
Gozi Trojan - Detected by university IT


  • This topic is locked
22 replies to this topic

#1 CMoney77


Posted 08 July 2012 - 09:29 PM

Hello,

I have been put in the 'penalty box' by my university IT department (i.e. blocked from network access) because IT has detected a virus on my computer that is causing harmful network traffic. This happened yesterday July 5th around 5:30pm EST. They have provided me the following information:

"Gozi Trojan C&C checkin around noon today to 79.137.214.18 in RU. Possible file name for downloaded exe causing infection is 9fbe8c2d5.exe (although it has probably morphed). Executable download preceded the call to the C&C; the exe may have MD5 of d93290d2eef024b7e85c431a60c6ef23. VirusTotal coverage is almost non-existent at 10:00 AM this morning for that MD5."

I ran a full scan with Sophos AV and it did not detect any threats. I was told that the IT software engineer determined that the virus is fairly new and most likely would not be picked up by AV software. I would rather try to clean the computer myself (with your help, of course) and save what is on it than let IT get their hands on it and wipe it clean. I cannot get the DDS program to run successfully, it seems to freeze a few seconds into the scan. I believe this is related to the fact that Sophos quarantines the program as soon as it starts, however I'm using a university licensed version of Sophos and therefore cannot disable it without completely uninstalling the program. I have attached the Ark.txt file, however, generated from GMER. Any help would be greatly appreciated! Thanks,

Corey

Attached Files

  • Ark.txt (21.29KB, 2 downloads)
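A defender-side triage of the indicators in the IT notice, as an added example that is not part of this thread: it parses lines in the OTL log format that the helpers request below (the sample lines are copied from the poster's later OTL log, with benign entries kept for contrast) and flags file events that fall within a window around the reported noon check-in, plus any AppCertDlls load point. The window size and the choice of O36 as an always-review load point are assumptions of this example, and a flagged entry is a review candidate, not a verdict.

```python
import re
from datetime import datetime

# Incident time from the IT notice in post #1: C&C check-in "around noon" on 5 July 2012.
INCIDENT_TIME = datetime(2012, 7, 5, 12, 0, 0)

# Load points worth review on any suspect host regardless of timestamp (assumption of this
# example). AppCertDlls (O36) DLLs are loaded into every process that calls CreateProcess,
# so an unexpected entry there is a high-value persistence finding for a responder.
ALWAYS_REVIEW = {"O36": "AppCertDlls entry (DLL loaded into every new process)"}

# Constructed sample in OTL's format; the O36, labeprov.dll and PUTTY.RND lines are copied
# from the poster's log further down this thread, the last two are benign entries for contrast.
SAMPLE_OTL = r"""
O36 - AppCertDlls: ie4uycfg - (C:\WINDOWS\system32\labeprov.dll) - C:\WINDOWS\system32\labeprov.dll (Irvine Onnuri Church)
[2012/07/05 13:33:14 | 000,091,648 | ---- | C] (Irvine Onnuri Church) -- C:\WINDOWS\System32\labeprov.dll
[2012/07/05 17:11:03 | 000,000,600 | ---- | M] () -- C:\Documents and Settings\Corey\Local Settings\Application Data\PUTTY.RND
[2012/07/14 15:42:57 | 000,596,480 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Corey\Desktop\OTL.exe
O4 - HKLM..\Run: [EvtMgr6] C:\Program Files\Logitech\SetPointP\SetPoint.exe (Logitech, Inc.)
"""

# "[date time | size | attrs | C-or-M] (company) -- path" as OTL prints file events.
FILE_LINE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>\S{4}) \| (?P<kind>[CM])\] \((?P<company>[^)]*)\) -- (?P<path>.+)$"
)
# "Onn - detail" as OTL prints registry load points (HijackThis-style O-numbers).
LOADPOINT_LINE = re.compile(r"^(?P<code>O\d+) - (?P<detail>.+)$")


def parse_otl_line(line):
    """Return a dict for one OTL line, or None for headers, blanks and unknown formats."""
    m = FILE_LINE.match(line)
    if m:
        return {
            "type": "file",
            "timestamp": datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"),
            "size": int(m["size"].replace(",", "")),
            "attrs": m["attrs"],
            "kind": "created" if m["kind"] == "C" else "modified",
            "company": m["company"],
            "path": m["path"],
        }
    m = LOADPOINT_LINE.match(line)
    if m:
        return {"type": "loadpoint", "code": m["code"], "detail": m["detail"]}
    return None


def triage(lines, incident_time=INCIDENT_TIME, window_hours=4.0):
    """Flag entries for analyst review, preserving log order.

    A file event is flagged when its timestamp lies within +/- window_hours of the
    incident time; a load point is flagged when its O-number is in ALWAYS_REVIEW.
    """
    findings = []
    for raw in lines:
        entry = parse_otl_line(raw.rstrip())
        if entry is None:
            continue
        if entry["type"] == "file":
            offset_h = (entry["timestamp"] - incident_time).total_seconds() / 3600.0
            if abs(offset_h) <= window_hours:
                findings.append({
                    "reason": f"{entry['kind']} {offset_h:+.1f} h from incident",
                    "path": entry["path"],
                    "company": entry["company"] or "(no company name)",
                })
        elif entry["code"] in ALWAYS_REVIEW:
            findings.append({
                "reason": ALWAYS_REVIEW[entry["code"]],
                "path": entry["detail"],
                "company": "",
            })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_OTL.splitlines()):
        print(f"{f['reason']:45} {f['path']} {f['company']}")
```

Widening the window to six hours also pulls in the PUTTY.RND modification, which shows why the output is a review list rather than a detection.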



#2 HelpBot


Posted 13 July 2012 - 09:30 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/459838 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows, you should not bother creating a GMER log.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 RPMcMurphy


Posted 14 July 2012 - 11:18 AM

Hello and welcome. Please follow these guidelines while we work on your PC:
  • Malware removal is a sometimes lengthy and tedious process. Please stick with the thread until I’ve given you the “All clear.” Absence of symptoms does not mean your machine is clean!
  • Please do not run any scans or install/uninstall any applications without being directed to do so.
  • Please note that the forum is very busy and if I don't hear from you within five days this thread will be closed.
Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Click the Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time and paste them into your next post.
Please include the following in your next post:
  • OTL.txt and Extras.txt logs

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may donate.


#4 CMoney77


Posted 14 July 2012 - 02:58 PM

Thanks for your response.

My Sophos is also blocking OTL from being run. When I try to open it, Sophos quarantines it and none of the buttons or settings ever load into the interface. Your instructions say not to uninstall any applications, so with your permission I will uninstall Sophos and then run both the DDS and the OTL scans. Again, I have a university license of Sophos on this machine because it is in a campus lab, so I don't have access to any of the on-access scanning options that I need to disable it.

#5 RPMcMurphy


Posted 14 July 2012 - 07:58 PM

You may uninstall Sophos - I don't need both DDS and OTL though; whichever one you find easiest to run will suffice. Both tools produce two logs; be sure to post both for me.



#6 CMoney77


Posted 15 July 2012 - 03:42 PM

I was able to get OTL to run (still no luck with DDS though). I have pasted the two logs OTL.txt and Extras.txt into this reply, in that order.

OTL logfile created on: 7/15/2012 4:28:44 PM - Run 1
OTL by OldTimer - Version 3.2.54.0 Folder = C:\Documents and Settings\Corey\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.51 Gb Available Physical Memory | 83.85% Memory free
4.84 Gb Paging File | 4.52 Gb Available in Paging File | 93.35% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 673.46 Gb Total Space | 566.46 Gb Free Space | 84.11% Space Free | Partition Type: NTFS
Drive D: | 931.51 Gb Total Space | 35.48 Gb Free Space | 3.81% Space Free | Partition Type: NTFS
Drive F: | 1.90 Gb Total Space | 0.64 Gb Free Space | 33.37% Space Free | Partition Type: FAT

Computer Name: THUNDER | User Name: Corey | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/07/14 15:43:10 | 000,596,480 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Corey\Desktop\OTL.exe
PRC - [2012/07/05 10:22:53 | 001,192,664 | ---- | M] () -- C:\Documents and Settings\Corey\Application Data\Spotify\Data\SpotifyWebHelper.exe
PRC - [2012/06/15 12:26:22 | 000,095,232 | ---- | M] (McAfee, Inc.) -- c:\Program Files\McAfee\SiteAdvisor\McSACore.exe
PRC - [2011/10/07 05:40:42 | 001,387,288 | ---- | M] (Logitech, Inc.) -- C:\Program Files\Logitech\SetPointP\SetPoint.exe
PRC - [2011/09/27 15:05:24 | 000,149,784 | ---- | M] (Logitech, Inc.) -- C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.exe
PRC - [2011/08/11 11:27:42 | 015,490,560 | ---- | M] () -- C:\Documents and Settings\Corey\Local Settings\Application Data\Autobahn\nexdef.exe
PRC - [2011/01/17 19:37:40 | 011,322,880 | ---- | M] (OpenOffice.org) -- C:\Program Files\OpenOffice.org 3\program\soffice.exe
PRC - [2011/01/17 19:37:40 | 011,314,688 | ---- | M] (OpenOffice.org) -- C:\Program Files\OpenOffice.org 3\program\soffice.bin
PRC - [2009/09/26 00:32:18 | 000,189,736 | ---- | M] (Seagate Technology LLC) -- C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
PRC - [2009/09/26 00:31:32 | 000,185,640 | ---- | M] (Seagate LLC) -- C:\Program Files\Seagate\SeagateManager\FreeAgent Status\stxmenumgr.exe
PRC - [2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2006/03/20 17:00:04 | 000,282,624 | ---- | M] (SigmaTel, Inc.) -- C:\WINDOWS\stsystra.exe


========== Modules (No Company Name) ==========

MOD - [2012/07/05 10:22:53 | 001,192,664 | ---- | M] () -- C:\Documents and Settings\Corey\Application Data\Spotify\Data\SpotifyWebHelper.exe
MOD - [2011/11/22 11:42:08 | 000,985,088 | ---- | M] () -- C:\Program Files\OpenOffice.org 3\program\libxml2.dll
MOD - [2011/10/07 05:41:16 | 000,879,896 | ---- | M] () -- C:\Program Files\Logitech\SetPointP\Macros\MacroCore.dll
MOD - [2011/08/11 11:27:44 | 000,159,744 | ---- | M] () -- C:\Documents and Settings\Corey\Local Settings\Application Data\Autobahn\rt\jetrt\baseline720.dll
MOD - [2011/08/11 11:27:44 | 000,069,632 | ---- | M] () -- C:\Documents and Settings\Corey\Local Settings\Application Data\Autobahn\rt\bin\java.dll
MOD - [2011/08/11 11:27:42 | 015,490,560 | ---- | M] () -- C:\Documents and Settings\Corey\Local Settings\Application Data\Autobahn\nexdef.exe
MOD - [2011/08/11 11:27:40 | 000,126,976 | ---- | M] () -- C:\Documents and Settings\Corey\Local Settings\Application Data\Autobahn\rt\bin\zip.dll
MOD - [2011/08/11 11:27:40 | 000,020,480 | ---- | M] () -- C:\Documents and Settings\Corey\Local Settings\Application Data\Autobahn\rt\bin\jetvm\jvm.dll
MOD - [2009/11/03 16:51:42 | 000,067,872 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
MOD - [2008/09/18 00:55:00 | 000,466,944 | ---- | M] () -- C:\WINDOWS\system32\nvshell.dll
MOD - [2006/11/30 17:24:16 | 000,086,016 | ---- | M] () -- C:\WINDOWS\system32\custmon32.dll
MOD - [2001/07/31 03:17:12 | 000,094,274 | ---- | M] () -- C:\WINDOWS\system32\HPBHEALR.DLL


========== Win32 Services (SafeList) ==========

SRV - [2012/06/23 19:14:07 | 000,250,056 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2012/06/19 10:27:25 | 000,113,120 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
SRV - [2012/06/15 12:26:22 | 000,095,232 | ---- | M] (McAfee, Inc.) [Auto | Running] -- c:\Program Files\McAfee\SiteAdvisor\McSACore.exe -- (McAfee SiteAdvisor Service)
SRV - [2011/09/27 15:03:28 | 000,295,192 | ---- | M] (Logitech, Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\LogiShrd\Bluetooth\LBTServ.exe -- (LBTServ)
SRV - [2009/09/26 00:32:18 | 000,189,736 | ---- | M] (Seagate Technology LLC) [Auto | Running] -- C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe -- (FreeAgentGoNext Service)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)
DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)
DRV - File not found [Kernel | System | Stopped] -- -- (i2omgmt)
DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
DRV - [2011/09/02 02:31:28 | 000,039,192 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LMouFilt.Sys -- (LMouFilt)
DRV - [2011/09/02 02:31:20 | 000,041,240 | ---- | M] (Logitech, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LHidFilt.Sys -- (LHidFilt)
DRV - [2011/09/02 02:30:58 | 000,012,184 | ---- | M] (Logitech, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\LBeepKE.sys -- (LBeepKE)
DRV - [2007/06/06 12:51:04 | 000,161,792 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\b57xp32.sys -- (b57w2k)
DRV - [2006/05/25 15:40:00 | 001,156,808 | ---- | M] (SigmaTel, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\sthda.sys -- (STHDA)
DRV - [2002/05/29 16:13:06 | 000,027,507 | ---- | M] (cypress semiconductor) [Kernel | Auto | Stopped] -- C:\WINDOWS\system32\drivers\ezusb.sys -- (EZUSB) Cypress General Purpose USB Driver (ezusb.sys)
DRV - [2001/08/22 08:42:58 | 000,013,632 | ---- | M] (Dell Computer Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\omci.sys -- (OMCI)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
IE - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 7E 40 D7 E8 2F 42 CC 01 [binary data]
IE - HKCU\..\URLSearchHook: {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
IE - HKCU\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src=IE-SearchBox&Form=IE8SRC
IE - HKCU\..\SearchScopes\{41DFD345-D556-4ACF-B076-07FDD845870F}: "URL" = http://search.yahoo.com/search?fr=mcafee&p={SearchTerms}
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Secure Search"
FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.startup.homepage: "google.com"
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {B7082FAA-CB62-4872-9106-E42DD88EDE45}:3.3
FF - prefs.js..keyword.URL: "http://search.yahoo.com/search?fr=mcafee&p="
FF - user.js - File not found

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_3_300_262.dll ()
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@Google.com/GoogleEarthPlugin: C:\Program Files\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@mcafee.com/SAFFPlugin: C:\Program Files\McAfee\SiteAdvisor\npmcffplg32.dll (McAfee, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.1.10329.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@movenetworks.com/Quantum Media Player: C:\Documents and Settings\Cara\Application Data\Move Networks\plugins\npqmp071505000011.dll (Move Networks)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@talk.google.com/GoogleTalkPlugin: C:\Documents and Settings\Corey\Application Data\Mozilla\plugins\npgoogletalk.dll (Google)
FF - HKCU\Software\MozillaPlugins\@talk.google.com/O3DPlugin: C:\Documents and Settings\Corey\Application Data\Mozilla\plugins\npgtpo3dautoplugin.dll ()
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Documents and Settings\Corey\Local Settings\Application Data\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Documents and Settings\Corey\Local Settings\Application Data\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\extensions\\{4ED1F68A-5463-4931-9384-8FFF5ED91D92}: C:\Program Files\McAfee\SiteAdvisor [2012/07/05 17:15:38 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 13.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/06/19 10:27:27 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 13.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012/04/27 10:54:27 | 000,000,000 | ---D | M]

[2011/01/19 18:20:03 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Corey\Application Data\Mozilla\Extensions
[2012/05/07 02:01:55 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Corey\Application Data\Mozilla\Firefox\Profiles\cun08eh2.default\extensions
[2012/04/27 10:59:03 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2012/06/19 10:27:26 | 000,085,472 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2012/01/27 15:00:56 | 000,288,568 | ---- | M] (Cisco WebEx LLC) -- C:\Program Files\mozilla firefox\plugins\ieatgpc.dll
[2012/01/27 15:00:44 | 000,171,320 | ---- | M] (Cisco WebEx LLC) -- C:\Program Files\mozilla firefox\plugins\npatgpc.dll
[2012/04/18 16:48:05 | 000,476,904 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
[2012/04/27 10:58:11 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2012/05/07 01:58:19 | 000,002,024 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\McSiteAdvisor.xml
[2012/04/27 10:58:11 | 000,002,040 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml

O1 HOSTS File: ([2004/08/04 08:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O2 - BHO: (MSN Toolbar Helper) - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.1125.0\msneshellx.dll (Microsoft Corp.)
O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O3 - HKLM\..\Toolbar: (MSN Toolbar) - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.1125.0\msneshellx.dll (Microsoft Corp.)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No CLSID value found.
O4 - HKLM..\Run: [EvtMgr6] C:\Program Files\Logitech\SetPointP\SetPoint.exe (Logitech, Inc.)
O4 - HKLM..\Run: [IDTSysTrayApp] sttray.exe File not found
O4 - HKLM..\Run: [MaxMenuMgr] C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe (Seagate LLC)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\WINDOWS\stsystra.exe (SigmaTel, Inc.)
O4 - HKCU..\Run: [Spotify Web Helper] C:\Documents and Settings\Corey\Application Data\Spotify\Data\SpotifyWebHelper.exe ()
O4 - Startup: C:\Documents and Settings\Corey\Start Menu\Programs\Startup\NexDef Plug-in.lnk = C:\Documents and Settings\Corey\Local Settings\Application Data\Autobahn\nexdef.exe ()
O4 - Startup: C:\Documents and Settings\Corey\Start Menu\Programs\Startup\OpenOffice.org 3.3.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1255006021477 (WUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab (Java Plug-in 1.6.0_22)
O16 - DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O18 - Protocol\Handler\dssrequest {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\LBTWlgn: DllName - (c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll) - c:\Program Files\Common Files\LogiShrd\Bluetooth\LBTWLgn.dll (Logitech, Inc.)
O24 - Desktop WallPaper: C:\Documents and Settings\Corey\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Corey\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/10/07 14:54:51 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{ac0a39a3-0c7b-11e1-bf88-00188b2575c4}\Shell - "" = AutoRun
O33 - MountPoints2\{ac0a39a3-0c7b-11e1-bf88-00188b2575c4}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{ac0a39a3-0c7b-11e1-bf88-00188b2575c4}\Shell\AutoRun\command - "" = F:\LaunchU3.exe
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O36 - AppCertDlls: ie4uycfg - (C:\WINDOWS\system32\labeprov.dll) - C:\WINDOWS\system32\labeprov.dll (Irvine Onnuri Church)
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2012/07/15 16:19:10 | 000,000,000 | -HSD | C] -- C:\Config.Msi
[2012/07/15 15:39:45 | 000,607,260 | R--- | C] (Swearware) -- C:\Documents and Settings\Corey\Desktop\dds.scr
[2012/07/15 15:18:29 | 000,000,000 | -H-D | C] -- C:\WINDOWS\PIF
[2012/07/14 15:42:57 | 000,596,480 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Corey\Desktop\OTL.exe
[2012/07/06 10:50:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Corey\Desktop\gmer
[2012/07/05 13:33:14 | 000,091,648 | ---- | C] (Irvine Onnuri Church) -- C:\WINDOWS\System32\labeprov.dll
[2012/06/20 10:35:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Corey\Application Data\Google
[2012/06/20 10:34:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Google Earth
[4 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/07/15 16:21:30 | 000,651,852 | ---- | M] () -- C:\WINDOWS\System32\nvwsapps.xml
[2012/07/15 16:21:23 | 000,000,880 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2012/07/15 16:21:22 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/07/15 16:14:00 | 000,000,830 | ---- | M] () -- C:\WINDOWS\tasks\Adobe Flash Player Updater.job
[2012/07/15 16:06:35 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/07/15 15:44:02 | 000,607,260 | R--- | M] (Swearware) -- C:\Documents and Settings\Corey\Desktop\dds.scr
[2012/07/15 15:38:00 | 000,000,884 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2012/07/15 15:37:00 | 000,000,978 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1123561945-1614895754-682003330-1014UA.job
[2012/07/15 01:37:00 | 000,000,926 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1123561945-1614895754-682003330-1014Core.job
[2012/07/14 15:43:10 | 000,596,480 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Corey\Desktop\OTL.exe
[2012/07/09 10:32:51 | 000,000,000 | ---- | M] () -- C:\extensions.sqlite
[2012/07/09 03:56:21 | 000,000,008 | RHS- | M] () -- C:\Documents and Settings\All Users\ntuser.pol
[2012/07/08 18:19:53 | 000,016,400 | ---- | M] (Logitech, Inc.) -- C:\WINDOWS\System32\drivers\LNonPnP.sys
[2012/07/06 10:45:10 | 006,096,470 | ---- | M] () -- C:\Documents and Settings\Corey\Desktop\Error_penalty.bmp
[2012/07/06 10:12:22 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Corey\defogger_reenable
[2012/07/06 10:11:02 | 000,294,216 | ---- | M] () -- C:\Documents and Settings\Corey\Desktop\gmer.zip
[2012/07/06 10:09:16 | 000,050,477 | ---- | M] () -- C:\Documents and Settings\Corey\Desktop\Defogger.exe
[2012/07/05 17:11:03 | 000,000,600 | ---- | M] () -- C:\Documents and Settings\Corey\Local Settings\Application Data\PUTTY.RND
[2012/07/05 13:33:14 | 000,091,648 | ---- | M] (Irvine Onnuri Church) -- C:\WINDOWS\System32\labeprov.dll
[2012/06/23 19:14:06 | 000,426,184 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerApp.exe
[2012/06/23 19:14:06 | 000,070,344 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl
[4 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/07/09 10:32:51 | 000,000,000 | ---- | C] () -- C:\extensions.sqlite
[2012/07/06 10:45:09 | 006,096,470 | ---- | C] () -- C:\Documents and Settings\Corey\Desktop\Error_penalty.bmp
[2012/07/06 10:12:22 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Corey\defogger_reenable
[2012/07/06 10:11:35 | 000,294,216 | ---- | C] () -- C:\Documents and Settings\Corey\Desktop\gmer.zip
[2012/07/06 10:11:35 | 000,050,477 | ---- | C] () -- C:\Documents and Settings\Corey\Desktop\Defogger.exe
[2012/06/20 10:33:31 | 000,000,884 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2012/06/20 10:33:30 | 000,000,880 | ---- | C] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2012/06/12 11:09:35 | 000,004,960 | ---- | C] () -- C:\Documents and Settings\Corey\.recently-used.xbel
[2012/02/14 18:22:26 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2012/01/05 12:11:29 | 000,005,304 | ---- | C] () -- C:\WINDOWS\lopltt2.bin
[2012/01/05 12:10:53 | 000,001,347 | ---- | C] () -- C:\WINDOWS\aisinsp.ini
[2012/01/05 12:09:42 | 000,119,811 | ---- | C] () -- C:\WINDOWS\unstall.exe
[2012/01/05 12:09:13 | 000,000,256 | ---- | C] () -- C:\WINDOWS\System32\bcut.dll
[2011/06/09 16:41:41 | 000,000,008 | RHS- | C] () -- C:\Documents and Settings\All Users\ntuser.pol
[2011/05/13 13:03:03 | 173,721,600 | ---- | C] () -- C:\Documents and Settings\Corey\Windows 7 64-bit Repair Disc.iso
[2011/04/12 14:47:48 | 000,036,752 | -H-- | C] () -- C:\WINDOWS\System32\mlfcache.dat
[2011/02/04 17:54:28 | 000,025,088 | ---- | C] () -- C:\Documents and Settings\Corey\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/02/03 19:37:52 | 000,086,016 | ---- | C] () -- C:\WINDOWS\System32\custmon32.dll
[2011/01/19 19:51:37 | 000,000,600 | ---- | C] () -- C:\Documents and Settings\Corey\Local Settings\Application Data\PUTTY.RND
[2011/01/19 18:06:54 | 000,000,008 | ---- | C] () -- C:\WINDOWS\System32\nvModes.dat

< End of report >





OTL Extras logfile created on: 7/15/2012 4:28:44 PM - Run 1
OTL by OldTimer - Version 3.2.54.0 Folder = C:\Documents and Settings\Corey\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.51 Gb Available Physical Memory | 83.85% Memory free
4.84 Gb Paging File | 4.52 Gb Available in Paging File | 93.35% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 673.46 Gb Total Space | 566.46 Gb Free Space | 84.11% Space Free | Partition Type: NTFS
Drive D: | 931.51 Gb Total Space | 35.48 Gb Free Space | 3.81% Space Free | Partition Type: NTFS
Drive F: | 1.90 Gb Total Space | 0.64 Gb Free Space | 33.37% Space Free | Partition Type: FAT

Computer Name: THUNDER | User Name: Corey | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"3389:TCP" = 3389:TCP:*:Enabled:@xpsp2res.dll,-22009

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"5900:TCP" = 5900:TCP:*:Enabled:vnc5900
"5800:TCP" = 5800:TCP:*:Enabled:vnc5800
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"3389:TCP" = 3389:TCP:*:Enabled:@xpsp2res.dll,-22009

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\UltraVNC\winvnc.exe" = C:\Program Files\UltraVNC\winvnc.exe:*:Enabled:VNC server for Win32 -- (UltraVNC)
"C:\Program Files\StarNet\X-Win32 9.5\xwin32.exe" = C:\Program Files\StarNet\X-Win32 9.5\xwin32.exe:*:Enabled:X-Win32 PC X Server -- (StarNet Communications Corp)
"C:\Program Files\StarNet\X-Win32 9.5\esd.exe" = C:\Program Files\StarNet\X-Win32 9.5\esd.exe:*:Enabled:esd -- ()
"C:\Program Files\Xming\Xming.exe" = C:\Program Files\Xming\Xming.exe:*:Enabled:Xming X Server -- ()
"C:\Program Files\MATLAB\R2010b\bin\win32\MATLAB.exe" = C:\Program Files\MATLAB\R2010b\bin\win32\MATLAB.exe:*:Enabled:MATLAB (R2010b) -- (The MathWorks Inc.)
"C:\Program Files\MATLAB\R2010b\bin\win32\mpiexec.exe" = C:\Program Files\MATLAB\R2010b\bin\win32\mpiexec.exe:*:Enabled:mpiexec -- ()
"C:\Program Files\MATLAB\R2010b\bin\win32\smpd.exe" = C:\Program Files\MATLAB\R2010b\bin\win32\smpd.exe:*:Enabled:smpd -- ()
"C:\Documents and Settings\Corey\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe" = C:\Documents and Settings\Corey\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe:*:Enabled:Google Talk Plugin -- (Google)
"C:\Documents and Settings\Corey\Application Data\Spotify\spotify.exe" = C:\Documents and Settings\Corey\Application Data\Spotify\spotify.exe:*:Enabled:Spotify -- (Spotify Ltd)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{044F9133-B8D7-4d11-BF39-803FA20F5C8B}" = Microsoft Windows SDK for Visual Studio 2008 SP1 Express Tools for Win32
"{0868BB9D-5EA0-40AF-A1CC-A38ED4E5BC67}" = 32 Bit HP CIO Components Installer
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{26A24AE4-039D-4CA4-87B4-2F83216022F0}" = Java™ 6 Update 22
"{26A24AE4-039D-4CA4-87B4-2F83216031FF}" = Java™ 6 Update 31
"{26E1BFB0-E87E-4696-9F89-B467F01F81E5}" = Broadcom Advanced Control Suite
"{2A30052B-831C-41D3-8044-3C0388066350}" = Seagate Manager Installer
"{32A3A4F4-B792-11D6-A78A-00B0D0160170}" = Java™ SE Development Kit 6 Update 17
"{33286280-8617-11E1-8FF6-B8AC6F97B88E}" = Google Earth Plug-in
"{342D4AD7-EC4C-4EC8-AEA6-E70F5905A490}" = SQL Server System CLR Types
"{3502E451-CBBA-4DD0-924D-BDD816761AA5}" = X-Win32 9.5
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{353FE16B-30FE-469A-BF55-B978F4218003}" = iTunes
"{35ED3F83-4BDC-4c44-8EC6-6A8301C7413A}" = McAfee SiteAdvisor
"{3C3D696B-0DB7-3C6D-A356-3DB8CE541918}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729
"{3E171899-0175-47CC-84C4-562ACDD4C021}" = OpenOffice.org 3.3
"{3EE9BCAE-E9A9-45E5-9B1C-83A4D357E05C}" = eReg
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{57752979-A1C9-4C02-856B-FBB27AC4E02C}" = QuickTime
"{5BE1E709-30E4-3D6D-A708-96CE8D5E5E8D}" = Microsoft Windows SDK for Visual Studio 2008 SP1 Express Tools for .NET Framework - enu
"{6EECB283-E65F-40EF-86D3-D51BF02A8D43}" = Microsoft Office Converter Pack
"{74E2CD0C-D4A2-11D3-95A6-0000E86CFDE5}" = SSH Secure Shell
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{842FAF7C-50EF-4463-9B8F-6222E1384D7D}" = Microsoft Windows SDK for Visual Studio 2008 Headers and Libraries
"{853A4763-6643-4604-8D64-28BDD8925F4C}" = Apple Application Support
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{926C96FB-9D0A-4504-8000-C6D3A4A3118E}" = Java DB 10.4.2.1
"{975C3A93-2491-3D44-A071-F6CBF153E46D}" = Google Talk Plugin
"{98177940-C048-4831-A279-F3888B1E2C7F}" = InstallMgr
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9C9CEB9D-53FD-49A7-85D2-FE674F72F24E}" = Microsoft Search Enhancement Pack
"{9DA74E27-6DF8-482F-939E-7A59FA0CBA1B}" = Ap_int_usb
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}" = SigmaTel Audio
"{A8AC89BA-D8CB-4372-9743-1C54D23286B0}" = MSN Toolbar
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{B6EF6DCE-078E-4952-A7FA-352A9C349EB0}" = MSN Toolbar
"{B7148D71-0A8F-4501-96B4-4E1CC67F874E}" = Microsoft Default Manager
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C2E4B5BD-32DB-4817-A060-341AB17C3F90}" = Bonjour
"{C41300B9-185D-475E-BFEC-39EF732F19B1}" = Apple Software Update
"{CACAEB5F-174D-4C7C-AC56-A33289A807CA}" = Apple Mobile Device Support
"{CD95F661-A5C4-44F5-A6AA-ECDD91C240D2}" = WinZip 16.5
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D78653C3-A8FF-415F-92E6-D774E634FF2D}" = Dell ResourceCD
"{D8087907-E255-3A41-A46D-D0F798709C71}" = Microsoft Visual C++ 2008 Express Edition with SP1 - ENU
"{F5E87B12-3C27-452F-8E78-21D42164FD83}" = Microsoft SQL Server 2008 Management Objects
"{FC57FC53-104C-415C-98D7-B05E659461A9}" = Broadcom Gigabit Integrated Controller
"ActiveTouchMeetingClient" = WebEx
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
"Autobahn" = NexDef Plug-in
"Dev-C++" = Dev-C++ 5 beta 9 release (4.9.9.2)
"ie8" = Windows Internet Explorer 8
"ImageJ_is1" = ImageJ 1.43u
"InfraRecorder" = InfraRecorder
"Inkscape" = Inkscape 0.48.2
"InstallShield_{2A30052B-831C-41D3-8044-3C0388066350}" = Seagate Manager Installer
"IrfanView" = IrfanView (remove only)
"MatlabR2010b" = MATLAB R2010b
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft Visual C++ 2008 Express Edition with SP1 - ENU" = Microsoft Visual C++ 2008 Express Edition with SP1 - ENU
"MiKTeX 2.9" = MiKTeX 2.9
"Mozilla Firefox 13.0.1 (x86 en-US)" = Mozilla Firefox 13.0.1 (x86 en-US)
"MozillaMaintenanceService" = Mozilla Maintenance Service
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"NVIDIA Drivers" = NVIDIA Drivers
"PDF Writer" = PDF Writer
"PuTTY_is1" = PuTTY version 0.60
"sp6" = Logitech SetPoint 6.32
"TeXnicCenter_is1" = TeXnicCenter Version 1.0 Stable RC1
"Ultravnc2_is1" = UltraVNC 1.0.5
"Wdf01009" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.9
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinEdt_is1" = WinEdt
"WinShell_is1" = WinShell
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"Xming_is1" = Xming 6.9.0.31
"YTdetect" = Yahoo! Detect

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Spotify" = Spotify

========== Last 20 Event Log Errors ==========

[ Application Events ]
Error - 7/7/2012 10:39:29 AM | Computer Name = THUNDER | Source = Application Error | ID = 1004
Description = Faulting application swi_service.exe, version 0.0.0.0, faulting module
unknown, version 0.0.0.0, fault address 0x00000000.

Error - 7/7/2012 11:04:16 PM | Computer Name = THUNDER | Source = Sophos Anti-Virus | ID = 2424841
Description =

Error - 7/15/2012 2:57:14 PM | Computer Name = THUNDER | Source = MsiInstaller | ID = 10005
Description = Product: Sophos Anti-Virus -- Error 3005.Sophos Anti-Virus can only
be uninstalled by users that are members of the SophosAdministrator user group.

Error - 7/15/2012 2:58:49 PM | Computer Name = THUNDER | Source = MsiInstaller | ID = 10005
Description = Product: Sophos Anti-Virus -- Error 3005.Sophos Anti-Virus can only
be uninstalled by users that are members of the SophosAdministrator user group.

Error - 7/15/2012 3:00:26 PM | Computer Name = THUNDER | Source = MsiInstaller | ID = 10005
Description = Product: Sophos Anti-Virus -- Error 3005.Sophos Anti-Virus can only
be uninstalled by users that are members of the SophosAdministrator user group.

[ System Events ]
Error - 7/12/2012 3:03:04 PM | Computer Name = THUNDER | Source = Service Control Manager | ID = 7000
Description = The Cypress General Purpose USB Driver (ezusb.sys) service failed
to start due to the following error: %%1058

Error - 7/12/2012 3:03:34 PM | Computer Name = THUNDER | Source = DCOM | ID = 10010
Description = The server {4EB61BAC-A3B6-4760-9581-655041EF4D69} did not register
with DCOM within the required timeout.

Error - 7/13/2012 10:39:43 AM | Computer Name = THUNDER | Source = Windows Update Agent | ID = 16
Description = Unable to Connect: Windows is unable to connect to the automatic updates
service and therefore cannot download and install updates according to the set
schedule. Windows will continue to try to establish a connection.

Error - 7/14/2012 3:46:31 PM | Computer Name = THUNDER | Source = Service Control Manager | ID = 7000
Description = The Cypress General Purpose USB Driver (ezusb.sys) service failed
to start due to the following error: %%1058

Error - 7/15/2012 10:39:44 AM | Computer Name = THUNDER | Source = Windows Update Agent | ID = 16
Description = Unable to Connect: Windows is unable to connect to the automatic updates
service and therefore cannot download and install updates according to the set
schedule. Windows will continue to try to establish a connection.

Error - 7/15/2012 3:12:11 PM | Computer Name = THUNDER | Source = Service Control Manager | ID = 7000
Description = The Cypress General Purpose USB Driver (ezusb.sys) service failed
to start due to the following error: %%1058

Error - 7/15/2012 3:23:12 PM | Computer Name = THUNDER | Source = Service Control Manager | ID = 7000
Description = The Cypress General Purpose USB Driver (ezusb.sys) service failed
to start due to the following error: %%1058

Error - 7/15/2012 3:36:10 PM | Computer Name = THUNDER | Source = Service Control Manager | ID = 7000
Description = The Cypress General Purpose USB Driver (ezusb.sys) service failed
to start due to the following error: %%1058

Error - 7/15/2012 3:48:13 PM | Computer Name = THUNDER | Source = Service Control Manager | ID = 7034
Description = The iPod Service service terminated unexpectedly. It has done this
1 time(s).

Error - 7/15/2012 4:07:02 PM | Computer Name = THUNDER | Source = Service Control Manager | ID = 7000
Description = The Cypress General Purpose USB Driver (ezusb.sys) service failed
to start due to the following error: %%1058


< End of report >
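
A way to triage the OTL output above without reading it line by line, as an added example that is not part of this thread and not OldTimer's code. It parses the two line formats OTL uses, the "Files Created / Modified" entries and the GloballyOpenPorts registry values (the sample lines are copied from the log above), keeps the file entries under the Windows directory that were created or modified within a window around an incident time, and lists firewall exceptions whose scope is "*", meaning open to any source address. The incident time is an assumption you set yourself (2012-07-05 12:00 is only a placeholder); the output is a list of things to look at, not a verdict on any file, so a hash lookup or analysis of the file is still needed before calling anything malicious.

```python
"""Triage of OTL log lines: time-window file filter and world-open firewall ports.

Added example for this thread; not OTL's own code. The sample lines are copied
from the OTL output above; the incident time is an assumption to be replaced
with the time your network team reported.
"""
import re
from datetime import datetime, timedelta

# One "Files Created / Modified" entry, e.g.
# [2012/07/05 13:33:14 | 000,091,648 | ---- | M] (Some Company) -- C:\WINDOWS\System32\x.dll
FILE_LINE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| "
    r"(?P<attrs>\S{4}) \| (?P<kind>[MC])\] \((?P<company>[^)]*)\) -- (?P<path>.+)$"
)
# One GloballyOpenPorts value as OTL dumps it from the registry, e.g.
# "3389:TCP" = 3389:TCP:*:Enabled:@xpsp2res.dll,-22009
PORT_LINE = re.compile(
    r'^"(?P<port>\d+):(?P<proto>TCP|UDP)" = \d+:(?:TCP|UDP):(?P<scope>[^:]+):'
    r"(?P<state>Enabled|Disabled):(?P<name>.*)$"
)

# Copied from the OTL log above (the "[4 ... *.tmp files" summary line is kept
# on purpose: the parser must ignore it).
OTL_FILES = r"""
[2012/07/08 18:19:53 | 000,016,400 | ---- | M] (Logitech, Inc.) -- C:\WINDOWS\System32\drivers\LNonPnP.sys
[2012/07/05 17:11:03 | 000,000,600 | ---- | M] () -- C:\Documents and Settings\Corey\Local Settings\Application Data\PUTTY.RND
[2012/07/05 13:33:14 | 000,091,648 | ---- | M] (Irvine Onnuri Church) -- C:\WINDOWS\System32\labeprov.dll
[2012/06/23 19:14:06 | 000,426,184 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerApp.exe
[2012/07/09 03:56:21 | 000,000,008 | RHS- | M] () -- C:\Documents and Settings\All Users\ntuser.pol
[4 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
"""
OTL_PORTS = '''
"5900:TCP" = 5900:TCP:*:Enabled:vnc5900
"5800:TCP" = 5800:TCP:*:Enabled:vnc5800
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"3389:TCP" = 3389:TCP:*:Enabled:@xpsp2res.dll,-22009
'''
# Assumed incident time (placeholder only); use the check-in time you were given.
INCIDENT = datetime(2012, 7, 5, 12, 0)


def parse_file_entries(text):
    """Turn OTL file-list lines into dicts; lines in any other format are skipped."""
    entries = []
    for raw in text.splitlines():
        m = FILE_LINE.match(raw.strip())
        if m:
            entries.append({
                "ts": datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"),
                "size": int(m["size"].replace(",", "")),
                "attrs": m["attrs"],
                "kind": m["kind"],            # M = Modified list, C = Created list
                "company": m["company"].strip(),
                "path": m["path"].strip(),
            })
    return entries


def files_in_window(entries, incident, hours=48, system_root=r"C:\WINDOWS"):
    """Entries under system_root stamped within +/- hours of `incident`, with the
    reasons they were picked. Timing and location only: this decides nothing
    about whether a file is malicious."""
    lo, hi = incident - timedelta(hours=hours), incident + timedelta(hours=hours)
    root = system_root.lower().rstrip("\\") + "\\"
    hits = []
    for e in entries:
        if not e["path"].lower().startswith(root) or not (lo <= e["ts"] <= hi):
            continue
        reasons = [f"{e['kind']} under {system_root} within {hours}h of incident"]
        if not e["company"]:
            reasons.append("no company name")
        hits.append(dict(e, reasons=reasons))
    return hits


def world_open_ports(text):
    """Enabled GloballyOpenPorts values whose scope is '*' (any source address)."""
    found = []
    for raw in text.splitlines():
        m = PORT_LINE.match(raw.strip())
        if m and m["state"] == "Enabled" and m["scope"] == "*":
            found.append((int(m["port"]), m["proto"], m["name"]))
    return found


def triage(files_text, ports_text, incident, hours=48):
    return {
        "files": files_in_window(parse_file_entries(files_text), incident, hours),
        "open_ports": world_open_ports(ports_text),
    }


if __name__ == "__main__":
    report = triage(OTL_FILES, OTL_PORTS, INCIDENT)
    for hit in report["files"]:
        print(hit["ts"], hit["company"] or "(no company)", hit["path"], "|", "; ".join(hit["reasons"]))
    for port, proto, name in report["open_ports"]:
        print(f"open to any address: {port}/{proto} ({name})")
```

On these sample lines the 48-hour filter keeps only the System32 DLL stamped 2012/07/05 13:33, and widening the window to 96 hours pulls in the Logitech driver from 07/08 as well, which is the point of keeping the window a parameter rather than a fixed rule. The port pass reports 3389/TCP, 5900/TCP and 5800/TCP with scope "*" in the Standard profile; RDP and VNC reachable from any address on a machine that is being cleaned up is worth scoping to the local subnet or disabling until the cleanup is done.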

#7 CMoney77

CMoney77
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:03:16 AM

Posted 15 July 2012 - 03:58 PM

For what it's worth, even after uninstalling Sophos, both DDS and OTL wouldn't run correctly. OTL.exe would only load correctly when I ran it using a specific user account (right-click, 'Run as', selecting 'The following user' and picking the same account I was already in, re-entering my password), even though that was the same account I was already logged in to in the first place. Even when I tried 'Run as' with 'Current user' it would not work. I'm not exactly sure what was blocking it; I'm not convinced it was Sophos. Since DDS is a .scr, I don't have the 'Run as' option and still can't get it to not freeze after two #s.

#8 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:16 AM

Posted 15 July 2012 - 07:41 PM

Please do this now:

Download TDSSKiller.zip and extract TDSSKiller.exe to your desktop
  • Execute TDSSKiller.exe by doubleclicking on it.
  • when the window opens, click on Change Parameters
  • under "Additional options", put a check mark in the box next to "Detect TDLFS File System"
  • click OK
  • Press Start Scan
  • If Malicious objects are found then ensure Cure is selected. Important - If there is no option to "Cure" it is critical that you select "Skip"
  • Then click Continue > Reboot now
  • Once complete, a log will be produced in c:\. It will be named for example, TDSSKiller.2.7.1.0_19.01.2012_17.24.26_log.txt
  • Post that log, please.
Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link
  • Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

  • Once the Microsoft Windows Recovery Console is installed click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.


Please include the following in your next post:
  • TDSSKiller log
  • ComboFix log

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may donate.
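
TDSSKiller writes a plain-text log (the one posted in the next reply shows the format): for each registered service or driver it prints a line with the file's MD5 and path, then a second line with the verdict, "- ok" in the normal case, and services that have no file on disk get only the verdict line. The parser below is an added example, not Kaspersky's code and not something from this thread. It pairs those lines per service, reports every service that did not end up with an "ok" verdict (including a file line with no verdict at all, which is what an incomplete paste produces), and exports the MD5 list so the hashes can be looked up from another machine while this one is still off the network. The sample is copied from the posted log except for the final line, which is constructed and uses a made-up verdict string rather than TDSSKiller's real wording.

```python
"""Pair TDSSKiller log lines per service and pull out what still needs a look.

Added example, not Kaspersky's code and not from this thread. Sample lines are
copied from the posted TDSSKiller log; the one line in CONSTRUCTED is made up
and its verdict text is not TDSSKiller's real wording.
"""
import re

LOG_LINE = re.compile(r"^(?P<time>\d{2}:\d{2}:\d{2}\.\d{4}) (?P<pid>\d+) (?P<rest>.*)$")
FILE_REC = re.compile(r"^(?P<name>.+?) \((?P<md5>[0-9a-fA-F]{32})\) (?P<path>.+)$")
VERDICT = re.compile(r"^(?P<name>.+?) - (?P<verdict>.+)$")

# Copied from the posted log: a header line (which must be ignored), the
# "Scan started" marker, a service with no file, two with files, and a file
# line whose verdict line is missing (an incomplete paste).
POSTED_LINES = r"""
10:51:59.0453 3600 Drive \Device\Harddisk0\DR0 - Size: 0xAEA8CDE000 (698.64 Gb), SectorSize: 0x200, Cylinders: 0x16441, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000050
10:52:22.0687 2256 Scan started
10:52:22.0687 2256 Mode: Manual; TDLFS;
10:52:23.0109 2256 Abiosdsk - ok
10:52:23.0171 2256 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
10:52:23.0171 2256 ACPI - ok
10:52:23.0578 2256 Apple Mobile Device (20f6f19fe9e753f2780dc2fa083ad597) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
10:52:23.0593 2256 Apple Mobile Device - ok
10:52:25.0859 2256 HPZipr12 (89f41658929393487b6b7d13c8528ce3) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
"""
# Constructed line: the verdict wording is invented, only the shape is real.
CONSTRUCTED = "10:52:26.0000 2256 example_svc - not ok (constructed)\n"
SAMPLE_LOG = POSTED_LINES + CONSTRUCTED


def _blank():
    return {"md5": None, "path": None, "verdict": None}


def parse_tdsskiller(text):
    """{service_name: {"md5", "path", "verdict"}} for everything after 'Scan started'.

    Header lines (drive geometry, partition layout) also contain ' - ' and would
    otherwise look like verdicts, so nothing before the marker is recorded."""
    records, started = {}, False
    for raw in text.splitlines():
        m = LOG_LINE.match(raw.strip())
        if not m:
            continue
        rest = m["rest"]
        if rest == "Scan started":
            started = True
            continue
        if not started:
            continue
        f = FILE_REC.match(rest)
        if f:
            rec = records.setdefault(f["name"], _blank())
            rec["md5"], rec["path"] = f["md5"].lower(), f["path"]
            continue
        v = VERDICT.match(rest)
        if v:
            records.setdefault(v["name"], _blank())["verdict"] = v["verdict"]
    return records


def needs_review(records):
    """Services TDSSKiller did not mark '- ok': a different verdict, or a file
    line with no verdict at all."""
    return {name: rec for name, rec in records.items() if rec["verdict"] != "ok"}


def md5_list(records):
    """Unique MD5s of every file TDSSKiller hashed, sorted, for lookup from a
    machine that still has network access."""
    return sorted({rec["md5"] for rec in records.values() if rec["md5"]})


if __name__ == "__main__":
    recs = parse_tdsskiller(SAMPLE_LOG)
    for name, rec in needs_review(recs).items():
        print(f"{name}: verdict={rec['verdict']!r} path={rec['path']}")
    print("\n".join(md5_list(recs)))   # paste into a hash lookup elsewhere
```

Only the verdict strings matter to the first report, so the parser does not need to know every wording TDSSKiller can print: anything that is not exactly "ok" gets listed. The second report is the practical one for a machine cut off from the network, as in this thread: copy the hash list to a machine that is online and check it there rather than trying to get the infected box back on the network to do it.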


#9 CMoney77

CMoney77
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:03:16 AM

Posted 16 July 2012 - 10:12 AM

I have included the TDSSKiller log here. I attempted to run ComboFix; however, it informed me that I don't have the current Windows Recovery Console installed on my machine. In order to download it through ComboFix, an internet connection is required. Since access to the network has been blocked by IT, I cannot download anything directly onto that machine. I clicked 'Don't download', hoping that it would exit the scan, but I believe it started the scan anyway. It was only running for about one second before I closed ComboFix manually, since there are so many warnings about the Recovery Console being recommended. As per the instructions, I have not 're-run' ComboFix yet, but I was curious whether I should install the Recovery Console manually at this point and whether I can run ComboFix again, since it didn't get past the WRC installation the first time. Sorry for the confusion; let me know. Thanks.


10:51:58.0687 3600 TDSS rootkit removing tool 2.7.45.0 Jul 9 2012 12:46:35
10:51:58.0703 3600 ============================================================
10:51:58.0703 3600 Current date / time: 2012/07/16 10:51:58.0703
10:51:58.0703 3600 SystemInfo:
10:51:58.0703 3600
10:51:58.0703 3600 OS Version: 5.1.2600 ServicePack: 3.0
10:51:58.0703 3600 Product type: Workstation
10:51:58.0703 3600 ComputerName: THUNDER
10:51:58.0703 3600 UserName: Corey
10:51:58.0703 3600 Windows directory: C:\WINDOWS
10:51:58.0703 3600 System windows directory: C:\WINDOWS
10:51:58.0703 3600 Processor architecture: Intel x86
10:51:58.0703 3600 Number of processors: 8
10:51:58.0703 3600 Page size: 0x1000
10:51:58.0703 3600 Boot type: Normal boot
10:51:58.0703 3600 ============================================================
10:51:59.0453 3600 Drive \Device\Harddisk0\DR0 - Size: 0xAEA8CDE000 (698.64 Gb), SectorSize: 0x200, Cylinders: 0x16441, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000050
10:51:59.0453 3600 Drive \Device\Harddisk1\DR1 - Size: 0xE8E0DB6000 (931.51 Gb), SectorSize: 0x200, Cylinders: 0x1DB01, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000050
10:51:59.0453 3600 ============================================================
10:51:59.0453 3600 \Device\Harddisk0\DR0:
10:51:59.0453 3600 MBR partitions:
10:51:59.0453 3600 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x17886, BlocksNum 0x542ED1AB
10:51:59.0484 3600 \Device\Harddisk1\DR1:
10:51:59.0484 3600 MBR partitions:
10:51:59.0484 3600 \Device\Harddisk1\DR1\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x74705982
10:51:59.0484 3600 ============================================================
10:51:59.0531 3600 C: <-> \Device\Harddisk0\DR0\Partition0
10:51:59.0562 3600 D: <-> \Device\Harddisk1\DR1\Partition0
10:51:59.0562 3600 ============================================================
10:51:59.0562 3600 Initialize success
10:51:59.0562 3600 ============================================================
10:52:22.0687 2256 ============================================================
10:52:22.0687 2256 Scan started
10:52:22.0687 2256 Mode: Manual; TDLFS;
10:52:22.0687 2256 ============================================================
10:52:23.0109 2256 Abiosdsk - ok
10:52:23.0109 2256 abp480n5 - ok
10:52:23.0171 2256 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
10:52:23.0171 2256 ACPI - ok
10:52:23.0218 2256 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
10:52:23.0218 2256 ACPIEC - ok
10:52:23.0296 2256 AdobeFlashPlayerUpdateSvc (990dc6edc9f933194d7cd4e65146bc94) C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
10:52:23.0312 2256 AdobeFlashPlayerUpdateSvc - ok
10:52:23.0312 2256 adpu160m - ok
10:52:23.0359 2256 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
10:52:23.0359 2256 aec - ok
10:52:23.0421 2256 AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys
10:52:23.0421 2256 AFD - ok
10:52:23.0437 2256 Aha154x - ok
10:52:23.0437 2256 aic78u2 - ok
10:52:23.0437 2256 aic78xx - ok
10:52:23.0468 2256 Alerter (a9a3daa780ca6c9671a19d52456705b4) C:\WINDOWS\system32\alrsvc.dll
10:52:23.0468 2256 Alerter - ok
10:52:23.0484 2256 ALG (8c515081584a38aa007909cd02020b3d) C:\WINDOWS\System32\alg.exe
10:52:23.0500 2256 ALG - ok
10:52:23.0500 2256 AliIde - ok
10:52:23.0500 2256 amsint - ok
10:52:23.0578 2256 Apple Mobile Device (20f6f19fe9e753f2780dc2fa083ad597) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
10:52:23.0593 2256 Apple Mobile Device - ok
10:52:23.0625 2256 AppMgmt (d8849f77c0b66226335a59d26cb4edc6) C:\WINDOWS\System32\appmgmts.dll
10:52:23.0640 2256 AppMgmt - ok
10:52:23.0640 2256 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
10:52:23.0640 2256 Arp1394 - ok
10:52:23.0656 2256 asc - ok
10:52:23.0656 2256 asc3350p - ok
10:52:23.0656 2256 asc3550 - ok
10:52:23.0734 2256 aspnet_state (0e5e4957549056e2bf2c49f4f6b601ad) C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
10:52:23.0750 2256 aspnet_state - ok
10:52:23.0750 2256 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
10:52:23.0750 2256 AsyncMac - ok
10:52:23.0796 2256 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
10:52:23.0796 2256 atapi - ok
10:52:23.0812 2256 Atdisk - ok
10:52:23.0812 2256 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
10:52:23.0812 2256 Atmarpc - ok
10:52:23.0875 2256 AudioSrv (def7a7882bec100fe0b2ce2549188f9d) C:\WINDOWS\System32\audiosrv.dll
10:52:23.0875 2256 AudioSrv - ok
10:52:23.0906 2256 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
10:52:23.0906 2256 audstub - ok
10:52:23.0937 2256 b57w2k (d0692f7b8217e3b82d2bfac535816117) C:\WINDOWS\system32\DRIVERS\b57xp32.sys
10:52:23.0953 2256 b57w2k - ok
10:52:23.0984 2256 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
10:52:23.0984 2256 Beep - ok
10:52:24.0031 2256 BITS (574738f61fca2935f5265dc4e5691314) C:\WINDOWS\system32\qmgr.dll
10:52:24.0046 2256 BITS - ok
10:52:24.0125 2256 Bonjour Service (f2060a34c8a75bc24a9222eb4f8c07bd) C:\Program Files\Bonjour\mDNSResponder.exe
10:52:24.0140 2256 Bonjour Service - ok
10:52:24.0187 2256 Browser (a06ce3399d16db864f55faeb1f1927a9) C:\WINDOWS\System32\browser.dll
10:52:24.0187 2256 Browser - ok
10:52:24.0218 2256 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
10:52:24.0218 2256 cbidf2k - ok
10:52:24.0218 2256 cd20xrnt - ok
10:52:24.0218 2256 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
10:52:24.0218 2256 Cdaudio - ok
10:52:24.0281 2256 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
10:52:24.0281 2256 Cdfs - ok
10:52:24.0281 2256 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
10:52:24.0281 2256 Cdrom - ok
10:52:24.0281 2256 Changer - ok
10:52:24.0312 2256 CiSvc (1cfe720eb8d93a7158a4ebc3ab178bde) C:\WINDOWS\system32\cisvc.exe
10:52:24.0312 2256 CiSvc - ok
10:52:24.0312 2256 ClipSrv (34cbe729f38138217f9c80212a2a0c82) C:\WINDOWS\system32\clipsrv.exe
10:52:24.0312 2256 ClipSrv - ok
10:52:24.0406 2256 clr_optimization_v2.0.50727_32 (d87acaed61e417bba546ced5e7e36d9c) C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
10:52:24.0406 2256 clr_optimization_v2.0.50727_32 - ok
10:52:24.0406 2256 CmdIde - ok
10:52:24.0406 2256 COMSysApp - ok
10:52:24.0421 2256 Cpqarray - ok
10:52:24.0437 2256 CryptSvc (3d4e199942e29207970e04315d02ad3b) C:\WINDOWS\System32\cryptsvc.dll
10:52:24.0437 2256 CryptSvc - ok
10:52:24.0437 2256 dac2w2k - ok
10:52:24.0437 2256 dac960nt - ok
10:52:24.0500 2256 DcomLaunch (6b27a5c03dfb94b4245739065431322c) C:\WINDOWS\system32\rpcss.dll
10:52:24.0515 2256 DcomLaunch - ok
10:52:24.0562 2256 Dhcp (5e38d7684a49cacfb752b046357e0589) C:\WINDOWS\System32\dhcpcsvc.dll
10:52:24.0562 2256 Dhcp - ok
10:52:24.0578 2256 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
10:52:24.0578 2256 Disk - ok
10:52:24.0578 2256 dmadmin - ok
10:52:24.0625 2256 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
10:52:24.0640 2256 dmboot - ok
10:52:24.0656 2256 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
10:52:24.0656 2256 dmio - ok
10:52:24.0687 2256 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
10:52:24.0687 2256 dmload - ok
10:52:24.0703 2256 dmserver (57edec2e5f59f0335e92f35184bc8631) C:\WINDOWS\System32\dmserver.dll
10:52:24.0703 2256 dmserver - ok
10:52:24.0750 2256 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
10:52:24.0750 2256 DMusic - ok
10:52:24.0781 2256 Dnscache (5f7e24fa9eab896051ffb87f840730d2) C:\WINDOWS\System32\dnsrslvr.dll
10:52:24.0781 2256 Dnscache - ok
10:52:24.0828 2256 Dot3svc (0f0f6e687e5e15579ef4da8dd6945814) C:\WINDOWS\System32\dot3svc.dll
10:52:24.0828 2256 Dot3svc - ok
10:52:24.0828 2256 dpti2o - ok
10:52:24.0859 2256 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
10:52:24.0859 2256 drmkaud - ok
10:52:24.0890 2256 EapHost (2187855a7703adef0cef9ee4285182cc) C:\WINDOWS\System32\eapsvc.dll
10:52:24.0890 2256 EapHost - ok
10:52:24.0890 2256 ERSvc (bc93b4a066477954555966d77fec9ecb) C:\WINDOWS\System32\ersvc.dll
10:52:24.0890 2256 ERSvc - ok
10:52:24.0921 2256 Eventlog (65df52f5b8b6e9bbd183505225c37315) C:\WINDOWS\system32\services.exe
10:52:24.0937 2256 Eventlog - ok
10:52:24.0984 2256 EventSystem (d4991d98f2db73c60d042f1aef79efae) C:\WINDOWS\system32\es.dll
10:52:25.0000 2256 EventSystem - ok
10:52:25.0031 2256 EZUSB (3501a9554b5c584a102b2c66f95916dc) C:\WINDOWS\system32\Drivers\ezusb.sys
10:52:25.0031 2256 EZUSB - ok
10:52:25.0062 2256 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
10:52:25.0062 2256 Fastfat - ok
10:52:25.0109 2256 FastUserSwitchingCompatibility (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll
10:52:25.0109 2256 FastUserSwitchingCompatibility - ok
10:52:25.0156 2256 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
10:52:25.0156 2256 Fdc - ok
10:52:25.0171 2256 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
10:52:25.0171 2256 Fips - ok
10:52:25.0187 2256 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
10:52:25.0187 2256 Flpydisk - ok
10:52:25.0218 2256 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
10:52:25.0234 2256 FltMgr - ok
10:52:25.0328 2256 FontCache3.0.0.0 (8ba7c024070f2b7fdd98ed8a4ba41789) C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
10:52:25.0328 2256 FontCache3.0.0.0 - ok
10:52:25.0468 2256 FreeAgentGoNext Service (9513b437b7adb1e6065b7f0d83d11ecf) C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
10:52:25.0484 2256 FreeAgentGoNext Service - ok
10:52:25.0500 2256 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
10:52:25.0500 2256 Fs_Rec - ok
10:52:25.0515 2256 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
10:52:25.0531 2256 Ftdisk - ok
10:52:25.0578 2256 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
10:52:25.0578 2256 GEARAspiWDM - ok
10:52:25.0609 2256 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
10:52:25.0609 2256 Gpc - ok
10:52:25.0687 2256 gupdate (506708142bc63daba64f2d3ad1dcd5bf) C:\Program Files\Google\Update\GoogleUpdate.exe
10:52:25.0703 2256 gupdate - ok
10:52:25.0703 2256 gupdatem (506708142bc63daba64f2d3ad1dcd5bf) C:\Program Files\Google\Update\GoogleUpdate.exe
10:52:25.0703 2256 gupdatem - ok
10:52:25.0718 2256 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
10:52:25.0718 2256 HDAudBus - ok
10:52:25.0750 2256 helpsvc (4fcca060dfe0c51a09dd5c3843888bcd) C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll
10:52:25.0750 2256 helpsvc - ok
10:52:25.0796 2256 HidServ (deb04da35cc871b6d309b77e1443c796) C:\WINDOWS\System32\hidserv.dll
10:52:25.0796 2256 HidServ - ok
10:52:25.0796 2256 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
10:52:25.0812 2256 hidusb - ok
10:52:25.0828 2256 hkmsvc (8878bd685e490239777bfe51320b88e9) C:\WINDOWS\System32\kmsvc.dll
10:52:25.0828 2256 hkmsvc - ok
10:52:25.0843 2256 hpn - ok
10:52:25.0859 2256 HPZid412 (d03d10f7ded688fecf50f8fbf1ea9b8a) C:\WINDOWS\system32\DRIVERS\HPZid412.sys
10:52:25.0859 2256 HPZid412 - ok
10:52:25.0859 2256 HPZipr12 (89f41658929393487b6b7d13c8528ce3) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
10:52:25.0859 2256 HPZipr12 - ok
10:52:25.0859 2256 HPZius12 (abcb05ccdbf03000354b9553820e39f8) C:\WINDOWS\system32\DRIVERS\HPZius12.sys
10:52:25.0859 2256 HPZius12 - ok
10:52:25.0906 2256 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
10:52:25.0921 2256 HTTP - ok
10:52:25.0937 2256 HTTPFilter (6100a808600f44d999cebdef8841c7a3) C:\WINDOWS\System32\w3ssl.dll
10:52:25.0937 2256 HTTPFilter - ok
10:52:25.0953 2256 i2omgmt - ok
10:52:25.0953 2256 i2omp - ok
10:52:25.0984 2256 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\drivers\i8042prt.sys
10:52:25.0984 2256 i8042prt - ok
10:52:26.0031 2256 iaStor (1c77a81756d4777ccb0425ae8107fe96) C:\WINDOWS\system32\drivers\iaStor.sys
10:52:26.0031 2256 iaStor - ok
10:52:26.0250 2256 idsvc (c01ac32dc5c03076cfb852cb5da5229c) C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
10:52:26.0296 2256 idsvc - ok
10:52:26.0312 2256 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
10:52:26.0312 2256 Imapi - ok
10:52:26.0359 2256 ImapiService (30deaf54a9755bb8546168cfe8a6b5e1) C:\WINDOWS\system32\imapi.exe
10:52:26.0375 2256 ImapiService - ok
10:52:26.0375 2256 ini910u - ok
10:52:26.0375 2256 IntelIde - ok
10:52:26.0421 2256 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
10:52:26.0421 2256 intelppm - ok
10:52:26.0437 2256 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
10:52:26.0437 2256 Ip6Fw - ok
10:52:26.0468 2256 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
10:52:26.0468 2256 IpFilterDriver - ok
10:52:26.0468 2256 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
10:52:26.0468 2256 IpInIp - ok
10:52:26.0500 2256 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
10:52:26.0515 2256 IpNat - ok
10:52:26.0609 2256 iPod Service (ca9d4b998bff311a539604ed87318fa0) C:\Program Files\iPod\bin\iPodService.exe
10:52:26.0640 2256 iPod Service - ok
10:52:26.0640 2256 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
10:52:26.0640 2256 IPSec - ok
10:52:26.0656 2256 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
10:52:26.0656 2256 IRENUM - ok
10:52:26.0687 2256 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
10:52:26.0687 2256 isapnp - ok
10:52:26.0796 2256 JavaQuickStarterService (0a5709543986843d37a92290b7838340) C:\Program Files\Java\jre6\bin\jqs.exe
10:52:26.0796 2256 JavaQuickStarterService - ok
10:52:26.0812 2256 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
10:52:26.0812 2256 Kbdclass - ok
10:52:26.0812 2256 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
10:52:26.0812 2256 kbdhid - ok
10:52:26.0859 2256 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
10:52:26.0875 2256 kmixer - ok
10:52:26.0890 2256 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
10:52:26.0890 2256 KSecDD - ok
10:52:26.0921 2256 lanmanserver (3a7c3cbe5d96b8ae96ce81f0b22fb527) C:\WINDOWS\System32\srvsvc.dll
10:52:26.0921 2256 lanmanserver - ok
10:52:26.0968 2256 lanmanworkstation (a8888a5327621856c0cec4e385f69309) C:\WINDOWS\System32\wkssvc.dll
10:52:26.0984 2256 lanmanworkstation - ok
10:52:27.0015 2256 LBeepKE (be2dc24d403643a2d1d98f33c7087b38) C:\WINDOWS\system32\Drivers\LBeepKE.sys
10:52:27.0015 2256 LBeepKE - ok
10:52:27.0015 2256 lbrtfdc - ok
10:52:27.0187 2256 LBTServ (910344e2a984010435ae84783b25e5eb) C:\Program Files\Common Files\LogiShrd\Bluetooth\lbtserv.exe
10:52:27.0203 2256 LBTServ - ok
10:52:27.0218 2256 LHidFilt (01cc7fb6e790ef044b411377f3a1ff41) C:\WINDOWS\system32\DRIVERS\LHidFilt.Sys
10:52:27.0218 2256 LHidFilt - ok
10:52:27.0250 2256 LmHosts (a7db739ae99a796d91580147e919cc59) C:\WINDOWS\System32\lmhsvc.dll
10:52:27.0250 2256 LmHosts - ok
10:52:27.0250 2256 LMouFilt (a2e7eae8898d7b4b8c302b8f4e836bb5) C:\WINDOWS\system32\DRIVERS\LMouFilt.Sys
10:52:27.0250 2256 LMouFilt - ok
10:52:27.0343 2256 McAfee SiteAdvisor Service (c226ce46cd17fce6261a9de406f01c8b) c:\PROGRA~1\mcafee\SITEAD~1\mcsacore.exe
10:52:27.0343 2256 McAfee SiteAdvisor Service - ok
10:52:27.0375 2256 Messenger (986b1ff5814366d71e0ac5755c88f2d3) C:\WINDOWS\System32\msgsvc.dll
10:52:27.0375 2256 Messenger - ok
10:52:27.0406 2256 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
10:52:27.0406 2256 mnmdd - ok
10:52:27.0421 2256 mnmsrvc (d18f1f0c101d06a1c1adf26eed16fcdd) C:\WINDOWS\system32\mnmsrvc.exe
10:52:27.0437 2256 mnmsrvc - ok
10:52:27.0437 2256 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
10:52:27.0437 2256 Modem - ok
10:52:27.0453 2256 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
10:52:27.0453 2256 Mouclass - ok
10:52:27.0468 2256 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
10:52:27.0468 2256 mouhid - ok
10:52:27.0484 2256 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
10:52:27.0484 2256 MountMgr - ok
10:52:27.0546 2256 MozillaMaintenance (15d5398eed42c2504bb3d4fc875c15d1) C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe
10:52:27.0562 2256 MozillaMaintenance - ok
10:52:27.0562 2256 mraid35x - ok
10:52:27.0578 2256 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
10:52:27.0593 2256 MRxDAV - ok
10:52:27.0656 2256 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
10:52:27.0671 2256 MRxSmb - ok
10:52:27.0687 2256 MSDTC (a137f1470499a205abbb9aafb3b6f2b1) C:\WINDOWS\system32\msdtc.exe
10:52:27.0687 2256 MSDTC - ok
10:52:27.0703 2256 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
10:52:27.0703 2256 Msfs - ok
10:52:27.0718 2256 MSIServer - ok
10:52:27.0750 2256 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
10:52:27.0765 2256 MSKSSRV - ok
10:52:27.0765 2256 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
10:52:27.0765 2256 MSPCLOCK - ok
10:52:27.0765 2256 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
10:52:27.0765 2256 MSPQM - ok
10:52:27.0812 2256 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
10:52:27.0812 2256 mssmbios - ok
10:52:27.0843 2256 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
10:52:27.0843 2256 Mup - ok
10:52:27.0890 2256 napagent (0102140028fad045756796e1c685d695) C:\WINDOWS\System32\qagentrt.dll
10:52:27.0906 2256 napagent - ok
10:52:27.0937 2256 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
10:52:27.0953 2256 NDIS - ok
10:52:27.0984 2256 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
10:52:27.0984 2256 NdisTapi - ok
10:52:28.0000 2256 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
10:52:28.0000 2256 Ndisuio - ok
10:52:28.0000 2256 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
10:52:28.0015 2256 NdisWan - ok
10:52:28.0031 2256 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
10:52:28.0031 2256 NDProxy - ok
10:52:28.0062 2256 Net Driver HPZ12 (69c503c004f49aee8b8e3067cc047ba7) C:\WINDOWS\system32\HPZinw12.dll
10:52:28.0062 2256 Net Driver HPZ12 - ok
10:52:28.0062 2256 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
10:52:28.0062 2256 NetBIOS - ok
10:52:28.0093 2256 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
10:52:28.0093 2256 NetBT - ok
10:52:28.0140 2256 NetDDE (b857ba82860d7ff85ae29b095645563b) C:\WINDOWS\system32\netdde.exe
10:52:28.0140 2256 NetDDE - ok
10:52:28.0156 2256 NetDDEdsdm (b857ba82860d7ff85ae29b095645563b) C:\WINDOWS\system32\netdde.exe
10:52:28.0156 2256 NetDDEdsdm - ok
10:52:28.0187 2256 Netlogon (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
10:52:28.0187 2256 Netlogon - ok
10:52:28.0203 2256 Netman (13e67b55b3abd7bf3fe7aae5a0f9a9de) C:\WINDOWS\System32\netman.dll
10:52:28.0218 2256 Netman - ok
10:52:28.0343 2256 NetTcpPortSharing (d34612c5d02d026535b3095d620626ae) C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
10:52:28.0343 2256 NetTcpPortSharing - ok
10:52:28.0375 2256 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
10:52:28.0375 2256 NIC1394 - ok
10:52:28.0421 2256 Nla (943337d786a56729263071623bbb9de5) C:\WINDOWS\System32\mswsock.dll
10:52:28.0421 2256 Nla - ok
10:52:28.0437 2256 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
10:52:28.0437 2256 Npfs - ok
10:52:28.0515 2256 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
10:52:28.0531 2256 Ntfs - ok
10:52:28.0531 2256 NtLmSsp (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
10:52:28.0531 2256 NtLmSsp - ok
10:52:28.0578 2256 NtmsSvc (156f64a3345bd23c600655fb4d10bc08) C:\WINDOWS\system32\ntmssvc.dll
10:52:28.0593 2256 NtmsSvc - ok
10:52:28.0609 2256 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
10:52:28.0609 2256 Null - ok
10:52:28.0937 2256 nv (70cb8915895ccb92ddf23ce890c4f5be) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
10:52:29.0078 2256 nv - ok
10:52:29.0156 2256 NVSvc (f96df45cfbdc670584293e03c2ab602a) C:\WINDOWS\system32\nvsvc32.exe
10:52:29.0171 2256 NVSvc - ok
10:52:29.0265 2256 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
10:52:29.0265 2256 NwlnkFlt - ok
10:52:29.0265 2256 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
10:52:29.0265 2256 NwlnkFwd - ok
10:52:29.0281 2256 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
10:52:29.0281 2256 ohci1394 - ok
10:52:29.0312 2256 OMCI (cec7e2c6c1fa00c7ab2f5434f848ae51) C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS
10:52:29.0312 2256 OMCI - ok
10:52:29.0375 2256 ose (7a56cf3e3f12e8af599963b16f50fb6a) C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
10:52:29.0390 2256 ose - ok
10:52:29.0421 2256 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
10:52:29.0421 2256 Parport - ok
10:52:29.0421 2256 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
10:52:29.0421 2256 PartMgr - ok
10:52:29.0453 2256 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
10:52:29.0453 2256 ParVdm - ok
10:52:29.0484 2256 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
10:52:29.0484 2256 PCI - ok
10:52:29.0484 2256 PCIDump - ok
10:52:29.0484 2256 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
10:52:29.0484 2256 PCIIde - ok
10:52:29.0500 2256 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
10:52:29.0515 2256 Pcmcia - ok
10:52:29.0515 2256 PDCOMP - ok
10:52:29.0515 2256 PDFRAME - ok
10:52:29.0515 2256 PDRELI - ok
10:52:29.0531 2256 PDRFRAME - ok
10:52:29.0531 2256 perc2 - ok
10:52:29.0531 2256 perc2hib - ok
10:52:29.0578 2256 PlugPlay (65df52f5b8b6e9bbd183505225c37315) C:\WINDOWS\system32\services.exe
10:52:29.0578 2256 PlugPlay - ok
10:52:29.0625 2256 Pml Driver HPZ12 (12b4549d515cb26bb8d375038017ca65) C:\WINDOWS\system32\HPZipm12.dll
10:52:29.0625 2256 Pml Driver HPZ12 - ok
10:52:29.0625 2256 PolicyAgent (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
10:52:29.0625 2256 PolicyAgent - ok
10:52:29.0656 2256 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
10:52:29.0656 2256 PptpMiniport - ok
10:52:29.0671 2256 ProtectedStorage (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
10:52:29.0671 2256 ProtectedStorage - ok
10:52:29.0671 2256 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
10:52:29.0671 2256 PSched - ok
10:52:29.0703 2256 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
10:52:29.0703 2256 Ptilink - ok
10:52:29.0703 2256 ql1080 - ok
10:52:29.0703 2256 Ql10wnt - ok
10:52:29.0703 2256 ql12160 - ok
10:52:29.0718 2256 ql1240 - ok
10:52:29.0718 2256 ql1280 - ok
10:52:29.0718 2256 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
10:52:29.0718 2256 RasAcd - ok
10:52:29.0750 2256 RasAuto (ad188be7bdf94e8df4ca0a55c00a5073) C:\WINDOWS\System32\rasauto.dll
10:52:29.0750 2256 RasAuto - ok
10:52:29.0781 2256 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
10:52:29.0781 2256 Rasl2tp - ok
10:52:29.0796 2256 RasMan (76a9a3cbeadd68cc57cda5e1d7448235) C:\WINDOWS\System32\rasmans.dll
10:52:29.0812 2256 RasMan - ok
10:52:29.0812 2256 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
10:52:29.0812 2256 RasPppoe - ok
10:52:29.0828 2256 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
10:52:29.0828 2256 Raspti - ok
10:52:29.0843 2256 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
10:52:29.0843 2256 Rdbss - ok
10:52:29.0859 2256 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
10:52:29.0859 2256 RDPCDD - ok
10:52:29.0875 2256 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
10:52:29.0875 2256 rdpdr - ok
10:52:29.0921 2256 RDPWD (6589db6e5969f8eee594cf71171c5028) C:\WINDOWS\system32\drivers\RDPWD.sys
10:52:29.0921 2256 RDPWD - ok
10:52:29.0953 2256 RDSessMgr (3c37bf86641bda977c3bf8a840f3b7fa) C:\WINDOWS\system32\sessmgr.exe
10:52:29.0953 2256 RDSessMgr - ok
10:52:29.0968 2256 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
10:52:29.0968 2256 redbook - ok
10:52:30.0000 2256 RemoteAccess (7e699ff5f59b5d9de5390e3c34c67cf5) C:\WINDOWS\System32\mprdim.dll
10:52:30.0000 2256 RemoteAccess - ok
10:52:30.0015 2256 RemoteRegistry (5b19b557b0c188210a56a6b699d90b8f) C:\WINDOWS\system32\regsvc.dll
10:52:30.0015 2256 RemoteRegistry - ok
10:52:30.0046 2256 RpcLocator (aaed593f84afa419bbae8572af87cf6a) C:\WINDOWS\system32\locator.exe
10:52:30.0046 2256 RpcLocator - ok
10:52:30.0093 2256 RpcSs (6b27a5c03dfb94b4245739065431322c) C:\WINDOWS\system32\rpcss.dll
10:52:30.0093 2256 RpcSs - ok
10:52:30.0125 2256 RSVP (471b3f9741d762abe75e9deea4787e47) C:\WINDOWS\system32\rsvp.exe
10:52:30.0140 2256 RSVP - ok
10:52:30.0156 2256 SamSs (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
10:52:30.0171 2256 SamSs - ok
10:52:30.0203 2256 SCardSvr (86d007e7a654b9a71d1d7d856b104353) C:\WINDOWS\System32\SCardSvr.exe
10:52:30.0203 2256 SCardSvr - ok
10:52:30.0234 2256 Schedule (0a9a7365a1ca4319aa7c1d6cd8e4eafa) C:\WINDOWS\system32\schedsvc.dll
10:52:30.0250 2256 Schedule - ok
10:52:30.0359 2256 SeaPort (d358e077a0a05d9b12da22d137ee8464) C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
10:52:30.0375 2256 SeaPort - ok
10:52:30.0406 2256 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
10:52:30.0406 2256 Secdrv - ok
10:52:30.0421 2256 seclogon (cbe612e2bb6a10e3563336191eda1250) C:\WINDOWS\System32\seclogon.dll
10:52:30.0421 2256 seclogon - ok
10:52:30.0421 2256 SENS (7fdd5d0684eca8c1f68b4d99d124dcd0) C:\WINDOWS\system32\sens.dll
10:52:30.0421 2256 SENS - ok
10:52:30.0453 2256 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
10:52:30.0453 2256 serenum - ok
10:52:30.0468 2256 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
10:52:30.0468 2256 Serial - ok
10:52:30.0515 2256 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
10:52:30.0515 2256 Sfloppy - ok
10:52:30.0593 2256 SharedAccess (83f41d0d89645d7235c051ab1d9523ac) C:\WINDOWS\System32\ipnathlp.dll
10:52:30.0609 2256 SharedAccess - ok
10:52:30.0656 2256 ShellHWDetection (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll
10:52:30.0656 2256 ShellHWDetection - ok
10:52:30.0656 2256 Simbad - ok
10:52:30.0671 2256 Sparrow - ok
10:52:30.0703 2256 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
10:52:30.0703 2256 splitter - ok
10:52:30.0750 2256 Spooler (60784f891563fb1b767f70117fc2428f) C:\WINDOWS\system32\spoolsv.exe
10:52:30.0750 2256 Spooler - ok
10:52:30.0765 2256 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
10:52:30.0765 2256 sr - ok
10:52:30.0781 2256 srservice (3805df0ac4296a34ba4bf93b346cc378) C:\WINDOWS\system32\srsvc.dll
10:52:30.0781 2256 srservice - ok
10:52:30.0812 2256 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
10:52:30.0828 2256 Srv - ok
10:52:30.0859 2256 SSDPSRV (0a5679b3714edab99e357057ee88fca6) C:\WINDOWS\System32\ssdpsrv.dll
10:52:30.0859 2256 SSDPSRV - ok
10:52:30.0953 2256 STHDA (9db5dbed65f2d74acd1d20a53898af79) C:\WINDOWS\system32\drivers\sthda.sys
10:52:30.0968 2256 STHDA - ok
10:52:31.0000 2256 stisvc (8bad69cbac032d4bbacfce0306174c30) C:\WINDOWS\system32\wiaservc.dll
10:52:31.0031 2256 stisvc - ok
10:52:31.0062 2256 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
10:52:31.0062 2256 swenum - ok
10:52:31.0093 2256 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
10:52:31.0093 2256 swmidi - ok
10:52:31.0093 2256 SwPrv - ok
10:52:31.0093 2256 symc810 - ok
10:52:31.0109 2256 symc8xx - ok
10:52:31.0109 2256 sym_hi - ok
10:52:31.0109 2256 sym_u3 - ok
10:52:31.0140 2256 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
10:52:31.0156 2256 sysaudio - ok
10:52:31.0171 2256 SysmonLog (c7abbc59b43274b1109df6b24d617051) C:\WINDOWS\system32\smlogsvc.exe
10:52:31.0171 2256 SysmonLog - ok
10:52:31.0203 2256 TapiSrv (3cb78c17bb664637787c9a1c98f79c38) C:\WINDOWS\System32\tapisrv.dll
10:52:31.0218 2256 TapiSrv - ok
10:52:31.0250 2256 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
10:52:31.0265 2256 Tcpip - ok
10:52:31.0281 2256 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
10:52:31.0281 2256 TDPIPE - ok
10:52:31.0296 2256 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
10:52:31.0296 2256 TDTCP - ok
10:52:31.0296 2256 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
10:52:31.0296 2256 TermDD - ok
10:52:31.0328 2256 TermService (ff3477c03be7201c294c35f684b3479f) C:\WINDOWS\System32\termsrv.dll
10:52:31.0343 2256 TermService - ok
10:52:31.0406 2256 Themes (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll
10:52:31.0406 2256 Themes - ok
10:52:31.0468 2256 TlntSvr (db7205804759ff62c34e3efd8a4cc76a) C:\WINDOWS\system32\tlntsvr.exe
10:52:31.0468 2256 TlntSvr - ok
10:52:31.0468 2256 TosIde - ok
10:52:31.0515 2256 TrkWks (55bca12f7f523d35ca3cb833c725f54e) C:\WINDOWS\system32\trkwks.dll
10:52:31.0515 2256 TrkWks - ok
10:52:31.0531 2256 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
10:52:31.0531 2256 Udfs - ok
10:52:31.0531 2256 ultra - ok
10:52:31.0593 2256 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
10:52:31.0609 2256 Update - ok
10:52:31.0640 2256 upnphost (1ebafeb9a3fbdc41b8d9c7f0f687ad91) C:\WINDOWS\System32\upnphost.dll
10:52:31.0640 2256 upnphost - ok
10:52:31.0671 2256 UPS (05365fb38fca1e98f7a566aaaf5d1815) C:\WINDOWS\System32\ups.exe
10:52:31.0671 2256 UPS - ok
10:52:31.0687 2256 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
10:52:31.0687 2256 usbccgp - ok
10:52:31.0718 2256 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
10:52:31.0718 2256 usbehci - ok
10:52:31.0718 2256 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
10:52:31.0718 2256 usbhub - ok
10:52:31.0765 2256 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
10:52:31.0765 2256 USBSTOR - ok
10:52:31.0796 2256 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
10:52:31.0796 2256 usbuhci - ok
10:52:31.0812 2256 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
10:52:31.0812 2256 VgaSave - ok
10:52:31.0812 2256 ViaIde - ok
10:52:31.0828 2256 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
10:52:31.0828 2256 VolSnap - ok
10:52:31.0875 2256 VSS (7a9db3a67c333bf0bd42e42b8596854b) C:\WINDOWS\System32\vssvc.exe
10:52:31.0890 2256 VSS - ok
10:52:31.0906 2256 W32Time (54af4b1d5459500ef0937f6d33b1914f) C:\WINDOWS\system32\w32time.dll
10:52:31.0921 2256 W32Time - ok
10:52:31.0937 2256 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
10:52:31.0937 2256 Wanarp - ok
10:52:32.0000 2256 Wdf01000 (d918617b46457b9ac28027722e30f647) C:\WINDOWS\system32\Drivers\wdf01000.sys
10:52:32.0000 2256 Wdf01000 - ok
10:52:32.0000 2256 WDICA - ok
10:52:32.0046 2256 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
10:52:32.0046 2256 wdmaud - ok
10:52:32.0078 2256 WebClient (77a354e28153ad2d5e120a5a8687bc06) C:\WINDOWS\System32\webclnt.dll
10:52:32.0078 2256 WebClient - ok
10:52:32.0156 2256 winmgmt (2d0e4ed081963804ccc196a0929275b5) C:\WINDOWS\system32\wbem\WMIsvc.dll
10:52:32.0156 2256 winmgmt - ok
10:52:32.0203 2256 WmdmPmSN (c51b4a5c05a5475708e3c81c7765b71d) C:\WINDOWS\system32\MsPMSNSv.dll
10:52:32.0203 2256 WmdmPmSN - ok
10:52:32.0281 2256 Wmi (e76f8807070ed04e7408a86d6d3a6137) C:\WINDOWS\System32\advapi32.dll
10:52:32.0296 2256 Wmi - ok
10:52:32.0328 2256 WmiApSrv (e0673f1106e62a68d2257e376079f821) C:\WINDOWS\system32\wbem\wmiapsrv.exe
10:52:32.0328 2256 WmiApSrv - ok
10:52:32.0468 2256 WMPNetworkSvc (f74e3d9a7fa9556c3bbb14d4e5e63d3b) C:\Program Files\Windows Media Player\WMPNetwk.exe
10:52:32.0484 2256 WMPNetworkSvc - ok
10:52:32.0531 2256 wscsvc (7c278e6408d1dce642230c0585a854d5) C:\WINDOWS\system32\wscsvc.dll
10:52:32.0531 2256 wscsvc - ok
10:52:32.0546 2256 wuauserv (35321fb577cdc98ce3eb3a3eb9e4610a) C:\WINDOWS\system32\wuauserv.dll
10:52:32.0546 2256 wuauserv - ok
10:52:32.0593 2256 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
10:52:32.0593 2256 WudfPf - ok
10:52:32.0593 2256 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
10:52:32.0609 2256 WudfRd - ok
10:52:32.0625 2256 WudfSvc (05231c04253c5bc30b26cbaae680ed89) C:\WINDOWS\System32\WUDFSvc.dll
10:52:32.0625 2256 WudfSvc - ok
10:52:32.0671 2256 WZCSVC (81dc3f549f44b1c1fff022dec9ecf30b) C:\WINDOWS\System32\wzcsvc.dll
10:52:32.0718 2256 WZCSVC - ok
10:52:32.0750 2256 xmlprov (295d21f14c335b53cb8154e5b1f892b9) C:\WINDOWS\System32\xmlprov.dll
10:52:32.0750 2256 xmlprov - ok
10:52:32.0781 2256 MBR (0x1B8) (587f1bf40479d66675a13b610e5e7f9e) \Device\Harddisk0\DR0
10:52:32.0796 2256 \Device\Harddisk0\DR0 ( Rootkit.Boot.Sinowal.b ) - infected
10:52:32.0796 2256 \Device\Harddisk0\DR0 - detected Rootkit.Boot.Sinowal.b (0)
10:52:32.0921 2256 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk1\DR1
10:52:32.0984 2256 \Device\Harddisk1\DR1 - ok
10:52:33.0000 2256 Boot (0x1200) (a0f032df67cf0ea7525f39a64daa8ad8) \Device\Harddisk0\DR0\Partition0
10:52:33.0000 2256 \Device\Harddisk0\DR0\Partition0 - ok
10:52:33.0000 2256 Boot (0x1200) (58e4a0fc0f479e762c7373ea349f50fc) \Device\Harddisk1\DR1\Partition0
10:52:33.0000 2256 \Device\Harddisk1\DR1\Partition0 - ok
10:52:33.0000 2256 ============================================================
10:52:33.0000 2256 Scan finished
10:52:33.0000 2256 ============================================================
10:52:33.0015 0884 Detected object count: 1
10:52:33.0015 0884 Actual detected object count: 1
10:53:18.0265 0884 \Device\Harddisk0\DR0\# - copied to quarantine
10:53:18.0265 0884 \Device\Harddisk0\DR0 - copied to quarantine
10:53:18.0296 0884 \Device\Harddisk0\DR0 ( Rootkit.Boot.Sinowal.b ) - will be cured on reboot
10:53:18.0328 0884 \Device\Harddisk0\DR0 - ok
10:53:18.0328 0884 \Device\Harddisk0\DR0 ( Rootkit.Boot.Sinowal.b ) - User select action: Cure
10:53:24.0593 3864 Deinitialize success

#10 RPMcMurphy

  • Malware Response Team
  • 3,970 posts

Posted 16 July 2012 - 11:03 AM

Hi,

Go ahead and run ComboFix without installing the RC right now.

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may donate.


#11 CMoney77

  • Topic Starter
  • Members
  • 11 posts

Posted 16 July 2012 - 11:25 AM

Here is the ComboFix log


ComboFix 12-07-16.01 - Corey 07/16/2012 12:11:08.1.8 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2533 [GMT -4:00]
Running from: c:\documents and settings\Corey\Desktop\ComboFix.exe
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Corey\Desktop\Scanner.lnk
c:\documents and settings\Corey\WINDOWS
c:\windows\system32\dllcache\dlimport.exe
c:\windows\system32\SET380.tmp
c:\windows\system32\SET385.tmp
c:\windows\system32\SET3D4.tmp
.
.
((((((((((((((((((((((((( Files Created from 2012-06-16 to 2012-07-16 )))))))))))))))))))))))))))))))
.
.
2012-07-16 14:53 . 2012-07-16 14:53 -------- d-----w- C:\TDSSKiller_Quarantine
2012-07-15 19:18 . 2012-07-15 19:18 -------- d--h--w- c:\windows\PIF
2012-07-05 17:33 . 2012-07-05 17:33 91648 ----a-w- c:\windows\system32\labeprov.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-08 22:19 . 2011-01-19 22:24 16400 ----a-w- c:\windows\system32\drivers\LNonPnP.sys
2012-06-23 23:14 . 2012-04-03 17:51 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-06-23 23:14 . 2011-05-24 17:29 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-06-02 19:19 . 2009-10-08 12:47 22040 ----a-w- c:\windows\system32\wucltui.dll.mui
2012-06-02 19:19 . 2009-10-08 12:47 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2012-06-02 19:19 . 2009-10-07 18:52 329240 ----a-w- c:\windows\system32\wucltui.dll
2012-06-02 19:19 . 2009-10-07 18:52 219160 ----a-w- c:\windows\system32\wuaucpl.cpl
2012-06-02 19:19 . 2009-10-07 18:52 210968 ----a-w- c:\windows\system32\wuweb.dll
2012-06-02 19:19 . 2009-10-08 12:47 45080 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 19:19 . 2009-10-08 12:47 15384 ----a-w- c:\windows\system32\wuapi.dll.mui
2012-06-02 19:19 . 2009-10-07 18:52 35864 ----a-w- c:\windows\system32\wups.dll
2012-06-02 19:19 . 2009-10-07 18:52 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 19:19 . 2004-08-04 12:00 97304 ----a-w- c:\windows\system32\cdm.dll
2012-06-02 19:19 . 2009-10-08 12:47 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui
2012-06-02 19:19 . 2009-10-07 18:52 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 19:19 . 2009-10-07 18:52 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-05-31 13:22 . 2004-08-04 12:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2012-05-16 15:08 . 2004-08-04 12:00 916992 ----a-w- c:\windows\system32\wininet.dll
2012-05-15 13:20 . 2004-08-04 12:00 1863168 ----a-w- c:\windows\system32\win32k.sys
2012-05-11 14:42 . 2004-08-04 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-05-11 14:42 . 2004-08-04 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-05-11 11:38 . 2004-08-04 12:00 385024 ----a-w- c:\windows\system32\html.iec
2012-05-04 13:16 . 2004-08-04 12:00 2148352 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-05-04 12:32 . 2004-08-03 22:59 2026496 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-05-02 13:46 . 2009-10-07 18:50 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-04-18 20:48 . 2010-05-28 13:43 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-04-18 20:48 . 2010-05-28 13:43 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-01-27 19:00 . 2012-01-27 19:01 288568 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll
2012-06-19 14:27 . 2012-04-27 14:58 85472 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Spotify Web Helper"="c:\documents and settings\Corey\Application Data\Spotify\Data\SpotifyWebHelper.exe" [2012-07-05 1192664]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-18 13574144]
"nwiz"="nwiz.exe" [2008-09-18 1657376]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-02-03 233304]
"MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2009-09-26 185640]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-09-18 86016]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-20 282624]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-04-14 421160]
"EvtMgr6"="c:\program files\Logitech\SetPointP\SetPoint.exe" [2011-10-07 1387288]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
.
c:\documents and settings\Corey\Start Menu\Programs\Startup\
NexDef Plug-in.lnk - c:\documents and settings\Corey\Local Settings\Application Data\Autobahn\nexdef.exe [2011-8-11 15490560]
OpenOffice.org 3.3.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2010-10-28 10:13 64592 ----a-w- c:\program files\Common Files\LogiShrd\Bluetooth\LBTWLgn.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\UltraVNC\\winvnc.exe"=
"c:\\Program Files\\StarNet\\X-Win32 9.5\\xwin32.exe"=
"c:\\Program Files\\StarNet\\X-Win32 9.5\\esd.exe"=
"c:\\Program Files\\Xming\\Xming.exe"=
"c:\\Program Files\\MATLAB\\R2010b\\bin\\win32\\MATLAB.exe"=
"c:\\Program Files\\MATLAB\\R2010b\\bin\\win32\\mpiexec.exe"=
"c:\\Program Files\\MATLAB\\R2010b\\bin\\win32\\smpd.exe"=
"c:\\Documents and Settings\\Corey\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Documents and Settings\\Corey\\Application Data\\Spotify\\spotify.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5900:TCP"= 5900:TCP:vnc5900
"5800:TCP"= 5800:TCP:vnc5800
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [9/26/2009 12:32 AM 189736]
R2 LBeepKE;Logitech Beep Suppression Driver;c:\windows\system32\drivers\LBeepKE.sys [1/19/2011 6:23 PM 12184]
S2 EZUSB;Cypress General Purpose USB Driver (ezusb.sys);c:\windows\system32\drivers\ezusb.sys [5/29/2002 4:13 PM 27507]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [6/20/2012 10:33 AM 116648]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\progra~1\mcafee\SITEAD~1\mcsacore.exe [1/19/2011 6:28 PM 95232]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [4/3/2012 1:51 PM 250056]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [6/20/2012 10:33 AM 116648]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [4/27/2012 10:59 AM 113120]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
2012-07-16 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-03 23:14]
.
2012-07-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-06-20 14:33]
.
2012-07-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-06-20 14:33]
.
2012-07-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1123561945-1614895754-682003330-1014Core.job
- c:\documents and settings\Corey\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-02-21 22:57]
.
2012-07-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1123561945-1614895754-682003330-1014UA.job
- c:\documents and settings\Corey\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-02-21 22:57]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Corey\Application Data\Mozilla\Firefox\Profiles\cun08eh2.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - google.com
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-IDTSysTrayApp - sttray.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-07-16 12:20
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
c:\docume~1\Corey\LOCALS~1\Temp\catchme.dll 53248 bytes executable
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(764)
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
.
Completion time: 2012-07-16 12:22:05
ComboFix-quarantined-files.txt 2012-07-16 16:22
.
Pre-Run: 609,085,202,432 bytes free
Post-Run: 609,580,720,128 bytes free
.
- - End Of File - - 99291C86F9887DAC5D1D06AA998D07AE
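
As an added example (not part of the original thread, and not ComboFix's own code): a small Python triage helper for the "Reg Loading Points" and firewall-policy sections of a ComboFix log like the one above. It parses Run-key values, Startup-folder shortcuts, the globally open firewall ports and catchme's hidden-file lines, then flags loaders that run from user-writable locations (profile, Application Data, Temp) or that are given as bare file names resolved through the search path. The sample input is a hand-trimmed excerpt of the log posted above; the function and variable names, the path markers and the port table are my own assumptions, not ComboFix conventions. A flag is a review queue, not a verdict: the one hidden file in this log, catchme.dll in Temp, is the rootkit detector's own helper module, and Spotify and Google Update legitimately run from the profile.

```python
"""Triage the autorun and firewall sections of a ComboFix log.

Added example, not ComboFix code. The heuristics (user-writable path
markers, remote-access port table) are assumptions chosen for illustration.
"""
import re

# Constructed sample: a hand-trimmed excerpt of the posted ComboFix log.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Spotify Web Helper"="c:\documents and settings\Corey\Application Data\Spotify\Data\SpotifyWebHelper.exe" [2012-07-05 1192664]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-18 13574144]
"nwiz"="nwiz.exe" [2008-09-18 1657376]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-04-14 421160]
.
c:\documents and settings\Corey\Start Menu\Programs\Startup\
NexDef Plug-in.lnk - c:\documents and settings\Corey\Local Settings\Application Data\Autobahn\nexdef.exe [2011-8-11 15490560]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5900:TCP"= 5900:TCP:vnc5900
"5800:TCP"= 5800:TCP:vnc5800
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
c:\docume~1\Corey\LOCALS~1\Temp\catchme.dll 53248 bytes executable
"""

RUN_VALUE = re.compile(r'^"([^"]+)"="([^"]+)"')                   # "Name"="path" [date size]
STARTUP_LNK = re.compile(r'^(.+?\.lnk) - (.+?)(?:\s+\[[^\]]*\])?$')  # Name.lnk - path [date size]
OPEN_PORT = re.compile(r'^"(\d+):(TCP|UDP)"=\s*\d+:(?:TCP|UDP):(.*)$')
HIDDEN_FILE = re.compile(r'^(\S.*?)\s+\d+ bytes executable$')        # catchme hidden-file line

# Directories a standard user can write to; droppers usually land here.
USER_WRITABLE = ("\\documents and settings\\", "\\docume~1\\", "\\application data\\",
                 "\\local settings\\", "\\temp\\", "\\users\\", "\\appdata\\")
# Ports that expose a remote-control service when globally allowed (assumed table).
REMOTE_ACCESS_PORTS = {3389: "RDP", 5800: "VNC (HTTP)", 5900: "VNC"}


def parse_loading_points(log_text):
    """Return (entries, ports): entries are (section, name, path), ports are (port, proto, label)."""
    entries, ports = [], []
    section = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        m = HIDDEN_FILE.match(line)            # catchme output is not inside a [section]
        if m:
            path = m.group(1)
            entries.append(("catchme hidden file", path.rsplit("\\", 1)[-1], path))
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if line.lower().endswith("\\startup\\"):  # Startup-folder header line
            section = "Startup folder " + line
            continue
        if section is None:
            continue
        if "GloballyOpenPorts" in section:
            m = OPEN_PORT.match(line)
            if m:
                ports.append((int(m.group(1)), m.group(2), m.group(3)))
        elif section.lower().endswith(("\\run", "\\runonce")):
            m = RUN_VALUE.match(line)
            if m:
                entries.append((section, m.group(1), m.group(2)))
        elif section.startswith("Startup folder"):
            m = STARTUP_LNK.match(line)
            if m:
                entries.append((section, m.group(1), m.group(2)))
    return entries, ports


def flag_entries(entries):
    """Return (name, path, reason) for loaders worth a second look."""
    flagged = []
    for _section, name, path in entries:
        p = path.lower()
        if any(marker in p for marker in USER_WRITABLE):
            flagged.append((name, path, "runs from a user-writable location"))
        elif "\\" not in p:   # bare file name: Windows resolves it through the search path
            flagged.append((name, path, "unqualified name, resolved via the search path"))
    return flagged


def exposed_remote_access(ports):
    """Globally open TCP ports that map to a remote-control service, as (port, service)."""
    return sorted((port, REMOTE_ACCESS_PORTS[port]) for port, proto, _label in ports
                  if proto == "TCP" and port in REMOTE_ACCESS_PORTS)


if __name__ == "__main__":
    entries, ports = parse_loading_points(SAMPLE_LOG)
    for name, path, why in flag_entries(entries):
        print(f"REVIEW  {name:<22} {why}: {path}")
    for port, svc in exposed_remote_access(ports):
        print(f"OPEN    {port}/tcp ({svc}) is globally allowed in the firewall policy")
```

Run against the excerpt it flags the Spotify helper, nwiz.exe, the NexDef shortcut and catchme.dll for review, and lists 3389, 5800 and 5900 as globally allowed in the Windows firewall policy, which means RDP and VNC on this host are reachable from any other machine on the same network segment.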

#12 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:16 AM

Posted 16 July 2012 - 05:19 PM

Please do this next, (I understand that you won't be able to update the definitions right now):

Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full Scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Uncheck any entries from C:\System Volume Information or C:\Qoobox
  • Be sure that everything else is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please post the results.
Please include the following in your next post:
  • MBAM log

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may donate.


#13 CMoney77

CMoney77
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:03:16 AM

Posted 17 July 2012 - 10:15 AM

Here is the MBAM log


Malwarebytes Anti-Malware (Trial) 1.62.0.1300
www.malwarebytes.org

Database version: v2012.07.03.05

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Corey :: THUNDER [administrator]

Protection: Enabled

7/16/2012 10:45:49 PM
mbam-log-2012-07-16 (22-45-49).txt

Scan type: Full scan (C:\|D:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 690514
Time elapsed: 4 hour(s), 36 minute(s), 27 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

#14 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:16 AM

Posted 17 July 2012 - 10:38 AM

Can you please jump through whatever hoops you need to with the campus IT folks to get your internet access restored? I'm confident that we've removed the active infection, but there are still some steps I wish to take that require you to have internet access. If they won't grant you access do you have somewhere you could take the laptop to connect to the internet?



#15 CMoney77

CMoney77
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:03:16 AM

Posted 17 July 2012 - 10:49 AM

Yes, I can have them let me back on the network. Go ahead and let me know what else you would like me to do, and when I get connected I will get those steps done. If the virus is still active, however, I will be automatically removed again. If that is the case, I will let you know. And if necessary, I can take the computer to an off-campus location for internet access. Thanks.



