\zend\zend studio - 7.0.0\ZendStudio.exe

.

============= SERVICES / DRIVERS ===============

.

R1 DataGuard AntiKeylogger Kernel Service;DataGuard AntiKeylogger Kernel Service;c:\windows\system32\drivers\dataguard.sys [2012-4-23 50176]

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]

R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]

R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-8-12 116608]

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-1-6 654408]

R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2010-6-25 35088]

R2 ZendDeployment;Zend Deployment;c:\program files\zend\zendserver\bin\zdd.exe [2012-2-29 707504]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-1-6 22344]

S0 mwbrh;mwbrh;c:\windows\system32\drivers\qrnjkla.sys --> c:\windows\system32\drivers\qrnjkla.sys [?]

S0 sytfkj;sytfkj;c:\windows\system32\drivers\iapuppu.sys --> c:\windows\system32\drivers\iapuppu.sys [?]

S2 Apache2.2-Zend;Apache2.2-Zend;c:\program files\zend\apache2\bin\httpd.exe [2012-2-29 27680]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 Crypto;Crypto;\??\c:\windows\system32\drivers\crypto.sys --> c:\windows\system32\drivers\Crypto.sys [?]

S2 RapportMgmtService;Rapport Management Service; [x]

S3 CBPMp50;CBPMp50 NDIS Protocol Driver;c:\windows\system32\drivers\cbpmp50.sys --> c:\windows\system32\drivers\CBPMp50.sys [?]

S3 CBPSp50;CBPSp50 NDIS Protocol Driver;c:\windows\system32\drivers\CBPSp50.sys [2011-9-25 27072]

S3 DQH;DQH; [x]

S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\microsoft office\office14\GROOVE.EXE [2011-6-12 31125880]

S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-4-10 112568]

S3 OAFI;OAFI; [x]

S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]

S3 TetaSCDevice;TetaSCDevice;\??\c:\windows\system32\tetascop.sys --> c:\windows\system32\tetascop.SYS [?]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

S4 ZendJobQueue;Zend Job Queue ;c:\program files\zend\zendserver\bin\jqd.exe [2012-2-29 795056]

S4 ZendMonitor;Zend Monitor;c:\program files\zend\zendserver\bin\MonitorNode.exe [2012-2-29 468912]

S4 ZendSessionClustering;Zend Session Clustering;c:\program files\zend\zendserver\bin\ZendSessionManager.exe [2012-2-29 777136]

.

=============== File Associations ===============

.

.txt=bftxtfile

.

=============== Created Last 30 ================

.

2016-04-12 04:03:57 -------- d-----w- c:\documents and settings\owner\local settings\application data\Deployment

2012-05-08 18:08:05 -------- d-----w- c:\program files\PHP

2012-05-03 22:29:34 -------- d-----w- c:\documents and settings\owner\Aptana Rubles

2012-05-03 22:26:40 -------- d-----w- c:\program files\Aptana

2012-05-03 15:27:39 -------- d-----w- c:\documents and settings\owner\application data\ActiveState

2012-05-03 15:27:32 -------- d-----w- c:\documents and settings\owner\local settings\application data\ActiveState

2012-05-03 14:41:25 -------- d-sh--w- c:\documents and settings\all users\application data\{67AB9237-55B9-46D5-A72F-EACBA312AF4D}

2012-05-03 14:41:17 -------- d-----w- c:\documents and settings\owner\local settings\application data\NuSphere

2012-05-03 14:41:13 -------- d-----w- c:\documents and settings\owner\application data\NuSphere

2012-05-03 14:22:03 -------- d-----w- c:\program files\NuSphere

2012-05-01 19:12:46 -------- d-----w- c:\documents and settings\owner\local settings\application data\Sonos,_Inc

2012-04-28 19:21:48 -------- d-----w- c:\documents and settings\owner\application data\SUPERAntiSpyware.com

2012-04-28 19:21:05 -------- d-----w- c:\program files\SUPERAntiSpyware

2012-04-28 19:21:05 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com

2012-04-27 16:32:08 -------- d-----w- c:\documents and settings\all users\application data\Sonos

2012-04-26 10:41:53 -------- d-----w- C:\TDSSKiller_Quarantine

2012-04-23 16:44:33 50176 ----a-w- c:\windows\system32\drivers\dataguard.sys

2012-04-23 16:44:29 -------- d-----w- c:\program files\DataGuard

2012-04-22 21:15:53 -------- d-----w- c:\documents and settings\all users\application data\Sonos,_Inc

2012-04-22 21:15:36 -------- d-----w- c:\program files\Sonos

2012-04-22 21:10:59 -------- d-----w- c:\program files\Wireshark

2012-04-12 19:47:54 -------- d-----w- c:\program files\Duplicate Photo Finder

.

==================== Find3M ====================

.

2012-04-04 14:56:40 22344 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-03-11 15:21:53 131584 ----a-w- c:\windows\system32\SpoonUninstall.exe

2012-02-19 22:25:33 73728 ----a-w- c:\windows\system32\javacpl.cpl

2012-02-19 22:25:33 472808 ----a-w- c:\windows\system32\deployJava1.dll

2012-02-15 10:01:50 4547944 ----a-w- c:\windows\system32\usbaaplrc.dll

2012-02-15 10:01:50 43520 ----a-w- c:\windows\system32\drivers\usbaapl.sys

.

============= FINISH: 20:19:21.07 ===============

Attached Files




#2 m0le


    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:02:43 PM

Posted 15 May 2012 - 07:32 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks :thumbup2:
m0le is a proud member of UNITE

#3 m0le


    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:02:43 PM

Posted 20 May 2012 - 07:56 PM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.

#4 m0le


    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:02:43 PM

Posted 22 May 2012 - 06:08 PM

This topic has been re-opened at the request of the person who originally posted.

#5 myselfasadam

  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:02:43 PM

Posted 23 May 2012 - 02:47 AM

Thanks for reopening this topic.
I'm on United Kingdom time so there may be a lag.

Oh, I've just noticed you're based in London.

Adam

Edited by myselfasadam, 23 May 2012 - 08:50 AM.


#6 m0le


    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:02:43 PM

Posted 23 May 2012 - 05:48 PM

We've got some definite malware on the logs, though these are stopped services at present. We need to check the UNKNOWN in the aswMBR, and the best way to do that is to boot outside of Windows and get a Master Boot Record log.

Try this please. You will need a USB drive.

Download http://unetbootin.sourceforge.net/unetbootin-xpud-windows-latest.exe & http://noahdfear.net/downloads/bootable/xPUD/xpud-0.9.2.iso to the desktop of your clean computer
  • Insert your USB drive
  • Press Start > My Computer > right click your USB drive > choose Format > Quick format
  • Double click the unetbootin-xpud-windows-387.exe that you just downloaded
  • Press Run then OK
  • Select the DiskImage option then click the browse button located on the right side of the textbox field.
  • Browse to and select the xpud-0.9.2.iso file you downloaded
  • Verify the correct drive letter is selected for your USB device then click OK
  • It will install a little bootable OS on your USB device
  • Once the files have been written to the device you will be prompted to reboot ~ do not reboot and instead just Exit the UNetbootin interface
  • After it has completed do not choose to reboot the clean computer simply close the installer
  • Next download dumpit to your USB
  • Remove the USB and insert it in the sick computer
  • Boot the Sick computer
  • Press F12 and choose to boot from the USB
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • Click on sdb1 (sdb1 represents the USB drive).
  • Double click on the dumpit file.
  • A black window will pop-up and it will dump and zip the MBR to your USB drive.
  • Press Enter to exit the black window.
  • Click on HOME tab and choose Power Off to turn off xPUD.
  • Remove the USB drive and insert it back on your working computer.
  • Locate the mbr.zip file in your USB drive and attach it when you reply.


#7 myselfasadam

  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:02:43 PM

Posted 24 May 2012 - 04:55 AM

Find attached file mbr.zip

Attached Files

  • Attached File  mbr.zip   2.15KB   2 downloads


#8 m0le


    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:02:43 PM

Posted 24 May 2012 - 02:33 PM

Okay, nothing wrong with that. Please run Combofix next

Please download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop, making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications including Firewalls, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Comfix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

#9 myselfasadam

  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:02:43 PM

Posted 24 May 2012 - 05:38 PM

Combo took a long time to run the backup.

Adam

Attached Files



#10 m0le


    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:02:43 PM

Posted 25 May 2012 - 05:35 PM

There's some malware showing here, though its services have been stopped.

Please run Combofix, as shown

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the box below into it:

File::
c:\windows\system32\drivers\qrnjkla.sys
c:\windows\system32\drivers\iapuppu.sys

Driver::
mwbrh
sytfkj
DQH
OAFI


Save this as CFScript.txt, in the same location as Comfix.exe (called ComboFix.exe in the below graphic)


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

If the program requests for you to update Combofix then click Yes.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
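The DDS log in post #1 lists stopped boot-start drivers whose image file DDS could not find (the `--> ... [?]` entries) and services with no path at all (`[x]`), and post #10 turns four of those names into a CFScript. As an added example that is not from the thread, from DDS or from ComboFix, the Python below parses that SERVICES / DRIVERS line format, flags entries whose binary is missing or absent and whose display name is merely the key name repeated, and emits a CFScript File::/Driver:: block from the result. The sample lines are constructed from the entries quoted in post #1; the line shape and the triage heuristic are my own assumptions about the DDS format, not documented behaviour.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample in the shape of the DDS "SERVICES / DRIVERS" section quoted in post #1.
SAMPLE_DDS = r"""
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
S0 mwbrh;mwbrh;c:\windows\system32\drivers\qrnjkla.sys --> c:\windows\system32\drivers\qrnjkla.sys [?]
S0 sytfkj;sytfkj;c:\windows\system32\drivers\iapuppu.sys --> c:\windows\system32\drivers\iapuppu.sys [?]
S2 Crypto;Crypto;\??\c:\windows\system32\drivers\crypto.sys --> c:\windows\system32\drivers\Crypto.sys [?]
S2 RapportMgmtService;Rapport Management Service; [x]
S3 CBPSp50;CBPSp50 NDIS Protocol Driver;c:\windows\system32\drivers\CBPSp50.sys [2011-9-25 27072]
S3 DQH;DQH; [x]
S3 OAFI;OAFI; [x]
"""

# Assumed line shape: "<R|S><start-type> <key>;<display>;<image info>"
DDS_LINE = re.compile(r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$")
TRAILING_BRACKET = re.compile(r"\s*\[[^\]]*\]$")  # "[2011-7-22 12880]", "[?]", "[x]"


@dataclass
class ServiceEntry:
    start: str    # R = running, S = stopped; the digit is the start type (0 = boot start)
    name: str     # registry key name of the service or driver
    display: str  # display name
    path: str     # image path as DDS printed it (empty when none)
    status: str   # "present", "missing" (path given, file not found) or "nopath"


def parse_dds_services(text: str) -> List[ServiceEntry]:
    """Parse the SERVICES / DRIVERS lines of a DDS log into ServiceEntry records."""
    entries = []
    for raw in text.splitlines():
        m = DDS_LINE.match(raw.strip())
        if not m:
            continue
        rest = m.group("rest").strip()
        if rest == "[x]":
            status, path = "nopath", ""
        elif rest.endswith("[?]"):
            # DDS prints "<registry value> --> <resolved path> [?]" when the image is not on disk
            status = "missing"
            path = TRAILING_BRACKET.sub("", rest.split("-->")[-1].strip())
        else:
            status = "present"
            path = TRAILING_BRACKET.sub("", rest)
        entries.append(ServiceEntry(m.group("start"), m.group("name"),
                                    m.group("display"), path, status))
    return entries


def triage(entries: List[ServiceEntry]) -> List[ServiceEntry]:
    """Heuristic (an assumption, not a DDS feature): an entry is a removal
    candidate when its image is missing or it has no path at all, and its
    display name is just the key name repeated; vendor-installed drivers
    normally carry a descriptive display name."""
    return [e for e in entries
            if e.status in ("missing", "nopath") and e.display == e.name]


def build_cfscript(candidates: List[ServiceEntry]) -> str:
    """Emit the File:: / Driver:: sections in the layout used in post #10."""
    files = [e.path for e in candidates if e.path]
    drivers = [e.name for e in candidates]
    return ("File::\n" + "\n".join(files) + "\n\n"
            "Driver::\n" + "\n".join(drivers) + "\n")


if __name__ == "__main__":
    found = triage(parse_dds_services(SAMPLE_DDS))
    for e in found:
        print(f"{e.start} {e.name:<20} {e.status:<8} {e.path}")
    print()
    print(build_cfscript(found))
```

Run against the sample, the heuristic flags Crypto in addition to the four names m0le put in the script; the thread's own CFScript omitted Crypto, which is the intended division of labour: the parser narrows a long log down to candidates, and the analyst decides which of them actually go into the removal script.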

#11 myselfasadam

  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:02:43 PM

Posted 26 May 2012 - 04:29 AM

Hi, all ran well, but the window pops up as before.

Attached Files



#12 m0le


    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:02:43 PM

Posted 26 May 2012 - 07:23 AM

Hmmm, ghost windows can be signs of other things than malware but before we go down that route please run TDSSKiller

  • Download TDSSKiller and save it to your Desktop.

  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.

  • Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l report.txt

  • Now click Start Scan.
  • If Malicious objects are found, ensure Cure is selected then click Continue > Reboot now.
  • Click Close
  • Finally press Report and copy and paste the contents into your next reply. If you've rebooted then the log will be found at C:\


#13 myselfasadam

  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:02:43 PM

Posted 26 May 2012 - 07:39 AM

Hi, nothing was found; the log came up empty with " ÿþ1 ", which doesn't say a lot to me.

I opened it with bluefish editor instead of Notebook

13:41:47.0374 2832 TDSS rootkit removing tool 2.7.37.0 May 23 2012 08:15:30
13:41:47.0614 2832 ============================================================
13:41:47.0614 2832 Current date / time: 2012/05/26 13:41:47.0614
13:41:47.0614 2832 SystemInfo:
13:41:47.0614 2832
13:41:47.0614 2832 OS Version: 5.1.2600 ServicePack: 3.0
13:41:47.0614 2832 Product type: Workstation
13:41:47.0614 2832 ComputerName: LEE-1501
13:41:47.0614 2832 UserName: Owner
13:41:47.0614 2832 Windows directory: C:\WINDOWS
13:41:47.0614 2832 System windows directory: C:\WINDOWS
13:41:47.0614 2832 Processor architecture: Intel x86
13:41:47.0614 2832 Number of processors: 1
13:41:47.0614 2832 Page size: 0x1000
13:41:47.0614 2832 Boot type: Normal boot
13:41:47.0614 2832 ============================================================
13:41:49.0247 2832 Drive \Device\Harddisk0\DR0 - Size: 0x25433D6000 (149.05 Gb), SectorSize: 0x200, Cylinders: 0x4C01, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
13:41:49.0247 2832 ============================================================
13:41:49.0247 2832 \Device\Harddisk0\DR0:
13:41:49.0247 2832 MBR partitions:
13:41:49.0247 2832 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x9C5935E
13:41:49.0247 2832 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x9C59800, BlocksNum 0x4E20000
13:41:49.0247 2832 ============================================================
13:41:49.0647 2832 C: <-> \Device\Harddisk0\DR0\Partition0
13:41:49.0798 2832 E: <-> \Device\Harddisk0\DR0\Partition1
13:41:49.0798 2832 ============================================================
13:41:49.0798 2832 Initialize success
13:41:49.0798 2832 ============================================================
13:41:52.0081 1236 ============================================================
13:41:52.0081 1236 Scan started
13:41:52.0081 1236 Mode: Manual;
13:41:52.0081 1236 ============================================================
13:41:53.0002 1236 !SASCORE (c0393eb99a6c72c6bef9bfc4a72b33a6) C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
13:41:53.0002 1236 !SASCORE - ok
13:41:53.0182 1236 Abiosdsk - ok
13:41:53.0202 1236 abp480n5 - ok
13:41:53.0263 1236 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
13:41:53.0263 1236 ACPI - ok
13:41:53.0303 1236 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
13:41:53.0303 1236 ACPIEC - ok
13:41:53.0323 1236 adpu160m - ok
13:41:53.0393 1236 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
13:41:53.0393 1236 aec - ok
13:41:53.0443 1236 AegisP (2c5c22990156a1063e19ad162191dc1d) C:\WINDOWS\system32\DRIVERS\AegisP.sys
13:41:53.0443 1236 AegisP - ok
13:41:53.0493 1236 AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys
13:41:53.0493 1236 AFD - ok
13:41:53.0513 1236 Aha154x - ok
13:41:53.0523 1236 aic78u2 - ok
13:41:53.0543 1236 aic78xx - ok
13:41:53.0623 1236 AIRPLUS (8b9ccded592a52e9c27e862f11a29c4d) C:\WINDOWS\system32\DRIVERS\airplus.sys
13:41:53.0623 1236 AIRPLUS - ok
13:41:53.0673 1236 Alerter (a9a3daa780ca6c9671a19d52456705b4) C:\WINDOWS\system32\alrsvc.dll
13:41:53.0673 1236 Alerter - ok
13:41:53.0713 1236 ALG (8c515081584a38aa007909cd02020b3d) C:\WINDOWS\System32\alg.exe
13:41:53.0713 1236 ALG - ok
13:41:53.0733 1236 AliIde - ok
13:41:53.0753 1236 amsint - ok
13:41:53.0833 1236 Apache2 (3c8b7e1e3f136c000c96690ac008c799) C:\Program Files\Apache Group\Apache2\bin\Apache.exe
13:41:53.0833 1236 Apache2 - ok
13:41:53.0954 1236 Apache2.2-Zend (af6c19476d69be87fcf7dc0e69766026) C:\Program Files\Zend\Apache2\bin\httpd.exe
13:41:53.0954 1236 Apache2.2-Zend - ok
13:41:54.0034 1236 Apple Mobile Device (7ef47644b74ebe721cc32211d3c35e76) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
13:41:54.0034 1236 Apple Mobile Device - ok
13:41:54.0054 1236 AppMgmt - ok
13:41:54.0074 1236 asc - ok
13:41:54.0084 1236 asc3350p - ok
13:41:54.0104 1236 asc3550 - ok
13:41:54.0224 1236 aspnet_state (776acefa0ca9df0faa51a5fb2f435705) C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe
13:41:54.0224 1236 aspnet_state - ok
13:41:54.0274 1236 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
13:41:54.0274 1236 AsyncMac - ok
13:41:54.0324 1236 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
13:41:54.0324 1236 atapi - ok
13:41:54.0344 1236 Atdisk - ok
13:41:54.0384 1236 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
13:41:54.0384 1236 Atmarpc - ok
13:41:54.0434 1236 AudioSrv (def7a7882bec100fe0b2ce2549188f9d) C:\WINDOWS\System32\audiosrv.dll
13:41:54.0434 1236 AudioSrv - ok
13:41:54.0484 1236 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
13:41:54.0484 1236 audstub - ok
13:41:54.0614 1236 BCM43XX (b89bcf0a25aeb3b47030ac83287f894a) C:\WINDOWS\system32\DRIVERS\bcmwl5.sys
13:41:54.0625 1236 BCM43XX - ok
13:41:54.0665 1236 bcm4sbxp (e727776a56a51b7e6b7c87c02ea8b405) C:\WINDOWS\system32\DRIVERS\bcm4sbxp.sys
13:41:54.0665 1236 bcm4sbxp - ok
13:41:54.0715 1236 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
13:41:54.0715 1236 Beep - ok
13:41:54.0795 1236 BITS (574738f61fca2935f5265dc4e5691314) C:\WINDOWS\system32\qmgr.dll
13:41:54.0805 1236 BITS - ok
13:41:54.0935 1236 Bonjour Service (db5bea73edaf19ac68b2c0fad0f92b1a) C:\Program Files\Bonjour\mDNSResponder.exe
13:41:54.0935 1236 Bonjour Service - ok
13:41:54.0985 1236 Browser (a06ce3399d16db864f55faeb1f1927a9) C:\WINDOWS\System32\browser.dll
13:41:54.0995 1236 Browser - ok
13:41:55.0005 1236 catchme - ok
13:41:55.0055 1236 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
13:41:55.0055 1236 cbidf2k - ok
13:41:55.0075 1236 CBPMp50 - ok
13:41:55.0125 1236 CBPSp50 (1961590aa191b6b7dcf18a6a693af7b8) C:\WINDOWS\system32\Drivers\CBPSp50.sys
13:41:55.0125 1236 CBPSp50 - ok
13:41:55.0165 1236 CBTNDIS5 (181b4a19965024a2afa01fa2102b2a2d) C:\WINDOWS\system32\CBTNDIS5.SYS
13:41:55.0165 1236 CBTNDIS5 - ok
13:41:55.0195 1236 cd20xrnt - ok
13:41:55.0245 1236 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
13:41:55.0245 1236 Cdaudio - ok
13:41:55.0295 1236 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
13:41:55.0295 1236 Cdfs - ok
13:41:55.0326 1236 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
13:41:55.0326 1236 Cdrom - ok
13:41:55.0356 1236 Changer - ok
13:41:55.0396 1236 CiSvc (1cfe720eb8d93a7158a4ebc3ab178bde) C:\WINDOWS\system32\cisvc.exe
13:41:55.0406 1236 CiSvc - ok
13:41:55.0436 1236 ClipSrv (34cbe729f38138217f9c80212a2a0c82) C:\WINDOWS\system32\clipsrv.exe
13:41:55.0436 1236 ClipSrv - ok
13:41:55.0526 1236 clr_optimization_v2.0.50727_32 (d87acaed61e417bba546ced5e7e36d9c) C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
13:41:55.0526 1236 clr_optimization_v2.0.50727_32 - ok
13:41:55.0626 1236 clr_optimization_v4.0.30319_32 (c5a75eb48e2344abdc162bda79e16841) C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
13:41:55.0626 1236 clr_optimization_v4.0.30319_32 - ok
13:41:55.0656 1236 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
13:41:55.0656 1236 CmBatt - ok
13:41:55.0676 1236 CmdIde - ok
13:41:55.0716 1236 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
13:41:55.0716 1236 Compbatt - ok
13:41:55.0736 1236 COMSysApp - ok
13:41:55.0766 1236 Cpqarray - ok
13:41:55.0776 1236 Crypkey License - ok
13:41:55.0796 1236 Crypto - ok
13:41:55.0846 1236 CryptSvc (3d4e199942e29207970e04315d02ad3b) C:\WINDOWS\System32\cryptsvc.dll
13:41:55.0846 1236 CryptSvc - ok
13:41:55.0866 1236 dac2w2k - ok
13:41:55.0886 1236 dac960nt - ok
13:41:55.0956 1236 DcomLaunch (6b27a5c03dfb94b4245739065431322c) C:\WINDOWS\system32\rpcss.dll
13:41:55.0966 1236 DcomLaunch - ok
13:41:56.0017 1236 Dhcp (5e38d7684a49cacfb752b046357e0589) C:\WINDOWS\System32\dhcpcsvc.dll
13:41:56.0027 1236 Dhcp - ok
13:41:56.0057 1236 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
13:41:56.0057 1236 Disk - ok
13:41:56.0077 1236 dmadmin - ok
13:41:56.0197 1236 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
13:41:56.0207 1236 dmboot - ok
13:41:56.0257 1236 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
13:41:56.0257 1236 dmio - ok
13:41:56.0297 1236 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
13:41:56.0297 1236 dmload - ok
13:41:56.0347 1236 dmserver (57edec2e5f59f0335e92f35184bc8631) C:\WINDOWS\System32\dmserver.dll
13:41:56.0347 1236 dmserver - ok
13:41:56.0407 1236 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
13:41:56.0407 1236 DMusic - ok
13:41:56.0487 1236 Dnscache (5f7e24fa9eab896051ffb87f840730d2) C:\WINDOWS\System32\dnsrslvr.dll
13:41:56.0487 1236 Dnscache - ok
13:41:56.0547 1236 Dot3svc (0f0f6e687e5e15579ef4da8dd6945814) C:\WINDOWS\System32\dot3svc.dll
13:41:56.0547 1236 Dot3svc - ok
13:41:56.0617 1236 Dot4 (3e4b043f8bc6be1d4820cc6c9c500306) C:\WINDOWS\system32\DRIVERS\Dot4.sys
13:41:56.0627 1236 Dot4 - ok
13:41:56.0657 1236 Dot4Print (77ce63a8a34ae23d9fe4c7896d1debe7) C:\WINDOWS\system32\DRIVERS\Dot4Prt.sys
13:41:56.0657 1236 Dot4Print - ok
13:41:56.0687 1236 dot4usb (6ec3af6bb5b30e488a0c559921f012e1) C:\WINDOWS\system32\DRIVERS\dot4usb.sys
13:41:56.0687 1236 dot4usb - ok
13:41:56.0707 1236 dpti2o - ok
13:41:56.0748 1236 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
13:41:56.0748 1236 drmkaud - ok
13:41:56.0788 1236 EapHost (2187855a7703adef0cef9ee4285182cc) C:\WINDOWS\System32\eapsvc.dll
13:41:56.0798 1236 EapHost - ok
13:41:56.0838 1236 ERSvc (bc93b4a066477954555966d77fec9ecb) C:\WINDOWS\System32\ersvc.dll
13:41:56.0838 1236 ERSvc - ok
13:41:56.0918 1236 Eventlog (65df52f5b8b6e9bbd183505225c37315) C:\WINDOWS\system32\services.exe
13:41:56.0918 1236 Eventlog - ok
13:41:56.0978 1236 EventSystem (d4991d98f2db73c60d042f1aef79efae) C:\WINDOWS\System32\es.dll
13:41:56.0988 1236 EventSystem - ok
13:41:57.0038 1236 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
13:41:57.0038 1236 Fastfat - ok
13:41:57.0088 1236 FastUserSwitchingCompatibility (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll
13:41:57.0088 1236 FastUserSwitchingCompatibility - ok
13:41:57.0118 1236 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
13:41:57.0118 1236 Fdc - ok
13:41:57.0178 1236 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
13:41:57.0178 1236 Fips - ok
13:41:57.0208 1236 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
13:41:57.0208 1236 Flpydisk - ok
13:41:57.0278 1236 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
13:41:57.0278 1236 FltMgr - ok
13:41:57.0409 1236 FontCache3.0.0.0 (8ba7c024070f2b7fdd98ed8a4ba41789) c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
13:41:57.0409 1236 FontCache3.0.0.0 - ok
13:41:57.0459 1236 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
13:41:57.0459 1236 Fs_Rec - ok
13:41:57.0489 1236 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
13:41:57.0489 1236 Ftdisk - ok
13:41:57.0539 1236 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
13:41:57.0539 1236 GEARAspiWDM - ok
13:41:57.0589 1236 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
13:41:57.0589 1236 Gpc - ok
13:41:57.0669 1236 helpsvc (4fcca060dfe0c51a09dd5c3843888bcd) C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll
13:41:57.0669 1236 helpsvc - ok
13:41:57.0709 1236 HidServ (deb04da35cc871b6d309b77e1443c796) C:\WINDOWS\System32\hidserv.dll
13:41:57.0709 1236 HidServ - ok
13:41:57.0779 1236 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
13:41:57.0779 1236 HidUsb - ok
13:41:57.0819 1236 hkmsvc (8878bd685e490239777bfe51320b88e9) C:\WINDOWS\System32\kmsvc.dll
13:41:57.0819 1236 hkmsvc - ok
13:41:57.0839 1236 hpn - ok
13:41:57.0919 1236 HSFHWICH (c2a7d9109b7f10a455d13b2432837b16) C:\WINDOWS\system32\DRIVERS\HSFHWICH.sys
13:41:57.0919 1236 HSFHWICH - ok
13:41:58.0029 1236 HSF_DP (9a0d0c461ef2b3d80cb7875b4b995e47) C:\WINDOWS\system32\DRIVERS\HSF_DP.sys
13:41:58.0049 1236 HSF_DP - ok
13:41:58.0110 1236 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
13:41:58.0120 1236 HTTP - ok
13:41:58.0160 1236 HTTPFilter (6100a808600f44d999cebdef8841c7a3) C:\WINDOWS\System32\w3ssl.dll
13:41:58.0160 1236 HTTPFilter - ok
13:41:58.0220 1236 hwdatacard (200ab8daf659c7324601fcc824d7f910) C:\WINDOWS\system32\DRIVERS\ewusbmdm.sys
13:41:58.0220 1236 hwdatacard - ok
13:41:58.0240 1236 i2omgmt - ok
13:41:58.0260 1236 i2omp - ok
13:41:58.0310 1236 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
13:41:58.0310 1236 i8042prt - ok
13:41:58.0400 1236 ialm (43d989987efa0056ad04e1d8996c5567) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
13:41:58.0410 1236 ialm - ok
13:41:58.0530 1236 IDriverT (1cf03c69b49acb70c722df92755c0c8c) C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
13:41:58.0530 1236 IDriverT - ok
13:41:58.0740 1236 idsvc (c01ac32dc5c03076cfb852cb5da5229c) c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
13:41:58.0750 1236 idsvc - ok
13:41:58.0871 1236 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
13:41:58.0871 1236 Imapi - ok
13:41:58.0941 1236 ImapiService (30deaf54a9755bb8546168cfe8a6b5e1) C:\WINDOWS\system32\imapi.exe
13:41:58.0941 1236 ImapiService - ok
13:41:58.0961 1236 ini910u - ok
13:41:59.0011 1236 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
13:41:59.0011 1236 IntelIde - ok
13:41:59.0051 1236 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
13:41:59.0051 1236 intelppm - ok
13:41:59.0081 1236 ip6fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
13:41:59.0081 1236 ip6fw - ok
13:41:59.0111 1236 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
13:41:59.0111 1236 IpFilterDriver - ok
13:41:59.0151 1236 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
13:41:59.0151 1236 IpInIp - ok
13:41:59.0211 1236 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
13:41:59.0211 1236 IpNat - ok
13:41:59.0401 1236 iPod Service (ce004777b92dea56fe14ec900d20baa4) C:\Program Files\iPod\bin\iPodService.exe
13:41:59.0401 1236 iPod Service - ok
13:41:59.0451 1236 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
13:41:59.0461 1236 IPSec - ok
13:41:59.0512 1236 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
13:41:59.0512 1236 IRENUM - ok
13:41:59.0552 1236 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
13:41:59.0552 1236 isapnp - ok
13:41:59.0672 1236 JavaQuickStarterService (0a5709543986843d37a92290b7838340) C:\Program Files\Java\jre6\bin\jqs.exe
13:41:59.0672 1236 JavaQuickStarterService - ok
13:41:59.0712 1236 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
13:41:59.0722 1236 Kbdclass - ok
13:41:59.0742 1236 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
13:41:59.0742 1236 kbdhid - ok
13:41:59.0812 1236 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
13:41:59.0812 1236 kmixer - ok
13:41:59.0852 1236 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
13:41:59.0862 1236 KSecDD - ok
13:41:59.0912 1236 lanmanserver (3a7c3cbe5d96b8ae96ce81f0b22fb527) C:\WINDOWS\System32\srvsvc.dll
13:41:59.0912 1236 lanmanserver - ok
13:41:59.0982 1236 lanmanworkstation (a8888a5327621856c0cec4e385f69309) C:\WINDOWS\System32\wkssvc.dll
13:41:59.0982 1236 lanmanworkstation - ok
13:42:00.0002 1236 lbrtfdc - ok
13:42:00.0062 1236 LmHosts (a7db739ae99a796d91580147e919cc59) C:\WINDOWS\System32\lmhsvc.dll
13:42:00.0062 1236 LmHosts - ok
13:42:00.0102 1236 MBAMProtector (fb097bbc1a18f044bd17bd2fccf97865) C:\WINDOWS\system32\drivers\mbam.sys
13:42:00.0102 1236 MBAMProtector - ok
13:42:00.0223 1236 MBAMService (ba400ed640bca1eae5c727ae17c10207) C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
13:42:00.0233 1236 MBAMService - ok
13:42:00.0753 1236 mdmxsdk (eeaea6514ba7c9d273b5e87c4e1aab30) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
13:42:00.0753 1236 mdmxsdk - ok
13:42:00.0793 1236 Messenger (986b1ff5814366d71e0ac5755c88f2d3) C:\WINDOWS\System32\msgsvc.dll
13:42:00.0793 1236 Messenger - ok
13:42:00.0843 1236 mf (a7da20ab18a1bdae28b0f349e57da0d1) C:\WINDOWS\system32\DRIVERS\mf.sys
13:42:00.0843 1236 mf - ok
13:42:00.0914 1236 Microsoft SharePoint Workspace Audit Service - ok
13:42:00.0944 1236 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
13:42:00.0944 1236 mnmdd - ok
13:42:00.0974 1236 mnmsrvc (d18f1f0c101d06a1c1adf26eed16fcdd) C:\WINDOWS\System32\mnmsrvc.exe
13:42:00.0974 1236 mnmsrvc - ok
13:42:01.0014 1236 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
13:42:01.0014 1236 Modem - ok
13:42:01.0054 1236 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
13:42:01.0054 1236 Mouclass - ok
13:42:01.0084 1236 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
13:42:01.0084 1236 mouhid - ok
13:42:01.0114 1236 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
13:42:01.0114 1236 MountMgr - ok
13:42:01.0174 1236 MozillaMaintenance (166f0cbff55d16552161c154317287ca) C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe
13:42:01.0174 1236 MozillaMaintenance - ok
13:42:01.0204 1236 mraid35x - ok
13:42:01.0244 1236 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
13:42:01.0244 1236 MRxDAV - ok
13:42:01.0314 1236 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
13:42:01.0314 1236 MRxSmb - ok
13:42:01.0354 1236 MSDTC (a137f1470499a205abbb9aafb3b6f2b1) C:\WINDOWS\System32\msdtc.exe
13:42:01.0354 1236 MSDTC - ok
13:42:01.0404 1236 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
13:42:01.0404 1236 Msfs - ok
13:42:01.0414 1236 MSIServer - ok
13:42:01.0464 1236 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
13:42:01.0464 1236 MSKSSRV - ok
13:42:01.0494 1236 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
13:42:01.0494 1236 MSPCLOCK - ok
13:42:01.0524 1236 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
13:42:01.0534 1236 MSPQM - ok
13:42:01.0574 1236 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
13:42:01.0574 1236 mssmbios - ok
13:42:01.0605 1236 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
13:42:01.0605 1236 Mup - ok
13:42:01.0645 1236 NAL (ebbef7d3ddeb24239ab8d067f3a27ccf) C:\WINDOWS\system32\Drivers\iqvw32.sys
13:42:01.0645 1236 NAL - ok
13:42:01.0725 1236 napagent (0102140028fad045756796e1c685d695) C:\WINDOWS\System32\qagentrt.dll
13:42:01.0725 1236 napagent - ok
13:42:01.0785 1236 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
13:42:01.0795 1236 NDIS - ok
13:42:01.0835 1236 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
13:42:01.0835 1236 NdisTapi - ok
13:42:01.0875 1236 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
13:42:01.0875 1236 Ndisuio - ok
13:42:01.0905 1236 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
13:42:01.0905 1236 NdisWan - ok
13:42:01.0945 1236 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
13:42:01.0945 1236 NDProxy - ok
13:42:01.0965 1236 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
13:42:01.0965 1236 NetBIOS - ok
13:42:02.0005 1236 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
13:42:02.0005 1236 NetBT - ok
13:42:02.0045 1236 NetDDE (b857ba82860d7ff85ae29b095645563b) C:\WINDOWS\system32\netdde.exe
13:42:02.0055 1236 NetDDE - ok
13:42:02.0065 1236 NetDDEdsdm (b857ba82860d7ff85ae29b095645563b) C:\WINDOWS\system32\netdde.exe
13:42:02.0075 1236 NetDDEdsdm - ok
13:42:02.0115 1236 Netlogon (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
13:42:02.0115 1236 Netlogon - ok
13:42:02.0165 1236 Netman (13e67b55b3abd7bf3fe7aae5a0f9a9de) C:\WINDOWS\System32\netman.dll
13:42:02.0165 1236 Netman - ok
13:42:02.0286 1236 NetSvc (25d4fd2151185172b6643c94f34f36be) C:\Program Files\Intel\NCS\Sync\NetSvc.exe
13:42:02.0286 1236 NetSvc - ok
13:42:02.0406 1236 NetTcpPortSharing (d22cd77d4f0d63d1169bb35911bff12d) C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe
13:42:02.0406 1236 NetTcpPortSharing - ok
13:42:02.0446 1236 NetworkX (2ea47e8ecf73c91bc6cd7ab47fd6cf9c) C:\WINDOWS\system32\ckldrv.sys
13:42:02.0456 1236 NetworkX - ok
13:42:02.0526 1236 Nla (943337d786a56729263071623bbb9de5) C:\WINDOWS\System32\mswsock.dll
13:42:02.0536 1236 Nla - ok
13:42:02.0586 1236 NPF (b48dc6abcd3aeff8618350ccbdc6b09a) C:\WINDOWS\system32\drivers\npf.sys
13:42:02.0586 1236 NPF - ok
13:42:02.0636 1236 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
13:42:02.0646 1236 Npfs - ok
13:42:02.0736 1236 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
13:42:02.0746 1236 Ntfs - ok
13:42:02.0796 1236 NtLmSsp (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\System32\lsass.exe
13:42:02.0796 1236 NtLmSsp - ok
13:42:02.0886 1236 NtmsSvc (156f64a3345bd23c600655fb4d10bc08) C:\WINDOWS\system32\ntmssvc.dll
13:42:02.0896 1236 NtmsSvc - ok
13:42:02.0936 1236 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
13:42:02.0946 1236 Null - ok
13:42:03.0017 1236 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
13:42:03.0017 1236 NwlnkFlt - ok
13:42:03.0037 1236 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
13:42:03.0037 1236 NwlnkFwd - ok
13:42:03.0087 1236 odysseyIM3 (dd03bdd1459d1966ee640f63221c175a) C:\WINDOWS\system32\DRIVERS\odysseyIM3.sys
13:42:03.0087 1236 odysseyIM3 - ok
13:42:03.0137 1236 OMCI (53d5f1278d9edb21689bbbcecc09108d) C:\WINDOWS\system32\DRIVERS\omci.sys
13:42:03.0147 1236 OMCI - ok
13:42:03.0267 1236 ose (9d10f99a6712e28f8acd5641e3a7ea6b) C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
13:42:03.0267 1236 ose - ok
13:42:03.0938 1236 osppsvc (358a9cca612c68eb2f07ddad4ce1d8d7) C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
13:42:03.0998 1236 osppsvc - ok
13:42:04.0138 1236 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
13:42:04.0138 1236 Parport - ok
13:42:04.0168 1236 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
13:42:04.0178 1236 PartMgr - ok
13:42:04.0208 1236 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
13:42:04.0208 1236 ParVdm - ok
13:42:04.0248 1236 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
13:42:04.0248 1236 PCI - ok
13:42:04.0268 1236 PCIDump - ok
13:42:04.0308 1236 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
13:42:04.0318 1236 PCIIde - ok
13:42:04.0358 1236 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\DRIVERS\pcmcia.sys
13:42:04.0358 1236 Pcmcia - ok
13:42:04.0379 1236 PDCOMP - ok
13:42:04.0389 1236 PDFRAME - ok
13:42:04.0409 1236 PDRELI - ok
13:42:04.0429 1236 PDRFRAME - ok
13:42:04.0449 1236 perc2 - ok
13:42:04.0469 1236 perc2hib - ok
13:42:04.0559 1236 PlugPlay (65df52f5b8b6e9bbd183505225c37315) C:\WINDOWS\system32\services.exe
13:42:04.0559 1236 PlugPlay - ok
13:42:04.0609 1236 Pml Driver HPZ12 (f9d3bb81bdf8b279e1f37282cd52a9b5) C:\WINDOWS\system32\HPZipm12.exe
13:42:04.0619 1236 Pml Driver HPZ12 - ok
13:42:04.0659 1236 PolicyAgent (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
13:42:04.0659 1236 PolicyAgent - ok
13:42:04.0719 1236 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
13:42:04.0729 1236 PptpMiniport - ok
13:42:04.0779 1236 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
13:42:04.0779 1236 Processor - ok
13:42:04.0799 1236 ProtectedStorage (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
13:42:04.0799 1236 ProtectedStorage - ok
13:42:04.0829 1236 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
13:42:04.0829 1236 PSched - ok
13:42:04.0869 1236 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
13:42:04.0879 1236 Ptilink - ok
13:42:04.0889 1236 ql1080 - ok
13:42:04.0909 1236 Ql10wnt - ok
13:42:04.0929 1236 ql12160 - ok
13:42:04.0949 1236 ql1240 - ok
13:42:04.0969 1236 ql1280 - ok
13:42:04.0999 1236 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
13:42:04.0999 1236 RasAcd - ok
13:42:05.0039 1236 RasAuto (ad188be7bdf94e8df4ca0a55c00a5073) C:\WINDOWS\System32\rasauto.dll
13:42:05.0049 1236 RasAuto - ok
13:42:05.0080 1236 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
13:42:05.0090 1236 Rasl2tp - ok
13:42:05.0140 1236 RasMan (76a9a3cbeadd68cc57cda5e1d7448235) C:\WINDOWS\System32\rasmans.dll
13:42:05.0140 1236 RasMan - ok
13:42:05.0180 1236 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
13:42:05.0180 1236 RasPppoe - ok
13:42:05.0200 1236 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
13:42:05.0200 1236 Raspti - ok
13:42:05.0240 1236 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
13:42:05.0240 1236 Rdbss - ok
13:42:05.0270 1236 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
13:42:05.0270 1236 RDPCDD - ok
13:42:05.0340 1236 RDPWD (5b3055daa788bd688594d2f5981f2a83) C:\WINDOWS\system32\drivers\RDPWD.sys
13:42:05.0350 1236 RDPWD - ok
13:42:05.0410 1236 RDSessMgr (3c37bf86641bda977c3bf8a840f3b7fa) C:\WINDOWS\system32\sessmgr.exe
13:42:05.0410 1236 RDSessMgr - ok
13:42:05.0460 1236 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
13:42:05.0470 1236 redbook - ok
13:42:05.0510 1236 RegSrvc (06b6e4cc67dd02434f8ff80ccb922909) C:\WINDOWS\system32\RegSrvc.exe
13:42:05.0520 1236 RegSrvc - ok
13:42:05.0560 1236 RemoteAccess (7e699ff5f59b5d9de5390e3c34c67cf5) C:\WINDOWS\System32\mprdim.dll
13:42:05.0560 1236 RemoteAccess - ok
13:42:05.0670 1236 rpcapd (b60f58f175de20a6739194e85b035178) C:\Program Files\WinPcap\rpcapd.exe
13:42:05.0670 1236 rpcapd - ok
13:42:05.0730 1236 RpcLocator (aaed593f84afa419bbae8572af87cf6a) C:\WINDOWS\System32\locator.exe
13:42:05.0730 1236 RpcLocator - ok
13:42:05.0811 1236 RpcSs (6b27a5c03dfb94b4245739065431322c) C:\WINDOWS\System32\rpcss.dll
13:42:05.0821 1236 RpcSs - ok
13:42:05.0871 1236 RSVP (471b3f9741d762abe75e9deea4787e47) C:\WINDOWS\System32\rsvp.exe
13:42:05.0871 1236 RSVP - ok
13:42:05.0961 1236 S24EventMonitor (672cf74e8fa09e6ce6f49ab9a272d562) C:\WINDOWS\system32\S24EvMon.exe
13:42:05.0971 1236 S24EventMonitor - ok
13:42:06.0031 1236 s24trans (423ae506c8d55bba9e429eeeec035a40) C:\WINDOWS\system32\DRIVERS\s24trans.sys
13:42:06.0031 1236 s24trans - ok
13:42:06.0051 1236 SamSs (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
13:42:06.0051 1236 SamSs - ok
13:42:06.0131 1236 SASDIFSV (39763504067962108505bff25f024345) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
13:42:06.0131 1236 SASDIFSV - ok
13:42:06.0171 1236 SASKUTIL (77b9fc20084b48408ad3e87570eb4a85) C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
13:42:06.0171 1236 SASKUTIL - ok
13:42:06.0221 1236 SCardSvr (86d007e7a654b9a71d1d7d856b104353) C:\WINDOWS\System32\SCardSvr.exe
13:42:06.0231 1236 SCardSvr - ok
13:42:06.0291 1236 Schedule (0a9a7365a1ca4319aa7c1d6cd8e4eafa) C:\WINDOWS\system32\schedsvc.dll
13:42:06.0301 1236 Schedule - ok
13:42:06.0361 1236 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
13:42:06.0361 1236 Secdrv - ok
13:42:06.0391 1236 seclogon (cbe612e2bb6a10e3563336191eda1250) C:\WINDOWS\System32\seclogon.dll
13:42:06.0391 1236 seclogon - ok
13:42:06.0431 1236 SENS (7fdd5d0684eca8c1f68b4d99d124dcd0) C:\WINDOWS\system32\sens.dll
13:42:06.0431 1236 SENS - ok
13:42:06.0472 1236 Serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
13:42:06.0472 1236 Serenum - ok
13:42:06.0522 1236 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
13:42:06.0522 1236 Serial - ok
13:42:06.0592 1236 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
13:42:06.0592 1236 Sfloppy - ok
13:42:06.0672 1236 SharedAccess (83f41d0d89645d7235c051ab1d9523ac) C:\WINDOWS\System32\ipnathlp.dll
13:42:06.0672 1236 SharedAccess - ok
13:42:06.0732 1236 ShellHWDetection (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll
13:42:06.0742 1236 ShellHWDetection - ok
13:42:06.0752 1236 Simbad - ok
13:42:06.0782 1236 Sparrow - ok
13:42:06.0812 1236 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
13:42:06.0812 1236 splitter - ok
13:42:06.0862 1236 Spooler (60784f891563fb1b767f70117fc2428f) C:\WINDOWS\system32\spoolsv.exe
13:42:06.0862 1236 Spooler - ok
13:42:06.0982 1236 sptd (d15da1ba189770d93eea2d7e18f95af9) C:\WINDOWS\System32\Drivers\sptd.sys
13:42:06.0992 1236 sptd - ok
13:42:07.0022 1236 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
13:42:07.0022 1236 sr - ok
13:42:07.0082 1236 srservice (3805df0ac4296a34ba4bf93b346cc378) C:\WINDOWS\system32\srsvc.dll
13:42:07.0082 1236 srservice - ok
13:42:07.0153 1236 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
13:42:07.0163 1236 Srv - ok
13:42:07.0193 1236 SSDPSRV (0a5679b3714edab99e357057ee88fca6) C:\WINDOWS\System32\ssdpsrv.dll
13:42:07.0193 1236 SSDPSRV - ok
13:42:07.0253 1236 STAC97 (b3034de9020cde2c46f653d972446bf2) C:\WINDOWS\system32\drivers\stac97.sys
13:42:07.0263 1236 STAC97 - ok
13:42:07.0333 1236 stisvc (8bad69cbac032d4bbacfce0306174c30) C:\WINDOWS\system32\wiaservc.dll
13:42:07.0343 1236 stisvc - ok
13:42:07.0393 1236 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
13:42:07.0393 1236 swenum - ok
13:42:07.0433 1236 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
13:42:07.0433 1236 swmidi - ok
13:42:07.0453 1236 SwPrv - ok
13:42:07.0473 1236 symc810 - ok
13:42:07.0493 1236 symc8xx - ok
13:42:07.0513 1236 sym_hi - ok
13:42:07.0533 1236 sym_u3 - ok
13:42:07.0623 1236 SynTP (36460e94bbb8c1a1a1c22e45a28fb955) C:\WINDOWS\system32\DRIVERS\SynTP.sys
13:42:07.0623 1236 SynTP - ok
13:42:07.0653 1236 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
13:42:07.0653 1236 sysaudio - ok
13:42:07.0693 1236 SysmonLog (c7abbc59b43274b1109df6b24d617051) C:\WINDOWS\system32\smlogsvc.exe
13:42:07.0703 1236 SysmonLog - ok
13:42:07.0753 1236 TapiSrv (3cb78c17bb664637787c9a1c98f79c38) C:\WINDOWS\System32\tapisrv.dll
13:42:07.0763 1236 TapiSrv - ok
13:42:07.0833 1236 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
13:42:07.0844 1236 Tcpip - ok
13:42:07.0884 1236 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
13:42:07.0884 1236 TDPIPE - ok
13:42:07.0924 1236 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
13:42:07.0924 1236 TDTCP - ok
13:42:07.0964 1236 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
13:42:07.0964 1236 TermDD - ok
13:42:08.0024 1236 TermService (ff3477c03be7201c294c35f684b3479f) C:\WINDOWS\System32\termsrv.dll
13:42:08.0024 1236 TermService - ok
13:42:08.0054 1236 TetaSCDevice - ok
13:42:08.0114 1236 Themes (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll
13:42:08.0114 1236 Themes - ok
13:42:08.0144 1236 TosIde - ok
13:42:08.0184 1236 TrkWks (55bca12f7f523d35ca3cb833c725f54e) C:\WINDOWS\system32\trkwks.dll
13:42:08.0194 1236 TrkWks - ok
13:42:08.0234 1236 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
13:42:08.0234 1236 Udfs - ok
13:42:08.0254 1236 ultra - ok
13:42:08.0334 1236 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
13:42:08.0344 1236 Update - ok
13:42:08.0384 1236 upnphost (1ebafeb9a3fbdc41b8d9c7f0f687ad91) C:\WINDOWS\System32\upnphost.dll
13:42:08.0394 1236 upnphost - ok
13:42:08.0414 1236 UPS (05365fb38fca1e98f7a566aaaf5d1815) C:\WINDOWS\System32\ups.exe
13:42:08.0424 1236 UPS - ok
13:42:08.0464 1236 USBAAPL (eafe1e00739afe6c51487a050e772e17) C:\WINDOWS\system32\Drivers\usbaapl.sys
13:42:08.0464 1236 USBAAPL - ok
13:42:08.0524 1236 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
13:42:08.0524 1236 usbaudio - ok
13:42:08.0565 1236 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
13:42:08.0565 1236 usbccgp - ok
13:42:08.0605 1236 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
13:42:08.0605 1236 usbehci - ok
13:42:08.0655 1236 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
13:42:08.0665 1236 usbhub - ok
13:42:08.0695 1236 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
13:42:08.0695 1236 usbscan - ok
13:42:08.0725 1236 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
13:42:08.0725 1236 USBSTOR - ok
13:42:08.0755 1236 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
13:42:08.0755 1236 usbuhci - ok
13:42:08.0775 1236 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
13:42:08.0775 1236 VgaSave - ok
13:42:08.0795 1236 ViaIde - ok
13:42:08.0865 1236 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
13:42:08.0875 1236 VolSnap - ok
13:42:08.0955 1236 VSS (7a9db3a67c333bf0bd42e42b8596854b) C:\WINDOWS\System32\vssvc.exe
13:42:08.0965 1236 VSS - ok
13:42:09.0015 1236 W32Time (54af4b1d5459500ef0937f6d33b1914f) C:\WINDOWS\system32\w32time.dll
13:42:09.0015 1236 W32Time - ok
13:42:09.0095 1236 W8335XP (10ad08a04ea46b96a7968eb65ee9db39) C:\WINDOWS\system32\DRIVERS\MRV8335XP.sys
13:42:09.0095 1236 W8335XP - ok
13:42:09.0125 1236 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
13:42:09.0125 1236 Wanarp - ok
13:42:09.0145 1236 WDICA - ok
13:42:09.0205 1236 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
13:42:09.0205 1236 wdmaud - ok
13:42:09.0256 1236 WebClient (77a354e28153ad2d5e120a5a8687bc06) C:\WINDOWS\System32\webclnt.dll
13:42:09.0256 1236 WebClient - ok
13:42:09.0386 1236 winachsf (ce545a84bf3411e7516fa8da51ad9d93) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
13:42:09.0396 1236 winachsf - ok
13:42:09.0496 1236 winmgmt (2d0e4ed081963804ccc196a0929275b5) C:\WINDOWS\system32\wbem\WMIsvc.dll
13:42:09.0496 1236 winmgmt - ok
13:42:09.0556 1236 WmdmPmSN (c51b4a5c05a5475708e3c81c7765b71d) C:\WINDOWS\system32\MsPMSNSv.dll
13:42:09.0556 1236 WmdmPmSN - ok
13:42:09.0626 1236 WmiApSrv (e0673f1106e62a68d2257e376079f821) C:\WINDOWS\System32\wbem\wmiapsrv.exe
13:42:09.0626 1236 WmiApSrv - ok
13:42:09.0806 1236 WMPNetworkSvc (f74e3d9a7fa9556c3bbb14d4e5e63d3b) C:\Program Files\Windows Media Player\WMPNetwk.exe
13:42:09.0816 1236 WMPNetworkSvc - ok
13:42:09.0886 1236 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\DRIVERS\wpdusb.sys
13:42:09.0886 1236 WpdUsb - ok
13:42:10.0097 1236 WPFFontCache_v0400 (dcf3e3edf5109ee8bc02fe6e1f045795) C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe
13:42:10.0107 1236 WPFFontCache_v0400 - ok
13:42:10.0157 1236 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
13:42:10.0157 1236 WS2IFSL - ok
13:42:10.0207 1236 wscsvc (7c278e6408d1dce642230c0585a854d5) C:\WINDOWS\system32\wscsvc.dll
13:42:10.0207 1236 wscsvc - ok
13:42:10.0257 1236 wuauserv (35321fb577cdc98ce3eb3a3eb9e4610a) C:\WINDOWS\system32\wuauserv.dll
13:42:10.0257 1236 wuauserv - ok
13:42:10.0307 1236 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
13:42:10.0307 1236 WudfPf - ok
13:42:10.0357 1236 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
13:42:10.0357 1236 WudfRd - ok
13:42:10.0407 1236 WudfSvc (05231c04253c5bc30b26cbaae680ed89) C:\WINDOWS\System32\WUDFSvc.dll
13:42:10.0407 1236 WudfSvc - ok
13:42:10.0487 1236 WZCSVC (81dc3f549f44b1c1fff022dec9ecf30b) C:\WINDOWS\System32\wzcsvc.dll
13:42:10.0497 1236 WZCSVC - ok
13:42:10.0557 1236 xmlprov (295d21f14c335b53cb8154e5b1f892b9) C:\WINDOWS\System32\xmlprov.dll
13:42:10.0567 1236 xmlprov - ok
13:42:10.0778 1236 ZendDeployment (f54b988fe5a1fbf88b9af805fe1de028) C:\Program Files\Zend\ZendServer\bin\zdd.exe
13:42:10.0788 1236 ZendDeployment - ok
13:42:10.0898 1236 ZendJobQueue (08f724fdebae04a7c57e0dc64efed742) C:\Program Files\Zend\ZendServer\bin\jqd.exe
13:42:10.0908 1236 ZendJobQueue - ok
13:42:10.0978 1236 ZendMonitor (78e92b4a8fabea735fe7f3a9c1fd299c) C:\Program Files\Zend\ZendServer\bin\MonitorNode.exe
13:42:10.0988 1236 ZendMonitor - ok
13:42:11.0078 1236 ZendSessionClustering (6f2364660a4559a666ad553e06024793) C:\Program Files\Zend\ZendServer\bin\ZendSessionManager.exe
13:42:11.0088 1236 ZendSessionClustering - ok
13:42:11.0158 1236 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
13:42:11.0919 1236 \Device\Harddisk0\DR0 - ok
13:42:11.0939 1236 Boot (0x1200) (58e1923f812d0fe3d8436ddf9f26d98e) \Device\Harddisk0\DR0\Partition0
13:42:11.0939 1236 \Device\Harddisk0\DR0\Partition0 - ok
13:42:11.0969 1236 Boot (0x1200) (cca1cff8ec4ac6aa5ecbe54ae116efb0) \Device\Harddisk0\DR0\Partition1
13:42:11.0979 1236 \Device\Harddisk0\DR0\Partition1 - ok
13:42:11.0979 1236 ============================================================
13:42:11.0979 1236 Scan finished
13:42:11.0979 1236 ============================================================
13:42:12.0010 0508 Detected object count: 0
13:42:12.0010 0508 Actual detected object count: 0
13:42:14.0673 2572 Deinitialize success

Adam

Edited by myselfasadam, 26 May 2012 - 09:24 AM.


#14 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:02:43 PM

Posted 26 May 2012 - 05:02 PM

Yeah, I figured this was going to find nothing.

Let's run Process Explorer

  • Download and extract Process Explorer
  • Open the program
  • Leave it until the window appears, Process Explorer will show a new entry in green (starting) or red (stopping)
  • Double click on the process and it will tell you how it starts and what program is involved (and where to find it).
  • Let me know what it finds
Note: Under View in PE you can change the update speed making the process last longer in the list.
m0le is a proud member of UNITE
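A scripted equivalent of the Process Explorer watch described above, added here as an example and not part of m0le's instructions or of any tool he names: it polls the Windows process list with `tasklist /FO CSV` (present on XP and later) and logs every process that starts or stops between polls, which is what Process Explorer's green and red highlighting shows. The two `tasklist` snapshots embedded below are constructed sample output, and the PID shown for HPBPRO.EXE is made up; the `--demo` switch runs the diff logic over those samples so the script can be exercised off Windows.

```python
"""Poll the process list and log start/stop transitions (added example)."""
import csv
import io
import subprocess
import sys
import time
from datetime import datetime


def parse_tasklist_csv(text):
    """Map PID -> image name from `tasklist /FO CSV` output.

    A header row, if present, is skipped because its PID column is not numeric.
    """
    procs = {}
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 2 or not row[1].isdigit():
            continue
        procs[int(row[1])] = row[0]
    return procs


def diff_snapshots(before, after):
    """Return (started, stopped): sorted (pid, name) lists of processes that
    appeared since `before` or disappeared from it."""
    started = sorted((pid, after[pid]) for pid in after.keys() - before.keys())
    stopped = sorted((pid, before[pid]) for pid in before.keys() - after.keys())
    return started, stopped


def snapshot_tasklist():
    """Take one live snapshot (Windows only); /NH drops the header row."""
    out = subprocess.run(["tasklist", "/FO", "CSV", "/NH"],
                         capture_output=True, text=True, check=True).stdout
    return parse_tasklist_csv(out)


def watch(snapshot_fn, polls=120, interval=0.5, log=print):
    """Take `polls` snapshots `interval` seconds apart after an initial one,
    log each transition with a timestamp, and return all events seen."""
    events = []
    before = snapshot_fn()
    for _ in range(polls):
        if interval:
            time.sleep(interval)
        after = snapshot_fn()
        started, stopped = diff_snapshots(before, after)
        stamp = datetime.now().strftime("%H:%M:%S.%f")[:-3]
        for pid, name in started:
            log(f"{stamp} START pid={pid} {name}")
            events.append(("start", pid, name))
        for pid, name in stopped:
            log(f"{stamp} STOP  pid={pid} {name}")
            events.append(("stop", pid, name))
        before = after
    return events


# Constructed sample output shaped like `tasklist /FO CSV`, first with the
# header row and then without it. The PID for HPBPRO.EXE is made up.
SAMPLE_BEFORE = (
    '"Image Name","PID","Session Name","Session#","Mem Usage"\n'
    '"System Idle Process","0","Console","0","28 K"\n'
    '"System","4","Console","0","236 K"\n'
    '"explorer.exe","1364","Console","0","21,480 K"\n'
)
SAMPLE_AFTER = (
    '"System Idle Process","0","Console","0","28 K"\n'
    '"System","4","Console","0","236 K"\n'
    '"explorer.exe","1364","Console","0","21,480 K"\n'
    '"HPBPRO.EXE","2044","Console","0","3,104 K"\n'
)


def demo_events():
    """Run watch() over the constructed snapshots: the short-lived process
    appears in the second frame and is gone again in the third."""
    frames = iter([SAMPLE_BEFORE, SAMPLE_AFTER, SAMPLE_BEFORE])
    return watch(lambda: parse_tasklist_csv(next(frames)),
                 polls=2, interval=0, log=lambda _line: None)


if __name__ == "__main__":
    if len(sys.argv) > 1 and sys.argv[1] == "--demo":
        for event in demo_events():
            print(event)
    else:
        watch(snapshot_tasklist)  # live: 120 polls at 0.5 s, about a minute
```

Run it live from a shortcut in the Startup folder when a window is gone before a tool can be launched by hand; the log then records the image name of whatever started and stopped, and the PID can be matched against Process Explorer's properties view for the full path and command line.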

#15 myselfasadam

myselfasadam
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:02:43 PM

Posted 26 May 2012 - 06:14 PM

Hi, the link you gave didn't work for me. I had to cut it down to the website and search for it on the MS site, which is quick too.

The only item opening and closing was C:\WINDOWS\system32\HPBPRO.EXE the program indicated it was unverified.

I attempted to start Process Explorer to catch the window opening but it opens before I can get it to start manually.

That said the window has slowed down as it opens and appears to have "zen" in the window title.

I had a Java file sent over in March that I clicked on before I had thought about the security issues. The file opened and I shut it down, as I was expecting a text file. I still have it, and there's a lot in it for what was supposed to be a test key for a Zend product.

Adam

Edited by myselfasadam, 27 May 2012 - 06:17 AM.
