
Partly cleaned infection Live Security Platinum


15 replies to this topic

#1 herbaklez


Posted 30 August 2012 - 08:36 PM

A few days ago I found that the shared computer had been infected with the Live Security Platinum rogue AV.

Before finding instructions for removal, I ran MBAM and Avira.

Later I followed the instructions, though it didn't go quite as the instructions indicate.

Since then, there have been a few alerts from Avira, though I haven't been present to record the alerts.

Today I ran MBAM and Avira again.

Avira reported:
TR/ATRAPS.GEN
TR/Sirefef.A.50
TR/FakeAV.auu.1

MBAM reported:
PUP.Historytool

Computer is running XP SP3
I have downloaded Secunia PSI but haven't run it yet
I have updated IE from 7 to 8.

Here are 2 of the latest MBAM logs:

Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Database version: v2012.08.26.05

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
User :: TILL4 [administrator]

31/08/2012 09:48:59
mbam-log-2012-08-31 (09-48-59).txt

Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 272873
Time elapsed: 1 hour(s), 8 minute(s), 30 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Program Files\iehv\iehv.exe (PUP.HistoryTool) -> Quarantined and deleted successfully.

(end)


Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Database version: v2012.08.26.05

Windows XP Service Pack 3 x86 NTFS (Safe Mode/Networking)
Internet Explorer 7.0.5730.11
User :: TILL4 [administrator]

28/08/2012 08:05:25
mbam-log-2012-08-28 (08-05-25).txt

Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 279506
Time elapsed: 27 minute(s), 48 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 1
HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Live Security Platinum (Rogue.LiveSecurityPlatinum) -> Quarantined and deleted successfully.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 1
C:\Documents and Settings\User\Start Menu\Programs\Live Security Platinum (Rogue.LiveSecurity) -> Quarantined and deleted successfully.

Files Detected: 5
C:\Program Files\iehv\iehv.exe (PUP.HistoryTool) -> No action taken.
C:\RECYCLER\S-1-5-18\$83a36a77b59be7bc54a4fd5e84578aa5\U\800000cb.@ (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Start Menu\Programs\Live Security Platinum\Live Security Platinum Support Site.url (Rogue.LiveSecurity) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Start Menu\Programs\Live Security Platinum\Uninstall.lnk (Rogue.LiveSecurity) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Desktop\Live Security Platinum Support Site.url (Rogue.LiveSecurity) -> Quarantined and deleted successfully.

(end)
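A triage pass over MBAM output like the two logs above, as an added example that is not part of this thread: it parses the "X Detected: N" sections, checks the declared counts against the lines actually pasted (a mismatch usually means a truncated copy), separates what was quarantined from what was left alone, and flags Rootkit.* families, since quarantining one rootkit component (as with Rootkit.0Access here) does not establish that the rootkit is gone. The sample input is a constructed, trimmed copy of the second log; the flagging rules are this example's own, not MBAM's.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: a trimmed copy of the second MBAM log posted above
# (three of the five file detections kept), so the block runs offline.
SAMPLE_LOG = r"""Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Database version: v2012.08.26.05

Windows XP Service Pack 3 x86 NTFS (Safe Mode/Networking)
Internet Explorer 7.0.5730.11
User :: TILL4 [administrator]

Registry Keys Detected: 1
HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Live Security Platinum (Rogue.LiveSecurityPlatinum) -> Quarantined and deleted successfully.

Folders Detected: 1
C:\Documents and Settings\User\Start Menu\Programs\Live Security Platinum (Rogue.LiveSecurity) -> Quarantined and deleted successfully.

Files Detected: 3
C:\Program Files\iehv\iehv.exe (PUP.HistoryTool) -> No action taken.
C:\RECYCLER\S-1-5-18\$83a36a77b59be7bc54a4fd5e84578aa5\U\800000cb.@ (Rootkit.0Access) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Desktop\Live Security Platinum Support Site.url (Rogue.LiveSecurity) -> Quarantined and deleted successfully.

(end)
"""

SECTION_RE = re.compile(r"^([A-Za-z ]+) Detected: (\d+)$")
# item, then the last parenthesised token (the detection family), then the action taken
DETECTION_RE = re.compile(r"^(?P<item>.+) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")


@dataclass
class Detection:
    section: str   # e.g. "Files", "Registry Keys"
    item: str      # file path or registry key
    family: str    # MBAM detection name, e.g. "Rootkit.0Access"
    action: str    # what MBAM did, e.g. "Quarantined and deleted successfully"


@dataclass
class Report:
    boot_mode: str = "Normal"
    declared: dict = field(default_factory=dict)    # section -> count MBAM claims
    detections: list = field(default_factory=list)


def parse_mbam_log(text: str) -> Report:
    """Walk the log line by line, tracking the current 'X Detected: N' section."""
    report = Report()
    section = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Windows ") and "(" in line:
            # MBAM appends the boot mode to the OS line, e.g. "(Safe Mode/Networking)"
            report.boot_mode = line[line.index("(") + 1 : line.rindex(")")]
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            report.declared[section] = int(m.group(2))
            continue
        m = DETECTION_RE.match(line)
        if m and section is not None:
            report.detections.append(Detection(section, m["item"], m["family"], m["action"]))
    return report


def triage(report: Report) -> dict:
    """Separate what the scan actually resolved from what still needs attention."""
    found = {}
    for d in report.detections:
        found[d.section] = found.get(d.section, 0) + 1
    # a declared count that differs from the lines under it usually means a truncated paste
    truncated = [s for s, n in report.declared.items() if n != found.get(s, 0)]
    unresolved = [d for d in report.detections if not d.action.startswith("Quarantined")]
    # A Rootkit.* family (0Access is MBAM's name for ZeroAccess) is the trigger for a
    # dedicated anti-rootkit scan: removing one component says nothing about the rest.
    rootkits = [d for d in report.detections if d.family.startswith("Rootkit.")]
    severity = "high" if rootkits else ("medium" if unresolved else "low")
    return {
        "boot_mode": report.boot_mode,
        "families": sorted({d.family for d in report.detections}),
        "unresolved": [d.item for d in unresolved],
        "rootkits": [d.item for d in rootkits],
        "truncated_sections": truncated,
        "severity": severity,
    }


if __name__ == "__main__":
    for key, value in triage(parse_mbam_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```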


#2 narenxp


Posted 30 August 2012 - 08:39 PM

Download

TDSSkiller

Launch it. Click on change parameters - Select TDLFS file system

Click on "Scan". Please post the LOG report (log file should be in your C drive)

Do not change the default options on scan results

Download

aswMBR

Launch it, allow it to download the latest Avast! virus definitions
Click the "Scan" button to start the scan. After the scan finishes, click on Save log

Post the log results here

Download

ESET online scanner

Install it

Click on START, it should download the virus definitions
When the scan gets completed, click on LIST of found threats

Export the list to desktop, copy the contents of the text file in your reply

#3 herbaklez


Posted 30 August 2012 - 10:34 PM

13:12:57.0484 3632 TDSS rootkit removing tool 2.8.8.0 Aug 24 2012 13:27:48
13:12:58.0375 3632 ============================================================
13:12:58.0375 3632 Current date / time: 2012/08/31 13:12:58.0375
13:12:58.0375 3632 SystemInfo:
13:12:58.0375 3632
13:12:58.0375 3632 OS Version: 5.1.2600 ServicePack: 3.0
13:12:58.0375 3632 Product type: Workstation
13:12:58.0375 3632 ComputerName: TILL4
13:12:58.0375 3632 UserName: User
13:12:58.0375 3632 Windows directory: C:\WINDOWS
13:12:58.0375 3632 System windows directory: C:\WINDOWS
13:12:58.0375 3632 Processor architecture: Intel x86
13:12:58.0375 3632 Number of processors: 2
13:12:58.0375 3632 Page size: 0x1000
13:12:58.0375 3632 Boot type: Normal boot
13:12:58.0375 3632 ============================================================
13:13:00.0140 3632 Drive \Device\Harddisk0\DR0 - Size: 0x12A1E0DE00 (74.53 Gb), SectorSize: 0x200, Cylinders: 0x2601, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
13:13:00.0187 3632 ============================================================
13:13:00.0187 3632 \Device\Harddisk0\DR0:
13:13:00.0203 3632 MBR partitions:
13:13:00.0203 3632 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x950E482
13:13:00.0203 3632 ============================================================
13:13:00.0218 3632 C: <-> \Device\Harddisk0\DR0\Partition1
13:13:00.0218 3632 ============================================================
13:13:00.0218 3632 Initialize success
13:13:00.0218 3632 ============================================================
13:13:39.0484 1392 ============================================================
13:13:39.0484 1392 Scan started
13:13:39.0484 1392 Mode: Manual; TDLFS;
13:13:39.0484 1392 ============================================================
13:13:39.0593 1392 ================ Scan system memory ========================
13:13:39.0593 1392 System memory - ok
13:13:39.0593 1392 ================ Scan services =============================
13:13:47.0531 1392 sysaudio - ok
13:13:47.0578 1392 [ C7ABBC59B43274B1109DF6B24D617051 ] SysmonLog C:\WINDOWS\system32\smlogsvc.exe
13:13:47.0578 1392 SysmonLog - ok
13:13:47.0593 1392 [ 3CB78C17BB664637787C9A1C98F79C38 ] TapiSrv C:\WINDOWS\System32\tapisrv.dll
13:13:47.0593 1392 TapiSrv - ok
13:13:47.0640 1392 [ 9AEFA14BD6B182D61E3119FA5F436D3D ] Tcpip C:\WINDOWS\system32\DRIVERS\tcpip.sys
13:13:47.0656 1392 Tcpip - ok
13:13:47.0671 1392 [ 6471A66807F5E104E4885F5B67349397 ] TDPIPE C:\WINDOWS\system32\drivers\TDPIPE.sys
13:13:47.0671 1392 TDPIPE - ok
13:13:47.0687 1392 [ C56B6D0402371CF3700EB322EF3AAF61 ] TDTCP C:\WINDOWS\system32\drivers\TDTCP.sys
13:13:47.0687 1392 TDTCP - ok
13:13:47.0734 1392 [ 88155247177638048422893737429D9E ] TermDD C:\WINDOWS\system32\DRIVERS\termdd.sys
13:13:47.0750 1392 TermDD - ok
13:13:47.0781 1392 [ FF3477C03BE7201C294C35F684B3479F ] TermService C:\WINDOWS\System32\termsrv.dll
13:13:47.0781 1392 TermService - ok
13:13:47.0828 1392 [ 99BC0B50F511924348BE19C7C7313BBF ] Themes C:\WINDOWS\System32\shsvcs.dll
13:13:47.0828 1392 Themes - ok
13:13:47.0875 1392 [ DB7205804759FF62C34E3EFD8A4CC76A ] TlntSvr C:\WINDOWS\system32\tlntsvr.exe
13:13:47.0921 1392 TlntSvr - ok
13:13:47.0921 1392 TosIde - ok
13:13:47.0968 1392 [ 55BCA12F7F523D35CA3CB833C725F54E ] TrkWks C:\WINDOWS\system32\trkwks.dll
13:13:47.0968 1392 TrkWks - ok
13:13:48.0031 1392 [ 5787B80C2E3C5E2F56C2A233D91FA2C9 ] Udfs C:\WINDOWS\system32\drivers\Udfs.sys
13:13:48.0031 1392 Udfs - ok
13:13:48.0031 1392 ultra - ok
13:13:48.0078 1392 [ 402DDC88356B1BAC0EE3DD1580C76A31 ] Update C:\WINDOWS\system32\DRIVERS\update.sys
13:13:48.0078 1392 Update - ok
13:13:48.0109 1392 [ 1EBAFEB9A3FBDC41B8D9C7F0F687AD91 ] upnphost C:\WINDOWS\System32\upnphost.dll
13:13:48.0109 1392 upnphost - ok
13:13:48.0125 1392 [ 05365FB38FCA1E98F7A566AAAF5D1815 ] UPS C:\WINDOWS\System32\ups.exe
13:13:48.0125 1392 UPS - ok
13:13:48.0171 1392 [ 173F317CE0DB8E21322E71B7E60A27E8 ] usbccgp C:\WINDOWS\system32\DRIVERS\usbccgp.sys
13:13:48.0171 1392 usbccgp - ok
13:13:48.0187 1392 [ 65DCF09D0E37D4C6B11B5B0B76D470A7 ] usbehci C:\WINDOWS\system32\DRIVERS\usbehci.sys
13:13:48.0187 1392 usbehci - ok
13:13:48.0203 1392 [ 1AB3CDDE553B6E064D2E754EFE20285C ] usbhub C:\WINDOWS\system32\DRIVERS\usbhub.sys
13:13:48.0203 1392 usbhub - ok
13:13:48.0218 1392 [ A32426D9B14A089EAA1D922E0C5801A9 ] USBSTOR C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
13:13:48.0218 1392 USBSTOR - ok
13:13:48.0234 1392 [ 26496F9DEE2D787FC3E61AD54821FFE6 ] usbuhci C:\WINDOWS\system32\DRIVERS\usbuhci.sys
13:13:48.0234 1392 usbuhci - ok
13:13:48.0234 1392 [ 0D3A8FAFCEACD8B7625CD549757A7DF1 ] VgaSave C:\WINDOWS\System32\drivers\vga.sys
13:13:48.0234 1392 VgaSave - ok
13:13:48.0250 1392 ViaIde - ok
13:13:48.0281 1392 [ 4C8FCB5CC53AAB716D810740FE59D025 ] VolSnap C:\WINDOWS\system32\drivers\VolSnap.sys
13:13:48.0281 1392 VolSnap - ok
13:13:48.0328 1392 [ 7A9DB3A67C333BF0BD42E42B8596854B ] VSS C:\WINDOWS\System32\vssvc.exe
13:13:48.0343 1392 VSS - ok
13:13:48.0359 1392 [ 54AF4B1D5459500EF0937F6D33B1914F ] W32Time C:\WINDOWS\system32\w32time.dll
13:13:48.0359 1392 W32Time - ok
13:13:48.0375 1392 [ E20B95BAEDB550F32DD489265C1DA1F6 ] Wanarp C:\WINDOWS\system32\DRIVERS\wanarp.sys
13:13:48.0375 1392 Wanarp - ok
13:13:48.0375 1392 WDICA - ok
13:13:48.0390 1392 [ 6768ACF64B18196494413695F0C3A00F ] wdmaud C:\WINDOWS\system32\drivers\wdmaud.sys
13:13:48.0390 1392 wdmaud - ok
13:13:48.0406 1392 [ 77A354E28153AD2D5E120A5A8687BC06 ] WebClient C:\WINDOWS\System32\webclnt.dll
13:13:48.0406 1392 WebClient - ok
13:13:48.0500 1392 [ 2D0E4ED081963804CCC196A0929275B5 ] winmgmt C:\WINDOWS\system32\wbem\WMIsvc.dll
13:13:48.0500 1392 winmgmt - ok
13:13:48.0578 1392 [ CD99C9FEAE87C1963273F6B150251E33 ] WMConnectCDS C:\Program Files\Windows Media Connect 2\wmccds.exe
13:13:48.0593 1392 WMConnectCDS - ok
13:13:48.0625 1392 [ C51B4A5C05A5475708E3C81C7765B71D ] WmdmPmSN C:\WINDOWS\system32\MsPMSNSv.dll
13:13:48.0625 1392 WmdmPmSN - ok
13:13:48.0687 1392 [ E76F8807070ED04E7408A86D6D3A6137 ] Wmi C:\WINDOWS\System32\advapi32.dll
13:13:48.0703 1392 Wmi - ok
13:13:48.0718 1392 [ E0673F1106E62A68D2257E376079F821 ] WmiApSrv C:\WINDOWS\system32\wbem\wmiapsrv.exe
13:13:48.0734 1392 WmiApSrv - ok
13:13:48.0781 1392 [ F15FEAFFFBB3644CCC80C5DA584E6311 ] WudfPf C:\WINDOWS\system32\DRIVERS\WudfPf.sys
13:13:48.0781 1392 WudfPf - ok
13:13:48.0796 1392 [ 28B524262BCE6DE1F7EF9F510BA3985B ] WudfRd C:\WINDOWS\system32\DRIVERS\wudfrd.sys
13:13:48.0796 1392 WudfRd - ok
13:13:48.0812 1392 [ 05231C04253C5BC30B26CBAAE680ED89 ] WudfSvc C:\WINDOWS\System32\WUDFSvc.dll
13:13:48.0828 1392 WudfSvc - ok
13:13:48.0890 1392 [ 81DC3F549F44B1C1FFF022DEC9ECF30B ] WZCSVC C:\WINDOWS\System32\wzcsvc.dll
13:13:48.0906 1392 WZCSVC - ok
13:13:48.0937 1392 [ 295D21F14C335B53CB8154E5B1F892B9 ] xmlprov C:\WINDOWS\System32\xmlprov.dll
13:13:48.0937 1392 xmlprov - ok
13:13:48.0937 1392 ================ Scan global ===============================
13:13:49.0000 1392 [ 42F1F4C0AFB08410E5F02D4B13EBB623 ] C:\WINDOWS\system32\basesrv.dll
13:13:49.0031 1392 [ 8C7DCA4B158BF16894120786A7A5F366 ] C:\WINDOWS\system32\winsrv.dll
13:13:49.0046 1392 [ 8C7DCA4B158BF16894120786A7A5F366 ] C:\WINDOWS\system32\winsrv.dll
13:13:49.0062 1392 [ 65DF52F5B8B6E9BBD183505225C37315 ] C:\WINDOWS\system32\services.exe
13:13:49.0062 1392 [Global] - ok
13:13:49.0062 1392 ================ Scan MBR ==================================
13:13:49.0078 1392 [ 8F558EB6672622401DA993E1E865C861 ] \Device\Harddisk0\DR0
13:13:49.0265 1392 \Device\Harddisk0\DR0 - ok
13:13:49.0265 1392 ================ Scan VBR ==================================
13:13:49.0265 1392 [ ED176DC1B7FA972F0C88F81969165249 ] \Device\Harddisk0\DR0\Partition1
13:13:49.0265 1392 \Device\Harddisk0\DR0\Partition1 - ok
13:13:49.0265 1392 ============================================================
13:13:49.0265 1392 Scan finished
13:13:49.0265 1392 ============================================================
13:13:49.0281 0568 Detected object count: 0
13:13:49.0281 0568 Actual detected object count: 0


aswMBR crashed partway through the scan ('Avast! needs to close... tell Microsoft about the problem...').

I didn't continue past that point.

#4 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:India
  • Local time:07:17 AM

Posted 30 August 2012 - 10:38 PM

Try to run it in Safe Mode with Networking.

Edited by narenxp, 30 August 2012 - 10:38 PM.


#5 herbaklez

Posted 31 August 2012 - 12:10 AM

Hi Narenxp,

Thanks for your very prompt assistance.

I ran both of the following scans in Safe Mode with Networking under the Administrator profile (mostly so my nicely arranged desktop wasn't mashed!).



aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-08-31 14:12:45
-----------------------------
14:12:45.000 OS Version: Windows 5.1.2600 Service Pack 3
14:12:45.000 Number of processors: 2 586 0xF0D
14:12:45.000 ComputerName: TILL4 UserName:
14:12:45.343 Initialize success
14:22:27.984 AVAST engine defs: 12083001
14:24:32.281 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
14:24:32.296 Disk 0 Vendor: Hitachi_HDS721680PLA380 P21OABEA Size: 76318MB BusType: 3
14:24:32.328 Disk 0 MBR read successfully
14:24:32.328 Disk 0 MBR scan
14:24:32.390 Disk 0 Windows XP default MBR code
14:24:32.406 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 76316 MB offset 63
14:24:32.421 Disk 0 scanning sectors +156296385
14:24:32.515 Disk 0 scanning C:\WINDOWS\system32\drivers
14:24:41.031 Service scanning
14:24:56.906 Modules scanning
14:25:02.703 Disk 0 trace - called modules:
14:25:02.750 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
14:25:02.765 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x82f8e908]
14:25:03.781 3 CLASSPNP.SYS[f86c4fd7] -> nt!IofCallDriver -> \Device\0000005e[0x82ef6650]
14:25:03.812 5 ACPI.sys[f863b620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x82ef6030]
14:25:04.296 AVAST engine scan C:\WINDOWS
14:25:20.281 AVAST engine scan C:\WINDOWS\system32
14:27:18.375 AVAST engine scan C:\WINDOWS\system32\drivers
14:27:30.078 AVAST engine scan C:\Documents and Settings\Administrator
14:27:34.281 AVAST engine scan C:\Documents and Settings\All Users
14:27:46.953 Scan finished successfully
14:48:58.828 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\User\My Documents\MBR.dat"
14:48:58.859 The log file has been saved successfully to "C:\Documents and Settings\User\My Documents\aswMBR_aug31.txt"

ESET scan taking a while, so I'll send this now, and the other to follow.

Thanks,

Herbaklez

#6 herbaklez

Posted 31 August 2012 - 12:31 AM

And here is the result of ESET:

C:\POS\HEADNET.EXE probably a variant of Win32/TrojanDownloader.Hotworld trojan cleaned by deleting - quarantined


Thanks,

Herbaklez

#7 narenxp

Posted 31 August 2012 - 12:33 AM

Download

http://www.techspot.com/downloads/4716-malwarebytes-anti-malware.html

Install, update and run a full scan.

Click on SHOW results. Select all infections and remove them.

Reboot the PC and scan with MBAM once in regular mode until you get a clean log.

Download

mini toolbox

Checkmark the following boxes:

Flush DNS
Report IE Proxy Settings
Reset IE Proxy Settings
Report FF Proxy Settings
Reset FF Proxy Settings
List content of Hosts
List IP configuration
List Winsock Entries
List last 10 Event Viewer log
List Installed Programs
List Users, Partitions and Memory size

Click Go and post the result.

Download

FSS

Checkmark all the boxes.

Click on "Scan".
Please copy and paste the log to your reply.

Create a restore point before trying this.

Download

adware cleaner

Launch it and click on Delete.

Post the generated log.

Download

http://www.bleepingcomputer.com/download/rkill/

Run it and, after the scan finishes, post the contents of the RKILL log located on the desktop here.

#8 herbaklez

Posted 31 August 2012 - 06:34 AM

I'm unlikely to get back to working on that computer for a couple of days, but thanks for your help so far.

#9 narenxp

Posted 31 August 2012 - 08:10 AM

:thumbup2:

#10 herbaklez

Posted 02 September 2012 - 07:50 PM

Hi Narenxp,

Here are the results of the instructions above:


MiniToolBox by Farbar Version: 23-07-2012
Ran by User (administrator) on 03-09-2012 at 10:22:34
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal
***************************************************************************

========================= Flush DNS: ===================================


Windows IP Configuration



Successfully flushed the DNS Resolver Cache.


========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

"Reset IE Proxy Settings": IE Proxy Settings were reset.
========================= Hosts content: =================================
Realtek RTL8168/8111 PCI-E Gigabit Ethernet NIC = Local Area Connection (Connected)


# ----------------------------------
# Interface IP Configuration
# ----------------------------------
pushd interface ip


# Interface IP Configuration for "Local Area Connection"

set address name="Local Area Connection" source=static addr=192.168.1.3 mask=255.255.255.0
set address name="Local Area Connection" gateway=192.168.1.1 gwmetric=0
set dns name="Local Area Connection" source=static addr=192.168.1.1 register=PRIMARY
set wins name="Local Area Connection" source=static addr=none


popd
# End of interface IP configuration




Windows IP Configuration

Host Name . . . . . . . . . . . . : TILL4
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Realtek RTL8168/8111 PCI-E Gigabit Ethernet NIC
Physical Address. . . . . . . . . : 00-1D-7D-AB-80-9A
Dhcp Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.1.3
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
DNS Servers . . . . . . . . . . . : 192.168.1.1

Server: www.routerlogin.com
Address: 192.168.1.1

Name: google.com
Addresses: 74.125.237.1, 74.125.237.2, 74.125.237.5, 74.125.237.0
74.125.237.3, 74.125.237.14, 74.125.237.4, 74.125.237.8, 74.125.237.7
74.125.237.6, 74.125.237.9

Pinging google.com [74.125.237.142] with 32 bytes of data:

Reply from 74.125.237.142: bytes=32 time=28ms TTL=53
Reply from 74.125.237.142: bytes=32 time=28ms TTL=52

Ping statistics for 74.125.237.142:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 28ms, Maximum = 28ms, Average = 28ms

Server: www.routerlogin.com
Address: 192.168.1.1

Name: yahoo.com
Addresses: 72.30.38.140, 98.138.253.109, 98.139.183.24

Pinging yahoo.com [72.30.38.140] with 32 bytes of data:

Reply from 72.30.38.140: bytes=32 time=209ms TTL=48
Reply from 72.30.38.140: bytes=32 time=470ms TTL=48

Ping statistics for 72.30.38.140:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 209ms, Maximum = 470ms, Average = 339ms

Server: www.routerlogin.com
Address: 192.168.1.1

Name: bleepingcomputer.com
Address: 208.43.87.2

Pinging bleepingcomputer.com [208.43.87.2] with 32 bytes of data:

Reply from 208.43.87.2: Destination host unreachable.
Reply from 208.43.87.2: Destination host unreachable.

Ping statistics for 208.43.87.2:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

Pinging 127.0.0.1 with 32 bytes of data:

Reply from 127.0.0.1: bytes=32 time<1ms TTL=128
Reply from 127.0.0.1: bytes=32 time<1ms TTL=128

Ping statistics for 127.0.0.1:
Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 1d 7d ab 80 9a ...... Realtek RTL8168/8111 PCI-E Gigabit Ethernet NIC - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.3 10
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.1.0 255.255.255.0 192.168.1.3 192.168.1.3 10
192.168.1.3 255.255.255.255 127.0.0.1 127.0.0.1 10
192.168.1.255 255.255.255.255 192.168.1.3 192.168.1.3 10
224.0.0.0 240.0.0.0 192.168.1.3 192.168.1.3 10
255.255.255.255 255.255.255.255 192.168.1.3 192.168.1.3 1
Default Gateway: 192.168.1.1
===========================================================================
Persistent Routes:
None
========================= Winsock entries =====================================

Catalog5 01 C:\Windows\System32\mswsock.dll [245248] (Microsoft Corporation)
Catalog5 02 C:\Windows\System32\winrnr.dll [16896] (Microsoft Corporation)
Catalog5 03 C:\Windows\System32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 01 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 02 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 03 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 04 C:\Windows\system32\rsvpsp.dll [92672] (Microsoft Corporation)
Catalog9 05 C:\Windows\system32\rsvpsp.dll [92672] (Microsoft Corporation)
Catalog9 06 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 07 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 08 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 09 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 10 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)
Catalog9 11 C:\Windows\system32\mswsock.dll [245248] (Microsoft Corporation)

========================= Event log errors: ===============================

Application errors:
==================
Error: (08/31/2012 01:30:53 PM) (Source: Application Error) (User: )
Description: Faulting application aswmbr.exe, version 0.9.9.1665, faulting module ntdll.dll, version 5.1.2600.6055, fault address 0x000108f3.
Processing media-specific event for [aswmbr.exe!ws!]

Error: (08/31/2012 08:55:33 AM) (Source: Avira Antivirus) (User: NT AUTHORITY)NT AUTHORITY
Description: Unable to load file AvShadow.
Returned error code: 0x3e5

Error: (08/30/2012 08:13:51 AM) (Source: Application Error) (User: )
Description: Faulting application avscan.exe, version 12.3.0.33, faulting module unknown, version 0.0.0.0, fault address 0x00000000.
Processing media-specific event for [avscan.exe!ws!]

Error: (08/29/2012 11:22:58 AM) (Source: Application Error) (User: )
Description: Faulting application netbak.exe, version 3.2.1.710, faulting module netbak.exe, version 3.2.1.710, fault address 0x00009592.
Processing media-specific event for [netbak.exe!ws!]

Error: (08/28/2012 11:10:32 AM) (Source: Application Error) (User: )
Description: Faulting application netbak.exe, version 3.2.1.710, faulting module netbak.exe, version 3.2.1.710, fault address 0x00009592.
Processing media-specific event for [netbak.exe!ws!]

Error: (08/27/2012 02:17:30 PM) (Source: Avira Antivirus) (User: NT AUTHORITY)NT AUTHORITY
Description: Unable to load file AvShadow.
Returned error code: 0x3e5

Error: (08/25/2012 09:09:21 AM) (Source: Application Error) (User: )
Description: Faulting application netbak.exe, version 3.2.1.710, faulting module netbak.exe, version 3.2.1.710, fault address 0x00009592.
Processing media-specific event for [netbak.exe!ws!]

Error: (08/15/2012 07:33:55 AM) (Source: Application Error) (User: )
Description: Faulting application netbak.exe, version 3.2.1.710, faulting module netbak.exe, version 3.2.1.710, fault address 0x00009592.
Processing media-specific event for [netbak.exe!ws!]

Error: (08/12/2012 02:04:25 PM) (Source: Application Hang) (User: )
Description: Hanging application iexplore.exe, version 7.0.6000.17110, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Error: (08/09/2012 11:01:41 AM) (Source: Application Hang) (User: )
Description: Hanging application iexplore.exe, version 7.0.6000.17110, hang module hungapp, version 0.0.0.0, hang address 0x00000000.


System errors:
=============
Error: (09/03/2012 08:59:12 AM) (Source: Service Control Manager) (User: )
Description: The Computer Browser service terminated with the following error:
%%1060

Error: (09/03/2012 08:57:42 AM) (Source: 0) (User: )
Description: 0xC0000001HarddiskVolume1

Error: (09/03/2012 07:43:55 AM) (Source: Service Control Manager) (User: )
Description: The Computer Browser service terminated with the following error:
%%1060

Error: (08/31/2012 03:32:05 PM) (Source: DCOM) (User: NT AUTHORITY)
Description: DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

Error: (08/31/2012 02:11:36 PM) (Source: Service Control Manager) (User: )
Description: The following boot-start or system-start driver(s) failed to load:
avipbb
avkmgr
Fips
intelppm
ssmdrv

Error: (08/31/2012 09:48:26 AM) (Source: Service Control Manager) (User: )
Description: The Computer Browser service terminated with the following error:
%%1060

Error: (08/31/2012 09:45:49 AM) (Source: DCOM) (User: NT AUTHORITY)
Description: DCOM got error "%%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

Error: (08/30/2012 05:26:16 PM) (Source: Service Control Manager) (User: )
Description: The Computer Browser service terminated with the following error:
%%1060

Error: (08/30/2012 05:12:34 PM) (Source: Service Control Manager) (User: )
Description: The Computer Browser service terminated with the following error:
%%1060

Error: (08/30/2012 07:25:14 AM) (Source: Service Control Manager) (User: )
Description: The Computer Browser service terminated with the following error:
%%1060


Microsoft Office Sessions:
=========================
Activation Assistant for the 2007 Microsoft Office suites
Activation Assistant for the 2007 Microsoft Office suites (Version: 1.0)
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742) (Version: 8.1.2)
Adobe Flash Player 11 ActiveX (Version: 11.3.300.271)
Adobe Reader 8.1.2 (Version: 8.1.2)
Adobe Reader 8.1.2 Security Update 1 (KB403742)
Avira Free Antivirus (Version: 12.0.0.1167)
Checkout XP Patch
CutePDF Writer 2.6
EPSON Advanced Printer Driver 4 (Version: 4.07.0007)
EPSON APD4 Point and Print Support (Version: 4.07.0006)
ESET Online Scanner v3
Google Chrome (Version: 21.0.1180.83)
Google Toolbar for Internet Explorer (Version: 1.0.0)
Google Toolbar for Internet Explorer (Version: 7.4.3203.136)
Google Update Helper (Version: 1.3.21.115)
High Definition Audio Driver Package - KB888111 (Version: 20040219.000000)
HighMAT Extension to Microsoft Windows XP CD Writing Wizard (Version: 1.1.1905.1)
Intel® Graphics Media Accelerator Driver
IrfanView (remove only)
Java Auto Updater (Version: 2.0.6.1)
Java™ 6 Update 29 (Version: 6.0.290)
Malwarebytes Anti-Malware version 1.62.0.1300 (Version: 1.62.0.1300)
Microsoft .NET Framework 1.1 Security Update (KB2656353)
Microsoft .NET Framework 1.1 Security Update (KB2656370)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 1.1 SP1 with KB886903 Hotfix (Version: 1.1.4322)
Microsoft .NET Framework 2.0 Service Pack 2 (Version: 2.2.30729)
Microsoft .NET Framework 3.0 Service Pack 2 (Version: 3.2.30729)
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1 (Version: 3.5.30729)
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Baseline Security Analyzer 2.0 (Version: 2.0.5029.2)
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Small Business Edition 2003 (Version: 11.0.5614.0)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (Version: 9.0.30729.4148)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (Version: 10.0.40219)
Microsoft Windows Journal Viewer (Version: 1.5.2316.0)
MSXML 4.0 SP2 (KB927978) (Version: 4.20.9841.0)
MSXML 4.0 SP2 (KB936181) (Version: 4.20.9848.0)
MSXML 4.0 SP2 (KB954430) (Version: 4.20.9870.0)
MSXML 4.0 SP2 (KB973688) (Version: 4.20.9876.0)
MSXML 6 Service Pack 2 (KB954459) (Version: 6.20.1099.0)
Nero Suite
Philips Songbird (Version: 3.2.1667 (1667))
PocketKnife Peek 1.3 (Version: 1.3)
QNAP NetBak Replicator
REALTEK GbE & FE Ethernet PCI-E NIC Driver (Version: 1.11.0000)
Realtek High Definition Audio Driver (Version: 5.10.0.5449)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707) (Version: 1)
Update for Windows Internet Explorer 7 (KB976749) (Version: 1)
Update for Windows Internet Explorer 7 (KB980182) (Version: 1)
Update for Windows XP (KB2141007) (Version: 1)
Update for Windows XP (KB2345886) (Version: 1)
Update for Windows XP (KB2467659) (Version: 1)
Update for Windows XP (KB2541763) (Version: 1)
Update for Windows XP (KB2607712) (Version: 1)
Update for Windows XP (KB2616676) (Version: 1)
Update for Windows XP (KB2641690) (Version: 1)
Update for Windows XP (KB2718704) (Version: 1)
Update for Windows XP (KB951072-v2) (Version: 2)
Update for Windows XP (KB951978) (Version: 1)
Update for Windows XP (KB955759) (Version: 1)
Update for Windows XP (KB955839) (Version: 1)
Update for Windows XP (KB967715) (Version: 1)
Update for Windows XP (KB968389) (Version: 1)
Update for Windows XP (KB971029) (Version: 1)
Update for Windows XP (KB971737) (Version: 1)
Update for Windows XP (KB973687) (Version: 1)
Update for Windows XP (KB973815) (Version: 1)
ViewSonic Monitor Drivers
WebFldrs XP (Version: 9.50.7523)
Windows Genuine Advantage Notifications (KB905474) (Version: 1.9.0040.0)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Genuine Advantage Validation Tool (KB892130) (Version: 1.7.0069.2)
Windows Imaging Component (Version: 3.0.0.0)
Windows Internet Explorer 7 (Version: 20061017.133151)
Windows Internet Explorer 8 (Version: 20090308.140743)
Windows Media Connect
Windows Media Format 11 runtime
Windows Media Player 10
Windows PowerShell™ 1.0 (Version: 2)
Windows Rights Management Client Backwards Compatibility SP2 (Version: 5.2.70)
Windows Rights Management Client with Service Pack 2 (Version: 5.2.70)
Windows XP Service Pack 3 (Version: 20080414.031525)
XML Paper Specification Shared Components Pack 1.0
Yahoo! Detect

========================= Memory info: ===================================

Percentage of memory in use: 79%
Total physical RAM: 501.42 MB
Available physical RAM: 101.6 MB
Total Pagefile: 1225.39 MB
Available Pagefile: 680.64 MB
Total Virtual: 2047.88 MB
Available Virtual: 1966.09 MB

========================= Partitions: =====================================

2 Drive c: () (Fixed) (Total:74.53 GB) (Free:56.85 GB) NTFS
4 Drive f: () (Network) (Total:232.88 GB) (Free:112.74 GB) NTFS

========================= Users: ========================================

User accounts for \\TILL4

Administrator ASPNET Guest
HelpAssistant SUPPORT_388945a0 User


**** End of log ****



Farbar Service Scanner Version: 06-08-2012
Ran by User (administrator) on 03-09-2012 at 10:25:12
Running from "C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\WAZA9YRU"
Microsoft Windows XP Professional Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Google IP is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============
sharedaccess Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to retrieve start type of sharedaccess. The value does not exist.
Checking ImagePath: ATTENTION!=====> Unable to retrieve ImagePath of sharedaccess. The value does not exist.
Unable to retrieve ServiceDll of sharedaccess. The value does not exist.


Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============
wscsvc Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open wscsvc registry key. The service key does not exist.


Windows Update:
============
wuauserv Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open wuauserv registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open wuauserv registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open wuauserv registry key. The service key does not exist.

BITS Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to open BITS registry key. The service key does not exist.
Checking ImagePath: ATTENTION!=====> Unable to open BITS registry key. The service key does not exist.
Checking ServiceDll: ATTENTION!=====> Unable to open BITS registry key. The service key does not exist.


Windows Autoupdate Disabled Policy:
============================


File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
Gpc(3) IPSec(5) NetBT(6) PSched(7) Tcpip(4)
0x0700000005000000010000000200000003000000040000000600000007000000
IpSec Tag value is correct.

**** End of log ****


# AdwCleaner v2.000 - Logfile created 09/03/2012 at 10:31:46
# Updated 30/08/2012 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : User - TILL4
# Boot Mode : Normal
# Running from : C:\Documents and Settings\User\My Documents\Downloads\adwcleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****


***** [Registry] *****


***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702

Restored : [HKCU\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Restored : [HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Restored : [HKU\S-1-5-18\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Restored : [HKU\S-1-5-19\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]
Restored : [HKU\S-1-5-20\Software\Microsoft\Internet Explorer\SearchScopes - DefaultScope]

-\\ Google Chrome v21.0.1180.83

File : C:\Documents and Settings\User\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[S1].txt - [1134 octets] - [03/09/2012 10:31:46]

########## EOF - C:\AdwCleaner[S1].txt - [1194 octets] ##########



Rkill 2.3.3 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2012 BleepingComputer.com
More Information about Rkill can be found at this link:
http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 09/03/2012 10:43:50 AM in x86 mode.
Windows Version: Microsoft Windows XP Service Pack 3

Checking for Windows services to stop.

* No malware services found to stop.

Checking for processes to terminate.

* No malware processes found to kill.

Checking Registry for malware related settings.

* No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks.
* No issues found.

Checking Windows Service Integrity:

* BITS [Missing Service]
* wscsvc [Missing Service]
* wuauserv [Missing Service]

* SharedAccess [Missing ImagePath]

Searching for Missing Digital Signatures:

* No issues found.

Program finished at: 09/03/2012 10:44:37 AM
Execution time: 0 hours(s), 0 minute(s), and 47 seconds(s)

#11 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • OFFLINE
  • Gender:Male
  • Location:India
  • Local time:07:17 AM

Posted 02 September 2012 - 09:56 PM

Update Malwarebytes, run a scan again and post the clean log

#12 herbaklez

herbaklez
  • Topic Starter

  • Members
  • 76 posts
  • OFFLINE
  • Gender:Male
  • Local time:10:17 PM

Posted 03 September 2012 - 12:46 AM

Malwarebytes Anti-Malware 1.62.0.1300
www.malwarebytes.org

Database version: v2012.09.03.03

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
User :: TILL4 [administrator]

03/09/2012 14:53:20
mbam-log-2012-09-03 (14-53-20).txt

Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 274323
Time elapsed: 38 minute(s), 12 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

Thanks Narenxp

#13 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • OFFLINE
  • Gender:Male
  • Location:India
  • Local time:07:17 AM

Posted 03 September 2012 - 12:53 AM

Download

wscsvc
Sharedaccess
BITS
wuauserv

Launch them, click YES

Restart the PC

Download

TFC


Launch it, it will close all running programs

Click on START, it should ask for reboot

Turn off your system restore, restart the PC, create a new restore point

http://support.microsoft.com/kb/310405

Update your JAVA from here

http://java.com/en/download/inc/windows_upgrade_xpi.jsp

Update your flash player

Update your antivirus frequently, do not click on suspicious links

Safe surfing :)
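A read-only check, added here as an example and not part of the thread, of Rkill or of the downloaded service fixes, that mirrors the "Windows Service Integrity" test in the Rkill log above for the four services the post tells the user to repair. Run it before and after merging the fixes to confirm the keys, ImagePath and (for svchost-hosted services) ServiceDll are back; it assumes PowerShell 2.0 or later and reads the registry only.

```powershell
# Added example: verify the service registry keys that Rkill reported as
# "Missing Service" / "Missing ImagePath". Read-only; it changes nothing.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$services = 'BITS', 'wscsvc', 'wuauserv', 'SharedAccess'   # names from the Rkill log

function Test-ServiceKey {
    param([string]$Name)
    $key = Join-Path $base $Name
    $result = New-Object PSObject -Property @{ Service = $Name; Status = ''; ImagePath = $null; ServiceDll = $null }

    # Rkill's "[Missing Service]": the whole key is gone
    if (-not (Test-Path $key)) { $result.Status = 'Missing Service'; return $result }

    $props = Get-ItemProperty -Path $key
    $result.ImagePath = $props.ImagePath
    # Rkill's "[Missing ImagePath]": key exists but no executable is registered
    if (-not $props.ImagePath) { $result.Status = 'Missing ImagePath'; return $result }

    # Services run inside svchost.exe also need Parameters\ServiceDll
    # (the FSS log above calls this the "ServiceDll" check)
    $paramKey = Join-Path $key 'Parameters'
    if (Test-Path $paramKey) { $result.ServiceDll = (Get-ItemProperty -Path $paramKey).ServiceDll }
    if ($props.ImagePath -match 'svchost\.exe' -and -not $result.ServiceDll) {
        $result.Status = 'Missing ServiceDll'; return $result
    }

    $result.Status = 'OK'
    return $result
}

$services | ForEach-Object { Test-ServiceKey $_ } |
    Select-Object Service, Status, ImagePath, ServiceDll | Format-Table -AutoSize
```

Any row not reporting OK means the corresponding fix still has to be applied (or did not merge), and the service will not appear in services.msc until it is.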

#14 herbaklez

herbaklez
  • Topic Starter

  • Members
  • 76 posts
  • OFFLINE
  • Gender:Male
  • Local time:10:17 PM

Posted 03 September 2012 - 06:16 PM

Hi Narenxp

Windows hung during shutdown after TFC. After 10 mins I forced a reboot

On reboot after turning off system restore, system prompted to install updates. I had earlier cancelled an automatic update of Java, and figured that this was the source of the prompt to install updates. I selected shutdown without installing updates as I hadn't yet done the New restore point.

After restarting and creating the system restore point, I navigated to the Java update link above, but during installation got a message that the lavas_sp.dll file was corrupt. Uncompression of the download file could not occur.

Also tried the Java update from the Java icon in Control Panel with the same result

Hmm...

#15 herbaklez

herbaklez
  • Topic Starter

  • Members
  • 76 posts
  • OFFLINE
  • Gender:Male
  • Local time:10:17 PM

Posted 03 September 2012 - 06:30 PM

Have now successfully updated Java. Version 7, Update 7 build 1.7.0_07-b10

Flash player updated

Avira is up to date, though I'm seriously considering changing to Avast! which we use on a number of other computers.

Hopefully we are all done here.

Thanks so much for your assistance, I don't recall any other bleepingcomputer infection support being anywhere near as quick

Regards,

Herbaklez



