
WinXP ZeroAccess rootkit infection (among possible other things...)


  • This topic is locked
16 replies to this topic

#1 antipode56

antipode56

  • Members
  • 17 posts
  • OFFLINE
  • Local time:01:04 AM

Posted 05 August 2012 - 07:53 PM

Hello, I was told to post here to seek help with my ZeroAccess rootkit infection (among possible other things) on my HP laptop. I was helped by Broni in an introductory thread here (and by the way, my eternal thanks for the prompt and clear instructions): http://www.bleepingcomputer.com/forums/topic463872.html

I run Windows XP SP3, and my primary browser is the current version of Firefox (with rare occasional use of IE8). This issue first came up I think 3 days ago, when my Avira virus blocker software started being triggered about every minute or two by something it identified as TR/ATRAPS.GEN, and sometimes GEN2. If I understand correctly, this is a general name Avira assigns to something it's not identifying. Either way, every time the warning would appear, I'd remove it (send it to quarantine), and the message would appear again shortly after. I then decided to update Avira (it auto-updates every 3 days for me, but I did it manually) and then ran a full virus scan. The log from that scan is available in the thread I linked - as usual, it found atraps.gen and gen2 and quarantined them, along with several other viruses. Unfortunately, this didn't solve the issue, so I came here. The problems have also been getting rapidly worse - today, my Avira blocker no longer brings up the constant warnings because it has been completely disabled, and attempting to re-enable it results in an error. I attempted to install an Avast blocker as well, just as a test, and found that its blocker is also permanently disabled (I removed Avast again shortly afterward).

So as instructed, I first ran DeFogger to disable my virtual DVD drive, and then ran Security Check, FSS, MiniToolBox, MBAM, and aswMBR, producing logs for each, which I posted (and are also available in the thread I linked) and which Broni used to confirm the infection(s). He then directed me to use this Prep Guide: http://www.bleepingcomputer.com/forums/topic34773.html beginning with step 6 and then create this thread, explain the issue, and post all the logs created during each step of the guide. Each of those new logs is below, though not all of them were able to be created. I was told if that happened I should skip that step, explain the error, and proceed with the next log.

The first program I was told to run was DDS, which ran fine and produced the following log:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_33
Run by Gary at 17:07:31 on 2012-08-05
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1337 [GMT -7:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Creative\Shared Files\CTDevSrv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Documents and Settings\All Users\Application Data\Skype\Toolbars\Skype C2C Service\c2c_service.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe
C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\Software Update 3\SoftAuto.exe
C:\Documents and Settings\Gary\Local Settings\Apps\F.lux\flux.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Hewlett-Packard\HP Pavilion Webcam\HPWebcam.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=64&bd=pavilion&pf=laptop
uInternet Connection Wizard,ShellNext = hxxp://www.hp.com/go/notebookaccessories
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
uURLSearchHooks: FreeOnlineRadioPlayerRecorder Toolbar: {f999a48b-1950-4d81-9971-79018f807b4b} - c:\program files\freeonlineradioplayerrecorder\prxtbFre2.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: FreeOnlineRadioPlayerRecorder Toolbar: {f999a48b-1950-4d81-9971-79018f807b4b} - c:\program files\freeonlineradioplayerrecorder\prxtbFre2.dll
TB: FreeOnlineRadioPlayerRecorder Toolbar: {f999a48b-1950-4d81-9971-79018f807b4b} - c:\program files\freeonlineradioplayerrecorder\prxtbFre2.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
uRun: [SoftAuto.exe] "c:\program files\creative\software update 3\SoftAuto.exe"
uRun: [F.lux] "c:\documents and settings\gary\local settings\apps\f.lux\flux.exe" /noshow
uRun: [Google Update] "c:\documents and settings\gary\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [Aim] "c:\program files\aim7\aim.exe" /d locale=en-US
uRun: [laxzyldodalp] c:\documents and settings\gary\laxzyldodalp.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [hpWirelessAssistant] c:\program files\hpq\hp wireless assistant\HP Wireless Assistant.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [nwiz] nwiz.exe /installquiet /nodetect
mRun: [MsmqIntCert] regsvr32 /s mqrt.dll
mRun: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
mRun: [Cpqset] c:\program files\hewlett-packard\default settings\cpqset.exe
mRun: [DeadAIM] rundll32.exe "c:\progra~1\aim\\DeadAIM.ocm",ExportedCheckODLs
mRun: [StxTrayMenu] "c:\program files\seagate\systemtray\StxMenuMgr.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [IMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [XboxStat] "c:\program files\microsoft xbox 360 accessories\XboxStat.exe" silentrun
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [NPSStartup]
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
StartupFolder: c:\docume~1\gary\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hppavi~1.lnk - c:\program files\hewlett-packard\hp pavilion webcam\HPWebcam.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_33-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: Interfaces\{84FF76F5-07A7-4A1C-8B69-C9E8E28EFE63} : DhcpNameServer = 192.168.2.1
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\gary\application data\mozilla\firefox\profiles\6z280lyq.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\documents and settings\gary\application data\mozilla\firefox\profiles\6z280lyq.default\extensions\{e0c7b854-d5ce-4db6-9804-be1438603d89}\components\FFAlert.dll
FF - plugin: c:\documents and settings\gary\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\gary\application data\mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: c:\documents and settings\gary\local settings\application data\google\update\1.3.21.115\npGoogleUpdate3.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\update\1.3.21.57\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npdeployJava1.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_3_300_268.dll
FF - plugin: c:\windows\system32\npdeployJava1.dll
FF - plugin: c:\windows\system32\npptools.dll
FF - plugin: c:\windows\system32\npwmsdrm.dll
.
---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false
============= SERVICES / DRIVERS ===============
.
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [2012-1-12 36000]
R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\avira\antivir desktop\sched.exe [2012-8-4 86224]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 Skype C2C Service;Skype C2C Service;c:\documents and settings\all users\application data\skype\toolbars\skype c2c service\c2c_service.exe [2012-7-5 3048136]
S2 AntiVirService;Avira Realtime Protection;c:\program files\avira\antivir desktop\avguard.exe [2012-8-4 110032]
S2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2012-8-4 83392]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2012-7-13 160944]
S3 5U870CAP_VID_1262&PID_25FD;HP Pavilion Webcam ;c:\windows\system32\drivers\5U870CAP.sys [2006-6-6 61952]
S3 CTUPnPSv;Creative Centrale Media Server;c:\program files\creative\creative centrale\CTUPnPSv.exe [2008-5-21 64000]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [2011-7-2 13192]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [2011-7-2 8456]
S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [2010-8-18 36608]
S3 iComp;HP Analog TV Tuner;c:\windows\system32\drivers\p2usbwdm.sys [2006-3-17 1544704]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2007-8-10 17920]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2007-8-10 7680]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [2007-8-10 42112]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-4-25 113120]
S3 sscebus;SAMSUNG USB Composite Device V2 driver (WDM);c:\windows\system32\drivers\sscebus.sys [2010-8-18 98560]
S3 sscemdfl;SAMSUNG Mobile Modem V2 Filter;c:\windows\system32\drivers\sscemdfl.sys [2010-8-18 14848]
S3 sscemdm;SAMSUNG Mobile Modem V2 Drivers;c:\windows\system32\drivers\sscemdm.sys [2010-8-18 123648]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 xmasbus;xmasbus;c:\windows\system32\drivers\xmasbus.sys [2007-6-22 140800]
S4 xmasscsi;xmasscsi;c:\windows\system32\drivers\xmasscsi.sys [2007-6-22 5248]
.
=============== Created Last 30 ================
.
2012-08-05 19:15:27 -------- d-----w- c:\documents and settings\gary\application data\Malwarebytes
2012-08-05 19:15:09 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2012-08-05 19:15:08 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-08-05 19:15:08 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-08-04 23:02:35 -------- d-----w- c:\documents and settings\gary\application data\Avira
2012-08-04 23:02:03 83392 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2012-08-04 23:02:02 -------- d-----w- c:\program files\Avira
2012-08-04 23:02:02 -------- d-----w- c:\documents and settings\all users\application data\Avira
2012-08-04 22:19:52 -------- d-----w- c:\program files\AVAST Software
2012-08-04 22:19:52 -------- d-----w- c:\documents and settings\all users\application data\AVAST Software
2012-08-04 18:26:06 71496 ----a-w- c:\windows\system32\drivers\139e758f6dff4bd1.sys
2012-08-04 08:04:36 476976 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-08-03 19:06:19 94144 ----a-w- c:\documents and settings\gary\laxzyldodalp.exe
2012-08-03 05:24:51 -------- d-----w- c:\documents and settings\gary\.explorer.local
2012-08-03 05:24:50 -------- d-----w- c:\documents and settings\gary\.explorer.cache
.
==================== Find3M ====================
.
2012-08-04 08:04:13 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-08-04 08:04:13 472880 ----a-w- c:\windows\system32\deployJava1.dll
2012-07-31 18:02:25 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-07-31 18:02:24 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-06-13 13:19:59 1866112 ----a-w- c:\windows\system32\win32k.sys
2012-06-05 15:50:25 1372672 ------w- c:\windows\system32\msxml6.dll
2012-06-05 15:50:25 1172480 ----a-w- c:\windows\system32\msxml3.dll
2012-06-04 04:32:08 152576 ----a-w- c:\windows\system32\schannel.dll
2012-06-02 22:19:44 22040 ----a-w- c:\windows\system32\wucltui.dll.mui
2012-06-02 22:19:38 219160 ----a-w- c:\windows\system32\wuaucpl.cpl
2012-06-02 22:19:38 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2012-06-02 22:19:34 15384 ----a-w- c:\windows\system32\wuapi.dll.mui
2012-06-02 22:19:30 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui
2012-05-31 13:22:09 599040 ----a-w- c:\windows\system32\crypt32.dll
2012-05-16 15:08:26 916992 ----a-w- c:\windows\system32\wininet.dll
2012-05-11 14:42:33 43520 ------w- c:\windows\system32\licmgr10.dll
2012-05-11 14:42:33 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-05-11 11:38:02 385024 ------w- c:\windows\system32\html.iec
.
============= FINISH: 17:08:37.63 ===============


It also produced the attach.txt file, though the warnings were very explicit about only posting it if asked directly - so it's available if needed.

The second thing I ran was GMER, which immediately gave me this error:

"LoadDriver( "C:\DOCUME-1\Gary\LOCALS-1\Temp\uwtiipoc.sys" ) error 0xC0000001: Cannot create a stable subkey under a volatile parent key."

GMER then opened, and I received the expected warning about rootkit activity, asking whether I want to run a full scan. I said "no". There's a single red listed entry for the service "C:\WINDOWS\System32\Drivers\139e758f6dff4bd1.sys (***hidden***)", with the value "[BOOT] 139e758f6dff4bd1". I attempted to then uncheck the specific settings on the right before proceeding, but I was unable to do so because all checkboxes were greyed out except for Services, Registry, and Files.

So, I think that's the extent of it so far.
Any help you can offer is very much appreciated (I don't take this for granted - you guys are awesome).

Edited by nasdaq, 06 August 2012 - 12:34 PM.
Quote box removed.
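As an added triage example (not part of the original thread and not code from DDS, GMER or ComboFix): a small Python script that reads lines in the DDS layout shown above (uRun/mRun autorun entries and the dated "Created Last 30" entries) plus the bare-path layout ComboFix uses for its deletion list, and flags three patterns that stand out in the logs in this thread: an executable sitting directly in a user profile root, a driver whose file name is 16 random hex characters, and "@"-style files under a {GUID} directory. The sample lines are constructed to mimic the log formats, and the rule names are my own, not any tool's.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample lines in the layout DDS and ComboFix use on this page
# (not copied from a real machine). The two "suspicious" names mirror the
# ones discussed in the thread; the other lines are ordinary entries.
SAMPLE_LINES = [
    r"uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe",
    r"uRun: [laxzyldodalp] c:\documents and settings\gary\laxzyldodalp.exe",
    r'mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min',
    r"mRun: [NPSStartup]",
    r"2012-08-05 19:15:08 22344 ----a-w- c:\windows\system32\drivers\mbam.sys",
    r"2012-08-04 18:26:06 71496 ----a-w- c:\windows\system32\drivers\139e758f6dff4bd1.sys",
    r"2012-08-03 19:06:19 94144 ----a-w- c:\documents and settings\gary\laxzyldodalp.exe",
    r"2012-08-03 05:24:51 -------- d-----w- c:\documents and settings\gary\.explorer.local",
    r"c:\windows\Installer\{c353bec1-0dbf-5028-b0be-a14ffa02fc07}\U\00000001.@",
    r"c:\windows\system32\drivers\etc\hosts.ics",
]

# DDS "Pseudo HJT Report" autorun lines: uRun/mRun: [name] command
RUN_RE = re.compile(r"^(?P<hive>[um])Run:\s+\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$", re.I)
# DDS "Created Last 30" / "Find3M" lines: date time size attrs path
CREATED_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<size>\d+|-+) (?P<attrs>[-a-z]{8}) (?P<path>.+)$", re.I
)
# ComboFix "Other Deletions" lines are bare paths
BARE_PATH_RE = re.compile(r"^[a-z]:\\", re.I)

# Triage rules (hypothetical names of my own, not from any tool on the page)
HEX_DRIVER_RE = re.compile(r"^[0-9a-f]{16}\.sys$", re.I)
PROFILE_ROOT_RE = re.compile(r"^[a-z]:\\documents and settings\\[^\\]+\\[^\\]+$", re.I)
GUID_AT_RE = re.compile(r"\\\{[0-9a-f-]{36}\}\\(?:@|n|u\\[0-9a-f]{8}\.@)$", re.I)
EXECUTABLE_EXT = (".exe", ".dll", ".sys", ".scr")


@dataclass
class Finding:
    rule: str   # "<source>:<rule>"
    line: str   # the log line that tripped it


def target_from_command(cmd: str) -> str:
    """Pull the program path out of an autorun command string.

    Handles quoted paths and unquoted paths containing spaces. For
    rundll32/regsvr32-style entries it returns the host program, which is
    a known limitation of this simple extractor.
    """
    cmd = cmd.strip()
    if not cmd:
        return ""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"^(.*?\.(?:exe|dll|scr|com|bat|cmd))(?:\s|,|$)", cmd, re.I)
    return m.group(1) if m else cmd.split()[0]


def assess_path(path: str) -> List[str]:
    """Return the triage rules a path trips; an empty list means nothing notable."""
    reasons: List[str] = []
    name = path.rsplit("\\", 1)[-1]
    lower = path.lower()
    # Legitimate drivers have readable names; a bare 16-hex-char name stands out.
    if "\\drivers\\" in lower and HEX_DRIVER_RE.match(name):
        reasons.append("random-hex-driver-name")
    # Installers put binaries under Program Files or the system directory,
    # not directly in the user's profile root.
    if lower.endswith(EXECUTABLE_EXT) and PROFILE_ROOT_RE.match(path):
        reasons.append("executable-in-profile-root")
    # A {GUID} directory holding files named "@", "n" or U\<8 hex>.@ matches
    # the layout of the deletions the ComboFix log in this thread lists.
    if GUID_AT_RE.search(path):
        reasons.append("guid-dir-at-file")
    return reasons


def triage(lines) -> List[Finding]:
    """Classify each line by layout, extract its path and apply the rules."""
    findings: List[Finding] = []
    for raw in lines:
        line = raw.rstrip()
        if (m := RUN_RE.match(line)):
            source, path = "autorun", target_from_command(m.group("cmd"))
        elif (m := CREATED_RE.match(line)):
            source, path = "created", m.group("path")
        elif BARE_PATH_RE.match(line):
            source, path = "path", line
        else:
            continue
        findings.extend(Finding(f"{source}:{r}", line) for r in assess_path(path))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"{f.rule:40} {f.line}")
```

A hit is a reason to look closer (check the file's publisher, signature and creation time against the rest of the log), not a verdict on its own.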


#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:05:04 AM

Posted 08 August 2012 - 08:12 AM

Greetings and Welcome to The Forums!!

My name is Gringo and I'll be glad to help you with your computer problems.

I have put together some things for you to keep in mind while I am helping you, to make things go easier and faster for both of us.

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the Watch Topic Button, select Immediate Notification, and click on Proceed. This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

Security Check

  • Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.



Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#3 antipode56

antipode56
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:01:04 AM

Posted 08 August 2012 - 10:16 PM

Hi Gringo, I followed your directions carefully, and thanks to your help (and Combofix, which is a wonderful tool) I'm tentatively saying my ZeroAccess seems to now be dead! My deepest thanks for your help so far - it's a really great thing that you offer your time to help resolve these issues.
Here's how it went. First I ran Security Check, which produced this log:

notcheckup27.txt
`````````````````System Health check`````````````````
Total Fragmentation on Drive C::
````````````````````End of Log``````````````````````

Same as before. Then I moved on to Combofix, which had me download/install the Recovery Console, as you suspected it might, since I have XP. I should also mention it had some kind of error about not being able to find/access C:\boot.ini or something like that - but it moved on after that and it was fine. It deleted lots of files, including the deadly "laxzyldodalp.exe" which I'm pretty sure was the main process linked to the rootkit - it was protected from being shut down in the task manager when this problem first started, and I kept getting process-ending warnings for it when I'd shut down my computer. Anyway, after the deletions it rebooted (which I should mention took a really long time - it was on the Logging Off screen for more than 30 minutes, and I was getting nervous that it had somehow gotten stuck there - but I remembered the warning about leaving it alone, and eventually it did reboot).

After the reboot, my Avira scanner was functioning once again, and the laxzyldodalp.exe process was gone! I got a security alert that automatic windows updates had been disabled and couldn't be re-enabled, but I rebooted again and that fixed itself. I just assumed that was some residual thing from the Combofix actions. The log Combofix produced is below. Before I paste it though, I should also mention that I ran a full Avira system scan after the second reboot, and it found a number of other things apparently still present on my system (which it also found in the first, original scan, viewable in the original thread I linked in the first post) and quarantined them. It also found all the items in the newly-created quarantine located at C:\Qoobox\Quarantine, and I left those where they were and told Avira to ignore them. The log from this new Avira scan is available here, if you'd like to see it: http://pastebin.com/dm7B10di - it mentions the trojans Dropper.Gen, BHO.bedl, Crypt.XPACK.Gen, and Dldr.Delf.azrn, which apparently MBAM and Combofix left alone, and which were still present in my system. Avira quarantined these, but I somehow doubt those issues are resolved yet. However, the ZeroAccess rootkit was a far more serious issue to me, and as far as I can tell, that has now been eliminated for good.

Here's the log produced by Combofix:




ComboFix 12-08-08.01 - Gary 08/08/2012 13:16:19.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1658 [GMT -7:00]
Running from: c:\documents and settings\Gary\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Gary\Application Data\PriceGong
c:\documents and settings\Gary\Application Data\PriceGong\Data\1.txt
c:\documents and settings\Gary\Application Data\PriceGong\Data\2229.txt
c:\documents and settings\Gary\Application Data\PriceGong\Data\7031.txt
c:\documents and settings\Gary\Application Data\PriceGong\Data\8999.txt
c:\documents and settings\Gary\Application Data\PriceGong\Data\a.txt
c:\documents and settings\Gary\Application Data\PriceGong\Data\b.txt
c:\documents and settings\Gary\Application Data\PriceGong\Data\c.txt
c:\documents and settings\Gary\Application Data\PriceGong\Data\d.txt
c:\documents and settings\Gary\Application Data\PriceGong\Data\e.txt
c:\documents and settings\Gary\Application Data\PriceGong\Data\f.txt
c:\documents and settings\Gary\Application Data\PriceGong\Data\g.txt
c:\documents and settings\Gary\Application Data\PriceGong\Data\h.txt
c:\documents and settings\Gary\Application Data\PriceGong\Data\i.txt
c:\documents and settings\Gary\Application Data\PriceGong\Data\j.txt
c:\documents and settings\Gary\Application Data\PriceGong\Data\k.txt
c:\documents and settings\Gary\Application Data\PriceGong\Data\l.txt
c:\documents and settings\Gary\Application Data\PriceGong\Data\m.txt
c:\documents and settings\Gary\Application Data\PriceGong\Data\mru.xml
c:\documents and settings\Gary\Application Data\PriceGong\Data\n.txt
c:\documents and settings\Gary\Application Data\PriceGong\Data\o.txt
c:\documents and settings\Gary\Application Data\PriceGong\Data\p.txt
c:\documents and settings\Gary\Application Data\PriceGong\Data\q.txt
c:\documents and settings\Gary\Application Data\PriceGong\Data\r.txt
c:\documents and settings\Gary\Application Data\PriceGong\Data\s.txt
c:\documents and settings\Gary\Application Data\PriceGong\Data\t.txt
c:\documents and settings\Gary\Application Data\PriceGong\Data\u.txt
c:\documents and settings\Gary\Application Data\PriceGong\Data\v.txt
c:\documents and settings\Gary\Application Data\PriceGong\Data\w.txt
c:\documents and settings\Gary\Application Data\PriceGong\Data\wlu.txt
c:\documents and settings\Gary\Application Data\PriceGong\Data\x.txt
c:\documents and settings\Gary\Application Data\PriceGong\Data\y.txt
c:\documents and settings\Gary\Application Data\PriceGong\Data\z.txt
c:\documents and settings\Gary\laxzyldodalp.exe
c:\documents and settings\Gary\Local Settings\Application Data\{c353bec1-0dbf-5028-b0be-a14ffa02fc07}
c:\documents and settings\Gary\Local Settings\Application Data\{c353bec1-0dbf-5028-b0be-a14ffa02fc07}\@
c:\documents and settings\Gary\Local Settings\Application Data\{c353bec1-0dbf-5028-b0be-a14ffa02fc07}\n
c:\documents and settings\Gary\Start Menu\Programs\1964.lnk
c:\documents and settings\Gary\WINDOWS
c:\windows\AutoRun.ini
c:\windows\Installer\{c353bec1-0dbf-5028-b0be-a14ffa02fc07}
c:\windows\Installer\{c353bec1-0dbf-5028-b0be-a14ffa02fc07}\@
c:\windows\Installer\{c353bec1-0dbf-5028-b0be-a14ffa02fc07}\U\00000001.@
c:\windows\Installer\{c353bec1-0dbf-5028-b0be-a14ffa02fc07}\U\80000000.@
c:\windows\system32\drivers\139e758f6dff4bd1.sys
c:\windows\system32\drivers\etc\hosts.ics
c:\windows\system32\SET24.tmp
c:\windows\system32\SET30.tmp
c:\windows\system32\URTTemp
c:\windows\system32\URTTemp\fusion.dll
c:\windows\system32\URTTemp\mscoree.dll
c:\windows\system32\URTTemp\mscoree.dll.local
c:\windows\system32\URTTemp\mscorsn.dll
c:\windows\system32\URTTemp\mscorwks.dll
c:\windows\system32\URTTemp\msvcr71.dll
c:\windows\system32\URTTemp\regtlib.exe
H:\install.exe
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_139e758f6dff4bd1
-------\Service_139e758f6dff4bd1
.
.
((((((((((((((((((((((((( Files Created from 2012-07-08 to 2012-08-08 )))))))))))))))))))))))))))))))
.
.
2012-08-05 19:15 . 2012-08-05 19:15 -------- d-----w- c:\documents and settings\Gary\Application Data\Malwarebytes
2012-08-05 19:15 . 2012-08-05 19:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-08-05 19:15 . 2012-08-05 19:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-08-05 19:15 . 2012-07-03 20:46 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-08-04 23:02 . 2012-08-04 23:02 -------- d-----w- c:\documents and settings\Gary\Application Data\Avira
2012-08-04 23:02 . 2012-07-19 01:05 83392 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2012-08-04 23:02 . 2012-08-04 23:02 -------- d-----w- c:\program files\Avira
2012-08-04 23:02 . 2012-08-04 23:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2012-08-04 22:19 . 2012-08-04 22:28 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
2012-08-04 22:19 . 2012-08-04 22:19 -------- d-----w- c:\program files\AVAST Software
2012-08-04 08:04 . 2012-08-04 08:04 476976 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-08-04 08:02 . 2012-08-04 08:02 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2012-08-03 20:15 . 2012-08-03 20:15 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2012-08-03 05:24 . 2012-08-03 05:24 -------- d-----w- c:\documents and settings\Gary\.explorer.local
2012-08-03 05:24 . 2012-08-03 06:06 -------- d-----w- c:\documents and settings\Gary\.explorer.cache
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-08-04 08:04 . 2010-05-05 03:46 472880 ----a-w- c:\windows\system32\deployJava1.dll
2012-08-04 08:04 . 2007-06-22 20:23 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-07-31 18:02 . 2012-04-02 19:15 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-07-31 18:02 . 2011-05-14 16:33 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-06-13 13:19 . 2006-03-16 04:00 1866112 ----a-w- c:\windows\system32\win32k.sys
2012-06-05 15:50 . 2008-08-19 20:03 1372672 ------w- c:\windows\system32\msxml6.dll
2012-06-05 15:50 . 2006-03-16 04:00 1172480 ----a-w- c:\windows\system32\msxml3.dll
2012-06-04 04:32 . 2006-03-16 04:00 152576 ----a-w- c:\windows\system32\schannel.dll
2012-06-02 22:19 . 2007-04-17 05:44 22040 ----a-w- c:\windows\system32\wucltui.dll.mui
2012-06-02 22:19 . 2007-04-17 05:46 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2012-06-02 22:19 . 2006-03-16 04:00 329240 ----a-w- c:\windows\system32\wucltui.dll
2012-06-02 22:19 . 2006-03-16 04:00 219160 ----a-w- c:\windows\system32\wuaucpl.cpl
2012-06-02 22:19 . 2006-03-16 04:00 210968 ----a-w- c:\windows\system32\wuweb.dll
2012-06-02 22:19 . 2007-04-17 05:46 15384 ----a-w- c:\windows\system32\wuapi.dll.mui
2012-06-02 22:19 . 2007-04-17 05:45 45080 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 22:19 . 2006-03-16 04:00 97304 ----a-w- c:\windows\system32\cdm.dll
2012-06-02 22:19 . 2006-03-16 04:00 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 22:19 . 2006-03-16 04:00 35864 ----a-w- c:\windows\system32\wups.dll
2012-06-02 22:19 . 2007-04-17 05:45 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui
2012-06-02 22:19 . 2006-03-16 04:00 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 22:19 . 2006-03-16 04:00 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-05-31 13:22 . 2006-03-16 04:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2012-05-16 15:08 . 2006-03-16 04:00 916992 ----a-w- c:\windows\system32\wininet.dll
2012-05-11 14:42 . 2006-03-16 04:00 43520 ------w- c:\windows\system32\licmgr10.dll
2012-05-11 14:42 . 2006-03-16 04:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-05-11 11:38 . 2006-03-16 04:00 385024 ------w- c:\windows\system32\html.iec
2012-07-18 18:29 . 2011-08-28 01:12 136672 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{f999a48b-1950-4d81-9971-79018f807b4b}"= "c:\program files\FreeOnlineRadioPlayerRecorder\prxtbFre2.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{f999a48b-1950-4d81-9971-79018f807b4b}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{f999a48b-1950-4d81-9971-79018f807b4b}]
2011-05-09 09:49 176936 ----a-w- c:\program files\FreeOnlineRadioPlayerRecorder\prxtbFre2.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{f999a48b-1950-4d81-9971-79018f807b4b}"= "c:\program files\FreeOnlineRadioPlayerRecorder\prxtbFre2.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{f999a48b-1950-4d81-9971-79018f807b4b}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{F999A48B-1950-4D81-9971-79018F807B4B}"= "c:\program files\FreeOnlineRadioPlayerRecorder\prxtbFre2.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{f999a48b-1950-4d81-9971-79018f807b4b}]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2008-01-17 00:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2008-01-17 00:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2008-01-17 00:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2008-01-17 00:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2008-01-17 00:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2008-01-17 00:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2008-01-17 00:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2008-01-17 00:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2008-01-17 00:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoftAuto.exe"="c:\program files\Creative\Software Update 3\SoftAuto.exe" [2008-05-28 401408]
"F.lux"="c:\documents and settings\Gary\Local Settings\Apps\F.lux\flux.exe" [2009-08-29 966656]
"Aim"="c:\program files\AIM7\aim.exe" [2012-02-29 4321112]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-05-04 458752]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-01-30 13594624]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-01-30 86016]
"nwiz"="nwiz.exe" [2009-01-30 1657376]
"MsmqIntCert"="mqrt.dll" [2008-04-14 177152]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-06-02 61952]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-12-07 1024000]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-06-19 163840]
"Cpqset"="c:\program files\Hewlett-Packard\Default Settings\cpqset.exe" [2006-06-19 40960]
"DeadAIM"="c:\progra~1\AIM\\DeadAIM.ocm" [2004-04-11 144896]
"StxTrayMenu"="c:\program files\Seagate\SystemTray\StxMenuMgr.exe" [2007-01-18 190008]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-11-07 111936]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2006-03-15 44032]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"XboxStat"="c:\program files\Microsoft Xbox 360 Accessories\XboxStat.exe" [2009-10-01 718688]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-09-19 198160]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2012-07-19 348664]
.
c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\
Vongo Tray.lnk - c:\program files\Vongo\Tray.exe [N/A]
.
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Vongo Tray.lnk - c:\program files\Vongo\Tray.exe [N/A]
.
c:\documents and settings\Gary\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Pavilion Webcam Tray Icon.lnk - c:\program files\Hewlett-Packard\HP Pavilion Webcam\HPWebcam.exe [2007-6-22 102400]
.
c:\documents and settings\Default User\Start Menu\Programs\Startup\
Vongo Tray.lnk - c:\program files\Vongo\Tray.exe [N/A]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2008-11-12 08:28 133104 ----atw- c:\documents and settings\Gary\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 18:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QPService]
2006-07-19 22:14 102400 ----a-w- c:\program files\HP\QuickPlay\QPService.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-19 05:16 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RecGuard]
2005-10-11 17:23 1187840 ----a-w- c:\windows\SMINST\Recguard.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2009-09-19 00:51 198160 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
.
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [1/12/2012 1:36 PM 36000]
R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [8/4/2012 4:02 PM 86224]
R2 Skype C2C Service;Skype C2C Service;c:\documents and settings\All Users\Application Data\Skype\Toolbars\Skype C2C Service\c2c_service.exe [7/5/2012 6:41 PM 3048136]
S2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [7/13/2012 1:28 PM 160944]
S3 5U870CAP_VID_1262&PID_25FD;HP Pavilion Webcam ;c:\windows\system32\drivers\5U870CAP.sys [6/6/2006 1:39 PM 61952]
S3 CFcatchme;CFcatchme;\??\c:\combofix\CFcatchme.sys --> c:\combofix\CFcatchme.sys [?]
S3 CTUPnPSv;Creative Centrale Media Server;c:\program files\Creative\Creative Centrale\CTUPnPSv.exe [5/21/2008 4:42 AM 64000]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [7/2/2011 7:34 PM 13192]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [7/2/2011 7:34 PM 8456]
S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [8/18/2010 7:37 PM 36608]
S3 iComp;HP Analog TV Tuner;c:\windows\system32\drivers\p2usbwdm.sys [3/17/2006 4:34 PM 1544704]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [8/10/2007 2:41 PM 17920]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [8/10/2007 2:41 PM 7680]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [8/10/2007 2:41 PM 42112]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [4/25/2012 2:53 PM 113120]
S3 sscebus;SAMSUNG USB Composite Device V2 driver (WDM);c:\windows\system32\drivers\sscebus.sys [8/18/2010 7:37 PM 98560]
S3 sscemdfl;SAMSUNG Mobile Modem V2 Filter;c:\windows\system32\drivers\sscemdfl.sys [8/18/2010 7:37 PM 14848]
S3 sscemdm;SAMSUNG Mobile Modem V2 Drivers;c:\windows\system32\drivers\sscemdm.sys [8/18/2010 7:37 PM 123648]
S4 xmasbus;xmasbus;c:\windows\system32\drivers\xmasbus.sys [6/22/2007 3:16 PM 140800]
S4 xmasscsi;xmasscsi;c:\windows\system32\drivers\xmasscsi.sys [6/22/2007 3:16 PM 5248]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - AVGNTFLT
*NewlyCreated* - WS2IFSL
.
Contents of the 'Scheduled Tasks' folder
.
2012-08-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2267045550-1316354526-338541988-1005Core.job
- c:\documents and settings\Gary\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-11-12 08:28]
.
2012-08-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2267045550-1316354526-338541988-1005UA.job
- c:\documents and settings\Gary\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-11-12 08:28]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://www.hp.com/go/notebookaccessories
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.2.1
FF - ProfilePath - c:\documents and settings\Gary\Application Data\Mozilla\Firefox\Profiles\6z280lyq.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
HKCU-Run-laxzyldodalp - c:\documents and settings\Gary\laxzyldodalp.exe
HKLM-Run-NPSStartup - (no file)
AddRemove-DirectWave - c:\program files\VstPlugins\DirectWave\DirectWave\uninstall.exe
AddRemove-01_Simmental - c:\program files\Samsung\USB Drivers\01_Simmental\Uninstall.exe
AddRemove-02_Siberian - c:\program files\Samsung\USB Drivers\02_Siberian\Uninstall.exe
AddRemove-03_Swallowtail - c:\program files\Samsung\USB Drivers\03_Swallowtail\Uninstall.exe
AddRemove-04_semseyite - c:\program files\Samsung\USB Drivers\04_semseyite\Uninstall.exe
AddRemove-05_Sloan - c:\program files\Samsung\USB Drivers\05_Sloan\Uninstall.exe
AddRemove-06_Spencer - c:\program files\Samsung\USB Drivers\06_Spencer\Uninstall.exe
AddRemove-07_Schorl - c:\program files\Samsung\USB Drivers\07_Schorl\Uninstall.exe
AddRemove-08_EMPChipset - c:\program files\Samsung\USB Drivers\08_EMPChipset\Uninstall.exe
AddRemove-09_Hsp - c:\program files\Samsung\USB Drivers\09_Hsp\Uninstall.exe
AddRemove-11_HSP_Plus_Default - c:\program files\Samsung\USB Drivers\11_HSP_Plus_Default\Uninstall.exe
AddRemove-12_Symbian_USB_Download_Driver - c:\program files\SAMSUNG\USB Drivers\12_Symbian_USB_Download_Driver\Uninstall.exe
AddRemove-15_Symbian_Samsung_PC_DLC_Driver - c:\program files\SAMSUNG\USB Drivers\15_Symbian_Samsung_PC_DLC_Driver\Uninstall.exe
AddRemove-16_Shrewsbury - c:\program files\Samsung\USB Drivers\16_Shrewsbury\Uninstall.exe
AddRemove-17_EMP_Chipset2 - c:\program files\Samsung\USB Drivers\17_EMP_Chipset2\Uninstall.exe
AddRemove-18_Zinia_Serial_Driver - c:\program files\Samsung\USB Drivers\18_Zinia_Serial_Driver\Uninstall.exe
AddRemove-19_VIA_driver - c:\program files\Samsung\USB Drivers\19_VIA_driver\Uninstall.exe
AddRemove-20_NXP_Driver - c:\program files\Samsung\USB Drivers\20_NXP_Driver\Uninstall.exe
AddRemove-21_Searsburg - c:\program files\Samsung\USB Drivers\21_Searsburg\Uninstall.exe
AddRemove-22_WiBro_WiMAX - c:\program files\Samsung\USB Drivers\22_WiBro_WiMAX\Uninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-08-08 13:48
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\Hewlett-Packard\Default Settings\cpqset.exe????????????L?@? ????R??????`?@?????L?@
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(1624)
c:\windows\system32\WININET.dll
c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
c:\program files\TortoiseSVN\bin\TortoiseStub.dll
c:\program files\TortoiseSVN\bin\TortoiseSVN.dll
c:\program files\TortoiseSVN\bin\intl3_tsvn.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\msdtc.exe
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Creative\Shared Files\CTDevSrv.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\mqsvc.exe
c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\mqtgsvc.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\program files\TortoiseSVN\bin\TSVNCache.exe
c:\windows\eHome\ehmsas.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2012-08-08 13:58:26 - machine was rebooted
ComboFix-quarantined-files.txt 2012-08-08 20:58
.
Pre-Run: 3,355,058,176 bytes free
Post-Run: 5,554,585,600 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
.
- - End Of File - - 56F5D4D8560A422CE42A7E961BB41096




Again, Gringo, my eternal thanks for the help so far.

#4 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:05:04 AM

Posted 08 August 2012 - 10:27 PM

Greetings

I want you to run these next,

tdsskiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please download aswMBR to your desktop.
  • Double click the aswMBR.exe icon to run it
  • it will ask to download extra definitions - ALLOW IT
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

If you have any problems running either one, come back and let me know

please reply with the reports from TDSSKiller and aswMBR

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University
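Reading a pasted TDSSKiller report by hand means pairing each "name (md5) path" line with the "name - verdict" line that follows it and looking for anything that is not "ok". The following Python script is an added example, not part of this thread and not TDSSKiller's own code: it parses the per-driver lines in the format shown in the report posted in the next reply, skips the SystemInfo and drive-layout header that precedes "Scan started", and reports two things: any entry whose verdict is not "ok", and, as a labelled heuristic, any driver file whose base name is 16 hexadecimal characters, the naming pattern of the 139e758f6dff4bd1.sys driver that ComboFix removed earlier in this thread. The sample input mixes lines copied from the posted report with two constructed lines (marked as such) so that the flagging path is exercised; the "suspicious" verdict text on the constructed line is invented for the sample and is not TDSSKiller's wording.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Lines copied from the TDSSKiller report posted in this thread.
REAL_LINES = r"""
21:58:32.0396 3628 Drive \Device\Harddisk0\DR0 - Size: 0x174A446000 (93.16 Gb), SectorSize: 0x200
21:58:46.0693 4652 Scan started
21:58:46.0693 4652 Mode: Manual;
21:58:46.0693 4652 ============================================================
21:58:47.0521 4652 5U870CAP_VID_1262&PID_25FD (d2142fee659d97b2b05820f21594bfe2) C:\WINDOWS\system32\Drivers\5U870CAP.sys
21:58:47.0552 4652 5U870CAP_VID_1262&PID_25FD - ok
21:58:47.0568 4652 Abiosdsk - ok
21:58:50.0677 4652 avgntflt (d5541f0afb767e85fc412fc609d96a74) C:\WINDOWS\system32\DRIVERS\avgntflt.sys
21:58:50.0677 4652 avgntflt - ok
21:58:51.0349 4652 catchme - ok
"""

# Constructed lines (not from the thread): a driver named like the one ComboFix
# removed above, with an invented non-"ok" verdict so triage() has something to flag.
CONSTRUCTED_LINES = r"""
21:58:53.0000 4652 139e758f6dff4bd1 (0123456789abcdef0123456789abcdef) C:\WINDOWS\system32\drivers\139e758f6dff4bd1.sys
21:58:53.0010 4652 139e758f6dff4bd1 - suspicious
"""

SAMPLE_LOG = REAL_LINES + CONSTRUCTED_LINES

# Every report line starts with "HH:MM:SS.mmmm <pid> ".
LINE_RE = re.compile(r"^(?P<time>\d\d:\d\d:\d\d\.\d{4}) (?P<pid>\d+) (?P<rest>.*)$")
# "name (md5) path": name is non-greedy so it may contain spaces or '&'.
FILE_RE = re.compile(r"^(?P<name>.+?) \((?P<md5>[0-9a-f]{32})\) (?P<path>.+)$")
# "name - verdict": split at the first " - ".
STATUS_RE = re.compile(r"^(?P<name>.+?) - (?P<status>.+)$")
# Heuristic: 16 hex characters as a driver base name (pattern seen in the ComboFix log above).
HEX_NAME_RE = re.compile(r"^[0-9a-f]{16}$")


@dataclass
class Entry:
    name: str
    md5: Optional[str] = None
    path: Optional[str] = None
    status: Optional[str] = None


def parse_tdsskiller_log(text: str) -> Dict[str, Entry]:
    """Return one Entry per service/driver name from the scan section of the report."""
    entries: Dict[str, Entry] = {}
    in_scan = False
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        rest = m.group("rest")
        if rest.startswith("Scan started"):
            in_scan = True
            continue
        if not in_scan:
            continue  # header lines (SystemInfo, drive layout) also contain " - "; ignore them
        fm = FILE_RE.match(rest)
        if fm:
            e = entries.setdefault(fm.group("name"), Entry(fm.group("name")))
            e.md5, e.path = fm.group("md5"), fm.group("path")
            continue
        sm = STATUS_RE.match(rest)
        if sm:
            e = entries.setdefault(sm.group("name"), Entry(sm.group("name")))
            e.status = sm.group("status")
    return entries


def triage(entries: Dict[str, Entry]) -> List[Tuple[str, str]]:
    """List (name, reason) pairs a helper should look at before anything else."""
    findings: List[Tuple[str, str]] = []
    for e in entries.values():
        if e.status is None:
            findings.append((e.name, "no verdict line recorded (truncated paste?)"))
        elif e.status != "ok":
            findings.append((e.name, f"verdict: {e.status}"))
        if e.path:
            stem = e.path.replace("\\", "/").rsplit("/", 1)[-1].rsplit(".", 1)[0]
            if HEX_NAME_RE.match(stem.lower()):
                findings.append((e.name, "heuristic: 16-hex-character driver name"))
    return findings


if __name__ == "__main__":
    parsed = parse_tdsskiller_log(SAMPLE_LOG)
    print(f"{len(parsed)} entries parsed")
    for name, reason in triage(parsed):
        print(f"  {name}: {reason}")
```

Entries with an "ok" verdict and an ordinary file name produce nothing, so on a clean report the output is just the entry count; the hex-name heuristic is only a prompt to look closer, since a verdict of "ok" from the tool still wins over a file name.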

#5 antipode56

antipode56
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:01:04 AM

Posted 09 August 2012 - 01:31 AM

Here's the scan report from TDSSKiller:

21:58:30.0740 3628 TDSS rootkit removing tool 2.7.48.0 Jul 24 2012 13:16:32
21:58:31.0161 3628 ============================================================
21:58:31.0161 3628 Current date / time: 2012/08/08 21:58:31.0161
21:58:31.0161 3628 SystemInfo:
21:58:31.0161 3628
21:58:31.0161 3628 OS Version: 5.1.2600 ServicePack: 3.0
21:58:31.0161 3628 Product type: Workstation
21:58:31.0161 3628 ComputerName: TRISKELION
21:58:31.0161 3628 UserName: Gary
21:58:31.0161 3628 Windows directory: C:\WINDOWS
21:58:31.0161 3628 System windows directory: C:\WINDOWS
21:58:31.0161 3628 Processor architecture: Intel x86
21:58:31.0161 3628 Number of processors: 2
21:58:31.0161 3628 Page size: 0x1000
21:58:31.0161 3628 Boot type: Normal boot
21:58:31.0161 3628 ============================================================
21:58:32.0396 3628 Drive \Device\Harddisk0\DR0 - Size: 0x174A446000 (93.16 Gb), SectorSize: 0x200, Cylinders: 0x2F81, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000050
21:58:32.0396 3628 Drive \Device\Harddisk1\DR1 - Size: 0x174A446000 (93.16 Gb), SectorSize: 0x200, Cylinders: 0x2F81, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000050
21:58:32.0396 3628 Drive \Device\Harddisk2\DR5 - Size: 0x15D50D00000 (1397.26 Gb), SectorSize: 0x200, Cylinders: 0x2C881, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'W'
21:58:32.0411 3628 ============================================================
21:58:32.0411 3628 \Device\Harddisk0\DR0:
21:58:32.0427 3628 MBR partitions:
21:58:32.0427 3628 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0xB84F13F
21:58:32.0427 3628 \Device\Harddisk1\DR1:
21:58:32.0427 3628 MBR partitions:
21:58:32.0427 3628 \Device\Harddisk1\DR1\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0xBA50E02
21:58:32.0427 3628 \Device\Harddisk2\DR5:
21:58:32.0427 3628 MBR partitions:
21:58:32.0427 3628 \Device\Harddisk2\DR5\Partition0: MBR, Type 0x7, StartLBA 0x800, BlocksNum 0xAEA86000
21:58:32.0427 3628 ============================================================
21:58:32.0536 3628 C: <-> \Device\Harddisk0\DR0\Partition0
21:58:32.0911 3628 D: <-> \Device\Harddisk1\DR1\Partition0
21:58:32.0943 3628 H: <-> \Device\Harddisk2\DR5\Partition0
21:58:32.0943 3628 ============================================================
21:58:32.0943 3628 Initialize success
21:58:32.0943 3628 ============================================================
21:58:46.0693 4652 ============================================================
21:58:46.0693 4652 Scan started
21:58:46.0693 4652 Mode: Manual;
21:58:46.0693 4652 ============================================================
21:58:47.0521 4652 5U870CAP_VID_1262&PID_25FD (d2142fee659d97b2b05820f21594bfe2) C:\WINDOWS\system32\Drivers\5U870CAP.sys
21:58:47.0552 4652 5U870CAP_VID_1262&PID_25FD - ok
21:58:47.0568 4652 Abiosdsk - ok
21:58:47.0615 4652 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS
21:58:47.0646 4652 abp480n5 - ok
21:58:47.0708 4652 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
21:58:47.0708 4652 ACPI - ok
21:58:47.0724 4652 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
21:58:47.0724 4652 ACPIEC - ok
21:58:47.0896 4652 AddFiltr (746742588c07db53731143229e2ee450) C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
21:58:47.0927 4652 AddFiltr - ok
21:58:48.0005 4652 Adobe LM Service (c1eb9968ec89fba5f3a264e2e57923ab) C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
21:58:48.0052 4652 Adobe LM Service - ok
21:58:48.0099 4652 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys
21:58:48.0161 4652 adpu160m - ok
21:58:48.0208 4652 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
21:58:48.0255 4652 aec - ok
21:58:48.0318 4652 AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys
21:58:48.0333 4652 AFD - ok
21:58:48.0396 4652 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys
21:58:48.0427 4652 agp440 - ok
21:58:48.0474 4652 agpCPQ (03a7e0922acfe1b07d5db2eeb0773063) C:\WINDOWS\system32\DRIVERS\agpCPQ.sys
21:58:48.0505 4652 agpCPQ - ok
21:58:48.0568 4652 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\system32\DRIVERS\aha154x.sys
21:58:48.0599 4652 Aha154x - ok
21:58:48.0661 4652 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys
21:58:48.0693 4652 aic78u2 - ok
21:58:48.0740 4652 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys
21:58:48.0771 4652 aic78xx - ok
21:58:48.0833 4652 Alerter (a9a3daa780ca6c9671a19d52456705b4) C:\WINDOWS\system32\alrsvc.dll
21:58:48.0865 4652 Alerter - ok
21:58:48.0896 4652 ALG (8c515081584a38aa007909cd02020b3d) C:\WINDOWS\System32\alg.exe
21:58:48.0896 4652 ALG - ok
21:58:48.0911 4652 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys
21:58:48.0927 4652 AliIde - ok
21:58:48.0958 4652 alim1541 (cb08aed0de2dd889a8a820cd8082d83c) C:\WINDOWS\system32\DRIVERS\alim1541.sys
21:58:48.0958 4652 alim1541 - ok
21:58:48.0990 4652 amdagp (95b4fb835e28aa1336ceeb07fd5b9398) C:\WINDOWS\system32\DRIVERS\amdagp.sys
21:58:49.0083 4652 amdagp - ok
21:58:49.0115 4652 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\system32\DRIVERS\amsint.sys
21:58:49.0161 4652 amsint - ok
21:58:49.0302 4652 AntiVirSchedulerService (0a1cc583e8147004e4ad4625d7fbf88c) C:\Program Files\Avira\AntiVir Desktop\sched.exe
21:58:49.0333 4652 AntiVirSchedulerService - ok
21:58:49.0396 4652 AntiVirService (c9a36ef935aced86aedf93e97e606911) C:\Program Files\Avira\AntiVir Desktop\avguard.exe
21:58:49.0443 4652 AntiVirService - ok
21:58:49.0583 4652 Apple Mobile Device (2e3e53a6aef23e24f402c7855b9b1542) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
21:58:49.0630 4652 Apple Mobile Device - ok
21:58:49.0693 4652 AppMgmt (d8849f77c0b66226335a59d26cb4edc6) C:\WINDOWS\System32\appmgmts.dll
21:58:49.0740 4652 AppMgmt - ok
21:58:49.0802 4652 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
21:58:49.0802 4652 Arp1394 - ok
21:58:49.0865 4652 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\system32\DRIVERS\asc.sys
21:58:49.0880 4652 asc - ok
21:58:49.0911 4652 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\system32\DRIVERS\asc3350p.sys
21:58:49.0927 4652 asc3350p - ok
21:58:49.0943 4652 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\system32\DRIVERS\asc3550.sys
21:58:49.0990 4652 asc3550 - ok
21:58:50.0161 4652 aspnet_state (0e5e4957549056e2bf2c49f4f6b601ad) C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
21:58:50.0240 4652 aspnet_state - ok
21:58:50.0302 4652 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
21:58:50.0318 4652 AsyncMac - ok
21:58:50.0365 4652 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
21:58:50.0365 4652 atapi - ok
21:58:50.0365 4652 Atdisk - ok
21:58:50.0427 4652 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
21:58:50.0458 4652 Atmarpc - ok
21:58:50.0521 4652 AudioSrv (def7a7882bec100fe0b2ce2549188f9d) C:\WINDOWS\System32\audiosrv.dll
21:58:50.0552 4652 AudioSrv - ok
21:58:50.0599 4652 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
21:58:50.0646 4652 audstub - ok
21:58:50.0677 4652 avgntflt (d5541f0afb767e85fc412fc609d96a74) C:\WINDOWS\system32\DRIVERS\avgntflt.sys
21:58:50.0677 4652 avgntflt - ok
21:58:50.0755 4652 avipbb (7d967a682d4694df7fa57d63a2db01fe) C:\WINDOWS\system32\DRIVERS\avipbb.sys
21:58:50.0802 4652 avipbb - ok
21:58:50.0833 4652 avkmgr (271cfd1a989209b1964e24d969552bf7) C:\WINDOWS\system32\DRIVERS\avkmgr.sys
21:58:50.0880 4652 avkmgr - ok
21:58:50.0911 4652 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
21:58:50.0974 4652 Beep - ok
21:58:51.0099 4652 Bonjour Service (5ab58c337ac65837fe404462ad6265ab) C:\Program Files\Bonjour\mDNSResponder.exe
21:58:51.0177 4652 Bonjour Service - ok
21:58:51.0224 4652 Browser (a06ce3399d16db864f55faeb1f1927a9) C:\WINDOWS\System32\browser.dll
21:58:51.0255 4652 Browser - ok
21:58:51.0302 4652 BTWUSB (4272bab9291d26da5ac913bc79c3ce85) C:\WINDOWS\system32\Drivers\btwusb.sys
21:58:51.0333 4652 BTWUSB - ok
21:58:51.0349 4652 catchme - ok
21:58:51.0396 4652 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\DRIVERS\cbidf2k.sys
21:58:51.0411 4652 cbidf - ok
21:58:51.0427 4652 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
21:58:51.0427 4652 cbidf2k - ok
21:58:51.0490 4652 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
21:58:51.0521 4652 CCDECODE - ok
21:58:51.0568 4652 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\system32\DRIVERS\cd20xrnt.sys
21:58:51.0599 4652 cd20xrnt - ok
21:58:51.0630 4652 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
21:58:51.0661 4652 Cdaudio - ok
21:58:51.0708 4652 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
21:58:51.0708 4652 Cdfs - ok
21:58:51.0724 4652 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
21:58:51.0771 4652 Cdrom - ok
21:58:51.0771 4652 CFcatchme - ok
21:58:51.0771 4652 Changer - ok
21:58:51.0802 4652 CiSvc (1cfe720eb8d93a7158a4ebc3ab178bde) C:\WINDOWS\system32\cisvc.exe
21:58:51.0818 4652 CiSvc - ok
21:58:51.0849 4652 ClipSrv (34cbe729f38138217f9c80212a2a0c82) C:\WINDOWS\system32\clipsrv.exe
21:58:51.0865 4652 ClipSrv - ok
21:58:52.0068 4652 clr_optimization_v2.0.50727_32 (d87acaed61e417bba546ced5e7e36d9c) C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
21:58:52.0240 4652 clr_optimization_v2.0.50727_32 - ok
21:58:52.0349 4652 clr_optimization_v4.0.30319_32 (c5a75eb48e2344abdc162bda79e16841) C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
21:58:52.0396 4652 clr_optimization_v4.0.30319_32 - ok
21:58:52.0458 4652 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
21:58:52.0490 4652 CmBatt - ok
21:58:52.0521 4652 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\system32\DRIVERS\cmdide.sys
21:58:52.0552 4652 CmdIde - ok
21:58:52.0583 4652 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
21:58:52.0583 4652 Compbatt - ok
21:58:52.0599 4652 COMSysApp - ok
21:58:52.0630 4652 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\system32\DRIVERS\cpqarray.sys
21:58:52.0661 4652 Cpqarray - ok
21:58:52.0708 4652 CryptSvc (3d4e199942e29207970e04315d02ad3b) C:\WINDOWS\System32\cryptsvc.dll
21:58:52.0755 4652 CryptSvc - ok
21:58:52.0880 4652 CTDevice_Srv (a5bea0e5c297f5f3835638a87e512fba) C:\Program Files\Creative\Shared Files\CTDevSrv.exe
21:58:52.0927 4652 CTDevice_Srv - ok
21:58:52.0990 4652 CTUPnPSv (8e26d772f53b7883a651e0e4a9598f21) C:\Program Files\Creative\Creative Centrale\CTUPnPSv.exe
21:58:53.0021 4652 CTUPnPSv - ok
21:58:53.0083 4652 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\system32\DRIVERS\dac2w2k.sys
21:58:53.0130 4652 dac2w2k - ok
21:58:53.0161 4652 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\system32\DRIVERS\dac960nt.sys
21:58:53.0193 4652 dac960nt - ok
21:58:53.0271 4652 DcomLaunch (6b27a5c03dfb94b4245739065431322c) C:\WINDOWS\system32\rpcss.dll
21:58:53.0302 4652 DcomLaunch - ok
21:58:53.0380 4652 Dhcp (5e38d7684a49cacfb752b046357e0589) C:\WINDOWS\System32\dhcpcsvc.dll
21:58:53.0396 4652 Dhcp - ok
21:58:53.0583 4652 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
21:58:53.0599 4652 Disk - ok
21:58:53.0599 4652 dmadmin - ok
21:58:53.0724 4652 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
21:58:53.0849 4652 dmboot - ok
21:58:53.0865 4652 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
21:58:53.0880 4652 dmio - ok
21:58:53.0896 4652 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
21:58:53.0896 4652 dmload - ok
21:58:53.0943 4652 dmserver (57edec2e5f59f0335e92f35184bc8631) C:\WINDOWS\System32\dmserver.dll
21:58:53.0943 4652 dmserver - ok
21:58:53.0974 4652 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
21:58:54.0005 4652 DMusic - ok
21:58:54.0052 4652 Dnscache (5f7e24fa9eab896051ffb87f840730d2) C:\WINDOWS\System32\dnsrslvr.dll
21:58:54.0068 4652 Dnscache - ok
21:58:54.0130 4652 Dot3svc (0f0f6e687e5e15579ef4da8dd6945814) C:\WINDOWS\System32\dot3svc.dll
21:58:54.0177 4652 Dot3svc - ok
21:58:54.0208 4652 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\system32\DRIVERS\dpti2o.sys
21:58:54.0255 4652 dpti2o - ok
21:58:54.0286 4652 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
21:58:54.0318 4652 drmkaud - ok
21:58:54.0365 4652 e1express (f239ec59b4a30266a4a7b081a5dee0fc) C:\WINDOWS\system32\DRIVERS\e1e5132.sys
21:58:54.0411 4652 e1express - ok
21:58:54.0443 4652 eabfiltr (b5cb3084046146fd2587d8c9b219feb4) C:\WINDOWS\system32\DRIVERS\eabfiltr.sys
21:58:54.0474 4652 eabfiltr - ok
21:58:54.0521 4652 eabusb (231f4547ae1e4b3e60eca66c3a96d218) C:\WINDOWS\system32\DRIVERS\eabusb.sys
21:58:54.0521 4652 eabusb - ok
21:58:54.0552 4652 EapHost (2187855a7703adef0cef9ee4285182cc) C:\WINDOWS\System32\eapsvc.dll
21:58:54.0583 4652 EapHost - ok
21:58:54.0724 4652 ehRecvr (d039a0c347632622934906bd59a4e1ea) C:\WINDOWS\eHome\ehRecvr.exe
21:58:54.0771 4652 ehRecvr - ok
21:58:54.0802 4652 ehSched (a53243709439ac2a4c216b817f8d7411) C:\WINDOWS\eHome\ehSched.exe
21:58:54.0849 4652 ehSched - ok
21:58:54.0880 4652 enodpl (b4556f3d468c8dcb0b259d9d866cd4c4) C:\WINDOWS\system32\drivers\enodpl.sys
21:58:54.0911 4652 enodpl - ok
21:58:54.0958 4652 epmntdrv (f07ba56b0235f15eff8f10dc6389c42e) C:\WINDOWS\system32\epmntdrv.sys
21:58:54.0990 4652 epmntdrv - ok
21:58:55.0036 4652 ERSvc (bc93b4a066477954555966d77fec9ecb) C:\WINDOWS\System32\ersvc.dll
21:58:55.0068 4652 ERSvc - ok
21:58:55.0099 4652 EuGdiDrv (1f2f4ab15ce03ecc257feb2f6dc5a013) C:\WINDOWS\system32\EuGdiDrv.sys
21:58:55.0146 4652 EuGdiDrv - ok
21:58:55.0208 4652 Eventlog (65df52f5b8b6e9bbd183505225c37315) C:\WINDOWS\system32\services.exe
21:58:55.0208 4652 Eventlog - ok
21:58:55.0302 4652 EventSystem (d4991d98f2db73c60d042f1aef79efae) C:\WINDOWS\system32\es.dll
21:58:55.0302 4652 EventSystem - ok
21:58:55.0349 4652 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
21:58:55.0396 4652 Fastfat - ok
21:58:55.0443 4652 FastUserSwitchingCompatibility (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll
21:58:55.0458 4652 FastUserSwitchingCompatibility - ok
21:58:55.0505 4652 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
21:58:55.0536 4652 Fdc - ok
21:58:55.0552 4652 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
21:58:55.0583 4652 Fips - ok
21:58:55.0615 4652 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
21:58:55.0646 4652 Flpydisk - ok
21:58:55.0693 4652 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
21:58:55.0693 4652 FltMgr - ok
21:58:55.0818 4652 FontCache3.0.0.0 (8ba7c024070f2b7fdd98ed8a4ba41789) C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
21:58:55.0865 4652 FontCache3.0.0.0 - ok
21:58:55.0958 4652 FsUsbExDisk (cbe5f69a5e5b918225f420ba748f3742) C:\WINDOWS\system32\FsUsbExDisk.SYS
21:58:56.0005 4652 FsUsbExDisk - ok
21:58:56.0036 4652 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
21:58:56.0083 4652 Fs_Rec - ok
21:58:56.0130 4652 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
21:58:56.0130 4652 Ftdisk - ok
21:58:56.0177 4652 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\Drivers\GEARAspiWDM.sys
21:58:56.0224 4652 GEARAspiWDM - ok
21:58:56.0271 4652 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
21:58:56.0302 4652 Gpc - ok
21:58:56.0333 4652 hamachi (14d11f508e649f1499bd32e145ba80cb) C:\WINDOWS\system32\DRIVERS\hamachi.sys
21:58:56.0365 4652 hamachi - ok
21:58:56.0411 4652 HBtnKey (4d4d97671c63c3af869b3518e6054204) C:\WINDOWS\system32\DRIVERS\cpqbttn.sys
21:58:56.0458 4652 HBtnKey - ok
21:58:56.0536 4652 HdAudAddService (2a6e9a118da2dd0439551a7eb3a8f65e) C:\WINDOWS\system32\drivers\CHDAud.sys
21:58:56.0568 4652 HdAudAddService - ok
21:58:56.0599 4652 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
21:58:56.0599 4652 HDAudBus - ok
21:58:56.0708 4652 helpsvc (4fcca060dfe0c51a09dd5c3843888bcd) C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll
21:58:56.0740 4652 helpsvc - ok
21:58:56.0771 4652 HidIr (bb1a6fb7d35a91e599973fa74a619056) C:\WINDOWS\system32\DRIVERS\hidir.sys
21:58:56.0786 4652 HidIr - ok
21:58:56.0818 4652 HidServ (deb04da35cc871b6d309b77e1443c796) C:\WINDOWS\System32\hidserv.dll
21:58:56.0849 4652 HidServ - ok
21:58:56.0896 4652 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
21:58:56.0943 4652 HidUsb - ok
21:58:57.0036 4652 hkmsvc (8878bd685e490239777bfe51320b88e9) C:\WINDOWS\System32\kmsvc.dll
21:58:57.0068 4652 hkmsvc - ok
21:58:57.0115 4652 hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\system32\DRIVERS\hpn.sys
21:58:57.0146 4652 hpn - ok
21:58:57.0286 4652 hpqwmiex (04c1dcbb226c6ae647b794833ce3ceb6) C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
21:58:57.0286 4652 hpqwmiex - ok
21:58:57.0333 4652 HSFHWAZL (448c0fd272fe1b80046f4767db21eb8d) C:\WINDOWS\system32\DRIVERS\HSFHWAZL.sys
21:58:57.0365 4652 HSFHWAZL - ok
21:58:57.0490 4652 HSF_DPV (2715a27de9c17bdbaf6d6c79989a7b12) C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys
21:58:57.0630 4652 HSF_DPV - ok
21:58:57.0708 4652 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
21:58:57.0724 4652 HTTP - ok
21:58:57.0802 4652 HTTPFilter (6100a808600f44d999cebdef8841c7a3) C:\WINDOWS\System32\w3ssl.dll
21:58:57.0833 4652 HTTPFilter - ok
21:58:57.0880 4652 i2omgmt (9368670bd426ebea5e8b18a62416ec28) C:\WINDOWS\system32\drivers\i2omgmt.sys
21:58:57.0911 4652 i2omgmt - ok
21:58:57.0943 4652 i2omp (f10863bf1ccc290babd1a09188ae49e0) C:\WINDOWS\system32\DRIVERS\i2omp.sys
21:58:57.0974 4652 i2omp - ok
21:58:58.0005 4652 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
21:58:58.0052 4652 i8042prt - ok
21:58:58.0177 4652 iaStor (309c4d86d989fb1fcf64bd30dc81c51b) C:\WINDOWS\system32\DRIVERS\iaStor.sys
21:58:58.0193 4652 iaStor - ok
21:58:58.0365 4652 iComp (299f68c088b7c55cf1ac48980a1fca21) C:\WINDOWS\system32\DRIVERS\p2usbwdm.sys
21:58:58.0583 4652 iComp - ok
21:58:58.0740 4652 IDriverT (1cf03c69b49acb70c722df92755c0c8c) C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
21:58:58.0771 4652 IDriverT - ok
21:58:59.0036 4652 idsvc (c01ac32dc5c03076cfb852cb5da5229c) C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
21:58:59.0208 4652 idsvc - ok
21:58:59.0396 4652 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
21:58:59.0443 4652 Imapi - ok
21:58:59.0490 4652 ImapiService (30deaf54a9755bb8546168cfe8a6b5e1) C:\WINDOWS\system32\imapi.exe
21:58:59.0505 4652 ImapiService - ok
21:58:59.0552 4652 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\system32\DRIVERS\ini910u.sys
21:58:59.0552 4652 ini910u - ok
21:58:59.0599 4652 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
21:58:59.0599 4652 IntelIde - ok
21:58:59.0615 4652 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
21:58:59.0615 4652 intelppm - ok
21:58:59.0646 4652 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
21:58:59.0693 4652 Ip6Fw - ok
21:58:59.0724 4652 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
21:58:59.0724 4652 IpFilterDriver - ok
21:58:59.0740 4652 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
21:58:59.0786 4652 IpInIp - ok
21:58:59.0818 4652 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
21:58:59.0818 4652 IpNat - ok
21:59:00.0005 4652 iPod Service (8f610078437a459948480407f4db91ea) C:\Program Files\iPod\bin\iPodService.exe
21:59:00.0052 4652 iPod Service - ok
21:59:00.0083 4652 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
21:59:00.0115 4652 IPSec - ok
21:59:00.0146 4652 IrBus (b43b36b382aea10861f7c7a37f9d4ae2) C:\WINDOWS\system32\DRIVERS\IrBus.sys
21:59:00.0161 4652 IrBus - ok
21:59:00.0193 4652 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
21:59:00.0224 4652 IRENUM - ok
21:59:00.0271 4652 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
21:59:00.0271 4652 isapnp - ok
21:59:00.0443 4652 JavaQuickStarterService (28e8a9984ba1297efe44b6138d2ca51e) C:\Program Files\Java\jre6\bin\jqs.exe
21:59:00.0490 4652 JavaQuickStarterService - ok
21:59:00.0536 4652 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
21:59:00.0568 4652 Kbdclass - ok
21:59:00.0599 4652 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
21:59:00.0630 4652 kbdhid - ok
21:59:00.0677 4652 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
21:59:00.0724 4652 kmixer - ok
21:59:00.0755 4652 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
21:59:00.0755 4652 KSecDD - ok
21:59:00.0802 4652 lanmanserver (3a7c3cbe5d96b8ae96ce81f0b22fb527) C:\WINDOWS\System32\srvsvc.dll
21:59:00.0818 4652 lanmanserver - ok
21:59:00.0880 4652 lanmanworkstation (a8888a5327621856c0cec4e385f69309) C:\WINDOWS\System32\wkssvc.dll
21:59:00.0896 4652 lanmanworkstation - ok
21:59:00.0896 4652 lbrtfdc - ok
21:59:01.0052 4652 LightScribeService (86e8bcaa91fc2acfacd99cf2bf9f1f47) C:\Program Files\Common Files\LightScribe\LSSrvc.exe
21:59:01.0083 4652 LightScribeService - ok
21:59:01.0115 4652 LmHosts (a7db739ae99a796d91580147e919cc59) C:\WINDOWS\System32\lmhsvc.dll
21:59:01.0161 4652 LmHosts - ok
21:59:01.0224 4652 Macromedia Licensing Service (4c14b1315e7be1838e11c34d368e94bf) C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
21:59:01.0255 4652 Macromedia Licensing Service - ok
21:59:01.0349 4652 McrdSvc (df0a511f38f16016bf658fca0090cb87) C:\WINDOWS\ehome\mcrdsvc.exe
21:59:01.0411 4652 McrdSvc - ok
21:59:01.0458 4652 mdmxsdk (74f4372af97a587ecec527ec34955712) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
21:59:01.0490 4652 mdmxsdk - ok
21:59:01.0536 4652 Messenger (986b1ff5814366d71e0ac5755c88f2d3) C:\WINDOWS\System32\msgsvc.dll
21:59:01.0583 4652 Messenger - ok
21:59:01.0630 4652 MHN (b7521f69c0a9b29d356157229376fb21) C:\WINDOWS\System32\mhn.dll
21:59:01.0677 4652 MHN - ok
21:59:01.0708 4652 MHNDRV (7f2f1d2815a6449d346fcccbc569fbd6) C:\WINDOWS\system32\DRIVERS\mhndrv.sys
21:59:01.0740 4652 MHNDRV - ok
21:59:01.0771 4652 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
21:59:01.0786 4652 mnmdd - ok
21:59:01.0849 4652 mnmsrvc (d18f1f0c101d06a1c1adf26eed16fcdd) C:\WINDOWS\system32\mnmsrvc.exe
21:59:01.0880 4652 mnmsrvc - ok
21:59:01.0927 4652 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
21:59:01.0927 4652 Modem - ok
21:59:01.0974 4652 motccgp (69cd0527a73636990967093674a176e2) C:\WINDOWS\system32\DRIVERS\motccgp.sys
21:59:02.0021 4652 motccgp - ok
21:59:02.0068 4652 motccgpfl (aad6191a4daa519f04ab12b2af73e356) C:\WINDOWS\system32\DRIVERS\motccgpfl.sys
21:59:02.0099 4652 motccgpfl - ok
21:59:02.0146 4652 MotDev (20ff89c59b0a50f53822303064988e00) C:\WINDOWS\system32\DRIVERS\motodrv.sys
21:59:02.0177 4652 MotDev - ok
21:59:02.0224 4652 motmodem (fe80c18ba448ddd76b7bead9eb203d37) C:\WINDOWS\system32\DRIVERS\motmodem.sys
21:59:02.0240 4652 motmodem - ok
21:59:02.0271 4652 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
21:59:02.0286 4652 Mouclass - ok
21:59:02.0349 4652 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
21:59:02.0365 4652 mouhid - ok
21:59:02.0396 4652 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
21:59:02.0411 4652 MountMgr - ok
21:59:02.0474 4652 MozillaMaintenance (46297fa8e30a6007f14118fc2b942fbc) C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe
21:59:02.0521 4652 MozillaMaintenance - ok
21:59:02.0599 4652 MQAC (70c14f5cca5cf73f8a645c73a01d8726) C:\WINDOWS\system32\drivers\mqac.sys
21:59:02.0630 4652 MQAC - ok
21:59:02.0693 4652 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\system32\DRIVERS\mraid35x.sys
21:59:02.0724 4652 mraid35x - ok
21:59:02.0740 4652 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
21:59:02.0755 4652 MRxDAV - ok
21:59:02.0818 4652 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
21:59:02.0880 4652 MRxSmb - ok
21:59:02.0943 4652 MSDTC (a137f1470499a205abbb9aafb3b6f2b1) C:\WINDOWS\system32\msdtc.exe
21:59:02.0974 4652 MSDTC - ok
21:59:02.0990 4652 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
21:59:02.0990 4652 Msfs - ok
21:59:03.0005 4652 MSIServer - ok
21:59:03.0083 4652 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
21:59:03.0130 4652 MSKSSRV - ok
21:59:03.0161 4652 MSMQ (afb909b537aae1beae7bbdb6a36d40b0) C:\WINDOWS\system32\mqsvc.exe
21:59:03.0193 4652 MSMQ - ok
21:59:03.0224 4652 MSMQTriggers (7f955ff3b1bb93376ebe75d5accdc6db) C:\WINDOWS\system32\mqtgsvc.exe
21:59:03.0271 4652 MSMQTriggers - ok
21:59:03.0286 4652 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
21:59:03.0302 4652 MSPCLOCK - ok
21:59:03.0333 4652 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
21:59:03.0365 4652 MSPQM - ok
21:59:03.0411 4652 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
21:59:03.0411 4652 mssmbios - ok
21:59:03.0427 4652 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
21:59:03.0458 4652 MSTEE - ok
21:59:03.0505 4652 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
21:59:03.0505 4652 Mup - ok
21:59:03.0552 4652 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
21:59:03.0583 4652 NABTSFEC - ok
21:59:03.0677 4652 napagent (0102140028fad045756796e1c685d695) C:\WINDOWS\System32\qagentrt.dll
21:59:03.0755 4652 napagent - ok
21:59:03.0802 4652 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
21:59:03.0802 4652 NDIS - ok
21:59:03.0849 4652 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
21:59:03.0880 4652 NdisIP - ok
21:59:03.0958 4652 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
21:59:03.0958 4652 NdisTapi - ok
21:59:03.0974 4652 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
21:59:04.0005 4652 Ndisuio - ok
21:59:04.0052 4652 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
21:59:04.0068 4652 NdisWan - ok
21:59:04.0115 4652 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
21:59:04.0115 4652 NDProxy - ok
21:59:04.0146 4652 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
21:59:04.0146 4652 NetBIOS - ok
21:59:04.0193 4652 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
21:59:04.0255 4652 NetBT - ok
21:59:04.0302 4652 NetDDE (b857ba82860d7ff85ae29b095645563b) C:\WINDOWS\system32\netdde.exe
21:59:04.0349 4652 NetDDE - ok
21:59:04.0349 4652 NetDDEdsdm (b857ba82860d7ff85ae29b095645563b) C:\WINDOWS\system32\netdde.exe
21:59:04.0349 4652 NetDDEdsdm - ok
21:59:04.0380 4652 Netlogon (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
21:59:04.0380 4652 Netlogon - ok
21:59:04.0427 4652 Netman (13e67b55b3abd7bf3fe7aae5a0f9a9de) C:\WINDOWS\System32\netman.dll
21:59:04.0474 4652 Netman - ok
21:59:04.0599 4652 NetTcpPortSharing (d34612c5d02d026535b3095d620626ae) C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
21:59:04.0661 4652 NetTcpPortSharing - ok
21:59:04.0693 4652 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
21:59:04.0693 4652 NIC1394 - ok
21:59:04.0771 4652 Nla (943337d786a56729263071623bbb9de5) C:\WINDOWS\System32\mswsock.dll
21:59:04.0786 4652 Nla - ok
21:59:04.0833 4652 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
21:59:04.0849 4652 Npfs - ok
21:59:04.0927 4652 NSNDIS5 (53f7546e8daefb3a0813f5e19c4613c9) C:\WINDOWS\system32\NSNDIS5.SYS
21:59:04.0974 4652 NSNDIS5 - ok
21:59:05.0083 4652 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
21:59:05.0099 4652 Ntfs - ok
21:59:05.0146 4652 NtLmSsp (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
21:59:05.0146 4652 NtLmSsp - ok
21:59:05.0224 4652 NtmsSvc (156f64a3345bd23c600655fb4d10bc08) C:\WINDOWS\system32\ntmssvc.dll
21:59:05.0286 4652 NtmsSvc - ok
21:59:05.0318 4652 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
21:59:05.0349 4652 Null - ok
21:59:06.0177 4652 nv (d42fb8615e810901779294f5627364fe) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
21:59:06.0771 4652 nv - ok
21:59:07.0005 4652 NVSvc (755d3a2de4b05024f90430fe32ff26a5) C:\WINDOWS\system32\nvsvc32.exe
21:59:07.0052 4652 NVSvc - ok
21:59:07.0146 4652 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
21:59:07.0193 4652 NwlnkFlt - ok
21:59:07.0224 4652 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
21:59:07.0255 4652 NwlnkFwd - ok
21:59:07.0302 4652 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
21:59:07.0302 4652 ohci1394 - ok
21:59:07.0458 4652 ose (7a56cf3e3f12e8af599963b16f50fb6a) C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
21:59:07.0490 4652 ose - ok
21:59:07.0536 4652 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys
21:59:07.0568 4652 Parport - ok
21:59:07.0568 4652 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
21:59:07.0583 4652 PartMgr - ok
21:59:07.0615 4652 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
21:59:07.0646 4652 ParVdm - ok
21:59:07.0661 4652 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
21:59:07.0661 4652 PCI - ok
21:59:07.0661 4652 PCIDump - ok
21:59:07.0677 4652 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
21:59:07.0677 4652 PCIIde - ok
21:59:07.0693 4652 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\DRIVERS\pcmcia.sys
21:59:07.0693 4652 Pcmcia - ok
21:59:07.0708 4652 PDCOMP - ok
21:59:07.0708 4652 PDFRAME - ok
21:59:07.0724 4652 PDRELI - ok
21:59:07.0740 4652 PDRFRAME - ok
21:59:07.0786 4652 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\system32\DRIVERS\perc2.sys
21:59:07.0818 4652 perc2 - ok
21:59:07.0849 4652 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\system32\DRIVERS\perc2hib.sys
21:59:07.0880 4652 perc2hib - ok
21:59:07.0958 4652 PlugPlay (65df52f5b8b6e9bbd183505225c37315) C:\WINDOWS\system32\services.exe
21:59:07.0958 4652 PlugPlay - ok
21:59:08.0005 4652 PolicyAgent (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
21:59:08.0005 4652 PolicyAgent - ok
21:59:08.0021 4652 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
21:59:08.0068 4652 PptpMiniport - ok
21:59:08.0068 4652 ProtectedStorage (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
21:59:08.0068 4652 ProtectedStorage - ok
21:59:08.0099 4652 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
21:59:08.0130 4652 PSched - ok
21:59:08.0161 4652 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
21:59:08.0193 4652 Ptilink - ok
21:59:08.0224 4652 PxHelp20 (d86b4a68565e444d76457f14172c875a) C:\WINDOWS\system32\Drivers\PxHelp20.sys
21:59:08.0224 4652 PxHelp20 - ok
21:59:08.0255 4652 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\system32\DRIVERS\ql1080.sys
21:59:08.0302 4652 ql1080 - ok
21:59:08.0349 4652 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\system32\DRIVERS\ql10wnt.sys
21:59:08.0380 4652 Ql10wnt - ok
21:59:08.0411 4652 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\system32\DRIVERS\ql12160.sys
21:59:08.0458 4652 ql12160 - ok
21:59:08.0505 4652 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\system32\DRIVERS\ql1240.sys
21:59:08.0536 4652 ql1240 - ok
21:59:08.0583 4652 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\system32\DRIVERS\ql1280.sys
21:59:08.0615 4652 ql1280 - ok
21:59:08.0646 4652 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
21:59:08.0677 4652 RasAcd - ok
21:59:08.0724 4652 RasAuto (ad188be7bdf94e8df4ca0a55c00a5073) C:\WINDOWS\System32\rasauto.dll
21:59:08.0771 4652 RasAuto - ok
21:59:08.0802 4652 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
21:59:08.0833 4652 Rasl2tp - ok
21:59:08.0896 4652 RasMan (76a9a3cbeadd68cc57cda5e1d7448235) C:\WINDOWS\System32\rasmans.dll
21:59:08.0943 4652 RasMan - ok
21:59:08.0958 4652 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
21:59:08.0974 4652 RasPppoe - ok
21:59:09.0036 4652 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
21:59:09.0068 4652 Raspti - ok
21:59:09.0115 4652 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
21:59:09.0115 4652 Rdbss - ok
21:59:09.0130 4652 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
21:59:09.0161 4652 RDPCDD - ok
21:59:09.0208 4652 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
21:59:09.0271 4652 rdpdr - ok
21:59:09.0333 4652 RDPWD (6589db6e5969f8eee594cf71171c5028) C:\WINDOWS\system32\drivers\RDPWD.sys
21:59:09.0349 4652 RDPWD - ok
21:59:09.0411 4652 RDSessMgr (3c37bf86641bda977c3bf8a840f3b7fa) C:\WINDOWS\system32\sessmgr.exe
21:59:09.0458 4652 RDSessMgr - ok
21:59:09.0505 4652 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
21:59:09.0521 4652 redbook - ok
21:59:09.0599 4652 RemoteAccess (7e699ff5f59b5d9de5390e3c34c67cf5) C:\WINDOWS\System32\mprdim.dll
21:59:09.0646 4652 RemoteAccess - ok
21:59:09.0693 4652 RemoteRegistry (5b19b557b0c188210a56a6b699d90b8f) C:\WINDOWS\system32\regsvc.dll
21:59:09.0755 4652 RemoteRegistry - ok
21:59:09.0786 4652 rimmptsk (7a6648b61661b1421ffab762e391e33f) C:\WINDOWS\system32\DRIVERS\rimmptsk.sys
21:59:09.0818 4652 rimmptsk - ok
21:59:09.0849 4652 rimsptsk (d0a35b7670aa3558eaab483f64446496) C:\WINDOWS\system32\DRIVERS\rimsptsk.sys
21:59:09.0880 4652 rimsptsk - ok
21:59:09.0927 4652 rismxdp (3ac17802740c3a4764dc9750e92e6233) C:\WINDOWS\system32\DRIVERS\rixdptsk.sys
21:59:09.0990 4652 rismxdp - ok
21:59:10.0052 4652 RMCAST (96f7a9a7bf0c9c0440a967440065d33c) C:\WINDOWS\system32\drivers\RMCast.sys
21:59:10.0052 4652 RMCAST - ok
21:59:10.0115 4652 RpcLocator (aaed593f84afa419bbae8572af87cf6a) C:\WINDOWS\system32\locator.exe
21:59:10.0130 4652 RpcLocator - ok
21:59:10.0224 4652 RpcSs (6b27a5c03dfb94b4245739065431322c) C:\WINDOWS\System32\rpcss.dll
21:59:10.0224 4652 RpcSs - ok
21:59:10.0302 4652 RSVP (471b3f9741d762abe75e9deea4787e47) C:\WINDOWS\system32\rsvp.exe
21:59:10.0349 4652 RSVP - ok
21:59:10.0396 4652 rtl8139 (d507c1400284176573224903819ffda3) C:\WINDOWS\system32\DRIVERS\RTL8139.SYS
21:59:10.0427 4652 rtl8139 - ok
21:59:10.0490 4652 SamSs (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
21:59:10.0490 4652 SamSs - ok
21:59:10.0536 4652 sbp2port (b244960e5a1db8e9d5d17086de37c1e4) C:\WINDOWS\system32\DRIVERS\sbp2port.sys
21:59:10.0536 4652 sbp2port - ok
21:59:10.0693 4652 SCardSvr (86d007e7a654b9a71d1d7d856b104353) C:\WINDOWS\System32\SCardSvr.exe
21:59:10.0724 4652 SCardSvr - ok
21:59:10.0786 4652 Schedule (0a9a7365a1ca4319aa7c1d6cd8e4eafa) C:\WINDOWS\system32\schedsvc.dll
21:59:10.0833 4652 Schedule - ok
21:59:10.0880 4652 sdbus (8d04819a3ce51b9eb47e5689b44d43c4) C:\WINDOWS\system32\DRIVERS\sdbus.sys
21:59:10.0911 4652 sdbus - ok
21:59:10.0958 4652 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
21:59:10.0990 4652 Secdrv - ok
21:59:11.0005 4652 seclogon (cbe612e2bb6a10e3563336191eda1250) C:\WINDOWS\System32\seclogon.dll
21:59:11.0036 4652 seclogon - ok
21:59:11.0068 4652 SENS (7fdd5d0684eca8c1f68b4d99d124dcd0) C:\WINDOWS\system32\sens.dll
21:59:11.0068 4652 SENS - ok
21:59:11.0083 4652 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\drivers\Serial.sys
21:59:11.0083 4652 Serial - ok
21:59:11.0161 4652 sffdisk (0fa803c64df0914b41f807ea276bf2a6) C:\WINDOWS\system32\DRIVERS\sffdisk.sys
21:59:11.0193 4652 sffdisk - ok
21:59:11.0224 4652 sffp_sd (c17c331e435ed8737525c86a7557b3ac) C:\WINDOWS\system32\DRIVERS\sffp_sd.sys
21:59:11.0255 4652 sffp_sd - ok
21:59:11.0286 4652 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
21:59:11.0286 4652 Sfloppy - ok
21:59:11.0380 4652 SharedAccess (83f41d0d89645d7235c051ab1d9523ac) C:\WINDOWS\System32\ipnathlp.dll
21:59:11.0411 4652 SharedAccess - ok
21:59:11.0474 4652 ShellHWDetection (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll
21:59:11.0490 4652 ShellHWDetection - ok
21:59:11.0490 4652 Simbad - ok
21:59:11.0568 4652 sisagp (6b33d0ebd30db32e27d1d78fe946a754) C:\WINDOWS\system32\DRIVERS\sisagp.sys
21:59:11.0646 4652 sisagp - ok
21:59:12.0099 4652 Skype C2C Service (0f97e7a47a52f4a36969f0fc319654c2) C:\Documents and Settings\All Users\Application Data\Skype\Toolbars\Skype C2C Service\c2c_service.exe
21:59:12.0443 4652 Skype C2C Service - ok
21:59:12.0630 4652 SkypeUpdate (f07af60b152221472fbdb2fecec4896d) C:\Program Files\Skype\Updater\Updater.exe
21:59:12.0630 4652 SkypeUpdate - ok
21:59:12.0896 4652 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
21:59:12.0927 4652 SLIP - ok
21:59:12.0974 4652 SNP2UVC (fac7b89330e20713950925050c91cd04) C:\WINDOWS\system32\DRIVERS\snp2uvc.sys
21:59:13.0021 4652 SNP2UVC - ok
21:59:13.0068 4652 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys
21:59:13.0099 4652 Sparrow - ok
21:59:13.0146 4652 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
21:59:13.0161 4652 splitter - ok
21:59:13.0224 4652 Spooler (60784f891563fb1b767f70117fc2428f) C:\WINDOWS\system32\spoolsv.exe
21:59:13.0224 4652 Spooler - ok
21:59:13.0255 4652 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
21:59:13.0255 4652 sr - ok
21:59:13.0318 4652 srservice (3805df0ac4296a34ba4bf93b346cc378) C:\WINDOWS\system32\srsvc.dll
21:59:13.0380 4652 srservice - ok
21:59:13.0458 4652 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
21:59:13.0474 4652 Srv - ok
21:59:13.0521 4652 sscebus (b2063ce662af3ab20045121a5b716df6) C:\WINDOWS\system32\DRIVERS\sscebus.sys
21:59:13.0536 4652 sscebus - ok
21:59:13.0583 4652 sscemdfl (66799dc0afe3dcaf8368cae17394a762) C:\WINDOWS\system32\DRIVERS\sscemdfl.sys
21:59:13.0630 4652 sscemdfl - ok
21:59:13.0661 4652 sscemdm (cbf03ffc08f8db547bab2f79aa663d16) C:\WINDOWS\system32\DRIVERS\sscemdm.sys
21:59:13.0708 4652 sscemdm - ok
21:59:13.0755 4652 SSDPSRV (0a5679b3714edab99e357057ee88fca6) C:\WINDOWS\System32\ssdpsrv.dll
21:59:13.0802 4652 SSDPSRV - ok
21:59:13.0865 4652 ssmdrv (a36ee93698802cd899f98bfd553d8185) C:\WINDOWS\system32\DRIVERS\ssmdrv.sys
21:59:13.0911 4652 ssmdrv - ok
21:59:13.0974 4652 stisvc (8bad69cbac032d4bbacfce0306174c30) C:\WINDOWS\system32\wiaservc.dll
21:59:14.0052 4652 stisvc - ok
21:59:14.0099 4652 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
21:59:14.0146 4652 streamip - ok
21:59:14.0177 4652 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
21:59:14.0193 4652 swenum - ok
21:59:14.0240 4652 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
21:59:14.0271 4652 swmidi - ok
21:59:14.0271 4652 SwPrv - ok
21:59:14.0318 4652 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys
21:59:14.0349 4652 symc810 - ok
21:59:14.0396 4652 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys
21:59:14.0427 4652 symc8xx - ok
21:59:14.0474 4652 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys
21:59:14.0474 4652 sym_hi - ok
21:59:14.0521 4652 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys
21:59:14.0568 4652 sym_u3 - ok
21:59:14.0630 4652 SynTP (d7b9ad3abd0f7f9f694d71f38b5c7b72) C:\WINDOWS\system32\DRIVERS\SynTP.sys
21:59:14.0661 4652 SynTP - ok
21:59:14.0708 4652 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
21:59:14.0740 4652 sysaudio - ok
21:59:14.0802 4652 SysmonLog (c7abbc59b43274b1109df6b24d617051) C:\WINDOWS\system32\smlogsvc.exe
21:59:14.0818 4652 SysmonLog - ok
21:59:14.0880 4652 tandpl (126d7b3b4c7b724491c604060e1f4e14) C:\WINDOWS\system32\drivers\tandpl.sys
21:59:14.0911 4652 tandpl - ok
21:59:14.0974 4652 TapiSrv (3cb78c17bb664637787c9a1c98f79c38) C:\WINDOWS\System32\tapisrv.dll
21:59:15.0021 4652 TapiSrv - ok
21:59:15.0099 4652 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
21:59:15.0130 4652 Tcpip - ok
21:59:15.0193 4652 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
21:59:15.0240 4652 TDPIPE - ok
21:59:15.0286 4652 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
21:59:15.0318 4652 TDTCP - ok
21:59:15.0349 4652 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
21:59:15.0365 4652 TermDD - ok
21:59:15.0443 4652 TermService (ff3477c03be7201c294c35f684b3479f) C:\WINDOWS\System32\termsrv.dll
21:59:15.0521 4652 TermService - ok
21:59:15.0583 4652 Themes (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll
21:59:15.0599 4652 Themes - ok
21:59:15.0630 4652 TlntSvr (db7205804759ff62c34e3efd8a4cc76a) C:\WINDOWS\system32\tlntsvr.exe
21:59:15.0661 4652 TlntSvr - ok
21:59:15.0724 4652 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\system32\DRIVERS\toside.sys
21:59:15.0755 4652 TosIde - ok
21:59:15.0818 4652 TrkWks (55bca12f7f523d35ca3cb833c725f54e) C:\WINDOWS\system32\trkwks.dll
21:59:15.0849 4652 TrkWks - ok
21:59:15.0896 4652 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
21:59:15.0943 4652 Udfs - ok
21:59:15.0958 4652 UIUSys - ok
21:59:16.0005 4652 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys
21:59:16.0068 4652 ultra - ok
21:59:16.0146 4652 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
21:59:16.0208 4652 Update - ok
21:59:16.0286 4652 upnphost (1ebafeb9a3fbdc41b8d9c7f0f687ad91) C:\WINDOWS\System32\upnphost.dll
21:59:16.0333 4652 upnphost - ok
21:59:16.0365 4652 UPS (05365fb38fca1e98f7a566aaaf5d1815) C:\WINDOWS\System32\ups.exe
21:59:16.0396 4652 UPS - ok
21:59:16.0443 4652 USBAAPL (c1ca131f4e3ed63d6bc89a35ffad4cda) C:\WINDOWS\system32\Drivers\usbaapl.sys
21:59:16.0474 4652 USBAAPL - ok
21:59:16.0521 4652 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
21:59:16.0536 4652 usbccgp - ok
21:59:16.0568 4652 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
21:59:16.0615 4652 usbehci - ok
21:59:16.0661 4652 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
21:59:16.0693 4652 usbhub - ok
21:59:16.0724 4652 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
21:59:16.0771 4652 usbprint - ok
21:59:16.0833 4652 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
21:59:16.0865 4652 usbscan - ok
21:59:16.0911 4652 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
21:59:16.0927 4652 USBSTOR - ok
21:59:16.0974 4652 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
21:59:17.0036 4652 usbuhci - ok
21:59:17.0068 4652 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
21:59:17.0099 4652 VgaSave - ok
21:59:17.0146 4652 viaagp (754292ce5848b3738281b4f3607eaef4) C:\WINDOWS\system32\DRIVERS\viaagp.sys
21:59:17.0177 4652 viaagp - ok
21:59:17.0208 4652 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
21:59:17.0208 4652 ViaIde - ok
21:59:17.0224 4652 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
21:59:17.0224 4652 VolSnap - ok
21:59:17.0318 4652 VSS (7a9db3a67c333bf0bd42e42b8596854b) C:\WINDOWS\System32\vssvc.exe
21:59:17.0333 4652 VSS - ok
21:59:17.0380 4652 W32Time (54af4b1d5459500ef0937f6d33b1914f) C:\WINDOWS\system32\w32time.dll
21:59:17.0380 4652 W32Time - ok
21:59:17.0630 4652 w39n51 (c79918a5bd269035f3a34d157401b9df) C:\WINDOWS\system32\DRIVERS\w39n51.sys
21:59:17.0724 4652 w39n51 - ok
21:59:18.0021 4652 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
21:59:18.0052 4652 Wanarp - ok
21:59:18.0146 4652 Wdf01000 (bbcfeab7e871cddac2d397ee7fa91fdc) C:\WINDOWS\system32\DRIVERS\Wdf01000.sys
21:59:18.0286 4652 Wdf01000 - ok
21:59:18.0286 4652 WDICA - ok
21:59:18.0333 4652 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
21:59:18.0365 4652 wdmaud - ok
21:59:18.0427 4652 WebClient (77a354e28153ad2d5e120a5a8687bc06) C:\WINDOWS\System32\webclnt.dll
21:59:18.0443 4652 WebClient - ok
21:59:18.0583 4652 winachsf (7fe372b1ab60736cc67e8eb6f1fb1f5b) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
21:59:18.0724 4652 winachsf - ok
21:59:18.0849 4652 winmgmt (2d0e4ed081963804ccc196a0929275b5) C:\WINDOWS\system32\wbem\WMIsvc.dll
21:59:18.0911 4652 winmgmt - ok
21:59:19.0161 4652 WMConnectCDS (cd99c9feae87c1963273f6b150251e33) C:\Program Files\Windows Media Connect 2\wmccds.exe
21:59:19.0240 4652 WMConnectCDS - ok
21:59:19.0286 4652 WmdmPmSN (c51b4a5c05a5475708e3c81c7765b71d) C:\WINDOWS\system32\MsPMSNSv.dll
21:59:19.0349 4652 WmdmPmSN - ok
21:59:19.0458 4652 Wmi (e76f8807070ed04e7408a86d6d3a6137) C:\WINDOWS\System32\advapi32.dll
21:59:19.0521 4652 Wmi - ok
21:59:19.0630 4652 WmiAcpi (c42584fd66ce9e17403aebca199f7bdb) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
21:59:19.0630 4652 WmiAcpi - ok
21:59:19.0755 4652 WmiApSrv (e0673f1106e62a68d2257e376079f821) C:\WINDOWS\system32\wbem\wmiapsrv.exe
21:59:19.0786 4652 WmiApSrv - ok
21:59:19.0818 4652 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\DRIVERS\wpdusb.sys
21:59:19.0865 4652 WpdUsb - ok
21:59:20.0193 4652 WPFFontCache_v0400 (dcf3e3edf5109ee8bc02fe6e1f045795) C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe
21:59:20.0286 4652 WPFFontCache_v0400 - ok
21:59:20.0380 4652 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
21:59:20.0411 4652 WS2IFSL - ok
21:59:20.0458 4652 wscsvc (7c278e6408d1dce642230c0585a854d5) C:\WINDOWS\system32\wscsvc.dll
21:59:20.0521 4652 wscsvc - ok
21:59:20.0552 4652 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
21:59:20.0552 4652 WSTCODEC - ok
21:59:20.0583 4652 wuauserv (35321fb577cdc98ce3eb3a3eb9e4610a) C:\WINDOWS\system32\wuauserv.dll
21:59:20.0599 4652 wuauserv - ok
21:59:20.0661 4652 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
21:59:20.0661 4652 WudfPf - ok
21:59:20.0708 4652 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
21:59:20.0740 4652 WudfRd - ok
21:59:20.0771 4652 WudfSvc (05231c04253c5bc30b26cbaae680ed89) C:\WINDOWS\System32\WUDFSvc.dll
21:59:20.0802 4652 WudfSvc - ok
21:59:20.0896 4652 WZCSVC (81dc3f549f44b1c1fff022dec9ecf30b) C:\WINDOWS\System32\wzcsvc.dll
21:59:20.0943 4652 WZCSVC - ok
21:59:21.0005 4652 xmasbus (ddd8286b88fe764ad2a8bd171e7b569a) C:\WINDOWS\system32\DRIVERS\xmasbus.sys
21:59:21.0052 4652 xmasbus - ok
21:59:21.0115 4652 xmasscsi (4059ad5e639fa47e334304cbe82e9572) C:\WINDOWS\System32\Drivers\xmasscsi.sys
21:59:21.0146 4652 xmasscsi - ok
21:59:21.0193 4652 xmlprov (295d21f14c335b53cb8154e5b1f892b9) C:\WINDOWS\System32\xmlprov.dll
21:59:21.0240 4652 xmlprov - ok
21:59:21.0302 4652 xusb21 (09e5340bd9b2cb730bf4dc6be7721291) C:\WINDOWS\system32\DRIVERS\xusb21.sys
21:59:21.0333 4652 xusb21 - ok
21:59:21.0380 4652 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
21:59:21.0990 4652 \Device\Harddisk0\DR0 - ok
21:59:21.0990 4652 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk1\DR1
21:59:21.0990 4652 \Device\Harddisk1\DR1 - ok
21:59:22.0005 4652 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk2\DR5
21:59:22.0005 4652 \Device\Harddisk2\DR5 - ok
21:59:22.0005 4652 Boot (0x1200) (753de2ef9a81b1eb402f59f5481cebf4) \Device\Harddisk0\DR0\Partition0
21:59:22.0005 4652 \Device\Harddisk0\DR0\Partition0 - ok
21:59:22.0021 4652 Boot (0x1200) (3b59c194a51bc13f2aeeeca7042e37e5) \Device\Harddisk1\DR1\Partition0
21:59:22.0021 4652 \Device\Harddisk1\DR1\Partition0 - ok
21:59:22.0021 4652 Boot (0x1200) (aba4abbbba63dedaf4f2a967e1d5a9b0) \Device\Harddisk2\DR5\Partition0
21:59:22.0021 4652 \Device\Harddisk2\DR5\Partition0 - ok
21:59:22.0021 4652 ============================================================
21:59:22.0021 4652 Scan finished
21:59:22.0021 4652 ============================================================
21:59:22.0036 4668 Detected object count: 0
21:59:22.0036 4668 Actual detected object count: 0

...and here's the results from aswMBR:

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-08-08 22:15:14
-----------------------------
22:15:14.755 OS Version: Windows 5.1.2600 Service Pack 3
22:15:14.755 Number of processors: 2 586 0xF06
22:15:14.755 ComputerName: TRISKELION UserName: Gary
22:15:15.740 Initialize success
22:23:14.411 AVAST engine defs: 12080801
22:24:37.443 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
22:24:37.443 Disk 0 Vendor: FUJITSU_ 892C Size: 95396MB BusType: 3
22:24:37.458 Disk 1 \Device\Harddisk1\DR1 -> \Device\Ide\IAAStorageDevice-1
22:24:37.458 Disk 1 Vendor: FUJITSU_ 892C Size: 95396MB BusType: 3
22:24:37.490 Disk 0 MBR read successfully
22:24:37.505 Disk 0 MBR scan
22:24:37.646 Disk 0 Windows XP default MBR code
22:24:37.646 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 94366 MB offset 63
22:24:37.724 Disk 0 Partition 2 00 D7 NTFS 1027 MB offset 193262013
22:24:37.771 Disk 0 scanning sectors +195366465
22:24:37.896 Disk 0 scanning C:\WINDOWS\system32\drivers
22:25:07.333 Service scanning
22:25:43.943 Modules scanning
22:25:54.021 Disk 0 trace - called modules:
22:25:54.083 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll iaStor.sys
22:25:54.099 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x83ee59c0]
22:25:54.115 3 CLASSPNP.SYS[f75c3fd7] -> nt!IofCallDriver -> \Device\00000090[0x83ee7a18]
22:25:54.130 5 ACPI.sys[f743a620] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-0[0x839f2030]
22:25:55.005 AVAST engine scan C:\WINDOWS
22:26:10.677 AVAST engine scan C:\WINDOWS\system32
22:33:27.396 AVAST engine scan C:\WINDOWS\system32\drivers
22:33:51.255 AVAST engine scan C:\Documents and Settings\Gary
23:07:37.865 AVAST engine scan C:\Documents and Settings\All Users
23:09:40.865 Scan finished successfully
23:19:12.583 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Gary\Desktop\MBR.dat"
23:19:12.599 The log file has been saved successfully to "C:\Documents and Settings\Gary\Desktop\aswMBR.txt"
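A small triage helper for the TDSSKiller log quoted above, added here as an example (it is not part of the thread and not TDSSKiller's own code): it parses the "name (md5) path" / "name - verdict" pairs, the MBR and Boot lines and the "Detected object count" summary, then lists every object whose verdict is not "ok" and checks that count against the summary. The sample lines are constructed in the same layout as the log above; the "fakedrv" entry and its verdict text are made up to exercise the non-ok path and are not real TDSSKiller output.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample in the layout of the TDSSKiller log above. The Tcpip and MBR
# lines are copied from the log; "fakedrv" and its verdict are invented (assumption).
SAMPLE_LOG = r"""21:59:15.0099 4652 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
21:59:15.0130 4652 Tcpip - ok
21:59:15.0958 4652 UIUSys - ok
21:59:16.0443 4652 fakedrv (00000000000000000000000000000000) C:\WINDOWS\system32\DRIVERS\fakedrv.sys
21:59:16.0474 4652 fakedrv - suspicious (constructed)
21:59:21.0380 4652 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
21:59:21.0990 4652 \Device\Harddisk0\DR0 - ok
21:59:22.0036 4668 Detected object count: 1
"""

# Every line starts with a timestamp and a thread id; the rest is the message.
LINE_RE = re.compile(r"^(\d\d:\d\d:\d\d\.\d+)\s+(\d+)\s+(.*)$")
# "name (md5) path" for drivers/services, or "MBR (0x1B8) (md5) \Device\..." for boot areas.
OBJECT_RE = re.compile(r"^(\S+)(?: \((0x[0-9A-Fa-f]+)\))? \(([0-9a-f]{32})\) (.+)$")
# "name - ok", "\Device\Harddisk0\DR0 - ok", or any other verdict after " - ".
STATUS_RE = re.compile(r"^(.+?) - (.+)$")
SUMMARY_RE = re.compile(r"^Detected object count: (\d+)$")


@dataclass
class ScanEntry:
    name: str
    md5: Optional[str]      # None for services with no image file (e.g. "SwPrv - ok")
    path: Optional[str]
    status: Optional[str]   # None if the log ended before a verdict was printed


def parse_tdsskiller(text: str) -> Tuple[List[ScanEntry], Optional[int]]:
    """Return the scanned objects in log order plus the summary's detected count."""
    entries: List[ScanEntry] = []
    pending: Optional[ScanEntry] = None   # object line seen, verdict not yet seen
    detected: Optional[int] = None
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                       # separators, "Scan finished", etc.
        msg = m.group(3)
        s = SUMMARY_RE.match(msg)          # anchored, so "Actual detected ..." is skipped
        if s:
            detected = int(s.group(1))
            continue
        o = OBJECT_RE.match(msg)
        if o:
            pending = ScanEntry(name=o.group(1), md5=o.group(3), path=o.group(4), status=None)
            entries.append(pending)
            continue
        st = STATUS_RE.match(msg)
        if st:
            subject, verdict = st.group(1), st.group(2).strip()
            # Driver verdicts repeat the name; MBR/Boot verdicts repeat the device path.
            if pending is not None and subject in (pending.name, pending.path):
                pending.status = verdict
                pending = None
            else:
                # Verdict with no preceding object line: a service with no file on disk.
                entries.append(ScanEntry(name=subject, md5=None, path=None, status=verdict))
    return entries, detected


def triage(entries: List[ScanEntry], detected: Optional[int]) -> Dict[str, object]:
    """List every object that did not get a plain 'ok' and compare with the summary."""
    flagged = [e for e in entries if e.status != "ok"]
    # If the summary count and the number of non-ok verdicts disagree, the log is
    # truncated or contains a verdict wording this parser has not seen: look closer.
    consistent = detected is not None and detected == len(flagged)
    return {"total": len(entries), "flagged": [e.name for e in flagged],
            "detected_count": detected, "summary_consistent": consistent}


if __name__ == "__main__":
    ents, det = parse_tdsskiller(SAMPLE_LOG)
    for e in ents:
        print(f"{e.name:12} {(e.status or '<no verdict>'):26} {e.md5 or '-':32} {e.path or ''}")
    print(triage(ents, det))
```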

#6 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:05:04 AM

Posted 09 August 2012 - 08:13 AM

Greetings antipode56

At this time I would like you to run this script for me and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

Folder::
c:\program files\FreeOnlineRadioPlayerRecorder

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." Please restart the computer

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#7 antipode56

antipode56
  • Topic Starter

  • Members
  • 17 posts
  • Local time:01:04 AM

Posted 09 August 2012 - 01:23 PM

Excellent, looks like Combofix cleared out a few extra things there. Again though, I'm left wondering about those four trojans found by Avira after running Combofix for the first time (I listed those in my second post in this thread). Are those a non-issue and are false detections, or just some dormant thing related to the rootkit? They were quarantined by Avira this time, but I'm fairly certain I've quarantined Dropper and XPACK.Gen before, only to have them return. Are they legitimate threats or should I not worry?

Anyhow, here's the new Combofix log (it didn't require a reboot this time):



ComboFix 12-08-09.01 - Gary 08/09/2012 11:00:45.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1499 [GMT -7:00]
Running from: c:\documents and settings\Gary\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Gary\Desktop\CFScript.txt
AV: Avira Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\FreeOnlineRadioPlayerRecorder
c:\program files\FreeOnlineRadioPlayerRecorder\FreeOnlineRadioPlayerRecorderToolbarHelper.exe
c:\program files\FreeOnlineRadioPlayerRecorder\FreeOnlineRadioPlayerRecorderToolbarHelper1.exe
c:\program files\FreeOnlineRadioPlayerRecorder\GottenAppsContextMenu.xml
c:\program files\FreeOnlineRadioPlayerRecorder\ldrtbFre0.dll
c:\program files\FreeOnlineRadioPlayerRecorder\ldrtbFre2.dll
c:\program files\FreeOnlineRadioPlayerRecorder\OtherAppsContextMenu.xml
c:\program files\FreeOnlineRadioPlayerRecorder\prxtbFre0.dll
c:\program files\FreeOnlineRadioPlayerRecorder\prxtbFre2.dll
c:\program files\FreeOnlineRadioPlayerRecorder\prxtbFree.dll
c:\program files\FreeOnlineRadioPlayerRecorder\SharedAppsContextMenu.xml
c:\program files\FreeOnlineRadioPlayerRecorder\tbFre0.dll
c:\program files\FreeOnlineRadioPlayerRecorder\tbFre2.dll
c:\program files\FreeOnlineRadioPlayerRecorder\tbFree.dll
c:\program files\FreeOnlineRadioPlayerRecorder\toolbar.cfg
c:\program files\FreeOnlineRadioPlayerRecorder\ToolbarContextMenu.xml
c:\program files\FreeOnlineRadioPlayerRecorder\uninstall.exe
c:\windows\system32\drivers\etc\hosts.ics
.
.
((((((((((((((((((((((((( Files Created from 2012-07-09 to 2012-08-09 )))))))))))))))))))))))))))))))
.
.
2012-08-08 21:12 . 2012-08-08 23:27 -------- d-----w- c:\windows\system32\NtmsData
2012-08-05 19:15 . 2012-08-05 19:15 -------- d-----w- c:\documents and settings\Gary\Application Data\Malwarebytes
2012-08-05 19:15 . 2012-08-05 19:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-08-05 19:15 . 2012-08-05 19:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-08-05 19:15 . 2012-07-03 20:46 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-08-04 23:02 . 2012-08-04 23:02 -------- d-----w- c:\documents and settings\Gary\Application Data\Avira
2012-08-04 23:02 . 2012-07-19 01:05 83392 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2012-08-04 23:02 . 2012-08-04 23:02 -------- d-----w- c:\program files\Avira
2012-08-04 23:02 . 2012-08-04 23:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2012-08-04 22:19 . 2012-08-04 22:28 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
2012-08-04 22:19 . 2012-08-04 22:19 -------- d-----w- c:\program files\AVAST Software
2012-08-04 08:04 . 2012-08-04 08:04 476976 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-08-04 08:02 . 2012-08-04 08:02 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2012-08-03 20:15 . 2012-08-03 20:15 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2012-08-03 05:24 . 2012-08-03 05:24 -------- d-----w- c:\documents and settings\Gary\.explorer.local
2012-08-03 05:24 . 2012-08-03 06:06 -------- d-----w- c:\documents and settings\Gary\.explorer.cache
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-08-04 08:04 . 2010-05-05 03:46 472880 ----a-w- c:\windows\system32\deployJava1.dll
2012-08-04 08:04 . 2007-06-22 20:23 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-07-31 18:02 . 2012-04-02 19:15 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-07-31 18:02 . 2011-05-14 16:33 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-06-13 13:19 . 2006-03-16 04:00 1866112 ----a-w- c:\windows\system32\win32k.sys
2012-06-05 15:50 . 2008-08-19 20:03 1372672 ------w- c:\windows\system32\msxml6.dll
2012-06-05 15:50 . 2006-03-16 04:00 1172480 ----a-w- c:\windows\system32\msxml3.dll
2012-06-04 04:32 . 2006-03-16 04:00 152576 ----a-w- c:\windows\system32\schannel.dll
2012-06-02 22:19 . 2007-04-17 05:44 22040 ----a-w- c:\windows\system32\wucltui.dll.mui
2012-06-02 22:19 . 2007-04-17 05:46 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2012-06-02 22:19 . 2006-03-16 04:00 329240 ----a-w- c:\windows\system32\wucltui.dll
2012-06-02 22:19 . 2006-03-16 04:00 219160 ----a-w- c:\windows\system32\wuaucpl.cpl
2012-06-02 22:19 . 2006-03-16 04:00 210968 ----a-w- c:\windows\system32\wuweb.dll
2012-06-02 22:19 . 2007-04-17 05:46 15384 ----a-w- c:\windows\system32\wuapi.dll.mui
2012-06-02 22:19 . 2007-04-17 05:45 45080 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 22:19 . 2006-03-16 04:00 97304 ----a-w- c:\windows\system32\cdm.dll
2012-06-02 22:19 . 2006-03-16 04:00 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 22:19 . 2006-03-16 04:00 35864 ----a-w- c:\windows\system32\wups.dll
2012-06-02 22:19 . 2007-04-17 05:45 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui
2012-06-02 22:19 . 2006-03-16 04:00 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 22:19 . 2006-03-16 04:00 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-05-31 13:22 . 2006-03-16 04:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2012-05-16 15:08 . 2006-03-16 04:00 916992 ----a-w- c:\windows\system32\wininet.dll
2012-07-18 18:29 . 2011-08-28 01:12 136672 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2012-08-08_20.48.59 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-08-09 17:44 . 2012-08-09 17:44 16384 c:\windows\temp\Perflib_Perfdata_164.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2008-01-17 00:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2008-01-17 00:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2008-01-17 00:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2008-01-17 00:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2008-01-17 00:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2008-01-17 00:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2008-01-17 00:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2008-01-17 00:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2008-01-17 00:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoftAuto.exe"="c:\program files\Creative\Software Update 3\SoftAuto.exe" [2008-05-28 401408]
"F.lux"="c:\documents and settings\Gary\Local Settings\Apps\F.lux\flux.exe" [2009-08-29 966656]
"Aim"="c:\program files\AIM7\aim.exe" [2012-02-29 4321112]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"hpWirelessAssistant"="c:\program files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-05-04 458752]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-01-30 13594624]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-01-30 86016]
"nwiz"="nwiz.exe" [2009-01-30 1657376]
"MsmqIntCert"="mqrt.dll" [2008-04-14 177152]
"High Definition Audio Property Page Shortcut"="CHDAudPropShortcut.exe" [2006-06-02 61952]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-12-07 1024000]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 81920]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-06-19 163840]
"Cpqset"="c:\program files\Hewlett-Packard\Default Settings\cpqset.exe" [2006-06-19 40960]
"DeadAIM"="c:\progra~1\AIM\\DeadAIM.ocm" [2004-04-11 144896]
"StxTrayMenu"="c:\program files\Seagate\SystemTray\StxMenuMgr.exe" [2007-01-18 190008]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-11-07 111936]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2006-03-15 44032]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"XboxStat"="c:\program files\Microsoft Xbox 360 Accessories\XboxStat.exe" [2009-10-01 718688]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-09-19 198160]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2012-07-19 348664]
.
c:\windows\system32\config\systemprofile\Start Menu\Programs\Startup\
Vongo Tray.lnk - c:\program files\Vongo\Tray.exe [N/A]
.
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Vongo Tray.lnk - c:\program files\Vongo\Tray.exe [N/A]
.
c:\documents and settings\Gary\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Pavilion Webcam Tray Icon.lnk - c:\program files\Hewlett-Packard\HP Pavilion Webcam\HPWebcam.exe [2007-6-22 102400]
.
c:\documents and settings\Default User\Start Menu\Programs\Startup\
Vongo Tray.lnk - c:\program files\Vongo\Tray.exe [N/A]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2008-11-12 08:28 133104 ----atw- c:\documents and settings\Gary\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 18:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QPService]
2006-07-19 22:14 102400 ----a-w- c:\program files\HP\QuickPlay\QPService.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-19 05:16 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RecGuard]
2005-10-11 17:23 1187840 ----a-w- c:\windows\SMINST\Recguard.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2009-09-19 00:51 198160 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\Gary\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [1/12/2012 1:36 PM 36000]
R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [8/4/2012 4:02 PM 86224]
S2 Skype C2C Service;Skype C2C Service;c:\documents and settings\All Users\Application Data\Skype\Toolbars\Skype C2C Service\c2c_service.exe [7/5/2012 6:41 PM 3048136]
S2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [7/13/2012 1:28 PM 160944]
S3 5U870CAP_VID_1262&PID_25FD;HP Pavilion Webcam ;c:\windows\system32\drivers\5U870CAP.sys [6/6/2006 1:39 PM 61952]
S3 CFcatchme;CFcatchme;\??\c:\combofix\CFcatchme.sys --> c:\combofix\CFcatchme.sys [?]
S3 CTUPnPSv;Creative Centrale Media Server;c:\program files\Creative\Creative Centrale\CTUPnPSv.exe [5/21/2008 4:42 AM 64000]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [7/2/2011 7:34 PM 13192]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [7/2/2011 7:34 PM 8456]
S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [8/18/2010 7:37 PM 36608]
S3 iComp;HP Analog TV Tuner;c:\windows\system32\drivers\p2usbwdm.sys [3/17/2006 4:34 PM 1544704]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [8/10/2007 2:41 PM 17920]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [8/10/2007 2:41 PM 7680]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [8/10/2007 2:41 PM 42112]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [4/25/2012 2:53 PM 113120]
S3 sscebus;SAMSUNG USB Composite Device V2 driver (WDM);c:\windows\system32\drivers\sscebus.sys [8/18/2010 7:37 PM 98560]
S3 sscemdfl;SAMSUNG Mobile Modem V2 Filter;c:\windows\system32\drivers\sscemdfl.sys [8/18/2010 7:37 PM 14848]
S3 sscemdm;SAMSUNG Mobile Modem V2 Drivers;c:\windows\system32\drivers\sscemdm.sys [8/18/2010 7:37 PM 123648]
S4 xmasbus;xmasbus;c:\windows\system32\drivers\xmasbus.sys [6/22/2007 3:16 PM 140800]
S4 xmasscsi;xmasscsi;c:\windows\system32\drivers\xmasscsi.sys [6/22/2007 3:16 PM 5248]
.
Contents of the 'Scheduled Tasks' folder
.
2012-08-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2267045550-1316354526-338541988-1005Core.job
- c:\documents and settings\Gary\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-11-12 08:28]
.
2012-08-09 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2267045550-1316354526-338541988-1005UA.job
- c:\documents and settings\Gary\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-11-12 08:28]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://www.hp.com/go/notebookaccessories
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.2.1
FF - ProfilePath - c:\documents and settings\Gary\Application Data\Mozilla\Firefox\Profiles\6z280lyq.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false);user_pref(network.protocol-handler.warn-external.dnupdate, false
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{f999a48b-1950-4d81-9971-79018f807b4b} - c:\program files\FreeOnlineRadioPlayerRecorder\prxtbFre2.dll
BHO-{f999a48b-1950-4d81-9971-79018f807b4b} - c:\program files\FreeOnlineRadioPlayerRecorder\prxtbFre2.dll
Toolbar-{f999a48b-1950-4d81-9971-79018f807b4b} - c:\program files\FreeOnlineRadioPlayerRecorder\prxtbFre2.dll
WebBrowser-{F999A48B-1950-4D81-9971-79018F807B4B} - c:\program files\FreeOnlineRadioPlayerRecorder\prxtbFre2.dll
AddRemove-FreeOnlineRadioPlayerRecorder Toolbar - c:\program files\FreeOnlineRadioPlayerRecorder\uninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-08-09 11:08
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\Hewlett-Packard\Default Settings\cpqset.exe????????????L?@? ????R??????`?@?????L?@
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Completion time: 2012-08-09 11:10:27
ComboFix-quarantined-files.txt 2012-08-09 18:10
ComboFix2.txt 2012-08-08 20:58
.
Pre-Run: 5,192,945,664 bytes free
Post-Run: 5,300,424,704 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
.
- - End Of File - - BE3AF9B6B8F044C232ED39C2AE4A5108

Edited by antipode56, 09 August 2012 - 01:26 PM.


#8 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 09 August 2012 - 02:08 PM

Hello

Everything in that scan was in the ComboFix backup folder and System Restore.

I would like to see a report that combofix makes.

extra combofix report

  • push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
  • please copy and paste the following into the box
C:\Qoobox\Add-Remove Programs.txt
  • click ok

copy and paste the report into this topic for me to review

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#9 antipode56
  • Topic Starter

  • Members
  • 17 posts

Posted 09 August 2012 - 02:40 PM

Hah, wow, I'll have to do some cleanup - there's quite a bit here I didn't even know I had.


µTorrent
7-Zip 9.10 beta
Adobe AIR
Adobe Bridge 1.0
Adobe Common File Installer
Adobe Flash Player 10 ActiveX
Adobe Flash Player 11 Plugin
Adobe Help Center 1.0
Adobe Illustrator CS2
Adobe Photoshop CS2
Adobe Reader X (10.1.2)
Adobe Shockwave Player 11.5
Adobe Stock Photos 1.0
Adobe SVG Viewer 3.0
AIM 7
Alcohol 120% (Trial Version)
AOL Instant Messenger
Apple Application Support
Apple Mobile Device Support
Apple Software Update
ASIO4ALL
Audacity 1.2.6
Avira Free Antivirus
balldroppings
Batch PPTX to PPT Converter 2009
Battlezone
Bonjour
calibre
CCleaner
CDex - Open Source Digital Audio CD Extractor
CDisplay 1.8
Chipamp
Compatibility Pack for the 2007 Office system
Conexant HD Audio
Coupon Printer for Windows
CourseSmart Bookshelf
Creative Centrale
Creative Removable Disk Manager
Creative Software Update
Creative ZEN Mozaic User's Guide
Customer Experience Enhancement
DC++ 0.782
DeadAIM
Destinations
DeviceManagementQFolder
DivX Content Uploader
DivX Web Player
doPDF 7.2 printer
Download Updater (AOL LLC)
Drumaxx
DX10
EASEUS Partition Master 8.0.1 Home Edition
Easy Internet Sign-up
Edison
EPSON Printer Software
F.lux
Far Cry (Patch 1.3)
FileZilla Client 3.0.4.1
FirstClass® Client
FL Studio 10
FL Studio v7.0
Free MP3 WMA OGG Converter 8.2.5
FreeAgent Pro Tools
FreeOnlineRadioPlayerRecorder Toolbar
GCFScape 1.6.6
GoldWave v5.08
Google Talk Plugin
Gravioli
GTK+ Runtime 2.12.1 rev b (remove only)
Halo 2 for Windows Vista
Halo 2 for Windows XP [by RoboMASTER]
Halo CE Cracked Setup
Hamachi 1.0.2.1
HammerHead Rhythm Station
Hardcore
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB2570791)
Hotfix for Windows XP (KB2633952)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
HP Help and Support
HP Imaging Device Functions 6.0
HP Pavilion Webcam
HP Pavilion Webcam Demo
HP Product Detection
HP Quick Launch Buttons 6.10 A2
HP QuickPlay 2.3
HP Update
HP User Guides 0036
HP Wireless Assistant 2.00 G2
HpSdpAppCoreApp
Hydrogen
IL Autogun
IL Download Manager
IL Harmless
IL Harmor
IL Juice Pack
IL Ogun
IL Slicex
IL Vocodex
ImgBurn
IMSI Applications
Intel® PRO Network Connections Drivers
ips XP 1.11.2600
iTunes
J2SE Runtime Environment 5.0 Update 6
Java Auto Updater
Java™ 6 Update 2
Java™ 6 Update 3
Java™ 6 Update 33
Java™ 6 Update 5
Java™ SE Runtime Environment 6 Update 1
JDownloader
K-Lite Codec Pack 3.2.0 Full
Last.fm 1.5.4.27091
LightScribe 1.4.97.1
LIMBO
LIVE gaming on Windows Runtime Version 1.0.6027
LucasArts' The Phantom Menace
Macromedia Dreamweaver MX 2004
Macromedia Extension Manager
Macromedia Flash MX 2004
Macromedia Shockwave Player
Malwarebytes Anti-Malware version 1.62.0.1300
Maximus
Media Player Classic - Home Cinema v1.5.2.3456
Melodyne 3.2
Microsoft .NET Framework 1.0 Hotfix (KB2572066)
Microsoft .NET Framework 1.0 Hotfix (KB2604042)
Microsoft .NET Framework 1.0 Hotfix (KB2656378)
Microsoft .NET Framework 1.0 Hotfix (KB953295)
Microsoft .NET Framework 1.0 Hotfix (KB979904)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2656353)
Microsoft .NET Framework 1.1 Security Update (KB2656370)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft Game Studios Common Redistributables Pack 1
Microsoft Halo
Microsoft Halo Custom Edition
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
Microsoft WorldWide Telescope
Microsoft Xbox 360 Accessories 1.2
Microsoft XML Parser
Microsoft XNA Framework Redistributable 3.1
Microsoft XNA Framework Redistributable 4.0
MobileMe Control Panel
Morphine
Motorola Driver Installation
Mozilla Firefox 14.0.1 (x86 en-US)
Mozilla Maintenance Service
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP2 Parser and SDK
Multimedia Fusion 2
muvee autoProducer 5.0
MyDefrag v4.3.1
Native Instruments Absynth 4
Native Instruments FM8 v1.0.1.002 VSTi DXi RTAS
Native Instruments Kontakt 3
Native Instruments Kontakt 5
Native Instruments Massive v1.0.1.008 VSTi DXi RTAS
Native Instruments Service Center
Native.Instruments Battery v3.0.1.005 VSTi DXi RTAS
Nero 6 Ultra Edition
NetWaiting
Network Slime Client
Network Slime Server
Network Stumbler 0.4.0 (remove only)
NVIDIA Drivers
NVIDIA PhysX
Office 2003 Trial Assistant
OrganizeME v1.0
Otto
Ovine Rubber Transition
Pidgin
PoiZone
Prey
Project64 1.6
QuickTime
Real Alternative 1.9.0
RealPlayer
Reason 3.0
Renoise 1.8.0
ReValver Mk IIIdotV
RGSS-RTP Standard
Rocket Jockey v1.0
SAMSUNG USB Driver for Mobile Phones
Sawer
SBaGen 1.4.4
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft Windows (KB2564958)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB2183461)
Security Update for Windows Internet Explorer 7 (KB2360131)
Security Update for Windows Internet Explorer 7 (KB2416400)
Security Update for Windows Internet Explorer 7 (KB2482017)
Security Update for Windows Internet Explorer 7 (KB2497640)
Security Update for Windows Internet Explorer 7 (KB2530548)
Security Update for Windows Internet Explorer 7 (KB2544521)
Security Update for Windows Internet Explorer 7 (KB2559049)
Security Update for Windows Internet Explorer 7 (KB2586448)
Security Update for Windows Internet Explorer 7 (KB2618444)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Internet Explorer 7 (KB978207)
Security Update for Windows Internet Explorer 7 (KB982381)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2618444)
Security Update for Windows Internet Explorer 8 (KB2647516)
Security Update for Windows Internet Explorer 8 (KB2675157)
Security Update for Windows Internet Explorer 8 (KB2699988)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2503665)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2510581)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276-v2)
Security Update for Windows XP (KB2536276)
Security Update for Windows XP (KB2544893-v2)
Security Update for Windows XP (KB2544893)
Security Update for Windows XP (KB2555917)
Security Update for Windows XP (KB2562937)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2567053)
Security Update for Windows XP (KB2567680)
Security Update for Windows XP (KB2570222)
Security Update for Windows XP (KB2570947)
Security Update for Windows XP (KB2584146)
Security Update for Windows XP (KB2585542)
Security Update for Windows XP (KB2592799)
Security Update for Windows XP (KB2598479)
Security Update for Windows XP (KB2603381)
Security Update for Windows XP (KB2618451)
Security Update for Windows XP (KB2620712)
Security Update for Windows XP (KB2621440)
Security Update for Windows XP (KB2624667)
Security Update for Windows XP (KB2631813)
Security Update for Windows XP (KB2633171)
Security Update for Windows XP (KB2639417)
Security Update for Windows XP (KB2641653)
Security Update for Windows XP (KB2646524)
Security Update for Windows XP (KB2647518)
Security Update for Windows XP (KB2653956)
Security Update for Windows XP (KB2655992)
Security Update for Windows XP (KB2659262)
Security Update for Windows XP (KB2660465)
Security Update for Windows XP (KB2661637)
Security Update for Windows XP (KB2676562)
Security Update for Windows XP (KB2685939)
Security Update for Windows XP (KB2686509)
Security Update for Windows XP (KB2691442)
Security Update for Windows XP (KB2695962)
Security Update for Windows XP (KB2698365)
Security Update for Windows XP (KB2707511)
Security Update for Windows XP (KB2709162)
Security Update for Windows XP (KB2718523)
Security Update for Windows XP (KB2719985)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981349)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
sfArk
SFPack
Sibelius 5
SimSynth
skiStunt
Skype Click to Call
Skype™ 5.10
SnappySoft
Soft Data Fax Modem with SmartCP
Sonic Audio Module
Sonic Copy Module
Sonic Data Module
Sonic Express Labeler
Sonic MyDVD Plus
Sonic Update Manager
SonicAC3Encoder
SonicMPEGEncoder
SSH Secure Shell
Star Trek - Hidden Evil
Star Trek Voyager Elite Force
Star Wars JK II Jedi Outcast
Starcraft
Starscape V1.5c
Steam
Super Meat Boy
Synaptics Pointing Device Driver
System Requirements Lab
Sytrus
TanksOnAHeightmap
The Binding of Isaac
The File Splitter 1.31
The Red Odyssey
TortoiseSVN 1.5.4.14259 (32 bit)
TourSetup
Toxic Biohazard
Tron 2.0
Unload
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 7 (KB976749)
Update for Windows Internet Explorer 7 (KB980182)
Update for Windows Internet Explorer 8 (KB2598845)
Update for Windows Media Player 10 (KB910393)
Update for Windows Media Player 10 (KB913800)
Update for Windows Media Player 10 (KB926251)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB2541763)
Update for Windows XP (KB2607712)
Update for Windows XP (KB2616676)
Update for Windows XP (KB2641690)
Update for Windows XP (KB2718704)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update Rollup 2 for Windows XP Media Center Edition 2005
Ventrilo Client
Viewpoint Media Player
VLC media player 2.0.1
Vongo
Voxli Voice Chat Plugin 1.0.12.79
Warsow 0.42
Wasp
WebFldrs XP
Winamp
Winamp Remote
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Media Connect
Windows Media Format 11 runtime
Windows Media Player Firefox Plugin
Windows XP Media Center Edition 2005 KB2502898
Windows XP Media Center Edition 2005 KB2619340
Windows XP Media Center Edition 2005 KB2628259
Windows XP Media Center Edition 2005 KB912067
Windows XP Media Center Edition 2005 KB915381
Windows XP Media Center Edition 2005 KB973768
Windows XP Service Pack 3
WinRAR archiver
Wireless Home Network Setup

#10 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 09 August 2012 - 03:02 PM

Hello

:P2P Warning!:

IMPORTANT: I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

Please note that as long as you are using any form of Peer-to-Peer networking and downloading files from non-documented sources, you can expect infestations of malware to occur.
Once upon a time, P2P file sharing was fairly safe. That is no longer true. P2P programs form a direct conduit on to your computer, their security measures are easily circumvented and malware writers are increasingly exploiting them to spread their wares on to your computer. Further to that, if your P2P program is not configured correctly, your computer may be sharing more files than you realise. There have been cases where people's passwords, address books and other personal, private, and financial details have been exposed to a file sharing network by a badly configured program.

Please read these short reports on the dangers of peer-2-peer programs and file sharing.

FBI Cyber Education Letter
File sharing infects 500,000 computers
USAToday
infoworld


These logs are looking a lot better. But we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps.

uninstall some programs

NOTE** Because of the cleanup process, some of the programs I have listed may not be in add/remove anymore. This is fine; just move to the next item on the list.

You can remove these programs using add/remove or you can use the free uninstaller from Revo (Revo does a lot better of a job)

Programs to remove

µTorrent
J2SE Runtime Environment 5.0 Update 6
Java™ 6 Update 2
Java™ 6 Update 3
Java™ 6 Update 33
Java™ 6 Update 5
Java™ SE Runtime Environment 6 Update 1
Viewpoint Media Player


  • Please download and install Revo Uninstaller Free
  • Double click Revo Uninstaller to run it.
  • From the list of programs double click on The Program to remove
  • When prompted if you want to uninstall click Yes.
  • Be sure the Moderate option is selected then click Next.
  • The program will run. If prompted again, click Yes.
  • When the built-in uninstaller is finished, click on Next.
  • Once the program has searched for leftovers, click Next.
  • Check/tick the bolded items only on the list, then click Delete.
  • When prompted, click on Yes and then on Next.
  • Put a check on any folders that are found and select Delete.
  • When prompted, select Yes and then Next.
  • Once done click Finish.



Install Java:

Please go here to install Java

  • click on the Free Java Download Button
  • click on Agree and start Free download
  • click on Run
  • click on run again
  • click on install
  • when install is complete click on close

Clean Out Temp Files

  • This small application you may want to keep and use once a week to keep the computer clean.

    Download CCleaner from here http://www.ccleaner.com/

  • Run the installer to install the application.
  • When it gives you the option to install Yahoo toolbar uncheck the box next to it.
  • Run CCleaner. (make sure under Windows tab all the boxes of Internet Explorer and Windows explorer are checked. Under System check Empty Recycle Bin and Temporary Files. Under Application tab all the boxes should be checked).
  • Click Run Cleaner.
  • Close CCleaner.

: Malwarebytes' Anti-Malware :

  • I would like you to rerun MBAM
  • Double-click mbam icon
  • go to the update tab at the top
  • click on check for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
  • If you accidentally close it, the log file is saved here and will be named like this:
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Download HijackThis

If you have any problems running Hijackthis see NOTE** below (Host file not read, blank notepad ...)

  • Go Here to download HijackThis Installer
  • Save HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed it will launch Hijackthis.
  • Click on the Do a system scan and save a log file button. It will scan and the log should open in notepad.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the Analyze This button; its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

NOTE**
Sometimes we have to run it like this: to run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)<--32bit
(located: C:\Program Files(86)\Trend Micro\HiJackThis\HiJackThis.exe)<--64bit
and select to run as administrator

"information and logs"

  • In your next post I need the following

  • Log From MBAM
  • report from Hijackthis
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo


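An added example, not part of this thread and not code from ComboFix, Revo or any other tool mentioned in it: a small Python triage script for an Add/Remove Programs listing of the kind posted above (the report ComboFix writes to C:\Qoobox\Add-Remove Programs.txt). It does the two things the reply above does by eye: it ranks every installed Java runtime by version, since each stale side-by-side JRE is a separately exploitable browser plugin, and it picks out peer-to-peer clients. The listing and the P2P name list are constructed for the example; the regular expression is assumed to cover the display names Sun/Oracle installers used for the JRE. stale_java_runtimes() keeps only the newest JRE as a general rule; the reply above goes further and removes every JRE before reinstalling a fresh one.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample of an Add/Remove Programs listing, modelled on entries
# from the thread. It is a short excerpt, not the full posted list.
SAMPLE_LISTING = """\
µTorrent
7-Zip 9.10 beta
Avira Free Antivirus
DC++ 0.782
J2SE Runtime Environment 5.0 Update 6
Java Auto Updater
Java™ 6 Update 2
Java™ 6 Update 3
Java™ 6 Update 33
Java™ 6 Update 5
Java™ SE Runtime Environment 6 Update 1
Mozilla Firefox 14.0.1 (x86 en-US)
Viewpoint Media Player
"""

# Display-name prefixes of the two peer-to-peer clients on the thread's list.
# Assumption: a constructed starter list, not a complete catalogue.
P2P_CLIENT_PREFIXES = ("µTorrent", "DC++")

# Display names used by the Sun/Oracle JRE installers of that era, e.g.
#   "J2SE Runtime Environment 5.0 Update 6"        -> (5, 6)
#   "Java(TM) 6 Update 33" / "Java™ 6 Update 33"   -> (6, 33)
#   "Java(TM) SE Runtime Environment 6 Update 1"   -> (6, 1)
# "Java Auto Updater" and "JavaFX 2.1 Runtime" deliberately do not match.
_JRE_RE = re.compile(
    r"^(?:J2SE Runtime Environment|Java(?:\(TM\)|™)?(?: SE Runtime Environment)?)"
    r"\s+(\d+)(?:\.\d+)?\s+Update\s+(\d+)\b"
)


def parse_jre_version(display_name: str) -> Optional[Tuple[int, int]]:
    """Return (major, update) for a JRE entry, or None for anything else."""
    m = _JRE_RE.match(display_name.strip())
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def triage_listing(listing: str) -> Dict[str, List[str]]:
    """Group the entries a reviewer asks about first: every installed JRE
    (oldest first) and any peer-to-peer client."""
    jres: List[Tuple[Tuple[int, int], str]] = []
    p2p: List[str] = []
    for line in listing.splitlines():
        name = line.strip()
        if not name:
            continue
        ver = parse_jre_version(name)
        if ver is not None:
            jres.append((ver, name))
        elif name.startswith(P2P_CLIENT_PREFIXES):
            p2p.append(name)
    jres.sort()  # tuple order: (major, update), then name
    return {
        "java_runtimes": [name for _, name in jres],
        "p2p_clients": p2p,
    }


def stale_java_runtimes(listing: str) -> List[str]:
    """Every JRE entry except the single newest one: nothing on a home
    system needs more than the current release, and each old runtime
    stays reachable from the browser as a plugin."""
    ranked = triage_listing(listing)["java_runtimes"]
    return ranked[:-1]


if __name__ == "__main__":
    result = triage_listing(SAMPLE_LISTING)
    print("Installed JREs (oldest first):")
    for name in result["java_runtimes"]:
        print("  ", name)
    print("Peer-to-peer clients:", result["p2p_clients"])
    print("Stale JREs to uninstall:", stale_java_runtimes(SAMPLE_LISTING))
```

On the sample listing the script ranks six JRE entries from J2SE 5.0 Update 6 up to Java 6 Update 33 and reports µTorrent and DC++ as peer-to-peer clients; feed it the real report and the same two groups come out for review.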
#11 antipode56
  • Topic Starter

  • Members
  • 17 posts

Posted 09 August 2012 - 04:48 PM

Here we are:



Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Database version: v2012.08.09.11

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Gary :: TRISKELION [administrator]

8/9/2012 2:13:58 PM
mbam-log-2012-08-09 (14-13-58).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 222780
Time elapsed: 10 minute(s), 25 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)





...and the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 2:42:50 PM, on 8/9/2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Creative\Shared Files\CTDevSrv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\HP Pavilion Webcam\HPWebcam.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
H:\Program Files\Steam\Steam.exe
C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Gary\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/go/notebookaccessories
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\ssv.dll
O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jp2ssv.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /nodetect
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [StxTrayMenu] "C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [XboxStat] "C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe" silentrun
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [SoftAuto.exe] "C:\Program Files\Creative\Software Update 3\SoftAuto.exe"
O4 - HKCU\..\Run: [F.lux] "C:\Documents and Settings\Gary\Local Settings\Apps\F.lux\flux.exe" /noshow
O4 - HKCU\..\Run: [Aim] "C:\Program Files\AIM7\aim.exe" /d locale=en-US
O4 - S-1-5-18 Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')
O4 - .DEFAULT User Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Pavilion Webcam Tray Icon.lnk = C:\Program Files\Hewlett-Packard\HP Pavilion Webcam\HPWebcam.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Skype Click to Call - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=64&bd=pavilion&pf=laptop
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Avira Scheduler (AntiVirSchedulerService) - Avira Operations GmbH & Co. KG - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira Realtime Protection (AntiVirService) - Avira Operations GmbH & Co. KG - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CT Device Query service (CTDevice_Srv) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTDevSrv.exe
O23 - Service: Creative Centrale Media Server (CTUPnPSv) - Creative Technology Ltd - C:\Program Files\Creative\Creative Centrale\CTUPnPSv.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Oracle Corporation - C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Skype C2C Service - Skype Technologies S.A. - C:\Documents and Settings\All Users\Application Data\Skype\Toolbars\Skype C2C Service\c2c_service.exe
O23 - Service: Skype Updater (SkypeUpdate) - Skype Technologies - C:\Program Files\Skype\Updater\Updater.exe

--
End of file - 10930 bytes




I'd say I probably trust these results a lot more now than those found from that recent Avira scan - I'm feeling a lot better about this than I was. Anything else you feel I ought to run at this point?
EDIT: As a matter of fact, I just took a second look at those Avira results - it turns out, the trojans it found and quarantined were ALL in the System Volume Information\_restore directory - which, if I understand right, is probably the directory used to hold the restore point we created earlier on, before we'd killed all the viruses! This totally sets me at ease and it probably explains why MBAM didn't find anything (and I'd be willing to bet Avira wouldn't either at this point)!

Edited by antipode56, 09 August 2012 - 05:19 PM.


#12 gringo_pr (Bleepin Gringo)
  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 09 August 2012 - 05:21 PM

Greetings

These logs are looking very good, we are almost done!!! Just one more scan to go.

:Remove unneeded start-up entries:

This part of the fix is purely optional
These are programs that start up when you turn on your computer but don't need to. Any of these programs you can start by clicking their icons (or from the Control Panel) when you need them. By stopping these programs you will boot up faster and your computer will work faster.

If you have any problems running Hijackthis see NOTE** below (Host file not read, blank notepad ...)

  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):

    • O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
      O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
      O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
      O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /nodetect
      O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
      O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
      O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
      O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
      O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
      O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
      O4 - HKLM\..\Run: [Cpqset] C:\Program Files\Hewlett-Packard\Default Settings\cpqset.exe
      O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
      O4 - HKLM\..\Run: [StxTrayMenu] "C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe"
      O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
      O4 - HKLM\..\Run: [XboxStat] "C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe" silentrun
      O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
      O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
      O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
      O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
      O4 - HKCU\..\Run: [SoftAuto.exe] "C:\Program Files\Creative\Software Update 3\SoftAuto.exe"
      O4 - HKCU\..\Run: [F.lux] "C:\Documents and Settings\Gary\Local Settings\Apps\F.lux\flux.exe" /noshow
      O4 - HKCU\..\Run: [Aim] "C:\Program Files\AIM7\aim.exe" /d locale=en-US
      O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.

    NOTE** You can research each of those lines >here< and see if you want to keep them or not:
    just copy the name between the brackets and paste it into the search space, e.g.
    O4 - HKLM\..\Run: [IntelliPoint]


NOTE**
Sometimes we have to run it like this: to run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe) <-- 32-bit
(located: C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe) <-- 64-bit
and select "Run as administrator".

Eset Online Scanner

**Note** You will need to use Internet Explorer for this scan - on Vista and Win 7, right-click the IE shortcut and run as admin

Go to the Eset web page to run an online scanner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • click on the Run ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
  • When asked, allow the add-on to be installed
    • Click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings, ensure the options
    Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • wait for the virus definitions to be downloaded
  • Wait for the scan to finish

When the scan is complete

  • If no threats were found
  • put a checkmark in "Uninstall application on close"
  • close program
  • report to me that nothing was found

  • If threats were found
  • click on "list of threats found"
  • click on "export to text file" and save it as ESET SCAN and save to the desktop
  • Click on back
  • put a checkmark in "Uninstall application on close"
  • click on finish
  • close program
  • copy and paste the report here

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#13 antipode56
  • Topic Starter
  • Members
  • 17 posts

Posted 09 August 2012 - 10:54 PM

I did actually go ahead and disable some of those startup processes as you recommended, though not all of them (I looked up each of them to be certain of what I wanted).
Then I ran ESET's online virus scanner, which produced this log:

C:\Program Files\AIM\Sysfiles\WxBug.EXE Win32/Adware.WBug.A application
C:\Qoobox\Quarantine\C\Documents and Settings\Gary\laxzyldodalp.exe.vir a variant of Win32/Kryptik.AJKU trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Gary\Local Settings\Application Data\{c353bec1-0dbf-5028-b0be-a14ffa02fc07}\n.vir Win32/Sirefef.EV trojan
C:\Qoobox\Quarantine\C\WINDOWS\Installer\{c353bec1-0dbf-5028-b0be-a14ffa02fc07}\U\80000000.@.vir a variant of Win32/Sirefef.FA trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\139e758f6dff4bd1.sys.vir a variant of Win32/Rootkit.Kryptik.NM trojan
H:\Installers\Standalones\aim553598.exe Win32/Adware.WBug.A application

Looking good! Wonder if this WxBug.EXE within AIM is something I can just delete without any problems.
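The HijackThis O4/O23 lines posted earlier, gringo_pr's advice to research each start-up entry before fixing it, the ESET report above, and the earlier observation that Avira's hits all sat under System Volume Information\_restore come down to one question per path: where does the file live, and is it a live file or an already-neutralised copy? The script below is an added example for this thread, not code from HijackThis, ComboFix or ESET. It parses both log formats and tags each path. The sample lines are a constructed subset copied from the logs in this thread; the tag rules, the directory markers and the rundll32/regsvr32 handling are this example's own assumptions, not an antivirus verdict.

```python
"""Triage helper for HijackThis O4/O23 lines and an exported ESET report.
Added example for this thread, not code from HijackThis, ComboFix or ESET. The
sample lines are a constructed subset copied from the logs posted in the thread;
the tag rules and the rundll32/regsvr32 handling are this example's own assumptions."""
import re

HJT_SAMPLE = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /nodetect
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKCU\..\Run: [F.lux] "C:\Documents and Settings\Gary\Local Settings\Apps\F.lux\flux.exe" /noshow
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O23 - Service: Skype C2C Service - Skype Technologies S.A. - C:\Documents and Settings\All Users\Application Data\Skype\Toolbars\Skype C2C Service\c2c_service.exe
"""
ESET_SAMPLE = r"""
C:\Program Files\AIM\Sysfiles\WxBug.EXE Win32/Adware.WBug.A application
C:\Qoobox\Quarantine\C\Documents and Settings\Gary\Local Settings\Application Data\{c353bec1-0dbf-5028-b0be-a14ffa02fc07}\n.vir Win32/Sirefef.EV trojan
C:\Qoobox\Quarantine\C\WINDOWS\Installer\{c353bec1-0dbf-5028-b0be-a14ffa02fc07}\U\80000000.@.vir a variant of Win32/Sirefef.FA trojan
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\139e758f6dff4bd1.sys.vir a variant of Win32/Rootkit.Kryptik.NM trojan
H:\Installers\Standalones\aim553598.exe Win32/Adware.WBug.A application
"""

O4_RUN_RE = re.compile(r"^O4 - (?P<where>[^:]+): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
O4_LNK_RE = re.compile(r"^O4 - (?P<where>[^:]+): (?P<name>[^=]+?\.lnk) = (?P<path>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<vendor>.+?) - (?P<path>.*)$")
ESET_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) (?P<detection>(?:a variant of )?[A-Za-z0-9]+/\S+.*)$")
GUID_DIR_RE = re.compile(r"\\\{[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\}\\")
HOST_PROCESSES = {"rundll32", "rundll32.exe", "regsvr32", "regsvr32.exe"}
EXE_EXT = (".exe", ".dll", ".ocm", ".cpl", ".scr", ".com")
QUARANTINE_MARKERS = ("\\qoobox\\quarantine\\", "\\system volume information\\_restore")
USER_WRITABLE_MARKERS = ("\\documents and settings\\", "\\application data\\", "\\local settings\\", "\\temp\\")

def _first_token(cmd):
    """Split off the first argument: a quoted path, a switch, or an unquoted path that may contain spaces."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return (cmd[1:], "") if end == -1 else (cmd[1:end], cmd[end + 1:])
    parts = cmd.split(" ")
    if not parts[0].startswith(("/", "-")):
        for i, part in enumerate(parts):
            if part.startswith(("/", "-")):
                break  # a switch came before any extension: fall back to the first word
            if part.lower().split(",", 1)[0].endswith(EXE_EXT):
                return " ".join(parts[: i + 1]), " ".join(parts[i + 1:])
    return parts[0], " ".join(parts[1:])

def executable_of(cmd):
    """The file an O4 command really loads; for rundll32/regsvr32 that is the DLL they are given."""
    token, rest = _first_token(cmd)
    if token.lower() in HOST_PROCESSES:
        token, rest = _first_token(rest)
        while token.startswith(("/", "-")) and rest:
            token, rest = _first_token(rest)
        token = token.split(",", 1)[0]  # rundll32 form is "path.dll,EntryPoint"
    return token

def classify_path(path):
    """Sorted tuple of triage tags; these are this example's heuristics, not an AV verdict."""
    low = path.lower()
    tags = set()
    if low.endswith(".vir") or any(m in low for m in QUARANTINE_MARKERS):
        tags.add("quarantine-copy")  # ComboFix backup or old restore point: already neutralised
    if GUID_DIR_RE.search(path):
        tags.add("guid-dir")  # the {GUID}\U and {GUID}\n layout in this thread's Sirefef hits
    if any(m in low for m in USER_WRITABLE_MARKERS):
        tags.add("user-writable")  # droppable without admin rights (legit per-user apps live here too)
    if "\\" not in path:
        tags.add("relative-path")  # found via the search order; confirm which file it really is
    return tuple(sorted(tags))

def parse_hijackthis(text):
    """(section, name, path) for O4 and O23 lines; every other HijackThis section is ignored."""
    out = []
    for line in (ln.strip() for ln in text.splitlines()):
        m = O4_RUN_RE.match(line)
        if m:
            out.append(("O4", m.group("name"), executable_of(m.group("cmd"))))
            continue
        m = O4_LNK_RE.match(line) or O23_RE.match(line)
        if m:
            out.append((line.split(" ", 1)[0], m.group("name"), m.group("path").strip()))
    return out

def parse_eset(text):
    """(path, detection) pairs from the text export of the ESET scan."""
    matches = (ESET_RE.match(ln.strip()) for ln in text.splitlines())
    return [(m.group("path"), m.group("detection")) for m in matches if m]

def triage(hjt_text, eset_text):
    """Rows of (source, label, path, tags): live findings first, quarantine copies last."""
    rows = [(s, n, p, classify_path(p)) for s, n, p in parse_hijackthis(hjt_text)]
    rows += [("ESET", d, p, classify_path(p)) for p, d in parse_eset(eset_text)]
    rows.sort(key=lambda r: ("quarantine-copy" in r[3], r[0], r[1]))
    return rows

if __name__ == "__main__":
    for source, label, path, tags in triage(HJT_SAMPLE, ESET_SAMPLE):
        print(f"{source:<4} {(','.join(tags) or '-'):<38} {label}: {path}")
```

Run against the full logs, the two ESET lines that survive without a "quarantine-copy" tag are the WxBug adware files, which is exactly what the post above is asking about; the four Sirefef and rootkit-driver hits are ComboFix's Qoobox backups, and the same rule explains why Avira's earlier hits under System Volume Information\_restore were restore-point copies rather than live infections. The "user-writable" tag is deliberately noisy (F.lux installs per user, so it lights up too): it is a prompt to look, not a verdict.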

#14 gringo_pr (Bleepin Gringo)
  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 10 August 2012 - 02:18 AM

Greetings


That I do not know - move the file to the Recycle Bin and see if it gives you any problems.




Very well done!! This is my general post for when your logs show no more signs of malware - Please let me know if you still are having problems with your computer and what these problems are.


:Why we need to remove some of our tools:

Some of the tools we have used to clean your computer were made by fellow malware fighters and are very powerful; if used incorrectly or at the wrong time, they can make the computer an expensive paperweight.
They are updated all the time, some of them more than once a day, so by the time you are ready to use them again they will already be outdated.

The following procedures will implement some cleanup procedures to remove these tools. It will also reset your System Restore by flushing out previous restore points and create a new restore point. It will also remove all the backups our tools may have made.
:DeFogger:

Note** Defogger only needs to be run if it was run when we first started. If you have not already run it then skip this.

  • To re-enable your Emulation drivers, double click DeFogger to run the tool.
  • The application window will appear
  • Click the Re-enable button to re-enable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK.
Your Emulation drivers are now re-enabled.
:Uninstall ComboFix:

  • turn off all active protection software
  • push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
  • please copy and paste the following into the box: ComboFix /Uninstall and click OK.
  • Note the space between the X and the /Uninstall, it needs to be there.

:Remove the rest of our tools:

Please download OTCleanIt and save it to desktop. This tool will remove all the tools we used to clean your pc.
  • Double-click OTCleanIt.exe.
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes, if not delete it by yourself.
  • If asked to restart the computer, please do so
Note: If you receive a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the internet, please allow it to do so.

:The programs you can keep:

Some of the programs that we have used would be a good idea to keep and use often to help keep the computer clean. I use these programs on my computer.

Revo Uninstaller Free - this is the uninstaller that I had you download; it works a lot better than Add/Remove in Windows and has saved me more than once from corrupted installs and uninstalls

CCleaner - This is a good program to clean out temp files, I would use this once a week or before any malware scan to remove unwanted temp files - It has a built in registry cleaner but I would leave that alone and not use any registry cleaner

Malwarebytes' Anti-Malware The Gold standard today in antimalware scanners

:Security programs:

One of the questions I am asked all the time is "What programs do you use" I have at this time 4 computers in my home and I have this setup on all 4 of them.


  • Microsoft Security Essentials - provides real-time protection for your home PC that guards against viruses, spyware, and other malicious software.
  • WinPatrol As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge.
  • Malwarebytes' Anti-Malware Malwarebytes' Anti-Malware is a new and powerful anti-malware tool. It is totally free, but for real-time protection you will have to pay a small one-time fee. We used this to help clean your computer and recommend keeping it and using it often. (I have upgraded to the paid version of MBAM and I am glad I did)

    Note** If you decide to install MSE you will need to uninstall your present Antivirus

:Security awareness:

The other question I am asked all the time is "How can I prevent this from happening again." and the short answer to that is to be aware of what is out there and how to start spotting dangers.

Here are some articles that are must reads and should be read by everybody in your household that uses the internet

internetsafety

Internet Safety for Kids

Here is some more reading for you from some of my colleagues

PC Safety and Security - What Do I Need? from my friends at Tech Support Forum

COMPUTER SECURITY - a short guide to staying safer online from my friends at Malware Removal

quoted from Tech Support Forum

Conclusion

There is no such thing as ‘perfect security’. This applies to many things, not just computer systems. Using the above guide you should be able to take all the reasonable steps you can to prevent infection. However, the most important part of all this is you, the user. Surf sensibly and think before you download a file or click on a link. Take a few moments to assess the possible risks and you should be able to enjoy all the internet has to offer.


I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can then be closed.

I Will Keep This Open For About Three Days, If Anything Comes Up - Just Come Back And Let Me Know, after that time you will have to send me a PM

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Gringo

#15 antipode56
  • Topic Starter
  • Members
  • 17 posts

Posted 10 August 2012 - 03:51 AM

Hi Gringo, I went ahead and wrapped everything up like you said - the cleanup program took care of most everything, and I already had CCleaner and MBAM, so I definitely plan to keep them. Just want to say, I truly appreciate your time and effort - you helped save me from having to reinstall Windows! It's nice to know that while there are people making these ridiculous viruses, there are even more people like yourself, devoting their own time to helping others eliminate them. So, thanks! I'll definitely be recommending your site to my friends and family. If I have any further issues, I'll be sure to post!

Cheers.



