Need help - TDL4 Infection


  • This topic is locked
12 replies to this topic

#1 IndyCrash

IndyCrash

  • Members
  • 8 posts
  • OFFLINE
  • Local time:06:18 AM

Posted 28 May 2012 - 12:23 PM

My daughter's laptop began running slow and having hangups. When I tried to tune it up, I saw that there were MS updates not run, so I started with these, but many of the updates failed. She does have Comcast's Security Suite, but she usually sets it to "silent mode" because she doesn't want the computer to run any slower.
In trying to figure out the problem, I ran a Gmer scan. The scan results said that TDL4@MBR code has been found. Can I fix/repair a computer with an MBR infection?

I am posting from another computer. I took her laptop off the home network and the internet. I can run programs on it and copy the results to a memory stick to post here. Here is her system info:

------------------
System Information
------------------
Time of this report: 5/28/2012, 13:02:14
Machine name: KIMMJA01
Operating System: Windows XP Professional (5.1, Build 2600) Service Pack 3 (2600.xpsp_sp3_gdr.101209-1647)
Language: English (Regional Setting: English)
System Manufacturer: Dell Inc.
System Model: Latitude D820
BIOS: Phoenix ROM BIOS PLUS Version 1.10 A10
Processor: Genuine Intel® CPU T2400 @ 1.83GHz (2 CPUs)
Memory: 2046MB RAM
Page File: 663MB used, 3275MB available
Windows Dir: C:\WINDOWS
DirectX Version: DirectX 9.0c (4.09.0000.0904)
DX Setup Parameters: Not found
DxDiag Version: 5.03.2600.5512 32bit Unicode

---------------
Display Devices
---------------
Card name: NVIDIA Quadro NVS 110M
Manufacturer: NVIDIA
Chip type: Quadro NVS 110M
DAC type: Integrated RAMDAC
Device Key: Enum\PCI\VEN_10DE&DEV_01D7&SUBSYS_01CC1028&REV_A1
Display Memory: 256.0 MB
Current Mode: 1280 x 800 (32 bit) (60Hz)
Monitor: Default Monitor
Monitor Max Res:
Driver Name: nv4_disp.dll
Driver Version: 6.14.0011.5683 (English)
DDI Version: 9 (or higher)
Driver Attributes: Final Retail
Driver Date/Size: 11/17/2007 04:03:00, 5742720 bytes
WHQL Logo'd: Yes
-------------
Sound Devices
-------------
Description: SigmaTel Audio
Default Sound Playback: Yes
Default Voice Playback: Yes
Hardware ID: HDAUDIO\FUNC_01&VEN_8384&DEV_7690&SUBSYS_102801CC&REV_1022
Manufacturer ID: 1
Product ID: 100
Type: WDM
Driver Name: sthda.sys
Driver Version: 5.10.4823.0000 (English)
Driver Attributes: Final Retail
WHQL Logo'd: Yes
Date and Size: 11/16/2005 15:36:00, 1047816 bytes
Other Files:
Driver Provider: SigmaTel
HW Accel Level: Full
Cap Flags: 0xB5B
Min/Max Sample Rate: 44100, 96000
-----------
USB Devices
-----------
+ USB Root Hub
| Vendor/Product ID: 0x8086, 0x27CA
| Matching Device ID: usb\root_hub
| Service: usbhub
| Driver: usbhub.sys, 4/13/2008 14:45:37, 59520 bytes
| Driver: usbd.sys, 8/4/2004 08:00:00, 4736 bytes

------------------------
Disk & DVD/CD-ROM Drives
------------------------
Drive: C:
Free Space: 8.1 GB
Total Space: 57.1 GB
File System: NTFS
Model: n/a

Drive: D:
Model: PHILIPS DVD+-RW SDVD8820
Driver: c:\windows\system32\drivers\cdrom.sys, 5.01.2600.5512 (English), 4/13/2008 14:40:46, 62976 bytes

--------------



DDS text file:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Administrator at 23:29:57 on 2012-05-27
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1340 [GMT -4:00]
.
AV: Norton Security Suite *Disabled/Outdated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Security Suite *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Broadcom\ASFIPMon\AsfIpMon.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton Security Suite\Engine\3.8.3.6\ccSvcHst.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\WINDOWS\System32\dmadmin.exe
C:\Program Files\Norton Security Suite\Engine\3.8.3.6\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.comcast.net/
uInternet Connection Wizard,ShellNext = hxxp://www.gettysburg.edu/
uInternet Settings,ProxyOverride = 127.0.0.1;localhost;*.local
mWinlogon: Userinit=c:\windows\system32\userinit.exe
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton security suite\engine\3.8.3.6\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton security suite\engine\3.8.3.6\IPSBHO.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton security suite\engine\3.8.3.6\coIEPlg.dll
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSCONFIG.EXE /auto
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: worldwinner.com\www
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} - hxxp://www.worldwinner.com/games/v47/shared/FunGamesLoader.cab
DPF: {1D082E71-DF20-4AAF-863B-596428C49874} - hxxp://www.worldwinner.com/games/v50/tpir/tpir.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {555F1BBC-6EC2-474F-84AF-633EF097FF54} - hxxp://www.worldwinner.com/games/v52/wwhearts/wwhearts.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1151866472500
DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - hxxp://www.worldwinner.com/games/shared/wwlaunch.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {8CFCF42C-1C64-47D6-AEEC-F9D001832ED3} - hxxp://xserv.dell.com/DellDriverScanner/DellSystem.CAB
DPF: {8F6E7FB2-E56B-4F66-A4E1-9765D2565280} - hxxp://www.worldwinner.com/games/launcher/ie/v2.22.01.0/iewwload.cab
DPF: {95A311CD-EC8E-452A-BCEC-B844EB616D03} - hxxp://www.worldwinner.com/games/v51/bejeweledtwist/bejeweledtwist.cab
DPF: {A021A215-6CDC-44B4-8C16-90491CED9605} - hxxp://www.worldwinner.com/games/v59/clue/clue.cab
DPF: {A52FBD2B-7AB3-4F6B-90E3-91C772C5D00F} - hxxp://www.worldwinner.com/games/v57/wof/wof.cab
DPF: {AC2881FD-5760-46DB-83AE-20A5C6432A7E} - hxxp://www.worldwinner.com/games/v67/swapit/swapit.cab
DPF: {B6FA2311-5F85-47D3-B885-7055340FC740} - hxxp://www.worldwinner.com/games/v46/grandslam/grandslamtrivia.cab
DPF: {BA35B9B8-DE9E-47C9-AFA7-3C77E3DDFD39} - hxxp://www.worldwinner.com/games/v46/monopoly/monopoly.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\norton security suite\engine\3.8.3.6\CoIEPlg.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
Hosts: 127.0.0.1 www.spywareinfo.com
.
============= SERVICES / DRIVERS ===============
.
R0 a320raid;a320raid;c:\windows\system32\drivers\A320RAID.SYS [2006-5-4 251578]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0308030.006\SymEFA.sys [2011-10-31 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\n360\0308030.006\BHDrvx86.sys [2011-10-31 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\n360\0308030.006\cchpx86.sys [2011-10-31 467592]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20120511.001\IDSXpx86.sys [2012-5-11 356792]
R2 ASFIPmon;Broadcom ASF IP Monitor;c:\program files\broadcom\asfipmon\AsfIpMon.exe [2005-10-18 61440]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\seagate\seagatemanager\sync\FreeAgentService.exe [2009-9-26 189736]
R2 N360;Norton Security Suite;c:\program files\norton security suite\engine\3.8.3.6\ccSvcHst.exe [2011-10-31 117648]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2012-2-4 106104]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20120513.007\naveng.sys [2012-5-13 86136]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20120513.007\navex15.sys [2012-5-13 1576312]
S0 aac;PERC 320/DC SCSI RAID Miniport Driver;c:\windows\system32\drivers\aac.sys --> c:\windows\system32\drivers\aac.sys [?]
S0 aarich;aarich;c:\windows\system32\drivers\aarich.sys --> c:\windows\system32\drivers\aarich.sys [?]
S0 vmscsi;vmscsi;c:\windows\system32\drivers\vmscsi.sys --> c:\windows\system32\drivers\vmscsi.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 MatSvc;Microsoft Automated Troubleshooting Service;c:\program files\microsoft fix it center\Matsvc.exe [2011-6-13 267568]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2004-8-4 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
.
==================== Find3M ====================
.
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST96812AS rev.8.03 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A70949F]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8a710738]; MOV EAX, [0x8a7108ac]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8A82DAB8]
3 CLASSPNP[0xBA118FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\00000094[0x8A838258]
5 ACPI[0xB9F7F620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8A831D98]
\Driver\atapi[0x8A7A01E8] -> IRP_MJ_CREATE -> 0x8A70949F
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A7092C6
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 23:31:29.65 ===============
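The GMER rootkit section in the log above is where the infection shows: an unmapped module in the disk call stack, the IRP_MJ_CREATE dispatch of atapi pointing at that same address, a DriverStartIo hook on atapi, a read error, and a "user & kernel MBR OK" line that proves nothing because both reads went through the hooked driver. The Python below is an added example, not code from the thread, GMER or DDS: it parses that section's layout into findings and a verdict; the STORAGE_DRIVERS set and both sample logs are constructed for the example.

```python
"""Rate the bootkit indicators in the ROOTKIT section of a DDS/GMER log.

Added example for this thread, not code from GMER, DDS or BleepingComputer. It
assumes the layout GMER printed above: a ">>UNKNOWN [addr]<<" marker in the
"called modules" line, "\\Driver\\<name> <routine> -> <addr>" hook lines,
"error:" lines and a closing "Warning:" line.
"""
import re
from dataclasses import dataclass, field

# Constructed sample, shortened from the rootkit section in post #1.
SAMPLE_INFECTED = r"""
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A70949F]<<
\Driver\atapi[0x8A7A01E8] -> IRP_MJ_CREATE -> 0x8A70949F
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A7092C6
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
"""

# Constructed clean run in the same layout: no unmapped module, no hooks.
SAMPLE_CLEAN = r"""
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys
kernel: MBR read successfully
detected hooks:
user & kernel MBR OK
"""

# Assumed set of storage-stack drivers whose StartIo/dispatch a bootkit sits on.
STORAGE_DRIVERS = {"atapi", "disk", "classpnp", "iastor", "nvata", "scsiport", "storport"}

UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<")
HOOK_RE = re.compile(r"^\\Driver\\(\w+) (\w+) -> (0x[0-9A-Fa-f]+)$")
IRP_RE = re.compile(r"^\\Driver\\(\w+)\[0x[0-9A-Fa-f]+\] -> (IRP_MJ_\w+) -> (0x[0-9A-Fa-f]+)$")


@dataclass
class Report:
    unknown_addrs: list = field(default_factory=list)  # code GMER could not map to a module
    hooks: list = field(default_factory=list)          # (driver, routine, target)
    irp_redirects: list = field(default_factory=list)  # (driver, IRP major, target)
    read_errors: int = 0
    mbr_ok: bool = False
    tool_warning: str = ""
    findings: list = field(default_factory=list)


def analyze(log_text: str) -> Report:
    """Collect the raw facts line by line, then derive findings from them."""
    r = Report()
    for line in log_text.splitlines():
        line = line.strip()
        if m := UNKNOWN_RE.search(line):
            r.unknown_addrs.append(m.group(1))
        elif m := HOOK_RE.match(line):
            r.hooks.append((m.group(1).lower(), m.group(2), m.group(3)))
        elif m := IRP_RE.match(line):
            r.irp_redirects.append((m.group(1).lower(), m.group(2), m.group(3)))
        elif line.startswith("error:"):
            r.read_errors += 1
        elif line == "user & kernel MBR OK":
            r.mbr_ok = True
        elif line.startswith("Warning:"):
            r.tool_warning = line
    for drv, routine, target in r.hooks:
        if drv in STORAGE_DRIVERS:
            r.findings.append(f"{routine} of storage driver {drv} hooked -> {target}")
    for drv, irp, target in r.irp_redirects:
        if target in r.unknown_addrs:
            r.findings.append(f"{irp} dispatch of {drv} diverted into unmapped code at {target}")
    if r.read_errors:
        r.findings.append(f"{r.read_errors} read error(s) while tracing disk I/O")
    if r.mbr_ok and (r.hooks or r.unknown_addrs):
        # Both MBR reads passed through the hooked stack, so a clean sector 0 proves
        # nothing: the hook can answer reads of infected sectors with a saved original.
        r.findings.append("'MBR OK' was obtained through a hooked storage path; untrusted")
    return r


def verdict(r: Report) -> str:
    """A storage hook plus unmapped code is 'bootkit-likely'; either alone is 'suspicious'."""
    storage_hooked = any(d in STORAGE_DRIVERS for d, _, _ in r.hooks)
    if storage_hooked and r.unknown_addrs:
        return "bootkit-likely"
    if storage_hooked or r.unknown_addrs or r.tool_warning:
        return "suspicious"
    return "clean"


if __name__ == "__main__":
    for name, text in (("infected", SAMPLE_INFECTED), ("clean", SAMPLE_CLEAN)):
        rep = analyze(text)
        print(name, verdict(rep), *rep.findings, sep="\n  ")
```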


#2 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,512 posts
  • OFFLINE
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:04:18 AM

Posted 28 May 2012 - 01:23 PM

Hello IndyCrash
  • Welcome to Bleeping Computer.
  • My name is fireman4it and I will be helping you with your Malware problem.

    Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
  • In the upper right hand corner of the topic you will see a button called Watch Topic. I suggest you click it and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

  • Finally, please reply using the ADD REPLY button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.


1.
Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    Note: If Cure is not an option, Skip instead, do not choose Delete unless instructed.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.


2.
Install Recovery Console and Run ComboFix

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • [image: the Recovery Console install prompt]
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    [image: the "Recovery Console installed" message]
  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please do NOT mouse-click ComboFix's window while it's running because it may cause it to stall.


Things to include in your next reply:
TdssKiller log
Combofix.txt
How is your machine running now?

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 IndyCrash

IndyCrash
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:06:18 AM

Posted 28 May 2012 - 01:38 PM

Hey Fireman4it,

Thanks for your quick reply. I am starting to follow your instructions now and will repost when complete.

#4 IndyCrash

IndyCrash
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:06:18 AM

Posted 28 May 2012 - 03:12 PM

Hi Fireman4it,

I ran the programs as requested. Here are the logs. In your ComboFix directions, you said that ComboFix would reboot if it found an infection. I left the room for a few minutes while it ran and when I returned the ComboFix log was on the screen. I dropped it down to see if there were any dialog boxes, but there weren't any. FYI, I had to reconnect to the internet to run ComboFix. It needed to connect with Microsoft for the Recovery Console. I left the connection open while ComboFix ran and then disabled the connection. Really, I don't know how it is functioning. Do you want me to re-enable the Norton security suite and try to run MS updates?

14:49:50.0203 4040 TDSS rootkit removing tool 2.7.38.0 May 25 2012 17:35:31
14:49:50.0218 4040 ============================================================
14:49:50.0218 4040 Current date / time: 2012/05/28 14:49:50.0218
14:49:50.0218 4040 SystemInfo:
14:49:50.0218 4040
14:49:50.0218 4040 OS Version: 5.1.2600 ServicePack: 3.0
14:49:50.0218 4040 Product type: Workstation
14:49:50.0218 4040 ComputerName: KIMMJA01
14:49:50.0218 4040 UserName: Administrator
14:49:50.0218 4040 Windows directory: C:\WINDOWS
14:49:50.0218 4040 System windows directory: C:\WINDOWS
14:49:50.0218 4040 Processor architecture: Intel x86
14:49:50.0218 4040 Number of processors: 2
14:49:50.0218 4040 Page size: 0x1000
14:49:50.0218 4040 Boot type: Normal boot
14:49:50.0218 4040 ============================================================
14:49:51.0187 4040 Drive \Device\Harddisk0\DR0 - Size: 0xDF8F90000 (55.89 Gb), SectorSize: 0x200, Cylinders: 0x1C80, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
14:49:51.0203 4040 ============================================================
14:49:51.0203 4040 \Device\Harddisk0\DR0:
14:49:51.0203 4040 MBR partitions:
14:49:51.0203 4040 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x2F10C, BlocksNum 0x6F94CB3
14:49:51.0203 4040 ============================================================
14:49:51.0328 4040 C: <-> \Device\Harddisk0\DR0\Partition0
14:49:51.0328 4040 ============================================================
14:49:51.0328 4040 Initialize success
14:49:51.0328 4040 ============================================================
14:49:59.0203 3756 ============================================================
14:49:59.0203 3756 Scan started
14:49:59.0203 3756 Mode: Manual;
14:49:59.0203 3756 ============================================================
14:50:05.0687 3756 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
14:50:05.0687 3756 FltMgr - ok
14:50:05.0875 3756 FontCache3.0.0.0 (8ba7c024070f2b7fdd98ed8a4ba41789) c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
14:50:05.0875 3756 FontCache3.0.0.0 - ok
14:50:06.0062 3756 FreeAgentGoNext Service (9513b437b7adb1e6065b7f0d83d11ecf) C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
14:50:06.0093 3756 FreeAgentGoNext Service - ok
14:50:06.0109 3756 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
14:50:06.0109 3756 Fs_Rec - ok
14:50:06.0125 3756 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
14:50:06.0125 3756 Ftdisk - ok
14:50:06.0171 3756 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\Drivers\GEARAspiWDM.sys
14:50:06.0171 3756 GEARAspiWDM - ok
14:50:06.0265 3756 GoToAssist (d3316f6e3c011435f36e3d6e49b3196c) C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
14:50:06.0265 3756 GoToAssist - ok
14:50:06.0312 3756 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
14:50:06.0312 3756 Gpc - ok
14:50:06.0375 3756 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
14:50:06.0375 3756 HDAudBus - ok
14:50:06.0484 3756 helpsvc (4fcca060dfe0c51a09dd5c3843888bcd) C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll
14:50:06.0484 3756 helpsvc - ok
14:50:06.0562 3756 HidServ (deb04da35cc871b6d309b77e1443c796) C:\WINDOWS\System32\hidserv.dll
14:50:06.0562 3756 HidServ - ok
14:50:06.0593 3756 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
14:50:06.0593 3756 hidusb - ok
14:50:06.0656 3756 hkmsvc (8878bd685e490239777bfe51320b88e9) C:\WINDOWS\System32\kmsvc.dll
14:50:06.0656 3756 hkmsvc - ok
14:50:06.0671 3756 hpn - ok
14:50:06.0687 3756 HPZid412 (9f1d80908658eb7f1bf70809e0b51470) C:\WINDOWS\system32\DRIVERS\HPZid412.sys
14:50:06.0703 3756 HPZid412 - ok
14:50:06.0718 3756 HPZipr12 (f7e3e9d50f9cd3de28085a8fdaa0a1c3) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
14:50:06.0718 3756 HPZipr12 - ok
14:50:06.0750 3756 HPZius12 (cf1b7951b4ec8d13f3c93b74bb2b461b) C:\WINDOWS\system32\DRIVERS\HPZius12.sys
14:50:06.0750 3756 HPZius12 - ok
14:50:06.0843 3756 HSF_DPV (e8ec1767ea315a39a0dd8989952ca0e9) C:\WINDOWS\system32\DRIVERS\HSX_DPV.sys
14:50:06.0859 3756 HSF_DPV - ok
14:50:06.0875 3756 HSXHWAZL (61478fa42ee04562e7f11f4dca87e9c8) C:\WINDOWS\system32\DRIVERS\HSXHWAZL.sys
14:50:06.0875 3756 HSXHWAZL - ok
14:50:06.0953 3756 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
14:50:06.0953 3756 HTTP - ok
14:50:07.0015 3756 HTTPFilter (6100a808600f44d999cebdef8841c7a3) C:\WINDOWS\System32\w3ssl.dll
14:50:07.0015 3756 HTTPFilter - ok
14:50:07.0015 3756 i2omgmt - ok
14:50:07.0031 3756 i2omp - ok
14:50:07.0093 3756 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
14:50:07.0093 3756 i8042prt - ok
14:50:07.0203 3756 iastor (d593517879e65167df35f6015814ac59) C:\WINDOWS\system32\DRIVERS\iaStor.sys
14:50:07.0218 3756 iastor - ok
14:50:07.0390 3756 IDriverT (1cf03c69b49acb70c722df92755c0c8c) C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
14:50:07.0406 3756 IDriverT - ok
14:50:07.0609 3756 idsvc (c01ac32dc5c03076cfb852cb5da5229c) c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
14:50:07.0656 3756 idsvc - ok
14:50:08.0031 3756 IDSxpx86 (c924bf6d42b3d9292268ff1998596bd1) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\ipsdefs\20120511.001\IDSxpx86.sys
14:50:08.0031 3756 IDSxpx86 - ok
14:50:08.0187 3756 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
14:50:08.0187 3756 Imapi - ok
14:50:08.0250 3756 ImapiService (30deaf54a9755bb8546168cfe8a6b5e1) C:\WINDOWS\system32\imapi.exe
14:50:08.0265 3756 ImapiService - ok
14:50:08.0265 3756 ini910u - ok
14:50:08.0281 3756 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
14:50:08.0281 3756 IntelIde - ok
14:50:08.0406 3756 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
14:50:08.0406 3756 intelppm - ok
14:50:08.0437 3756 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
14:50:08.0437 3756 Ip6Fw - ok
14:50:08.0468 3756 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
14:50:08.0468 3756 IpFilterDriver - ok
14:50:08.0484 3756 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
14:50:08.0484 3756 IpInIp - ok
14:50:08.0531 3756 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
14:50:08.0531 3756 IpNat - ok
14:50:08.0750 3756 iPod Service (ca9d4b998bff311a539604ed87318fa0) C:\Program Files\iPod\bin\iPodService.exe
14:50:08.0781 3756 iPod Service - ok
14:50:08.0812 3756 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
14:50:08.0812 3756 IPSec - ok
14:50:08.0843 3756 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
14:50:08.0843 3756 IRENUM - ok
14:50:08.0875 3756 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
14:50:08.0875 3756 isapnp - ok
14:50:09.0078 3756 JavaQuickStarterService (77ac10db097dfd0cd3071465b644d0ab) C:\Program Files\Java\jre6\bin\jqs.exe
14:50:09.0093 3756 JavaQuickStarterService - ok
14:50:09.0109 3756 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
14:50:09.0109 3756 Kbdclass - ok
14:50:09.0125 3756 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
14:50:09.0125 3756 kbdhid - ok
14:50:09.0140 3756 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
14:50:09.0140 3756 kmixer - ok
14:50:09.0203 3756 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
14:50:09.0203 3756 KSecDD - ok
14:50:09.0265 3756 lanmanserver (3a7c3cbe5d96b8ae96ce81f0b22fb527) C:\WINDOWS\System32\srvsvc.dll
14:50:09.0281 3756 lanmanserver - ok
14:50:09.0296 3756 lanmanworkstation (a8888a5327621856c0cec4e385f69309) C:\WINDOWS\System32\wkssvc.dll
14:50:09.0312 3756 lanmanworkstation - ok
14:50:09.0312 3756 lbrtfdc - ok
14:50:09.0390 3756 LmHosts (a7db739ae99a796d91580147e919cc59) C:\WINDOWS\System32\lmhsvc.dll
14:50:09.0390 3756 LmHosts - ok
14:50:09.0437 3756 LVPr2Mon (1a7db7a00a4b0d8da24cd691a4547291) C:\WINDOWS\system32\DRIVERS\LVPr2Mon.sys
14:50:09.0437 3756 LVPr2Mon - ok
14:50:09.0718 3756 LVPrcSrv (0ddfdcaa92c7f553328db06ba599bea9) C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
14:50:09.0718 3756 LVPrcSrv - ok
14:50:09.0796 3756 LVUSBSta (9e9306063ecd8aa91b3fb76678d3cee2) C:\WINDOWS\system32\drivers\LVUSBSta.sys
14:50:09.0796 3756 LVUSBSta - ok
14:50:10.0171 3756 LVUVC (a240e42a7402e927a71b6e8aa4629b13) C:\WINDOWS\system32\DRIVERS\lvuvc.sys
14:50:10.0546 3756 LVUVC - ok
14:50:10.0718 3756 MatSvc (ddf15a42e27e8efe27b18fd403151a86) C:\Program Files\Microsoft Fix it Center\Matsvc.exe
14:50:10.0718 3756 MatSvc - ok
14:50:10.0812 3756 MDM (11f714f85530a2bd134074dc30e99fca) C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
14:50:10.0843 3756 MDM - ok
14:50:11.0281 3756 mdmxsdk (e246a32c445056996074a397da56e815) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
14:50:11.0281 3756 mdmxsdk - ok
14:50:11.0328 3756 Messenger (986b1ff5814366d71e0ac5755c88f2d3) C:\WINDOWS\System32\msgsvc.dll
14:50:11.0343 3756 Messenger - ok
14:50:11.0375 3756 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
14:50:11.0375 3756 mnmdd - ok
14:50:11.0421 3756 mnmsrvc (d18f1f0c101d06a1c1adf26eed16fcdd) C:\WINDOWS\system32\mnmsrvc.exe
14:50:11.0421 3756 mnmsrvc - ok
14:50:11.0453 3756 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
14:50:11.0453 3756 Modem - ok
14:50:11.0515 3756 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
14:50:11.0515 3756 Mouclass - ok
14:50:11.0546 3756 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
14:50:11.0546 3756 mouhid - ok
14:50:11.0578 3756 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
14:50:11.0578 3756 MountMgr - ok
14:50:11.0593 3756 mraid35x - ok
14:50:11.0609 3756 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
14:50:11.0609 3756 MRxDAV - ok
14:50:11.0718 3756 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
14:50:11.0718 3756 MRxSmb - ok
14:50:11.0734 3756 MSDTC (a137f1470499a205abbb9aafb3b6f2b1) C:\WINDOWS\system32\msdtc.exe
14:50:11.0750 3756 MSDTC - ok
14:50:11.0750 3756 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
14:50:11.0750 3756 Msfs - ok
14:50:11.0765 3756 MSIServer - ok
14:50:11.0796 3756 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
14:50:11.0796 3756 MSKSSRV - ok
14:50:11.0828 3756 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
14:50:11.0843 3756 MSPCLOCK - ok
14:50:11.0843 3756 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
14:50:11.0843 3756 MSPQM - ok
14:50:11.0890 3756 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
14:50:11.0890 3756 mssmbios - ok
14:50:11.0937 3756 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
14:50:11.0937 3756 MSTEE - ok
14:50:11.0953 3756 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
14:50:11.0953 3756 Mup - ok
14:50:12.0078 3756 N360 (64c89db40949fd0e7c8ff303676a91f1) C:\Program Files\Norton Security Suite\Engine\3.8.3.6\ccSvcHst.exe
14:50:12.0093 3756 N360 - ok
14:50:12.0125 3756 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
14:50:12.0140 3756 NABTSFEC - ok
14:50:12.0234 3756 napagent (0102140028fad045756796e1c685d695) C:\WINDOWS\System32\qagentrt.dll
14:50:12.0250 3756 napagent - ok
14:50:12.0500 3756 NAVENG (862f55824ac81295837b0ab63f91071f) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20120513.007\NAVENG.SYS
14:50:12.0500 3756 NAVENG - ok
14:50:12.0593 3756 NAVEX15 (529d571b551cb9da44237389b936f1ae) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20120513.007\NAVEX15.SYS
14:50:12.0625 3756 NAVEX15 - ok
14:50:12.0921 3756 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
14:50:12.0921 3756 NDIS - ok
14:50:12.0953 3756 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
14:50:12.0953 3756 NdisIP - ok
14:50:13.0000 3756 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
14:50:13.0000 3756 NdisTapi - ok
14:50:13.0015 3756 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
14:50:13.0015 3756 Ndisuio - ok
14:50:13.0031 3756 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
14:50:13.0031 3756 NdisWan - ok
14:50:13.0093 3756 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
14:50:13.0093 3756 NDProxy - ok
14:50:13.0109 3756 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
14:50:13.0109 3756 NetBIOS - ok
14:50:13.0125 3756 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
14:50:13.0125 3756 NetBT - ok
14:50:13.0187 3756 NetDDE (b857ba82860d7ff85ae29b095645563b) C:\WINDOWS\system32\netdde.exe
14:50:13.0187 3756 NetDDE - ok
14:50:13.0203 3756 NetDDEdsdm (b857ba82860d7ff85ae29b095645563b) C:\WINDOWS\system32\netdde.exe
14:50:13.0203 3756 NetDDEdsdm - ok
14:50:13.0250 3756 Netlogon (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
14:50:13.0250 3756 Netlogon - ok
14:50:13.0281 3756 Netman (13e67b55b3abd7bf3fe7aae5a0f9a9de) C:\WINDOWS\System32\netman.dll
14:50:13.0312 3756 Netman - ok
14:50:13.0500 3756 NetTcpPortSharing (d34612c5d02d026535b3095d620626ae) c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
14:50:13.0500 3756 NetTcpPortSharing - ok
14:50:13.0531 3756 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
14:50:13.0531 3756 NIC1394 - ok
14:50:13.0609 3756 Nla (943337d786a56729263071623bbb9de5) C:\WINDOWS\System32\mswsock.dll
14:50:13.0625 3756 Nla - ok
14:50:13.0640 3756 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
14:50:13.0640 3756 Npfs - ok
14:50:13.0734 3756 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
14:50:13.0750 3756 Ntfs - ok
14:50:13.0812 3756 NtLmSsp (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
14:50:13.0812 3756 NtLmSsp - ok
14:50:13.0875 3756 NtmsSvc (156f64a3345bd23c600655fb4d10bc08) C:\WINDOWS\system32\ntmssvc.dll
14:50:13.0906 3756 NtmsSvc - ok
14:50:13.0968 3756 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
14:50:13.0968 3756 Null - ok
14:50:14.0375 3756 nv (77f427e51479c66c09f967d15b639b37) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
14:50:14.0453 3756 nv - ok
14:50:14.0562 3756 NVSvc (143f50273cfb6d970f06a1c2d7fbbf78) C:\WINDOWS\system32\nvsvc32.exe
14:50:14.0578 3756 NVSvc - ok
14:50:14.0640 3756 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
14:50:14.0640 3756 NwlnkFlt - ok
14:50:14.0656 3756 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
14:50:14.0656 3756 NwlnkFwd - ok
14:50:14.0890 3756 odserv (785f487a64950f3cb8e9f16253ba3b7b) C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE
14:50:14.0937 3756 odserv - ok
14:50:15.0000 3756 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
14:50:15.0000 3756 ohci1394 - ok
14:50:15.0000 3756 omci - ok
14:50:15.0078 3756 ose (5a432a042dae460abe7199b758e8606c) C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
14:50:15.0093 3756 ose - ok
14:50:15.0140 3756 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
14:50:15.0140 3756 Parport - ok
14:50:15.0140 3756 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
14:50:15.0140 3756 PartMgr - ok
14:50:15.0187 3756 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
14:50:15.0187 3756 ParVdm - ok
14:50:15.0203 3756 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
14:50:15.0203 3756 PCI - ok
14:50:15.0203 3756 PCIDump - ok
14:50:15.0234 3756 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
14:50:15.0234 3756 PCIIde - ok
14:50:15.0281 3756 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\DRIVERS\pcmcia.sys
14:50:15.0296 3756 Pcmcia - ok
14:50:15.0296 3756 PDCOMP - ok
14:50:15.0296 3756 PDFRAME - ok
14:50:15.0312 3756 PDRELI - ok
14:50:15.0312 3756 PDRFRAME - ok
14:50:15.0328 3756 pepifilter - ok
14:50:15.0328 3756 perc2 - ok
14:50:15.0328 3756 perc2hib - ok
14:50:15.0359 3756 PID_08A0 - ok
14:50:15.0437 3756 PID_PEPI (0da6c5e0c8da6cebe52daacfe7ae9de6) C:\WINDOWS\system32\DRIVERS\LV302V32.SYS
14:50:15.0515 3756 PID_PEPI - ok
14:50:15.0671 3756 PlugPlay (65df52f5b8b6e9bbd183505225c37315) C:\WINDOWS\system32\services.exe
14:50:15.0671 3756 PlugPlay - ok
14:50:15.0781 3756 Pml Driver HPZ12 (2d091a99624fb9e7eef0a86d872ec0c3) C:\WINDOWS\system32\HPZipm12.exe
14:50:15.0781 3756 Pml Driver HPZ12 - ok
14:50:15.0890 3756 PolicyAgent (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
14:50:15.0890 3756 PolicyAgent - ok
14:50:15.0953 3756 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
14:50:15.0953 3756 PptpMiniport - ok
14:50:16.0062 3756 prepdrvr (19505c4134f3181fc2203e087140c192) C:\WINDOWS\system32\CCM\prepdrv.sys
14:50:16.0062 3756 prepdrvr - ok
14:50:16.0078 3756 ProtectedStorage (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
14:50:16.0078 3756 ProtectedStorage - ok
14:50:16.0109 3756 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
14:50:16.0109 3756 PSched - ok
14:50:16.0171 3756 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
14:50:16.0171 3756 Ptilink - ok
14:50:16.0218 3756 PxHelp20 (e42e3433dbb4cffe8fdd91eab29aea8e) C:\WINDOWS\system32\Drivers\PxHelp20.sys
14:50:16.0218 3756 PxHelp20 - ok
14:50:16.0218 3756 ql1080 - ok
14:50:16.0234 3756 Ql10wnt - ok
14:50:16.0234 3756 ql12160 - ok
14:50:16.0250 3756 ql1240 - ok
14:50:16.0250 3756 ql1280 - ok
14:50:16.0312 3756 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
14:50:16.0312 3756 RasAcd - ok
14:50:16.0359 3756 RasAuto (ad188be7bdf94e8df4ca0a55c00a5073) C:\WINDOWS\System32\rasauto.dll
14:50:16.0359 3756 RasAuto - ok
14:50:16.0406 3756 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
14:50:16.0406 3756 Rasl2tp - ok
14:50:16.0468 3756 RasMan (76a9a3cbeadd68cc57cda5e1d7448235) C:\WINDOWS\System32\rasmans.dll
14:50:16.0484 3756 RasMan - ok
14:50:16.0500 3756 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
14:50:16.0515 3756 RasPppoe - ok
14:50:16.0515 3756 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
14:50:16.0515 3756 Raspti - ok
14:50:16.0531 3756 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
14:50:16.0531 3756 Rdbss - ok
14:50:16.0593 3756 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
14:50:16.0593 3756 RDPCDD - ok
14:50:16.0671 3756 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
14:50:16.0671 3756 rdpdr - ok
14:50:16.0718 3756 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) C:\WINDOWS\system32\drivers\RDPWD.sys
14:50:16.0734 3756 RDPWD - ok
14:50:16.0828 3756 RDSessMgr (3c37bf86641bda977c3bf8a840f3b7fa) C:\WINDOWS\system32\sessmgr.exe
14:50:16.0843 3756 RDSessMgr - ok
14:50:16.0859 3756 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
14:50:16.0875 3756 redbook - ok
14:50:17.0109 3756 RegSrvc (6f81c8a63fb824eb8a2401ab45795553) C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
14:50:17.0109 3756 RegSrvc - ok
14:50:17.0171 3756 RemoteAccess (7e699ff5f59b5d9de5390e3c34c67cf5) C:\WINDOWS\System32\mprdim.dll
14:50:17.0171 3756 RemoteAccess - ok
14:50:17.0218 3756 RemoteRegistry (5b19b557b0c188210a56a6b699d90b8f) C:\WINDOWS\system32\regsvc.dll
14:50:17.0218 3756 RemoteRegistry - ok
14:50:17.0265 3756 RimUsb (f17713d108aca124a139fde877eef68a) C:\WINDOWS\system32\Drivers\RimUsb.sys
14:50:17.0281 3756 RimUsb - ok
14:50:17.0312 3756 RimVSerPort (2c4fb2e9f039287767c384e46ee91030) C:\WINDOWS\system32\DRIVERS\RimSerial.sys
14:50:17.0312 3756 RimVSerPort - ok
14:50:17.0359 3756 ROOTMODEM (d8b0b4ade32574b2d9c5cc34dc0dbbe7) C:\WINDOWS\system32\Drivers\RootMdm.sys
14:50:17.0375 3756 ROOTMODEM - ok
14:50:17.0453 3756 RpcLocator (aaed593f84afa419bbae8572af87cf6a) C:\WINDOWS\system32\locator.exe
14:50:17.0453 3756 RpcLocator - ok
14:50:17.0531 3756 RpcSs (6b27a5c03dfb94b4245739065431322c) C:\WINDOWS\System32\rpcss.dll
14:50:17.0531 3756 RpcSs - ok
14:50:17.0562 3756 RSVP (471b3f9741d762abe75e9deea4787e47) C:\WINDOWS\system32\rsvp.exe
14:50:17.0578 3756 RSVP - ok
14:50:17.0656 3756 S24EventMonitor (b792f2c647b1fc3e4987de582ee00fe3) C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
14:50:17.0671 3756 S24EventMonitor - ok
14:50:17.0687 3756 s24trans (2e4e912ce95f5ef4d4a5079f6ce367fc) C:\WINDOWS\system32\DRIVERS\s24trans.sys
14:50:17.0687 3756 s24trans - ok
14:50:17.0750 3756 SamSs (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
14:50:17.0750 3756 SamSs - ok
14:50:17.0781 3756 SCardSvr (86d007e7a654b9a71d1d7d856b104353) C:\WINDOWS\System32\SCardSvr.exe
14:50:17.0796 3756 SCardSvr - ok
14:50:17.0875 3756 Schedule (0a9a7365a1ca4319aa7c1d6cd8e4eafa) C:\WINDOWS\system32\schedsvc.dll
14:50:17.0890 3756 Schedule - ok
14:50:17.0953 3756 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
14:50:17.0953 3756 Secdrv - ok
14:50:17.0968 3756 seclogon (cbe612e2bb6a10e3563336191eda1250) C:\WINDOWS\System32\seclogon.dll
14:50:17.0968 3756 seclogon - ok
14:50:18.0000 3756 SENS (7fdd5d0684eca8c1f68b4d99d124dcd0) C:\WINDOWS\system32\sens.dll
14:50:18.0000 3756 SENS - ok
14:50:18.0000 3756 Serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
14:50:18.0000 3756 Serenum - ok
14:50:18.0015 3756 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
14:50:18.0031 3756 Serial - ok
14:50:18.0062 3756 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
14:50:18.0062 3756 Sfloppy - ok
14:50:18.0140 3756 SharedAccess (83f41d0d89645d7235c051ab1d9523ac) C:\WINDOWS\System32\ipnathlp.dll
14:50:18.0156 3756 SharedAccess - ok
14:50:18.0218 3756 ShellHWDetection (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll
14:50:18.0218 3756 ShellHWDetection - ok
14:50:18.0218 3756 Simbad - ok
14:50:18.0250 3756 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
14:50:18.0250 3756 SLIP - ok
14:50:18.0281 3756 SONYPVU1 (a1eceeaa5c5e74b2499eb51d38185b84) C:\WINDOWS\system32\DRIVERS\SONYPVU1.SYS
14:50:18.0281 3756 SONYPVU1 - ok
14:50:18.0281 3756 Sparrow - ok
14:50:18.0328 3756 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
14:50:18.0328 3756 splitter - ok
14:50:18.0375 3756 Spooler (60784f891563fb1b767f70117fc2428f) C:\WINDOWS\system32\spoolsv.exe
14:50:18.0390 3756 Spooler - ok
14:50:18.0406 3756 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
14:50:18.0406 3756 sr - ok
14:50:18.0484 3756 srservice (3805df0ac4296a34ba4bf93b346cc378) C:\WINDOWS\system32\srsvc.dll
14:50:18.0500 3756 srservice - ok
14:50:18.0640 3756 SRTSP (e81f6caeab9ad5732e94c07c97866aa2) C:\WINDOWS\System32\Drivers\N360\0308030.006\SRTSP.SYS
14:50:18.0640 3756 SRTSP - ok
14:50:18.0703 3756 SRTSPX (e28de499d942b08058bffac69d4122b6) C:\WINDOWS\system32\drivers\N360\0308030.006\SRTSPX.SYS
14:50:18.0703 3756 SRTSPX - ok
14:50:18.0781 3756 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
14:50:18.0781 3756 Srv - ok
14:50:18.0828 3756 sscdbhk5 (1cbd1b58a32de97899f5290b05f856db) C:\WINDOWS\system32\drivers\sscdbhk5.sys
14:50:18.0828 3756 sscdbhk5 - ok
14:50:18.0859 3756 SSDPSRV (0a5679b3714edab99e357057ee88fca6) C:\WINDOWS\System32\ssdpsrv.dll
14:50:18.0875 3756 SSDPSRV - ok
14:50:18.0875 3756 ssrtln (7fb07ac152d7a87e66204860002bd9a4) C:\WINDOWS\system32\drivers\ssrtln.sys
14:50:18.0875 3756 ssrtln - ok
14:50:18.0984 3756 STHDA (2a2dc39623adef8ab3703ab9fac4b440) C:\WINDOWS\system32\drivers\sthda.sys
14:50:19.0000 3756 STHDA - ok
14:50:19.0031 3756 stisvc (8bad69cbac032d4bbacfce0306174c30) C:\WINDOWS\system32\wiaservc.dll
14:50:19.0062 3756 stisvc - ok
14:50:19.0171 3756 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
14:50:19.0171 3756 streamip - ok
14:50:19.0203 3756 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
14:50:19.0203 3756 swenum - ok
14:50:19.0250 3756 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
14:50:19.0250 3756 swmidi - ok
14:50:19.0265 3756 SwPrv - ok
14:50:19.0265 3756 symc810 - ok
14:50:19.0281 3756 symc8xx - ok
14:50:19.0421 3756 SymEFA (d0885f6e24259a6c65e68d6ad749910a) C:\WINDOWS\system32\drivers\N360\0308030.006\SYMEFA.SYS
14:50:19.0437 3756 SymEFA - ok
14:50:19.0515 3756 SymEvent (a54ff04bd6e75dc4d8cb6f3e352635e0) C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
14:50:19.0515 3756 SymEvent - ok
14:50:19.0578 3756 SYMFW (a8c45c36309ee066f9191e511f88ed76) C:\WINDOWS\System32\Drivers\N360\0308030.006\SYMFW.SYS
14:50:19.0578 3756 SYMFW - ok
14:50:19.0640 3756 SYMIDS (f4db00bc0c25be3e05d4bbb8637cc3a3) C:\WINDOWS\System32\Drivers\N360\0308030.006\SYMIDS.SYS
14:50:19.0640 3756 SYMIDS - ok
14:50:19.0718 3756 SymIM (c6db9f873b09c63f5cb1de10c08bf6f9) C:\WINDOWS\system32\DRIVERS\SymIM.sys
14:50:19.0718 3756 SymIM - ok
14:50:19.0781 3756 Symmpi (ea776423fa3762802a19a6a74310730a) C:\WINDOWS\system32\DRIVERS\symmpi.sys
14:50:19.0781 3756 Symmpi - ok
14:50:19.0796 3756 SYMNDIS (06a8ecfc68d61a26a67f0e96ff1ca9cc) C:\WINDOWS\System32\Drivers\N360\0308030.006\SYMNDIS.SYS
14:50:19.0796 3756 SYMNDIS - ok
14:50:19.0812 3756 SYMTDI (26bc80ec79d7ba478249c266cbdf17b4) C:\WINDOWS\System32\Drivers\N360\0308030.006\SYMTDI.SYS
14:50:19.0812 3756 SYMTDI - ok
14:50:19.0812 3756 sym_hi - ok
14:50:19.0828 3756 sym_u3 - ok
14:50:19.0890 3756 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
14:50:19.0890 3756 sysaudio - ok
14:50:19.0953 3756 SysmonLog (c7abbc59b43274b1109df6b24d617051) C:\WINDOWS\system32\smlogsvc.exe
14:50:19.0968 3756 SysmonLog - ok
14:50:20.0000 3756 TapiSrv (3cb78c17bb664637787c9a1c98f79c38) C:\WINDOWS\System32\tapisrv.dll
14:50:20.0015 3756 TapiSrv - ok
14:50:20.0046 3756 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
14:50:20.0046 3756 Tcpip - ok
14:50:20.0078 3756 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
14:50:20.0078 3756 TDPIPE - ok
14:50:20.0093 3756 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
14:50:20.0093 3756 TDTCP - ok
14:50:20.0125 3756 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
14:50:20.0125 3756 TermDD - ok
14:50:20.0156 3756 TermService (ff3477c03be7201c294c35f684b3479f) C:\WINDOWS\System32\termsrv.dll
14:50:20.0171 3756 TermService - ok
14:50:20.0390 3756 tfsnboio (c89daabdff5bd984181f45adf6ddb24a) C:\WINDOWS\system32\dla\tfsnboio.sys
14:50:20.0390 3756 tfsnboio - ok
14:50:20.0390 3756 tfsncofs (f093906c27fc9c59bd03d84807266107) C:\WINDOWS\system32\dla\tfsncofs.sys
14:50:20.0406 3756 tfsncofs - ok
14:50:20.0406 3756 tfsndrct (9294575cdad17d1dadfcd98a2ca26e7a) C:\WINDOWS\system32\dla\tfsndrct.sys
14:50:20.0406 3756 tfsndrct - ok
14:50:20.0421 3756 tfsndres (cdcc394cbaac183f9bdebf6d2f97c5c6) C:\WINDOWS\system32\dla\tfsndres.sys
14:50:20.0421 3756 tfsndres - ok
14:50:20.0453 3756 tfsnifs (0a6c7c989dd76bb8989fd958ac5601d0) C:\WINDOWS\system32\dla\tfsnifs.sys
14:50:20.0453 3756 tfsnifs - ok
14:50:20.0468 3756 tfsnopio (92a17c0d73500f9b9c3028da9e4cdba6) C:\WINDOWS\system32\dla\tfsnopio.sys
14:50:20.0468 3756 tfsnopio - ok
14:50:20.0484 3756 tfsnpool (15ab1a2bb2b35eb1dcda39405114afc6) C:\WINDOWS\system32\dla\tfsnpool.sys
14:50:20.0484 3756 tfsnpool - ok
14:50:20.0500 3756 tfsnudf (370d2779668bf3b8d14f34356c41ab9c) C:\WINDOWS\system32\dla\tfsnudf.sys
14:50:20.0500 3756 tfsnudf - ok
14:50:20.0515 3756 tfsnudfa (4564799868c4bcdf28c8efc6d4c48c4b) C:\WINDOWS\system32\dla\tfsnudfa.sys
14:50:20.0515 3756 tfsnudfa - ok
14:50:20.0578 3756 Themes (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll
14:50:20.0578 3756 Themes - ok
14:50:20.0625 3756 TlntSvr (db7205804759ff62c34e3efd8a4cc76a) C:\WINDOWS\system32\tlntsvr.exe
14:50:20.0625 3756 TlntSvr - ok
14:50:20.0640 3756 TosIde - ok
14:50:20.0687 3756 TrkWks (55bca12f7f523d35ca3cb833c725f54e) C:\WINDOWS\system32\trkwks.dll
14:50:20.0703 3756 TrkWks - ok
14:50:20.0750 3756 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
14:50:20.0750 3756 Udfs - ok
14:50:20.0765 3756 ultra - ok
14:50:20.0828 3756 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
14:50:20.0843 3756 Update - ok
14:50:20.0890 3756 upnphost (1ebafeb9a3fbdc41b8d9c7f0f687ad91) C:\WINDOWS\System32\upnphost.dll
14:50:20.0921 3756 upnphost - ok
14:50:20.0937 3756 UPS (05365fb38fca1e98f7a566aaaf5d1815) C:\WINDOWS\System32\ups.exe
14:50:20.0937 3756 UPS - ok
14:50:20.0984 3756 USBAAPL (1df89c499bf45d878b87ebd4421d462d) C:\WINDOWS\system32\Drivers\usbaapl.sys
14:50:20.0984 3756 USBAAPL - ok
14:50:21.0000 3756 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
14:50:21.0015 3756 usbaudio - ok
14:50:21.0031 3756 usbbus (5353218b3265e3b8190335059f697a11) C:\WINDOWS\system32\DRIVERS\lgusbbus.sys
14:50:21.0031 3756 usbbus - ok
14:50:21.0062 3756 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
14:50:21.0062 3756 usbccgp - ok
14:50:21.0109 3756 USBCCID (2825e0e294686a26506690059e1f437a) C:\WINDOWS\system32\DRIVERS\usbccid.sys
14:50:21.0109 3756 USBCCID - ok
14:50:21.0156 3756 UsbDiag (7dd3eefc62a1ef44e5f940fa651ed9ed) C:\WINDOWS\system32\DRIVERS\lgusbdiag.sys
14:50:21.0156 3756 UsbDiag - ok
14:50:21.0218 3756 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
14:50:21.0218 3756 usbehci - ok
14:50:21.0234 3756 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
14:50:21.0234 3756 usbhub - ok
14:50:21.0265 3756 USBModem (083031a78822eccbd7510bccd3e20d4c) C:\WINDOWS\system32\DRIVERS\lgusbmodem.sys
14:50:21.0265 3756 USBModem - ok
14:50:21.0281 3756 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
14:50:21.0281 3756 usbprint - ok
14:50:21.0296 3756 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
14:50:21.0312 3756 usbscan - ok
14:50:21.0437 3756 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
14:50:21.0437 3756 USBSTOR - ok
14:50:21.0500 3756 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
14:50:21.0500 3756 usbuhci - ok
14:50:21.0531 3756 usbvideo (63bbfca7f390f4c49ed4b96bfb1633e0) C:\WINDOWS\system32\Drivers\usbvideo.sys
14:50:21.0546 3756 usbvideo - ok
14:50:21.0609 3756 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
14:50:21.0609 3756 VgaSave - ok
14:50:21.0609 3756 ViaIde - ok
14:50:21.0609 3756 vmscsi - ok
14:50:21.0750 3756 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
14:50:21.0750 3756 VolSnap - ok
14:50:21.0812 3756 VSS (7a9db3a67c333bf0bd42e42b8596854b) C:\WINDOWS\System32\vssvc.exe
14:50:21.0843 3756 VSS - ok
14:50:21.0921 3756 W32Time (54af4b1d5459500ef0937f6d33b1914f) C:\WINDOWS\system32\w32time.dll
14:50:21.0937 3756 W32Time - ok
14:50:22.0078 3756 w39n51 (b1f126e7e28877106d60e6ff3998d033) C:\WINDOWS\system32\DRIVERS\w39n51.sys
14:50:22.0093 3756 w39n51 - ok
14:50:22.0218 3756 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
14:50:22.0218 3756 Wanarp - ok
14:50:22.0281 3756 wanatw (0a716c08cb13c3a8f4f51e882dbf7416) C:\WINDOWS\system32\DRIVERS\wanatw4.sys
14:50:22.0281 3756 wanatw - ok
14:50:22.0296 3756 WANMiniportService (eb9a99ab5d17b1727034ff191e6448d7) C:\WINDOWS\wanmpsvc.exe
14:50:22.0296 3756 WANMiniportService - ok
14:50:22.0390 3756 Wdf01000 (fd47474bd21794508af449d9d91af6e6) C:\WINDOWS\system32\DRIVERS\Wdf01000.sys
14:50:22.0390 3756 Wdf01000 - ok
14:50:22.0390 3756 WDICA - ok
14:50:22.0468 3756 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
14:50:22.0468 3756 wdmaud - ok
14:50:22.0531 3756 WebClient (77a354e28153ad2d5e120a5a8687bc06) C:\WINDOWS\System32\webclnt.dll
14:50:22.0531 3756 WebClient - ok
14:50:22.0718 3756 winachsf (ba6b6fb242a6ba4068c8b763063beb63) C:\WINDOWS\system32\DRIVERS\HSX_CNXT.sys
14:50:22.0734 3756 winachsf - ok
14:50:22.0843 3756 winmgmt (2d0e4ed081963804ccc196a0929275b5) C:\WINDOWS\system32\wbem\WMIsvc.dll
14:50:22.0843 3756 winmgmt - ok
14:50:22.0968 3756 WinRM (18f347402da544a780949b8fdf83351b) C:\WINDOWS\system32\WsmSvc.dll
14:50:23.0031 3756 WinRM - ok
14:50:23.0250 3756 WLANKEEPER (afb5a2a79bb01699a269c316d8b9bef1) C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
14:50:23.0250 3756 WLANKEEPER - ok
14:50:23.0390 3756 WmdmPmSN (c51b4a5c05a5475708e3c81c7765b71d) C:\WINDOWS\system32\MsPMSNSv.dll
14:50:23.0390 3756 WmdmPmSN - ok
14:50:23.0468 3756 Wmi (e76f8807070ed04e7408a86d6d3a6137) C:\WINDOWS\System32\advapi32.dll
14:50:23.0500 3756 Wmi - ok
14:50:23.0625 3756 WmiAcpi (c42584fd66ce9e17403aebca199f7bdb) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
14:50:23.0625 3756 WmiAcpi - ok
14:50:23.0703 3756 WmiApSrv (e0673f1106e62a68d2257e376079f821) C:\WINDOWS\system32\wbem\wmiapsrv.exe
14:50:23.0703 3756 WmiApSrv - ok
14:50:23.0859 3756 WMPNetworkSvc (f74e3d9a7fa9556c3bbb14d4e5e63d3b) C:\Program Files\Windows Media Player\WMPNetwk.exe
14:50:23.0968 3756 WMPNetworkSvc - ok
14:50:24.0234 3756 WPFFontCache_v0400 (dcf3e3edf5109ee8bc02fe6e1f045795) C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe
14:50:24.0281 3756 WPFFontCache_v0400 - ok
14:50:24.0421 3756 wscsvc (7c278e6408d1dce642230c0585a854d5) C:\WINDOWS\system32\wscsvc.dll
14:50:24.0421 3756 wscsvc - ok
14:50:24.0437 3756 WSearch - ok
14:50:24.0484 3756 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
14:50:24.0484 3756 WSTCODEC - ok
14:50:24.0515 3756 wuauserv (35321fb577cdc98ce3eb3a3eb9e4610a) C:\WINDOWS\system32\wuauserv.dll
14:50:24.0515 3756 wuauserv - ok
14:50:24.0578 3756 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
14:50:24.0578 3756 WudfPf - ok
14:50:24.0593 3756 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
14:50:24.0609 3756 WudfRd - ok
14:50:24.0671 3756 WudfSvc (05231c04253c5bc30b26cbaae680ed89) C:\WINDOWS\System32\WUDFSvc.dll
14:50:24.0671 3756 WudfSvc - ok
14:50:24.0750 3756 WZCSVC (81dc3f549f44b1c1fff022dec9ecf30b) C:\WINDOWS\System32\wzcsvc.dll
14:50:24.0781 3756 WZCSVC - ok
14:50:24.0828 3756 xmlprov (295d21f14c335b53cb8154e5b1f892b9) C:\WINDOWS\System32\xmlprov.dll
14:50:24.0843 3756 xmlprov - ok
14:50:24.0875 3756 MBR (0x1B8) (1f753b395539269a3484aecd505b79bd) \Device\Harddisk0\DR0
14:50:24.0906 3756 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - infected
14:50:24.0906 3756 \Device\Harddisk0\DR0 - detected Rootkit.Boot.Pihar.b (0)
14:50:24.0921 3756 Boot (0x1200) (ac4d0018fdfec8cbe8b10cf1462b5deb) \Device\Harddisk0\DR0\Partition0
14:50:24.0937 3756 \Device\Harddisk0\DR0\Partition0 - ok
14:50:24.0937 3756 ============================================================
14:50:24.0937 3756 Scan finished
14:50:24.0937 3756 ============================================================
14:50:24.0937 1792 Detected object count: 1
14:50:24.0937 1792 Actual detected object count: 1
14:51:00.0953 1792 \Device\Harddisk0\DR0\# - copied to quarantine
14:51:00.0953 1792 \Device\Harddisk0\DR0 - copied to quarantine
14:51:00.0984 1792 \Device\Harddisk0\DR0\TDLFS\phm - copied to quarantine
14:51:01.0000 1792 \Device\Harddisk0\DR0\TDLFS\phs - copied to quarantine
14:51:01.0015 1792 \Device\Harddisk0\DR0\TDLFS\ph.dll - copied to quarantine
14:51:01.0015 1792 \Device\Harddisk0\DR0\TDLFS\phld - copied to quarantine
14:51:01.0015 1792 \Device\Harddisk0\DR0\TDLFS\phln - copied to quarantine
14:51:01.0031 1792 \Device\Harddisk0\DR0\TDLFS\phd - copied to quarantine
14:51:01.0078 1792 \Device\Harddisk0\DR0\TDLFS\phdata - copied to quarantine
14:51:01.0093 1792 \Device\Harddisk0\DR0\TDLFS\xh.dll - copied to quarantine
14:51:01.0125 1792 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - will be cured on reboot
14:51:01.0125 1792 \Device\Harddisk0\DR0 - ok
14:51:01.0125 1792 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - User select action: Cure
14:51:06.0781 4016 Deinitialize success


ComboFix 12-05-28.05 - Administrator 05/28/2012 15:15:51.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1418 [GMT -4:00]
Running from: E:\ComboFix.exe
AV: Norton Security Suite *Disabled/Outdated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Security Suite *Enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\GoToAssistDownloadHelper.exe
c:\documents and settings\Administrator\WINDOWS
c:\documents and settings\kimmja01\WINDOWS
c:\windows\EventSystem.log
.
.
((((((((((((((((((((((((( Files Created from 2012-04-28 to 2012-05-28 )))))))))))))))))))))))))))))))
.
.
2012-05-28 18:51 . 2012-05-28 18:51 -------- d-----w- C:\TDSSKiller_Quarantine
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2010-12-02 21:50 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-583907252-823518204-1801674531-58894\Scripts\Logoff\0\0]
"Script"=sendLogOut.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-583907252-823518204-1801674531-58894\Scripts\Logon\0\0]
"Script"=sendLogIn.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-583907252-823518204-1801674531-61032\Scripts\Logoff\0\0]
"Script"=sendLogOut.vbs
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-583907252-823518204-1801674531-61032\Scripts\Logon\0\0]
"Script"=sendLogIn.vbs
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=c:\windows\pss\HP Image Zone Fast Start.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package Menu.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Picture Package Menu.lnk
backup=c:\windows\pss\Picture Package Menu.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package VCD Maker.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Picture Package VCD Maker.lnk
backup=c:\windows\pss\Picture Package VCD Maker.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
2006-08-01 19:35 67112 ----a-w- c:\program files\AIM\aim.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
2005-10-07 18:13 176128 ----a-r- c:\program files\Apoint\Apoint.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BlackBerryAutoUpdate]
2009-08-24 20:27 623960 ----a-w- c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ------w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
2005-12-10 00:29 49152 ----a-w- c:\program files\CyberLink\PowerDVD\DVDLauncher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
2006-05-10 00:24 50760 ----a-w- c:\program files\Common Files\AOL\1159919149\ee\aolsoftware.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-05-08 20:24 54840 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
2004-12-22 16:40 172032 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\hpztsb99.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon07]
2005-03-17 04:59 622592 ----a-w- c:\windows\system32\hphmon07.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHped07]
2005-03-17 18:08 339968 ----a-w- c:\progra~1\HP\{C8EEA~1\PExpress\HPHPED07.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD07]
2005-03-17 05:08 49152 ----a-w- c:\program files\HP\{C8EEAA89-0A3E-441f-B646-17A46F5D6954}\hphupd07.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IE New Window Maximizer]
2005-02-09 04:06 356352 ----a-w- c:\program files\IE New Window Maximizer\iemaximizer.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelWireless]
2005-12-28 15:56 602182 ----a-w- c:\program files\Intel\Wireless\Bin\iFrmewrk.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPHSend]
2006-02-17 16:59 124520 ----a-w- c:\program files\Common Files\AOL\IPHSend\IPHSend.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
2004-07-27 20:50 221184 ----a-w- c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
2005-06-10 14:44 81920 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\issch.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-04-14 15:32 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\progra~1\MESSEN~1\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2007-11-17 08:03 8495104 ----a-w- c:\windows\system32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2007-11-17 08:03 1626112 ----a-w- c:\windows\system32\nwiz.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 21:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
2006-08-18 15:52 26112 ----a-w- c:\program files\Real\RealPlayer\realplay.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
2005-11-16 19:35 397312 ----a-w- c:\windows\stsystra.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-01-11 20:21 246504 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2006-10-19 01:05 204288 ------w- c:\program files\Windows Media Player\wmpnscfg.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
.
R0 a320raid;a320raid;c:\windows\system32\drivers\A320RAID.SYS [5/4/2006 3:14 PM 251578]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0308030.006\SymEFA.sys [10/31/2011 8:57 PM 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\N360\0308030.006\BHDrvx86.sys [10/31/2011 8:57 PM 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\N360\0308030.006\cchpx86.sys [10/31/2011 8:57 PM 467592]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20120525.001\IDSXpx86.sys [5/28/2012 3:14 PM 356792]
R2 ASFIPmon;Broadcom ASF IP Monitor;c:\program files\Broadcom\ASFIPMon\AsfIpMon.exe [10/18/2005 6:11 PM 61440]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [9/26/2009 12:32 AM 189736]
R2 N360;Norton Security Suite;c:\program files\Norton Security Suite\Engine\3.8.3.6\ccSvcHst.exe [10/31/2011 8:56 PM 117648]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2/4/2012 5:57 AM 106104]
S0 aac;PERC 320/DC SCSI RAID Miniport Driver;c:\windows\system32\DRIVERS\aac.sys --> c:\windows\system32\DRIVERS\aac.sys [?]
S0 aarich;aarich;c:\windows\system32\DRIVERS\aarich.sys --> c:\windows\system32\DRIVERS\aarich.sys [?]
S0 vmscsi;vmscsi;c:\windows\system32\drivers\vmscsi.sys --> c:\windows\system32\drivers\vmscsi.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 2:16 PM 130384]
S3 MatSvc;Microsoft Automated Troubleshooting Service;c:\program files\Microsoft Fix it Center\Matsvc.exe [6/13/2011 11:09 PM 267568]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [8/4/2004 8:00 AM 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 2:16 PM 753504]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.comcast.net/
uInternet Connection Wizard,ShellNext = hxxp://www.gettysburg.edu/
uInternet Settings,ProxyOverride = 127.0.0.1;localhost;*.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: worldwinner.com\www
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-LDM - c:\program files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
MSConfigStartUp-LogitechSoftwareUpdate - c:\program files\Logitech\Video\ManifestEngine.exe
MSConfigStartUp-LogitechVideoRepair - c:\program files\Logitech\Video\ISStart.exe
MSConfigStartUp-LogitechVideoTray - c:\program files\Logitech\Video\LogiTray.exe
MSConfigStartUp-LVCOMSX - c:\windows\system32\LVCOMSX.EXE
MSConfigStartUp-Messenger (Yahoo!) - c:\program files\Yahoo!\Messenger\YahooMessenger.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-05-28 15:30
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton Security Suite\Engine\3.8.3.6\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton Security Suite\Engine\3.8.3.6\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1722428857-3431956265-2815590985-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,da,ef,e7,eb,05,d8,d5,43,93,5d,f6,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,da,ef,e7,eb,05,d8,d5,43,93,5d,f6,\
.
[HKEY_USERS\S-1-5-21-1722428857-3431956265-2815590985-500\Software\SecuROM\License information*]
"datasecu"=hex:14,18,d8,bd,56,1a,ac,e1,45,e0,fd,f0,5a,0b,b3,8c,67,77,5f,8a,56,
46,e7,74,f1,c2,34,52,80,2d,b2,0f,87,62,39,a1,0b,93,ba,38,d6,23,68,91,54,f0,\
"rkeysecu"=hex:b2,23,d3,6a,a0,3f,0e,4a,8a,24,b8,84,77,cb,b4,fc
.
[HKEY_LOCAL_MACHINE\software\INTEL\Wireless\Folders\*& 2*]
"Path"="c:\\WINDOWS\\system32\\config\\systemprofile\\Application Data\\Intel\\Wireless\\"
.
[HKEY_LOCAL_MACHINE\software\INTEL\Wireless\Folders\ *& 2*]
"Path"="c:\\WINDOWS\\system32\\config\\systemprofile\\Application Data\\Intel\\Wireless\\"
.
[HKEY_LOCAL_MACHINE\software\INTEL\Wireless\Folders\Æ 2*]
"Path"="c:\\WINDOWS\\system32\\config\\systemprofile\\Application Data\\Intel\\Wireless\\"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(708)
c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll
.
Completion time: 2012-05-28 15:34:38
ComboFix-quarantined-files.txt 2012-05-28 19:34
ComboFix2.txt 2010-01-31 20:02
.
Pre-Run: 8,448,331,776 bytes free
Post-Run: 9,229,529,088 bytes free
.
- - End Of File - - 840D07AE4C71DF30A1A14FA8B7C74578
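
The TDSSKiller lines further up report an MD5 for "MBR (0x1B8)" on \Device\Harddisk0\DR0 and then flag the disk as Rootkit.Boot.Pihar.b, with the rootkit's own files sitting in a hidden TDLFS area. The Python script below is an added illustration of the kind of integrity check such a finding rests on; it is not code from this thread, from TDSSKiller or from any other tool named here. It hashes the bootstrap-code region of a 512-byte MBR image, compares it with a known-good baseline, sanity-checks the partition table, and reports how much unpartitioned space follows the last partition, which is where TDL4-family bootkits keep their hidden file system. That the 0x1B8 in the log is the hashed length is an assumption; the MBR images, the stand-in bootstrap bytes and the partition layout are constructed sample data, and `build_sample_mbr`, `check_mbr` and `trailing_unallocated_sectors` are names chosen for this example.

```python
"""Baseline integrity check for a 512-byte MBR image (added example; constructed data)."""
import hashlib
import struct

MBR_SIZE = 512
BOOTCODE_LEN = 0x1B8     # 440 bytes of bootstrap code; the disk signature follows at 0x1B8 (assumed hash length)
PART_TABLE_OFF = 0x1BE   # four 16-byte partition entries
SIG_OFF = 0x1FE          # 0x55AA boot signature
ENTRY_FMT = "<B3xB3xII"  # status, (CHS start skipped), type, (CHS end skipped), LBA start, sector count


def bootcode_md5(mbr: bytes) -> str:
    """MD5 of the bootstrap code region, the part a boot-sector rootkit overwrites."""
    return hashlib.md5(mbr[:BOOTCODE_LEN]).hexdigest()


def parse_partitions(mbr: bytes) -> list:
    """Decode the four partition entries; unused (type 0x00) slots are skipped."""
    parts = []
    for slot in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(
            ENTRY_FMT, mbr, PART_TABLE_OFF + 16 * slot)
        if ptype == 0:
            continue
        parts.append({"slot": slot, "active": status == 0x80, "type": ptype,
                      "lba_start": lba_start, "sectors": sectors})
    return parts


def check_mbr(mbr: bytes, baseline_md5: str) -> list:
    """Return a list of findings; an empty list means the MBR matches expectations."""
    if len(mbr) != MBR_SIZE:
        return [f"unexpected MBR length {len(mbr)}"]
    findings = []
    if mbr[SIG_OFF:SIG_OFF + 2] != b"\x55\xaa":
        findings.append("boot signature 0x55AA missing")
    if bootcode_md5(mbr) != baseline_md5:
        findings.append("bootstrap code differs from baseline")
    parts = parse_partitions(mbr)
    if sum(p["active"] for p in parts) != 1:
        findings.append("expected exactly one active partition")
    ordered = sorted(parts, key=lambda p: p["lba_start"])
    for a, b in zip(ordered, ordered[1:]):
        if a["lba_start"] + a["sectors"] > b["lba_start"]:
            findings.append(f"partitions in slots {a['slot']} and {b['slot']} overlap")
    return findings


def trailing_unallocated_sectors(mbr: bytes, disk_sectors: int) -> int:
    """Sectors after the last partition.  TDL4-family bootkits keep their hidden
    file system (the TDLFS entries in the log) in this unpartitioned tail, so an
    unexpectedly large value is worth a closer look."""
    parts = parse_partitions(mbr)
    if not parts:
        return disk_sectors
    end = max(p["lba_start"] + p["sectors"] for p in parts)
    return max(0, disk_sectors - end)


def build_sample_mbr(bootcode: bytes, partitions) -> bytes:
    """Assemble a constructed MBR image from bootstrap bytes and (active, type, lba, sectors) tuples."""
    mbr = bytearray(MBR_SIZE)
    mbr[:len(bootcode)] = bootcode
    mbr[BOOTCODE_LEN:BOOTCODE_LEN + 4] = b"\x12\x34\x56\x78"   # disk signature (constructed)
    for slot, (active, ptype, lba_start, sectors) in enumerate(partitions):
        struct.pack_into(ENTRY_FMT, mbr, PART_TABLE_OFF + 16 * slot,
                         0x80 if active else 0x00, ptype, lba_start, sectors)
    mbr[SIG_OFF:SIG_OFF + 2] = b"\x55\xaa"
    return bytes(mbr)


# Constructed sample data: a stand-in bootstrap stub and a two-partition layout.
CLEAN_BOOTCODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 16
TAMPERED_BOOTCODE = b"\xeb\x20" + CLEAN_BOOTCODE[2:]   # leading bytes replaced, as an overwritten MBR would show
SAMPLE_PARTS = [(True, 0x07, 63, 78_124_032), (False, 0x07, 78_124_095, 1_000_000)]

CLEAN_MBR = build_sample_mbr(CLEAN_BOOTCODE, SAMPLE_PARTS)
TAMPERED_MBR = build_sample_mbr(TAMPERED_BOOTCODE, SAMPLE_PARTS)
BASELINE_MD5 = bootcode_md5(CLEAN_MBR)   # in practice: recorded from a known-clean image

if __name__ == "__main__":
    print("clean   :", check_mbr(CLEAN_MBR, BASELINE_MD5))
    print("tampered:", check_mbr(TAMPERED_MBR, BASELINE_MD5))
    print("tail sectors:", trailing_unallocated_sectors(CLEAN_MBR, 79_126_143))
```

On a real machine the 512-byte image would come from a raw read of the physical disk taken from a known-clean boot medium, and the baseline hash would be recorded while the system was trusted; comparing a hash taken while the rootkit is active is unreliable, since a bootkit of this kind can filter disk reads to return the original sector.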

#5 fireman4it (Bleepin' Fireman, Malware Response Team, 13,512 posts, Greenup, Ill USA)

Posted 28 May 2012 - 04:32 PM

Hello,

Please try and run Windows updates without Norton running.

Please download Farbar Service Scanner and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


If I have helped you, consider making a donation to help me continue the fight against Malware!


#6 IndyCrash (Topic Starter, Members, 8 posts)

Posted 28 May 2012 - 05:13 PM

Since I had disabled the Norton Security Suite, I enabled the built-in Microsoft firewall to run while I am on the internet. The computer is running fine. I did run the FSS and will paste below. I just wanted to tell you that I am currently installing MS updates. MS updater has 45 "high priority" to download and install. That was part of the problem: I could download updates, but most of them failed. Right now, 17 have installed and none have failed.

Farbar Service Scanner Version: 27-05-2012
Ran by Administrator (administrator) on 28-05-2012 at 17:47:59
Running from "E:\"
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall"=DWORD:0


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============

File Check:ay!
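
The ComboFix log earlier in this thread shows Security Center's AntiVirusOverride and FirewallOverride set to 1 and the standard-profile firewall with EnableFirewall = 0 and DisableNotifications = 1; the FSS log just above shows the domain profile's EnableFirewall = 0 as well. Override values of 1 suppress the Security Center alerts about disabled protection, and DisableNotifications suppresses the firewall's own prompts, so a machine in this state gives its user no visible sign that it is unprotected. The Python script below is an added example, not code from the thread, from ComboFix or from FSS: it parses the REGEDIT-style excerpts both tools print into a dictionary, decodes both value spellings they use (`dword:00000001` and `0 (0x0)`), and evaluates a few triage rules over them. The embedded excerpts are constructed (the 3389:TCP entry in particular does not appear in the thread), and `parse_reg_dump`, `as_int` and `audit` are names chosen for this example.

```python
"""Triage of Windows Firewall / Security Center settings from ComboFix- and FSS-style
registry excerpts (added example; the excerpts below are constructed)."""
import re

KEY_RE = re.compile(r"^\[(.+)\]$")
VAL_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')


def parse_reg_dump(text: str) -> dict:
    """Map each [key] header to its "name"=value lines; key paths are lower-cased."""
    result, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            result.setdefault(current, {})
            continue
        m = VAL_RE.match(line)
        if m and current is not None:
            result[current][m.group(1)] = m.group(2).strip()
    return result


def as_int(raw: str):
    """Decode both value spellings seen in these logs: 'dword:00000001' and '0 (0x0)'."""
    raw = raw.strip()
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    m = re.match(r"^(\d+)\b", raw)
    return int(m.group(1)) if m else None


# (key path suffix, value name, value that indicates a weakened setting, finding text)
RULES = [
    ("\\security center", "AntiVirusOverride", 1,
     "Security Center told not to warn about missing/disabled antivirus"),
    ("\\security center", "FirewallOverride", 1,
     "Security Center told not to warn about a disabled firewall"),
    ("firewallpolicy\\standardprofile", "EnableFirewall", 0,
     "Windows Firewall disabled (standard profile)"),
    ("firewallpolicy\\domainprofile", "EnableFirewall", 0,
     "Windows Firewall disabled (domain profile)"),
    ("firewallpolicy\\standardprofile", "DisableNotifications", 1,
     "Windows Firewall notifications suppressed"),
]


def audit(reg: dict) -> list:
    """Apply RULES to a parsed dump and flag globally opened ports that are not Disabled."""
    findings = []
    for suffix, name, weak_value, text in RULES:
        for path, values in reg.items():
            if path.endswith(suffix) and name in values and as_int(values[name]) == weak_value:
                findings.append(text)
    for path, values in reg.items():
        if path.endswith("globallyopenports\\list"):
            for name, raw in values.items():
                if ":disabled:" not in raw.lower():
                    findings.append(f"globally open port {name}")
    return findings


# Constructed excerpt in the layout ComboFix uses in its "Reg Loading Points" section.
SAMPLE_COMBOFIX = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
"3389:TCP"= 3389:TCP:*:Enabled:Remote Desktop
"""

# Constructed excerpt in the layout Farbar Service Scanner uses for its policy checks.
SAMPLE_FSS = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall"=DWORD:0
"""

if __name__ == "__main__":
    for label, text in (("ComboFix", SAMPLE_COMBOFIX), ("FSS", SAMPLE_FSS)):
        for finding in audit(parse_reg_dump(text)):
            print(f"{label}: {finding}")
```

The rules match on the tail of the key path so that the abbreviated `HKLM\~\services\...` form ComboFix prints and the full `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\...` form FSS prints are handled alike.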

#7 fireman4it (Bleepin' Fireman, Malware Response Team, 13,512 posts, Greenup, Ill USA)

Posted 28 May 2012 - 05:22 PM

Let me know when all the updates have completed, and we will move on to the next phase. :thumbup2:


#8 IndyCrash (Topic Starter, Members, 8 posts)

Posted 28 May 2012 - 06:40 PM

OK Fireman4it,
All of the MS updates are installed. Norton is still turned off. At your convenience, let me know the next steps. Thanks for getting us this far, I was really reluctant to let her use this computer on the internet without security updates.

#9 fireman4it (Bleepin' Fireman, Malware Response Team, 13,512 posts, Greenup, Ill USA)

Posted 28 May 2012 - 07:57 PM

Hello,

Please run the following to look for any leftovers. After these tools are run you can turn Norton back on and try the internet.


1.
Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Important!! When you save the mbam-setup file, rename it to something random (such as 123abc.exe) before beginning the download.
Malwarebytes may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

  • Make sure you are connected to the Internet and double-click on the renamed file to install the application.
    For instructions with screenshots, please refer to this Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • Malwarebytes will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • Under the Scanner tab, make sure the "Perform Quick Scan" option is selected.
  • Click on the Scan button.
  • When finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box, then click the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked and then click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows the database version and your operating system.
  • Exit Malwarebytes when done.
Note: If Malwarebytes encounters a file that is difficult to remove, you will be asked to reboot your computer so it can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally will prevent Malwarebytes from removing all the malware.


2.
I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the ESET Online Scanner button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the esetsmartinstaller_enu.exe icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.


Things to include in your next reply:
MBAM log
Eset log
How is your machine running now?


#10 IndyCrash (Topic Starter, Members, 8 posts)

Posted 28 May 2012 - 11:18 PM

Hello Fireman4it,

There was no problem running Mbam but it didn't find anything on Quick Scan. The ESET scan would start, but after a few minutes (5 or less), the scan would freeze and then return to the accept/permission to start. After the third restart, I followed the directions for non-IE browsers, downloaded the program, set the scanner setting as instructed and it finally ran to completion. The results surprised me since MBAM scanned clean. Sorry to say, I have to hit the rack for tonight soon, but I'll check before work and again when I get home. Thanks for your help tonight.

Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.05.28.04

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Administrator :: KIMMJA01 [administrator]

5/28/2012 9:27:01 PM
mbam-log-2012-05-28 (21-27-01).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 237876
Time elapsed: 7 minute(s), 7 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)


C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\10\7c88068a-18d52a71 Java/Agent.BV trojan deleted - quarantined
C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\35\2b29fca3-5e921ab1 a variant of Java/Agent.BR trojan deleted - quarantined
C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\44\38e63bec-19a2ea1b Java/Agent.BV trojan deleted - quarantined
C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\51\4c81ed73-331a5ea8 probably a variant of Java/Agent.BR trojan deleted - quarantined
C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\6.0\56\5ad4b738-5251ddaf Java/Agent.BV trojan deleted - quarantined
C:\MGtools\Process.exe Win32/PrcView application cleaned by deleting - quarantined
C:\System Volume Information\_restore{BF54F3A3-2426-41F8-A48C-D29752635E95}\RP1342\A0227275.exe Win32/PrcView application cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\28.05.2012_14.49.50\mbr0000\tdlfs0000\tsk0002.dta a variant of Win32/Olmarik.AWO trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\28.05.2012_14.49.50\mbr0000\tdlfs0000\tsk0004.dta Win32/Olmarik.AWO trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\28.05.2012_14.49.50\mbr0000\tdlfs0000\tsk0005.dta a variant of Win32/Rootkit.Kryptik.HP trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\28.05.2012_14.49.50\mbr0000\tdlfs0000\tsk0007.dta Win32/Olmarik.AYG trojan cleaned by deleting - quarantined

#11 fireman4it (Bleepin' Fireman, Malware Response Team, 13,512 posts, Greenup, Ill USA)

Posted 29 May 2012 - 01:33 PM

Hello, IndyCrash.
Congratulations! You now appear clean! :cool:


Uninstall Combofix
  • Make sure that Combofix.exe that you downloaded is on your Desktop but Do not run it!
    o *If it is not on your Desktop, the below will not work.
  • Click on Start then Run....
  • Now copy & paste the green bolded text in the run-box and click OK.

    ComboFix /Uninstall

    <Notice the space between the "x" and "/".> <--- It needs to be there
    Windows Vista users: Press the Windows Key + R to bring up the Run... command and then from there you can add in the Combofix /Uninstall

  • Please advise if this step is missed for any reason as it performs some important actions:
    "This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.
    It also makes a clean Restore Point and flushes all the old restore points in order to prevent possible reinfection from an old one through system restore".



Are things running okay? Do you have any more questions?

System Still Slow?
You may wish to try StartupLite. Simply download this tool to your desktop and run it. It will explain any optional auto-start programs on your system, and offer the option to stop these programs from starting at startup. This will result in fewer programs running when you boot your system, and should improve performance.
If that does not work, you can try the steps mentioned in Slow Computer/browser? Check Here First; It May Not Be Malware.

We Need to Clean Up Our Mess
  • Download OTC by OldTimer and save it to your desktop.
  • Double click the OTC icon to start the program. If you are using Vista, please right-click and choose run as administrator
  • Then Click the big CleanUp! button.
  • You will get a prompt saying "Begin Cleanup Process". Please select Yes.
  • Restart your computer when prompted.

Important Note: Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 7 and save it to your desktop.
  • Look for "Java Platform, Standard Edition".
  • Click the "Download JRE" button to the right.
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • From the list, select your OS and Platform (32-bit or 64-bit).
  • If a download for an Offline Installation is available, it is recommended to choose that and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Control Panel, double-click on Add/Remove Programs or Programs and Features in Vista/Windows 7 and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-7-windows-i586.exe to install the newest version.
  • If using Windows 7 or Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the Java Setup - Welcome window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.
  • The McAfee Security Scan Plus tool is installed by default unless you uncheck the McAfee installation box when updating Java.
Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications but it's not necessary.
To disable the JQS service if you don't want to use it:
  • Go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter.
  • Click Ok and reboot your computer.

One of the most common questions found when cleaning malware is "how did my machine get infected?"

There are a variety of reasons, but the most common ones are that you are not practicing Safe Internet, you are not running the proper security software or that your computer's security settings are set too low.

Below I have outlined a series of categories that outline how you can increase the security of your computer to help reduce the chance of being infected again in the future.

Do not use P2P programs
Peer-to-peer or file-sharing programs (such as uTorrent, Limewire and BitTorrent) are probably the primary route of infection nowadays. These programs allow file sharing between users as the name(s) suggest. It is almost impossible to know whether the file you're downloading through P2P programs is safe.

It is therefore possible to be infected by downloading infected files via peer-to-peer programs and so I recommend that you do not use these programs. Should you wish to use them, they must be used with extreme care. Some further reading on this subject, along with included links, are as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."

In addition, P2P programs facilitate cyber crime and help distribute pirated software, movies and other illegal material.

Practice Safe Internet
Another one of the main reasons people get infected in the first place is that they are not practicing Safe Internet. You practice Safe Internet when you educate yourself on how to properly use the Internet through the use of security tools and good practice. Knowing how you can get infected and what types of files and sites to avoid will be the most crucial step in keeping your computer malware free. The reality is that the majority of people who are infected with malware are ones who click on things they shouldn't be clicking on. Whether these things are files or sites it doesn't really matter. If something is out to get you, and you click on it, it most likely will.

Below are a list of simple precautions to take to keep your computer clean and running securely:
  • If you receive an attachment from someone you do not know, DO NOT OPEN IT! Simple as that. Opening attachments from people you do not know is a very common method for viruses or worms to infect your computer.
  • If you receive an attachment and it ends with a .exe, .com, .bat, or .pif do not open the attachment unless you know for a fact that it is clean. For the casual computer user, you will almost never receive a valid attachment of this type.
  • If you receive an attachment from someone you know, and it looks suspicious, then it probably is. The email could be from someone you know who is themselves infected with malware which is trying to infect everyone in their address book. A key thing to look out for here is: does the email sound as though it’s from the person you know? Often, the email may simply have a web link or a “Run this file to make your PC run fast” message in it.
  • If you are browsing the Internet and a popup appears saying that you are infected, ignore it! These are, as far as I am concerned, scams that are being used to scare you into purchasing a piece of software. For an example of these types of pop-ups, or Foistware, you should read this article: Foistware, And how to avoid it.
    There are also programs that disguise themselves as Anti-Spyware or security products but are instead scams. Removal instructions for a lot of these "rogues" can be found here.
  • Another tactic to fool you on the web is when a site displays a popup that looks like a normal Windows message or alert. When you click on them, though, they instead bring you to another site that is trying to push a product on you, or will download a file to your PC without your knowledge. You can check to see if it's a real alert by right-clicking on the window. If there is a menu that comes up saying Add to Favorites... you know it's a fake. DO NOT click on these windows; instead close them by finding the open window on your Taskbar, right click and choose Close.
  • Do not visit pornographic websites. I know this may bother some of you, but the fact is that a large amount of malware is pushed through these types of sites. I am not saying all adult sites do this, but a lot do, as this can often form part of their funding.
  • When using an Instant Messaging program be cautious about clicking on links people send to you. It is not uncommon for infections to send a message to everyone in the infected person's contact list that contains a link to an infection. Instead when you receive a message that contains a link you should message back to the person asking if it is legit.
  • Stay away from Warez and Crack sites! As with Peer-2-Peer programs, in addition to the obvious copyright issues, the downloads from these sites are typically overrun with infections.
  • Be careful of what you download off of web sites and Peer-2-Peer networks. Some sites disguise malware as legitimate software to trick you into installing them and Peer-2-Peer networks are crawling with it. If you want to download files from a site, and are not sure if they are legitimate, you can use tools such as BitDefender Traffic Light, Norton Safe Web, or McAfee SiteAdvisor to look up info on the site and stay protected against malicious sites. Please be sure to only choose and install one of those tool bars.
  • DO NOT INSTALL any software without first reading the End User License Agreement, otherwise known as the EULA. A tactic that some developers use is to offer their software for free, but have spyware and other programs you do not want bundled with it. This is where they make their money. By reading the agreement there is a good chance you can spot this and not install the software.
    Sometimes even legitimate programs will try to bundle extra, unwanted, software with the program you want - this is done to raise money for the program. Be sure to untick any boxes which may indicate that other programs will be downloaded.

Keep Windows up-to-date
Microsoft continually releases security and stability updates for its supported operating systems and you should always apply these to help keep your PC secure.

  • Windows XP users
    You should visit Windows Update to check for the latest updates to your system. The latest service pack (SP3) can be obtained directly from Microsoft here.
  • Windows Vista users
    You should run the Windows Update program from your start menu to access the latest updates to your operating system (information can be found here). The latest service pack (SP2) can be obtained directly from Microsoft here.
  • Windows 7 users
    You should run the Windows Update program from your start menu to access the latest updates to your operating system (information can be found here). The latest service pack (SP1) can be obtained directly from Microsoft here.


Keep your browser secure
Most modern browsers have come on in leaps and bounds with their inbuilt, default security. The best way to keep your browser secure nowadays is simply to keep it up-to-date.

The latest versions of the three common browsers can be found below:

Use an AntiVirus Software
It is very important that your computer has an up-to-date anti-virus software on it which has a real-time agent running. This alone can save you a lot of trouble with malware in the future.
See this link for a listing of some online & their stand-alone antivirus programs: Virus, Spyware, and Malware Protection and Removal Resources, a couple of free Anti-Virus programs you may be interested in are Microsoft Security Essentials and Avast.

It is imperative that you update your Antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out. If you use a commercial antivirus program you must make sure you keep renewing your subscription. Otherwise, once your subscription runs out, you may not be able to update the program's virus definitions.

Use a Firewall
I cannot stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly.

All versions of Windows starting from XP have an in-built firewall. With Windows XP this firewall will protect you from incoming traffic (i.e. hackers). Starting with Windows Vista, the firewall was beefed up to also protect you against outgoing traffic (i.e. malicious programs installed on your machine should be blocked from sending data, such as your bank details and passwords, out).

In addition, if you connect to the internet via a router, this will normally have a firewall in-built.

Some people will recommend installing a different firewall (instead of Windows' built-in one); this is a personal choice, but the message is to definitely have one! For a tutorial on Firewalls and a listing of some available ones see this link: Understanding and Using Firewalls

Install an Anti-Malware program
Recommended, and free, Anti-Malware programs are Malwarebytes Anti-Malware and SuperAntiSpyware.

You should regularly (perhaps once a week) scan your computer with an Anti-Malware program just as you would with an antivirus software.

Make sure your applications have all of their updates
It is also possible for other programs on your computer to have security vulnerabilities that can allow malware to infect you. Therefore, it is very important to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities (such as Adobe Reader and Java). You can check these by visiting Secunia Software Inspector.

Follow this list and your potential for being infected again will reduce dramatically.

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


If I have helped you, consider making a donation to help me continue the fight against Malware!


#12 IndyCrash

  • Topic Starter
  • Members
  • 8 posts
  • Local time:06:18 AM

Posted 29 May 2012 - 06:40 PM

Fireman4it,

My daughter and I are so grateful for your assistance and advice. The night before I posted, a Tech guy for a bank told me that if I had this (TDL) infection, the only way to get rid of it would be reformatting! Thank you for sharing your knowledge, for the quick responses and for KILLING the rootkit without any loss of data.
I will follow the directions and advice you gave me in your last post tonight and when I hand the laptop back to my daughter, it will be open to the last post. She can read the info/advice in the post and then click on donate to the site. Since she has a fully functional computer, it will be our pleasure. :clapping: The computer seems to be running fine, but if I have any questions, I'll post them in the next 24 hours. Thanks again,

IndyCrash



#13 fireman4it

    Bleepin' Fireman

  • Malware Response Team
  • 13,512 posts
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:04:18 AM

Posted 31 May 2012 - 03:23 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
