Rootkit.ZeroAccess infection.


  • This topic is locked
27 replies to this topic

#1 Jim_F

Posted 25 July 2012 - 03:09 AM

Dell laptop. The wife's browsing has picked up something that is beyond my capability of being able to clean up. Google is redirecting to obscure advertising sites, and you can tell it has been hijacked. Google Chrome appears much more affected than IE.

I have a corp version of Trend Micro OfficeScan, and it is not easy to disable this, to allow certain scanning/cleaning, but I have found ways to remove its shutdown protection, so I think I can disable it for any cleaning needed.

Spyware Dr (pctools) was installed last night. It could detect this, from a registry entry, but not remove it. Also, several other malware were detected, but until the rootkit can be killed, those just keep being replaced, etc.

I have initially killed a fake AV (which was what tipped me off to the problems). It started popping up, was installed in a /usr docs/myname/appdata/somehexnumber directory. However, when trying to research this infection, was when I noticed the google was hijacked. This infection is gone, but the google hijack (i.e. the rootkit and likely other malware), are still here.

I have tried a specific removal tool for this rootkit from Symantec. I turned off restore, then ran the tool, and it added some -onreboot run of itself, but upon reboot, a BSOD flashes, and the machine instantly reboots; the only way to reboot is to select "use last good config".

I am not able to boot to safe mode; the machine does not let me log in. I believe the account requires domain network support.

I am not on the corp network, just my own home LAN, behind a wireless router.

I have above average capabilities on being able to fix this. I am a systems developer, and did write for and work with an AV software firm back in the late 90's, so I do understand what they do, and how to handle them. My work there was on Office macro viruses (built a macro detection engine), and on true viruses (pre-PE, DOS viruses), and I built an auto baiting/replication system. But that work has not continued into the malware, worm/trojan/rootkit days of today. This information is listed mostly so the person helping knows that I will not need to be baby-stepped on things like how to open cmd.exe, or regedit, or how to run something with admin rights, etc.

Here are the logs requested (the runtime building these was very long)

------------------------------------------------------

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 10.5.1
Run by [Name-removed] at 20:49:41 on 2012-07-24
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3539.2757 [GMT -5:00]
.
AV: Trend Micro OfficeScan Antivirus *Enabled/Updated* {4CA5B9AB-4295-4D4C-9664-0EBE85AE0525}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\PC Tools\PC Tools Security\BDT\BDTUpdateService.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\Program Files\PC Tools\PC Tools Security\pctsAuxs.exe
C:\Program Files\PC Tools\PC Tools Security\pctsSvc.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
mStart Page = about:blank
uInternet Connection Wizard,ShellNext = iexplore
uURLSearchHooks: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\pc tools\pc tools security\bdt\PCTBrowserDefender.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - c:\program files\pc tools\pc tools security\bdt\PCTBrowserDefender.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\oracle\javafx 2.1 runtime\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.7227.1100\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\oracle\javafx 2.1 runtime\bin\jp2ssv.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\pc tools\pc tools security\bdt\PCTBrowserDefender.dll
uRun: [Communicator] "c:\program files\microsoft office communicator\Communicator.exe"
uRun: [Google Update] "c:\documents and settings\[name-removed]\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\Wcescomm.exe"
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [DellControlPoint] "c:\program files\dell\dell controlpoint\Dell.ControlPoint.exe"
mRun: [DellConnectionManager] "c:\program files\dell\dell controlpoint\connection manager\Dell.UCM.exe"
mRun: [<NO NAME>]
mRun: [OfficeScanNT Monitor] "c:\program files\trend micro\officescan client\pccntmon.exe" -HideWindow
mRun: [ISTray] "c:\program files\pc tools\pc tools security\pctsGui.exe" /hideGUI
dRun: [Communicator] "c:\program files\microsoft office communicator\Communicator.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\dellco~1.lnk - c:\program files\dell\dell controlpoint\system manager\DCPSysMgr.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\tdmnot~1.lnk - c:\program files\wave systems corp\trusted drive manager\TdmNotify.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{f3c1de9e-5e16-4ba9-b854-7b53a45e3579}\Icon3E5562ED7.ico
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
LSP: c:\program files\common files\pc tools\lsp\PCTLsp.dll
LSP: mswsock.dll
Trusted Zone: aghost.net
Trusted Zone: dtn.com\psoftwebprod01
Trusted Zone: dtnprogressivefarmer.com
Trusted Zone: misbeaconcat01
Trusted Zone: officescan
Trusted Zone: project
Trusted Zone: 8080
Trusted Zone: aghost.net
Trusted Zone: disa.mil\edadocs.ogden
Trusted Zone: disa.mil\myinvoice.csd
Trusted Zone: dtn.com\psoftwebprod01
Trusted Zone: dtnprogressivefarmer.com
Trusted Zone: eb.mil\wawf
Trusted Zone: misbeaconcat01
Trusted Zone: officescan
Trusted Zone: project
DPF: {00134F72-5284-44F7-95A8-52A619F70751} - hxxps://trendappprod02:4343/officescan/console/html/ClientInstall/WinNTChk.cab
DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} - hxxps://trendappprod02:4343/officescan/console/html/ClientInstall/setup.cab
DPF: {35C3D91E-401A-4E45-88A5-F3B32CD72DF4} - hxxps://trendappprod02:4343/officescan/console/html/root/AtxEnc.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1320675334917
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{5FAE1CA3-83C6-49DD-B5DB-F813BD6E518D} : DhcpNameServer = 192.168.1.1
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
LSA: Authentication Packages = msv1_0 wvauth
.
============= SERVICES / DRIVERS ===============
.
R0 a320raid;a320raid;c:\windows\system32\drivers\a320raid.sys [2010-6-29 218112]
R0 aac;PERC 320/DC SCSI RAID Miniport Driver;c:\windows\system32\drivers\aac.sys [2010-6-29 48140]
R0 aarich;aarich;c:\windows\system32\drivers\aarich.sys [2010-6-29 204800]
R0 ahcix86;ahcix86;c:\windows\system32\drivers\ahcix86.sys [2010-6-29 187960]
R0 megasas;DELL PERC RAID Driver;c:\windows\system32\drivers\megasas.sys [2010-6-29 19200]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2012-7-24 383368]
R0 pctDS;PC Tools Data Store;c:\windows\system32\drivers\pctDS.sys [2012-7-24 342168]
R0 pctEFA;PC Tools Extended File Attributes;c:\windows\system32\drivers\pctEFA.sys [2012-7-24 909728]
R0 SiSRaid4;SiSRaid4;c:\windows\system32\drivers\sisraid4.sys [2010-6-29 63872]
R1 PCTSD;PC Tools Spyware Doctor Driver;c:\windows\system32\drivers\PCTSD.sys [2012-7-24 203120]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\pc tools\pc tools security\bdt\BDTUpdateService.exe [2012-7-24 575448]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2010-6-25 35088]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\pc tools\pc tools security\pctsAuxs.exe [2012-7-24 402368]
R2 sdCoreService;PC Tools Security Service;c:\program files\pc tools\pc tools security\pctsSvc.exe [2012-7-24 1118680]
R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2011-11-7 59152]
R2 TmFilter;Trend Micro Filter;c:\program files\trend micro\officescan client\TmXpflt.sys [2011-7-12 262416]
R2 TmPreFilter;Trend Micro PreFilter;c:\program files\trend micro\officescan client\TmPreflt.sys [2011-7-12 36624]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [2011-11-7 113664]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2011-11-7 109568]
R3 PCTBD;PC Tools Browser Defender Driver;c:\windows\system32\drivers\PCTBD.sys [2012-7-24 70768]
R3 TmProxy;OfficeScan NT Proxy Service;c:\program files\trend micro\officescan client\TmProxy.exe [2010-4-24 689416]
S2 ATService;AuthenTec Fingerprint Service;c:\program files\fingerprint sensor\AtService.exe [2010-5-10 1803584]
S2 buttonsvc32;Dell ControlPoint Button Service;c:\program files\dell\dell controlpoint\DCPButtonSvc.exe [2009-11-20 278304]
S2 dcpsysmgrsvc;Dell ControlPoint System Manager;c:\program files\dell\dell controlpoint\system manager\DCPSysMgrSvc.exe [2010-2-8 376688]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2012-1-31 136176]
S2 SMManager;Smith Micro Connection Manager Service;c:\program files\dell\dell controlpoint\connection manager\SMManager.exe [2009-12-22 77312]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-3 253600]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2012-1-31 136176]
S3 NvtSp50;NvtSp50 NDIS Protocol Driver;c:\windows\system32\drivers\nvtsp50.sys --> c:\windows\system32\drivers\NvtSp50.sys [?]
S3 PCTSFileEnum;PCTSFileEnum;c:\program files\pc tools\dmscanning\PCTSFiles.exe [2012-7-24 89048]
S3 s3legacy;s3legacy;c:\windows\system32\drivers\s3legacy.sys [2008-11-3 65664]
S3 UsbGps;LGE CDMA USB GPS NMEA Port;c:\windows\system32\drivers\lgusbgps.sys [2011-2-14 20096]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2007-11-14 394952]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2008-4-14 14336]
.
=============== Created Last 30 ================
.
2012-07-25 01:38:19 -------- d-----w- C:\TDSSKiller_Quarantine
2012-07-25 01:26:40 -------- d-----w- c:\documents and settings\[name-removed]\local settings\application data\Threat Expert
2012-07-25 01:03:01 -------- d-----w- c:\documents and settings\[name-removed]\application data\FixZeroAccess
2012-07-24 23:31:32 70768 ----a-w- c:\windows\system32\drivers\PCTBD.sys
2012-07-24 23:31:31 767960 ----a-w- c:\windows\BDTSupport.dll
2012-07-24 23:31:30 149464 ----a-w- c:\windows\SGDetectionTool.dll
2012-07-24 23:31:29 2267096 ----a-w- c:\windows\PCTBDCore.dll
2012-07-24 23:31:29 1689560 ----a-w- c:\windows\PCTBDRes.dll
2012-07-24 23:30:36 254944 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2012-07-24 23:30:21 17880 ----a-w- c:\windows\system32\drivers\pctBTFix.sys
2012-07-24 23:30:11 70568 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2012-07-24 13:42:44 909728 ----a-w- c:\windows\system32\drivers\pctEFA.sys
2012-07-24 13:42:44 342168 ----a-w- c:\windows\system32\drivers\pctDS.sys
2012-07-24 13:42:39 383368 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2012-07-24 13:42:39 162584 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2012-07-24 13:42:28 203120 ----a-w- c:\windows\system32\drivers\PCTSD.sys
2012-07-24 13:42:28 -------- d-----w- c:\program files\common files\PC Tools
2012-07-24 13:42:27 -------- d-----w- c:\program files\PC Tools
2012-07-24 13:40:32 -------- d-----w- c:\documents and settings\all users\application data\PC Tools
2012-07-24 13:40:26 -------- d-----w- c:\documents and settings\[name-removed]\application data\TestApp
2012-07-24 01:09:14 22032 ----a-w- c:\windows\DCEBoot.exe
2012-07-23 12:50:33 -------- d-----w- c:\documents and settings\[name-removed]\local settings\application data\{52296A23-D39D-11E1-8270-B8AC6F996F26}
2012-07-22 01:34:30 455168 ----a-w- c:\documents and settings\[name-removed]\application data\murvcp.dll
2012-07-22 01:34:02 56320 ---ha-w- c:\windows\system32\msfercp.dll
2012-07-22 01:33:38 133120 --sha-w- c:\documents and settings\[name-removed]\application data\mapcs.dll
2012-07-13 23:33:21 -------- d-----w- c:\documents and settings\[name-removed]\local settings\application data\Sun
2012-07-13 23:29:41 -------- d-----w- c:\program files\Oracle
2012-07-13 23:29:25 772544 ----a-w- c:\windows\system32\npDeployJava1.dll
.
==================== Find3M ====================
.
2012-07-06 03:07:08 143872 ----a-w- c:\windows\system32\javacpl.cpl
2012-07-06 03:06:20 687544 ----a-w- c:\windows\system32\deployJava1.dll
2012-05-11 01:42:06 238080 ----a-w- c:\windows\system32\ssleay32.dll
2012-05-11 01:42:06 238080 ----a-w- c:\windows\system32\libssl32.dll
2012-05-11 01:41:52 1100800 ----a-w- c:\windows\system32\libeay32.dll
.
============= FINISH: 21:06:51.40 ===============
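
The DDS log above is the kind of listing a helper reads by eye. As an added example (not code from this thread, from BleepingComputer, or from the DDS tool itself), here is a small triage script that parses the "Created Last 30" / "Find3M" file lines and the uRun/mRun/dRun autorun lines and flags entries a reviewer would want to look at first: executable code (.dll/.sys/.exe) created under a user profile, executables carrying hidden/system attributes, empty autorun entries, and bursts of flagged files created within a couple of minutes of each other. The sample input is built from lines in the log above. It is an assumption, drawn from the log format shown here, that the letters `h` and `s` in the 8-character attribute field denote the hidden and system attributes; the script flags for review and renders no verdict.

```python
"""Triage helper for DDS log lines (added example, not part of the thread or of DDS).
Flags entries for human review only. Assumption: 'h' / 's' in the attribute field
(e.g. "--sha-w-") mean hidden / system, as the log format in the thread suggests."""
import ntpath
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

# "<date> <time> <size or eight dashes> <8 attribute flags> <path>"
DDS_FILE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<size>\d+|-{8}) (?P<attrs>[A-Za-z-]{8}) (?P<path>.+)$"
)
# "uRun: [Name] command"  (also mRun / dRun)
DDS_RUN_RE = re.compile(r"^(?P<hive>[umd]Run): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")

USER_PROFILE_MARKERS = ("\\documents and settings\\", "\\users\\")
CODE_EXTENSIONS = {".dll", ".sys", ".exe"}


@dataclass
class Finding:
    line: str
    when: Optional[datetime]          # creation time for file lines, None for autoruns
    reasons: List[str] = field(default_factory=list)


def in_user_profile(path: str) -> bool:
    p = path.lower()
    return any(marker in p for marker in USER_PROFILE_MARKERS)


def assess_file_line(line: str) -> Optional[Finding]:
    """Finding for a 'Created Last 30' / 'Find3M' line, or None if the line is not one."""
    m = DDS_FILE_RE.match(line.strip())
    if m is None:
        return None
    when = datetime.strptime(f"{m['date']} {m['time']}", "%Y-%m-%d %H:%M:%S")
    attrs, path = m["attrs"], m["path"]
    ext = ntpath.splitext(path)[1].lower()   # ntpath handles backslash paths on any OS
    reasons = []
    if not attrs.startswith("d") and ext in CODE_EXTENSIONS:
        if in_user_profile(path):
            reasons.append("executable code created under a user profile")
        if "h" in attrs or "s" in attrs:
            reasons.append("hidden/system attribute on executable code")
    return Finding(line.strip(), when, reasons)


def assess_run_line(line: str) -> Optional[Finding]:
    """Finding for a uRun/mRun/dRun autorun entry, or None if the line is not one."""
    m = DDS_RUN_RE.match(line.strip())
    if m is None:
        return None
    reasons = []
    cmd = m["cmd"].strip()
    if m["name"] == "<NO NAME>" or not cmd:
        reasons.append("autorun entry with empty name or command")
    elif in_user_profile(cmd):
        reasons.append("autorun launches code from a user profile")
    return Finding(line.strip(), None, reasons)


def creation_bursts(findings: List[Finding], window: timedelta = timedelta(minutes=2)) -> List[List[Finding]]:
    """Group flagged files whose creation times lie within `window` of the previous one.
    Several new executables written within the same minute or two is a pattern to review."""
    timed = sorted((f for f in findings if f.when and f.reasons), key=lambda f: f.when)
    bursts, current = [], []
    for f in timed:
        if current and f.when - current[-1].when > window:
            if len(current) > 1:
                bursts.append(current)
            current = []
        current.append(f)
    if len(current) > 1:
        bursts.append(current)
    return bursts


def triage(log_text: str) -> List[Finding]:
    """Run both assessors over a DDS log and keep only entries with at least one reason."""
    flagged = []
    for line in log_text.splitlines():
        f = assess_file_line(line) or assess_run_line(line)
        if f and f.reasons:
            flagged.append(f)
    return flagged


# Constructed sample: lines copied from the DDS log posted in the thread.
SAMPLE_DDS = r"""
mRun: [<NO NAME>]
mRun: [OfficeScanNT Monitor] "c:\program files\trend micro\officescan client\pccntmon.exe" -HideWindow
2012-07-25 01:38:19 -------- d-----w- C:\TDSSKiller_Quarantine
2012-07-24 23:31:32 70768 ----a-w- c:\windows\system32\drivers\PCTBD.sys
2012-07-22 01:34:30 455168 ----a-w- c:\documents and settings\[name-removed]\application data\murvcp.dll
2012-07-22 01:34:02 56320 ---ha-w- c:\windows\system32\msfercp.dll
2012-07-22 01:33:38 133120 --sha-w- c:\documents and settings\[name-removed]\application data\mapcs.dll
2012-07-13 23:29:25 772544 ----a-w- c:\windows\system32\npDeployJava1.dll
""".strip()

if __name__ == "__main__":
    hits = triage(SAMPLE_DDS)
    for h in hits:
        print(h.line, "->", "; ".join(h.reasons))
    for burst in creation_bursts(hits):
        print(f"burst of {len(burst)} flagged files between {burst[0].when} and {burst[-1].when}")
```

On the sample, the three DLLs created on 2012-07-22 within 52 seconds of each other come out as one burst, while the PC Tools driver and the Java DLL are left alone. Legitimate software that installs per-user (Google Update in the log above is one) will also be flagged by the user-profile rule, which is why the output is a review list and not a verdict.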

#2 HelpBot

HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,699 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:14 PM

Posted 30 July 2012 - 11:50 AM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/462373 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows, you should not bother creating a GMER log.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 Jim_F

Jim_F
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Omaha NE
  • Local time:03:14 PM

Posted 30 July 2012 - 12:32 PM

This rootkit has been removed. I was able to follow along with enough other removal items that the smart folks here were using. I know the instructions were directed to specific infections on exact specific machines, but after enough research, I felt comfortable at least getting rid of the damn thing.

I did:

multiple tool scanning (GMER, malware bytes, aswMBR, etc). GMER seemed the best at this.

I found and documented all files that made up the root kit (and a couple other malwares that were downloaded due to browser redirects). I also documented exactly which files were 'hooked'.

I booted into ubuntu. In there, I copied all infected files, and all system files listing hooked to a usb stick. I was able to validate that all system files were non modified. The infection was only hooking into the memory image, and not modifying the file on disk.

I then was able to kill the rootkit using Combofix.

However, the files were not cleaned up. I then was able to see the files, and delete them, and remove the damage I knew about. I then ran Malwarebytes until all of the infections were cleaned up. It required a couple of boots, due to some 'on-boot' fixups causing the 'reboot to last known good config' to have to be done (some of my early attempts before finding the wealth of information here at BleepingComputer). I had to reboot twice, once with the boot to last known good, and then reboot again, which was clean. After that, Malwarebytes could properly clean things up, which it did.

I have already used Revo Uninstaller, and smoked ALL installs from Adobe, all Java instances, and all Apple stuff (such as QuickTime). I have installed the proper (current) Adobe Flash. I switched over to Foxit for PDF reading (vs. Adobe Acrobat), hoping for less chance of hackers targeting that platform, since it is such a smaller user base for targets.


Well now the 'infection' is gone. However, I still need a little help getting rid of the bad side effects it left. The network connections on this system are a little on the flaky side. I just wonder if there were some safety issues that were done by this bugger, which need to be put back in place.

I certainly need help from the knowledgeable experts here, so that I do not get a clean system, but one that is open to the world to get hit easily again.

NOTE, I am not at the system at this time. When I get home tonight, I will run scans requested, and post properly, so the information about the current condition is listed. The prior (during infection) scans are listed in the OP of this thread. I know this forum requests that users do not go out on their own, and do their own 'fixes'. I simply could not keep my system offline for that long.

Jim.
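
The step in the post above where the system files were copied out from a live Ubuntu boot and checked against known-good copies is the part most worth reproducing carefully. As an added example (not the poster's code and not a BleepingComputer tool), here is a hash-manifest comparison: build a SHA-256 manifest of a known-good tree, build one of the tree copied off the suspect disk, and report files that differ, are missing, or appear only on the suspect side. The `demo_compare` function builds two small constructed directory trees in a temporary directory so the whole thing runs offline; the file names and contents in it are made up for the demonstration (the `msfercp.dll` name is borrowed from the DDS log in this thread). In real use you would point `build_manifest` at the mounted suspect volume and at a clean install or a manifest saved before the incident.

```python
"""Offline file-integrity check by hash manifest (added example, not from the thread).
Compare a known-good tree against a copy taken from the suspect disk."""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large system files do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Map each file under root (relative path, forward slashes, lower-cased to match
    Windows' case-insensitive names) to its SHA-256 hex digest."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            rel = p.relative_to(root).as_posix().lower()
            manifest[rel] = sha256_file(p)
    return manifest


def compare_manifests(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify every path: modified (present in both, different hash), missing (only in
    the baseline) and unexpected (only on the suspect side). Unchanged files are not listed."""
    modified = sorted(k for k in baseline if k in current and baseline[k] != current[k])
    missing = sorted(k for k in baseline if k not in current)
    unexpected = sorted(k for k in current if k not in baseline)
    return {"modified": modified, "missing": missing, "unexpected": unexpected}


def demo_compare() -> Dict[str, List[str]]:
    """Constructed demonstration: a clean tree and a suspect copy that differ in two places."""
    with tempfile.TemporaryDirectory() as tmp:
        good, suspect = Path(tmp) / "good", Path(tmp) / "suspect"
        for root in (good, suspect):
            (root / "system32" / "drivers").mkdir(parents=True)
            (root / "system32" / "ntoskrnl.exe").write_bytes(b"kernel image bytes (constructed)")
            (root / "system32" / "drivers" / "disk.sys").write_bytes(b"disk driver bytes (constructed)")
        # Suspect side: one driver altered on disk, one file that has no counterpart in the baseline.
        (suspect / "system32" / "drivers" / "disk.sys").write_bytes(b"disk driver bytes (constructed) PATCHED")
        (suspect / "system32" / "msfercp.dll").write_bytes(b"unexpected dll (constructed)")
        return compare_manifests(build_manifest(good), build_manifest(suspect))


if __name__ == "__main__":
    for category, paths in demo_compare().items():
        print(f"{category}: {paths}")
```

A clean result on the on-disk copies, as the poster reports, tells you the rootkit was hooking in memory rather than rewriting the files, which is exactly why the comparison has to be done from an independent boot: hashes computed on the infected, running system can be lied to by the same hooks.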

#4 Jim_F

Jim_F
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Omaha NE
  • Local time:03:14 PM

Posted 31 July 2012 - 09:43 PM

Here is an update. I really do look forward to getting a helping hand by the experts here.

1. I am not 100% sure the rootkit is gone. I started a GMER run last night, and this morning it did list a rootkit. It said explorer had c:\Program (just Program) as a loaded hidden lib. I killed the explorer and did a re-scan of GMER. 2 hours later when it completed, it found nothing. I have rebooted, and it took a LONG time to boot. It did finally boot. I ran GMER again, and again (after 2 hours), it shows clean.

There were also some errors about problems writing to the MFT. Also, there were initially some complaints about the recycle bin being corrupted; however, those warnings are gone, since the garbage virus files have been deleted.

Also, the I.E. (I removed chrome for now) connection is not working properly. I am not able to diagnose if this is still due to RK issues, or if the malware has screwed up network settings to make the machine less secure. However, it certainly is not as responsive as it should be.

Logs are:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Jim.Fougeron at 1:20:18 on 2012-07-31
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3539.2472 [GMT -5:00]
.
AV: Trend Micro OfficeScan Antivirus *Disabled/Outdated* {4CA5B9AB-4295-4D4C-9664-0EBE85AE0525}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\drivers\audio\r267815\payload\wdm\stacsv.exe
C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
svchost.exe
C:\Program Files\Dell\Dell ControlPoint\Connection Manager\SMManager.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmNotify.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
mStart Page = about:blank
uInternet Connection Wizard,ShellNext = iexplore
uURLSearchHooks: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\pc tools\pc tools security\bdt\PCTBrowserDefender.dll
BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - c:\program files\pc tools\pc tools security\bdt\PCTBrowserDefender.dll
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - No File
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.7227.1100\swg.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\pc tools\pc tools security\bdt\PCTBrowserDefender.dll
uRun: [Communicator] "c:\program files\microsoft office communicator\Communicator.e xe"
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [DellControlPoint] "c:\program files\dell\dell controlpoint\Dell.ControlPoint.exe"
mRun: [DellConnectionManager] "c:\program files\dell\dell controlpoint\connection manager\Dell.UCM.exe"
mRun: [OfficeScanNT Monitor] "c:\program files\trend micro\officescan client\pccntmon.e xe" -HideWindow
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
dRun: [Communicator] "c:\program files\microsoft office communicator\Communicator.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\dellco~1.lnk - c:\program files\dell\dell controlpoint\system manager\DCPSysMgr.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\tdmnot~1.lnk - c:\program files\wave systems corp\trusted drive manager\TdmNotify.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{f3c1de9e-5e16-4ba9-b854-7b53a45e3579}\Icon3E5562ED7.ico
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
LSP: c:\program files\common files\pc tools\lsp\PCTLsp.dll
LSP: mswsock.dll
Trusted Zone: aghost.net
Trusted Zone: dtn.com\psoftwebprod01
Trusted Zone: dtnprogressivefarmer.com
Trusted Zone: misbeaconcat01
Trusted Zone: officescan
Trusted Zone: project
Trusted Zone: 8080
Trusted Zone: aghost.net
Trusted Zone: disa.mil\edadocs.ogden
Trusted Zone: disa.mil\myinvoice.csd
Trusted Zone: dtn.com\psoftwebprod01
Trusted Zone: dtnprogressivefarmer.com
Trusted Zone: eb.mil\wawf
Trusted Zone: misbeaconcat01
Trusted Zone: officescan
Trusted Zone: project
DPF: {00134F72-5284-44F7-95A8-52A619F70751} - hxxps://trendappprod02:4343/officescan/console/html/ClientInstall/WinNTChk.cab
DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} - hxxps://trendappprod02:4343/officescan/console/html/ClientInstall/setup.cab
DPF: {35C3D91E-401A-4E45-88A5-F3B32CD72DF4} - hxxps://trendappprod02:4343/officescan/console/html/root/AtxEnc.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1320675334917
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{5FAE1CA3-83C6-49DD-B5DB-F813BD6E518D} : DhcpNameServer = 192.168.1.1
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
LSA: Authentication Packages = msv1_0 wvauth
.
============= SERVICES / DRIVERS ===============
.
R0 a320raid;a320raid;c:\windows\system32\drivers\a320raid.sys [2010-6-29 218112]
R0 aac;PERC 320/DC SCSI RAID Miniport Driver;c:\windows\system32\drivers\aac.sys [2010-6-29 48140]
R0 aarich;aarich;c:\windows\system32\drivers\aarich.sys [2010-6-29 204800]
R0 ahcix86;ahcix86;c:\windows\system32\drivers\ahcix86.sys [2010-6-29 187960]
R0 megasas;DELL PERC RAID Driver;c:\windows\system32\drivers\megasas.sys [2010-6-29 19200]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2012-7-24 383368]
R0 pctDS;PC Tools Data Store;c:\windows\system32\drivers\pctDS.sys [2012-7-24 342168]
R0 pctEFA;PC Tools Extended File Attributes;c:\windows\system32\drivers\pctEFA.sys [2012-7-24 909728]
R0 SiSRaid4;SiSRaid4;c:\windows\system32\drivers\sisraid4.sys [2010-6-29 63872]
R1 PCTSD;PC Tools Spyware Doctor Driver;c:\windows\system32\drivers\PCTSD.sys [2012-7-24 203120]
R1 TSKNFA00.SYS;TSKNFA00.SYS;c:\windows\system32\drivers\Tsknfa00.sys [2012-7-26 18560]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2010-6-25 35088]
R2 SMManager;Smith Micro Connection Manager Service;c:\program files\dell\dell controlpoint\connection manager\SMManager.exe [2009-12-22 77312]
R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2011-11-7 59152]
R2 TmFilter;Trend Micro Filter;c:\program files\trend micro\officescan client\TmXpflt.sys [2011-7-12 262416]
R2 TmPreFilter;Trend Micro PreFilter;c:\program files\trend micro\officescan client\TmPreflt.sys [2011-7-12 36624]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [2011-11-7 113664]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2011-11-7 109568]
R3 PCTBD;PC Tools Browser Defender Driver;c:\windows\system32\drivers\PCTBD.sys [2012-7-24 70768]
S2 ATService;AuthenTec Fingerprint Service;c:\program files\fingerprint sensor\AtService.exe [2010-5-10 1803584]
S2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\pc tools\pc tools security\bdt\BDTUpdateService.exe [2012-7-24 575448]
S2 buttonsvc32;Dell ControlPoint Button Service;c:\program files\dell\dell controlpoint\DCPButtonSvc.exe [2009-11-20 278304]
S2 dcpsysmgrsvc;Dell ControlPoint System Manager;c:\program files\dell\dell controlpoint\system manager\DCPSysMgrSvc.exe [2010-2-8 376688]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2012-1-31 136176]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2012-1-31 136176]
S3 NvtSp50;NvtSp50 NDIS Protocol Driver;c:\windows\system32\drivers\nvtsp50.sys --> c:\windows\system32\drivers\NvtSp50.sys [?]
S3 PCTSFileEnum;PCTSFileEnum;c:\program files\pc tools\dmscanning\PCTSFiles.exe [2012-7-24 89048]
S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [2012-7-29 27064]
S3 s3legacy;s3legacy;c:\windows\system32\drivers\s3legacy.sys [2008-11-3 65664]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\pc tools\pc tools security\pctsAuxs.exe [2012-7-24 402368]
S3 sdCoreService;PC Tools Security Service;c:\program files\pc tools\pc tools security\pctsSvc.exe [2012-7-24 1118680]
S3 UsbGps;LGE CDMA USB GPS NMEA Port;c:\windows\system32\drivers\lgusbgps.sys [2011-2-14 20096]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2007-11-14 394952]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2008-4-14 14336]
S4 TmProxy;OfficeScan NT Proxy Service;c:\program files\trend micro\officescan client\TmProxy.exe [2010-4-24 689416]
.
=============== Created Last 30 ================
.
2012-07-30 13:58:52 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-07-30 13:58:52 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-07-29 23:17:29 -------- d-----w- c:\documents and settings\jim.fougeron\local settings\application data\VS Revo Group
2012-07-29 23:17:24 27064 ----a-w- c:\windows\system32\drivers\revoflt.sys
2012-07-29 23:17:22 -------- d-----w- c:\program files\VS Revo Group
2012-07-29 14:56:24 54016 ----a-w- c:\windows\system32\drivers\hbhuwxd.sys
2012-07-27 07:32:47 -------- d-----w- c:\program files\mIRC
2012-07-27 07:32:47 -------- d-----w- c:\documents and settings\jim.fougeron\application data\mIRC
2012-07-27 06:51:35 54016 ----a-w- c:\windows\system32\drivers\vwpnpc.sys
2012-07-27 06:20:23 -------- d-----w- c:\documents and settings\jim.fougeron\application data\Malwarebytes
2012-07-27 06:20:15 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2012-07-27 06:20:14 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-07-27 06:20:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-07-27 05:40:46 -------- d-sha-r- C:\cmdcons
2012-07-27 05:37:24 256000 ----a-w- c:\windows\PEV.exe
2012-07-27 05:37:24 208896 ----a-w- c:\windows\MBR.exe
2012-07-27 05:37:23 98816 ----a-w- c:\windows\sed.exe
2012-07-27 05:37:23 518144 ----a-w- c:\windows\SWREG.exe
2012-07-26 05:05:00 18560 ----a-w- c:\windows\system32\drivers\Tsknfa00.sys
2012-07-26 05:04:59 -------- d-----w- c:\program files\Iarsn
2012-07-25 01:26:40 -------- d-----w- c:\documents and settings\jim.fougeron\local settings\application data\Threat Expert
2012-07-25 01:03:01 -------- d-----w- c:\documents and settings\jim.fougeron\application data\FixZeroAccess
2012-07-24 23:31:32 70768 ----a-w- c:\windows\system32\drivers\PCTBD.sys
2012-07-24 23:31:31 767960 ----a-w- c:\windows\BDTSupport.dll
2012-07-24 23:31:30 149464 ----a-w- c:\windows\SGDetectionTool.dll
2012-07-24 23:31:29 2267096 ----a-w- c:\windows\PCTBDCore.dll
2012-07-24 23:31:29 1689560 ----a-w- c:\windows\PCTBDRes.dll
2012-07-24 23:30:36 254944 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2012-07-24 23:30:21 17880 ----a-w- c:\windows\system32\drivers\pctBTFix.sys
2012-07-24 23:30:11 70568 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2012-07-24 13:42:44 909728 ----a-w- c:\windows\system32\drivers\pctEFA.sys
2012-07-24 13:42:44 342168 ----a-w- c:\windows\system32\drivers\pctDS.sys
2012-07-24 13:42:39 383368 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2012-07-24 13:42:39 162584 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2012-07-24 13:42:28 203120 ----a-w- c:\windows\system32\drivers\PCTSD.sys
2012-07-24 13:42:28 -------- d-----w- c:\program files\common files\PC Tools
2012-07-24 13:42:27 -------- d-----w- c:\program files\PC Tools
2012-07-24 13:40:32 -------- d-----w- c:\documents and settings\all users\application data\PC Tools
2012-07-24 13:40:26 -------- d-----w- c:\documents and settings\jim.fougeron\application data\TestApp
2012-07-24 01:09:14 22032 ----a-w- c:\windows\DCEBoot.exe
2012-07-13 23:33:21 -------- d-----w- c:\documents and settings\jim.fougeron\local settings\application data\Sun
2012-07-13 23:29:25 772544 ----a-w- c:\windows\system32\npDeployJava1.dll
.
==================== Find3M ====================
.
2012-07-06 03:06:20 687544 ----a-w- c:\windows\system32\deployJava1.dll
2012-05-11 01:42:06 238080 ----a-w- c:\windows\system32\ssleay32.dll
2012-05-11 01:42:06 238080 ----a-w- c:\windows\system32\libssl32.dll
2012-05-11 01:41:52 1100800 ----a-w- c:\windows\system32\libeay32.dll
.
============= FINISH: 1:20:31.90 ===============


.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 11/7/2011 8:12:49 AM
System Uptime: 7/29/2012 3:18:22 PM (34 hours ago)
.
Motherboard: Dell Inc. | | 0D695C
Processor: Intel® Core™2 Duo CPU T7250 @ 2.00GHz | Microprocessor | 1993/200mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 149 GiB total, 113.317 GiB free.
D: is CDROM (UDF)
.
==== Disabled Device Manager Items =============
.
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Cisco Systems VPN Adapter
Device ID: ROOT\NET\0000
Manufacturer: Cisco Systems
Name: Cisco Systems VPN Adapter
PNP Device ID: ROOT\NET\0000
Service: CVirtA
.
==== System Restore Points ===================
.
RP1: 7/29/2012 3:16:33 PM - System Checkpoint
RP2: 7/29/2012 6:18:10 PM - Revo Uninstaller Pro's restore point - Adobe Flash Player 11 ActiveX
RP3: 7/29/2012 6:21:40 PM - Revo Uninstaller Pro's restore point - Acrobat.com
RP4: 7/29/2012 6:22:29 PM - Revo Uninstaller Pro's restore point - Acrobat.com
RP5: 7/29/2012 6:23:19 PM - Revo Uninstaller Pro's restore point - Adobe AIR
RP6: 7/29/2012 6:24:04 PM - Revo Uninstaller Pro's restore point - Adobe Flash Player 11 ActiveX
RP7: 7/29/2012 6:24:31 PM - Revo Uninstaller Pro's restore point - Adobe Reader 9
RP8: 7/29/2012 6:24:53 PM - Removed Adobe Reader 9.
RP9: 7/29/2012 6:26:04 PM - Revo Uninstaller Pro's restore point - Google Chrome
RP10: 7/29/2012 6:28:45 PM - Revo Uninstaller Pro's restore point - Windows Search 4.0
RP11: 7/29/2012 6:29:33 PM - Revo Uninstaller Pro's restore point - Visual Studio Tools for the Office system 3.0 Runtime
RP12: 7/29/2012 6:30:24 PM - Revo Uninstaller Pro's restore point - RealPlayer
RP13: 7/29/2012 6:36:38 PM - Revo Uninstaller Pro's restore point - ProphetX Addin
RP14: 7/29/2012 6:37:20 PM - Revo Uninstaller Pro's restore point - ProphetX
RP15: 7/29/2012 6:38:38 PM - Revo Uninstaller Pro's restore point - JavaFX 2.1.1
RP16: 7/29/2012 6:38:52 PM - Removed JavaFX 2.1.1
RP17: 7/29/2012 6:39:39 PM - Revo Uninstaller Pro's restore point - Java™ 7 Update 5
RP18: 7/29/2012 6:39:50 PM - Removed Java™ 7 Update 5
RP19: 7/29/2012 6:42:34 PM - Revo Uninstaller Pro's restore point - Java™ 6 Update 31
RP20: 7/29/2012 6:43:00 PM - Removed Java™ 6 Update 31
RP21: 7/30/2012 8:03:02 PM - System Checkpoint
.
==== Installed Programs ======================
.
.
Adobe Flash Player 11 ActiveX
AlcoDens 2.2
Aspell English Dictionary-0.50-2
AuthenTec Fingerprint Software
AutoIt v3.3.8.1
BioAPI Framework
BOINC
Broadcom TPM Driver Installer
Browser Guard 4.0
Cisco Systems VPN Client 5.0.05.0290
Configuration Manager Client
Cookie Monster
Dell Control Point
Dell ControlPoint Connection Manager
Dell ControlPoint Security Manager
Dell ControlPoint System Manager
Dell Embassy Trust Suite by Wave Systems
Dell Security Device Driver Pack
Dell Touchpad
Document Manager Lite
DW WLAN Card
EMBASSY Security Center
EMBASSY Security Setup
ESC Home Page Plugin
FileZilla Client 3.5.2
Gemalto
GNU Aspell 0.50-3
Google Earth
Google Toolbar for Internet Explorer
Google Update Helper
High Definition Audio Driver Package - KB835221
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Office (KB950278)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB2570791)
Hotfix for Windows XP (KB2633952)
Hotfix for Windows XP (KB915800-v4)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Intel® Graphics Media Accelerator Driver
LG Verizon United Drivers
Malwarebytes Anti-Malware version 1.62.0.1300
Microsoft .NET Compact Framework 2.0 SP2
Microsoft .NET Compact Framework 3.5
Microsoft .NET Framework 1.1
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft ActiveSync
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Device Emulator version 3.0 - ENU
Microsoft Document Explorer 2008
Microsoft Kernel-Mode Driver Framework Feature Pack 1.9
Microsoft Office 2007 Service Pack 2 (SP2)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Communicator 2005
Microsoft Office Excel MUI (English) 2007
Microsoft Office File Validation Add-In
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Professional Plus 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Visual Web Developer 2007
Microsoft Office Visual Web Developer MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft Software Update for Web Folders (English) 12
Microsoft SQL Server Compact 3.5 Design Tools ENU
Microsoft SQL Server Compact 3.5 ENU
Microsoft SQL Server Compact 3.5 for Devices ENU
Microsoft SQL Server Database Publishing Wizard 1.2
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30411
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319
Microsoft Visual Studio 2005 Tools for Office Runtime
Microsoft Visual Studio 2008 Professional Edition - ENU
Microsoft Visual Studio Web Authoring Component
Microsoft Windows SDK for Visual Studio 2008 .NET Framework Tools
Microsoft Windows SDK for Visual Studio 2008 Headers and Libraries
Microsoft Windows SDK for Visual Studio 2008 SDK Reference Assemblies and IntelliSense
Microsoft Windows SDK for Visual Studio 2008 Tools
Microsoft Windows SDK for Visual Studio 2008 Win32 Tools
mIRC
MSDN Library for Visual Studio 2008 - ENU
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6.0 Parser (KB933579)
Notepad++
NTRU TCG Software Stack
OpenSSL 1.0.0j (32-bit)
PC Tools Spyware Doctor 9.0
Preboot Manager
Private Information Manager
RDC
Revo Uninstaller Pro 2.5.8
Security Update for 2007 Microsoft Office System (KB2288621)
Security Update for 2007 Microsoft Office System (KB2288931)
Security Update for 2007 Microsoft Office System (KB2345043)
Security Update for 2007 Microsoft Office System (KB2553089)
Security Update for 2007 Microsoft Office System (KB2553090)
Security Update for 2007 Microsoft Office System (KB2584063)
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB976321)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition
Security Update for Microsoft Office Access 2007 (KB979440)
Security Update for Microsoft Office InfoPath 2007 (KB2510061)
Security Update for Microsoft Office InfoPath 2007 (KB979441)
Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition
Security Update for Microsoft Office Publisher 2007 (KB2596705) 32-Bit Edition
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Microsoft Office Word 2007 (KB2344993)
Security Update for Microsoft Windows (KB2564958)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2618444)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player (KB979402)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Search 4 - KB963093
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2183461)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2510581)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276-v2)
Security Update for Windows XP (KB2544521)
Security Update for Windows XP (KB2544893-v2)
Security Update for Windows XP (KB2544893)
Security Update for Windows XP (KB2562937)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2567053)
Security Update for Windows XP (KB2567680)
Security Update for Windows XP (KB2570222)
Security Update for Windows XP (KB2570947)
Security Update for Windows XP (KB2586448)
Security Update for Windows XP (KB2592799)
Security Update for Windows XP (KB2618451)
Security Update for Windows XP (KB2619339)
Security Update for Windows XP (KB2620712)
Security Update for Windows XP (KB2624667)
Security Update for Windows XP (KB2633171)
Security Update for Windows XP (KB2639417)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB963027)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969897)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972260)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974455)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB976325)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982381)
Security Update for Windows XP (KB982665)
Security Wizards
Simple Sudoku 4.2
SpeedFan (remove only)
TaskInfo 10.0.0.336
Trend Micro OfficeScan Client
Trusted Drive Manager
Tweak UI
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office 2007 suites (KB2596651) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2596789) 32-Bit Edition
Update for Microsoft Office 2007 System (KB2539530)
Update for Microsoft Office Access 2007 Help (KB963663)
Update for Microsoft Office Excel 2007 (KB2596596) 32-Bit Edition
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office Infopath 2007 Help (KB963662)
Update for Microsoft Office Outlook 2007 (KB2583910)
Update for Microsoft Office Outlook 2007 Help (KB963677)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Publisher 2007 Help (KB963667)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
Update for Microsoft Visual Studio Web Authoring Component (KB945140)
Update for Microsoft Windows (KB971513)
Update for Outlook 2007 Junk Email Filter (KB2596560)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2541763)
Update for Windows XP (KB2616676-v2)
Update for Windows XP (KB2641690)
Update for Windows XP (KB898461)
Update for Windows XP (KB943729)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update for Windows XP (KB978207)
Update for Windows XP (KB980182)
UPEK TouchChip Fingerprint Reader
Visual C++ 2008 IA64 Runtime - (v9.0.30729)
Visual C++ 2008 IA64 Runtime - v9.0.30729.01
Visual C++ 2008 x64 Runtime - (v9.0.30729)
Visual C++ 2008 x64 Runtime - v9.0.30729.01
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
Visual Studio 2005 Tools for Office Second Edition Runtime
Visual Studio Tools for the Office system 3.0 Runtime
Wave Infrastructure Installer
Wave Support Software
WebFldrs XP
WIMGAPI
Windows Driver Package - AuthenTec Inc. (ATSwpWDF) Biometric (05/13/2009 8.4.2.0)
Windows Driver Package - Dell Inc. PBADRV System (09/11/2009 1.0.1.6)
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 8
Windows Management Framework Core
Windows Media Format 11 runtime
Windows Media Player 11
Windows Mobile 5.0 SDK R2 for Pocket PC
Windows Mobile 5.0 SDK R2 for Smartphone
Windows Search 4.0
WinMerge 2.12.4
WinPcap 4.1.2
WinZip
Wireshark 1.6.5
.
==== Event Viewer Messages From Past Week ========
.
7/29/2012 9:27:44 AM, error: Service Control Manager [7000] - The rimmptsk service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
7/26/2012 12:25:18 AM, error: Service Control Manager [7034] - The Browser Defender Update Service service terminated unexpectedly. It has done this 1 time(s).
7/26/2012 12:24:00 AM, error: Service Control Manager [7023] - The Computer Browser service terminated with the following error: The specified service does not exist as an installed service.
7/26/2012 12:23:59 AM, error: Service Control Manager [7023] - The Security Center service terminated with the following error: The system cannot find the file specified.
7/26/2012 12:23:55 AM, error: NETLOGON [5719] - No Domain Controller is available for domain DTN due to the following: There are currently no logon servers available to service the logon request. . Make sure that the computer is connected to the network and try again. If the problem persists, please contact your domain administrator.
7/25/2012 9:01:03 AM, error: Service Control Manager [7034] - The Dell ControlPoint System Manager service terminated unexpectedly. It has done this 1 time(s).
7/25/2012 9:00:58 AM, error: Service Control Manager [7034] - The Dell ControlPoint Button Service service terminated unexpectedly. It has done this 1 time(s).
7/25/2012 8:57:57 AM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000034' while processing the file '_filelst.cfg' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
7/25/2012 8:40:37 AM, error: Service Control Manager [7031] - The OfficeScan NT RealTime Scan service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
7/25/2012 8:28:12 AM, error: PCTCore [280] -
7/25/2012 8:05:55 PM, error: Service Control Manager [7023] - The Network Location Awareness (NLA) service terminated with the following error: The specified procedure could not be found.
7/25/2012 6:57:01 PM, error: atapi [9] - The device, \Device\Ide\IdePort0, did not respond within the timeout period.
7/25/2012 6:54:20 PM, error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Management Instrumentation service, but this action failed with the following error: An instance of the service is already running.
7/25/2012 11:42:35 PM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
7/25/2012 11:31:07 PM, error: Service Control Manager [7034] - The Google Update Service (gupdate) service terminated unexpectedly. It has done this 1 time(s).
7/25/2012 11:21:41 PM, error: Service Control Manager [7034] - The TdmService service terminated unexpectedly. It has done this 1 time(s).
7/25/2012 11:13:46 PM, error: DCOM [10016] - The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID {24FF4FDC-1D9F-4195-8C79-0DA39248FF48} to the user NT AUTHORITY\SYSTEM SID (S-1-5-18). This security permission can be modified using the Component Services administrative tool.
7/25/2012 11:12:01 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
7/24/2012 8:25:59 PM, error: Service Control Manager [7034] - The Audio Service service terminated unexpectedly. It has done this 1 time(s).
7/24/2012 8:25:55 PM, error: Service Control Manager [7034] - The Smith Micro Connection Manager Service service terminated unexpectedly. It has done this 1 time(s).
7/24/2012 8:25:04 PM, error: Service Control Manager [7034] - The AuthenTec Fingerprint Service service terminated unexpectedly. It has done this 1 time(s).
7/24/2012 8:24:27 PM, error: Service Control Manager [7031] - The OfficeScan NT Listener service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
7/24/2012 8:21:02 PM, error: Service Control Manager [7031] - The OfficeScan NT RealTime Scan service terminated unexpectedly. It has done this 3 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
7/24/2012 8:20:21 PM, error: Service Control Manager [7031] - The OfficeScan NT Listener service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
7/24/2012 8:20:18 PM, error: Service Control Manager [7031] - The OfficeScan NT Proxy Service service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
7/24/2012 8:20:07 PM, error: Service Control Manager [7034] - The Cisco Systems, Inc. VPN Service service terminated unexpectedly. It has done this 1 time(s).
7/24/2012 8:20:03 PM, error: Service Control Manager [7034] - The Windows Installer service terminated unexpectedly. It has done this 1 time(s).
7/24/2012 8:19:55 PM, error: Service Control Manager [7031] - The OfficeScan NT RealTime Scan service terminated unexpectedly. It has done this 2 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
7/24/2012 8:18:33 PM, error: Service Control Manager [7031] - The OfficeScan NT Proxy Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
7/24/2012 8:15:35 PM, error: DCOM [10016] - The application-specific permission settings do not grant Local Launch permission for the COM Server application with CLSID {7E89FF0B-F649-4F9A-A9C3-F05DFAAA3DA1} to the user NT AUTHORITY\SYSTEM SID (S-1-5-18). This security permission can be modified using the Component Services administrative tool.
7/24/2012 8:11:50 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: a320raid aac aarich adpu160m adpu320 AFD ahcix86 aic78u2 aic78xx cercsr6 fasttx2k Fips iaStor IntelIde intelppm IPSec megasas MRxSmb NetBIOS NetBT nvatabus nvraid ohci1394 PCTSD RasAcd Rdbss SiSRaid4 Symmpi Tcpip tmtdi WS2IFSL
7/24/2012 8:11:50 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
7/24/2012 8:11:50 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
7/24/2012 8:11:50 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
7/24/2012 8:11:50 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
7/24/2012 8:05:53 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC000003A' while processing the file '_filelst.cfg' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
.
==== End Of File ===========================


GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-07-31 21:22:19
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 FUJITSU_MHZ2160BJ_FFS_G2 rev.0085001C
Running: xdrjht4y.exe; Driver: C:\DOCUME~1\JIM~1.FOU\LOCALS~1\Temp\fxdyapow.sys


---- System - GMER 1.0.15 ----

SSDT 8B5DE4D4 ZwCreateKey
SSDT 8A6DE00C ZwCreateMutant
SSDT 8B6C3A5C ZwCreateProcess
SSDT 8B7BB56C ZwCreateProcessEx
SSDT 8A6DE0E4 ZwCreateSymbolicLinkObject
SSDT 8AFFAAB4 ZwCreateThread
SSDT 8B5DE454 ZwDeleteKey
SSDT 8AFFAB74 ZwDeleteValueKey
SSDT 8A6DE0A4 ZwDuplicateObject
SSDT 8AFFAA74 ZwLoadDriver
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwOpenKey [0xB9B1F1FC]
SSDT 8AF1191C ZwOpenProcess
SSDT 8AFFAB34 ZwOpenSection
SSDT 8B5DE414 ZwRenameKey
SSDT 8B5DE3D4 ZwRestoreKey
SSDT 8A6DE124 ZwSetSystemInformation
SSDT 8B5DE494 ZwSetValueKey
SSDT 8B6C3A1C ZwTerminateProcess
SSDT 8B6B2114 ZwTerminateThread
SSDT 8AFFAAF4 ZwWriteVirtualMemory

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs TmPreFlt.sys (Pre-Filter For XP/Trend Micro Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\CCM\Logs\StatusAgent-20120731-164905.log 250206 bytes

---- EOF - GMER 1.0.15 ----

#5 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • Gender:Male
  • Local time:04:14 PM

Posted 01 August 2012 - 10:21 AM

Hello, Jim_F.

My name is etavares and I will be helping you with this log.

Here are some guidelines to ensure we are able to get your machine back under your control.

  • Please do not run any unsupervised scans, fixes, etc. We can work against each other and end up in a worse place.
  • Please subscribe to this topic if you have not already done so. Please check back just in case, as the email system can fail at times.
  • Just because your machine is running better does not mean it is completely cleaned. Please wait for the 'all clear' from me to say when we are done.
  • Please reply within 3 days to be fair to other people asking for help.
  • When in doubt, please stop and ask first. There's no harm in asking questions!

Backdoor Warning
One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you do decide to proceed, please continue with the fix below.


Trusted Zone Warning

Having trusted sites may not be a good idea. The reason why I say it's not a good idea is because the security settings for the internet are not extremely high, and once you put a site in your trusted zone, basically almost anyone or anything, including hackers or other malicious software, has full access to that site, which can lead to hijacking that site and may even have access to your computer. Are you sure you trust a site to that degree?

It is recommended NOT to have ANY sites in your Trusted Zone unless the site requires it to function properly and you trust it very well. Other than that, it is not necessary for you to add any sites into the trusted zone. If you're not sure, and/or you do not need these in your trusted zone to facilitate access or you did not knowingly permit this access yourself, then please remove those sites from your trusted zone.

They can be accessed in Internet Explorer via Tools>>Internet Options>>Security>>Trusted Zone>>Sites. Remove if there are any there.



Step 1


Your logs show ZeroAccess is still on your system.

Please also note that you mentioned this is a corporate computer. I am not responsible for any damage to this computer, nor do I know if you are violating any IT policies at work. Continuing this thread means you understand this and accept responsibility.



  • Download TDSSKiller.exe and save it to your desktop.
  • Double-click TDSSKiller.exe to run it.
  • Under "Objects to scan" ensure both "Services and Drivers" and "Boot Sectors" are checked.
  • Click Start scan and allow it to scan for Malicious objects.
  • If malicious objects are found, the default action will be Cure, ensure Cure is selected then click Continue.
  • If suspicious objects are detected, the default action will be Skip, ensure Skip is selected then click Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now and allow the computer to reboot.
  • A log will be created on your root (usually C:) drive. The log is like UtilityName.Version_Date_Time_log.txt.
    for example, C:\TDSSKiller.2.4.1.2_20.04.2010_15.31.43_log.txt
  • If no reboot is required, click on Report. A log file should appear.
  • Please post the contents of the logfile in your next reply



Step 2

Important: Please delete your copy of Combofix and download a fresh one.

Next, please download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop as etavaresCF.exe
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on etavaresCF.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply, along with any symptoms that are present after it runs.

Note: After running Combofix, you may receive an error about "illegal operation on a registry key that has been marked for deletion." If you receive this error, please reboot and it should disappear.

etavares


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
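Once the TDSSKiller log from Step 1 is posted, the two things a helper checks first are which physical drives the tool enumerated and whether any service or driver carries a verdict other than "ok". The parser below is an added example in Python, not a tool from this thread or from TDSSKiller's authors; its sample log is constructed in the shape of the log posted later in this thread, and the `example_svc` entry with its "detected" verdict is an invented placeholder so the flagging path has something to show.

```python
"""Triage a TDSSKiller text log: drives seen, per-service verdicts, non-ok entries."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the shape of the TDSSKiller log posted in this thread.
# The "Drive" and "- ok" lines follow the real layout; "example_svc" and its
# "detected" verdict are invented placeholders so the triage has a hit to show.
SAMPLE_LOG = r"""
18:33:12.0859 3352 TDSS rootkit removing tool 2.7.48.0 Jul 24 2012 13:16:32
18:33:13.0031 3352 ============================================================
18:33:13.0031 3352 OS Version: 5.1.2600 ServicePack: 3.0
18:33:17.0015 3352 Drive \Device\Harddisk0\DR0 - Size: 0x25433D6000 (149.05 Gb), SectorSize: 0x200, Type 'K0', Flags 0x00000054
18:33:17.0187 3352 Drive \Device\Harddisk1\DR3 - Size: 0x3BAFF8000 (14.92 Gb), SectorSize: 0x200, Type 'W'
18:33:17.0375 3352 C: <-> \Device\Harddisk0\DR0\Partition0
18:34:01.0593 0696 Scan started
18:34:01.0593 0696 Mode: Manual; TDLFS;
18:34:02.0281 0696 a320raid (28615e07c5b8803841a038418406b98e) C:\WINDOWS\system32\DRIVERS\a320raid.sys
18:34:02.0406 0696 a320raid - ok
18:34:02.0734 0696 Abiosdsk - ok
18:34:05.0562 0696 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
18:34:05.0625 0696 atapi - ok
18:34:13.0437 0696 Browser Defender Update Service (7effccd7b6ea4d3428f5b3ace8de8f5a) C:\Program Files\PC Tools\PC Tools Security\BDT\BDTUpdateService.exe
18:34:13.0765 0696 Browser Defender Update Service - ok
18:34:50.0000 0696 example_svc (00000000000000000000000000000000) C:\WINDOWS\system32\drivers\example_svc.sys
18:34:50.0100 0696 example_svc - detected EXAMPLE.Placeholder ( 0 )
"""

# Every log line is "<hh:mm:ss.frac> <pid> <body>".
LINE_RE = re.compile(r"^(?P<time>\d\d:\d\d:\d\d\.\d+)\s+(?P<pid>\d+)\s+(?P<body>.*)$")
# Physical drive enumeration: "Drive \Device\HarddiskN\DRn - Size: 0x... (NN.NN Gb), ..."
DRIVE_RE = re.compile(r"^Drive (?P<dev>\\Device\\Harddisk\d+\\DR\d+) - Size: 0x[0-9A-Fa-f]+ \((?P<gb>[\d.]+) Gb\)")
# File line for a service/driver: "<name> (<md5>) <path>"
ENTRY_RE = re.compile(r"^(?P<name>\S.*?) \((?P<md5>[0-9a-f]{32})\) (?P<path>.+)$")
# Verdict line: "<name> - ok" (or any other verdict text after the dash)
VERDICT_RE = re.compile(r"^(?P<name>\S.*?) - (?P<verdict>.+)$")


@dataclass
class Entry:
    name: str
    md5: Optional[str] = None
    path: Optional[str] = None
    verdict: Optional[str] = None   # None = no verdict line seen (truncated log)


@dataclass
class Triage:
    drives: Dict[str, float]        # device name -> size in Gb as printed
    entries: Dict[str, Entry]       # service/driver name -> Entry

    @property
    def not_ok(self) -> List[Entry]:
        """Entries needing a human look: any verdict other than 'ok', or no verdict."""
        return [e for e in self.entries.values() if e.verdict != "ok"]


def parse_tdsskiller_log(text: str) -> Triage:
    drives: Dict[str, float] = {}
    entries: Dict[str, Entry] = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.rstrip())
        if not m:
            continue                          # banners, separators, blank lines
        body = m.group("body")
        d = DRIVE_RE.match(body)
        if d:
            drives[d.group("dev")] = float(d.group("gb"))
            continue
        e = ENTRY_RE.match(body)
        if e:
            ent = entries.setdefault(e.group("name"), Entry(e.group("name")))
            ent.md5, ent.path = e.group("md5"), e.group("path")
            continue
        v = VERDICT_RE.match(body)
        if v:
            ent = entries.setdefault(v.group("name"), Entry(v.group("name")))
            ent.verdict = v.group("verdict").strip()
    return Triage(drives, entries)


def summary(triage: Triage) -> List[str]:
    """Human-readable lines: one per drive, then every entry that is not plain 'ok'."""
    lines = [f"drive {dev}: {gb} Gb" for dev, gb in triage.drives.items()]
    lines.append(f"{len(triage.entries)} services/drivers, {len(triage.not_ok)} not ok")
    for ent in triage.not_ok:
        lines.append(f"  {ent.name}: {ent.verdict or 'NO VERDICT'} [{ent.path or '?'}]")
    return lines


if __name__ == "__main__":
    print("\n".join(summary(parse_tdsskiller_log(SAMPLE_LOG))))
```

The drive table is what lets a reader reconcile a second `\Device\HarddiskN\DRn` entry with a USB stick left plugged in during the scan; an entry that has a file line but never gets a verdict line is also reported, since that is what a cut-off or truncated paste looks like.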
 


#6 Jim_F

Jim_F
  • Topic Starter

  • Members
  • 14 posts
  • Gender:Male
  • Location:Omaha NE
  • Local time:03:14 PM

Posted 01 August 2012 - 04:24 PM

I have pulled proper new versions of all software, on a clean system. I will burn them to CD, since the computer being worked on, under your recommendation, has had the radio turned off, and does not have a physical ethernet connection. That system will be off the internet, until this issue has been resolved.

As for the Trusted zones, I will remove all that are not within our work's intranet. The others (within intranet) are needed. There were several *.mil addresses. Yes, these certainly were not right, and I thought I had removed them, but I do see them in the last scans. I will make sure they are not in Trusted zone.

I will be leaving this computer offline, and using other systems to xfer files back and forth, and to continue on this thread.

Once I have performed the tasks listed, I will post again, with the log files these steps generate, and any explanation of how the computer is operating (off the network).

etavares, !THANK YOU! for taking the time to help others.

Jim.

#7 etavares

etavares

    Bleepin' Remover


  • Malware Response Team
  • 15,514 posts
  • Gender:Male
  • Local time:04:14 PM

Posted 01 August 2012 - 07:31 PM

No problem...I'll look for the logs. Be careful when you transfer them via flash drive. XP has autorun enabled by default. Press and hold down SHIFT before you plug in the USB flashdrive, and keep SHIFT held down until Windows tells you your hardware is installed and ready to use (message will appear by the clock). It may take 30-60 seconds to see that after you plug in the drive. Then you can let go of SHIFT. That will just help to protect yourself in case the malware tries to jump to the drive.


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
 


#8 Jim_F

Jim_F
  • Topic Starter

  • Members
  • 14 posts
  • Gender:Male
  • Location:Omaha NE
  • Local time:03:14 PM

Posted 01 August 2012 - 08:18 PM

I always turn off autoplay on all CDs and USBs to avoid the bad things that can hide in autostart.inf files, and what they load, but thank you for the warning.

First, looking at the internet options, I do not see the *mil.net entries in safe zone, but they are listed on the reports.

The machine is discon from the internet. I ran TDSSKiller and ComboFix (both renamed). Here are the logs. Neither reported any problems (I think).

I 'believe' the HD3 reported by TDSSKiller is the USB stick. I think it was plugged in during the scan.

Jim.

18:33:12.0859 3352 TDSS rootkit removing tool 2.7.48.0 Jul 24 2012 13:16:32
18:33:13.0031 3352 ============================================================
18:33:13.0031 3352 Current date / time: 2012/08/01 18:33:13.0031
18:33:13.0031 3352 SystemInfo:
18:33:13.0031 3352
18:33:13.0031 3352 OS Version: 5.1.2600 ServicePack: 3.0
18:33:13.0031 3352 Product type: Workstation
18:33:13.0031 3352 ComputerName: DHKH9XG1
18:33:13.0047 3352 UserName: Jim.Fougeron
18:33:13.0047 3352 Windows directory: C:\WINDOWS
18:33:13.0047 3352 System windows directory: C:\WINDOWS
18:33:13.0047 3352 Processor architecture: Intel x86
18:33:13.0047 3352 Number of processors: 2
18:33:13.0047 3352 Page size: 0x1000
18:33:13.0047 3352 Boot type: Normal boot
18:33:13.0047 3352 ============================================================
18:33:17.0015 3352 Drive \Device\Harddisk0\DR0 - Size: 0x25433D6000 (149.05 Gb), SectorSize: 0x200, Cylinders: 0x4C01, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
18:33:17.0187 3352 Drive \Device\Harddisk1\DR3 - Size: 0x3BAFF8000 (14.92 Gb), SectorSize: 0x200, Cylinders: 0x79B, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'W'
18:33:17.0187 3352 ============================================================
18:33:17.0187 3352 \Device\Harddisk0\DR0:
18:33:17.0187 3352 MBR partitions:
18:33:17.0203 3352 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x12A18A82
18:33:17.0203 3352 \Device\Harddisk1\DR3:
18:33:17.0203 3352 MBR partitions:
18:33:17.0203 3352 \Device\Harddisk1\DR3\Partition0: MBR, Type 0xB, StartLBA 0x3F, BlocksNum 0x1DD7B81
18:33:17.0203 3352 ============================================================
18:33:17.0375 3352 C: <-> \Device\Harddisk0\DR0\Partition0
18:33:17.0375 3352 ============================================================
18:33:17.0375 3352 Initialize success
18:33:17.0375 3352 ============================================================
18:34:01.0593 0696 ============================================================
18:34:01.0593 0696 Scan started
18:34:01.0593 0696 Mode: Manual; TDLFS;
18:34:01.0593 0696 ============================================================
18:34:51.0734 0696 Parport - ok
18:34:51.0750 0696 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
18:34:51.0765 0696 PartMgr - ok
18:34:51.0812 0696 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
18:34:51.0812 0696 ParVdm - ok
18:34:51.0843 0696 PBADRV (4088c1ecd1f54281a92fa663b0fdc36f) C:\WINDOWS\system32\DRIVERS\PBADRV.sys
18:34:51.0859 0696 PBADRV - ok
18:34:51.0922 0696 PCASp50 (1961590aa191b6b7dcf18a6a693af7b8) C:\WINDOWS\system32\Drivers\PCASp50.sys
18:34:51.0937 0696 PCASp50 - ok
18:34:52.0015 0696 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
18:34:52.0047 0696 PCI - ok
18:34:52.0062 0696 PCIDump - ok
18:34:52.0078 0696 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
18:34:52.0078 0696 PCIIde - ok
18:34:52.0172 0696 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\DRIVERS\pcmcia.sys
18:34:52.0250 0696 Pcmcia - ok
18:34:52.0390 0696 PCTBD (6c9e2f69d99c025fd5cab2228e495fa1) C:\WINDOWS\system32\Drivers\PCTBD.sys
18:34:52.0422 0696 PCTBD - ok
18:34:52.0734 0696 PCTCore (f7da28f2ab6cd32b2f76ee96edad8f20) C:\WINDOWS\system32\drivers\PCTCore.sys
18:34:52.0953 0696 PCTCore - ok
18:34:53.0328 0696 pctDS (3c9fd593e95b98c642b4486cd122c2fb) C:\WINDOWS\system32\drivers\pctDS.sys
18:34:53.0484 0696 pctDS - ok
18:34:53.0906 0696 pctEFA (db6b6e47165b9647b215ceeb4db33b87) C:\WINDOWS\system32\drivers\pctEFA.sys
18:34:54.0453 0696 pctEFA - ok
18:34:54.0609 0696 PCTSD (5e11c0c1bee956de9eaac7ed086d8db9) C:\WINDOWS\system32\Drivers\PCTSD.sys
18:34:54.0718 0696 PCTSD - ok
18:34:54.0843 0696 PCTSFileEnum (8363382b2357c4d95727e04e816ac17c) C:\Program Files\PC Tools\DMScanning\PCTSFiles.exe
18:34:54.0906 0696 PCTSFileEnum - ok
18:34:54.0906 0696 PDCOMP - ok
18:34:54.0922 0696 PDFRAME - ok
18:34:54.0922 0696 PDRELI - ok
18:34:54.0937 0696 PDRFRAME - ok
18:34:54.0937 0696 perc2 - ok
18:34:54.0953 0696 perc2hib - ok
18:34:55.0078 0696 PlugPlay (65df52f5b8b6e9bbd183505225c37315) C:\WINDOWS\system32\services.exe
18:34:55.0140 0696 PlugPlay - ok
18:34:55.0172 0696 PolicyAgent (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
18:34:55.0187 0696 PolicyAgent - ok
18:34:55.0250 0696 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
18:34:55.0281 0696 PptpMiniport - ok
18:34:55.0547 0696 prepdrvr (2a4514a9233d35a355f569ff8b8f6240) C:\WINDOWS\system32\CCM\prepdrv.sys
18:34:55.0562 0696 prepdrvr - ok
18:34:55.0562 0696 ProtectedStorage (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
18:34:55.0578 0696 ProtectedStorage - ok
18:34:55.0625 0696 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
18:34:55.0672 0696 PSched - ok
18:34:55.0703 0696 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
18:34:55.0718 0696 Ptilink - ok
18:34:55.0718 0696 ql1080 - ok
18:34:55.0734 0696 Ql10wnt - ok
18:34:55.0734 0696 ql12160 - ok
18:34:55.0750 0696 ql1240 - ok
18:34:55.0750 0696 ql1280 - ok
18:34:55.0797 0696 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
18:34:55.0797 0696 RasAcd - ok
18:34:55.0890 0696 RasAuto (ad188be7bdf94e8df4ca0a55c00a5073) C:\WINDOWS\System32\rasauto.dll
18:34:55.0953 0696 RasAuto - ok
18:34:56.0015 0696 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
18:34:56.0047 0696 Rasl2tp - ok
18:34:56.0172 0696 RasMan (76a9a3cbeadd68cc57cda5e1d7448235) C:\WINDOWS\System32\rasmans.dll
18:34:56.0281 0696 RasMan - ok
18:34:56.0312 0696 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
18:34:56.0343 0696 RasPppoe - ok
18:34:56.0390 0696 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
18:34:56.0406 0696 Raspti - ok
18:34:56.0547 0696 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
18:34:56.0640 0696 Rdbss - ok
18:34:56.0656 0696 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
18:34:56.0656 0696 RDPCDD - ok
18:34:56.0812 0696 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
18:34:56.0922 0696 rdpdr - ok
18:34:57.0078 0696 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) C:\WINDOWS\system32\drivers\RDPWD.sys
18:34:57.0156 0696 RDPWD - ok
18:34:57.0265 0696 RDSessMgr (3c37bf86641bda977c3bf8a840f3b7fa) C:\WINDOWS\system32\sessmgr.exe
18:34:57.0359 0696 RDSessMgr - ok
18:34:57.0422 0696 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
18:34:57.0468 0696 redbook - ok
18:34:57.0531 0696 RemoteAccess (7e699ff5f59b5d9de5390e3c34c67cf5) C:\WINDOWS\System32\mprdim.dll
18:34:57.0562 0696 RemoteAccess - ok
18:34:57.0656 0696 RemoteRegistry (5b19b557b0c188210a56a6b699d90b8f) C:\WINDOWS\system32\regsvc.dll
18:34:57.0687 0696 RemoteRegistry - ok
18:34:57.0750 0696 Revoflt (8b5b8a11306190c6963d3473f052d3c8) C:\WINDOWS\system32\DRIVERS\revoflt.sys
18:34:57.0765 0696 Revoflt - ok
18:34:57.0843 0696 rimmptsk (ea885e7a56f1be1f14c372337c42fe48) C:\WINDOWS\system32\DRIVERS\rimmptsk.sys
18:34:57.0875 0696 rimmptsk - ok
18:34:58.0125 0696 rpcapd (b60f58f175de20a6739194e85b035178) C:\Program Files\WinPcap\rpcapd.exe
18:34:58.0187 0696 rpcapd - ok
18:34:58.0250 0696 RpcLocator (aaed593f84afa419bbae8572af87cf6a) C:\WINDOWS\system32\locator.exe
18:34:58.0297 0696 RpcLocator - ok
18:34:58.0625 0696 RpcSs (6b27a5c03dfb94b4245739065431322c) C:\WINDOWS\system32\rpcss.dll
18:34:58.0859 0696 RpcSs - ok
18:34:58.0968 0696 RSVP (471b3f9741d762abe75e9deea4787e47) C:\WINDOWS\system32\rsvp.exe
18:34:59.0047 0696 RSVP - ok
18:34:59.0109 0696 s3legacy (4294fdf954125ce9e39e68f826415c29) C:\WINDOWS\system32\DRIVERS\s3legacy.sys
18:34:59.0140 0696 s3legacy - ok
18:34:59.0187 0696 SamSs (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
18:34:59.0203 0696 SamSs - ok
18:34:59.0297 0696 SCardSvr (86d007e7a654b9a71d1d7d856b104353) C:\WINDOWS\System32\SCardSvr.exe
18:34:59.0359 0696 SCardSvr - ok
18:34:59.0515 0696 Schedule (0a9a7365a1ca4319aa7c1d6cd8e4eafa) C:\WINDOWS\system32\schedsvc.dll
18:34:59.0625 0696 Schedule - ok
18:34:59.0953 0696 sdAuxService (cfeb26a26452d5337c2f3aadd8218fc3) C:\Program Files\PC Tools\PC Tools Security\pctsAuxs.exe
18:35:00.0203 0696 sdAuxService - ok
18:35:00.0281 0696 sdbus (8d04819a3ce51b9eb47e5689b44d43c4) C:\WINDOWS\system32\DRIVERS\sdbus.sys
18:35:00.0328 0696 sdbus - ok
18:35:01.0297 0696 sdCoreService (b906c04f469060f2dd7fcb84706b4493) C:\Program Files\PC Tools\PC Tools Security\pctsSvc.exe
18:35:01.0828 0696 sdCoreService - ok
18:35:01.0875 0696 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
18:35:01.0890 0696 Secdrv - ok
18:35:01.0937 0696 seclogon (cbe612e2bb6a10e3563336191eda1250) C:\WINDOWS\System32\seclogon.dll
18:35:01.0953 0696 seclogon - ok
18:35:02.0703 0696 SecureStorageService (e396fbc469df73692318dc90ad13ce86) C:\Program Files\Wave Systems Corp\Secure Storage Manager\SecureStorageService.exe
18:35:03.0297 0696 SecureStorageService - ok
18:35:03.0562 0696 SENS (7fdd5d0684eca8c1f68b4d99d124dcd0) C:\WINDOWS\system32\sens.dll
18:35:03.0578 0696 SENS - ok
18:35:03.0593 0696 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
18:35:03.0609 0696 serenum - ok
18:35:03.0656 0696 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
18:35:03.0687 0696 Serial - ok
18:35:03.0703 0696 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
18:35:03.0718 0696 Sfloppy - ok
18:35:03.0781 0696 ShellHWDetection (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll
18:35:03.0828 0696 ShellHWDetection - ok
18:35:03.0828 0696 Simbad - ok
18:35:03.0922 0696 SiSRaid4 (e0a3aa486c4f4d896bbb0ffeac294b54) C:\WINDOWS\system32\drivers\sisraid4.sys
18:35:03.0937 0696 SiSRaid4 - ok
18:35:04.0109 0696 SMManager (8fea8f9939ba29e750310fc1f32ccf8f) C:\Program Files\Dell\Dell ControlPoint\Connection Manager\SMManager.exe
18:35:04.0125 0696 SMManager - ok
18:35:04.0187 0696 smsmdd (4b4ab78e866bbecf93f6eabc3270178a) C:\WINDOWS\system32\DRIVERS\smsmdm.sys
18:35:04.0187 0696 smsmdd - ok
18:35:04.0281 0696 smstsmgr - ok
18:35:04.0281 0696 Sparrow - ok
18:35:04.0328 0696 speedfan (3fa2e254bfbce52b3c6f1bf23aab6911) C:\WINDOWS\system32\speedfan.sys
18:35:04.0343 0696 speedfan - ok
18:35:04.0406 0696 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
18:35:04.0406 0696 splitter - ok
18:35:04.0500 0696 Spooler (60784f891563fb1b767f70117fc2428f) C:\WINDOWS\system32\spoolsv.exe
18:35:04.0531 0696 Spooler - ok
18:35:04.0578 0696 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
18:35:04.0609 0696 sr - ok
18:35:04.0718 0696 srservice (3805df0ac4296a34ba4bf93b346cc378) C:\WINDOWS\system32\srsvc.dll
18:35:04.0781 0696 srservice - ok
18:35:04.0953 0696 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
18:35:05.0109 0696 Srv - ok
18:35:05.0203 0696 SSDPSRV (0a5679b3714edab99e357057ee88fca6) C:\WINDOWS\System32\ssdpsrv.dll
18:35:05.0234 0696 SSDPSRV - ok
18:35:05.0672 0696 STacSV (0a8fa56553913e87aa24a6ce218b88de) c:\drivers\audio\r267815\payload\wdm\stacsv.exe
18:35:05.0765 0696 STacSV - ok
18:35:06.0718 0696 STHDA (c111965a8dbd00768787d807ec3113ff) C:\WINDOWS\system32\drivers\sthda.sys
18:35:07.0656 0696 STHDA - ok
18:35:08.0234 0696 stisvc (8bad69cbac032d4bbacfce0306174c30) C:\WINDOWS\system32\wiaservc.dll
18:35:08.0422 0696 stisvc - ok
18:35:08.0484 0696 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
18:35:08.0484 0696 swenum - ok
18:35:08.0578 0696 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
18:35:08.0609 0696 swmidi - ok
18:35:08.0609 0696 SwPrv - ok
18:35:08.0625 0696 symc810 - ok
18:35:08.0625 0696 symc8xx - ok
18:35:08.0718 0696 Symmpi (a42f863305943869ba00a613c8ee8c7e) C:\WINDOWS\system32\drivers\symmpi.sys
18:35:08.0765 0696 Symmpi - ok
18:35:08.0781 0696 sym_hi - ok
18:35:08.0781 0696 sym_u3 - ok
18:35:08.0843 0696 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
18:35:08.0875 0696 sysaudio - ok
18:35:08.0937 0696 SysmonLog (c7abbc59b43274b1109df6b24d617051) C:\WINDOWS\system32\smlogsvc.exe
18:35:09.0000 0696 SysmonLog - ok
18:35:09.0156 0696 TapiSrv (3cb78c17bb664637787c9a1c98f79c38) C:\WINDOWS\System32\tapisrv.dll
18:35:09.0312 0696 TapiSrv - ok
18:35:09.0578 0696 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
18:35:09.0781 0696 Tcpip - ok
18:35:10.0734 0696 tcsd_win32.exe (69f1a38a6dbfe682491cb61a596662e3) C:\Program Files\NTRU Cryptosystems\NTRU TCG Software Stack\bin\tcsd_win32.exe
18:35:11.0484 0696 tcsd_win32.exe - ok
18:35:12.0281 0696 TdmService (a405d39f4dd131954c39114fba31a5e0) C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
18:35:13.0000 0696 TdmService - ok
18:35:13.0453 0696 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
18:35:13.0453 0696 TDPIPE - ok
18:35:13.0500 0696 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
18:35:13.0515 0696 TDTCP - ok
18:35:13.0562 0696 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
18:35:13.0578 0696 TermDD - ok
18:35:13.0953 0696 TermService (ff3477c03be7201c294c35f684b3479f) C:\WINDOWS\System32\termsrv.dll
18:35:14.0062 0696 TermService - ok
18:35:14.0187 0696 Themes (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll
18:35:14.0234 0696 Themes - ok
18:35:14.0312 0696 TlntSvr (db7205804759ff62c34e3efd8a4cc76a) C:\WINDOWS\system32\tlntsvr.exe
18:35:14.0375 0696 TlntSvr - ok
18:35:14.0453 0696 tmactmon (c3c65b0f90188d9c376bea19bdf3af67) C:\WINDOWS\system32\drivers\tmactmon.sys
18:35:14.0484 0696 tmactmon - ok
18:35:14.0828 0696 TMBMServer (8a22c4baddea7a03a6c9f8147ff842fa) C:\Program Files\Trend Micro\BM\TMBMSRV.exe
18:35:15.0031 0696 TMBMServer - ok
18:35:15.0156 0696 tmcomm (a9b5f432c1570b314b279b4527298532) C:\WINDOWS\system32\drivers\tmcomm.sys
18:35:15.0250 0696 tmcomm - ok
18:35:15.0297 0696 tmevtmgr (154916f620d263b1cfb1ab81a512ba24) C:\WINDOWS\system32\drivers\tmevtmgr.sys
18:35:15.0328 0696 tmevtmgr - ok
18:35:15.0625 0696 TmFilter (717e406972bbc07f8fb2a989416cab73) C:\Program Files\Trend Micro\OfficeScan Client\TmXPFlt.sys
18:35:15.0828 0696 TmFilter - ok
18:35:16.0922 0696 tmlisten (d51822a472f4ac993d84f07c8f249392) C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
18:35:17.0828 0696 tmlisten - ok
18:35:17.0859 0696 TmPreFilter (379c4f99994a56b66e11d1e32bb22a1c) C:\Program Files\Trend Micro\OfficeScan Client\TmPreFlt.sys
18:35:17.0890 0696 TmPreFilter - ok
18:35:18.0312 0696 TmProxy (9f4e0a7d3d221347b994aebfc15bf989) C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe
18:35:18.0703 0696 TmProxy - ok
18:35:19.0265 0696 tmtdi (5f7f63884a8547981ee379b8c0fb3312) C:\WINDOWS\system32\DRIVERS\tmtdi.sys
18:35:19.0312 0696 tmtdi - ok
18:35:19.0312 0696 TosIde - ok
18:35:19.0422 0696 TrkWks (55bca12f7f523d35ca3cb833c725f54e) C:\WINDOWS\system32\trkwks.dll
18:35:19.0468 0696 TrkWks - ok
18:35:19.0515 0696 TSKNFA00.SYS (b3350e310fa52ca72155a428aed5670f) C:\WINDOWS\system32\Drivers\TSKNFA00.SYS
18:35:19.0531 0696 TSKNFA00.SYS - ok
18:35:19.0687 0696 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
18:35:19.0734 0696 Udfs - ok
18:35:19.0750 0696 ultra - ok
18:35:19.0984 0696 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
18:35:20.0203 0696 Update - ok
18:35:20.0343 0696 upnphost (1ebafeb9a3fbdc41b8d9c7f0f687ad91) C:\WINDOWS\System32\upnphost.dll
18:35:20.0453 0696 upnphost - ok
18:35:20.0500 0696 UPS (05365fb38fca1e98f7a566aaaf5d1815) C:\WINDOWS\System32\ups.exe
18:35:20.0515 0696 UPS - ok
18:35:20.0562 0696 usbbus (af9388e736af0c325067f05edc350010) C:\WINDOWS\system32\DRIVERS\lgusbbus.sys
18:35:20.0578 0696 usbbus - ok
18:35:20.0625 0696 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
18:35:20.0640 0696 usbccgp - ok
18:35:20.0703 0696 UsbDiag (ae30ea96e60e823c7b525da356283ae8) C:\WINDOWS\system32\DRIVERS\lgusbdiag.sys
18:35:20.0718 0696 UsbDiag - ok
18:35:20.0750 0696 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
18:35:20.0781 0696 usbehci - ok
18:35:20.0843 0696 UsbGps (d9db955cc7d4266b9786f0f1be05d91e) C:\WINDOWS\system32\DRIVERS\lgusbgps.sys
18:35:20.0843 0696 UsbGps - ok
18:35:20.0906 0696 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
18:35:20.0937 0696 usbhub - ok
18:35:20.0968 0696 USBModem (46ac66df3d6efe81f69bea823a53aab5) C:\WINDOWS\system32\DRIVERS\lgusbmodem.sys
18:35:20.0984 0696 USBModem - ok
18:35:21.0062 0696 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
18:35:21.0078 0696 USBSTOR - ok
18:35:21.0109 0696 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
18:35:21.0125 0696 usbuhci - ok
18:35:21.0187 0696 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
18:35:21.0203 0696 VgaSave - ok
18:35:21.0218 0696 ViaIde - ok
18:35:21.0265 0696 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
18:35:21.0297 0696 VolSnap - ok
18:35:22.0406 0696 VSApiNt (642eb152cb980ad9181b2161066be629) C:\Program Files\Trend Micro\OfficeScan Client\VSApiNt.sys
18:35:23.0203 0696 VSApiNt - ok
18:35:23.0843 0696 vsdatant (0354ba3a5ba5e28cc247eb5f5dd8793c) C:\WINDOWS\system32\vsdatant.sys
18:35:24.0156 0696 vsdatant - ok
18:35:24.0312 0696 VSS (7a9db3a67c333bf0bd42e42b8596854b) C:\WINDOWS\System32\vssvc.exe
18:35:24.0437 0696 VSS - ok
18:35:24.0547 0696 W32Time (54af4b1d5459500ef0937f6d33b1914f) C:\WINDOWS\system32\w32time.dll
18:35:24.0625 0696 W32Time - ok
18:35:24.0672 0696 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
18:35:24.0687 0696 Wanarp - ok
18:35:24.0875 0696 WavxDMgr (81f117b7834fa0b78c2354208d185528) C:\WINDOWS\system32\DRIVERS\WavxDMgr.sys
18:35:25.0015 0696 WavxDMgr - ok
18:35:25.0078 0696 wceusbsh (46a247f6617526afe38b6f12f5512120) C:\WINDOWS\system32\DRIVERS\wceusbsh.sys
18:35:25.0093 0696 wceusbsh - ok
18:35:25.0422 0696 Wdf01000 (d918617b46457b9ac28027722e30f647) C:\WINDOWS\system32\Drivers\wdf01000.sys
18:35:25.0672 0696 Wdf01000 - ok
18:35:25.0672 0696 WDICA - ok
18:35:25.0797 0696 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
18:35:25.0843 0696 wdmaud - ok
18:35:25.0890 0696 WebClient (77a354e28153ad2d5e120a5a8687bc06) C:\WINDOWS\System32\webclnt.dll
18:35:25.0937 0696 WebClient - ok
18:35:26.0156 0696 winmgmt (2d0e4ed081963804ccc196a0929275b5) C:\WINDOWS\system32\wbem\WMIsvc.dll
18:35:26.0234 0696 winmgmt - ok
18:35:26.0968 0696 WinRM (18f347402da544a780949b8fdf83351b) C:\WINDOWS\system32\WsmSvc.dll
18:35:27.0593 0696 WinRM - ok
18:35:27.0640 0696 WmdmPmSN (c51b4a5c05a5475708e3c81c7765b71d) C:\WINDOWS\system32\MsPMSNSv.dll
18:35:27.0672 0696 WmdmPmSN - ok
18:35:28.0078 0696 Wmi (e76f8807070ed04e7408a86d6d3a6137) C:\WINDOWS\System32\advapi32.dll
18:35:28.0422 0696 Wmi - ok
18:35:28.0640 0696 WmiAcpi (c42584fd66ce9e17403aebca199f7bdb) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
18:35:28.0656 0696 WmiAcpi - ok
18:35:28.0843 0696 WmiApSrv (e0673f1106e62a68d2257e376079f821) C:\WINDOWS\system32\wbem\wmiapsrv.exe
18:35:28.0922 0696 WmiApSrv - ok
18:35:29.0640 0696 WMPNetworkSvc (f74e3d9a7fa9556c3bbb14d4e5e63d3b) C:\Program Files\Windows Media Player\WMPNetwk.exe
18:35:30.0140 0696 WMPNetworkSvc - ok
18:35:30.0203 0696 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
18:35:30.0218 0696 WS2IFSL - ok
18:35:30.0359 0696 wscsvc (7c278e6408d1dce642230c0585a854d5) C:\WINDOWS\system32\wscsvc.dll
18:35:30.0422 0696 wscsvc - ok
18:35:30.0437 0696 WSearch - ok
18:35:30.0500 0696 wuauserv (35321fb577cdc98ce3eb3a3eb9e4610a) C:\WINDOWS\system32\wuauserv.dll
18:35:30.0515 0696 wuauserv - ok
18:35:30.0593 0696 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
18:35:30.0640 0696 WudfPf - ok
18:35:30.0718 0696 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
18:35:30.0765 0696 WudfRd - ok
18:35:30.0812 0696 WudfSvc (05231c04253c5bc30b26cbaae680ed89) C:\WINDOWS\System32\WUDFSvc.dll
18:35:30.0843 0696 WudfSvc - ok
18:35:31.0453 0696 WZCSVC (81dc3f549f44b1c1fff022dec9ecf30b) C:\WINDOWS\System32\wzcsvc.dll
18:35:31.0672 0696 WZCSVC - ok
18:35:31.0734 0696 xmlprov (295d21f14c335b53cb8154e5b1f892b9) C:\WINDOWS\System32\xmlprov.dll
18:35:31.0797 0696 xmlprov - ok
18:35:31.0828 0696 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
18:35:32.0672 0696 \Device\Harddisk0\DR0 - ok
18:35:32.0672 0696 MBR (0x1B8) (ddae9d649db12f6aff24483f2c298989) \Device\Harddisk1\DR3
18:35:32.0812 0696 \Device\Harddisk1\DR3 - ok
18:35:32.0812 0696 Boot (0x1200) (e37702cd8f91ba9fe8266eed47f1de09) \Device\Harddisk0\DR0\Partition0
18:35:32.0828 0696 \Device\Harddisk0\DR0\Partition0 - ok
18:35:32.0828 0696 Boot (0x1200) (fe144d3bbe08b21e6cc369a8c4d23023) \Device\Harddisk1\DR3\Partition0
18:35:32.0828 0696 \Device\Harddisk1\DR3\Partition0 - ok
18:35:32.0828 0696 ============================================================
18:35:32.0828 0696 Scan finished
18:35:32.0828 0696 ============================================================
18:35:32.0828 5420 Detected object count: 0
18:35:32.0828 5420 Actual detected object count: 0


ComboFix 12-07-31.03 - Jim.Fougeron 08/01/2012 18:55:02.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3539.2782 [GMT -5:00]
Running from: c:\documents and settings\jim.fougeron\Desktop\etavaresCF.exe
AV: Trend Micro OfficeScan Antivirus *Disabled/Outdated* {4CA5B9AB-4295-4D4C-9664-0EBE85AE0525}
S4 TmProxy;OfficeScan NT Proxy Service;c:\program files\Trend Micro\OfficeScan Client\TmProxy.exe [4/24/2010 11:36 PM 689416]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - 60379054
*Deregistered* - 60379054
*Deregistered* - aswMBR
*Deregistered* - fxdyapow
.
Contents of the 'Scheduled Tasks' folder
.
2012-08-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-01-31 12:15]
.
2012-08-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2012-01-31 12:15]
.
2012-08-01 c:\windows\Tasks\User_Feed_Synchronization-{B2348DFF-6C84-42A5-AD8B-A5C131E40528}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 10:31]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mStart Page = about:blank
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
Trusted Zone: aghost.net
Trusted Zone: dtn.com\psoftwebprod01
Trusted Zone: dtnprogressivefarmer.com
Trusted Zone: misbeaconcat01
Trusted Zone: officescan
Trusted Zone: project
Trusted Zone: 8080
Trusted Zone: aghost.net
Trusted Zone: disa.mil\edadocs.ogden
Trusted Zone: disa.mil\myinvoice.csd
Trusted Zone: dtn.com\psoftwebprod01
Trusted Zone: dtnprogressivefarmer.com
Trusted Zone: eb.mil\wawf
Trusted Zone: misbeaconcat01
Trusted Zone: officescan
Trusted Zone: project
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-08-01 19:44
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1532)
c:\windows\system32\igfxdev.dll
c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
.
- - - - - - - > 'lsass.exe'(1588)
c:\windows\system32\wvauth.dll
c:\windows\system32\WININET.dll
c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
.
Completion time: 2012-08-01 19:57:44
ComboFix-quarantined-files.txt 2012-08-02 00:57
.
Pre-Run: 121,693,081,600 bytes free
Post-Run: 121,998,856,192 bytes free
.
- - End Of File - - C366E5F639FE59726F8B4247D9111BE9

Edited by Jim_F, 02 August 2012 - 07:17 PM.


#9 etavares (Bleepin' Remover, Malware Response Team)

Posted 02 August 2012 - 08:47 PM

Hi,

We can try to delete the .mil trusted domains manually if you'd like.

Download LSPFix and save to your desktop.

  • Disconnect from the Internet, go to the LSPfix file and extract (unzip) LSP-Fix into its own folder such as C:\lspfix. (Click here for information on how to do this if not sure; Win 9x/2000 users click here.)
  • Open the lspfix folder and double-click on LSPFix.exe to start the program.
  • Check the "I know what I am doing" checkbox.
  • Select (highlight) all instances of mswsock.dll in the left column under "Keep".
  • Click the arrow >> so it goes over to the right column under "Remove".
  • Click "Finish" and LSPfix will remove references to the file and restore the chain numbers.
  • Restart your computer.

For instructions with screen shots, see the "Using LSP-Fix Tutorial".


Please post an updated DDS log.

Edited by etavares, 02 August 2012 - 08:47 PM.


If I don't respond within 2 days, please feel free to PM me.
Please don't ask for help via PM. The forums are there for a reason. Please post in the forums so others may benefit as well.

Unified Network of Instructors and Trusted Eliminators
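An added example, not part of this thread and not code from LSPFix: the LSPFix step above removes a Winsock provider entry, and the same provider catalog can be dumped from a command prompt with `netsh winsock show catalog`. The Python below parses that command's text output (saved to a file on the affected machine and fed in place of the sample) and flags providers whose DLL is not one of the stock Microsoft providers, in particular any DLL named mswsock.dll that is loaded from somewhere other than system32. The allow-list of known-good paths, the %SystemRoot% value, and the sample catalog text are assumptions constructed for the demonstration; the sample is abridged to the fields the checks use, and the GUID and path of the flagged entry are made up.

```python
import re
from typing import Dict, List, Tuple

# Assumption: stock Winsock providers on a clean Windows XP SP3 install,
# compared after %SystemRoot% expansion and lower-casing.
SYSTEM_ROOT = r"c:\windows"
STOCK_MSWSOCK = r"c:\windows\system32\mswsock.dll"
KNOWN_GOOD_DLLS = {
    STOCK_MSWSOCK,
    r"c:\windows\system32\rsvpsp.dll",
    r"c:\windows\system32\winrnr.dll",
}

# Constructed, abridged sample of `netsh winsock show catalog` output: two
# stock entries and one layered provider that calls itself mswsock.dll but
# lives under a per-user Application Data directory (GUID and path made up).
SAMPLE_CATALOG = r"""
Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Base Service Provider
Description:                        MSAFD Tcpip [TCP/IP]
Provider ID:                        {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Provider Path:                      %SystemRoot%\system32\mswsock.dll
Catalog Entry ID:                   1001
Protocol Chain Length:              1

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Service Provider
Description:                        mswsock.dll
Provider ID:                        {5D8A4F34-0DE6-4B57-9C2A-7A1BA7F8E5B0}
Provider Path:                      C:\Documents and Settings\user\Local Settings\Application Data\{5d8a4f34-0de6-4b57-9c2a-7a1ba7f8e5b0}\mswsock.dll
Catalog Entry ID:                   1028
Protocol Chain Length:              2

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Base Service Provider
Description:                        RSVP UDP Service Provider
Provider ID:                        {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Provider Path:                      %SystemRoot%\system32\rsvpsp.dll
Catalog Entry ID:                   1005
Protocol Chain Length:              1
"""

# "Field name:   value" lines; the field name never contains a colon, so the
# first colon on the line separates name from value even for C:\ paths.
FIELD_RE = re.compile(r"^([A-Za-z ]+):\s+(.*)$")


def parse_catalog(text: str) -> List[Dict[str, str]]:
    """Split netsh output into one {field: value} dict per provider entry."""
    entries: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("Winsock Catalog Provider Entry"):
            if current:
                entries.append(current)
            current = {}
            continue
        m = FIELD_RE.match(line)
        if m:
            current[m.group(1).strip()] = m.group(2).strip()
    if current:
        entries.append(current)
    return entries


def normalize_path(path: str) -> str:
    """Expand %SystemRoot% and lower-case so spelling variants compare equal."""
    return path.replace("%SystemRoot%", SYSTEM_ROOT).lower()


def suspicious_entries(entries: List[Dict[str, str]]) -> List[Tuple[str, str, List[str]]]:
    """Return (catalog id, provider path, reasons) for entries worth a look."""
    flagged: List[Tuple[str, str, List[str]]] = []
    for entry in entries:
        path = normalize_path(entry.get("Provider Path", ""))
        reasons: List[str] = []
        if path not in KNOWN_GOOD_DLLS:
            reasons.append("provider DLL is not a known stock provider")
        # A DLL that borrows the stock name but lives elsewhere is exactly the
        # kind of entry the LSPFix step above moves to the "Remove" column.
        if path.rsplit("\\", 1)[-1] == "mswsock.dll" and path != STOCK_MSWSOCK:
            reasons.append("mswsock.dll loaded from outside system32")
        if reasons:
            flagged.append((entry.get("Catalog Entry ID", "?"),
                            entry.get("Provider Path", ""), reasons))
    return flagged


if __name__ == "__main__":
    # On the affected machine: netsh winsock show catalog > catalog.txt, then
    # read that file and pass its contents here instead of SAMPLE_CATALOG.
    for cat_id, path, reasons in suspicious_entries(parse_catalog(SAMPLE_CATALOG)):
        print(f"catalog entry {cat_id}: {path}")
        for reason in reasons:
            print(f"    - {reason}")
```

The allow-list is deliberately short: a legitimate third-party LSP (the PC Tools PCTLsp.dll in the ComboFix log above, for instance) will also be flagged, which is the intended behaviour for a triage script; the point is to make every non-stock provider visible before anything is removed, because removing the wrong one breaks networking until `netsh winsock reset` rebuilds the catalog.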
 


#10 Jim_F (Topic Starter, Omaha NE)

Posted 03 August 2012 - 07:43 AM

Before I continue, I wanted to post the exact screen seen in LSPFix, and make sure I understand fully your instructions:

Attached file: lspfix.JPG (35.29KB)

What you want me to do, is to remove the mswsock.dll entry, correct?

Jim.

#11 etavares (Bleepin' Remover, Malware Response Team)

Posted 03 August 2012 - 03:02 PM

Hi Jim_F:

Correct...that is a ZeroAccess entry. The worst that will happen is you lose web connectivity...we can reset winsock entirely if we have to at that point.

-etavares




#12 Jim_F (Topic Starter, Omaha NE)

Posted 03 August 2012 - 07:42 PM

> Hi Jim_F:
>
> Correct...that is a ZeroAccess entry. The worst that will happen is you lose web connectivity...we can reset winsock entirely if we have to at that point.
>
> -etavares


Again, THANKS for the help! I do appreciate it a lot.

Ok, the steps you asked for, are done.

This was the message received by LSP-fix, upon the change:

Attached file: LSP-fix-output.JPG (10.74KB)

Then upon reboot, this message was shown, and the wireless icon was not displayed (it has, or should have, an X as I have the radio off):

Attached file: upon-reboot-tcp-error-msg.JPG (7.39KB)



Ok, here are the output files from dds. I only attached the dds.log as that was all you requested. Note, I am still running with the wireless radio off. Also, I have disabled the services for Trend office scan (while doing this work), and mangled the exe name within the HKLM\...\Run to keep the AV off for scanning.

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Jim.Fougeron at 19:26:21 on 2012-08-03
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3539.3074 [GMT -5:00]
.
AV: Trend Micro OfficeScan Antivirus *Disabled/Outdated* {4CA5B9AB-4295-4D4C-9664-0EBE85AE0525}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\drivers\audio\r267815\payload\wdm\stacsv.exe
C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmService.exe
svchost.exe
C:\Program Files\Dell\Dell ControlPoint\DCPButtonSvc.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
c:\Program Files\Dell\Dell ControlPoint\System Manager\DCPSysMgrSvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\Dell\Dell ControlPoint\Dell.ControlPoint.exe
C:\Program Files\Dell\Dell ControlPoint\Connection Manager\Dell.UCM.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\Dell\Dell ControlPoint\System Manager\DCPSysMgr.exe
C:\Program Files\Wave Systems Corp\Trusted Drive Manager\TdmNotify.exe
C:\WINDOWS\system32\igfxext.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Dell\Dell ControlPoint\Security Manager\BcmDeviceAndTaskStatusService.EXE
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
mStart Page = about:blank
uInternet Connection Wizard,ShellNext = iexplore
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - No File
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.7227.1100\swg.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
uRun: [Communicator] "c:\program files\microsoft office communicator\Communicator.e xe"
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [DellControlPoint] "c:\program files\dell\dell controlpoint\Dell.ControlPoint.exe"
mRun: [DellConnectionManager] "c:\program files\dell\dell controlpoint\connection manager\Dell.UCM.exe"
mRun: [OfficeScanNT Monitor] "c:\program files\trend micro\officescan client\pccntmon.e xe" -HideWindow
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
dRun: [Communicator] "c:\program files\microsoft office communicator\Communicator.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\dellco~1.lnk - c:\program files\dell\dell controlpoint\system manager\DCPSysMgr.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\tdmnot~1.lnk - c:\program files\wave systems corp\trusted drive manager\TdmNotify.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{f3c1de9e-5e16-4ba9-b854-7b53a45e3579}\Icon3E5562ED7.ico
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
Trusted Zone: aghost.net
Trusted Zone: dtn.com\psoftwebprod01
Trusted Zone: dtnprogressivefarmer.com
Trusted Zone: misbeaconcat01
Trusted Zone: officescan
Trusted Zone: project
Trusted Zone: 8080
Trusted Zone: aghost.net
Trusted Zone: disa.mil\edadocs.ogden
Trusted Zone: disa.mil\myinvoice.csd
Trusted Zone: dtn.com\psoftwebprod01
Trusted Zone: dtnprogressivefarmer.com
Trusted Zone: eb.mil\wawf
Trusted Zone: misbeaconcat01
Trusted Zone: officescan
Trusted Zone: project
DPF: {00134F72-5284-44F7-95A8-52A619F70751} - hxxps://trendappprod02:4343/officescan/console/html/ClientInstall/WinNTChk.cab
DPF: {08D75BC1-D2B5-11D1-88FC-0080C859833B} - hxxps://trendappprod02:4343/officescan/console/html/ClientInstall/setup.cab
DPF: {35C3D91E-401A-4E45-88A5-F3B32CD72DF4} - hxxps://trendappprod02:4343/officescan/console/html/root/AtxEnc.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1320675334917
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
LSA: Authentication Packages = msv1_0 wvauth
.
============= SERVICES / DRIVERS ===============
.
R0 a320raid;a320raid;c:\windows\system32\drivers\a320raid.sys [2010-6-29 218112]
R0 aac;PERC 320/DC SCSI RAID Miniport Driver;c:\windows\system32\drivers\aac.sys [2010-6-29 48140]
R0 aarich;aarich;c:\windows\system32\drivers\aarich.sys [2010-6-29 204800]
R0 ahcix86;ahcix86;c:\windows\system32\drivers\ahcix86.sys [2010-6-29 187960]
R0 megasas;DELL PERC RAID Driver;c:\windows\system32\drivers\megasas.sys [2010-6-29 19200]
R0 SiSRaid4;SiSRaid4;c:\windows\system32\drivers\sisraid4.sys [2010-6-29 63872]
R1 TSKNFA00.SYS;TSKNFA00.SYS;c:\windows\system32\drivers\Tsknfa00.sys [2012-7-26 18560]
R2 buttonsvc32;Dell ControlPoint Button Service;c:\program files\dell\dell controlpoint\DCPButtonSvc.exe [2009-11-20 278304]
R2 dcpsysmgrsvc;Dell ControlPoint System Manager;c:\program files\dell\dell controlpoint\system manager\DCPSysMgrSvc.exe [2010-2-8 376688]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2010-6-25 35088]
R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2011-11-7 59152]
R2 TmFilter;Trend Micro Filter;c:\program files\trend micro\officescan client\TmXpflt.sys [2011-7-12 262416]
R2 TmPreFilter;Trend Micro PreFilter;c:\program files\trend micro\officescan client\TmPreflt.sys [2011-7-12 36624]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [2011-11-7 113664]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2011-11-7 109568]
S2 ATService;AuthenTec Fingerprint Service;c:\program files\fingerprint sensor\AtService.exe [2010-5-10 1803584]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2012-1-31 136176]
S2 SMManager;Smith Micro Connection Manager Service;c:\program files\dell\dell controlpoint\connection manager\SMManager.exe [2009-12-22 77312]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2012-1-31 136176]
S3 NvtSp50;NvtSp50 NDIS Protocol Driver;c:\windows\system32\drivers\nvtsp50.sys --> c:\windows\system32\drivers\NvtSp50.sys [?]
S3 PCTSFileEnum;PCTSFileEnum;c:\program files\pc tools\dmscanning\PCTSFiles.exe [2012-7-24 89048]
S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [2012-7-29 27064]
S3 s3legacy;s3legacy;c:\windows\system32\drivers\s3legacy.sys [2008-11-3 65664]
S3 UsbGps;LGE CDMA USB GPS NMEA Port;c:\windows\system32\drivers\lgusbgps.sys [2011-2-14 20096]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2007-11-14 394952]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2008-4-14 14336]
S4 TmProxy;OfficeScan NT Proxy Service;c:\program files\trend micro\officescan client\TmProxy.exe [2010-4-24 689416]
.
=============== Created Last 30 ================
.
2012-07-30 13:58:52 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-07-30 13:58:52 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-07-29 23:17:29 -------- d-----w- c:\documents and settings\jim.fougeron\local settings\application data\VS Revo Group
2012-07-29 23:17:24 27064 ----a-w- c:\windows\system32\drivers\revoflt.sys
2012-07-29 23:17:22 -------- d-----w- c:\program files\VS Revo Group
2012-07-29 14:56:24 54016 ----a-w- c:\windows\system32\drivers\hbhuwxd.sys
2012-07-27 07:32:47 -------- d-----w- c:\program files\mIRC
2012-07-27 07:32:47 -------- d-----w- c:\documents and settings\jim.fougeron\application data\mIRC
2012-07-27 06:51:35 54016 ----a-w- c:\windows\system32\drivers\vwpnpc.sys
2012-07-27 06:20:23 -------- d-----w- c:\documents and settings\jim.fougeron\application data\Malwarebytes
2012-07-27 06:20:15 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2012-07-27 06:20:14 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-07-27 06:20:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-07-27 05:40:46 -------- d-sha-r- C:\cmdcons
2012-07-27 05:37:24 256000 ----a-w- c:\windows\PEV.exe
2012-07-27 05:37:24 208896 ----a-w- c:\windows\MBR.exe
2012-07-27 05:37:23 98816 ----a-w- c:\windows\sed.exe
2012-07-27 05:37:23 518144 ----a-w- c:\windows\SWREG.exe
2012-07-26 05:05:00 18560 ----a-w- c:\windows\system32\drivers\Tsknfa00.sys
2012-07-26 05:04:59 -------- d-----w- c:\program files\Iarsn
2012-07-25 01:26:40 -------- d-----w- c:\documents and settings\jim.fougeron\local settings\application data\Threat Expert
2012-07-25 01:03:01 -------- d-----w- c:\documents and settings\jim.fougeron\application data\FixZeroAccess
2012-07-24 13:42:28 203120 ----a-w- c:\windows\system32\drivers\PCTSD.sys
2012-07-24 13:42:28 -------- d-----w- c:\program files\common files\PC Tools
2012-07-24 13:42:27 -------- d-----w- c:\program files\PC Tools
2012-07-24 13:40:32 -------- d-----w- c:\documents and settings\all users\application data\PC Tools
2012-07-24 13:40:26 -------- d-----w- c:\documents and settings\jim.fougeron\application data\TestApp
2012-07-24 01:09:14 22032 ----a-w- c:\windows\DCEBoot.exe
2012-07-13 23:33:21 -------- d-----w- c:\documents and settings\jim.fougeron\local settings\application data\Sun
2012-07-13 23:29:25 772544 ----a-w- c:\windows\system32\npDeployJava1.dll
.
==================== Find3M ====================
.
2012-07-06 03:06:20 687544 ----a-w- c:\windows\system32\deployJava1.dll
2012-05-11 01:42:06 238080 ----a-w- c:\windows\system32\ssleay32.dll
2012-05-11 01:42:06 238080 ----a-w- c:\windows\system32\libssl32.dll
2012-05-11 01:41:52 1100800 ----a-w- c:\windows\system32\libeay32.dll
.
============= FINISH: 19:27:39.09 ===============

#13 etavares (Bleepin' Remover, Malware Response Team)

Posted 03 August 2012 - 08:51 PM

OK, open a command prompt by clicking Start --> Run
Type cmd and press Enter to open a command prompt.
Type the following exactly as shown at the prompt and press Enter
netsh int ip reset c:\resetlog.txt

Reboot the computer.

The TCP/IP error should disappear. Please let me know if it did.

-etavares




#14 Jim_F (Topic Starter, Omaha NE)

Posted 03 August 2012 - 10:07 PM

Actions done. Same message upon reboot. NOTE, the message does list 'Mobile Devices' within the title, so I am not sure it is the wireless. I did look at networks, and the proper 3 are there: my gigabit network, unplugged; the Cisco VPN (disabled until I start it to log in); and the wireless connector, disabled. So it does appear they are all 'listed'. I do only get the wired icon in the tray (with an X since it is unplugged). I was pretty sure I was getting the wireless connector there.

NOTE, I did not run LSP-fix again to look to see if the mswsock.dll entry was back after the last step and reboot, but can if you would like me to.

Here is the log file from the netsh. You did not ask me to post it, but it was created with the last command, so I thought it important enough to post.

reset SYSTEM\CurrentControlSet\Services\Dhcp\Parameters\Options\15\RegLocation
old REG_MULTI_SZ =
SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\?\DhcpDomain
SYSTEM\CurrentControlSet\Services\TcpIp\Parameters\DhcpDomain

added SYSTEM\CurrentControlSet\Services\Netbt\Parameters\Interfaces\Tcpip_{43C2DA1E-58E1-406D-9F87-BAA7AEA9D757}\NetbiosOptions
reset SYSTEM\CurrentControlSet\Services\Netbt\Parameters\Interfaces\Tcpip_{B05BD245-3CB2-4C9A-965C-121D8B3D2DCF}\NameServerList
old REG_MULTI_SZ =
<empty>

added SYSTEM\CurrentControlSet\Services\Netbt\Parameters\Interfaces\Tcpip_{B2D536A6-395D-49B1-B1E2-AFD13F3D5D69}\NetbiosOptions
deleted SYSTEM\CurrentControlSet\Services\Netbt\Parameters\EnableLmhosts
added SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{356F287E-DA35-49E6-B343-957B55D3781D}\AddressType
added SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{356F287E-DA35-49E6-B343-957B55D3781D}\DisableDynamicUpdate
deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{356F287E-DA35-49E6-B343-957B55D3781D}\Mtu
reset SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{356F287E-DA35-49E6-B343-957B55D3781D}\RawIpAllowedProtocols
old REG_MULTI_SZ =
0

reset SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{356F287E-DA35-49E6-B343-957B55D3781D}\TcpAllowedPorts
old REG_MULTI_SZ =
0

reset SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{356F287E-DA35-49E6-B343-957B55D3781D}\UdpAllowedPorts
old REG_MULTI_SZ =
0

added SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{5FAE1CA3-83C6-49DD-B5DB-F813BD6E518D}\DisableDynamicUpdate
deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{5FAE1CA3-83C6-49DD-B5DB-F813BD6E518D}\IpAutoconfigurationAddress
deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{5FAE1CA3-83C6-49DD-B5DB-F813BD6E518D}\IpAutoconfigurationMask
deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{5FAE1CA3-83C6-49DD-B5DB-F813BD6E518D}\IpAutoconfigurationSeed
deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{5FAE1CA3-83C6-49DD-B5DB-F813BD6E518D}\Mtu
reset SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{5FAE1CA3-83C6-49DD-B5DB-F813BD6E518D}\RawIpAllowedProtocols
old REG_MULTI_SZ =
0

reset SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{5FAE1CA3-83C6-49DD-B5DB-F813BD6E518D}\TcpAllowedPorts
old REG_MULTI_SZ =
0

reset SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{5FAE1CA3-83C6-49DD-B5DB-F813BD6E518D}\UdpAllowedPorts
old REG_MULTI_SZ =
0

reset SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{769AD865-94D7-40C1-AEBE-DC9939C38A80}\AddressType
old REG_DWORD = 1

added SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{769AD865-94D7-40C1-AEBE-DC9939C38A80}\DisableDynamicUpdate
deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{769AD865-94D7-40C1-AEBE-DC9939C38A80}\IpAutoconfigurationAddress
deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{769AD865-94D7-40C1-AEBE-DC9939C38A80}\IpAutoconfigurationMask
deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{769AD865-94D7-40C1-AEBE-DC9939C38A80}\IpAutoconfigurationSeed
reset SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{769AD865-94D7-40C1-AEBE-DC9939C38A80}\RawIpAllowedProtocols
old REG_MULTI_SZ =
0

reset SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{769AD865-94D7-40C1-AEBE-DC9939C38A80}\TcpAllowedPorts
old REG_MULTI_SZ =
0

reset SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{769AD865-94D7-40C1-AEBE-DC9939C38A80}\UdpAllowedPorts
old REG_MULTI_SZ =
0

added SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{87826422-6C11-49B0-BF73-08DFAC2EE513}\DisableDynamicUpdate
deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{87826422-6C11-49B0-BF73-08DFAC2EE513}\IpAutoconfigurationAddress
deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{87826422-6C11-49B0-BF73-08DFAC2EE513}\IpAutoconfigurationMask
deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{87826422-6C11-49B0-BF73-08DFAC2EE513}\IpAutoconfigurationSeed
deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{87826422-6C11-49B0-BF73-08DFAC2EE513}\Mtu
reset SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{87826422-6C11-49B0-BF73-08DFAC2EE513}\RawIpAllowedProtocols
old REG_MULTI_SZ =
0

reset SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{87826422-6C11-49B0-BF73-08DFAC2EE513}\TcpAllowedPorts
old REG_MULTI_SZ =
0

reset SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{87826422-6C11-49B0-BF73-08DFAC2EE513}\UdpAllowedPorts
old REG_MULTI_SZ =
0

reset SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{B05BD245-3CB2-4C9A-965C-121D8B3D2DCF}\DefaultGateway
old REG_MULTI_SZ =
<empty>

reset SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{B05BD245-3CB2-4C9A-965C-121D8B3D2DCF}\DefaultGatewayMetric
old REG_MULTI_SZ =
<empty>

added SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{B05BD245-3CB2-4C9A-965C-121D8B3D2DCF}\DisableDynamicUpdate
reset SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{B05BD245-3CB2-4C9A-965C-121D8B3D2DCF}\EnableDhcp
old REG_DWORD = 0

deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{B05BD245-3CB2-4C9A-965C-121D8B3D2DCF}\IpAutoconfigurationAddress
deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{B05BD245-3CB2-4C9A-965C-121D8B3D2DCF}\IpAutoconfigurationMask
deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{B05BD245-3CB2-4C9A-965C-121D8B3D2DCF}\IpAutoconfigurationSeed
deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{B05BD245-3CB2-4C9A-965C-121D8B3D2DCF}\Mtu
reset SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{B05BD245-3CB2-4C9A-965C-121D8B3D2DCF}\RawIpAllowedProtocols
old REG_MULTI_SZ =
0

reset SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{B05BD245-3CB2-4C9A-965C-121D8B3D2DCF}\TcpAllowedPorts
old REG_MULTI_SZ =
0

reset SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{B05BD245-3CB2-4C9A-965C-121D8B3D2DCF}\UdpAllowedPorts
old REG_MULTI_SZ =
0

deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DisableTaskOffload
deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DontAddDefaultGatewayDefault
added SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer
deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\SearchList
deleted SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\UseDomainNameDevolution
reset Linkage\UpperBind for PCI\VEN_14E4&DEV_1674&SUBSYS_167414E4&REV_00\4&2DA1E264&0&00E4. bad value was:
REG_MULTI_SZ =
DNE

reset Linkage\UpperBind for ROOT\NET\0000. bad value was:
REG_MULTI_SZ =
DNE

reset Linkage\UpperBind for PCI\VEN_14E4&DEV_4315&SUBSYS_000C1028&REV_01\4&84CCC20&0&00E1. bad value was:
REG_MULTI_SZ =
DNE

reset Linkage\UpperBind for PCI\VEN_14E4&DEV_1674&SUBSYS_02621028&REV_00\4&2DA1E264&0&00E4. bad value was:
REG_MULTI_SZ =
DNE

reset Linkage\UpperBind for ROOT\MS_NDISWANIP\0000. bad value was:
REG_MULTI_SZ =
DNE

<completed>

#15 etavares (Bleepin' Remover, Malware Response Team)

Posted 04 August 2012 - 05:21 AM

The DDS log showed the bad entry is gone. OK, let's just reset winsock directly.

Open a command prompt with administrator privileges as before. Type this command and hit Enter. Then reboot and let me know how it is.

netsh winsock reset






