Battling Trojan


7 replies to this topic

#1 Dan.Newton


Posted 21 May 2012 - 08:00 AM

Hello All,
A Google search for vp tray.exe brought up Bleeping Computer, and maybe someone here has had the same problem.
When I start up the computer, which runs XP Pro 5.1 SP3, the message says: Symantec Antivirus: VPTray.exe Ordinal not found.
The ordinal 1109 could not be located in the dynamic link library wsock32.dll.
Malware flashes a window every couple of seconds, listing potentially malicious sites the computer is trying to connect with but was blocked.
It is the same five sites, and here is the list:
195.3.145.57
94.242.214.28
94.242.214.18
204.137.28.195
78.41.203.117
I would be grateful for any help with this. I have run Malware, Symantec, Sophos, MS troubleshooter, and updated the software. My bag of tricks is now empty.
Thank you kindly, Dan Newton

Edited by hamluis, 21 May 2012 - 08:41 AM.
Moved from XP to Am I Infected - Hamluis.



#2 Dan.Newton


Posted 21 May 2012 - 09:25 AM

Now the Malwarebytes popup is up most of the time, with a successive list of new sites the computer is searching for. With the computer slowing down, it seems like the trojan is gaining ground.
This computer is used for a business, and I am wondering if I should just get professional help, before it is destroyed.

#3 narenxp

  • BC Advisor

Posted 21 May 2012 - 10:39 AM

Download TDSSKiller.

Launch it. Click on "Change parameters" and select "TDLFS file system".

Click on "Scan". Please post the log report (the log file should be in your C drive).


Please download GMER from here (does not work on 64-bit OS):

http://www2.gmer.net/download.php

Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.

GMER will open to the Rootkit/Malware tab and perform an automatic Full Scan when first run. (do not use the computer while the scan is in progress)

If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
Now click the Scan button. If you see a rootkit warning window, click OK.
When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
Click the Copy button and paste the results into your next reply.


Download aswMBR.

Launch it and allow it to download the latest Avast! virus definitions.
Click the "Scan" button to start the scan. After the scan finishes, click on "Save log".

Post the log results here

#4 Dan.Newton


Posted 21 May 2012 - 11:58 AM

12:52:24.0046 1352 TDSS rootkit removing tool 2.7.36.0 May 21 2012 16:40:16
12:52:24.0656 1352 ============================================================
12:52:24.0656 1352 Current date / time: 2012/05/21 12:52:24.0656
12:52:24.0656 1352 SystemInfo:
12:52:24.0656 1352
12:52:24.0656 1352 OS Version: 5.1.2600 ServicePack: 3.0
12:52:24.0656 1352 Product type: Workstation
12:52:24.0656 1352 ComputerName: MYHOME-17C8B773
12:52:24.0656 1352 UserName: Dan
12:52:24.0656 1352 Windows directory: C:\WINDOWS
12:52:24.0656 1352 System windows directory: C:\WINDOWS
12:52:24.0656 1352 Processor architecture: Intel x86
12:52:24.0656 1352 Number of processors: 1
12:52:24.0656 1352 Page size: 0x1000
12:52:24.0656 1352 Boot type: Normal boot
12:52:24.0656 1352 ============================================================
12:52:28.0468 1352 Drive \Device\Harddisk0\DR0 - Size: 0x3A35294400 (232.83 Gb), SectorSize: 0x200, Cylinders: 0x76BA, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
12:52:28.0468 1352 ============================================================
12:52:28.0468 1352 \Device\Harddisk0\DR0:
12:52:28.0468 1352 MBR partitions:
12:52:28.0468 1352 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x800, BlocksNum 0x1D1A8800
12:52:28.0468 1352 ============================================================
12:52:28.0484 1352 C: <-> \Device\Harddisk0\DR0\Partition0
12:52:28.0484 1352 ============================================================
12:52:28.0484 1352 Initialize success
12:52:28.0484 1352 ============================================================
12:53:07.0640 1888 ============================================================
12:53:07.0640 1888 Scan started
12:53:07.0640 1888 Mode: Manual; TDLFS;
12:53:07.0640 1888 ============================================================
12:53:08.0578 1888 Abiosdsk - ok
12:53:08.0593 1888 abp480n5 - ok
12:53:08.0671 1888 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
12:53:08.0671 1888 ACPI - ok
12:53:08.0734 1888 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
12:53:08.0734 1888 ACPIEC - ok
12:53:08.0890 1888 AdobeFlashPlayerUpdateSvc (76d5a3d2a50402a0b9b6ed13c4371e79) C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
12:53:08.0890 1888 AdobeFlashPlayerUpdateSvc - ok
12:53:08.0906 1888 adpu160m - ok
12:53:09.0000 1888 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
12:53:09.0000 1888 aec - ok
12:53:09.0093 1888 AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys
12:53:09.0109 1888 AFD - ok
12:53:09.0109 1888 Aha154x - ok
12:53:09.0125 1888 aic78u2 - ok
12:53:09.0125 1888 aic78xx - ok
12:53:09.0187 1888 Alerter (a9a3daa780ca6c9671a19d52456705b4) C:\WINDOWS\system32\alrsvc.dll
12:53:09.0187 1888 Alerter - ok
12:53:09.0234 1888 ALG (8c515081584a38aa007909cd02020b3d) C:\WINDOWS\System32\alg.exe
12:53:09.0234 1888 ALG - ok
12:53:09.0234 1888 AliIde - ok
12:53:09.0250 1888 amsint - ok
12:53:09.0375 1888 Apple Mobile Device (3debbecf665dcdde3a95d9b902010817) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
12:53:09.0453 1888 Apple Mobile Device - ok
12:53:09.0562 1888 Application Updater (e9638d3e3b85de683a0a1b795b3ff6ef) C:\Program Files\Application Updater\ApplicationUpdater.exe
12:53:09.0687 1888 Application Updater - ok
12:53:09.0734 1888 AppMgmt (d8849f77c0b66226335a59d26cb4edc6) C:\WINDOWS\System32\appmgmts.dll
12:53:09.0734 1888 AppMgmt - ok
12:53:09.0734 1888 asc - ok
12:53:09.0750 1888 asc3350p - ok
12:53:09.0750 1888 asc3550 - ok
12:53:09.0968 1888 aspnet_state (0e5e4957549056e2bf2c49f4f6b601ad) C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
12:53:10.0140 1888 aspnet_state - ok
12:53:10.0203 1888 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
12:53:10.0203 1888 AsyncMac - ok
12:53:10.0265 1888 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
12:53:10.0265 1888 atapi - ok
12:53:10.0265 1888 Atdisk - ok
12:53:10.0359 1888 Ati HotKey Poller (abc57a6f6070baf9786c318f59f29f0b) C:\WINDOWS\system32\Ati2evxx.exe
12:53:10.0359 1888 Ati HotKey Poller - ok
12:53:10.0484 1888 ati2mtag (03621f7f968ff63713943405deb777f9) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
12:53:10.0531 1888 ati2mtag - ok
12:53:10.0562 1888 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
12:53:10.0562 1888 Atmarpc - ok
12:53:10.0625 1888 AudioSrv (def7a7882bec100fe0b2ce2549188f9d) C:\WINDOWS\System32\audiosrv.dll
12:53:10.0625 1888 AudioSrv - ok
12:53:10.0703 1888 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
12:53:10.0703 1888 audstub - ok
12:53:10.0750 1888 b57w2k (2acf06176b9d011567d7f25b83ddd066) C:\WINDOWS\system32\DRIVERS\b57xp32.sys
12:53:10.0750 1888 b57w2k - ok
12:53:10.0796 1888 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
12:53:10.0796 1888 Beep - ok
12:53:10.0890 1888 BITS (574738f61fca2935f5265dc4e5691314) C:\WINDOWS\system32\qmgr.dll
12:53:10.0921 1888 BITS - ok
12:53:11.0093 1888 Bonjour Service (db5bea73edaf19ac68b2c0fad0f92b1a) C:\Program Files\Bonjour\mDNSResponder.exe
12:53:11.0234 1888 Bonjour Service - ok
12:53:11.0265 1888 Browser (a06ce3399d16db864f55faeb1f1927a9) C:\WINDOWS\System32\browser.dll
12:53:11.0265 1888 Browser - ok
12:53:11.0296 1888 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
12:53:11.0296 1888 cbidf2k - ok
12:53:11.0421 1888 CCALib8 (8ef654045e518ac00e52e7a1e2d3ad70) C:\Program Files\Canon\CAL\CALMAIN.exe
12:53:11.0437 1888 CCALib8 - ok
12:53:11.0500 1888 ccEvtMgr (e403a2d0f451500ff12638c19cffc87c) C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
12:53:11.0515 1888 ccEvtMgr - ok
12:53:11.0515 1888 ccSetMgr (64ca18128973124df92d516d50c03aef) C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
12:53:11.0578 1888 ccSetMgr - ok
12:53:11.0578 1888 cd20xrnt - ok
12:53:11.0593 1888 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
12:53:11.0593 1888 Cdaudio - ok
12:53:11.0625 1888 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
12:53:11.0625 1888 Cdfs - ok
12:53:11.0687 1888 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
12:53:11.0687 1888 Cdrom - ok
12:53:11.0703 1888 cerc6 - ok
12:53:11.0703 1888 Changer - ok
12:53:11.0781 1888 CiSvc (1cfe720eb8d93a7158a4ebc3ab178bde) C:\WINDOWS\system32\cisvc.exe
12:53:11.0781 1888 CiSvc - ok
12:53:11.0828 1888 ClipSrv (34cbe729f38138217f9c80212a2a0c82) C:\WINDOWS\system32\clipsrv.exe
12:53:11.0828 1888 ClipSrv - ok
12:53:12.0015 1888 clr_optimization_v2.0.50727_32 (d87acaed61e417bba546ced5e7e36d9c) c:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
12:53:12.0140 1888 clr_optimization_v2.0.50727_32 - ok
12:53:12.0265 1888 clr_optimization_v4.0.30319_32 (c5a75eb48e2344abdc162bda79e16841) C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
12:53:12.0281 1888 clr_optimization_v4.0.30319_32 - ok
12:53:12.0296 1888 CmdIde - ok
12:53:12.0296 1888 COMSysApp - ok
12:53:12.0312 1888 Cpqarray - ok
12:53:12.0359 1888 CryptSvc (3d4e199942e29207970e04315d02ad3b) C:\WINDOWS\System32\cryptsvc.dll
12:53:12.0359 1888 CryptSvc - ok
12:53:12.0359 1888 dac2w2k - ok
12:53:12.0375 1888 dac960nt - ok
12:53:12.0453 1888 DcomLaunch (6b27a5c03dfb94b4245739065431322c) C:\WINDOWS\system32\rpcss.dll
12:53:12.0453 1888 DcomLaunch - ok
12:53:12.0531 1888 DefWatch (213153e1ee098feef56098536b2a6dd7) C:\Program Files\Symantec AntiVirus\DefWatch.exe
12:53:12.0562 1888 DefWatch - ok
12:53:12.0578 1888 Dhcp (5e38d7684a49cacfb752b046357e0589) C:\WINDOWS\System32\dhcpcsvc.dll
12:53:12.0593 1888 Dhcp - ok
12:53:12.0593 1888 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
12:53:12.0593 1888 Disk - ok
12:53:12.0609 1888 dmadmin - ok
12:53:12.0796 1888 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
12:53:12.0812 1888 dmboot - ok
12:53:12.0828 1888 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
12:53:12.0828 1888 dmio - ok
12:53:12.0875 1888 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
12:53:12.0890 1888 dmload - ok
12:53:12.0890 1888 dmserver (57edec2e5f59f0335e92f35184bc8631) C:\WINDOWS\System32\dmserver.dll
12:53:12.0906 1888 dmserver - ok
12:53:12.0953 1888 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
12:53:12.0953 1888 DMusic - ok
12:53:13.0000 1888 Dnscache (5f7e24fa9eab896051ffb87f840730d2) C:\WINDOWS\System32\dnsrslvr.dll
12:53:13.0000 1888 Dnscache - ok
12:53:13.0031 1888 Dot3svc (0f0f6e687e5e15579ef4da8dd6945814) C:\WINDOWS\System32\dot3svc.dll
12:53:13.0031 1888 Dot3svc - ok
12:53:13.0046 1888 dpti2o - ok
12:53:13.0062 1888 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
12:53:13.0062 1888 drmkaud - ok
12:53:13.0078 1888 EapHost (2187855a7703adef0cef9ee4285182cc) C:\WINDOWS\System32\eapsvc.dll
12:53:13.0078 1888 EapHost - ok
12:53:13.0234 1888 eeCtrl (579a6b6135d32b857faf0e3a974535d8) C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
12:53:13.0250 1888 eeCtrl - ok
12:53:13.0328 1888 EraserUtilRebootDrv (028d50f059bd0d2ccb209e9011b9a9a4) C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
12:53:13.0343 1888 EraserUtilRebootDrv - ok
12:53:13.0390 1888 ERSvc (bc93b4a066477954555966d77fec9ecb) C:\WINDOWS\System32\ersvc.dll
12:53:13.0390 1888 ERSvc - ok
12:53:13.0453 1888 Eventlog (65df52f5b8b6e9bbd183505225c37315) C:\WINDOWS\system32\services.exe
12:53:13.0453 1888 Eventlog - ok
12:53:13.0531 1888 EventSystem (d4991d98f2db73c60d042f1aef79efae) C:\WINDOWS\system32\es.dll
12:53:13.0546 1888 EventSystem - ok
12:53:13.0593 1888 exFat (3ef58f2eae3aecab45d682152db2f67d) C:\WINDOWS\system32\drivers\exFat.sys
12:53:13.0593 1888 exFat - ok
12:53:13.0656 1888 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
12:53:13.0656 1888 Fastfat - ok
12:53:13.0687 1888 FastUserSwitchingCompatibility (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll
12:53:13.0687 1888 FastUserSwitchingCompatibility - ok
12:53:13.0703 1888 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
12:53:13.0703 1888 Fdc - ok
12:53:13.0718 1888 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
12:53:13.0718 1888 Fips - ok
12:53:13.0734 1888 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
12:53:13.0734 1888 Flpydisk - ok
12:53:13.0812 1888 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
12:53:13.0812 1888 FltMgr - ok
12:53:13.0953 1888 FontCache3.0.0.0 (8ba7c024070f2b7fdd98ed8a4ba41789) c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
12:53:13.0968 1888 FontCache3.0.0.0 - ok
12:53:14.0031 1888 Fs_Rec (c865b83411d7347627a4beec22543fb1) C:\WINDOWS\system32\drivers\Fs_Rec.sys
12:53:14.0031 1888 Fs_Rec - ok
12:53:14.0078 1888 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
12:53:14.0078 1888 Ftdisk - ok
12:53:14.0187 1888 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
12:53:14.0187 1888 GEARAspiWDM - ok
12:53:14.0203 1888 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
12:53:14.0203 1888 Gpc - ok
12:53:14.0390 1888 gupdate (f02a533f517eb38333cb12a9e8963773) C:\Program Files\Google\Update\GoogleUpdate.exe
12:53:14.0390 1888 gupdate - ok
12:53:14.0406 1888 gupdatem (f02a533f517eb38333cb12a9e8963773) C:\Program Files\Google\Update\GoogleUpdate.exe
12:53:14.0406 1888 gupdatem - ok
12:53:14.0500 1888 gusvc (cc839e8d766cc31a7710c9f38cf3e375) C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
12:53:14.0500 1888 gusvc - ok
12:53:14.0578 1888 helpsvc (4fcca060dfe0c51a09dd5c3843888bcd) C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll
12:53:14.0578 1888 helpsvc - ok
12:53:14.0625 1888 HidServ (deb04da35cc871b6d309b77e1443c796) C:\WINDOWS\System32\hidserv.dll
12:53:14.0625 1888 HidServ - ok
12:53:14.0671 1888 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
12:53:14.0671 1888 HidUsb - ok
12:53:14.0750 1888 hkmsvc (8878bd685e490239777bfe51320b88e9) C:\WINDOWS\System32\kmsvc.dll
12:53:14.0750 1888 hkmsvc - ok
12:53:14.0765 1888 hpn - ok
12:53:14.0843 1888 HPZid412 (9f1d80908658eb7f1bf70809e0b51470) C:\WINDOWS\system32\DRIVERS\HPZid412.sys
12:53:14.0843 1888 HPZid412 - ok
12:53:14.0859 1888 HPZipr12 (f7e3e9d50f9cd3de28085a8fdaa0a1c3) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
12:53:14.0859 1888 HPZipr12 - ok
12:53:14.0921 1888 HPZius12 (abcb05ccdbf03000354b9553820e39f8) C:\WINDOWS\system32\DRIVERS\HPZius12.sys
12:53:14.0937 1888 HPZius12 - ok
12:53:15.0000 1888 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
12:53:15.0015 1888 HTTP - ok
12:53:15.0046 1888 HTTPFilter (6100a808600f44d999cebdef8841c7a3) C:\WINDOWS\System32\w3ssl.dll
12:53:15.0046 1888 HTTPFilter - ok
12:53:15.0062 1888 i2omgmt - ok
12:53:15.0062 1888 i2omp - ok
12:53:15.0125 1888 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
12:53:15.0125 1888 i8042prt - ok
12:53:15.0250 1888 idsvc (c01ac32dc5c03076cfb852cb5da5229c) c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
12:53:15.0281 1888 idsvc - ok
12:53:15.0593 1888 IHA_MessageCenter (c135bff15563592b8ea070ea109967f7) C:\Program Files\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe
12:53:15.0609 1888 IHA_MessageCenter - ok
12:53:15.0656 1888 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
12:53:15.0656 1888 Imapi - ok
12:53:15.0703 1888 ImapiService (30deaf54a9755bb8546168cfe8a6b5e1) C:\WINDOWS\system32\imapi.exe
12:53:15.0703 1888 ImapiService - ok
12:53:15.0703 1888 ini910u - ok
12:53:15.0781 1888 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
12:53:15.0781 1888 IntelIde - ok
12:53:15.0859 1888 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
12:53:15.0859 1888 intelppm - ok
12:53:15.0875 1888 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
12:53:15.0875 1888 Ip6Fw - ok
12:53:15.0921 1888 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
12:53:15.0921 1888 IpFilterDriver - ok
12:53:15.0953 1888 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
12:53:15.0953 1888 IpInIp - ok
12:53:15.0984 1888 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
12:53:15.0984 1888 IpNat - ok
12:53:16.0125 1888 iPod Service (49918803b661367023bf325cf602afdc) C:\Program Files\iPod\bin\iPodService.exe
12:53:16.0171 1888 iPod Service - ok
12:53:16.0187 1888 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
12:53:16.0187 1888 IPSec - ok
12:53:16.0265 1888 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
12:53:16.0265 1888 IRENUM - ok
12:53:16.0312 1888 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
12:53:16.0312 1888 isapnp - ok
12:53:16.0484 1888 JavaQuickStarterService (9aa67569d5257462e230767510b0c815) C:\Program Files\Java\jre6\bin\jqs.exe
12:53:17.0828 1888 JavaQuickStarterService - ok
12:53:17.0890 1888 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
12:53:17.0890 1888 Kbdclass - ok
12:53:17.0906 1888 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
12:53:17.0906 1888 kbdhid - ok
12:53:17.0937 1888 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
12:53:17.0953 1888 kmixer - ok
12:53:17.0984 1888 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
12:53:17.0984 1888 KSecDD - ok
12:53:18.0078 1888 LanmanServer (3a7c3cbe5d96b8ae96ce81f0b22fb527) C:\WINDOWS\System32\srvsvc.dll
12:53:18.0078 1888 LanmanServer - ok
12:53:18.0109 1888 lanmanworkstation (a8888a5327621856c0cec4e385f69309) C:\WINDOWS\System32\wkssvc.dll
12:53:18.0109 1888 lanmanworkstation - ok
12:53:18.0125 1888 lbrtfdc - ok
12:53:18.0375 1888 LiveUpdate (010fd2b41e75a98e3a4d23f44405f5c9) C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
12:53:18.0546 1888 LiveUpdate - ok
12:53:18.0703 1888 LmHosts (a7db739ae99a796d91580147e919cc59) C:\WINDOWS\System32\lmhsvc.dll
12:53:18.0703 1888 LmHosts - ok
12:53:18.0750 1888 MBAMProtector (fb097bbc1a18f044bd17bd2fccf97865) C:\WINDOWS\system32\drivers\mbam.sys
12:53:18.0750 1888 MBAMProtector - ok
12:53:18.0890 1888 MBAMService (ba400ed640bca1eae5c727ae17c10207) C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
12:53:18.0984 1888 MBAMService - ok
12:53:19.0078 1888 McciCMService (f8b823414a22dbf3bec10dcaa5f93cd8) C:\Program Files\Common Files\Motive\McciCMService.exe
12:53:19.0171 1888 McciCMService - ok
12:53:19.0203 1888 Messenger (986b1ff5814366d71e0ac5755c88f2d3) C:\WINDOWS\System32\msgsvc.dll
12:53:19.0203 1888 Messenger - ok
12:53:19.0250 1888 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
12:53:19.0250 1888 mnmdd - ok
12:53:19.0328 1888 mnmsrvc (d18f1f0c101d06a1c1adf26eed16fcdd) C:\WINDOWS\system32\mnmsrvc.exe
12:53:19.0328 1888 mnmsrvc - ok
12:53:19.0343 1888 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
12:53:19.0343 1888 Modem - ok
12:53:19.0421 1888 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
12:53:19.0421 1888 Mouclass - ok
12:53:19.0437 1888 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
12:53:19.0437 1888 mouhid - ok
12:53:19.0453 1888 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
12:53:19.0453 1888 MountMgr - ok
12:53:19.0453 1888 mraid35x - ok
12:53:19.0515 1888 MREMP50 (9bd4dcb5412921864a7aacdedfbd1923) C:\PROGRA~1\COMMON~1\Motive\MREMP50.SYS
12:53:19.0546 1888 MREMP50 - ok
12:53:19.0546 1888 MREMPR5 - ok
12:53:19.0562 1888 MRENDIS5 - ok
12:53:19.0562 1888 MRESP50 (07c02c892e8e1a72d6bf35004f0e9c5e) C:\PROGRA~1\COMMON~1\Motive\MRESP50.SYS
12:53:19.0578 1888 MRESP50 - ok
12:53:19.0609 1888 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
12:53:19.0609 1888 MRxDAV - ok
12:53:19.0703 1888 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
12:53:19.0703 1888 MRxSmb - ok
12:53:19.0781 1888 MSDTC (a137f1470499a205abbb9aafb3b6f2b1) C:\WINDOWS\system32\msdtc.exe
12:53:19.0781 1888 MSDTC - ok
12:53:19.0796 1888 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
12:53:19.0796 1888 Msfs - ok
12:53:19.0796 1888 MSIServer - ok
12:53:19.0859 1888 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
12:53:19.0859 1888 MSKSSRV - ok
12:53:19.0875 1888 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
12:53:19.0875 1888 MSPCLOCK - ok
12:53:19.0890 1888 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
12:53:19.0890 1888 MSPQM - ok
12:53:19.0953 1888 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
12:53:19.0953 1888 mssmbios - ok
12:53:20.0062 1888 MSSQL$ESHA - ok
12:53:20.0140 1888 MSSQLServerADHelper (1d89eb4e2a99cabd4e81225f4f4c4b25) c:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe
12:53:20.0203 1888 MSSQLServerADHelper - ok
12:53:20.0265 1888 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
12:53:20.0265 1888 Mup - ok
12:53:20.0296 1888 napagent (0102140028fad045756796e1c685d695) C:\WINDOWS\System32\qagentrt.dll
12:53:20.0296 1888 napagent - ok
12:53:20.0515 1888 NAVENG (f11033730b38260b6892e837c457fb4b) C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20120518.006\naveng.sys
12:53:20.0515 1888 NAVENG - ok
12:53:20.0625 1888 NAVEX15 (4e4e7c0259d3bb97de24a636c0e06aba) C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20120518.006\navex15.sys
12:53:20.0671 1888 NAVEX15 - ok
12:53:20.0843 1888 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
12:53:20.0843 1888 NDIS - ok
12:53:20.0937 1888 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
12:53:20.0937 1888 NdisTapi - ok
12:53:20.0953 1888 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
12:53:20.0953 1888 Ndisuio - ok
12:53:20.0968 1888 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
12:53:20.0968 1888 NdisWan - ok
12:53:21.0046 1888 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
12:53:21.0046 1888 NDProxy - ok
12:53:21.0062 1888 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
12:53:21.0062 1888 NetBIOS - ok
12:53:21.0109 1888 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
12:53:21.0109 1888 NetBT - ok
12:53:21.0187 1888 NetDDE (b857ba82860d7ff85ae29b095645563b) C:\WINDOWS\system32\netdde.exe
12:53:21.0187 1888 NetDDE - ok
12:53:21.0203 1888 NetDDEdsdm (b857ba82860d7ff85ae29b095645563b) C:\WINDOWS\system32\netdde.exe
12:53:21.0218 1888 NetDDEdsdm - ok
12:53:21.0250 1888 Netlogon (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
12:53:21.0250 1888 Netlogon - ok
12:53:21.0359 1888 Netman (13e67b55b3abd7bf3fe7aae5a0f9a9de) C:\WINDOWS\System32\netman.dll
12:53:21.0375 1888 Netman - ok
12:53:21.0531 1888 NetTcpPortSharing (d34612c5d02d026535b3095d620626ae) c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
12:53:21.0562 1888 NetTcpPortSharing - ok
12:53:21.0609 1888 Nla (943337d786a56729263071623bbb9de5) C:\WINDOWS\System32\mswsock.dll
12:53:21.0625 1888 Nla - ok
12:53:21.0625 1888 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
12:53:21.0625 1888 Npfs - ok
12:53:21.0703 1888 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
12:53:21.0703 1888 Ntfs - ok
12:53:21.0718 1888 NtLmSsp (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
12:53:21.0718 1888 NtLmSsp - ok
12:53:21.0812 1888 NtmsSvc (156f64a3345bd23c600655fb4d10bc08) C:\WINDOWS\system32\ntmssvc.dll
12:53:21.0828 1888 NtmsSvc - ok
12:53:21.0890 1888 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
12:53:21.0890 1888 Null - ok
12:53:21.0968 1888 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
12:53:21.0968 1888 NwlnkFlt - ok
12:53:21.0984 1888 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
12:53:22.0000 1888 NwlnkFwd - ok
12:53:22.0328 1888 odserv (785f487a64950f3cb8e9f16253ba3b7b) C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE
12:53:22.0812 1888 odserv - ok
12:53:22.0859 1888 ose (5a432a042dae460abe7199b758e8606c) C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
12:53:24.0781 1888 ose - ok
12:53:24.0843 1888 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
12:53:24.0859 1888 Parport - ok
12:53:24.0859 1888 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
12:53:24.0859 1888 PartMgr - ok
12:53:24.0906 1888 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
12:53:24.0906 1888 ParVdm - ok
12:53:24.0937 1888 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
12:53:24.0937 1888 PCI - ok
12:53:24.0937 1888 PCIDump - ok
12:53:24.0953 1888 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
12:53:24.0953 1888 PCIIde - ok
12:53:25.0015 1888 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
12:53:25.0015 1888 Pcmcia - ok
12:53:25.0031 1888 PDCOMP - ok
12:53:25.0031 1888 PDFRAME - ok
12:53:25.0046 1888 PDRELI - ok
12:53:25.0062 1888 PDRFRAME - ok
12:53:25.0078 1888 perc2 - ok
12:53:25.0093 1888 perc2hib - ok
12:53:25.0187 1888 PlugPlay (65df52f5b8b6e9bbd183505225c37315) C:\WINDOWS\system32\services.exe
12:53:25.0187 1888 PlugPlay - ok
12:53:25.0265 1888 Pml Driver HPZ12 (9d84376931440f3679beef2a414fa493) C:\WINDOWS\system32\HPZipm12.exe
12:53:25.0265 1888 Pml Driver HPZ12 - ok
12:53:25.0312 1888 Point32 (cf7c1868b90c90a265fc3f60ce46265b) C:\WINDOWS\system32\DRIVERS\point32.sys
12:53:25.0312 1888 Point32 - ok
12:53:25.0328 1888 PolicyAgent (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
12:53:25.0328 1888 PolicyAgent - ok
12:53:25.0343 1888 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
12:53:25.0343 1888 PptpMiniport - ok
12:53:25.0343 1888 ProtectedStorage (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
12:53:25.0343 1888 ProtectedStorage - ok
12:53:25.0359 1888 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
12:53:25.0359 1888 PSched - ok
12:53:25.0406 1888 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
12:53:25.0421 1888 Ptilink - ok
12:53:25.0421 1888 ql1080 - ok
12:53:25.0437 1888 Ql10wnt - ok
12:53:25.0437 1888 ql12160 - ok
12:53:25.0453 1888 ql1240 - ok
12:53:25.0453 1888 ql1280 - ok
12:53:25.0468 1888 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
12:53:25.0468 1888 RasAcd - ok
12:53:25.0500 1888 RasAuto (ad188be7bdf94e8df4ca0a55c00a5073) C:\WINDOWS\System32\rasauto.dll
12:53:25.0500 1888 RasAuto - ok
12:53:25.0515 1888 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
12:53:25.0515 1888 Rasl2tp - ok
12:53:25.0578 1888 RasMan (76a9a3cbeadd68cc57cda5e1d7448235) C:\WINDOWS\System32\rasmans.dll
12:53:25.0578 1888 RasMan - ok
12:53:25.0593 1888 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
12:53:25.0593 1888 RasPppoe - ok
12:53:25.0640 1888 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
12:53:25.0640 1888 Raspti - ok
12:53:25.0671 1888 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
12:53:25.0671 1888 Rdbss - ok
12:53:25.0671 1888 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
12:53:25.0671 1888 RDPCDD - ok
12:53:25.0734 1888 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
12:53:25.0734 1888 rdpdr - ok
12:53:25.0828 1888 RDPWD (5b3055daa788bd688594d2f5981f2a83) C:\WINDOWS\system32\drivers\RDPWD.sys
12:53:25.0828 1888 RDPWD - ok
12:53:25.0875 1888 RDSessMgr (3c37bf86641bda977c3bf8a840f3b7fa) C:\WINDOWS\system32\sessmgr.exe
12:53:25.0875 1888 RDSessMgr - ok
12:53:25.0890 1888 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
12:53:25.0890 1888 redbook - ok
12:53:25.0953 1888 RemoteAccess (7e699ff5f59b5d9de5390e3c34c67cf5) C:\WINDOWS\System32\mprdim.dll
12:53:25.0968 1888 RemoteAccess - ok
12:53:26.0000 1888 RemoteRegistry (5b19b557b0c188210a56a6b699d90b8f) C:\WINDOWS\system32\regsvc.dll
12:53:26.0000 1888 RemoteRegistry - ok
12:53:26.0062 1888 RpcLocator (aaed593f84afa419bbae8572af87cf6a) C:\WINDOWS\system32\locator.exe
12:53:26.0078 1888 RpcLocator - ok
12:53:26.0187 1888 RpcSs (6b27a5c03dfb94b4245739065431322c) C:\WINDOWS\system32\rpcss.dll
12:53:26.0187 1888 RpcSs - ok
12:53:26.0265 1888 RSVP (471b3f9741d762abe75e9deea4787e47) C:\WINDOWS\system32\rsvp.exe
12:53:26.0265 1888 RSVP - ok
12:53:26.0296 1888 SamSs (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
12:53:26.0296 1888 SamSs - ok
12:53:26.0437 1888 SavRoam (735debf79a6da44d56542e12edf51b75) C:\Program Files\Symantec AntiVirus\SavRoam.exe
12:53:26.0578 1888 SavRoam - ok
12:53:26.0625 1888 SAVRT (e768eff5753906272e375282d7a511e0) C:\Program Files\Symantec AntiVirus\savrt.sys
12:53:26.0687 1888 SAVRT - ok
12:53:26.0703 1888 SAVRTPEL (d9d45ad65063e8966acafb1f574c8617) C:\Program Files\Symantec AntiVirus\Savrtpel.sys
12:53:26.0734 1888 SAVRTPEL - ok
12:53:26.0812 1888 SCardSvr (86d007e7a654b9a71d1d7d856b104353) C:\WINDOWS\System32\SCardSvr.exe
12:53:26.0812 1888 SCardSvr - ok
12:53:26.0890 1888 Schedule (0a9a7365a1ca4319aa7c1d6cd8e4eafa) C:\WINDOWS\system32\schedsvc.dll
12:53:26.0890 1888 Schedule - ok
12:53:26.0937 1888 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
12:53:26.0937 1888 Secdrv - ok
12:53:26.0968 1888 seclogon (cbe612e2bb6a10e3563336191eda1250) C:\WINDOWS\System32\seclogon.dll
12:53:26.0984 1888 seclogon - ok
12:53:27.0187 1888 senfilt (b9c7617c1e8ab6fdff75d3c8dafcb4c8) C:\WINDOWS\system32\drivers\senfilt.sys
12:53:27.0234 1888 senfilt - ok
12:53:27.0265 1888 SENS (7fdd5d0684eca8c1f68b4d99d124dcd0) C:\WINDOWS\system32\sens.dll
12:53:27.0265 1888 SENS - ok
12:53:27.0281 1888 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
12:53:27.0281 1888 serenum - ok
12:53:27.0296 1888 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
12:53:27.0296 1888 Serial - ok
12:53:27.0500 1888 ServicepointService (b23501f8d35e7b1bd04da8c75acd3585) C:\Program Files\Verizon\VSP\ServicepointService.exe
12:53:28.0359 1888 ServicepointService - ok
12:53:28.0406 1888 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
12:53:28.0406 1888 Sfloppy - ok
12:53:28.0484 1888 ShellHWDetection (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll
12:53:28.0484 1888 ShellHWDetection - ok
12:53:28.0500 1888 Simbad - ok
12:53:28.0796 1888 Skype C2C Service (192d93ee7ae6a3c599c96cd8d736e914) C:\Documents and Settings\All Users\Application Data\Skype\Toolbars\Skype C2C Service\c2c_service.exe
12:53:30.0703 1888 Skype C2C Service - ok
12:53:30.0968 1888 SkypeUpdate (68ea68d03bf58389fe6ad2b38fad798c) C:\Program Files\Skype\Updater\Updater.exe
12:53:32.0140 1888 SkypeUpdate - ok
12:53:32.0328 1888 smwdm (c6d9959e493682f872a639b6ec1b4a08) C:\WINDOWS\system32\drivers\smwdm.sys
12:53:32.0328 1888 smwdm - ok
12:53:32.0421 1888 SNDSrvc (092eac5e31bc10a7ab47196ea2a2a809) C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
12:53:32.0640 1888 SNDSrvc - ok
12:53:32.0656 1888 Sparrow - ok
12:53:32.0703 1888 SPBBCDrv (60053e9c1fc4f6887c296c19cb825244) C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys
12:53:32.0750 1888 SPBBCDrv - ok
12:53:32.0937 1888 SPBBCSvc (8a09ab7a1fd856acc469bd0cd4e98351) C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
12:53:33.0078 1888 SPBBCSvc - ok
12:53:33.0312 1888 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
12:53:33.0312 1888 splitter - ok
12:53:33.0390 1888 Spooler (60784f891563fb1b767f70117fc2428f) C:\WINDOWS\system32\spoolsv.exe
12:53:33.0390 1888 Spooler - ok
12:53:33.0421 1888 sprtsvc_verizondm - ok
12:53:33.0562 1888 SQLBrowser (86ebd8b1f23e743aad21f4d5b4d40985) c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
12:53:35.0031 1888 SQLBrowser - ok
12:53:35.0109 1888 SQLWriter (d89083c4eb02daca8f944b0e05e57f9d) c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
12:53:35.0140 1888 SQLWriter - ok
12:53:35.0218 1888 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
12:53:35.0218 1888 sr - ok
12:53:35.0250 1888 srservice (3805df0ac4296a34ba4bf93b346cc378) C:\WINDOWS\system32\srsvc.dll
12:53:35.0250 1888 srservice - ok
12:53:35.0328 1888 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
12:53:35.0343 1888 Srv - ok
12:53:35.0390 1888 SSDPSRV (0a5679b3714edab99e357057ee88fca6) C:\WINDOWS\System32\ssdpsrv.dll
12:53:35.0390 1888 SSDPSRV - ok
12:53:35.0437 1888 stisvc (8bad69cbac032d4bbacfce0306174c30) C:\WINDOWS\system32\wiaservc.dll
12:53:35.0437 1888 stisvc - ok
12:53:35.0500 1888 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
12:53:35.0515 1888 swenum - ok
12:53:35.0625 1888 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
12:53:35.0625 1888 swmidi - ok
12:53:35.0640 1888 SwPrv - ok
12:53:35.0890 1888 Symantec AntiVirus (26b3e57f33d3f6fe7e88beac82aeb12a) C:\Program Files\Symantec AntiVirus\Rtvscan.exe
12:53:35.0968 1888 Symantec AntiVirus - ok
12:53:36.0125 1888 symc810 - ok
12:53:36.0125 1888 symc8xx - ok
12:53:36.0218 1888 SymEvent (c5eafb6a8c73fb26b73ee613c1a5aef6) C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
12:53:36.0218 1888 SymEvent - ok
12:53:36.0296 1888 SYMREDRV (4ed314756eb2811a9d4226ed4385d35c) C:\WINDOWS\System32\Drivers\SYMREDRV.SYS
12:53:36.0296 1888 SYMREDRV - ok
12:53:36.0375 1888 SYMTDI (4aed788390802b1500e6b05127af3a2e) C:\WINDOWS\System32\Drivers\SYMTDI.SYS
12:53:36.0375 1888 SYMTDI - ok
12:53:36.0375 1888 sym_hi - ok
12:53:36.0390 1888 sym_u3 - ok
12:53:36.0468 1888 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
12:53:36.0468 1888 sysaudio - ok
12:53:36.0562 1888 SysmonLog (c7abbc59b43274b1109df6b24d617051) C:\WINDOWS\system32\smlogsvc.exe
12:53:36.0562 1888 SysmonLog - ok
12:53:36.0593 1888 TapiSrv (3cb78c17bb664637787c9a1c98f79c38) C:\WINDOWS\System32\tapisrv.dll
12:53:36.0609 1888 TapiSrv - ok
12:53:36.0703 1888 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
12:53:36.0718 1888 Tcpip - ok
12:53:36.0781 1888 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
12:53:36.0781 1888 TDPIPE - ok
12:53:36.0828 1888 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
12:53:36.0828 1888 TDTCP - ok
12:53:36.0906 1888 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
12:53:36.0906 1888 TermDD - ok
12:53:36.0984 1888 TermService (ff3477c03be7201c294c35f684b3479f) C:\WINDOWS\System32\termsrv.dll
12:53:36.0984 1888 TermService - ok
12:53:37.0140 1888 tgsrvc_verizondm - ok
12:53:37.0234 1888 Themes (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll
12:53:37.0234 1888 Themes - ok
12:53:37.0281 1888 TlntSvr (db7205804759ff62c34e3efd8a4cc76a) C:\WINDOWS\system32\tlntsvr.exe
12:53:37.0281 1888 TlntSvr - ok
12:53:37.0296 1888 TosIde - ok
12:53:37.0343 1888 TrkWks (55bca12f7f523d35ca3cb833c725f54e) C:\WINDOWS\system32\trkwks.dll
12:53:37.0343 1888 TrkWks - ok
12:53:37.0375 1888 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
12:53:37.0375 1888 Udfs - ok
12:53:37.0390 1888 ultra - ok
12:53:37.0484 1888 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
12:53:37.0484 1888 Update - ok
12:53:37.0546 1888 upnphost (1ebafeb9a3fbdc41b8d9c7f0f687ad91) C:\WINDOWS\System32\upnphost.dll
12:53:37.0546 1888 upnphost - ok
12:53:37.0562 1888 UPS (05365fb38fca1e98f7a566aaaf5d1815) C:\WINDOWS\System32\ups.exe
12:53:37.0578 1888 UPS - ok
12:53:37.0656 1888 USBAAPL (83cafcb53201bbac04d822f32438e244) C:\WINDOWS\system32\Drivers\usbaapl.sys
12:53:37.0656 1888 USBAAPL - ok
12:53:37.0718 1888 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
12:53:37.0718 1888 usbaudio - ok
12:53:37.0781 1888 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
12:53:37.0781 1888 usbccgp - ok
12:53:37.0875 1888 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
12:53:37.0875 1888 usbehci - ok
12:53:37.0890 1888 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
12:53:37.0890 1888 usbhub - ok
12:53:37.0968 1888 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
12:53:37.0968 1888 usbprint - ok
12:53:38.0046 1888 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
12:53:38.0046 1888 usbscan - ok
12:53:38.0125 1888 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
12:53:38.0125 1888 USBSTOR - ok
12:53:38.0140 1888 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
12:53:38.0140 1888 usbuhci - ok
12:53:38.0234 1888 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
12:53:38.0234 1888 VgaSave - ok
12:53:38.0234 1888 ViaIde - ok
12:53:38.0296 1888 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
12:53:38.0296 1888 VolSnap - ok
12:53:38.0375 1888 VSS (7a9db3a67c333bf0bd42e42b8596854b) C:\WINDOWS\System32\vssvc.exe
12:53:38.0375 1888 VSS - ok
12:53:38.0468 1888 W32Time (54af4b1d5459500ef0937f6d33b1914f) C:\WINDOWS\system32\w32time.dll
12:53:38.0468 1888 W32Time - ok
12:53:38.0484 1888 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
12:53:38.0500 1888 Wanarp - ok
12:53:38.0500 1888 WDICA - ok
12:53:38.0562 1888 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
12:53:38.0562 1888 wdmaud - ok
12:53:38.0593 1888 WebClient (77a354e28153ad2d5e120a5a8687bc06) C:\WINDOWS\System32\webclnt.dll
12:53:38.0593 1888 WebClient - ok
12:53:38.0750 1888 winmgmt (2d0e4ed081963804ccc196a0929275b5) C:\WINDOWS\system32\wbem\WMIsvc.dll
12:53:38.0750 1888 winmgmt - ok
12:53:38.0828 1888 WmdmPmSN (c51b4a5c05a5475708e3c81c7765b71d) C:\WINDOWS\system32\MsPMSNSv.dll
12:53:38.0828 1888 WmdmPmSN - ok
12:53:38.0953 1888 Wmi (e76f8807070ed04e7408a86d6d3a6137) C:\WINDOWS\System32\advapi32.dll
12:53:38.0984 1888 Wmi - ok
12:53:39.0046 1888 WmiApSrv (e0673f1106e62a68d2257e376079f821) C:\WINDOWS\system32\wbem\wmiapsrv.exe
12:53:39.0046 1888 WmiApSrv - ok
12:53:39.0281 1888 WMPNetworkSvc (f74e3d9a7fa9556c3bbb14d4e5e63d3b) C:\Program Files\Windows Media Player\WMPNetwk.exe
12:53:39.0531 1888 WMPNetworkSvc - ok
12:53:39.0843 1888 WPFFontCache_v0400 (dcf3e3edf5109ee8bc02fe6e1f045795) C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe
12:53:40.0265 1888 WPFFontCache_v0400 - ok
12:53:40.0375 1888 wuauserv (35321fb577cdc98ce3eb3a3eb9e4610a) C:\WINDOWS\system32\wuauserv.dll
12:53:40.0406 1888 wuauserv - ok
12:53:40.0421 1888 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
12:53:40.0437 1888 WudfPf - ok
12:53:40.0468 1888 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
12:53:40.0468 1888 WudfRd - ok
12:53:40.0500 1888 WudfSvc (05231c04253c5bc30b26cbaae680ed89) C:\WINDOWS\System32\WUDFSvc.dll
12:53:40.0500 1888 WudfSvc - ok
12:53:40.0640 1888 WZCSVC (81dc3f549f44b1c1fff022dec9ecf30b) C:\WINDOWS\System32\wzcsvc.dll
12:53:40.0640 1888 WZCSVC - ok
12:53:40.0656 1888 xmlprov (295d21f14c335b53cb8154e5b1f892b9) C:\WINDOWS\System32\xmlprov.dll
12:53:40.0656 1888 xmlprov - ok
12:53:40.0703 1888 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
12:53:41.0281 1888 \Device\Harddisk0\DR0 - ok
12:53:41.0281 1888 Boot (0x1200) (a94604e545b0588e61875cbc672f1189) \Device\Harddisk0\DR0\Partition0
12:53:41.0281 1888 \Device\Harddisk0\DR0\Partition0 - ok
12:53:41.0296 1888 ============================================================
12:53:41.0296 1888 Scan finished
12:53:41.0296 1888 ============================================================
12:53:41.0296 2192 Detected object count: 0
12:53:41.0296 2192 Actual detected object count: 0

#5 Dan.Newton

Dan.Newton
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  • Local time:02:47 AM

Posted 21 May 2012 - 01:39 PM

Here are the GMER results:
GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-05-21 14:34:03
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 WDC_WD2500JD-75HBB0 rev.08.02D08
Running: pknudszn[1].exe; Driver: C:\DOCUME~1\Dan\LOCALS~1\Temp\kwpyrfob.sys


---- System - GMER 1.0.15 ----

SSDT 89CAB698 ZwAlertResumeThread
SSDT 89D48F50 ZwAlertThread
SSDT 89C111E0 ZwAllocateVirtualMemory
SSDT 89CD9D80 ZwConnectPort
SSDT 89CAE2D0 ZwCreateMutant
SSDT 89D16008 ZwCreateThread
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xB1890690]
SSDT 89C59200 ZwFreeVirtualMemory
SSDT 89CAFAD8 ZwImpersonateAnonymousToken
SSDT 89CB0718 ZwImpersonateThread
SSDT 89D18C20 ZwMapViewOfSection
SSDT 89CCCA28 ZwOpenEvent
SSDT 89D34B28 ZwOpenProcessToken
SSDT 89C841E8 ZwOpenThreadToken
SSDT 89DD4CC8 ZwQueryValueKey
SSDT 89BD3AF0 ZwResumeThread
SSDT 89E41628 ZwSetContextThread
SSDT 89C86518 ZwSetInformationProcess
SSDT 89E021F8 ZwSetInformationThread
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xB18908E0]
SSDT 89D06B08 ZwSuspendProcess
SSDT 89BCCFD0 ZwSuspendThread
SSDT 89D35610 ZwTerminateProcess
SSDT 89C7E170 ZwTerminateThread
SSDT 89C5E210 ZwUnmapViewOfSection
SSDT 89C2D230 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2580 80501D90 4 Bytes CALL 86D9E5D6
init C:\WINDOWS\system32\drivers\senfilt.sys entry point in "init" section [0xB9B56F80]
? system32\drivers\02700733.sys The system cannot find the path specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\iexplore.exe[2804] ADVAPI32.dll!RegSetValueExW 77DDD767 6 Bytes JMP 100013AD C:\Program Files\Common Files\Spigot\Search Settings\wth.dll (WTH Dynamic Link Library/Spigot, Inc.)
.text C:\Program Files\Internet Explorer\iexplore.exe[2804] ADVAPI32.dll!RegSetValueW 77E36116 6 Bytes JMP 1000138A C:\Program Files\Common Files\Spigot\Search Settings\wth.dll (WTH Dynamic Link Library/Spigot, Inc.)
.text C:\Program Files\Internet Explorer\iexplore.exe[2804] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215505 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2804] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB14 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2804] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E53AF C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2804] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E52E1 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2804] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E534C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2804] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E51B2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2804] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E5214 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2804] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E5412 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2804] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E5276 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3620] ADVAPI32.dll!RegSetValueExW 77DDD767 6 Bytes JMP 100013AD C:\Program Files\Common Files\Spigot\Search Settings\wth.dll (WTH Dynamic Link Library/Spigot, Inc.)
.text C:\Program Files\Internet Explorer\iexplore.exe[3620] ADVAPI32.dll!RegSetValueW 77E36116 6 Bytes JMP 1000138A C:\Program Files\Common Files\Spigot\Search Settings\wth.dll (WTH Dynamic Link Library/Spigot, Inc.)
.text C:\Program Files\Internet Explorer\iexplore.exe[3620] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215505 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3620] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9AA5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3620] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD119 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3620] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB14 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3620] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E254686 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3620] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E53AF C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3620] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E52E1 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3620] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E534C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3620] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E51B2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3620] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E5214 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3620] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E5412 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3620] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E5276 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3620] ole32.dll!CoCreateInstance 774FF1BC 5 Bytes JMP 3E2EDB70 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3620] ole32.dll!OleLoadFromStream 7752983B 5 Bytes JMP 3E3E5717 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3620] CRYPT32.dll!CryptMsgCountersignEncoded + 27A 77A92F52 7 Bytes JMP 0414ECC0
.text C:\Program Files\Internet Explorer\iexplore.exe[3620] CRYPT32.dll!CertComparePublicKeyInfo + 1E8 77A9B751 7 Bytes JMP 0414ECA0
.text C:\Program Files\Internet Explorer\iexplore.exe[5744] ADVAPI32.dll!RegSetValueExW 77DDD767 6 Bytes JMP 100013AD C:\Program Files\Common Files\Spigot\Search Settings\wth.dll (WTH Dynamic Link Library/Spigot, Inc.)
.text C:\Program Files\Internet Explorer\iexplore.exe[5744] ADVAPI32.dll!RegSetValueW 77E36116 6 Bytes JMP 1000138A C:\Program Files\Common Files\Spigot\Search Settings\wth.dll (WTH Dynamic Link Library/Spigot, Inc.)
.text C:\Program Files\Internet Explorer\iexplore.exe[5744] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215505 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5744] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9AA5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5744] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD119 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5744] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB14 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5744] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E254686 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5744] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E53AF C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5744] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E52E1 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5744] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E534C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5744] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E51B2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5744] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E5214 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5744] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E5412 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5744] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E5276 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5744] ole32.dll!CoCreateInstance 774FF1BC 5 Bytes JMP 3E2EDB70 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5744] ole32.dll!OleLoadFromStream 7752983B 5 Bytes JMP 3E3E5717 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5744] CRYPT32.dll!CryptMsgCountersignEncoded + 27A 77A92F52 7 Bytes JMP 02C5ECC0
.text C:\Program Files\Internet Explorer\iexplore.exe[5744] CRYPT32.dll!CertComparePublicKeyInfo + 1E8 77A9B751 7 Bytes JMP 02C5ECA0

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Internet Explorer\iexplore.exe[3620] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [451F1ACB] C:\Program Files\Internet Explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[5744] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [451F1ACB] C:\Program Files\Internet Explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\79808174 \Device\KLMD16012012_207010 02700733.sys

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)

---- Processes - GMER 1.0.15 ----

Library c:\windows\system32\n (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1160] 0x02B60000
Library c:\windows\system32\n (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [1368] 0x01700000

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\00000563.tmp 0 bytes
File C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\00006917.tmp 0 bytes
File C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\00007382.tmp 0 bytes
File C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\00012077.tmp 0 bytes
File C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\00018988.tmp 0 bytes
File C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\00020377.tmp 0 bytes
File C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\00025535.tmp 0 bytes
File C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\00026833.tmp 0 bytes

---- EOF - GMER 1.0.15 ----

#6 Dan.Newton

Dan.Newton
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  • Local time:02:47 AM

Posted 21 May 2012 - 03:16 PM

And the aswMBR log:
aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-05-21 14:43:55
-----------------------------
14:43:55.437 OS Version: Windows 5.1.2600 Service Pack 3
14:43:55.437 Number of processors: 1 586 0x605
14:43:55.437 ComputerName: MYHOME-17C8B773 UserName: Dan
14:43:58.906 Initialize success
14:52:13.203 AVAST engine defs: 12052100
14:52:24.656 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
14:52:24.656 Disk 0 Vendor: WDC_WD2500JD-75HBB0 08.02D08 Size: 238418MB BusType: 3
14:52:24.750 Disk 0 MBR read successfully
14:52:24.750 Disk 0 MBR scan
14:52:24.812 Disk 0 Windows XP default MBR code
14:52:24.843 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 238417 MB offset 2048
14:52:24.984 Disk 0 scanning sectors +488280064
14:52:25.234 Disk 0 scanning C:\WINDOWS\system32\drivers
14:52:56.406 Service scanning
14:53:35.125 Modules scanning
14:54:20.187 Disk 0 trace - called modules:
14:54:20.250 ntkrnlpa.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS
14:54:20.250 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x89e0eab8]
14:54:20.750 3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x89e01d98]
14:54:22.687 AVAST engine scan C:\WINDOWS
14:56:00.859 AVAST engine scan C:\WINDOWS\system32
15:21:45.046 AVAST engine scan C:\WINDOWS\system32\drivers
15:23:42.203 AVAST engine scan C:\Documents and Settings\Dan
15:32:21.875 File: C:\Documents and Settings\Dan\Application Data\Sun\Java\Deployment\cache\6.0\57\225fb39-29596569 **INFECTED** Win32:Karagany-HB [Trj]
15:47:41.796 File: C:\Documents and Settings\Dan\Local Settings\Application Data\{1ad4135c-b36a-5032-e9d8-d2df74d2e69a}\n **INFECTED** Win32:SmokeLoader-PV [Trj]
15:47:44.250 File: C:\Documents and Settings\Dan\Local Settings\Application Data\{1ad4135c-b36a-5032-e9d8-d2df74d2e69a}\U\80000000.@ **INFECTED** Win64:Sirefef-A [Trj]
15:55:46.296 File: C:\Documents and Settings\Dan\Local Settings\Temp\~!#28F.tmp **INFECTED** Win32:Downloader-OMA [Trj]
16:02:56.531 AVAST engine scan C:\Documents and Settings\All Users
16:08:24.562 Scan finished successfully
16:09:23.656 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Dan\Desktop\MBR.dat"
16:09:23.671 The log file has been saved successfully to "C:\Documents and Settings\Dan\Desktop\aswMBR.txt"

#7 Dan.Newton

Dan.Newton
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  • Local time:02:47 AM

Posted 21 May 2012 - 03:47 PM

Hi narenxp. The email message said there was a new post, but when I got here I couldn't find that. Anyway, the avast program seems to have identified four different things as viruses, and seemed ready to get rid of them. Should I run that again and have it fix them?

Thank you so much for your help. This is a very valuable thing you're doing for people.

#8 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • OFFLINE
  • Gender:Male
  • Location:India
  • Local time:02:47 AM

Posted 21 May 2012 - 04:59 PM

C:\Documents and Settings\Dan\Local Settings\Application Data\{1ad4135c-b36a-5032-e9d8-d2df74d2e69a}\U\80000000.@ **INFECTED** Win64:Sirefef-A [Trj]

Actually, this is a new variant of the ZeroAccess rootkit going around.

We need advanced tools to remove it.

Read the guide here on preparing logs

http://www.bleepingcomputer.com/forums/topic34773.html

and create a topic here

http://www.bleepingcomputer.com/forums/forum22.html

Good luck
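As an added example (not code from this thread and not part of the aswMBR, GMER or any other tool named here), the triage narenxp does by eye above, written out in Python: pull the **INFECTED** lines out of the aswMBR log, pull the hidden-library lines out of the GMER "Processes" section, and flag the combination that points to a ZeroAccess/Sirefef infection: a file in a {GUID} directory under Local Settings\Application Data, a ".@" file in its U subfolder, a scanner verdict naming Sirefef, and a module GMER reports as hidden inside svchost.exe and Explorer.EXE whose file name matches the detected file. The sample log lines are copied from the logs posted earlier in this thread; the function names, the report fields and the indicator regexes are my own and were written from this thread's logs, not taken from a vendor signature.

```python
import ntpath
import re

# Constructed sample input: the relevant lines copied from the aswMBR and GMER
# logs posted in this thread (raw strings keep the Windows backslashes intact).
ASWMBR_LOG = r"""
15:32:21.875 File: C:\Documents and Settings\Dan\Application Data\Sun\Java\Deployment\cache\6.0\57\225fb39-29596569 **INFECTED** Win32:Karagany-HB [Trj]
15:47:41.796 File: C:\Documents and Settings\Dan\Local Settings\Application Data\{1ad4135c-b36a-5032-e9d8-d2df74d2e69a}\n **INFECTED** Win32:SmokeLoader-PV [Trj]
15:47:44.250 File: C:\Documents and Settings\Dan\Local Settings\Application Data\{1ad4135c-b36a-5032-e9d8-d2df74d2e69a}\U\80000000.@ **INFECTED** Win64:Sirefef-A [Trj]
15:55:46.296 File: C:\Documents and Settings\Dan\Local Settings\Temp\~!#28F.tmp **INFECTED** Win32:Downloader-OMA [Trj]
16:08:24.562 Scan finished successfully
"""

GMER_LOG = r"""
---- Processes - GMER 1.0.15 ----

Library c:\windows\system32\n (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1160] 0x02B60000
Library c:\windows\system32\n (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [1368] 0x01700000
"""

# aswMBR detection line: "<time> File: <path> **INFECTED** <name> [<kind>]"
ASWMBR_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d\.\d+) File: (?P<path>.+?) \*\*INFECTED\*\* "
    r"(?P<name>\S+) \[(?P<kind>\w+)\]$"
)
# GMER hidden-module line: "Library <module> (*** hidden *** ) @ <host> [<pid>] <base>"
GMER_HIDDEN_RE = re.compile(
    r"^Library (?P<module>\S+) \(\*\*\* hidden \*\*\* \) @ (?P<host>.+?) "
    r"\[(?P<pid>\d+)\] (?P<base>0x[0-9A-Fa-f]+)$"
)
# Indicator patterns written from this thread's logs (hypothetical, not a vendor signature):
# a {GUID} directory directly under the per-user Local Settings\Application Data folder ...
GUID_APPDATA_RE = re.compile(
    r"\\Local Settings\\Application Data\\\{[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}\}\\",
    re.IGNORECASE,
)
# ... and a hex-named ".@" file inside a "U" subfolder of it.
U_SUBDIR_RE = re.compile(r"\\U\\[0-9a-f]{8}\.@$", re.IGNORECASE)


def parse_aswmbr_detections(log):
    """One dict per **INFECTED** line; progress and MBR status lines are ignored."""
    return [m.groupdict() for m in map(ASWMBR_RE.match, (l.strip() for l in log.splitlines())) if m]


def parse_gmer_hidden_modules(log):
    """One dict per module GMER marks as hidden, with the host process and PID."""
    out = []
    for line in log.splitlines():
        m = GMER_HIDDEN_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["pid"] = int(d["pid"])
            out.append(d)
    return out


def triage(aswmbr_log, gmer_log):
    """Correlate both logs and list the reasons that point to a user-mode rootkit."""
    detections = parse_aswmbr_detections(aswmbr_log)
    hidden = parse_gmer_hidden_modules(gmer_log)
    reasons = []
    for d in detections:
        path = d["path"]
        if GUID_APPDATA_RE.search(path):
            if U_SUBDIR_RE.search(path):
                reasons.append(f"'.@' payload under a U subfolder of a {{GUID}} directory: {path}")
            else:
                reasons.append(f"file inside a {{GUID}} directory under Local Settings\\Application Data: {path}")
        if "sirefef" in d["name"].lower():
            reasons.append(f"scanner verdict names Sirefef (ZeroAccess family): {path}")
    # A module GMER hides whose file name equals a detected file in the {GUID} directory
    # (here both are called "n") ties the hidden code in svchost/Explorer to the dropped files.
    detected_names = {ntpath.basename(d["path"]).lower()
                      for d in detections if GUID_APPDATA_RE.search(d["path"])}
    for h in hidden:
        name = ntpath.basename(h["module"]).lower()
        if name in detected_names:
            reasons.append(f"hidden module {h['module']} in {h['host']} [{h['pid']}] "
                           f"matches detected file name '{name}'")
    return {"detections": detections, "hidden_modules": hidden,
            "rootkit_indicators": reasons, "escalate": bool(reasons)}


if __name__ == "__main__":
    for reason in triage(ASWMBR_LOG, GMER_LOG)["rootkit_indicators"]:
        print("-", reason)
```

The escalate flag mirrors the advice in the post above: once the hidden module and the {GUID}\U payload line up, a plain antivirus clean is unlikely to be enough, so the sensible next step is to collect the logs and hand them to the malware-removal forum rather than keep re-running the same scanners.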
