
Services.exe infected by ZeroAccess trojan


  • This topic is locked
18 replies to this topic

#1 dabram

dabram

  • Members
  • 17 posts
  • OFFLINE
  • Local time:06:16 AM

Posted 09 July 2012 - 01:57 PM

Hi,
I have a 64-bit Windows 7 Lenovo Ideapad Y450. I use Sophos Antivirus, and I keep getting "Threat detected by Sophos" popups for Troj/ZAccInf-B infecting my C:\windows\system32\services.exe file. Options are move or delete, but I don't want to delete this file since I believe it is essential (when not infected). Details on Sophos for the trojan indicate it might not be disinfectable and might need to be restored from backup.
Sophos also had a ZaccInf-A that came up with the option of cleaning, so I chose "clean" - only the ZAccInf-B remains in quarantine.
Initial searching of the problem brought me to this page:
http://nakedsecurity.sophos.com/2012/06/06/zeroaccess-rootkit-usermode/
It said one registry value may have been changed and one created by the trojan. I checked the first one, and the value was the correct one:

HKCR\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InprocServer32
Correct value: %systemroot%\system32\wbem\wbemess.dll

I deleted the one it said was trojan-affiliated: HKCU\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}
I haven't noticed any difference in performance and am avoiding rebooting for now. I can't turn my firewall or Windows Security Center Service on.
I followed the directions for posting here (except for turning on the firewall, since I could not do this) and have attached the DDS file (skipped GMER since 64-bit).

I would greatly appreciate any help!

Thanks,
David

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_31
Run by David Abram at 11:48:33 on 2012-07-09
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3933.1413 [GMT -7:00]
.
AV: Sophos Anti-Virus *Enabled/Updated* {479CCF92-4960-B3E0-7373-BF453B467D2C}
SP: Sophos Anti-Virus *Enabled/Updated* {FCFD2E76-6F5A-BC6E-49C3-843740C13791}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\windows\system32\wininit.exe
C:\windows\system32\lsm.exe
C:\windows\system32\svchost.exe -k DcomLaunch
C:\windows\system32\svchost.exe -k RPCSS
C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\windows\system32\svchost.exe -k netsvcs
C:\windows\system32\svchost.exe -k LocalService
C:\windows\System32\spoolsv.exe
C:\windows\system32\taskhost.exe
C:\windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\windows\System32\svchost.exe -k NetworkService
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files (x86)\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Program Files (x86)\BitKinex\bitkinexsvc.exe
C:\windows\system32\Dwm.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe
C:\Program Files (x86)\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files (x86)\Motorola Media Link\Lite\NServiceEntry.exe
C:\Program Files (x86)\Juniper Networks\Common Files\dsNcService.exe
C:\PenExe\TcWS\Ver6.2.0\Bin\LCD.EXE
C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files (x86)\Lenovo\Energy Management\utility.exe
C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Program Files (x86)\Motorola\MotoHelper\MotoHelperService.exe
C:\Windows\System32\igfxpers.exe
C:\Users\David Abram\AppData\Roaming\SanDisk\Sansa Updater\SansaDispatch.exe
C:\Program Files (x86)\Sophos\AutoUpdate\ALMon.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
c:\Program Files (x86)\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\msftesql.exe
c:\Program Files (x86)\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe
C:\Program Files (x86)\Cyberlink\Shared files\RichVideo.exe
C:\Program Files (x86)\Sophos\AutoUpdate\ALsvc.exe
c:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\windows\system32\SearchIndexer.exe
C:\windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\DDNI\Lenovo Idea Notes\DDNIMSGService.exe
C:\windows\system32\svchost.exe -k SDRSVC
C:\Program Files (x86)\Internet Explorer\IELowutil.exe
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
C:\windows\splwow64.exe
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
C:\windows\explorer.exe
C:\Program Files (x86)\Motorola\MotoHelper\MotoHelperAgent.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\windows\system32\taskhost.exe
C:\windows\system32\wuauclt.exe
C:\windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
C:\Program Files (x86)\Application Updater\ApplicationUpdater.exe
C:\Program Files (x86)\Common Files\Spigot\Search Settings\SearchSettings.exe
C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SavService.exe
C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Intelligence\swi_service.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SavMain.exe
C:\Users\David Abram\AppData\Local\Google\Google Talk Plugin\googletalkplugin.exe
C:\windows\system32\svchost.exe -k NetworkService
C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SavProgress.exe
C:\windows\system32\SearchProtocolHost.exe
C:\windows\system32\SearchFilterHost.exe
C:\windows\SysWOW64\cmd.exe
C:\windows\system32\conhost.exe
C:\windows\SysWOW64\cscript.exe
C:\windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = https://ofweb.stanford.edu/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = 192.168.*.*;*.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: FreeRIP Toolbar: {e634228a-03cf-4bc8-b0ab-668257f1fd8c} - C:\Program Files (x86)\FreeRIP Toolbar\IE\6.0\freeripToolbarIE.dll
mWinlogon: Userinit=userinit.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: Sophos Web Content Scanner: {39ea7695-b3f2-4c44-a4bc-297ada8fd235} - C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SophosBHO.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO: {82EA3E77-7BD2-4744-A8F2-670770767EC5} - No File
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - C:\PROGRA~2\MICROS~1\Office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO: FreeRIP Toolbar: {e634228a-03cf-4bc8-b0ab-668257f1fd8c} - C:\Program Files (x86)\FreeRIP Toolbar\IE\6.0\freeripToolbarIE.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
TB: FreeRIP Toolbar: {e634228a-03cf-4bc8-b0ab-668257f1fd8c} - C:\Program Files (x86)\FreeRIP Toolbar\IE\6.0\freeripToolbarIE.dll
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
uRun: [c__users_david_abram_appdata_local_google_update_googleupdate.exe] "C:\Users\David Abram\AppData\Local\Google\Update\GoogleUpdate.exe" /c
uRun: [Google Update] "C:\Users\David Abram\AppData\Local\Google\Update\GoogleUpdate.exe" /c
uRun: [SansaDispatch] C:\Users\David Abram\AppData\Roaming\SanDisk\Sansa Updater\SansaDispatch.exe
uRunOnce: [FlashPlayerUpdate] C:\windows\SysWOW64\Macromed\Flash\FlashUtil11g_Plugin.exe -update plugin
mRun: [Sophos AutoUpdate Monitor] C:\Program Files (x86)\Sophos\AutoUpdate\almon.exe
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun: [<NO NAME>]
mRun: [SearchSettings] "C:\Program Files (x86)\Common Files\Spigot\Search Settings\SearchSettings.exe"
dRunOnce: [WLStart] "C:\Program Files (x86)\Windows Live\Installer\wlstart.exe" /nosearch /nohomepage
StartupFolder: C:\Users\DAVIDA~1\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Dropbox.lnk - C:\Users\David Abram\AppData\Roaming\Dropbox\bin\Dropbox.exe
StartupFolder: C:\PROGRA~3\MICROS~1\Windows\STARTM~1\Programs\Startup\VPNGUI~1.LNK - C:\windows\Installer\{467D5E81-8349-4892-9E81-C3674ED8E451}\Icon09DB8A851.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: &Download with BitKinex - C:\Program Files (x86)\BitKinex\ieext_cp.htm
IE: &Register in BitKinex - C:\Program Files (x86)\BitKinex\ieext_reg.htm
IE: Add to Google Photos Screensa&ver - C:\windows\system32\GPhotos.scr/200
IE: Append Link Target to Existing PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - C:\PROGRA~2\MICROS~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - C:\PROGRA~2\MICROS~1\Office14\ONBttnIE.dll/105
IE: Send image to &Bluetooth Device... - C:\Program Files\Lenovo\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - C:\Program Files\Lenovo\Bluetooth Software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Lenovo\Bluetooth Software\btsendto_ie.htm
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
LSP: mswsock.dll
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.4.2/jinstall-1_4_2-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://juniper.net/dana-cached/sc/JuniperSetupClient.cab
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
TCP: Interfaces\{746FDCEA-B7FD-4EBA-930D-C58F9AFC3128} : DhcpNameServer = 75.75.75.75 75.75.76.76
TCP: Interfaces\{746FDCEA-B7FD-4EBA-930D-C58F9AFC3128}\0596E6B64596765627 : DhcpNameServer = 24.217.0.5 24.217.201.67 68.113.206.10
TCP: Interfaces\{746FDCEA-B7FD-4EBA-930D-C58F9AFC3128}\071647866696E6465627 : DhcpNameServer = 75.75.75.75 75.75.76.76
TCP: Interfaces\{746FDCEA-B7FD-4EBA-930D-C58F9AFC3128}\14262716D625F657475627D27657563747 : DhcpNameServer = 75.104.160.61
TCP: Interfaces\{746FDCEA-B7FD-4EBA-930D-C58F9AFC3128}\54C6B60234F667560294E6E6 : DhcpNameServer = 192.168.1.1 8.8.8.8
TCP: Interfaces\{746FDCEA-B7FD-4EBA-930D-C58F9AFC3128}\D425350223031323 : DhcpNameServer = 199.115.243.100 68.177.131.70
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLMF.DLL
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
AppInit_DLLs: acaptuser32.dll,C:\PROGRA~2\Sophos\SOPHOS~1\SOPHOS~1.DLL
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: Sophos Web Content Scanner: {39EA7695-B3F2-4C44-A4BC-297ADA8FD235} - C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SophosBHO.dll
BHO-X64: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre6\bin\ssv.dll
BHO-X64: {82EA3E77-7BD2-4744-A8F2-670770767EC5} - No File
BHO-X64: BHO_PROJECT - No File
BHO-X64: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Adobe PDF Conversion Toolbar Helper: {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
BHO-X64: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO-X64: SkypeIEPluginBHO - No File
BHO-X64: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MICROS~1\Office14\URLREDIR.DLL
BHO-X64: URLRedirectionBHO - No File
BHO-X64: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
BHO-X64: FreeRIP Toolbar: {E634228A-03CF-4BC8-B0AB-668257F1FD8C} - C:\Program Files (x86)\FreeRIP Toolbar\IE\6.0\freeripToolbarIE.dll
BHO-X64: SmartSelect Class: {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
BHO-X64: SmartSelect - No File
TB-X64: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
TB-X64: FreeRIP Toolbar: {E634228A-03CF-4BC8-B0AB-668257F1FD8C} - C:\Program Files (x86)\FreeRIP Toolbar\IE\6.0\freeripToolbarIE.dll
TB-X64: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
mRun-x64: [Sophos AutoUpdate Monitor] C:\Program Files (x86)\Sophos\AutoUpdate\almon.exe
mRun-x64: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRun-x64: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
mRun-x64: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
mRun-x64: [(Default)]
mRun-x64: [SearchSettings] "C:\Program Files (x86)\Common Files\Spigot\Search Settings\SearchSettings.exe"
IE-X64: {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Lenovo\Bluetooth Software\btsendto_ie.htm
AppInit_DLLs-X64: acaptuser32.dll,C:\PROGRA~2\Sophos\SOPHOS~1\SOPHOS~1.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\David Abram\AppData\Roaming\Mozilla\Firefox\Profiles\dl3kehyw.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=WLETDF&PC=WLEM&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - google.com
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&ilc=12&type=386496&p=
FF - prefs.js: network.proxy.type - 2
FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPAUTHZ.DLL
FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL
FF - plugin: C:\Program Files (x86)\Adobe\Acrobat 9.0\Acrobat\Air\nppdf32.dll
FF - plugin: C:\Program Files (x86)\CambridgeSoft\ChemOffice2010\Chem3D\npChem3DPlugin.dll
FF - plugin: C:\Program Files (x86)\CambridgeSoft\ChemOffice2010\ChemDraw\NPCDP32.DLL
FF - plugin: C:\Program Files (x86)\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: C:\Program Files (x86)\Google\Picasa3\npPicasa3.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.111\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.99\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npjp2.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.1.10329.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\Users\David Abram\AppData\Local\Google\Update\1.3.21.111\npGoogleUpdate3.dll
FF - plugin: C:\Users\David Abram\AppData\Roaming\Mozilla\Firefox\Profiles\dl3kehyw.default\extensions\{000F1EA4-5E08-4564-A29B-29076F63A37A}\plugins\npsoe.dll
FF - plugin: C:\Users\David Abram\AppData\Roaming\Mozilla\Firefox\Profiles\dl3kehyw.default\extensions\DeviceDetection@logitech.com\plugins\npLogitechDeviceDetection.dll
FF - plugin: C:\Users\David Abram\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll
FF - plugin: C:\Users\David Abram\AppData\Roaming\Mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: C:\windows\SysWOW64\Macromed\Flash\NPSWF32.dll
.
---- FIREFOX POLICIES ----
user_pref('extensions.autoDisableScopes', 0);user_pref('security.csp.enable', false);user_pref('security.OCSP.enabled', 0);
============= SERVICES / DRIVERS ===============
.
R1 funfrm;funfrm;C:\windows\system32\drivers\funfrm.sys --> C:\windows\system32\drivers\funfrm.sys [?]
R3 ACPIVPC;Lenovo Virtual Power Controller Driver;C:\windows\system32\DRIVERS\AcpiVpc.sys --> C:\windows\system32\DRIVERS\AcpiVpc.sys [?]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI;C:\windows\system32\drivers\IntcHdmi.sys --> C:\windows\system32\drivers\IntcHdmi.sys [?]
R3 itecir;ITECIR Infrared Receiver;C:\windows\system32\DRIVERS\itecir.sys --> C:\windows\system32\DRIVERS\itecir.sys [?]
R3 ITECIRfilter;ITECIR Filter Driver;C:\windows\system32\DRIVERS\ITECIRfilter.sys --> C:\windows\system32\DRIVERS\ITECIRfilter.sys [?]
R3 JMCR;JMCR;C:\windows\system32\DRIVERS\jmcr.sys --> C:\windows\system32\DRIVERS\jmcr.sys [?]
R3 k57nd60a;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0;C:\windows\system32\DRIVERS\k57nd60a.sys --> C:\windows\system32\DRIVERS\k57nd60a.sys [?]
S3 BTCFilterService;USB Networking Driver Filter Service;C:\windows\system32\DRIVERS\motfilt.sys --> C:\windows\system32\DRIVERS\motfilt.sys [?]
S3 btusbflt;Bluetooth USB Filter;C:\windows\system32\drivers\btusbflt.sys --> C:\windows\system32\drivers\btusbflt.sys [?]
S3 btwl2cap;Bluetooth L2CAP Service;C:\windows\system32\DRIVERS\btwl2cap.sys --> C:\windows\system32\DRIVERS\btwl2cap.sys [?]
S3 motccgp;Motorola USB Composite Device Driver;C:\windows\system32\DRIVERS\motccgp.sys --> C:\windows\system32\DRIVERS\motccgp.sys [?]
S3 motccgpfl;MotCcgpFlService;C:\windows\system32\DRIVERS\motccgpfl.sys --> C:\windows\system32\DRIVERS\motccgpfl.sys [?]
S3 Motousbnet;Motorola USB Networking Driver Service;C:\windows\system32\DRIVERS\Motousbnet.sys --> C:\windows\system32\DRIVERS\Motousbnet.sys [?]
S3 motusbdevice;Motorola USB Dev Driver;C:\windows\system32\DRIVERS\motusbdevice.sys --> C:\windows\system32\DRIVERS\motusbdevice.sys [?]
.
=============== Created Last 30 ================
.
2012-07-06 00:24:40 770384 ----a-w- C:\Program Files (x86)\Mozilla Firefox\msvcr100.dll
2012-07-06 00:24:40 421200 ----a-w- C:\Program Files (x86)\Mozilla Firefox\msvcp100.dll
2012-07-03 05:14:39 -------- d-----w- C:\Program Files (x86)\FreeRIP Toolbar
2012-07-03 05:14:39 -------- d-----w- C:\Program Files (x86)\Common Files\Spigot
2012-07-03 05:14:39 -------- d-----w- C:\Program Files (x86)\Application Updater
2012-06-27 00:12:32 -------- d-----w- C:\Users\David Abram\AppData\Local\{62241CAA-C651-4218-9008-10E667D4FC63}
2012-06-26 22:40:08 -------- d-----w- C:\Users\David Abram\AppData\Local\{7CFB8D30-3281-4F66-A073-C73A0D849C8E}
2012-06-26 18:50:52 -------- d-----w- C:\Program Files (x86)\OApps
2012-06-26 18:50:51 -------- d-----w- C:\Program Files (x86)\TorrentSearch
2012-06-26 18:49:15 -------- d-----w- C:\Program Files (x86)\intellidownload
2012-06-21 16:38:01 2622464 ----a-w- C:\windows\System32\wucltux.dll
2012-06-21 16:36:55 36864 ----a-w- C:\windows\System32\wuapp.exe
2012-06-21 16:36:55 186752 ----a-w- C:\windows\System32\wuwebv.dll
.
==================== Find3M ====================
.
2010-07-26 18:17:08 689560 ----a-w- C:\Program Files\iobituninstaller.exe
.
============= FINISH: 11:50:17.66 ===============


#2 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Canada
  • Local time:10:16 AM

Posted 09 July 2012 - 02:56 PM

Download Farbar Recovery Scan Tool and save it to a flash drive.

Plug the flash drive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:
  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt
  • Select Command Prompt.
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for x64 bit version type e:\frst64) and press Enter.
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to the disclaimer.
  • Place a check next to List Drivers MD5 as well as the default check marks that are already there.
  • Press Scan button.
  • FRST will let you know when the scan is complete and has written the FRST.txt file; close out this message, then type the following into the search box:
    services.exe
  • Now press the Search button.
  • When the search is complete, Search.txt will also be written to your USB.
  • Type exit and reboot the computer normally.
  • Please copy and paste both logs in your reply (FRST.txt and Search.txt).

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 dabram

dabram
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:06:16 AM

Posted 09 July 2012 - 06:34 PM

Thanks for the quick response, I greatly appreciate your help. I followed the instructions and the logs are below. I will await further instruction.

Also, the Mal/ZAccConf-A reappeared in the Sophos quarantine in 2 locations:
C:\Users\David Abram\AppData\Local\{05e9adae-d0d8-7665-a65f-38918cf32667}\@
C:\Windows\Installer\{05e9adae-d0d8-7665-a65f-38918cf32667}\@


FRST.txt
Scan result of Farbar Recovery Scan Tool Version: 09-07-2012
Ran by SYSTEM at 09-07-2012 16:13:26
Running from H:\
Windows 7 Home Premium (X64) OS Language: English(US)
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [IAAnotif] C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe [186904 2009-08-06] (Intel Corporation)
HKLM\...\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [1814312 2009-08-14] (Synaptics Incorporated)
HKLM\...\Run: [EnergyUtility] C:\Program Files (x86)\Lenovo\Energy Management\utility.exe [4366704 2009-09-29] (Lenovo(beijing) Limited)
HKLM\...\Run: [Energy Management] C:\Program Files (x86)\Lenovo\Energy Management\Energy Management.exe [5825536 2009-08-18] (Lenovo (Beijing) Limited)
HKLM\...\Run: [IgfxTray] C:\windows\system32\igfxtray.exe [162328 2011-02-11] (Intel Corporation)
HKLM\...\Run: [HotKeysCmds] C:\windows\system32\hkcmd.exe [386584 2011-02-11] (Intel Corporation)
HKLM\...\Run: [Persistence] C:\windows\system32\igfxpers.exe [417304 2011-02-11] (Intel Corporation)
HKLM-x32\...\Run: [Sophos AutoUpdate Monitor] C:\Program Files (x86)\Sophos\AutoUpdate\almon.exe [439536 2010-09-21] (Sophos Plc)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [34672 2008-06-12] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [254696 2012-01-18] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [59240 2012-02-20] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe" [421736 2012-03-06] (Apple Inc.)
HKLM-x32\...\Run: [] [x]
HKLM-x32\...\Run: [SearchSettings] "C:\Program Files (x86)\Common Files\Spigot\Search Settings\SearchSettings.exe" [1090440 2012-06-27] (Spigot, Inc.)
HKU\David Abram\...\Run: [c__users_david_abram_appdata_local_google_update_googleupdate.exe] "C:\Users\David Abram\AppData\Local\Google\Update\GoogleUpdate.exe" /c [136176 2010-03-27] (Google Inc.)
HKU\David Abram\...\Run: [Google Update] "C:\Users\David Abram\AppData\Local\Google\Update\GoogleUpdate.exe" /c [136176 2010-03-27] (Google Inc.)
HKU\David Abram\...\Run: [SansaDispatch] C:\Users\David Abram\AppData\Roaming\SanDisk\Sansa Updater\SansaDispatch.exe [79872 2012-01-02] (SanDisk Corporation)
Winlogon\Notify\igfxcui: igfxdev.dll (Intel Corporation)
Tcpip\Parameters: [DhcpNameServer] 75.75.75.75 75.75.76.76
AppInit_DLLs: acaptuser64.dll,C:\PROGRA~2\Sophos\SOPHOS~1\SOPHOS~2.DLL
Startup: C:\Users\All Users\Start Menu\Programs\Startup\vpngui.exe.lnk
ShortcutTarget: vpngui.exe.lnk -> C:\windows\Installer\{467D5E81-8349-4892-9E81-C3674ED8E451}\Icon09DB8A851.exe ()
Startup: C:\Users\David Abram\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk -> (No File)

==================== Services (Whitelisted) ======

4 Adobe Version Cue CS4; "C:\Program Files (x86)\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe" -win32service [288112 2010-04-11] (Adobe Systems Incorporated)
2 Application Updater; "C:\Program Files (x86)\Application Updater\ApplicationUpdater.exe" [791488 2012-06-27] (Spigot, Inc.)
2 BcmSqlStartupSvc; "C:\Program Files (x86)\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe" [30312 2008-01-11] (Microsoft Corporation)
2 BitKinex; C:\Program Files (x86)\BitKinex\bitkinexsvc.exe DISPATCH [32944 2010-07-12] ()
2 btwdins; C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe [864032 2009-07-01] (Broadcom Corporation.)
2 CVPND; "C:\Program Files (x86)\Cisco Systems\VPN Client\cvpnd.exe" [1528616 2010-03-23] (Cisco Systems, Inc.)
2 DeviceMonitorService; "C:\Program Files (x86)\Motorola Media Link\Lite\NServiceEntry.exe" [87368 2011-09-19] (Nero AG)
2 lcdServiceTcWS(6.2.0); C:\PenExe\TcWS\Ver6.2.0\Bin\LCD.EXE [302610 2001-02-27] (PerkinElmer Instruments)
2 MotoHelper; C:\Program Files (x86)\Motorola\MotoHelper\MotoHelperService.exe [214896 2011-12-06] ()
2 MotoHelper.exe; "C:\Program Files (x86)\Motorola\Moto Helper Service\MotoHelper.exe" [6656 2010-09-14] (Motorola)
2 MSSQL$CSSQL05; "C:\Program Files (x86)\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe" -sCSSQL05 [29293408 2010-12-10] (Microsoft Corporation)
3 MSSQL$MSSMLBIZ; "C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sMSSMLBIZ [29293408 2010-12-10] (Microsoft Corporation)
2 RichVideo; "C:\Program Files (x86)\Cyberlink\Shared files\RichVideo.exe" [244904 2009-07-17] ()
2 SAVAdminService; "C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SAVAdminService.exe" [163056 2010-10-08] (Sophos Plc)
2 SAVService; "C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SavService.exe" [97520 2010-06-04] (Sophos Plc)
2 Sophos AutoUpdate Service; "C:\Program Files (x86)\Sophos\AutoUpdate\ALsvc.exe" [232472 2012-04-11] (Sophos Plc)
2 swi_service; "C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Intelligence\swi_service.exe" [1543704 2012-02-21] (Sophos Plc)
2 msftesql$CSSQL05; "C:\Program Files (x86)\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\msftesql.exe" -s:MSSQL.2 -f:CSSQL05 [x]

========================== Drivers (Whitelisted) =============

3 CVirtA; C:\Windows\System32\DRIVERS\CVirtA64.sys [14992 2010-02-08] (Cisco Systems, Inc.)
3 CVPNDRVA; C:\Windows\System32\Drivers\CVPNDRVA.sys [304784 2010-03-23] ()
3 DNE; C:\Windows\System32\DRIVERS\dne64x.sys [157968 2008-11-16] (Deterministic Networks, Inc.)
1 funfrm; C:\Windows\System32\Drivers\funfrm.sys [58896 2010-02-04] ()
3 ITECIRfilter; C:\Windows\System32\Drivers\ITECIRfilter.sys [28264 2011-03-22] (ITE Tech. Inc. )
1 SAVOnAccess; C:\Windows\System32\Drivers\SAVOnAccess.sys [142328 2010-10-08] (Sophos Plc)
3 sdcfilter; C:\Windows\System32\Drivers\sdcfilter.sys [25592 2009-07-30] (Sophos Plc)
4 SophosBootDriver; C:\Windows\System32\Drivers\SophosBootDriver.sys [25608 2010-07-08] (Sophos Plc)
3 MotDev; C:\Windows\System32\DRIVERS\motodrv.sys [x]
3 motport; C:\Windows\System32\DRIVERS\motport.sys [x]
3 wdmirror; C:\Windows\System32\DRIVERS\WDMirror.sys [x]

========================== NetSvcs (Whitelisted) ===========


============ One Month Created Files and Folders ==============

2012-07-09 16:12 - 2012-07-09 16:13 - 00000000 ____D C:\FRST
2012-07-09 14:07 - 2012-07-09 14:07 - 00000000 ___DC C:\Users\David Abram\AppData\Local\MigWiz
2012-07-09 13:21 - 2012-07-09 13:21 - 00002340 ____A C:\Users\David Abram\Desktop\FSTR_Instructions.txt
2012-07-09 10:54 - 2012-07-09 10:54 - 00021513 ____A C:\Users\David Abram\Desktop\DDS1.txt
2012-07-09 10:54 - 2012-07-09 10:54 - 00010755 ____A C:\Users\David Abram\Desktop\Attach1.txt
2012-07-09 10:23 - 2012-07-09 10:23 - 00607260 ____R (Swearware) C:\Users\David Abram\Desktop\dds.scr
2012-07-02 21:14 - 2012-07-02 21:14 - 00000000 ____D C:\Program Files (x86)\FreeRIP Toolbar
2012-07-02 21:14 - 2012-07-02 21:14 - 00000000 ____D C:\Program Files (x86)\Application Updater
2012-06-26 16:12 - 2012-06-26 16:12 - 00000000 ____D C:\Users\David Abram\AppData\Local\{62241CAA-C651-4218-9008-10E667D4FC63}
2012-06-26 14:40 - 2012-06-26 14:40 - 00000000 ____D C:\Users\David Abram\AppData\Local\{7CFB8D30-3281-4F66-A073-C73A0D849C8E}
2012-06-26 10:50 - 2012-06-26 10:50 - 00000000 ____D C:\Program Files (x86)\TorrentSearch
2012-06-26 10:49 - 2012-06-26 10:51 - 00000000 ____D C:\Program Files (x86)\intellidownload
2012-06-21 08:38 - 2012-06-02 14:19 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
2012-06-21 08:38 - 2012-06-02 14:19 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
2012-06-21 08:38 - 2012-06-02 14:19 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
2012-06-21 08:38 - 2012-06-02 14:15 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
2012-06-21 08:37 - 2012-06-02 14:19 - 00701976 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
2012-06-21 08:37 - 2012-06-02 14:19 - 00038424 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
2012-06-21 08:37 - 2012-06-02 14:15 - 00099840 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
2012-06-21 08:36 - 2012-06-02 14:19 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
2012-06-21 08:36 - 2012-06-02 14:15 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe

============ 3 Months Modified Files ========================

2012-07-09 15:09 - 2009-07-13 21:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-07-09 15:08 - 2009-07-13 20:51 - 00194510 ____A C:\Windows\setupact.log
2012-07-09 15:04 - 2010-02-04 18:35 - 01369792 ____A C:\Windows\WindowsUpdate.log
2012-07-09 15:04 - 2009-07-13 20:45 - 00013632 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-07-09 15:04 - 2009-07-13 20:45 - 00013632 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-07-09 15:02 - 2011-11-25 08:38 - 00000904 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-07-09 15:00 - 2010-02-04 19:20 - 00693756 ____A C:\Windows\PFRO.log
2012-07-09 14:54 - 2011-11-25 08:38 - 00000908 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-07-09 14:39 - 2010-03-27 10:42 - 00000932 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1480281642-2266877034-3838737573-1003UA.job
2012-07-09 14:22 - 2009-07-13 21:13 - 00907092 ____A C:\Windows\System32\PerfStringBackup.INI
2012-07-09 13:21 - 2012-07-09 13:21 - 00002340 ____A C:\Users\David Abram\Desktop\FSTR_Instructions.txt
2012-07-09 10:54 - 2012-07-09 10:54 - 00021513 ____A C:\Users\David Abram\Desktop\DDS1.txt
2012-07-09 10:54 - 2012-07-09 10:54 - 00010755 ____A C:\Users\David Abram\Desktop\Attach1.txt
2012-07-09 10:38 - 2010-03-27 10:42 - 00000880 ____A C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1480281642-2266877034-3838737573-1003Core.job
2012-07-09 10:23 - 2012-07-09 10:23 - 00607260 ____R (Swearware) C:\Users\David Abram\Desktop\dds.scr
2012-07-06 09:00 - 2011-02-04 15:40 - 00000584 ____A C:\Users\David Abram\Documents\grstyles.stl
2012-07-03 09:43 - 2011-12-05 19:39 - 00002083 ____A C:\Users\David Abram\Desktop\Badger.lnk
2012-07-01 20:44 - 2010-03-27 10:42 - 00002393 ____A C:\Users\David Abram\Desktop\Google Chrome.lnk
2012-06-09 21:20 - 2010-03-26 16:23 - 00001030 ____A C:\Users\David Abram\Desktop\Dropbox.lnk
2012-06-02 14:19 - 2012-06-21 08:38 - 02428952 ____A (Microsoft Corporation) C:\Windows\System32\wuaueng.dll
2012-06-02 14:19 - 2012-06-21 08:38 - 00057880 ____A (Microsoft Corporation) C:\Windows\System32\wuauclt.exe
2012-06-02 14:19 - 2012-06-21 08:38 - 00044056 ____A (Microsoft Corporation) C:\Windows\System32\wups2.dll
2012-06-02 14:19 - 2012-06-21 08:37 - 00701976 ____A (Microsoft Corporation) C:\Windows\System32\wuapi.dll
2012-06-02 14:19 - 2012-06-21 08:37 - 00038424 ____A (Microsoft Corporation) C:\Windows\System32\wups.dll
2012-06-02 14:19 - 2012-06-21 08:36 - 00186752 ____A (Microsoft Corporation) C:\Windows\System32\wuwebv.dll
2012-06-02 14:15 - 2012-06-21 08:38 - 02622464 ____A (Microsoft Corporation) C:\Windows\System32\wucltux.dll
2012-06-02 14:15 - 2012-06-21 08:37 - 00099840 ____A (Microsoft Corporation) C:\Windows\System32\wudriver.dll
2012-06-02 14:15 - 2012-06-21 08:36 - 00036864 ____A (Microsoft Corporation) C:\Windows\System32\wuapp.exe
2012-05-19 15:20 - 2009-07-13 20:45 - 03085304 ____A C:\Windows\System32\FNTCACHE.DAT
2012-05-19 14:54 - 2010-03-26 07:44 - 57848688 ____A (Microsoft Corporation) C:\Windows\System32\MRT.exe
2012-05-16 15:23 - 2011-06-09 14:54 - 00176346 ____A C:\Users\David Abram\Documents\My EndNote Library.enl
2012-04-14 14:33 - 2012-04-14 14:33 - 00206758 ____A C:\Users\David Abram\Downloads\TaxReturnPdf(2).aspx
2012-04-14 14:32 - 2012-04-14 14:32 - 00206758 ____A C:\Users\David Abram\Downloads\TaxReturnPdf(1).aspx

ZeroAccess:
C:\Windows\Installer\{05e9adae-d0d8-7665-a65f-38918cf32667}
C:\Windows\Installer\{05e9adae-d0d8-7665-a65f-38918cf32667}\L
C:\Windows\Installer\{05e9adae-d0d8-7665-a65f-38918cf32667}\n
C:\Windows\Installer\{05e9adae-d0d8-7665-a65f-38918cf32667}\U

ZeroAccess:
C:\Users\David Abram\AppData\Local\{05e9adae-d0d8-7665-a65f-38918cf32667}
C:\Users\David Abram\AppData\Local\{05e9adae-d0d8-7665-a65f-38918cf32667}\L
C:\Users\David Abram\AppData\Local\{05e9adae-d0d8-7665-a65f-38918cf32667}\n
C:\Users\David Abram\AppData\Local\{05e9adae-d0d8-7665-a65f-38918cf32667}\U

ZeroAccess:
C:\Windows\assembly\GAC_32\Desktop.ini

ZeroAccess:
C:\Windows\assembly\GAC_64\Desktop.ini

========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe 014A9CB92514E27C0107614DF764BC06 ZeroAccess <==== ATTENTION!.
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

========================= Memory info ======================

Percentage of memory in use: 16%
Total physical RAM: 3932.61 MB
Available physical RAM: 3302.93 MB
Total Pagefile: 3930.75 MB
Available Pagefile: 3299.39 MB
Total Virtual: 8192 MB
Available Virtual: 8191.88 MB

======================= Partitions =========================

1 Drive c: () (Fixed) (Total:252.81 GB) (Free:129.72 GB) NTFS
2 Drive d: (LENOVO) (Fixed) (Total:30.33 GB) (Free:29.17 GB) NTFS
5 Drive h: (KINGSTON) (Removable) (Total:7.26 GB) (Free:7.26 GB) FAT32
6 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
7 Drive y: () (Fixed) (Total:0.2 GB) (Free:0.16 GB) NTFS ==>[System with boot components (obtained from reading drive)]

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 298 GB 1024 KB
Disk 1 No Media 0 B 0 B
Disk 2 Online 7441 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 200 MB 1024 KB
Partition 2 Primary 252 GB 201 MB
Partition 0 Extended 30 GB 253 GB
Partition 4 Logical 30 GB 253 GB
Partition 3 OEM 14 GB 283 GB

==================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 Y NTFS Partition 200 MB Healthy

==================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C NTFS Partition 252 GB Healthy

==================================================================================

Disk: 0
Partition 4
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 D LENOVO NTFS Partition 30 GB Healthy

==================================================================================

Disk: 0
Partition 3
Type : 12
Hidden: Yes
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 6 LENOVO_PART NTFS Partition 14 GB Healthy Hidden

==================================================================================

Partitions of Disk 2:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 7437 MB 4032 KB

==================================================================================

Disk: 2
Partition 1
Type : 0C
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 5 H KINGSTON FAT32 Removable 7437 MB Healthy

==================================================================================

==========================================================

Last Boot: 2012-06-18 13:36

======================= End Of Log ==========================
Search.txt
Farbar Recovery Scan Tool Version: 09-07-2012
Ran by SYSTEM at 2012-07-09 16:15:31
Running from H:\

================== Search: "services.exe" ===================

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

C:\Windows\System32\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 014A9CB92514E27C0107614DF764BC06

====== End Of Search ======

#4 CatByte (bleepin' tiger)

  • Malware Response Team
  • 14,664 posts
  • Location:Canada

Posted 09 July 2012 - 07:06 PM

Hi

Please do the following:


Open Notepad (Start => All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this, highlight the contents of the box, right-click on it and select Copy. Right-click in the open Notepad window and select Paste.) Save it on the flashdrive as fixlist.txt

start
SubSystems: [Windows] ==> ZeroAccess
HKLM-x32\...\Run: [] [x]
2012-06-26 16:12 - 2012-06-26 16:12 - 00000000 ____D C:\Users\David Abram\AppData\Local\{62241CAA-C651-4218-9008-10E667D4FC63}
2012-06-26 14:40 - 2012-06-26 14:40 - 00000000 ____D C:\Users\David Abram\AppData\Local\{7CFB8D30-3281-4F66-A073-C73A0D849C8E}
C:\Windows\Installer\{05e9adae-d0d8-7665-a65f-38918cf32667}
C:\Users\David Abram\AppData\Local\{05e9adae-d0d8-7665-a65f-38918cf32667}
C:\Windows\assembly\GAC_32\Desktop.ini
C:\Windows\assembly\GAC_64\Desktop.ini
replace: C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe C:\Windows\System32\services.exe
end

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

Now please enter System Recovery Options then select Command Prompt

Run FRST (or FRST64 if you have the 64-bit version) and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt); please post it in your reply.

Reboot Normally.


NEXT


Refer to the ComboFix User's Guide

  • Download ComboFix from the following location:

    Link

    * IMPORTANT !!! Place ComboFix.exe on your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  • Double click on ComboFix.exe & follow the prompts.
  • Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  • When finished, it shall produce a log for you. Post that log in your next reply.

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


    ---------------------------------------------------------------------------------------------
  • Ensure your AntiVirus and AntiSpyware applications are re-enabled.

    ---------------------------------------------------------------------------------------------

NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
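The replace: line in the fixlist above rests on the Search.txt result posted earlier: the two services.exe copies have identical size and timestamps but different MD5 hashes, and the component-store (winsxs) copy is used as the source to restore from. The following Python script is an added example, not part of this thread and not FRST's own code: it parses FRST "Search:" output in that format, flags a live copy whose hash differs from a same-size winsxs copy of the same file, and emits the matching replace: directive. The sample log embedded in the script is constructed from the two entries posted above; the function names are my own.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Sample input constructed from the two services.exe entries in the Search.txt
# output posted in this thread. FRST's "Search:" format is a path line followed
# by a detail line: [created] - [modified] - size attrs (company) MD5
SAMPLE_SEARCH_LOG = """\
================== Search: "services.exe" ===================

C:\\Windows\\winsxs\\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

C:\\Windows\\System32\\services.exe
[2009-07-13 15:19] - [2009-07-13 17:39] - 0328704 ____A (Microsoft Corporation) 014A9CB92514E27C0107614DF764BC06

====== End Of Search ======
"""

DETAIL_RE = re.compile(
    r"^\[(?P<created>[^\]]+)\] - \[(?P<modified>[^\]]+)\] - "
    r"(?P<size>\d+) (?P<attrs>\S+) \((?P<company>[^)]*)\) (?P<md5>[0-9A-Fa-f]{32})$"
)
PATH_RE = re.compile(r"^[A-Za-z]:\\")


def parse_search_log(text):
    """Return one dict per file the FRST search found (path, size, md5, ...)."""
    records = []
    pending_path = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("="):      # banners and blank lines
            continue
        m = DETAIL_RE.match(line)
        if m and pending_path:
            rec = m.groupdict()
            rec["path"] = pending_path
            rec["size"] = int(rec["size"])
            rec["md5"] = rec["md5"].upper()
            records.append(rec)
            pending_path = None
        elif PATH_RE.match(line):
            pending_path = line
        # any other stray text is ignored
    return records


def is_component_store(path):
    """True for copies kept in the WinSxS component store (the reference set)."""
    return "\\winsxs\\" in path.lower()


def find_tampered(records):
    """Flag live files that match a same-name winsxs copy in size but not in MD5.

    A patched-in-place system binary keeps its size (and, as in the posted log,
    even its timestamps) while the hash changes, which is exactly this pattern.
    Treating the winsxs copy as trustworthy is an assumption of this example.
    """
    by_name = defaultdict(list)
    for rec in records:
        by_name[PureWindowsPath(rec["path"]).name.lower()].append(rec)

    findings = []
    for name, recs in by_name.items():
        refs = [r for r in recs if is_component_store(r["path"])]
        live = [r for r in recs if not is_component_store(r["path"])]
        for l in live:
            for ref in refs:
                if ref["size"] == l["size"] and ref["md5"] != l["md5"]:
                    findings.append({
                        "name": name,
                        "live": l["path"], "live_md5": l["md5"],
                        "reference": ref["path"], "reference_md5": ref["md5"],
                    })
    return findings


def frst_replace_directive(finding):
    """Build the fixlist line that restores the live copy from the reference copy."""
    return f"replace: {finding['reference']} {finding['live']}"


if __name__ == "__main__":
    for f in find_tampered(parse_search_log(SAMPLE_SEARCH_LOG)):
        print(f"{f['live']}: {f['live_md5']} differs from {f['reference_md5']}")
        print(frst_replace_directive(f))
```

Using the winsxs copy as the reference is only a convenience here; before restoring from it, confirm its hash against a known-good source for the same Windows build, since nothing in the script proves that copy is itself clean.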


#5 dabram (Topic Starter)

  • Members
  • 17 posts

Posted 09 July 2012 - 08:02 PM

I did the previous two commands (FRST fix and ComboFix). Logs are posted below.

BTW, thanks for the note on reboot if "illegal operation attempted on registry key that has been marked for deletion".
Fixlog.txt
Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 09-07-2012
Ran by SYSTEM at 2012-07-09 17:11:25 Run:1
Running from H:\

==============================================

HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Session Manager\SubSystems\\Windows No ZeroAccess entry found.
HKEY_LOCAL_MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ Default Value restored successfully.
C:\Users\David Abram\AppData\Local\{62241CAA-C651-4218-9008-10E667D4FC63} moved successfully.
C:\Users\David Abram\AppData\Local\{7CFB8D30-3281-4F66-A073-C73A0D849C8E} moved successfully.
C:\Windows\Installer\{05e9adae-d0d8-7665-a65f-38918cf32667} moved successfully.
C:\Users\David Abram\AppData\Local\{05e9adae-d0d8-7665-a65f-38918cf32667} moved successfully.
C:\Windows\assembly\GAC_32\Desktop.ini moved successfully.
C:\Windows\assembly\GAC_64\Desktop.ini moved successfully.
C:\Windows\System32\services.exe moved successfully.
C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe copied successfully to C:\Windows\System32\services.exe

==== End of Fixlog ====
ComboFix.txt
ComboFix 12-07-08.03 - David Abram 07/09/2012 17:26:22.1.2 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3933.2560 [GMT -7:00]
Running from: c:\users\David Abram\Desktop\ComboFix.exe
AV: Sophos Anti-Virus *Enabled/Updated* {479CCF92-4960-B3E0-7373-BF453B467D2C}
SP: Sophos Anti-Virus *Enabled/Updated* {FCFD2E76-6F5A-BC6E-49C3-843740C13791}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\vpngui.exe.lnk
c:\windows\s.bat
.
.
((((((((((((((((((((((((( Files Created from 2012-06-10 to 2012-07-10 )))))))))))))))))))))))))))))))
.
.
2012-07-10 00:12 . 2012-07-10 00:13 -------- d-----w- C:\FRST
2012-07-09 22:07 . 2012-07-09 22:07 -------- dc----w- c:\users\David Abram\AppData\Local\MigWiz
2012-07-06 00:24 . 2012-07-06 00:24 770384 ----a-w- c:\program files (x86)\Mozilla Firefox\msvcr100.dll
2012-07-06 00:24 . 2012-07-06 00:24 421200 ----a-w- c:\program files (x86)\Mozilla Firefox\msvcp100.dll
2012-07-03 05:14 . 2012-07-03 05:14 -------- d-----w- c:\program files (x86)\Application Updater
2012-07-03 05:14 . 2012-07-03 05:14 -------- d-----w- c:\program files (x86)\FreeRIP Toolbar
2012-07-03 05:14 . 2012-07-03 05:14 -------- d-----w- c:\program files (x86)\Common Files\Spigot
2012-06-26 18:50 . 2012-06-26 18:52 -------- d-----w- c:\program files (x86)\OApps
2012-06-26 18:50 . 2012-06-26 18:50 -------- d-----w- c:\program files (x86)\TorrentSearch
2012-06-26 18:49 . 2012-06-26 18:51 -------- d-----w- c:\program files (x86)\intellidownload
2012-06-21 16:38 . 2012-06-02 22:19 2428952 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-21 16:38 . 2012-06-02 22:19 57880 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-21 16:38 . 2012-06-02 22:19 44056 ----a-w- c:\windows\system32\wups2.dll
2012-06-21 16:38 . 2012-06-02 22:15 2622464 ----a-w- c:\windows\system32\wucltux.dll
2012-06-21 16:37 . 2012-06-02 22:19 38424 ----a-w- c:\windows\system32\wups.dll
2012-06-21 16:37 . 2012-06-02 22:19 701976 ----a-w- c:\windows\system32\wuapi.dll
2012-06-21 16:37 . 2012-06-02 22:15 99840 ----a-w- c:\windows\system32\wudriver.dll
2012-06-21 16:36 . 2012-06-02 22:19 186752 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-21 16:36 . 2012-06-02 22:15 36864 ----a-w- c:\windows\system32\wuapp.exe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-26 18:17 . 2010-07-26 18:36 689560 ----a-w- c:\program files\iobituninstaller.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\David Abram\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\David Abram\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\David Abram\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\David Abram\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"c__users_david_abram_appdata_local_google_update_googleupdate.exe"="c:\users\David Abram\AppData\Local\Google\Update\GoogleUpdate.exe" [2010-03-27 136176]
"SansaDispatch"="c:\users\David Abram\AppData\Roaming\SanDisk\Sansa Updater\SansaDispatch.exe" [2012-01-02 79872]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Sophos AutoUpdate Monitor"="c:\program files (x86)\Sophos\AutoUpdate\almon.exe" [2010-09-21 439536]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-03-07 421736]
"SearchSettings"="c:\program files (x86)\Common Files\Spigot\Search Settings\SearchSettings.exe" [2012-06-28 1090440]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"WLStart"="c:\program files (x86)\Windows Live\Installer\wlstart.exe" [2009-07-26 768336]
.
c:\users\David Abram\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\David Abram\AppData\Roaming\Dropbox\bin\Dropbox.exe [2012-5-24 27112840]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~2\Sophos\SOPHOS~1\sophos_detoured.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"mixer2"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SophosAntiVirus]
"DisableMonitoring"=dword:00000001
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-11-25 136176]
R2 MotoHelper.exe;Motorola Helper;c:\program files (x86)\Motorola\Moto Helper Service\MotoHelper.exe [2010-09-15 6656]
R3 BTCFilterService;USB Networking Driver Filter Service;c:\windows\system32\DRIVERS\motfilt.sys [2009-01-30 6144]
R3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys [2010-04-14 54824]
R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [2009-08-06 35104]
R3 FLEXnet Licensing Service 64;FLEXnet Licensing Service 64;c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe [2010-03-31 1038088]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-11-25 136176]
R3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\DRIVERS\motccgp.sys [2011-04-04 21504]
R3 motccgpfl;MotCcgpFlService;c:\windows\system32\DRIVERS\motccgpfl.sys [2009-01-30 9216]
R3 MotDev;Motorola Inc. USB Device;c:\windows\system32\DRIVERS\motodrv.sys [x]
R3 Motousbnet;Motorola USB Networking Driver Service;c:\windows\system32\DRIVERS\Motousbnet.sys [2010-04-01 26624]
R3 motport;Motorola USB Diagnostic Port;c:\windows\system32\DRIVERS\motport.sys [x]
R3 motusbdevice;Motorola USB Dev Driver;c:\windows\system32\DRIVERS\motusbdevice.sys [2011-11-08 11776]
R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-07-06 113120]
R3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\DRIVERS\netw5v64.sys [2009-05-14 5435904]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
R3 sdcfilter;sdcfilter;c:\windows\system32\DRIVERS\sdcfilter.sys [2009-07-30 25592]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2010-04-20 50688]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-04-02 1255736]
R3 wdmirror;wdmirror;c:\windows\system32\DRIVERS\WDMirror.sys [x]
R3 wsvd;wsvd;c:\windows\system32\DRIVERS\wsvd.sys [2009-07-21 121840]
R4 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files (x86)\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [2010-04-12 288112]
R4 SophosBootDriver;SophosBootDriver;c:\windows\system32\DRIVERS\SophosBootDriver.sys [2010-07-08 25608]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [2010-08-12 55856]
S1 funfrm;funfrm; [x]
S1 SAVOnAccess;SAVOnAccess;c:\windows\system32\DRIVERS\savonaccess.sys [2010-10-08 142328]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-14 59904]
S2 Application Updater;Application Updater;c:\program files (x86)\Application Updater\ApplicationUpdater.exe [2012-06-28 791488]
S2 BitKinex;BitKinex File Transfer Service;c:\program files (x86)\BitKinex\bitkinexsvc.exe DISPATCH [x]
S2 DDNIMSGService;DDNIMSGService;c:\program files (x86)\DDNI\Lenovo Idea Notes\DDNIMSGService.exe [2010-01-21 172720]
S2 DeviceMonitorService;DeviceMonitorService;c:\program files (x86)\Motorola Media Link\Lite\NServiceEntry.exe [2011-09-19 87368]
S2 lcdServiceTcWS(6.2.0);PEN LCD Service for TcWS Ver6.2.0;c:\penexe\TcWS\Ver6.2.0\Bin\LCD.EXE [2001-02-27 302610]
S2 MotoHelper;MotoHelper Service;c:\program files (x86)\Motorola\MotoHelper\MotoHelperService.exe [2011-12-06 214896]
S2 msftesql$CSSQL05;SQL Server FullText Search (CSSQL05);c:\program files (x86)\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\msftesql.exe [2010-03-26 91992]
S2 MSSQL$CSSQL05;SQL Server (CSSQL05);c:\program files (x86)\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe [2010-12-11 29293408]
S2 SAVAdminService;Sophos Anti-Virus status reporter;c:\program files (x86)\Sophos\Sophos Anti-Virus\SAVAdminService.exe [2010-10-08 163056]
S2 SAVService;Sophos Anti-Virus;c:\program files (x86)\Sophos\Sophos Anti-Virus\SavService.exe [2010-06-04 97520]
S2 swi_service;Sophos Web Intelligence Service;c:\program files (x86)\Sophos\Sophos Anti-Virus\Web Intelligence\swi_service.exe [2012-02-21 1543704]
S3 ACPIVPC;Lenovo Virtual Power Controller Driver;c:\windows\system32\DRIVERS\AcpiVpc.sys [2009-05-19 26128]
S3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2009-07-09 139264]
S3 itecir;ITECIR Infrared Receiver;c:\windows\system32\DRIVERS\itecir.sys [2010-07-13 69736]
S3 ITECIRfilter;ITECIR Filter Driver;c:\windows\system32\DRIVERS\ITECIRfilter.sys [2011-03-22 28264]
S3 JMCR;JMCR;c:\windows\system32\DRIVERS\jmcr.sys [2009-05-18 143320]
S3 k57nd60a;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60a.sys [2009-06-20 317480]
S3 NETw5s64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;c:\windows\system32\DRIVERS\NETw5s64.sys [2009-09-16 6952960]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-14 17920]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
Contents of the 'Scheduled Tasks' folder
.
2012-07-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-11-25 16:37]
.
2012-07-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-11-25 16:37]
.
2012-07-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1480281642-2266877034-3838737573-1003Core.job
- c:\users\David Abram\AppData\Local\Google\Update\GoogleUpdate.exe [2010-03-27 18:42]
.
2012-07-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1480281642-2266877034-3838737573-1003UA.job
- c:\users\David Abram\AppData\Local\Google\Update\GoogleUpdate.exe [2010-03-27 18:42]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 97792 ----a-w- c:\users\David Abram\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 97792 ----a-w- c:\users\David Abram\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 97792 ----a-w- c:\users\David Abram\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-08-07 186904]
"EnergyUtility"="c:\program files (x86)\Lenovo\Energy Management\utility.exe" [2009-09-29 4366704]
"Energy Management"="c:\program files (x86)\Lenovo\Energy Management\Energy Management.exe" [2009-08-19 5825536]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-02-12 162328]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-02-12 386584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2011-02-12 417304]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x1
"AppInit_DLLs"=c:\progra~2\Sophos\SOPHOS~1\sophos_detoured_x64.dll
.
------- Supplementary Scan -------
.
uStart Page = https://ofweb.stanford.edu/
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = 192.168.*.*;*.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Download with BitKinex - c:\program files (x86)\BitKinex\ieext_cp.htm
IE: &Register in BitKinex - c:\program files (x86)\BitKinex\ieext_reg.htm
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append Link Target to Existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~2\MICROS~1\Office14\ONBttnIE.dll/105
IE: Send image to &Bluetooth Device... - c:\program files\Lenovo\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\Lenovo\Bluetooth Software\btsendto_ie.htm
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
FF - ProfilePath - c:\users\David Abram\AppData\Roaming\Mozilla\Firefox\Profiles\dl3kehyw.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=WLETDF&PC=WLEM&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - google.com
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&ilc=12&type=386496&p=
FF - prefs.js: network.proxy.type - 2
user_pref('extensions.autoDisableScopes', 0);user_pref('security.csp.enable', false);user_pref('security.OCSP.enabled', 0);
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
SafeBoot-MCODS
Toolbar-Locked - (no file)
HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\msftesql$CSSQL05]
"ImagePath"="\"c:\program files (x86)\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\msftesql.exe\" -s:MSSQL.2 -f:CSSQL05"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1480281642-2266877034-3838737573-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eml\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.Email.1"
.
[HKEY_USERS\S-1-5-21-1480281642-2266877034-3838737573-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vcf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.VCard.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10t_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10t_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash10t.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash10t.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash10t.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash10t.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
"Key"="ActionsPane3"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
c:\program files (x86)\BitKinex\bitkinexsvc.exe
c:\program files (x86)\Cisco Systems\VPN Client\cvpnd.exe
c:\program files (x86)\Juniper Networks\Common Files\dsNcService.exe
c:\program files (x86)\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\program files (x86)\Cyberlink\Shared files\RichVideo.exe
c:\program files (x86)\Sophos\AutoUpdate\ALsvc.exe
c:\program files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files (x86)\Motorola\MotoHelper\MotoHelperAgent.exe
c:\program files (x86)\Internet Explorer\IELowutil.exe
.
**************************************************************************
.
Completion time: 2012-07-09 17:48:49 - machine was rebooted
ComboFix-quarantined-files.txt 2012-07-10 00:48
.
Pre-Run: 139,453,599,744 bytes free
Post-Run: 139,920,801,792 bytes free
.
- - End Of File - - B560862BBDE5F6588CD4609ED0FAD58B

#6 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada
  • Local time:10:16 AM

Posted 09 July 2012 - 08:11 PM

Please run the following:

Please download Malwarebytes' Anti-Malware
  • Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with one of two prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.



NEXT


Go here to run an online scanner from ESET.
  • Turn off the real-time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activeX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#7 dabram

dabram
  • Topic Starter

  • Members
  • 17 posts
  • Local time:06:16 AM

Posted 10 July 2012 - 08:14 AM

Results from those two steps are below.
The ESET scan took a long time; I tried running it overnight. In the morning, I got a message saying an unexpected error had caused it to stop running (it ran for ~8 hrs), so I am not sure if it did a full scan or if I need to run ESET again.

Also, I had my browser open at the start of the scan and when I closed it, I noticed ~10 threats get found - the 'variant of win32/toolbar.widgi application' ones.

Lastly, when I opened Sophos back up, two new items had been quarantined in addition to the previous two:
Troj/ZAccInf-B C:\FRST\Quarantine\services.exe
Troj/Browin-Gen C:\Program Files (x86)\intellidownload\vfd.exe



MBAM
Malwarebytes Anti-Malware (Trial) 1.61.0.1400
www.malwarebytes.org

Database version: v2012.07.10.03

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
David Abram :: MOM [administrator]

Protection: Enabled

7/9/2012 9:53:25 PM
mbam-log-2012-07-09 (21-53-25).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 236442
Time elapsed: 8 minute(s), 26 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 1
HKLM\SOFTWARE\Google\Chrome\Extensions\kincjchfokkeneeofpeefomkikfkiedl (PUP.FCTPlugin) -> Quarantined and deleted successfully.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)


ESETSCAN
C:\FRST\Quarantine\{05e9adae-d0d8-7665-a65f-38918cf32667}\n Win64/Sirefef.W trojan
C:\FRST\Quarantine\{05e9adae-d0d8-7665-a65f-38918cf32667}\{05e9adae-d0d8-7665-a65f-38918cf32667}\n Win64/Sirefef.W trojan
C:\Program Files (x86)\Common Files\Spigot\Search Settings\SearchSettings.exe a variant of Win32/Toolbar.Widgi application
C:\Program Files (x86)\Common Files\Spigot\wtxpcom\components\WidgiToolbarFF.dll a variant of Win32/Toolbar.Widgi application
C:\Program Files (x86)\Common Files\Spigot\wtxpcom\components\WidgiToolbarFF.dll.10 a variant of Win32/Toolbar.Widgi application
C:\Program Files (x86)\Common Files\Spigot\wtxpcom\components\WidgiToolbarFF.dll.11 a variant of Win32/Toolbar.Widgi application
C:\Program Files (x86)\Common Files\Spigot\wtxpcom\components\WidgiToolbarFF.dll.12 a variant of Win32/Toolbar.Widgi application
C:\Program Files (x86)\Common Files\Spigot\wtxpcom\components\WidgiToolbarFF.dll.13 a variant of Win32/Toolbar.Widgi application
C:\Program Files (x86)\Common Files\Spigot\wtxpcom\components\WidgiToolbarFF.dll.14 a variant of Win32/Toolbar.Widgi application
C:\Program Files (x86)\Common Files\Spigot\wtxpcom\components\WidgiToolbarFF.dll.5 a variant of Win32/Toolbar.Widgi application
C:\Program Files (x86)\Common Files\Spigot\wtxpcom\components\WidgiToolbarFF.dll.6 a variant of Win32/Toolbar.Widgi application
C:\Program Files (x86)\Common Files\Spigot\wtxpcom\components\WidgiToolbarFF.dll.7 a variant of Win32/Toolbar.Widgi application
C:\Program Files (x86)\Common Files\Spigot\wtxpcom\components\WidgiToolbarFF.dll.8 a variant of Win32/Toolbar.Widgi application
C:\Program Files (x86)\Common Files\Spigot\wtxpcom\components\WidgiToolbarFF.dll.9 a variant of Win32/Toolbar.Widgi application
C:\Program Files (x86)\FreeRIP Toolbar\IE\6.0\freeripToolbarIE.dll a variant of Win32/Toolbar.Widgi application
C:\Program Files (x86)\intellidownload\torrent.exe Win32/BundleInstaller application
C:\Program Files (x86)\RegInOut\engine.dll a variant of Win32/Adware.AntiMalwarePro.AD application
C:\Program Files (x86)\RegInOut\RegInOut.exe probably a variant of Win32/Adware.PCFresher.A application

Edited by dabram, 10 July 2012 - 08:19 AM.


#8 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada
  • Local time:10:16 AM

Posted 10 July 2012 - 09:09 AM

Hi,

Please run the following:

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run, type Notepad, and click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

File::
C:\Program Files (x86)\Common Files\Spigot\Search Settings\SearchSettings.exe 
C:\Program Files (x86)\Common Files\Spigot\wtxpcom\components\WidgiToolbarFF.dll 
C:\Program Files (x86)\Common Files\Spigot\wtxpcom\components\WidgiToolbarFF.dll.10 
C:\Program Files (x86)\Common Files\Spigot\wtxpcom\components\WidgiToolbarFF.dll.11 
C:\Program Files (x86)\Common Files\Spigot\wtxpcom\components\WidgiToolbarFF.dll.12 
C:\Program Files (x86)\Common Files\Spigot\wtxpcom\components\WidgiToolbarFF.dll.13 
C:\Program Files (x86)\Common Files\Spigot\wtxpcom\components\WidgiToolbarFF.dll.14 
C:\Program Files (x86)\Common Files\Spigot\wtxpcom\components\WidgiToolbarFF.dll.5 
C:\Program Files (x86)\Common Files\Spigot\wtxpcom\components\WidgiToolbarFF.dll.6 
C:\Program Files (x86)\Common Files\Spigot\wtxpcom\components\WidgiToolbarFF.dll.7 
C:\Program Files (x86)\Common Files\Spigot\wtxpcom\components\WidgiToolbarFF.dll.8 
C:\Program Files (x86)\Common Files\Spigot\wtxpcom\components\WidgiToolbarFF.dll.9 
C:\Program Files (x86)\FreeRIP Toolbar\IE\6.0\freeripToolbarIE.dll 
C:\Program Files (x86)\intellidownload\torrent.exe 
C:\Program Files (x86)\RegInOut\engine.dll 
C:\Program Files (x86)\RegInOut\RegInOut.exe 

ClearJavaCache::

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop; save it as "CFScript".


Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...

Posted Image
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix may request an update; please allow it.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


NEXT


Visit ADOBE and download the latest version of Acrobat Reader (version X)
Having the latest updates ensures there are no security vulnerabilities in your system.


NEXT



Your Java is out of date, so go to Start > Control Panel > Programs and Features, scroll down to the Java installation and Remove it. Now download the latest Java version 7 update 5 and install it: http://java.com/en/download/index.jsp


NEXT



Please advise how the computer is running now and if there are any outstanding issues

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
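As an added example (not part of this thread, nor code from ComboFix or ESET), here is a small Python script that does what CatByte did by hand in the post above: it parses the one-finding-per-line ESET export into path and detection name, drops duplicates and anything already sitting in another tool's quarantine (the two C:\FRST\Quarantine hits were left out of the script above), and emits a CFScript using only the two directives the post uses, File:: and ClearJavaCache::. The sample input reproduces lines from the ESETSCAN above plus one constructed duplicate; the list of category words in the regex beyond "trojan" and "application" is an assumption.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# ESET prints each finding as "<path> <detection name>". Paths contain spaces
# ("Program Files (x86)"), so the split is anchored on the detection name:
# optional "probably", optional "a variant of", Family/Name, category word.
# Categories other than trojan/application are assumed, not taken from the thread.
_ESET_LINE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?) "
    r"(?P<threat>(?:probably )?(?:a variant of )?[A-Za-z0-9]+/\S+ "
    r"(?:trojan|application|worm|virus|backdoor|adware))$"
)

# Constructed sample: lines copied from the ESETSCAN export in this thread,
# plus a repeated SearchSettings.exe line to exercise deduplication.
ESET_EXPORT = r"""
C:\FRST\Quarantine\{05e9adae-d0d8-7665-a65f-38918cf32667}\n Win64/Sirefef.W trojan
C:\Program Files (x86)\Common Files\Spigot\Search Settings\SearchSettings.exe a variant of Win32/Toolbar.Widgi application
C:\Program Files (x86)\Common Files\Spigot\wtxpcom\components\WidgiToolbarFF.dll.10 a variant of Win32/Toolbar.Widgi application
C:\Program Files (x86)\intellidownload\torrent.exe Win32/BundleInstaller application
C:\Program Files (x86)\RegInOut\RegInOut.exe probably a variant of Win32/Adware.PCFresher.A application
C:\Program Files (x86)\Common Files\Spigot\Search Settings\SearchSettings.exe a variant of Win32/Toolbar.Widgi application
"""


@dataclass(frozen=True)
class Finding:
    path: str
    threat: str


def parse_eset_export(text: str) -> List[Finding]:
    """Parse the ESET "LIST OF THREATS FOUND" text export, one finding per line."""
    findings: List[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _ESET_LINE.match(line)
        if m is None:
            # Fail loudly rather than silently dropping a finding from the list.
            raise ValueError(f"unrecognised ESET export line: {line!r}")
        findings.append(Finding(m.group("path"), m.group("threat")))
    return findings


# Files under these prefixes were already isolated by another tool (FRST's
# quarantine folder in this thread) and should not be fed to ComboFix again.
DEFAULT_EXCLUDE: Tuple[str, ...] = ("C:\\FRST\\Quarantine\\",)


def build_cfscript(findings: Iterable[Finding],
                   exclude_prefixes: Tuple[str, ...] = DEFAULT_EXCLUDE) -> str:
    """Emit a CFScript with the two directives the post uses: File:: and ClearJavaCache::."""
    seen = set()
    paths: List[str] = []
    for f in findings:
        key = f.path.lower()  # NTFS paths are case-insensitive; dedupe on the lowered form
        if key in seen or any(key.startswith(p.lower()) for p in exclude_prefixes):
            continue
        seen.add(key)
        paths.append(f.path)
    # Layout as in the post: File:: header, one path per line, blank line, next directive.
    return "\n".join(["File::", *paths, "", "ClearJavaCache::"])


if __name__ == "__main__":
    print(build_cfscript(parse_eset_export(ESET_EXPORT)))
```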


#9 dabram

dabram
  • Topic Starter

  • Members
  • 17 posts
  • Local time:06:16 AM

Posted 10 July 2012 - 11:41 AM

Followed instructions, ComboFix log is below.
NOTE: Before ComboFix ran, a window said Sophos was still active, but I had closed it and didn't see it as an active process or application in Task Manager. At around Stage 32 completed, a window popped up saying PEV.exe had failed, but I didn't click anything. The window went away after Stage 50 had completed.
Sophos has now added a 5th item to quarantine after ComboFix ran: suspicious behavior; HIPS/RegMod-016; c:\Windows\regedit.exe

Also, I uninstalled the FreeRip Toolbar by Spigot, Inc., the same company responsible for some of the malware errors I saw in one of the scans.
I have yet to see any change in performance throughout the whole process, but it doesn't seem like the malware is gone.


ComboFix Log
ComboFix 12-07-10.01 - David Abram 07/10/2012 8:46.2.2 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3933.2161 [GMT -7:00]
Running from: c:\users\David Abram\Desktop\ComboFix.exe
Command switches used :: c:\users\David Abram\Desktop\CFScript.txt
AV: Sophos Anti-Virus *Enabled/Updated* {479CCF92-4960-B3E0-7373-BF453B467D2C}
SP: Sophos Anti-Virus *Enabled/Updated* {FCFD2E76-6F5A-BC6E-49C3-843740C13791}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
FILE ::
"c:\program files (x86)\Common Files\Spigot\Search Settings\SearchSettings.exe"
"c:\program files (x86)\Common Files\Spigot\wtxpcom\components\WidgiToolbarFF.dll"
"c:\program files (x86)\Common Files\Spigot\wtxpcom\components\WidgiToolbarFF.dll.10"
"c:\program files (x86)\Common Files\Spigot\wtxpcom\components\WidgiToolbarFF.dll.11"
"c:\program files (x86)\Common Files\Spigot\wtxpcom\components\WidgiToolbarFF.dll.12"
"c:\program files (x86)\Common Files\Spigot\wtxpcom\components\WidgiToolbarFF.dll.13"
"c:\program files (x86)\Common Files\Spigot\wtxpcom\components\WidgiToolbarFF.dll.14"
"c:\program files (x86)\Common Files\Spigot\wtxpcom\components\WidgiToolbarFF.dll.5"
"c:\program files (x86)\Common Files\Spigot\wtxpcom\components\WidgiToolbarFF.dll.6"
"c:\program files (x86)\Common Files\Spigot\wtxpcom\components\WidgiToolbarFF.dll.7"
"c:\program files (x86)\Common Files\Spigot\wtxpcom\components\WidgiToolbarFF.dll.8"
"c:\program files (x86)\Common Files\Spigot\wtxpcom\components\WidgiToolbarFF.dll.9"
"c:\program files (x86)\FreeRIP Toolbar\IE\6.0\freeripToolbarIE.dll"
"c:\program files (x86)\intellidownload\torrent.exe"
"c:\program files (x86)\RegInOut\engine.dll"
"c:\program files (x86)\RegInOut\RegInOut.exe"
.
.
((((((((((((((((((((((((( Files Created from 2012-06-10 to 2012-07-10 )))))))))))))))))))))))))))))))
.
.
2012-07-10 16:09 . 2012-07-10 16:09 -------- d-----w- c:\users\Twists\AppData\Local\temp
2012-07-10 16:09 . 2012-07-10 16:09 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-07-10 10:19 . 2012-07-10 10:19 69000 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{E8253710-6370-4C98-8E9E-34D276BDFB3C}\offreg.dll
2012-07-10 10:15 . 2012-06-18 10:12 9013136 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{E8253710-6370-4C98-8E9E-34D276BDFB3C}\mpengine.dll
2012-07-10 05:11 . 2012-07-10 05:11 -------- d-----w- c:\program files (x86)\ESET
2012-07-10 04:52 . 2012-07-10 04:52 -------- d-----w- c:\users\David Abram\AppData\Roaming\Malwarebytes
2012-07-10 04:52 . 2012-07-10 04:52 -------- d-----w- c:\programdata\Malwarebytes
2012-07-10 04:52 . 2012-04-04 22:56 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-07-10 04:52 . 2012-07-10 04:52 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-07-10 00:12 . 2012-07-10 00:13 -------- d-----w- C:\FRST
2012-07-09 22:07 . 2012-07-09 22:07 -------- dc----w- c:\users\David Abram\AppData\Local\MigWiz
2012-07-06 00:24 . 2012-07-06 00:24 770384 ----a-w- c:\program files (x86)\Mozilla Firefox\msvcr100.dll
2012-07-06 00:24 . 2012-07-06 00:24 421200 ----a-w- c:\program files (x86)\Mozilla Firefox\msvcp100.dll
2012-07-03 05:14 . 2012-07-03 05:14 -------- d-----w- c:\program files (x86)\Application Updater
2012-07-03 05:14 . 2012-07-03 05:14 -------- d-----w- c:\program files (x86)\FreeRIP Toolbar
2012-07-03 05:14 . 2012-07-03 05:14 -------- d-----w- c:\program files (x86)\Common Files\Spigot
2012-06-26 18:50 . 2012-06-26 18:52 -------- d-----w- c:\program files (x86)\OApps
2012-06-26 18:50 . 2012-06-26 18:50 -------- d-----w- c:\program files (x86)\TorrentSearch
2012-06-26 18:49 . 2012-06-26 18:51 -------- d-----w- c:\program files (x86)\intellidownload
2012-06-21 16:38 . 2012-06-02 22:19 2428952 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-21 16:38 . 2012-06-02 22:19 57880 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-21 16:38 . 2012-06-02 22:19 44056 ----a-w- c:\windows\system32\wups2.dll
2012-06-21 16:38 . 2012-06-02 22:15 2622464 ----a-w- c:\windows\system32\wucltux.dll
2012-06-21 16:37 . 2012-06-02 22:19 38424 ----a-w- c:\windows\system32\wups.dll
2012-06-21 16:37 . 2012-06-02 22:19 701976 ----a-w- c:\windows\system32\wuapi.dll
2012-06-21 16:37 . 2012-06-02 22:15 99840 ----a-w- c:\windows\system32\wudriver.dll
2012-06-21 16:36 . 2012-06-02 22:19 186752 ----a-w- c:\windows\system32\wuwebv.dll
2012-06-21 16:36 . 2012-06-02 22:15 36864 ----a-w- c:\windows\system32\wuapp.exe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-05-31 19:25 . 2010-07-08 21:28 279656 ------w- c:\windows\system32\MpSigStub.exe
2010-07-26 18:17 . 2010-07-26 18:36 689560 ----a-w- c:\program files\iobituninstaller.exe
.
.
((((((((((((((((((((((((((((( SnapShot@2012-07-10_00.42.37 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-07-14 04:54 . 2012-07-10 00:13 49152 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-07-14 04:54 . 2012-07-10 00:53 49152 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-07-14 04:54 . 2012-07-10 00:53 81920 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2012-07-10 00:13 81920 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2012-07-10 00:13 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:54 . 2012-07-10 00:53 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-02-05 02:40 . 2012-07-10 00:56 54850 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2012-07-10 00:56 62348 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2010-03-26 15:57 . 2012-07-10 00:56 14544 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1480281642-2266877034-3838737573-1003_UserData.bin
- 2010-03-26 15:30 . 2012-06-07 22:55 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-03-26 15:30 . 2012-07-10 00:57 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2010-03-26 15:30 . 2012-07-10 00:57 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2010-03-26 15:30 . 2012-06-07 22:55 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-07-14 04:54 . 2012-06-07 22:55 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:54 . 2012-07-10 00:57 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:46 . 2012-07-10 10:14 96016 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\Cache\cache.dat
- 2012-07-10 00:39 . 2012-07-10 00:39 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-07-10 00:53 . 2012-07-10 00:53 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-07-10 00:53 . 2012-07-10 00:53 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2012-07-10 00:39 . 2012-07-10 00:39 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2010-02-05 03:51 . 2012-07-10 15:34 497834 c:\windows\system32\wdi\SuspendPerformanceDiagnostics_SystemData_S3.bin
+ 2009-07-14 05:01 . 2012-07-10 00:52 513240 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
- 2009-07-14 05:01 . 2012-07-10 00:38 513240 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\David Abram\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\David Abram\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\David Abram\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\David Abram\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"c__users_david_abram_appdata_local_google_update_googleupdate.exe"="c:\users\David Abram\AppData\Local\Google\Update\GoogleUpdate.exe" [2010-03-27 136176]
"SansaDispatch"="c:\users\David Abram\AppData\Roaming\SanDisk\Sansa Updater\SansaDispatch.exe" [2012-01-02 79872]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Sophos AutoUpdate Monitor"="c:\program files (x86)\Sophos\AutoUpdate\almon.exe" [2010-09-21 439536]
"Adobe Reader Speed Launcher"="c:\program files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-03-07 421736]
"SearchSettings"="c:\program files (x86)\Common Files\Spigot\Search Settings\SearchSettings.exe" [2012-06-28 1090440]
"Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"WLStart"="c:\program files (x86)\Windows Live\Installer\wlstart.exe" [2009-07-26 768336]
.
c:\users\David Abram\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\David Abram\AppData\Roaming\Dropbox\bin\Dropbox.exe [2012-5-24 27112840]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~2\Sophos\SOPHOS~1\sophos_detoured.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"mixer2"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SophosAntiVirus]
"DisableMonitoring"=dword:00000001
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-11-25 136176]
R2 MotoHelper.exe;Motorola Helper;c:\program files (x86)\Motorola\Moto Helper Service\MotoHelper.exe [2010-09-15 6656]
R3 BTCFilterService;USB Networking Driver Filter Service;c:\windows\system32\DRIVERS\motfilt.sys [2009-01-30 6144]
R3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys [2010-04-14 54824]
R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [2009-08-06 35104]
R3 FLEXnet Licensing Service 64;FLEXnet Licensing Service 64;c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService64.exe [2010-03-31 1038088]
R3 gupdatem;Google Update Service (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-11-25 136176]
R3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\DRIVERS\motccgp.sys [2011-04-04 21504]
R3 motccgpfl;MotCcgpFlService;c:\windows\system32\DRIVERS\motccgpfl.sys [2009-01-30 9216]
R3 MotDev;Motorola Inc. USB Device;c:\windows\system32\DRIVERS\motodrv.sys [x]
R3 Motousbnet;Motorola USB Networking Driver Service;c:\windows\system32\DRIVERS\Motousbnet.sys [2010-04-01 26624]
R3 motport;Motorola USB Diagnostic Port;c:\windows\system32\DRIVERS\motport.sys [x]
R3 motusbdevice;Motorola USB Dev Driver;c:\windows\system32\DRIVERS\motusbdevice.sys [2011-11-08 11776]
R3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files (x86)\Mozilla Maintenance Service\maintenanceservice.exe [2012-07-06 113120]
R3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\DRIVERS\netw5v64.sys [2009-05-14 5435904]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
R3 sdcfilter;sdcfilter;c:\windows\system32\DRIVERS\sdcfilter.sys [2009-07-30 25592]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 59392]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2010-04-20 50688]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-04-02 1255736]
R3 wdmirror;wdmirror;c:\windows\system32\DRIVERS\WDMirror.sys [x]
R3 wsvd;wsvd;c:\windows\system32\DRIVERS\wsvd.sys [2009-07-21 121840]
R4 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files (x86)\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [2010-04-12 288112]
R4 SophosBootDriver;SophosBootDriver;c:\windows\system32\DRIVERS\SophosBootDriver.sys [2010-07-08 25608]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [2010-08-12 55856]
S1 funfrm;funfrm; [x]
S1 SAVOnAccess;SAVOnAccess;c:\windows\system32\DRIVERS\savonaccess.sys [2010-10-08 142328]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-14 59904]
S2 Application Updater;Application Updater;c:\program files (x86)\Application Updater\ApplicationUpdater.exe [2012-06-28 791488]
S2 BitKinex;BitKinex File Transfer Service;c:\program files (x86)\BitKinex\bitkinexsvc.exe DISPATCH [x]
S2 DDNIMSGService;DDNIMSGService;c:\program files (x86)\DDNI\Lenovo Idea Notes\DDNIMSGService.exe [2010-01-21 172720]
S2 DeviceMonitorService;DeviceMonitorService;c:\program files (x86)\Motorola Media Link\Lite\NServiceEntry.exe [2011-09-19 87368]
S2 lcdServiceTcWS(6.2.0);PEN LCD Service for TcWS Ver6.2.0;c:\penexe\TcWS\Ver6.2.0\Bin\LCD.EXE [2001-02-27 302610]
S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-04-04 654408]
S2 MotoHelper;MotoHelper Service;c:\program files (x86)\Motorola\MotoHelper\MotoHelperService.exe [2011-12-06 214896]
S2 msftesql$CSSQL05;SQL Server FullText Search (CSSQL05);c:\program files (x86)\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\msftesql.exe [2010-03-26 91992]
S2 MSSQL$CSSQL05;SQL Server (CSSQL05);c:\program files (x86)\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\sqlservr.exe [2010-12-11 29293408]
S2 SAVAdminService;Sophos Anti-Virus status reporter;c:\program files (x86)\Sophos\Sophos Anti-Virus\SAVAdminService.exe [2010-10-08 163056]
S2 SAVService;Sophos Anti-Virus;c:\program files (x86)\Sophos\Sophos Anti-Virus\SavService.exe [2010-06-04 97520]
S2 swi_service;Sophos Web Intelligence Service;c:\program files (x86)\Sophos\Sophos Anti-Virus\Web Intelligence\swi_service.exe [2012-02-21 1543704]
S3 ACPIVPC;Lenovo Virtual Power Controller Driver;c:\windows\system32\DRIVERS\AcpiVpc.sys [2009-05-19 26128]
S3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2009-07-09 139264]
S3 itecir;ITECIR Infrared Receiver;c:\windows\system32\DRIVERS\itecir.sys [2010-07-13 69736]
S3 ITECIRfilter;ITECIR Filter Driver;c:\windows\system32\DRIVERS\ITECIRfilter.sys [2011-03-22 28264]
S3 JMCR;JMCR;c:\windows\system32\DRIVERS\jmcr.sys [2009-05-18 143320]
S3 k57nd60a;Broadcom NetLink ™ Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60a.sys [2009-06-20 317480]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-04-04 24904]
S3 NETw5s64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows 7 - 64 Bit;c:\windows\system32\DRIVERS\NETw5s64.sys [2009-09-16 6952960]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-14 17920]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MBAMPROTECTOR
.
Contents of the 'Scheduled Tasks' folder
.
2012-07-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-11-25 16:37]
.
2012-07-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-11-25 16:37]
.
2012-07-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1480281642-2266877034-3838737573-1003Core.job
- c:\users\David Abram\AppData\Local\Google\Update\GoogleUpdate.exe [2010-03-27 18:42]
.
2012-07-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1480281642-2266877034-3838737573-1003UA.job
- c:\users\David Abram\AppData\Local\Google\Update\GoogleUpdate.exe [2010-03-27 18:42]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 97792 ----a-w- c:\users\David Abram\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 97792 ----a-w- c:\users\David Abram\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 97792 ----a-w- c:\users\David Abram\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2009-08-07 186904]
"SynTPEnh"="c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe" [BU]
"EnergyUtility"="c:\program files (x86)\Lenovo\Energy Management\utility.exe" [2009-09-29 4366704]
"Energy Management"="c:\program files (x86)\Lenovo\Energy Management\Energy Management.exe" [2009-08-19 5825536]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-02-12 162328]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-02-12 386584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2011-02-12 417304]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=c:\progra~2\Sophos\SOPHOS~1\sophos_detoured_x64.dll
.
------- Supplementary Scan -------
.
uStart Page = https://ofweb.stanford.edu/
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = 192.168.*.*;*.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Download with BitKinex - c:\program files (x86)\BitKinex\ieext_cp.htm
IE: &Register in BitKinex - c:\program files (x86)\BitKinex\ieext_reg.htm
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Append Link Target to Existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~2\MICROS~1\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~2\MICROS~1\Office14\ONBttnIE.dll/105
IE: Send image to &Bluetooth Device... - c:\program files\Lenovo\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\Lenovo\Bluetooth Software\btsendto_ie.htm
Trusted Zone: clonewarsadventures.com
Trusted Zone: freerealms.com
Trusted Zone: soe.com
Trusted Zone: sony.com
TCP: DhcpNameServer = 171.64.7.99 171.64.7.77 171.64.7.55
FF - ProfilePath - c:\users\David Abram\AppData\Roaming\Mozilla\Firefox\Profiles\dl3kehyw.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=WLETDF&PC=WLEM&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - google.com
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=greentree_ff1&ei=utf-8&ilc=12&type=386496&p=
FF - prefs.js: network.proxy.type - 2
user_pref('extensions.autoDisableScopes', 0);user_pref('security.csp.enable', false);user_pref('security.OCSP.enabled', 0);
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\msftesql$CSSQL05]
"ImagePath"="\"c:\program files (x86)\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\msftesql.exe\" -s:MSSQL.2 -f:CSSQL05"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1480281642-2266877034-3838737573-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eml\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.Email.1"
.
[HKEY_USERS\S-1-5-21-1480281642-2266877034-3838737573-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vcf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.VCard.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10t_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10t_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash10t.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash10t.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash10t.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\windows\\SysWOW64\\Macromed\\Flash\\Flash10t.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Schema Library\ActionsPane3\0]
"Location"="c:\\Program Files (x86)\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
"Key"="ActionsPane3"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-07-10 09:18:36
ComboFix-quarantined-files.txt 2012-07-10 16:18
ComboFix2.txt 2012-07-10 00:48
.
Pre-Run: 139,157,200,896 bytes free
Post-Run: 139,139,166,208 bytes free
.
- - End Of File - - FCD3DD55343C53204E93D291F7E3624A

#10 CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 10 July 2012 - 11:47 AM

Please run the following:

Please download TDSSKiller.zip
  • Extract it to your desktop
  • Double click TDSSKiller.exe
  • when the window opens, click on Change Parameters
  • under "Additional options", put a check mark in the box next to "Detect TDLFS File System"
  • click OK
  • Press Start Scan
    • If Malicious objects are found then ensure Cure is selected
    • If TDLFS File System is found then ensure Delete is selected
    • Then click Continue > Reboot now
  • Copy and paste the log in your next reply
    • A copy of the log will be saved automatically to the root of the drive (typically C:\)

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#11 dabram

  • Topic Starter

  • Members
  • 17 posts

Posted 10 July 2012 - 12:12 PM

TDSS log below.
5 objects still in Sophos quarantine.


TDSSKiller.2.7.45.0_10.07.2012_09.53.42_log
09:53:42.0300 5568 TDSS rootkit removing tool 2.7.45.0 Jul 9 2012 12:46:35
09:53:42.0753 5568 ============================================================
09:53:42.0753 5568 Current date / time: 2012/07/10 09:53:42.0753
09:53:42.0753 5568 SystemInfo:
09:53:42.0753 5568
09:53:42.0753 5568 OS Version: 6.1.7601 ServicePack: 1.0
09:53:42.0753 5568 Product type: Workstation
09:53:42.0753 5568 ComputerName: MOM
09:53:42.0753 5568 UserName: David Abram
09:53:42.0753 5568 Windows directory: C:\windows
09:53:42.0753 5568 System windows directory: C:\windows
09:53:42.0753 5568 Running under WOW64
09:53:42.0753 5568 Processor architecture: Intel x64
09:53:42.0753 5568 Number of processors: 2
09:53:42.0768 5568 Page size: 0x1000
09:53:42.0768 5568 Boot type: Normal boot
09:53:42.0768 5568 ============================================================
09:53:43.0642 5568 Drive \Device\Harddisk0\DR0 - Size: 0x4A85D56000 (298.09 Gb), SectorSize: 0x200, Cylinders: 0x9801, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000040
09:53:43.0642 5568 ============================================================
09:53:43.0642 5568 \Device\Harddisk0\DR0:
09:53:43.0642 5568 MBR partitions:
09:53:43.0642 5568 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x800, BlocksNum 0x64000
09:53:43.0642 5568 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x64800, BlocksNum 0x1F9A0000
09:53:43.0673 5568 \Device\Harddisk0\DR0\Partition2: MBR, Type 0x7, StartLBA 0x1FA05000, BlocksNum 0x3CA7000
09:53:43.0673 5568 ============================================================
09:53:43.0704 5568 C: <-> \Device\Harddisk0\DR0\Partition1
09:53:43.0751 5568 D: <-> \Device\Harddisk0\DR0\Partition2
09:53:43.0751 5568 ============================================================
09:53:43.0751 5568 Initialize success
09:53:43.0751 5568 ============================================================
09:53:58.0760 5736 ============================================================
09:53:58.0760 5736 Scan started
09:53:58.0760 5736 Mode: Manual; TDLFS;
09:53:58.0760 5736 ============================================================
09:54:12.0256 5736 gupdatem - ok
09:54:12.0288 5736 gusvc (c1b577b2169900f4cf7190c39f085794) C:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe
09:54:12.0320 5736 gusvc - ok
09:54:12.0367 5736 hcw85cir (f2523ef6460fc42405b12248338ab2f0) C:\windows\system32\drivers\hcw85cir.sys
09:54:12.0382 5736 hcw85cir - ok
09:54:12.0460 5736 HdAudAddService (975761c778e33cd22498059b91e7373a) C:\windows\system32\drivers\HdAudio.sys
09:54:12.0491 5736 HdAudAddService - ok
09:54:12.0585 5736 HDAudBus (97bfed39b6b79eb12cddbfeed51f56bb) C:\windows\system32\drivers\HDAudBus.sys
09:54:12.0585 5736 HDAudBus - ok
09:54:12.0601 5736 HidBatt (78e86380454a7b10a5eb255dc44a355f) C:\windows\system32\DRIVERS\HidBatt.sys
09:54:12.0632 5736 HidBatt - ok
09:54:12.0647 5736 HidBth (7fd2a313f7afe5c4dab14798c48dd104) C:\windows\system32\DRIVERS\hidbth.sys
09:54:12.0679 5736 HidBth - ok
09:54:12.0710 5736 HidIr (0a77d29f311b88cfae3b13f9c1a73825) C:\windows\system32\DRIVERS\hidir.sys
09:54:12.0725 5736 HidIr - ok
09:54:12.0757 5736 hidserv (bd9eb3958f213f96b97b1d897dee006d) C:\windows\System32\hidserv.dll
09:54:12.0788 5736 hidserv - ok
09:54:12.0819 5736 HidUsb (9592090a7e2b61cd582b612b6df70536) C:\windows\system32\DRIVERS\hidusb.sys
09:54:12.0835 5736 HidUsb - ok
09:54:12.0913 5736 hkmsvc (387e72e739e15e3d37907a86d9ff98e2) C:\windows\system32\kmsvc.dll
09:54:12.0991 5736 hkmsvc - ok
09:54:13.0053 5736 HomeGroupListener (efdfb3dd38a4376f93e7985173813abd) C:\windows\system32\ListSvc.dll
09:54:13.0131 5736 HomeGroupListener - ok
09:54:13.0178 5736 HomeGroupProvider (908acb1f594274965a53926b10c81e89) C:\windows\system32\provsvc.dll
09:54:13.0209 5736 HomeGroupProvider - ok
09:54:13.0256 5736 HpSAMD (39d2abcd392f3d8a6dce7b60ae7b8efc) C:\windows\system32\drivers\HpSAMD.sys
09:54:13.0271 5736 HpSAMD - ok
09:54:13.0365 5736 HTTP (0ea7de1acb728dd5a369fd742d6eee28) C:\windows\system32\drivers\HTTP.sys
09:54:13.0427 5736 HTTP - ok
09:54:13.0474 5736 hwpolicy (a5462bd6884960c9dc85ed49d34ff392) C:\windows\system32\drivers\hwpolicy.sys
09:54:13.0505 5736 hwpolicy - ok
09:54:13.0568 5736 i8042prt (fa55c73d4affa7ee23ac4be53b4592d3) C:\windows\system32\drivers\i8042prt.sys
09:54:13.0599 5736 i8042prt - ok
09:54:13.0708 5736 IAANTMON (0e899d0db39617aa0b2f992e7e95b5eb) C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTMon.exe
09:54:13.0724 5736 IAANTMON - ok
09:54:13.0786 5736 iaStor (bbb3b6df1abb0fe35802ede85cc1c011) C:\windows\system32\DRIVERS\iaStor.sys
09:54:13.0802 5736 iaStor - ok
09:54:13.0880 5736 iaStorV (aaaf44db3bd0b9d1fb6969b23ecc8366) C:\windows\system32\drivers\iaStorV.sys
09:54:13.0942 5736 iaStorV - ok
09:54:14.0083 5736 idsvc (5988fc40f8db5b0739cd1e3a5d0d78bd) C:\windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\infocard.exe
09:54:14.0285 5736 idsvc - ok
09:54:15.0097 5736 igfx (c6238c6abd6ac99f5d152da4e9439a3d) C:\windows\system32\DRIVERS\igdkmd64.sys
09:54:15.0393 5736 igfx - ok
09:54:15.0549 5736 iirsp (5c18831c61933628f5bb0ea2675b9d21) C:\windows\system32\DRIVERS\iirsp.sys
09:54:15.0565 5736 iirsp - ok
09:54:15.0689 5736 IKEEXT (fcd84c381e0140af901e58d48882d26b) C:\windows\System32\ikeext.dll
09:54:15.0721 5736 IKEEXT - ok
09:54:15.0923 5736 IntcAzAudAddService (bea724f57b1525883b72856fb8caa410) C:\windows\system32\drivers\RTKVHD64.sys
09:54:16.0033 5736 IntcAzAudAddService - ok
09:54:16.0204 5736 IntcHdmiAddService (88a20fa54c73ded4e8dac764e9130ae9) C:\windows\system32\drivers\IntcHdmi.sys
09:54:16.0235 5736 IntcHdmiAddService - ok
09:54:16.0298 5736 intelide (f00f20e70c6ec3aa366910083a0518aa) C:\windows\system32\drivers\intelide.sys
09:54:16.0329 5736 intelide - ok
09:54:16.0376 5736 intelppm (ada036632c664caa754079041cf1f8c1) C:\windows\system32\DRIVERS\intelppm.sys
09:54:16.0376 5736 intelppm - ok
09:54:16.0407 5736 IPBusEnum (098a91c54546a3b878dad6a7e90a455b) C:\windows\system32\ipbusenum.dll
09:54:16.0438 5736 IPBusEnum - ok
09:54:16.0501 5736 IpFilterDriver (c9f0e1bd74365a8771590e9008d22ab6) C:\windows\system32\DRIVERS\ipfltdrv.sys
09:54:16.0516 5736 IpFilterDriver - ok
09:54:16.0594 5736 iphlpsvc (a34a587fffd45fa649fba6d03784d257) C:\windows\System32\iphlpsvc.dll
09:54:16.0610 5736 iphlpsvc - ok
09:54:16.0657 5736 IPMIDRV (0fc1aea580957aa8817b8f305d18ca3a) C:\windows\system32\drivers\IPMIDrv.sys
09:54:16.0688 5736 IPMIDRV - ok
09:54:16.0735 5736 IPNAT (af9b39a7e7b6caa203b3862582e9f2d0) C:\windows\system32\drivers\ipnat.sys
09:54:16.0766 5736 IPNAT - ok
09:54:16.0922 5736 iPod Service (755e4ba6dce627a2683bb7640553c8d6) C:\Program Files\iPod\bin\iPodService.exe
09:54:16.0984 5736 iPod Service - ok
09:54:17.0015 5736 IRENUM (3abf5e7213eb28966d55d58b515d5ce9) C:\windows\system32\drivers\irenum.sys
09:54:17.0047 5736 IRENUM - ok
09:54:17.0078 5736 isapnp (2f7b28dc3e1183e5eb418df55c204f38) C:\windows\system32\drivers\isapnp.sys
09:54:17.0093 5736 isapnp - ok
09:54:17.0156 5736 iScsiPrt (d931d7309deb2317035b07c9f9e6b0bd) C:\windows\system32\drivers\msiscsi.sys
09:54:17.0187 5736 iScsiPrt - ok
09:54:17.0234 5736 itecir (8d990a44b4f2b68e2c56a3724ec3eb84) C:\windows\system32\DRIVERS\itecir.sys
09:54:17.0265 5736 itecir - ok
09:54:17.0327 5736 ITECIRfilter (e5aac07b053d15ba8f67ba7d49c20971) C:\windows\system32\DRIVERS\ITECIRfilter.sys
09:54:17.0343 5736 ITECIRfilter - ok
09:54:17.0390 5736 JMCR (80a1de467adf200390134d63e359937a) C:\windows\system32\DRIVERS\jmcr.sys
09:54:17.0437 5736 JMCR - ok
09:54:17.0483 5736 k57nd60a (249ee2d26cb1530f3bede0ac8b9e3099) C:\windows\system32\DRIVERS\k57nd60a.sys
09:54:17.0530 5736 k57nd60a - ok
09:54:17.0577 5736 kbdclass (bc02336f1cba7dcc7d1213bb588a68a5) C:\windows\system32\drivers\kbdclass.sys
09:54:17.0593 5736 kbdclass - ok
09:54:17.0639 5736 kbdhid (0705eff5b42a9db58548eec3b26bb484) C:\windows\system32\drivers\kbdhid.sys
09:54:17.0671 5736 kbdhid - ok
09:54:17.0702 5736 KeyIso (c118a82cd78818c29ab228366ebf81c3) C:\windows\system32\lsass.exe
09:54:17.0717 5736 KeyIso - ok
09:54:17.0733 5736 KSecDD (da1e991a61cfdd755a589e206b97644b) C:\windows\system32\Drivers\ksecdd.sys
09:54:17.0749 5736 KSecDD - ok
09:54:17.0780 5736 KSecPkg (7e33198d956943a4f11a5474c1e9106f) C:\windows\system32\Drivers\ksecpkg.sys
09:54:17.0827 5736 KSecPkg - ok
09:54:17.0858 5736 ksthunk (6869281e78cb31a43e969f06b57347c4) C:\windows\system32\drivers\ksthunk.sys
09:54:17.0873 5736 ksthunk - ok
09:54:17.0936 5736 KtmRm (6ab66e16aa859232f64deb66887a8c9c) C:\windows\system32\msdtckrm.dll
09:54:17.0967 5736 KtmRm - ok
09:54:18.0029 5736 LanmanServer (d9f42719019740baa6d1c6d536cbdaa6) C:\windows\System32\srvsvc.dll
09:54:18.0061 5736 LanmanServer - ok
09:54:18.0107 5736 LanmanWorkstation (851a1382eed3e3a7476db004f4ee3e1a) C:\windows\System32\wkssvc.dll
09:54:18.0139 5736 LanmanWorkstation - ok
09:54:18.0279 5736 lcdServiceTcWS(6.2.0) (c9aa80de3eb495cdc5d46977a5d95c82) C:\PenExe\TcWS\Ver6.2.0\Bin\LCD.EXE
09:54:18.0279 5736 lcdServiceTcWS(6.2.0) - ok
09:54:18.0326 5736 LHidFilt (241f2648adf090e2a10095bd6d6f5dcb) C:\windows\system32\DRIVERS\LHidFilt.Sys
09:54:18.0357 5736 LHidFilt - ok
09:54:18.0419 5736 lltdio (1538831cf8ad2979a04c423779465827) C:\windows\system32\DRIVERS\lltdio.sys
09:54:18.0435 5736 lltdio - ok
09:54:18.0497 5736 lltdsvc (c1185803384ab3feed115f79f109427f) C:\windows\System32\lltdsvc.dll
09:54:18.0575 5736 lltdsvc - ok
09:54:18.0591 5736 lmhosts (f993a32249b66c9d622ea5592a8b76b8) C:\windows\System32\lmhsvc.dll
09:54:18.0622 5736 lmhosts - ok
09:54:18.0638 5736 LMouFilt (342ed5a4b3326014438f36d22d803737) C:\windows\system32\DRIVERS\LMouFilt.Sys
09:54:18.0669 5736 LMouFilt - ok
09:54:18.0716 5736 LSI_FC (1a93e54eb0ece102495a51266dcdb6a6) C:\windows\system32\DRIVERS\lsi_fc.sys
09:54:18.0747 5736 LSI_FC - ok
09:54:18.0778 5736 LSI_SAS (1047184a9fdc8bdbff857175875ee810) C:\windows\system32\DRIVERS\lsi_sas.sys
09:54:18.0809 5736 LSI_SAS - ok
09:54:18.0841 5736 LSI_SAS2 (30f5c0de1ee8b5bc9306c1f0e4a75f93) C:\windows\system32\DRIVERS\lsi_sas2.sys
09:54:18.0856 5736 LSI_SAS2 - ok
09:54:18.0903 5736 LSI_SCSI (0504eacaff0d3c8aed161c4b0d369d4a) C:\windows\system32\DRIVERS\lsi_scsi.sys
09:54:18.0934 5736 LSI_SCSI - ok
09:54:18.0981 5736 luafv (43d0f98e1d56ccddb0d5254cff7b356e) C:\windows\system32\drivers\luafv.sys
09:54:19.0012 5736 luafv - ok
09:54:19.0075 5736 LUsbFilt (29c733e1de824670dc9315cfc9bdbcd3) C:\windows\system32\Drivers\LUsbFilt.Sys
09:54:19.0090 5736 LUsbFilt - ok
09:54:19.0153 5736 MBAMProtector (dbc08862a71459e74f7538b432c114cc) C:\windows\system32\drivers\mbam.sys
09:54:19.0184 5736 MBAMProtector - ok
09:54:19.0309 5736 MBAMService (ba400ed640bca1eae5c727ae17c10207) C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
09:54:19.0340 5736 MBAMService - ok
09:54:19.0402 5736 Mcx2Svc (0be09cd858abf9df6ed259d57a1a1663) C:\windows\system32\Mcx2Svc.dll
09:54:19.0465 5736 Mcx2Svc - ok
09:54:19.0574 5736 MDM (7cf1b716372b89568ae4c0fe769f5869) C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
09:54:19.0574 5736 MDM - ok
09:54:19.0605 5736 megasas (a55805f747c6edb6a9080d7c633bd0f4) C:\windows\system32\DRIVERS\megasas.sys
09:54:19.0636 5736 megasas - ok
09:54:19.0667 5736 MegaSR (baf74ce0072480c3b6b7c13b2a94d6b3) C:\windows\system32\DRIVERS\MegaSR.sys
09:54:19.0699 5736 MegaSR - ok
09:54:19.0730 5736 MMCSS (e40e80d0304a73e8d269f7141d77250b) C:\windows\system32\mmcss.dll
09:54:19.0745 5736 MMCSS - ok
09:54:19.0761 5736 Modem (800ba92f7010378b09f9ed9270f07137) C:\windows\system32\drivers\modem.sys
09:54:19.0777 5736 Modem - ok
09:54:19.0808 5736 monitor (b03d591dc7da45ece20b3b467e6aadaa) C:\windows\system32\DRIVERS\monitor.sys
09:54:19.0808 5736 monitor - ok
09:54:19.0855 5736 motccgp (c94a2ea3fdfa5d650884926b710b7db1) C:\windows\system32\DRIVERS\motccgp.sys
09:54:19.0886 5736 motccgp - ok
09:54:19.0933 5736 motccgpfl (d51e009baeda07ebc107d49d224c2414) C:\windows\system32\DRIVERS\motccgpfl.sys
09:54:19.0948 5736 motccgpfl - ok
09:54:19.0964 5736 MotDev - ok
09:54:20.0011 5736 motmodem (060f0ef84f430802df3788f3dcfd009c) C:\windows\system32\DRIVERS\motmodem.sys
09:54:20.0042 5736 motmodem - ok
09:54:20.0135 5736 MotoHelper (9dfd34e6841c460b5d992a1c5327ae69) C:\Program Files (x86)\Motorola\MotoHelper\MotoHelperService.exe
09:54:20.0151 5736 MotoHelper - ok
09:54:20.0198 5736 MotoHelper.exe (2708dfe5e9adfc94e56daea76dde614d) C:\Program Files (x86)\Motorola\Moto Helper Service\MotoHelper.exe
09:54:20.0229 5736 MotoHelper.exe - ok
09:54:20.0260 5736 MotoSwitchService (ebd05f60cafc5bba2602b8d7101082d3) C:\windows\system32\DRIVERS\motswch.sys
09:54:20.0276 5736 MotoSwitchService - ok
09:54:20.0323 5736 Motousbnet (87701078c3f720ac7a028e937994cc49) C:\windows\system32\DRIVERS\Motousbnet.sys
09:54:20.0338 5736 Motousbnet - ok
09:54:20.0354 5736 motport - ok
09:54:20.0401 5736 motusbdevice (d075b1d964a314d240f5498773ee89df) C:\windows\system32\DRIVERS\motusbdevice.sys
09:54:20.0416 5736 motusbdevice - ok
09:54:20.0479 5736 mouclass (7d27ea49f3c1f687d357e77a470aea99) C:\windows\system32\DRIVERS\mouclass.sys
09:54:20.0510 5736 mouclass - ok
09:54:20.0541 5736 mouhid (d3bf052c40b0c4166d9fd86a4288c1e6) C:\windows\system32\DRIVERS\mouhid.sys
09:54:20.0557 5736 mouhid - ok
09:54:20.0603 5736 mountmgr (32e7a3d591d671a6df2db515a5cbe0fa) C:\windows\system32\drivers\mountmgr.sys
09:54:20.0635 5736 mountmgr - ok
09:54:20.0713 5736 MozillaMaintenance (15d5398eed42c2504bb3d4fc875c15d1) C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
09:54:20.0759 5736 MozillaMaintenance - ok
09:54:20.0806 5736 mpio (a44b420d30bd56e145d6a2bc8768ec58) C:\windows\system32\drivers\mpio.sys
09:54:20.0837 5736 mpio - ok
09:54:20.0869 5736 mpsdrv (6c38c9e45ae0ea2fa5e551f2ed5e978f) C:\windows\system32\drivers\mpsdrv.sys
09:54:20.0900 5736 mpsdrv - ok
09:54:21.0009 5736 MpsSvc (54ffc9c8898113ace189d4aa7199d2c1) C:\windows\system32\mpssvc.dll
09:54:21.0025 5736 MpsSvc - ok
09:54:21.0071 5736 MRxDAV (dc722758b8261e1abafd31a3c0a66380) C:\windows\system32\drivers\mrxdav.sys
09:54:21.0103 5736 MRxDAV - ok
09:54:21.0149 5736 mrxsmb (a5d9106a73dc88564c825d317cac68ac) C:\windows\system32\DRIVERS\mrxsmb.sys
09:54:21.0181 5736 mrxsmb - ok
09:54:21.0243 5736 mrxsmb10 (d711b3c1d5f42c0c2415687be09fc163) C:\windows\system32\DRIVERS\mrxsmb10.sys
09:54:21.0305 5736 mrxsmb10 - ok
09:54:21.0368 5736 mrxsmb20 (9423e9d355c8d303e76b8cfbd8a5c30c) C:\windows\system32\DRIVERS\mrxsmb20.sys
09:54:21.0399 5736 mrxsmb20 - ok
09:54:21.0446 5736 msahci (c25f0bafa182cbca2dd3c851c2e75796) C:\windows\system32\drivers\msahci.sys
09:54:21.0461 5736 msahci - ok
09:54:21.0508 5736 msdsm (db801a638d011b9633829eb6f663c900) C:\windows\system32\drivers\msdsm.sys
09:54:21.0539 5736 msdsm - ok
09:54:21.0586 5736 MSDTC (de0ece52236cfa3ed2dbfc03f28253a8) C:\windows\System32\msdtc.exe
09:54:21.0633 5736 MSDTC - ok
09:54:21.0664 5736 Msfs (aa3fb40e17ce1388fa1bedab50ea8f96) C:\windows\system32\drivers\Msfs.sys
09:54:21.0695 5736 Msfs - ok
09:54:21.0789 5736 msftesql$CSSQL05 (54819fc5c79e4b2c6e896f9de440494d) c:\Program Files (x86)\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\msftesql.exe
09:54:21.0789 5736 msftesql$CSSQL05 - ok
09:54:21.0820 5736 mshidkmdf (f9d215a46a8b9753f61767fa72a20326) C:\windows\System32\drivers\mshidkmdf.sys
09:54:21.0851 5736 mshidkmdf - ok
09:54:21.0883 5736 msisadrv (d916874bbd4f8b07bfb7fa9b3ccae29d) C:\windows\system32\drivers\msisadrv.sys
09:54:21.0914 5736 msisadrv - ok
09:54:21.0945 5736 MSiSCSI (808e98ff49b155c522e6400953177b08) C:\windows\system32\iscsiexe.dll
09:54:22.0054 5736 MSiSCSI - ok
09:54:22.0054 5736 msiserver - ok
09:54:22.0101 5736 MSKSSRV (49ccf2c4fea34ffad8b1b59d49439366) C:\windows\system32\drivers\MSKSSRV.sys
09:54:22.0117 5736 MSKSSRV - ok
09:54:22.0148 5736 MSPCLOCK (bdd71ace35a232104ddd349ee70e1ab3) C:\windows\system32\drivers\MSPCLOCK.sys
09:54:22.0163 5736 MSPCLOCK - ok
09:54:22.0179 5736 MSPQM (4ed981241db27c3383d72092b618a1d0) C:\windows\system32\drivers\MSPQM.sys
09:54:22.0195 5736 MSPQM - ok
09:54:22.0273 5736 MsRPC (759a9eeb0fa9ed79da1fb7d4ef78866d) C:\windows\system32\drivers\MsRPC.sys
09:54:22.0319 5736 MsRPC - ok
09:54:22.0335 5736 mssmbios (0eed230e37515a0eaee3c2e1bc97b288) C:\windows\system32\drivers\mssmbios.sys
09:54:22.0335 5736 mssmbios - ok
09:54:22.0351 5736 MSSQL$CSSQL05 - ok
09:54:22.0397 5736 MSSQL$MSSMLBIZ - ok
09:54:22.0444 5736 MSSQLServerADHelper (1d89eb4e2a99cabd4e81225f4f4c4b25) c:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqladhlp90.exe
09:54:22.0460 5736 MSSQLServerADHelper - ok
09:54:22.0507 5736 MSTEE (2e66f9ecb30b4221a318c92ac2250779) C:\windows\system32\drivers\MSTEE.sys
09:54:22.0522 5736 MSTEE - ok
09:54:22.0538 5736 MTConfig (7ea404308934e675bffde8edf0757bcd) C:\windows\system32\DRIVERS\MTConfig.sys
09:54:22.0553 5736 MTConfig - ok
09:54:22.0600 5736 Mup (f9a18612fd3526fe473c1bda678d61c8) C:\windows\system32\Drivers\mup.sys
09:54:22.0616 5736 Mup - ok
09:54:22.0694 5736 napagent (582ac6d9873e31dfa28a4547270862dd) C:\windows\system32\qagentRT.dll
09:54:22.0694 5736 napagent - ok
09:54:22.0772 5736 NativeWifiP (1ea3749c4114db3e3161156ffffa6b33) C:\windows\system32\DRIVERS\nwifi.sys
09:54:22.0819 5736 NativeWifiP - ok
09:54:22.0897 5736 NDIS (79b47fd40d9a817e932f9d26fac0a81c) C:\windows\system32\drivers\ndis.sys
09:54:22.0912 5736 NDIS - ok
09:54:22.0928 5736 NdisCap (9f9a1f53aad7da4d6fef5bb73ab811ac) C:\windows\system32\DRIVERS\ndiscap.sys
09:54:22.0943 5736 NdisCap - ok
09:54:22.0975 5736 NdisTapi (30639c932d9fef22b31268fe25a1b6e5) C:\windows\system32\DRIVERS\ndistapi.sys
09:54:23.0006 5736 NdisTapi - ok
09:54:23.0037 5736 Ndisuio (136185f9fb2cc61e573e676aa5402356) C:\windows\system32\DRIVERS\ndisuio.sys
09:54:23.0068 5736 Ndisuio - ok
09:54:23.0115 5736 NdisWan (53f7305169863f0a2bddc49e116c2e11) C:\windows\system32\DRIVERS\ndiswan.sys
09:54:23.0146 5736 NdisWan - ok
09:54:23.0193 5736 NDProxy (015c0d8e0e0421b4cfd48cffe2825879) C:\windows\system32\drivers\NDProxy.sys
09:54:23.0209 5736 NDProxy - ok
09:54:23.0224 5736 NetBIOS (86743d9f5d2b1048062b14b1d84501c4) C:\windows\system32\DRIVERS\netbios.sys
09:54:23.0255 5736 NetBIOS - ok
09:54:23.0318 5736 NetBT (09594d1089c523423b32a4229263f068) C:\windows\system32\DRIVERS\netbt.sys
09:54:23.0365 5736 NetBT - ok
09:54:23.0427 5736 Netlogon (c118a82cd78818c29ab228366ebf81c3) C:\windows\system32\lsass.exe
09:54:23.0427 5736 Netlogon - ok
09:54:23.0489 5736 Netman (847d3ae376c0817161a14a82c8922a9e) C:\windows\System32\netman.dll
09:54:23.0536 5736 Netman - ok
09:54:23.0583 5736 netprofm (5f28111c648f1e24f7dbc87cdeb091b8) C:\windows\System32\netprofm.dll
09:54:23.0599 5736 netprofm - ok
09:54:23.0677 5736 NetTcpPortSharing (3e5a36127e201ddf663176b66828fafe) C:\windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\SMSvcHost.exe
09:54:23.0817 5736 NetTcpPortSharing - ok
09:54:24.0363 5736 NETw5s64 (4d85a450edef10c38882182753a49aae) C:\windows\system32\DRIVERS\NETw5s64.sys
09:54:24.0535 5736 NETw5s64 - ok
09:54:24.0987 5736 netw5v64 (705283c02177809ca9fa7cc58a4f1e77) C:\windows\system32\DRIVERS\netw5v64.sys
09:54:25.0159 5736 netw5v64 - ok
09:54:25.0330 5736 nfrd960 (77889813be4d166cdab78ddba990da92) C:\windows\system32\DRIVERS\nfrd960.sys
09:54:25.0361 5736 nfrd960 - ok
09:54:25.0424 5736 NlaSvc (1ee99a89cc788ada662441d1e9830529) C:\windows\System32\nlasvc.dll
09:54:25.0471 5736 NlaSvc - ok
09:54:25.0486 5736 Npfs (1e4c4ab5c9b8dd13179bbdc75a2a01f7) C:\windows\system32\drivers\Npfs.sys
09:54:25.0502 5736 Npfs - ok
09:54:25.0549 5736 nsi (d54bfdf3e0c953f823b3d0bfe4732528) C:\windows\system32\nsisvc.dll
09:54:25.0564 5736 nsi - ok
09:54:25.0580 5736 nsiproxy (e7f5ae18af4168178a642a9247c63001) C:\windows\system32\drivers\nsiproxy.sys
09:54:25.0595 5736 nsiproxy - ok
09:54:25.0767 5736 Ntfs (a2f74975097f52a00745f9637451fdd8) C:\windows\system32\drivers\Ntfs.sys
09:54:25.0845 5736 Ntfs - ok
09:54:25.0985 5736 Null (9899284589f75fa8724ff3d16aed75c1) C:\windows\system32\drivers\Null.sys
09:54:26.0001 5736 Null - ok
09:54:26.0063 5736 nvraid (0a92cb65770442ed0dc44834632f66ad) C:\windows\system32\drivers\nvraid.sys
09:54:26.0095 5736 nvraid - ok
09:54:26.0126 5736 nvstor (dab0e87525c10052bf65f06152f37e4a) C:\windows\system32\drivers\nvstor.sys
09:54:26.0157 5736 nvstor - ok
09:54:26.0204 5736 nv_agp (270d7cd42d6e3979f6dd0146650f0e05) C:\windows\system32\drivers\nv_agp.sys
09:54:26.0235 5736 nv_agp - ok
09:54:26.0282 5736 ohci1394 (3589478e4b22ce21b41fa1bfc0b8b8a0) C:\windows\system32\DRIVERS\ohci1394.sys
09:54:26.0282 5736 ohci1394 - ok
09:54:26.0391 5736 ose (9d10f99a6712e28f8acd5641e3a7ea6b) C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
09:54:26.0422 5736 ose - ok
09:54:26.0890 5736 osppsvc (61bffb5f57ad12f83ab64b7181829b34) C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
09:54:27.0327 5736 osppsvc - ok
09:54:27.0499 5736 p2pimsvc (3eac4455472cc2c97107b5291e0dcafe) C:\windows\system32\pnrpsvc.dll
09:54:27.0499 5736 p2pimsvc - ok
09:54:27.0545 5736 p2psvc (927463ecb02179f88e4b9a17568c63c3) C:\windows\system32\p2psvc.dll
09:54:27.0592 5736 p2psvc - ok
09:54:27.0639 5736 Parport (0086431c29c35be1dbc43f52cc273887) C:\windows\system32\DRIVERS\parport.sys
09:54:27.0670 5736 Parport - ok
09:54:27.0717 5736 partmgr (e9766131eeade40a27dc27d2d68fba9c) C:\windows\system32\drivers\partmgr.sys
09:54:27.0733 5736 partmgr - ok
09:54:27.0764 5736 PcaSvc (3aeaa8b561e63452c655dc0584922257) C:\windows\System32\pcasvc.dll
09:54:27.0795 5736 PcaSvc - ok
09:54:27.0842 5736 pci (94575c0571d1462a0f70bde6bd6ee6b3) C:\windows\system32\drivers\pci.sys
09:54:27.0873 5736 pci - ok
09:54:27.0889 5736 pciide (b5b8b5ef2e5cb34df8dcf8831e3534fa) C:\windows\system32\drivers\pciide.sys
09:54:27.0920 5736 pciide - ok
09:54:27.0951 5736 pcmcia (b2e81d4e87ce48589f98cb8c05b01f2f) C:\windows\system32\DRIVERS\pcmcia.sys
09:54:27.0982 5736 pcmcia - ok
09:54:27.0998 5736 pcw (d6b9c2e1a11a3a4b26a182ffef18f603) C:\windows\system32\drivers\pcw.sys
09:54:28.0013 5736 pcw - ok
09:54:28.0076 5736 PEAUTH (68769c3356b3be5d1c732c97b9a80d6e) C:\windows\system32\drivers\peauth.sys
09:54:28.0123 5736 PEAUTH - ok
09:54:28.0216 5736 PerfHost (e495e408c93141e8fc72dc0c6046ddfa) C:\windows\SysWow64\perfhost.exe
09:54:28.0232 5736 PerfHost - ok
09:54:28.0450 5736 pla (c7cf6a6e137463219e1259e3f0f0dd6c) C:\windows\system32\pla.dll
09:54:28.0513 5736 pla - ok
09:54:28.0669 5736 PlugPlay (25fbdef06c4d92815b353f6e792c8129) C:\windows\system32\umpnpmgr.dll
09:54:28.0669 5736 PlugPlay - ok
09:54:28.0731 5736 Pml Driver HPZ12 (f485770eec8959684cc4c4786b63c06c) C:\windows\system32\HPZipm12.dll
09:54:28.0809 5736 Pml Driver HPZ12 - ok
09:54:28.0840 5736 PNRPAutoReg (7195581cec9bb7d12abe54036acc2e38) C:\windows\system32\pnrpauto.dll
09:54:28.0856 5736 PNRPAutoReg - ok
09:54:28.0887 5736 PNRPsvc (3eac4455472cc2c97107b5291e0dcafe) C:\windows\system32\pnrpsvc.dll
09:54:28.0903 5736 PNRPsvc - ok
09:54:28.0965 5736 PolicyAgent (4f15d75adf6156bf56eced6d4a55c389) C:\windows\System32\ipsecsvc.dll
09:54:29.0012 5736 PolicyAgent - ok
09:54:29.0043 5736 Power (6ba9d927dded70bd1a9caded45f8b184) C:\windows\system32\umpo.dll
09:54:29.0059 5736 Power - ok
09:54:29.0137 5736 PptpMiniport (f92a2c41117a11a00be01ca01a7fcde9) C:\windows\system32\DRIVERS\raspptp.sys
09:54:29.0168 5736 PptpMiniport - ok
09:54:29.0199 5736 Processor (0d922e23c041efb1c3fac2a6f943c9bf) C:\windows\system32\DRIVERS\processr.sys
09:54:29.0246 5736 Processor - ok
09:54:29.0324 5736 ProfSvc (5c78838b4d166d1a27db3a8a820c799a) C:\windows\system32\profsvc.dll
09:54:29.0339 5736 ProfSvc - ok
09:54:29.0402 5736 ProtectedStorage (c118a82cd78818c29ab228366ebf81c3) C:\windows\system32\lsass.exe
09:54:29.0402 5736 ProtectedStorage - ok
09:54:29.0464 5736 Psched (0557cf5a2556bd58e26384169d72438d) C:\windows\system32\DRIVERS\pacer.sys
09:54:29.0464 5736 Psched - ok
09:54:29.0511 5736 PxHlpa64 (87b04878a6d59d6c79251dc960c674c1) C:\windows\system32\Drivers\PxHlpa64.sys
09:54:29.0527 5736 PxHlpa64 - ok
09:54:29.0651 5736 ql2300 (a53a15a11ebfd21077463ee2c7afeef0) C:\windows\system32\DRIVERS\ql2300.sys
09:54:29.0729 5736 ql2300 - ok
09:54:29.0885 5736 ql40xx (4f6d12b51de1aaeff7dc58c4d75423c8) C:\windows\system32\DRIVERS\ql40xx.sys
09:54:29.0917 5736 ql40xx - ok
09:54:29.0963 5736 QWAVE (906191634e99aea92c4816150bda3732) C:\windows\system32\qwave.dll
09:54:29.0995 5736 QWAVE - ok
09:54:30.0010 5736 QWAVEdrv (76707bb36430888d9ce9d705398adb6c) C:\windows\system32\drivers\qwavedrv.sys
09:54:30.0026 5736 QWAVEdrv - ok
09:54:30.0041 5736 RasAcd (5a0da8ad5762fa2d91678a8a01311704) C:\windows\system32\DRIVERS\rasacd.sys
09:54:30.0057 5736 RasAcd - ok
09:54:30.0104 5736 RasAgileVpn (7ecff9b22276b73f43a99a15a6094e90) C:\windows\system32\DRIVERS\AgileVpn.sys
09:54:30.0119 5736 RasAgileVpn - ok
09:54:30.0151 5736 RasAuto (8f26510c5383b8dbe976de1cd00fc8c7) C:\windows\System32\rasauto.dll
09:54:30.0275 5736 RasAuto - ok
09:54:30.0322 5736 Rasl2tp (471815800ae33e6f1c32fb1b97c490ca) C:\windows\system32\DRIVERS\rasl2tp.sys
09:54:30.0353 5736 Rasl2tp - ok
09:54:30.0431 5736 RasMan (ee867a0870fc9e4972ba9eaad35651e2) C:\windows\System32\rasmans.dll
09:54:30.0463 5736 RasMan - ok
09:54:30.0478 5736 RasPppoe (855c9b1cd4756c5e9a2aa58a15f58c25) C:\windows\system32\DRIVERS\raspppoe.sys
09:54:30.0509 5736 RasPppoe - ok
09:54:30.0525 5736 RasSstp (e8b1e447b008d07ff47d016c2b0eeecb) C:\windows\system32\DRIVERS\rassstp.sys
09:54:30.0541 5736 RasSstp - ok
09:54:30.0603 5736 rdbss (77f665941019a1594d887a74f301fa2f) C:\windows\system32\DRIVERS\rdbss.sys
09:54:30.0650 5736 rdbss - ok
09:54:30.0665 5736 rdpbus (302da2a0539f2cf54d7c6cc30c1f2d8d) C:\windows\system32\DRIVERS\rdpbus.sys
09:54:30.0681 5736 rdpbus - ok
09:54:30.0712 5736 RDPCDD (cea6cc257fc9b7715f1c2b4849286d24) C:\windows\system32\DRIVERS\RDPCDD.sys
09:54:30.0728 5736 RDPCDD - ok
09:54:30.0759 5736 RDPENCDD (bb5971a4f00659529a5c44831af22365) C:\windows\system32\drivers\rdpencdd.sys
09:54:30.0790 5736 RDPENCDD - ok
09:54:30.0806 5736 RDPREFMP (216f3fa57533d98e1f74ded70113177a) C:\windows\system32\drivers\rdprefmp.sys
09:54:30.0837 5736 RDPREFMP - ok
09:54:30.0884 5736 RDPWD (6d76e6433574b058adcb0c50df834492) C:\windows\system32\drivers\RDPWD.sys
09:54:30.0915 5736 RDPWD - ok
09:54:30.0962 5736 rdyboost (34ed295fa0121c241bfef24764fc4520) C:\windows\system32\drivers\rdyboost.sys
09:54:30.0993 5736 rdyboost - ok
09:54:31.0040 5736 RemoteAccess (254fb7a22d74e5511c73a3f6d802f192) C:\windows\System32\mprdim.dll
09:54:31.0071 5736 RemoteAccess - ok
09:54:31.0118 5736 RemoteRegistry (e4d94f24081440b5fc5aa556c7c62702) C:\windows\system32\regsvc.dll
09:54:31.0149 5736 RemoteRegistry - ok
09:54:31.0211 5736 RFCOMM (3dd798846e2c28102b922c56e71b7932) C:\windows\system32\DRIVERS\rfcomm.sys
09:54:31.0243 5736 RFCOMM - ok
09:54:31.0367 5736 RichVideo (f12a68ed55053940cadd59ca5e3468dd) C:\Program Files (x86)\Cyberlink\Shared files\RichVideo.exe
09:54:31.0367 5736 RichVideo - ok
09:54:31.0445 5736 RpcEptMapper (e4dc58cf7b3ea515ae917ff0d402a7bb) C:\windows\System32\RpcEpMap.dll
09:54:31.0477 5736 RpcEptMapper - ok
09:54:31.0492 5736 RpcLocator (d5ba242d4cf8e384db90e6a8ed850b8c) C:\windows\system32\locator.exe
09:54:31.0508 5736 RpcLocator - ok
09:54:31.0586 5736 RpcSs (5c627d1b1138676c0a7ab2c2c190d123) C:\windows\system32\rpcss.dll
09:54:31.0586 5736 RpcSs - ok
09:54:31.0633 5736 rspndr (ddc86e4f8e7456261e637e3552e804ff) C:\windows\system32\DRIVERS\rspndr.sys
09:54:31.0648 5736 rspndr - ok
09:54:31.0711 5736 SamSs (c118a82cd78818c29ab228366ebf81c3) C:\windows\system32\lsass.exe
09:54:31.0711 5736 SamSs - ok
09:54:31.0773 5736 SAVAdminService (bd57b12fa4c21b1ce7da3570410bf12d) C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SAVAdminService.exe
09:54:31.0773 5736 SAVAdminService - ok
09:54:31.0835 5736 SAVOnAccess (d9057e8ca97628e275979a09ea66b34b) C:\windows\system32\DRIVERS\savonaccess.sys
09:54:31.0867 5736 SAVOnAccess - ok
09:54:31.0898 5736 SAVService (836aec603665f6db83965ee57b3dcf57) C:\Program Files (x86)\Sophos\Sophos Anti-Virus\SavService.exe
09:54:31.0898 5736 SAVService - ok
09:54:31.0945 5736 sbp2port (ac03af3329579fffb455aa2daabbe22b) C:\windows\system32\drivers\sbp2port.sys
09:54:31.0976 5736 sbp2port - ok
09:54:32.0007 5736 SCardSvr (9b7395789e3791a3b6d000fe6f8b131e) C:\windows\System32\SCardSvr.dll
09:54:32.0038 5736 SCardSvr - ok
09:54:32.0085 5736 scfilter (253f38d0d7074c02ff8deb9836c97d2b) C:\windows\system32\DRIVERS\scfilter.sys
09:54:32.0101 5736 scfilter - ok
09:54:32.0225 5736 Schedule (262f6592c3299c005fd6bec90fc4463a) C:\windows\system32\schedsvc.dll
09:54:32.0288 5736 Schedule - ok
09:54:32.0335 5736 SCPolicySvc (f17d1d393bbc69c5322fbfafaca28c7f) C:\windows\System32\certprop.dll
09:54:32.0335 5736 SCPolicySvc - ok
09:54:32.0397 5736 sdbus (111e0ebc0ad79cb0fa014b907b231cf0) C:\windows\system32\drivers\sdbus.sys
09:54:32.0444 5736 sdbus - ok
09:54:32.0475 5736 sdcfilter (894bfbec492e9e838d9e4406a90a3edb) C:\windows\system32\DRIVERS\sdcfilter.sys
09:54:32.0506 5736 sdcfilter - ok
09:54:32.0537 5736 SDRSVC (6ea4234dc55346e0709560fe7c2c1972) C:\windows\System32\SDRSVC.dll
09:54:32.0569 5736 SDRSVC - ok
09:54:32.0600 5736 secdrv (3ea8a16169c26afbeb544e0e48421186) C:\windows\system32\drivers\secdrv.sys
09:54:32.0615 5736 secdrv - ok
09:54:32.0662 5736 seclogon (bc617a4e1b4fa8df523a061739a0bd87) C:\windows\system32\seclogon.dll
09:54:32.0693 5736 seclogon - ok
09:54:32.0725 5736 SENS (c32ab8fa018ef34c0f113bd501436d21) C:\windows\system32\sens.dll
09:54:32.0756 5736 SENS - ok
09:54:32.0771 5736 SensrSvc (0336cffafaab87a11541f1cf1594b2b2) C:\windows\system32\sensrsvc.dll
09:54:32.0787 5736 SensrSvc - ok
09:54:32.0803 5736 Serenum (cb624c0035412af0debec78c41f5ca1b) C:\windows\system32\DRIVERS\serenum.sys
09:54:32.0834 5736 Serenum - ok
09:54:32.0865 5736 Serial (c1d8e28b2c2adfaec4ba89e9fda69bd6) C:\windows\system32\DRIVERS\serial.sys
09:54:32.0881 5736 Serial - ok
09:54:32.0927 5736 sermouse (1c545a7d0691cc4a027396535691c3e3) C:\windows\system32\DRIVERS\sermouse.sys
09:54:32.0943 5736 sermouse - ok
09:54:33.0021 5736 SessionEnv (0b6231bf38174a1628c4ac812cc75804) C:\windows\system32\sessenv.dll
09:54:33.0052 5736 SessionEnv - ok
09:54:33.0099 5736 sffdisk (a554811bcd09279536440c964ae35bbf) C:\windows\system32\drivers\sffdisk.sys
09:54:33.0115 5736 sffdisk - ok
09:54:33.0146 5736 sffp_mmc (ff414f0baefeba59bc6c04b3db0b87bf) C:\windows\system32\drivers\sffp_mmc.sys
09:54:33.0177 5736 sffp_mmc - ok
09:54:33.0193 5736 sffp_sd (dd85b78243a19b59f0637dcf284da63c) C:\windows\system32\drivers\sffp_sd.sys
09:54:33.0208 5736 sffp_sd - ok
09:54:33.0224 5736 sfloppy (a9d601643a1647211a1ee2ec4e433ff4) C:\windows\system32\DRIVERS\sfloppy.sys
09:54:33.0255 5736 sfloppy - ok
09:54:33.0349 5736 SharedAccess (b95f6501a2f8b2e78c697fec401970ce) C:\windows\System32\ipnathlp.dll
09:54:33.0957 5736 SharedAccess - ok
09:54:34.0035 5736 ShellHWDetection (aaf932b4011d14052955d4b212a4da8d) C:\windows\System32\shsvcs.dll
09:54:34.0097 5736 ShellHWDetection - ok
09:54:34.0129 5736 SiSRaid2 (843caf1e5fde1ffd5ff768f23a51e2e1) C:\windows\system32\DRIVERS\SiSRaid2.sys
09:54:34.0144 5736 SiSRaid2 - ok
09:54:34.0160 5736 SiSRaid4 (6a6c106d42e9ffff8b9fcb4f754f6da4) C:\windows\system32\DRIVERS\sisraid4.sys
09:54:34.0191 5736 SiSRaid4 - ok
09:54:34.0222 5736 Smb (548260a7b8654e024dc30bf8a7c5baa4) C:\windows\system32\DRIVERS\smb.sys
09:54:34.0238 5736 Smb - ok
09:54:34.0285 5736 SNMPTRAP (6313f223e817cc09aa41811daa7f541d) C:\windows\System32\snmptrap.exe
09:54:34.0316 5736 SNMPTRAP - ok
09:54:34.0425 5736 Sophos AutoUpdate Service (b5774835a13b5ed31378aabd07746262) C:\Program Files (x86)\Sophos\AutoUpdate\ALsvc.exe
09:54:34.0425 5736 Sophos AutoUpdate Service - ok
09:54:34.0472 5736 SophosBootDriver (69fbe35a8165adbc313aa7f64b868ca1) C:\windows\system32\DRIVERS\SophosBootDriver.sys
09:54:34.0487 5736 SophosBootDriver - ok
09:54:34.0519 5736 spldr (b9e31e5cacdfe584f34f730a677803f9) C:\windows\system32\drivers\spldr.sys
09:54:34.0534 5736 spldr - ok
09:54:34.0612 5736 Spooler (b96c17b5dc1424d56eea3a99e97428cd) C:\windows\System32\spoolsv.exe
09:54:34.0659 5736 Spooler - ok
09:54:34.0955 5736 sppsvc (e17e0188bb90fae42d83e98707efa59c) C:\windows\system32\sppsvc.exe
09:54:35.0486 5736 sppsvc - ok
09:54:35.0657 5736 sppuinotify (93d7d61317f3d4bc4f4e9f8a96a7de45) C:\windows\system32\sppuinotify.dll
09:54:35.0673 5736 sppuinotify - ok
09:54:35.0782 5736 SQLBrowser (86ebd8b1f23e743aad21f4d5b4d40985) c:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe
09:54:35.0782 5736 SQLBrowser - ok
09:54:35.0860 5736 SQLWriter (3c432a96363097870995e2a3c8b66abd) c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
09:54:35.0891 5736 SQLWriter - ok
09:54:36.0001 5736 srv (441fba48bff01fdb9d5969ebc1838f0b) C:\windows\system32\DRIVERS\srv.sys
09:54:36.0032 5736 srv - ok
09:54:36.0110 5736 srv2 (b4adebbf5e3677cce9651e0f01f7cc28) C:\windows\system32\DRIVERS\srv2.sys
09:54:36.0141 5736 srv2 - ok
09:54:36.0172 5736 srvnet (27e461f0be5bff5fc737328f749538c3) C:\windows\system32\DRIVERS\srvnet.sys
09:54:36.0203 5736 srvnet - ok
09:54:36.0250 5736 SSDPSRV (51b52fbd583cde8aa9ba62b8b4298f33) C:\windows\System32\ssdpsrv.dll
09:54:36.0281 5736 SSDPSRV - ok
09:54:36.0313 5736 SstpSvc (ab7aebf58dad8daab7a6c45e6a8885cb) C:\windows\system32\sstpsvc.dll
09:54:36.0313 5736 SstpSvc - ok
09:54:36.0344 5736 stexstor (f3817967ed533d08327dc73bc4d5542a) C:\windows\system32\DRIVERS\stexstor.sys
09:54:36.0359 5736 stexstor - ok
09:54:36.0437 5736 stisvc (8dd52e8e6128f4b2da92ce27402871c1) C:\windows\System32\wiaservc.dll
09:54:36.0484 5736 stisvc - ok
09:54:36.0531 5736 swenum (d01ec09b6711a5f8e7e6564a4d0fbc90) C:\windows\system32\drivers\swenum.sys
09:54:36.0547 5736 swenum - ok
09:54:36.0749 5736 swi_service (aa5ca4a5f87c1576ff550a0372b3ed84) C:\Program Files (x86)\Sophos\Sophos Anti-Virus\Web Intelligence\swi_service.exe
09:54:36.0765 5736 swi_service - ok
09:54:36.0937 5736 swprv (e08e46fdd841b7184194011ca1955a0b) C:\windows\System32\swprv.dll
09:54:36.0937 5736 swprv - ok
09:54:37.0030 5736 SynTP (924d711941956f7420a4925592be8253) C:\windows\system32\DRIVERS\SynTP.sys
09:54:37.0077 5736 SynTP - ok
09:54:37.0233 5736 SysMain (bf9ccc0bf39b418c8d0ae8b05cf95b7d) C:\windows\system32\sysmain.dll
09:54:37.0264 5736 SysMain - ok
09:54:37.0405 5736 TabletInputService (e3c61fd7b7c2557e1f1b0b4cec713585) C:\windows\System32\TabSvc.dll
09:54:37.0436 5736 TabletInputService - ok
09:54:37.0514 5736 TapiSrv (40f0849f65d13ee87b9a9ae3c1dd6823) C:\windows\System32\tapisrv.dll
09:54:37.0545 5736 TapiSrv - ok
09:54:37.0576 5736 TBS (1be03ac720f4d302ea01d40f588162f6) C:\windows\System32\tbssvc.dll
09:54:37.0576 5736 TBS - ok
09:54:37.0763 5736 Tcpip (acb82bda8f46c84f465c1afa517dc4b9) C:\windows\system32\drivers\tcpip.sys
09:54:37.0857 5736 Tcpip - ok
09:54:38.0122 5736 TCPIP6 (acb82bda8f46c84f465c1afa517dc4b9) C:\windows\system32\DRIVERS\tcpip.sys
09:54:38.0138 5736 TCPIP6 - ok
09:54:38.0247 5736 tcpipreg (df687e3d8836bfb04fcc0615bf15a519) C:\windows\system32\drivers\tcpipreg.sys
09:54:38.0263 5736 tcpipreg - ok
09:54:38.0309 5736 TDPIPE (3371d21011695b16333a3934340c4e7c) C:\windows\system32\drivers\tdpipe.sys
09:54:38.0325 5736 TDPIPE - ok
09:54:38.0372 5736 TDTCP (51c5eceb1cdee2468a1748be550cfbc8) C:\windows\system32\drivers\tdtcp.sys
09:54:38.0387 5736 TDTCP - ok
09:54:38.0434 5736 tdx (ddad5a7ab24d8b65f8d724f5c20fd806) C:\windows\system32\DRIVERS\tdx.sys
09:54:38.0465 5736 tdx - ok
09:54:38.0512 5736 TermDD (561e7e1f06895d78de991e01dd0fb6e5) C:\windows\system32\drivers\termdd.sys
09:54:38.0543 5736 TermDD - ok
09:54:38.0606 5736 TermService (2e648163254233755035b46dd7b89123) C:\windows\System32\termsrv.dll
09:54:38.0653 5736 TermService - ok
09:54:38.0684 5736 Themes (f0344071948d1a1fa732231785a0664c) C:\windows\system32\themeservice.dll
09:54:38.0699 5736 Themes - ok
09:54:38.0731 5736 THREADORDER (e40e80d0304a73e8d269f7141d77250b) C:\windows\system32\mmcss.dll
09:54:38.0746 5736 THREADORDER - ok
09:54:38.0762 5736 TrkWks (7e7afd841694f6ac397e99d75cead49d) C:\windows\System32\trkwks.dll
09:54:38.0793 5736 TrkWks - ok
09:54:38.0855 5736 TrustedInstaller (773212b2aaa24c1e31f10246b15b276c) C:\windows\servicing\TrustedInstaller.exe
09:54:38.0855 5736 TrustedInstaller - ok
09:54:38.0918 5736 tssecsrv (ce18b2cdfc837c99e5fae9ca6cba5d30) C:\windows\system32\DRIVERS\tssecsrv.sys
09:54:38.0949 5736 tssecsrv - ok
09:54:39.0027 5736 TsUsbFlt (d11c783e3ef9a3c52c0ebe83cc5000e9) C:\windows\system32\drivers\tsusbflt.sys
09:54:39.0043 5736 TsUsbFlt - ok
09:54:39.0121 5736 tunnel (3566a8daafa27af944f5d705eaa64894) C:\windows\system32\DRIVERS\tunnel.sys
09:54:39.0121 5736 tunnel - ok
09:54:39.0167 5736 uagp35 (b4dd609bd7e282bfc683cec7eaaaad67) C:\windows\system32\DRIVERS\uagp35.sys
09:54:39.0183 5736 uagp35 - ok
09:54:39.0261 5736 udfs (ff4232a1a64012baa1fd97c7b67df593) C:\windows\system32\DRIVERS\udfs.sys
09:54:39.0308 5736 udfs - ok
09:54:39.0339 5736 UI0Detect (3cbdec8d06b9968aba702eba076364a1) C:\windows\system32\UI0Detect.exe
09:54:39.0370 5736 UI0Detect - ok
09:54:39.0417 5736 uliagpkx (4bfe1bc28391222894cbf1e7d0e42320) C:\windows\system32\drivers\uliagpkx.sys
09:54:39.0448 5736 uliagpkx - ok
09:54:39.0495 5736 umbus (dc54a574663a895c8763af0fa1ff7561) C:\windows\system32\drivers\umbus.sys
09:54:39.0511 5736 umbus - ok
09:54:39.0526 5736 UmPass (b2e8e8cb557b156da5493bbddcc1474d) C:\windows\system32\DRIVERS\umpass.sys
09:54:39.0557 5736 UmPass - ok
09:54:39.0589 5736 upnphost (d47ec6a8e81633dd18d2436b19baf6de) C:\windows\System32\upnphost.dll
09:54:39.0729 5736 upnphost - ok
09:54:39.0776 5736 USBAAPL64 (cd03479f2da26500b203ed075c146a7a) C:\windows\system32\Drivers\usbaapl64.sys
09:54:39.0791 5736 USBAAPL64 - ok
09:54:39.0823 5736 usbccgp (6f1a3157a1c89435352ceb543cdb359c) C:\windows\system32\DRIVERS\usbccgp.sys
09:54:39.0854 5736 usbccgp - ok
09:54:39.0916 5736 usbcir (af0892a803fdda7492f595368e3b68e7) C:\windows\system32\drivers\usbcir.sys
09:54:39.0963 5736 usbcir - ok
09:54:39.0994 5736 usbehci (c025055fe7b87701eb042095df1a2d7b) C:\windows\system32\DRIVERS\usbehci.sys
09:54:40.0010 5736 usbehci - ok
09:54:40.0072 5736 usbhub (287c6c9410b111b68b52ca298f7b8c24) C:\windows\system32\DRIVERS\usbhub.sys
09:54:40.0103 5736 usbhub - ok
09:54:40.0119 5736 usbohci (58e546bbaf87664fc57e0f6081e4f609) C:\windows\system32\DRIVERS\usbohci.sys
09:54:40.0135 5736 usbohci - ok
09:54:40.0166 5736 usbprint (73188f58fb384e75c4063d29413cee3d) C:\windows\system32\DRIVERS\usbprint.sys
09:54:40.0181 5736 usbprint - ok
09:54:40.0228 5736 usbscan (aaa2513c8aed8b54b189fd0c6b1634c0) C:\windows\system32\DRIVERS\usbscan.sys
09:54:40.0244 5736 usbscan - ok
09:54:40.0275 5736 USBSTOR (fed648b01349a3c8395a5169db5fb7d6) C:\windows\system32\DRIVERS\USBSTOR.SYS
09:54:40.0306 5736 USBSTOR - ok
09:54:40.0322 5736 usbuhci (62069a34518bcf9c1fd9e74b3f6db7cd) C:\windows\system32\DRIVERS\usbuhci.sys
09:54:40.0353 5736 usbuhci - ok
09:54:40.0431 5736 usbvideo (454800c2bc7f3927ce030141ee4f4c50) C:\windows\System32\Drivers\usbvideo.sys
09:54:40.0447 5736 usbvideo - ok
09:54:40.0478 5736 UxSms (edbb23cbcf2cdf727d64ff9b51a6070e) C:\windows\System32\uxsms.dll
09:54:40.0509 5736 UxSms - ok
09:54:40.0540 5736 VaultSvc (c118a82cd78818c29ab228366ebf81c3) C:\windows\system32\lsass.exe
09:54:40.0556 5736 VaultSvc - ok
09:54:40.0603 5736 vdrvroot (c5c876ccfc083ff3b128f933823e87bd) C:\windows\system32\drivers\vdrvroot.sys
09:54:40.0634 5736 vdrvroot - ok
09:54:40.0712 5736 vds (8d6b481601d01a456e75c3210f1830be) C:\windows\System32\vds.exe
09:54:40.0743 5736 vds - ok
09:54:40.0774 5736 vga (da4da3f5e02943c2dc8c6ed875de68dd) C:\windows\system32\DRIVERS\vgapnp.sys
09:54:40.0790 5736 vga - ok
09:54:40.0821 5736 VgaSave (53e92a310193cb3c03bea963de7d9cfc) C:\windows\System32\drivers\vga.sys
09:54:40.0837 5736 VgaSave - ok
09:54:40.0883 5736 vhdmp (2ce2df28c83aeaf30084e1b1eb253cbb) C:\windows\system32\drivers\vhdmp.sys
09:54:40.0930 5736 vhdmp - ok
09:54:40.0946 5736 viaide (e5689d93ffe4e5d66c0178761240dd54) C:\windows\system32\drivers\viaide.sys
09:54:40.0977 5736 viaide - ok
09:54:41.0024 5736 volmgr (d2aafd421940f640b407aefaaebd91b0) C:\windows\system32\drivers\volmgr.sys
09:54:41.0039 5736 volmgr - ok
09:54:41.0117 5736 volmgrx (a255814907c89be58b79ef2f189b843b) C:\windows\system32\drivers\volmgrx.sys
09:54:41.0149 5736 volmgrx - ok
09:54:41.0195 5736 volsnap (0d08d2f3b3ff84e433346669b5e0f639) C:\windows\system32\drivers\volsnap.sys
09:54:41.0227 5736 volsnap - ok
09:54:41.0273 5736 vsmraid (5e2016ea6ebaca03c04feac5f330d997) C:\windows\system32\DRIVERS\vsmraid.sys
09:54:41.0336 5736 vsmraid - ok
09:54:41.0492 5736 VSS (b60ba0bc31b0cb414593e169f6f21cc2) C:\windows\system32\vssvc.exe
09:54:41.0523 5736 VSS - ok
09:54:41.0679 5736 vwifibus (36d4720b72b5c5d9cb2b9c29e9df67a1) C:\windows\System32\drivers\vwifibus.sys
09:54:41.0695 5736 vwifibus - ok
09:54:41.0710 5736 vwififlt (6a3d66263414ff0d6fa754c646612f3f) C:\windows\system32\DRIVERS\vwififlt.sys
09:54:41.0741 5736 vwififlt - ok
09:54:41.0757 5736 vwifimp (6a638fc4bfddc4d9b186c28c91bd1a01) C:\windows\system32\DRIVERS\vwifimp.sys
09:54:41.0773 5736 vwifimp - ok
09:54:41.0835 5736 W32Time (1c9d80cc3849b3788048078c26486e1a) C:\windows\system32\w32time.dll
09:54:41.0866 5736 W32Time - ok
09:54:41.0897 5736 WacomPen (4e9440f4f152a7b944cb1663d3935a3e) C:\windows\system32\DRIVERS\wacompen.sys
09:54:41.0913 5736 WacomPen - ok
09:54:41.0975 5736 WANARP (356afd78a6ed4457169241ac3965230c) C:\windows\system32\DRIVERS\wanarp.sys
09:54:41.0991 5736 WANARP - ok
09:54:42.0007 5736 Wanarpv6 (356afd78a6ed4457169241ac3965230c) C:\windows\system32\DRIVERS\wanarp.sys
09:54:42.0007 5736 Wanarpv6 - ok
09:54:42.0147 5736 WatAdminSvc (3cec96de223e49eaae3651fcf8faea6c) C:\windows\system32\Wat\WatAdminSvc.exe
09:54:42.0537 5736 WatAdminSvc - ok
09:54:42.0709 5736 wbengine (78f4e7f5c56cb9716238eb57da4b6a75) C:\windows\system32\wbengine.exe
09:54:42.0771 5736 wbengine - ok
09:54:42.0927 5736 WbioSrvc (3aa101e8edab2db4131333f4325c76a3) C:\windows\System32\wbiosrvc.dll
09:54:42.0943 5736 WbioSrvc - ok
09:54:43.0021 5736 wcncsvc (7368a2afd46e5a4481d1de9d14848edd) C:\windows\System32\wcncsvc.dll
09:54:43.0052 5736 wcncsvc - ok
09:54:43.0067 5736 WcsPlugInService (20f7441334b18cee52027661df4a6129) C:\windows\System32\WcsPlugInService.dll
09:54:43.0099 5736 WcsPlugInService - ok
09:54:43.0130 5736 Wd (72889e16ff12ba0f235467d6091b17dc) C:\windows\system32\DRIVERS\wd.sys
09:54:43.0161 5736 Wd - ok
09:54:43.0208 5736 Wdf01000 (441bd2d7b4f98134c3a4f9fa570fd250) C:\windows\system32\drivers\Wdf01000.sys
09:54:43.0270 5736 Wdf01000 - ok
09:54:43.0301 5736 WdiServiceHost (bf1fc3f79b863c914687a737c2f3d681) C:\windows\system32\wdi.dll
09:54:43.0333 5736 WdiServiceHost - ok
09:54:43.0348 5736 WdiSystemHost (bf1fc3f79b863c914687a737c2f3d681) C:\windows\system32\wdi.dll
09:54:43.0348 5736 WdiSystemHost - ok
09:54:43.0364 5736 wdmirror - ok
09:54:43.0442 5736 WebClient (3db6d04e1c64272f8b14eb8bc4616280) C:\windows\System32\webclnt.dll
09:54:43.0473 5736 WebClient - ok
09:54:43.0504 5736 Wecsvc (c749025a679c5103e575e3b48e092c43) C:\windows\system32\wecsvc.dll
09:54:43.0535 5736 Wecsvc - ok
09:54:43.0551 5736 wercplsupport (7e591867422dc788b9e5bd337a669a08) C:\windows\System32\wercplsupport.dll
09:54:43.0582 5736 wercplsupport - ok
09:54:43.0613 5736 WerSvc (6d137963730144698cbd10f202e9f251) C:\windows\System32\WerSvc.dll
09:54:43.0629 5736 WerSvc - ok
09:54:43.0660 5736 WfpLwf (611b23304bf067451a9fdee01fbdd725) C:\windows\system32\DRIVERS\wfplwf.sys
09:54:43.0676 5736 WfpLwf - ok
09:54:43.0738 5736 WimFltr (b14ef15bd757fa488f9c970eee9c0d35) C:\windows\system32\DRIVERS\wimfltr.sys
09:54:43.0769 5736 WimFltr - ok
09:54:43.0785 5736 WIMMount (05ecaec3e4529a7153b3136ceb49f0ec) C:\windows\system32\drivers\wimmount.sys
09:54:43.0801 5736 WIMMount - ok
09:54:43.0832 5736 WinDefend - ok
09:54:43.0847 5736 WinHttpAutoProxySvc - ok
09:54:43.0925 5736 Winmgmt (19b07e7e8915d701225da41cb3877306) C:\windows\system32\wbem\WMIsvc.dll
09:54:43.0957 5736 Winmgmt - ok
09:54:44.0144 5736 WinRM (bcb1310604aa415c4508708975b3931e) C:\windows\system32\WsmSvc.dll
09:54:44.0222 5736 WinRM - ok
09:54:44.0393 5736 WinUsb (fe88b288356e7b47b74b13372add906d) C:\windows\system32\DRIVERS\WinUsb.sys
09:54:44.0409 5736 WinUsb - ok
09:54:44.0503 5736 Wlansvc (4fada86e62f18a1b2f42ba18ae24e6aa) C:\windows\System32\wlansvc.dll
09:54:44.0565 5736 Wlansvc - ok
09:54:44.0799 5736 wlidsvc (7e47c328fc4768cb8beafbcfafa70362) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
09:54:45.0220 5736 wlidsvc - ok
09:54:45.0392 5736 WmiAcpi (f6ff8944478594d0e414d3f048f0d778) C:\windows\system32\drivers\wmiacpi.sys
09:54:45.0392 5736 WmiAcpi - ok
09:54:45.0485 5736 wmiApSrv (38b84c94c5a8af291adfea478ae54f93) C:\windows\system32\wbem\WmiApSrv.exe
09:54:45.0485 5736 wmiApSrv - ok
09:54:45.0548 5736 WMPNetworkSvc - ok
09:54:45.0595 5736 WPCSvc (96c6e7100d724c69fcf9e7bf590d1dca) C:\windows\System32\wpcsvc.dll
09:54:45.0610 5736 WPCSvc - ok
09:54:45.0657 5736 WPDBusEnum (93221146d4ebbf314c29b23cd6cc391d) C:\windows\system32\wpdbusenum.dll
09:54:45.0688 5736 WPDBusEnum - ok
09:54:45.0719 5736 ws2ifsl (6bcc1d7d2fd2453957c5479a32364e52) C:\windows\system32\drivers\ws2ifsl.sys
09:54:45.0735 5736 ws2ifsl - ok
09:54:45.0766 5736 wscsvc (e8b1fe6669397d1772d8196df0e57a9e) C:\windows\system32\wscsvc.dll
09:54:45.0797 5736 wscsvc - ok
09:54:45.0813 5736 WSearch - ok
09:54:45.0860 5736 wsvd (83575c43b2bfe9ab0661a7f957e843c0) C:\windows\system32\DRIVERS\wsvd.sys
09:54:45.0891 5736 wsvd - ok
09:54:46.0094 5736 wuauserv (d9ef901dca379cfe914e9fa13b73b4c4) C:\windows\system32\wuaueng.dll
09:54:46.0125 5736 wuauserv - ok
09:54:46.0297 5736 WudfPf (d3381dc54c34d79b22cee0d65ba91b7c) C:\windows\system32\drivers\WudfPf.sys
09:54:46.0328 5736 WudfPf - ok
09:54:46.0375 5736 WUDFRd (cf8d590be3373029d57af80914190682) C:\windows\system32\DRIVERS\WUDFRd.sys
09:54:46.0406 5736 WUDFRd - ok
09:54:46.0437 5736 wudfsvc (7a95c95b6c4cf292d689106bcae49543) C:\windows\System32\WUDFSvc.dll
09:54:46.0484 5736 wudfsvc - ok
09:54:46.0531 5736 WwanSvc (9a3452b3c2a46c073166c5cf49fad1ae) C:\windows\System32\wwansvc.dll
09:54:46.0562 5736 WwanSvc - ok
09:54:46.0655 5736 MBR (0x1B8) (5c616939100b85e558da92b899a0fc36) \Device\Harddisk0\DR0
09:54:46.0936 5736 \Device\Harddisk0\DR0 - ok
09:54:46.0936 5736 Boot (0x1200) (c819d0db10218061b1b96e95f442091e) \Device\Harddisk0\DR0\Partition0
09:54:46.0936 5736 \Device\Harddisk0\DR0\Partition0 - ok
09:54:46.0967 5736 Boot (0x1200) (e8d777dabeab6fefb5a93c9734acf2ca) \Device\Harddisk0\DR0\Partition1
09:54:46.0967 5736 \Device\Harddisk0\DR0\Partition1 - ok
09:54:46.0999 5736 Boot (0x1200) (0cd63cde8fb9cb537b98e4eba97e1014) \Device\Harddisk0\DR0\Partition2
09:54:46.0999 5736 \Device\Harddisk0\DR0\Partition2 - ok
09:54:46.0999 5736 ============================================================
09:54:46.0999 5736 Scan finished
09:54:46.0999 5736 ============================================================
09:54:47.0030 5000 Detected object count: 0
09:54:47.0030 5000 Actual detected object count: 0
09:55:30.0482 3264 Deinitialize success

#12 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Canada
  • Local time:10:16 AM

Posted 10 July 2012 - 12:42 PM

how is the computer running now?

Are there any outstanding issues?

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#13 dabram

dabram
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:06:16 AM

Posted 10 July 2012 - 01:37 PM

I never noticed a change in performance; I just saw the warnings in Sophos and was worried I had data mining bugs in my computer and didn't feel safe to use it for banking etc.

I still have 5 items in the Sophos quarantine, but I haven't been getting continual popups for the Troj/ZAccInf-B affecting services.exe, so that is an improvement. I am not sure what to do with these items; i.e., are they supposed to naturally go away, or will they remain even if the problems are solved?

The items are:

  • Virus/spyware; Troj/ZAccInf-B; C:\windows\system32\services.exe
  • Virus/spyware; Troj/ZAccInf-B; C:\FRST\Quarantine\services.exe
  • Virus/spyware; Troj/Browin-Gen; C:\Program Files (x86)\intellidownload\vfd.exe
  • Virus/spyware; Mal/ZAccConf-A; C:\Windows\Installer\{05e9adae-d0d8-7665-a65f-38918cf32667}\@ & C:\Users\David Abram\AppData\Local\{05e9adae-d0d8-7665-a65f-38918cf32667}\@
  • Suspicious behavior; HIPS/RegMod-016; C:\Windows\SysWOW64\regedit.exe

#14 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Canada
  • Local time:10:16 AM

Posted 10 July 2012 - 02:18 PM

It appears it is finding items in quarantine that we have dealt with already.

Please delete the items in Sophos quarantine, update the definitions, then give it a full scan. Let me know if it finds anything new.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#15 dabram

dabram
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:06:16 AM

Posted 10 July 2012 - 06:31 PM

I cleared the items in the quarantine and ran a full scan. A few errors showed up with some files, but nothing worth putting in quarantine. It appears as if the trojan was removed; is there anything further to be done?

I am planning on uninstalling / deleting the tools used (fstr, combofix, mbam, eset, and tdss) unless you think I should keep any for some reason.
