
Just removed Dark Comet RAT using their own remover, still infected with other RAT


33 replies to this topic

#1 adobofosho


  • Members
  • 32 posts

Posted 11 September 2012 - 05:24 PM

Managed to find Dark Comet RAT after using their own remover; svchost.exe seems to be still infected. Mouse moves by itself at times. Being on older XP, I can easily tell when CPU hits 100 percent etc. randomly. Couldn't find much from the scans I did (mbam, sas, tdass, infestedcleaner, and a ton of others), but I can rescan and post logs for you to look at.

Edited by adobofosho, 11 September 2012 - 05:25 PM.




#2 bloopie


    Bleepin' Sith Turner


  • Malware Response Team
  • 7,927 posts
  • Gender:Male
  • Location:New York

Posted 11 September 2012 - 08:35 PM

Hello adobofosho, and welcome back to the MRT forums!

My name is bloopie and I'll be helping you with your problems as best I can!

A few things to keep in mind while we are working together:

  • If you have since resolved the original problem you were having, I would appreciate it if you let me know.
  • If you are unsure about any of the steps just post what you can and I will guide you!
  • Please tell me if you have your original Windows CD/DVD available.
  • If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • Upon completing the steps below I will review your topic and do my best to resolve your issues.

==========

Step 1:
We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

==========

Step 2:
I also need a new log from the GMER anti-rootkit scanner, so please also do the following:

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


==========

Step 3:
Please include the MBAM log from the scan you ran earlier:

  • Open the program (no need to update it yet)
  • Click the Logs button
  • Find the most recent one and double-click it
  • Copy and Paste the log here in your next reply

==========

What I would like to see in your next reply!

  • The DDS log
  • The minimized attach.txt from the DDS scan
  • The GMER log
  • The most recent log from MBAM
bloopie

#3 adobofosho

  • Topic Starter

  • Members
  • 32 posts

Posted 13 September 2012 - 03:30 AM

DDS

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 10.4.1
Run by The Junks at 15:26:27 on 2012-09-12
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.161 [GMT -7:00]
.
AV: Norton Security Suite *Enabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Security Suite *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
d:\Program Files\Sandboxie\SbieSvc.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Program Files\PrivacyKeyboard\akl_svc.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\FolderSize\FolderSizeSvc.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\system32\svchost.exe -k HPService
C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
d:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Norton Security Suite\Engine\5.2.2.3\ccSvcHst.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Documents and Settings\All Users\Application Data\Sidekick Manager\2.2.513.159\{6f06cdeb-5de2-4520-aef2-1aa556ca7a6b}\sskmngr.exe
C:\Documents and Settings\All Users\Application Data\Skype\Toolbars\Skype C2C Service\c2c_service.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
C:\Program Files\Sony\Sony TV Tuner Library\SMceMan.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Documents and Settings\All Users\Application Data\Sidekick Manager\2.2.513.159\{6f06cdeb-5de2-4520-aef2-1aa556ca7a6b}\sskmngr.exe
C:\Program Files\Norton Security Suite\Engine\5.2.2.3\ccSvcHst.exe
C:\Program Files\Sony\Sony TV Tuner Library\RM_SV.exe
C:\Program Files\Logitech\Logitech WebCam Software\LWS.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
D:\Program Files\Rainmeter\Rainmeter.exe
D:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
D:\Program Files\mIRC\mirc.exe
C:\Documents and Settings\The Junks\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\The Junks\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\The Junks\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\The Junks\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\The Junks\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\ghgabhipcejejjmhhchfonmamedcbeod\7.9_0\plugin\ClickClean.exe
C:\Documents and Settings\The Junks\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\The Junks\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\The Junks\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT3227982
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
BHO: IDM integration (IDMIEHlprObj Class): {0055c089-8582-441b-a0bf-17b458c2a3a8} - d:\program files\internet download manager\IDMIECC.dll
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: DivX Plus Web Player HTML5 <video>: {326e768d-4182-46fd-9c16-1449a49795f4} - c:\program files\divx\divx plus web player\ie\divxhtml5\DivXHTML5.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton security suite\engine\5.2.2.3\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton security suite\engine\5.2.2.3\ips\IPSBHO.DLL
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\oracle\javafx 2.1 runtime\bin\ssv.dll
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\oracle\javafx 2.1 runtime\bin\jp2ssv.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton security suite\engine\5.2.2.3\coIEPlg.dll
TB: {0cc09160-108c-4759-bab1-5c12c216e005} - No File
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [AutoStartNPSAgent]
uRun: [ctfmon.exe]
uRun: [Facebook Update]
uRun: [Google Update]
uRun: [SUPERAntiSpyware] d:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\logitech webcam software\LWS.exe" /hide
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [AdobeAAMUpdater-1.0] "c:\program files\common files\adobe\oobe\pdapp\uwa\UpdaterStartupUtility.exe"
mRun: [SwitchBoard] c:\program files\common files\adobe\switchboard\SwitchBoard.exe
mRun: [AdobeCS6ServiceManager] "c:\program files\common files\adobe\cs6servicemanager\CS6ServiceManager.exe" -launchedbylogin
mRun: [Aimersoft Helper Compact.exe] c:\program files\common files\aimersoft\aimersoft helper compact\ASHelper.exe
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSCONFIG.EXE /auto
StartupFolder: c:\docume~1\thejun~1\startm~1\programs\startup\rainme~1.lnk - d:\program files\rainmeter\Rainmeter.exe
uPolicies-explorer: NoInstrumentation = 1 (0x1)
uPolicies-explorer: NoStartMenuNetworkPlaces = 1 (0x1)
IE: Download all links with IDM - d:\program files\internet download manager\IEGetAll.htm
IE: Download with IDM - d:\program files\internet download manager\IEExt.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {41564D57-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/0/A/9/0A9F8B32-9F8C-4D74-A130-E4CAB36EB01F/wmvadvd.cab
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
TCP: Interfaces\{801AA6A6-59D4-4A0A-BE9A-A099283EF8AE} : DhcpNameServer = 75.75.75.75 75.75.76.76
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: GIDLogonXP - GIDLogonXP.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - d:\program files\superantispyware\SASSEH.DLL
mASetup: {9191979D-821C-4EA8-B021-2DA1D859A7C5}-3Reg - c:\program files\sft\guardedid\gidi.exe /v
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\the junks\application data\mozilla\firefox\profiles\ok95auwn.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3227982&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - appbario8 Customized Web Search
FF - prefs.js: browser.startup.homepage - hxxp://search.conduit.com/?ctid=CT3227982&SearchSource=13
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3227982&SearchSource=2&q=
FF - plugin: c:\documents and settings\the junks\local settings\application data\google\update\1.3.21.115\npGoogleUpdate3.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\oracle\javafx 2.1 runtime\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - plugin: c:\windows\system32\npDeployJava1.dll
FF - plugin: c:\windows\system32\npptools.dll
FF - plugin: c:\windows\system32\npwmsdrm.dll
.
============= SERVICES / DRIVERS ===============
.
R0 SonyLSM;LED State Service;c:\windows\system32\drivers\SonyLSM.sys [2003-10-28 4736]
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\n360\0502020.003\symds.sys [2012-7-16 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0502020.003\symefa.sys [2012-7-16 744568]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.0.0.125\definitions\bashdefs\20120905.001\BHDrvx86.sys [2012-8-31 995488]
R1 GIDv2;GIDv2;c:\windows\system32\drivers\gidv2.sys [2011-8-21 25232]
R1 SASKUTIL;SASKUTIL;d:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\n360\0502020.003\ironx86.sys [2012-7-16 136312]
R2 !SASCORE;SAS Core Service;d:\program files\superantispyware\SASCore.exe [2012-7-11 116608]
R2 akl_svc";PrivacyKeyboard Service;d:\program files\privacykeyboard\akl_svc.exe [2011-11-4 66768]
R2 MBAMService;MBAMService;d:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-12-5 655944]
R2 N360;Norton Security Suite;c:\program files\norton security suite\engine\5.2.2.3\ccsvchst.exe [2012-7-16 130008]
R2 Sidekick Manager;Sidekick Manager;c:\documents and settings\all users\application data\sidekick manager\2.2.513.159\{6f06cdeb-5de2-4520-aef2-1aa556ca7a6b}\sskmngr.exe [2012-7-28 1691680]
R2 Skype C2C Service;Skype C2C Service;c:\documents and settings\all users\application data\skype\toolbars\skype c2c service\c2c_service.exe [2012-7-5 3048136]
R3 Dot4Usb HPH09;Dot4Usb HPH09;c:\windows\system32\drivers\hphius09.sys [2011-9-14 18864]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2012-8-8 106656]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.0.0.125\definitions\ipsdefs\20120911.001\IDSXpx86.sys [2012-9-11 373728]
R3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\drivers\ManyCam.sys [2008-1-14 21632]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-6-14 22344]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.0.0.125\definitions\virusdefs\20120912.004\NAVENG.SYS [2012-9-12 92704]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.0.0.125\definitions\virusdefs\20120912.004\NAVEX15.SYS [2012-9-12 1601184]
R3 SbieDrv;SbieDrv;d:\program files\sandboxie\SbieDrv.sys [2011-8-27 129808]
S0 cecp;cecp;c:\windows\system32\drivers\gukn.sys --> c:\windows\system32\drivers\gukn.sys [?]
S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\tffsmon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]
S0 TFSysMon;TfSysMon;c:\windows\system32\drivers\tfsysmon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]
S1 SASDIFSV;SASDIFSV;d:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe [2012-2-2 238952]
S3 FsUsbExDisk;FsUsbExDisk;\??\c:\windows\system32\fsusbexdisk.sys --> c:\windows\system32\FsUsbExDisk.SYS [?]
S3 IDMTDI;IDMTDI;c:\windows\system32\drivers\idmtdi.sys --> c:\windows\system32\drivers\idmtdi.sys [?]
S3 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2011-2-11 35088]
S3 pctNdisMP;PC Tools Driver;c:\windows\system32\drivers\pctndis.sys --> c:\windows\system32\drivers\pctNdis.sys [?]
S3 sscebus;SAMSUNG USB Composite Device V2 driver (WDM);c:\windows\system32\drivers\sscebus.sys [2012-2-2 98560]
S3 sscemdfl;SAMSUNG Mobile Modem V2 Filter;c:\windows\system32\drivers\sscemdfl.sys [2012-2-2 14848]
S3 sscemdm;SAMSUNG Mobile Modem V2 Drivers;c:\windows\system32\drivers\sscemdm.sys [2012-2-2 123648]
S3 SwitchBoard;Adobe SwitchBoard;c:\program files\common files\adobe\switchboard\SwitchBoard.exe [2010-2-19 517096]
S3 SynasUSB;SynasUSB;c:\windows\system32\drivers\synasusb.sys --> c:\windows\system32\drivers\SynasUSB.sys [?]
S3 teamviewervpn;TeamViewer VPN Adapter;c:\windows\system32\drivers\teamviewervpn.sys [2012-3-12 25088]
S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\tfnetmon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]
S3 TMPassthruMP;TMPassthruMP;c:\windows\system32\drivers\tmpassthru.sys --> c:\windows\system32\drivers\TMPassthru.sys [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2012-09-10 01:10:33 -------- d-----w- c:\documents and settings\the junks\application data\SUPERAntiSpyware.com
2012-09-10 01:10:17 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-09-10 01:10:17 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com
2012-09-09 10:00:37 -------- d-----w- C:\TDSSKiller_Quarantine
2012-09-09 09:44:56 -------- d-----w- C:\VulcanQuarantine
2012-08-18 02:46:21 -------- d-----w- c:\documents and settings\the junks\application data\Digiarty
2012-08-17 23:22:44 497664 ----a-w- c:\windows\system32\ac3filter.acm
.
==================== Find3M ====================
.
2012-07-29 02:26:46 558133 ----a-w- c:\windows\system32\sqlite3.dll
2012-07-06 13:58:51 78336 ----a-w- c:\windows\system32\browser.dll
2012-07-04 14:05:18 139784 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-07-03 20:46:44 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-07-03 13:40:15 1866112 ----a-w- c:\windows\system32\win32k.sys
2012-07-02 17:49:33 916992 ----a-w- c:\windows\system32\wininet.dll
2012-07-02 17:49:32 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-07-02 17:49:32 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-07-02 12:05:43 385024 ----a-w- c:\windows\system32\html.iec
2003-07-30 12:00:00 94784 -csh--w- c:\windows\twain.dll
2008-04-14 12:42:08 50688 -csh--w- c:\windows\twain_32.dll
2011-02-08 13:33:55 978944 -csh--w- c:\windows\system32\mfc42.dll
2008-04-14 12:42:02 57344 -csh--w- c:\windows\system32\msvcirt.dll
2010-12-20 17:32:15 551936 --sh--w- c:\windows\system32\oleaut32.dll
2008-04-14 12:42:34 11776 -csh--w- c:\windows\system32\regsvr32.exe
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600
.
CreateFile("\\.\PHYSICALDRIVE0"): The process cannot access the file because it is being used by another process.
device: opened successfully
user: error reading MBR
.
Disk trace:
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
user != kernel MBR !!!
.
============= FINISH: 15:32:34.89 ===============
GMER

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-09-12 17:11:44
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 rev.
Running: dcwot4ei.exe; Driver: D:\Temp\pwtdapog.sys


---- System - GMER 1.0.15 ----

SSDT 89144938 ZwAlertResumeThread
SSDT 8A616340 ZwAlertThread
SSDT 89891E98 ZwAllocateVirtualMemory
SSDT 89143470 ZwAssignProcessToJobObject
SSDT 89FDB428 ZwConnectPort
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xB48D1710]
SSDT 891725C0 ZwCreateMutant
SSDT 89143290 ZwCreateSymbolicLinkObject
SSDT 89852E60 ZwCreateThread
SSDT 891436D8 ZwDebugActiveProcess
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteKey [0xB48D1990]
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xB48D1EF0]
SSDT 89875178 ZwDuplicateObject
SSDT 89861E60 ZwFreeVirtualMemory
SSDT 89172690 ZwImpersonateAnonymousToken
SSDT 89144878 ZwImpersonateThread
SSDT 89FD8C10 ZwLoadDriver
SSDT 898E3240 ZwMapViewOfSection
SSDT 891826E0 ZwOpenEvent
SSDT 8989D168 ZwOpenProcess
SSDT 8A5F7B68 ZwOpenProcessToken
SSDT 891438E0 ZwOpenSection
SSDT 898AE178 ZwOpenThread
SSDT 89143380 ZwProtectVirtualMemory
SSDT 8A67B808 ZwResumeThread
SSDT 8A610E00 ZwSetContextThread
SSDT 89895670 ZwSetInformationProcess
SSDT 891437B8 ZwSetSystemInformation
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xB48D2140]
SSDT 89182600 ZwSuspendProcess
SSDT 8A61CBA0 ZwSuspendThread
SSDT \??\D:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xB4540640]
SSDT 8A618378 ZwTerminateThread
SSDT 8A5F7C40 ZwUnmapViewOfSection
SSDT 89246E60 ZwWriteVirtualMemory

INT 0x01 \??\D:\Temp\mbr.sys B8B5AC42

Code F7A66C9C ZwRequestPort
Code F7A66D3C ZwRequestWaitReplyPort
Code F7A66BFC ZwTraceEvent
Code F7A66C9B NtRequestPort
Code F7A66D3B NtRequestWaitReplyPort
Code F7A66BFB NtTraceEvent

---- Kernel code sections - GMER 1.0.15 ----

? 94164399.sys The system cannot find the file specified. !
? SYMDS.SYS The system cannot find the file specified. !
? SYMEFA.SYS The system cannot find the file specified. !
? D:\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Documents and Settings\The Junks\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[524] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, 00, 34, 00] {SUB [EAX], AL; XOR AL, 0x0}
.text C:\Documents and Settings\The Junks\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[524] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2]
.text C:\Documents and Settings\The Junks\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[524] ntdll.dll!NtMapViewOfSection + 6 7C90D524 1 Byte [28]
.text C:\Documents and Settings\The Junks\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[524] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, 03, 34, 00] {SUB [EBX], AL; XOR AL, 0x0}
.text C:\Documents and Settings\The Junks\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[524] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2]
.text C:\Documents and Settings\The Junks\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[524] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, 00, 34, 00]
.text C:\Documents and Settings\The Junks\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[524] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2]
.text C:\Documents and Settings\The Junks\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[524] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, 01, 34, 00] {TEST AL, 0x1; XOR AL, 0x0}
.text C:\Documents and Settings\The Junks\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[524] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2]
.text C:\Documents and Settings\The Junks\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[524] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B910A1A
.text C:\Documents and Settings\The Junks\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[524] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2]
.text C:\Documents and Settings\The Junks\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[524] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, 02, 34, 00] {TEST AL, 0x2; XOR AL, 0x0}
.text C:\Documents and Settings\The Junks\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[524] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2]
.text C:\Documents and Settings\The Junks\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[524] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, 01, 34, 00]
.text C:\Documents and Settings\The Junks\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[524] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2]
.text C:\Documents and Settings\The Junks\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[524] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, 02, 34, 00]
.text C:\Documents and Settings\The Junks\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[524] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2]
.text C:\Documents and Settings\The Junks\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[524] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes CALL 7B910A8B
.text C:\Documents and Settings\The Junks\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[524] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2]
.text C:\Documents and Settings\The Junks\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[524] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, 00, 34, 00] {TEST AL, 0x0; XOR AL, 0x0}
.text C:\Documents and Settings\The Junks\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[524] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2]
.text C:\Documents and Settings\The Junks\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[524] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D7B4 4 Bytes CALL 7B910BB9
.text C:\Documents and Settings\The Junks\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[524] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2]
.text C:\Documents and Settings\The Junks\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[524] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, 01, 34, 00] {SUB [ECX], AL; XOR AL, 0x0}
.text C:\Documents and Settings\The Junks\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[524] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2]
.text C:\Documents and Settings\The Junks\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[524] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, 02, 34, 00] {SUB [EDX], AL; XOR AL, 0x0}
.text C:\Documents and Settings\The Junks\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[524] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2]
.text C:\Documents and Settings\The Junks\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[524] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 1 Byte [68]
.text C:\Documents and Settings\The Junks\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[524] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, 03, 34, 00]
.text C:\Documents and Settings\The Junks\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[524] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2]
.text C:\Documents and Settings\The Junks\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[552] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, 00, 2B, 00] {SUB [EAX], AL; SUB EAX, [EAX]}
.text C:\Documents and Settings\The Junks\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[552] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2]
.text C:\Documents and Settings\The Junks\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[552] ntdll.dll!NtMapViewOfSection + 6 7C90D524 1 Byte [28]
.text C:\Documents and Settings\The Junks\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[552] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, 03, 2B, 00] {SUB [EBX], AL; SUB EAX, [EAX]}
.text C:\Documents and Settings\The Junks\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[552] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2]
.text C:\Documents and Settings\The Junks\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[552] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, 00, 2B, 00]
.text C:\Documents and Settings\The Junks\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[552] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2]
.text C:\Documents and Settings\The Junks\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[552] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, 01, 2B, 00] {TEST AL, 0x1; SUB EAX, [EAX]}
.text C:\Documents and Settings\The Junks\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[552] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2]
.text C:\Documents and Settings\The Junks\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[552] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B91011A
.text C:\Documents and Settings\The Junks\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[552] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2]
.text C:\Documents and Settings\The Junks\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[552] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, 02, 2B, 00] {TEST AL, 0x2; SUB EAX, [EAX]}
.text C:\Documents and Settings\The Junks\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[552] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2]
.text C:\Documents and Settings\The Junks\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[552] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, 01, 2B, 00]
.text C:\Documents and Settings\The Junks\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[552] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2]
.text C:\Documents and Settings\The Junks\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[552] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, 02, 2B, 00]
.text C:\Documents and Settings\The Junks\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[552] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2]
.text C:\Documents and Settings\The Junks\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[552] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes CALL 7B91018B
.text C:\Documents and Settings\The Junks\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[552] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2]
.text C:\Documents and Settings\The Junks\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[552] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, 00, 2B, 00] {TEST AL, 0x0; SUB EAX, [EAX]}
.text C:\Documents and Settings\The Junks\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[552] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2]
.text C:\Documents and Settings\The Junks\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[552] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D7B4 4 Bytes CALL 7B9102B9
.text C:\Documents and Settings\The Junks\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[552] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2]
.text C:\Documents and Settings\The Junks\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[552] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, 01, 2B, 00] {SUB [ECX], AL; SUB EAX, [EAX]}
.text C:\Documents and Settings\The Junks\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[552] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2]
.text C:\Documents and Settings\The Junks\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[552] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, 02, 2B, 00] {SUB [EDX], AL; SUB EAX, [EAX]}
.text C:\Documents and Settings\The Junks\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[552] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2]
.text C:\Documents and Settings\The Junks\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[552] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 1 Byte [68]
.text C:\Documents and Settings\The Junks\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[552] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, 03, 2B, 00]
.text C:\Documents and Settings\The Junks\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[552] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2]
.text C:\Documents and Settings\The Junks\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2176] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, 00, 1E, 00]
.text C:\Documents and Settings\The Junks\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2176] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2]
.text C:\Documents and Settings\The Junks\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2176] ntdll.dll!NtMapViewOfSection + 6 7C90D524 1 Byte [28]
.text C:\Documents and Settings\The Junks\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2176] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, 03, 1E, 00]
.text C:\Documents and Settings\The Junks\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2176] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2]
.text C:\Documents and Settings\The Junks\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2176] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, 00, 1E, 00]
.text C:\Documents and Settings\The Junks\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2176] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2]
.text C:\Documents and Settings\The Junks\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2176] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, 01, 1E, 00]
.text C:\Documents and Settings\The Junks\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2176] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2]
.text C:\Documents and Settings\The Junks\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2176] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B90F41A
.text C:\Documents and Settings\The Junks\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2176] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2]
.text C:\Documents and Settings\The Junks\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2176] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, 02, 1E, 00]
.text C:\Documents and Settings\The Junks\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2176] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2]
.text C:\Documents and Settings\The Junks\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2176] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, 01, 1E, 00]
.text C:\Documents and Settings\The Junks\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2176] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2]
.text C:\Documents and Settings\The Junks\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2176] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, 02, 1E, 00]
.text C:\Documents and Settings\The Junks\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2176] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2]
.text C:\Documents and Settings\The Junks\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2176] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes CALL 7B90F48B
.text C:\Documents and Settings\The Junks\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2176] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2]
.text C:\Documents and Settings\The Junks\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2176] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, 00, 1E, 00]
.text C:\Documents and Settings\The Junks\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2176] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2]
.text C:\Documents and Settings\The Junks\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2176] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D7B4 4 Bytes CALL 7B90F5B9
.text C:\Documents and Settings\The Junks\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2176] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2]
.text C:\Documents and Settings\The Junks\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2176] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, 01, 1E, 00]
.text C:\Documents and Settings\The Junks\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2176] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2]
.text C:\Documents and Settings\The Junks\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2176] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, 02, 1E, 00]
.text C:\Documents and Settings\The Junks\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2176] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2]
.text C:\Documents and Settings\The Junks\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2176] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 1 Byte [68]
.text C:\Documents and Settings\The Junks\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2176] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, 03, 1E, 00]
.text C:\Documents and Settings\The Junks\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2176] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2]
.text C:\Documents and Settings\The Junks\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2280] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, 00, 55, 00]
.text C:\Documents and Settings\The Junks\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2280] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2]
.text C:\Documents and Settings\The Junks\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2280] ntdll.dll!NtMapViewOfSection + 6 7C90D524 1 Byte [28]
.text C:\Documents and Settings\The Junks\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2280] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, 03, 55, 00]
.text C:\Documents and Settings\The Junks\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2280] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2]
.text C:\Documents and Settings\The Junks\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2280] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, 00, 55, 00]
.text C:\Documents and Settings\The Junks\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2280] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2]
.text C:\Documents and Settings\The Junks\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2280] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, 01, 55, 00]
.text C:\Documents and Settings\The Junks\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2280] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2]
.text C:\Documents and Settings\The Junks\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2280] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B912B1A
.text C:\Documents and Settings\The Junks\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2280] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2]
.text C:\Documents and Settings\The Junks\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2280] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, 02, 55, 00]
.text C:\Documents and Settings\The Junks\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2280] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2]
.text C:\Documents and Settings\The Junks\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2280] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, 01, 55, 00]
.text C:\Documents and Settings\The Junks\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2280] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2]
.text C:\Documents and Settings\The Junks\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2280] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, 02, 55, 00]
.text C:\Documents and Settings\The Junks\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2280] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2]
.text C:\Documents and Settings\The Junks\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2280] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes CALL 7B912B8B
.text C:\Documents and Settings\The Junks\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2280] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2]
.text C:\Documents and Settings\The Junks\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2280] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, 00, 55, 00]
.text C:\Documents and Settings\The Junks\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2280] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2]
.text C:\Documents and Settings\The Junks\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2280] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D7B4 4 Bytes CALL 7B912CB9
.text C:\Documents and Settings\The Junks\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2280] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2]
.text C:\Documents and Settings\The Junks\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2280] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, 01, 55, 00]
.text C:\Documents and Settings\The Junks\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2280] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2]
.text C:\Documents and Settings\The Junks\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2280] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, 02, 55, 00]
.text C:\Documents and Settings\The Junks\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2280] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2]
.text C:\Documents and Settings\The Junks\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2280] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 1 Byte [68]
.text C:\Documents and Settings\The Junks\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2280] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, 03, 55, 00]
.text C:\Documents and Settings\The Junks\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2280] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2]
.text C:\Documents and Settings\The Junks\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2812] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, 00, 55, 00]
.text C:\Documents and Settings\The Junks\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2812] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2]
.text C:\Documents and Settings\The Junks\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2812] ntdll.dll!NtMapViewOfSection + 6 7C90D524 1 Byte [28]
.text C:\Documents and Settings\The Junks\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2812] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, 03, 55, 00]
.text C:\Documents and Settings\The Junks\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2812] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2]
.text C:\Documents and Settings\The Junks\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2812] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, 00, 55, 00]
.text C:\Documents and Settings\The Junks\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2812] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2]
.text C:\Documents and Settings\The Junks\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2812] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, 01, 55, 00]
.text C:\Documents and Settings\The Junks\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2812] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2]
.text C:\Documents and Settings\The Junks\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2812] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B912B1A
.text C:\Documents and Settings\The Junks\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2812] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2]
.text C:\Documents and Settings\The Junks\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2812] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, 02, 55, 00]
.text C:\Documents and Settings\The Junks\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2812] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2]
.text C:\Documents and Settings\The Junks\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2812] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, 01, 55, 00]
.text C:\Documents and Settings\The Junks\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2812] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2]
.text C:\Documents and Settings\The Junks\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2812] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, 02, 55, 00]
.text C:\Documents and Settings\The Junks\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2812] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2]
.text C:\Documents and Settings\The Junks\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2812] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes CALL 7B912B8B
.text C:\Documents and Settings\The Junks\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2812] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2]
.text C:\Documents and Settings\The Junks\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2812] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, 00, 55, 00]
.text C:\Documents and Settings\The Junks\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2812] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2]
.text C:\Documents and Settings\The Junks\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2812] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D7B4 4 Bytes CALL 7B912CB9
.text C:\Documents and Settings\The Junks\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2812] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2]
.text C:\Documents and Settings\The Junks\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2812] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, 01, 55, 00]
.text C:\Documents and Settings\The Junks\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2812] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2]
.text C:\Documents and Settings\The Junks\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2812] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, 02, 55, 00]
.text C:\Documents and Settings\The Junks\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2812] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2]
.text C:\Documents and Settings\The Junks\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2812] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 1 Byte [68]
.text C:\Documents and Settings\The Junks\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2812] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, 03, 55, 00]
.text C:\Documents and Settings\The Junks\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[2812] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2]

---- Devices - GMER 1.0.15 ----

Device Ntfs.sys (NT File System Driver/Microsoft Corporation)
Device Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \FileSystem\81711307 \Device\KLMD13082012_208040_B 94164399.sys

AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@RequireSignedAppInit_DLLs 1
Reg HKLM\SOFTWARE\Classes\CLSID\{1fab6ff5-f54d-4008-9464-006a9e13b955}@Model 151
Reg HKLM\SOFTWARE\Classes\CLSID\{1fab6ff5-f54d-4008-9464-006a9e13b955}@Therad 21
Reg HKLM\SOFTWARE\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}@scansk 0x60 0xC1 0x48 0xEE ...

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior

---- EOF - GMER 1.0.15 ----

MBAM

Malwarebytes Anti-Malware (PRO) 1.65.0.1400
www.malwarebytes.org

Database version: v2012.09.12.07

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
The Junks :: LENNIE [limited]

Protection: Disabled

9/12/2012 6:05:08 PM
mbam-log-2012-09-12 (19-15-24).txt

Scan type: Full scan (C:\|D:\|G:\|N:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 377494
Time elapsed: 1 hour(s), 9 minute(s), 55 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 4
D:\Program Files\mIRC\Invision\Stdio.dll (Trojan.Agent.H) -> No action taken.
D:\Program Files\mkp4.1\mkp.exe (Trojan.Pirminay) -> No action taken.
D:\Program Files\mkp4.1\Windebug.exe (Trojan.Pirminay) -> No action taken.
D:\Program Files\hi-res mugen\winmugen.exe (Trojan.Pirminay) -> No action taken.

(end)

I'm pretty sure the last 4 files are false positives:
1st with the IRC client
3 others with the game called M.U.G.E.N., although it never picked up on MBAM before, so I found that weird.

#4 adobofosho
  • Topic Starter
  • Members
  • 32 posts

Posted 13 September 2012 - 04:01 AM

referring to the mbam

Edited by adobofosho, 13 September 2012 - 04:03 AM.


#5 bloopie
    Bleepin' Sith Turner
  • Malware Response Team
  • 7,927 posts
  • Gender:Male
  • Location:New York

Posted 13 September 2012 - 12:18 PM

Hi again,

Those detections found by MBAM were also in the "D:" drive. Do you have multiple partitions on your hard drive?

Please tell me if you have your original Windows CD/DVD available.

You have not yet responded to this. :)

==========

Let's look at what TDSSKiller has found in a previous run:

:step1:
  • Please download TDSS Qlook and save it to your desktop.
  • Double-click the program and run it.
  • Type the letter A and press ENTER.
  • A logfile will open (TDSSQ.txt). Please copy and paste the contents of that logfile into your next reply.

==========

:step2:

  • Double click ListParts.exe to launch the program.
  • Press the Scan button.
  • When finished scanning it will make a log Result.txt on your Desktop.
  • Please post me the contents of the log.

==========

:step3:
Please download aswMBR ( 4.5MB ) to your desktop.
  • Double click the aswMBR.exe icon, and click Run.
  • When asked if you'd like to "download the latest Avast! virus definitions", click Yes.
  • Click the Scan button to start the scan.
  • On completion of the scan, click the save log button, save it to your desktop, then copy and paste it in your next reply.

==========

Please post all three logs in your next reply!

bloopie

Edited by bloopie, 13 September 2012 - 12:35 PM.


#6 adobofosho
  • Topic Starter
  • Members
  • 32 posts

Posted 13 September 2012 - 02:22 PM

No Windows CD.
Don't think I have multiple partitions.


TDSSKiller Quarantine Information log
TDSS Qlook Version 1.0.0.5 - The Junks - Thu 09/13/2012 - 11:50:55.04.
Microsoft Windows XP Professional 5.1.2600 Service Pack 3
***** START SCAN Thu 09/13/2012 11:50:56.46 *****

---------- TDSSKiller logs ----------

TDSSKiller.2.8.8.0_09.09.2012_02.50.05_log.txt
TDSSKiller.2.8.8.0_09.09.2012_03.03.56_log.txt

---------- TDSSStarter logs ----------


---------- DIR LIST ----------

C:\TDSSKiller_Quarantine\09.09.2012_02.50.07
C:\TDSSKiller_Quarantine\09.09.2012_02.50.07\susp0000
C:\TDSSKiller_Quarantine\09.09.2012_02.50.07\susp0000\object.ini
C:\TDSSKiller_Quarantine\09.09.2012_02.50.07\susp0000\svc0000
C:\TDSSKiller_Quarantine\09.09.2012_02.50.07\susp0000\svc0000\object.ini
C:\TDSSKiller_Quarantine\09.09.2012_02.50.07\susp0000\svc0000\tsk0000.dta
C:\TDSSKiller_Quarantine\09.09.2012_02.50.07\susp0000\svc0000\tsk0000.ini

---------- INI FILES ----------

=== C:\TDSSKiller_Quarantine\09.09.2012_02.50.07\susp0000\object.ini

[InfectedObject]
Verdict: UnsignedFile.Multi.Generic


=== C:\TDSSKiller_Quarantine\09.09.2012_02.50.07\susp0000\svc0000\object.ini

[InfectedObject]
Type: Service
Name: FsUsbExDisk
Type: Kernel driver (0x1)
Start: Demand (0x3)
ImagePath: \??\C:\WINDOWS\system32\FsUsbExDisk.SYS


=== C:\TDSSKiller_Quarantine\09.09.2012_02.50.07\susp0000\svc0000\tsk0000.ini

[InfectedFile]
Type: Raw image
Src: C:\WINDOWS\system32\FsUsbExDisk.SYS
md5: CBE5F69A5E5B918225F420BA748F3742


***** END SCAN Thu 09/13/2012 11:50:57.10 *****
ListParts by Farbar Version: 10-08-2012
Ran by The Junks (administrator) on 13-09-2012 at 11:51:36
Windows XP (X86)
Running From: C:\Documents and Settings\The Junks\Desktop
Language: 0409
************************************************************

========================= Memory info ======================

Percentage of memory in use: 55%
Total physical RAM: 2047.36 MB
Available physical RAM: 901.88 MB
Total Pagefile: 1896.78 MB
Available Pagefile: 769.48 MB
Total Virtual: 2047.88 MB
Available Virtual: 1994.86 MB

======================= Partitions =========================

2 Drive c: () (Fixed) (Total:15.01 GB) (Free:1.5 GB) NTFS ==>[Drive with boot components (Windows XP)]
3 Drive d: (Local Disk) (Fixed) (Total:168.9 GB) (Free:17.88 GB) NTFS
6 Drive g: () (Fixed) (Total:6.01 GB) (Free:0.95 GB) NTFS
12 Drive n: () (Removable) (Total:3.73 GB) (Free:3.73 GB) FAT32

Disk ### Status Size Free Dyn Gpt
-------- ---------- ------- ------- --- ---
Disk 0 Online 190 GB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 6150 MB 32 KB
Partition 2 Primary 15 GB 6150 MB
Partition 3 Extended 169 GB 21 GB
Partition 4 Logical 169 GB 21 GB
======================================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 G NTFS Partition 6150 MB Healthy
======================================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 C NTFS Partition 15 GB Healthy System (partition with boot components)
======================================================================================================

Disk: 0
Partition 4
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 D Local Disk NTFS Partition 169 GB Healthy
======================================================================================================

****** End Of Log ******

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-09-13 12:11:27
-----------------------------
12:11:27.703 OS Version: Windows 5.1.2600 Service Pack 3
12:11:27.703 Number of processors: 2 586 0x209
12:11:27.703 ComputerName: LENNIE UserName:
12:11:27.859 Initialize success
12:11:41.296 AVAST engine defs: 12091300
12:11:46.937 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
12:11:46.953 Disk 0 Vendor: Size: 0MB BusType: 0
12:11:46.968 Disk 1 \Device\Harddisk1\DR4 -> \Device\0000008c
12:11:46.984 Disk 1 Vendor: Size: 0MB BusType: 0
12:11:47.031 Disk 0 MBR read successfully
12:11:47.046 Disk 0 MBR scan
12:11:47.109 Disk 0 Windows XP default MBR code
12:11:47.140 Disk 0 MBR hidden
12:11:47.156 Disk 0 Partition 1 00 07 HPFS/NTFS NTFS 6149 MB offset 63
12:11:47.203 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 15366 MB offset 12594960
12:11:47.218 Disk 0 Partition - 00 0F Extended LBA 172957 MB offset 44066295
12:11:47.265 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 172957 MB offset 44066358
12:11:47.328 Disk 0 scanning C:\WINDOWS\system32\drivers
12:12:07.484 Service scanning
12:12:33.515 Modules scanning
12:12:39.890 Disk 0 trace - called modules:
12:12:39.921 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
12:12:39.937 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a902ab8]
12:12:39.968 3 CLASSPNP.SYS[f7657fd7] -> nt!IofCallDriver -> \Device\00000078[0x8a948510]
12:12:39.984 5 ACPI.sys[f75ae620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x8a947940]
12:12:40.156 AVAST engine scan C:\WINDOWS
12:12:46.359 AVAST engine scan C:\WINDOWS\system32
12:16:39.062 AVAST engine scan C:\WINDOWS\system32\drivers
12:16:55.890 AVAST engine scan C:\Documents and Settings\The Junks
12:18:38.250 AVAST engine scan C:\Documents and Settings\All Users
12:21:06.953 Scan finished successfully
12:22:24.625 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\The Junks\Desktop\MBR.dat"
12:22:24.656 The log file has been saved successfully to "C:\Documents and Settings\The Junks\Desktop\aswMBR.txt"

#7 bloopie
    Bleepin' Sith Turner
  • Malware Response Team
  • 7,927 posts
  • Gender:Male
  • Location:New York

Posted 13 September 2012 - 03:34 PM

Hi again,

Those last logs aren't showing much, but I was concerned about the Gmer log:

Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior

And some other lines as well.

Step :step1:
Run a new scan with TDSSKiller using these instructions:

Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan.
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    Note: If Cure is not an option, choose Skip instead; do not choose Delete unless instructed.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.


After you get the log from TDSSKiller, then:

==========

Let's take out the big guns:

Step 2:
Run Combofix

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this, you can find out >here< or >here<.

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
  • Close any open browsers or any other programs that are open.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Double-click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you at C:\Combofix.txt. Please include that in your next reply.

Note 1: Do not mouse-click ComboFix's window while it's running; that may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." please restart the computer.

==========

In your next reply, please provide:

  • The new TDSSKiller log
  • The ComboFix log

bloopie
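The worry in the post above is sector 0 of the disk, the MBR: aswMBR saved a copy of it to MBR.dat earlier in the thread, and TDSSKiller prints the partition table it reads in its drive summary. As an added example (not part of this thread and not code from either tool), here is a Python script that decodes a raw 512-byte MBR and cross-checks its partition slots against the entries a TDSSKiller-style log reports, flagging slots the scanner did not list, entries whose values differ, and overlapping ranges. The sample log lines and the synthetic MBR bytes are constructed for the example (the lines follow the format of TDSSKiller's drive summary); the `Partition` class and all function names are assumptions of this example, not either tool's API.

```python
import re
import struct
from dataclasses import dataclass

MBR_SIZE = 512
PART_TABLE_OFFSET = 446
# status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
ENTRY_FMT = "<B3xB3xII"
BOOT_SIGNATURE = b"\x55\xaa"


@dataclass(frozen=True)
class Partition:
    index: int          # 1-based slot in the four-entry MBR table
    type_id: int        # partition type byte (0x07 = NTFS/HPFS, 0x0C = FAT32 LBA)
    start_lba: int
    block_count: int


def parse_mbr(data: bytes) -> list[Partition]:
    """Decode the used slots of a raw 512-byte MBR (e.g. the MBR.dat that aswMBR saves)."""
    if len(data) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(data)}")
    if data[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for slot in range(4):
        _status, type_id, start, count = struct.unpack_from(
            ENTRY_FMT, data, PART_TABLE_OFFSET + 16 * slot)
        if type_id != 0:                 # type 0x00 marks an unused slot
            parts.append(Partition(slot + 1, type_id, start, count))
    return parts


# Matches the "\Device\...\PartitionN: MBR, Type 0x7, StartLBA ..., BlocksNum ..." lines
# of a TDSSKiller drive summary.
LOG_LINE = re.compile(
    r"\\Partition(\d+): MBR, Type (0x[0-9A-Fa-f]+), "
    r"StartLBA (0x[0-9A-Fa-f]+), BlocksNum (0x[0-9A-Fa-f]+)")


def parse_scanner_log(text: str) -> list[Partition]:
    """Pull the MBR partition entries out of a TDSSKiller-style log."""
    return [Partition(int(m[1]), int(m[2], 16), int(m[3], 16), int(m[4], 16))
            for m in LOG_LINE.finditer(text)]


def find_discrepancies(on_disk: list[Partition], in_log: list[Partition]) -> list[str]:
    """Report slots that differ between the raw MBR and the scanner's view, plus overlaps."""
    problems = []
    disk = {p.index: p for p in on_disk}
    log = {p.index: p for p in in_log}
    for idx in sorted(disk.keys() | log.keys()):
        if idx not in log:
            problems.append(f"slot {idx} is in the MBR but the scanner did not report it")
        elif idx not in disk:
            problems.append(f"slot {idx} was reported by the scanner but is empty in the MBR")
        elif disk[idx] != log[idx]:
            problems.append(f"slot {idx} differs: MBR={disk[idx]} log={log[idx]}")
    ordered = sorted(on_disk, key=lambda p: p.start_lba)
    for a, b in zip(ordered, ordered[1:]):
        if a.start_lba + a.block_count > b.start_lba:
            problems.append(f"slot {a.index} overlaps slot {b.index}")
    return problems


def build_mbr(parts: list[Partition], boot_code: bytes = b"\x00" * PART_TABLE_OFFSET) -> bytes:
    """Assemble a synthetic MBR for testing; the boot code is constructed, not taken from any disk."""
    table = bytearray(64)
    for p in parts:
        struct.pack_into(ENTRY_FMT, table, 16 * (p.index - 1),
                         0x00, p.type_id, p.start_lba, p.block_count)
    return boot_code + bytes(table) + BOOT_SIGNATURE


# Constructed sample: drive-summary lines in the format TDSSKiller prints.
SAMPLE_LOG = r"""
15:20:12.0937 3124 \Device\Harddisk0\DR0:
15:20:12.0937 3124 MBR partitions:
15:20:12.0937 3124 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0xC02ED1
15:20:12.0937 3124 \Device\Harddisk0\DR0\Partition2: MBR, Type 0x7, StartLBA 0xC02F10, BlocksNum 0x1E036E7
15:20:12.0953 3124 \Device\Harddisk0\DR0\Partition3: MBR, Type 0x7, StartLBA 0x2A06636, BlocksNum 0x151CECA2
"""


def check_clean_and_tampered() -> tuple[list[str], list[str]]:
    """Compare the log against a matching MBR, then against one with an extra, unreported slot."""
    reported = parse_scanner_log(SAMPLE_LOG)
    clean = find_discrepancies(parse_mbr(build_mbr(reported)), reported)
    # Constructed tamper case: a fourth entry in the slot the scanner never listed.
    hidden = Partition(4, 0x7, 0x17BD8000, 0x800)
    tampered = find_discrepancies(parse_mbr(build_mbr(reported + [hidden])), reported)
    return clean, tampered


if __name__ == "__main__":
    clean, tampered = check_clean_and_tampered()
    print("clean MBR:", clean or "no discrepancies")
    print("tampered MBR:", tampered)
```

To run it against a real dump, read MBR.dat with `open(path, "rb").read()` and pass the bytes to `parse_mbr`, and pass the saved TDSSKiller log text to `parse_scanner_log`; an empty list from `find_discrepancies` means the partition table the scanner sees matches what is actually on sector 0. The check only covers the partition table and boot signature; it says nothing about the 446 bytes of boot code, which is where a bootkit would live, so treat it as one corroborating check, not a verdict.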

#8 adobofosho

  • Topic Starter

  • Members
  • 32 posts
  • Local time:08:30 AM

Posted 14 September 2012 - 03:56 AM

ComboFix 12-09-13.03 - The Junks 09/14/2012 1:32:50.16.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1287 [GMT -7:00]
Running from: D:\Program Files\Combofix\ComboFix.exe
AV: Norton Security Suite *Disabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Security Suite *Disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}


15:20:10.0531 3124 TDSS rootkit removing tool 2.8.8.0 Aug 24 2012 13:27:48
15:20:11.0406 3124 ============================================================
15:20:11.0406 3124 Current date / time: 2012/09/13 15:20:11.0406
15:20:11.0406 3124 SystemInfo:
15:20:11.0406 3124
15:20:11.0406 3124 OS Version: 5.1.2600 ServicePack: 3.0
15:20:11.0406 3124 Product type: Workstation
15:20:11.0406 3124 ComputerName: LENNIE
15:20:11.0406 3124 UserName: The Junks
15:20:11.0406 3124 Windows directory: C:\WINDOWS
15:20:11.0406 3124 System windows directory: C:\WINDOWS
15:20:11.0406 3124 Processor architecture: Intel x86
15:20:11.0406 3124 Number of processors: 2
15:20:11.0406 3124 Page size: 0x1000
15:20:11.0406 3124 Boot type: Normal boot
15:20:11.0406 3124 ============================================================
15:20:12.0890 3124 Drive \Device\Harddisk0\DR0 - Size: 0x2F7B100000 (189.92 Gb), SectorSize: 0x200, Cylinders: 0x60D8, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
15:20:12.0937 3124 Drive \Device\Harddisk5\DR8 - Size: 0xEF000000 (3.73 Gb), SectorSize: 0x200, Cylinders: 0x1E7, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'W'
15:20:12.0937 3124 ============================================================
15:20:12.0937 3124 \Device\Harddisk0\DR0:
15:20:12.0937 3124 MBR partitions:
15:20:12.0937 3124 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0xC02ED1
15:20:12.0937 3124 \Device\Harddisk0\DR0\Partition2: MBR, Type 0x7, StartLBA 0xC02F10, BlocksNum 0x1E036E7
15:20:12.0953 3124 \Device\Harddisk0\DR0\Partition3: MBR, Type 0x7, StartLBA 0x2A06636, BlocksNum 0x151CECA2
15:20:12.0953 3124 \Device\Harddisk5\DR8:
15:20:12.0953 3124 MBR partitions:
15:20:12.0953 3124 \Device\Harddisk5\DR8\Partition1: MBR, Type 0xC, StartLBA 0x30, BlocksNum 0x777FD0
15:20:12.0953 3124 ============================================================
15:20:12.0984 3124 C: <-> \Device\Harddisk0\DR0\Partition2
15:20:13.0000 3124 D: <-> \Device\Harddisk0\DR0\Partition3
15:20:13.0000 3124 G: <-> \Device\Harddisk0\DR0\Partition1
15:20:13.0000 3124 ============================================================
15:20:13.0000 3124 Initialize success
15:20:13.0000 3124 ============================================================
15:20:17.0578 3820 ============================================================
15:20:17.0578 3820 Scan started
15:20:17.0578 3820 Mode: Manual;
15:20:17.0578 3820 ============================================================
15:20:18.0359 3820 ================ Scan system memory ========================
15:20:18.0359 3820 System memory - ok
15:20:18.0359 3820 ================ Scan services =============================
15:20:18.0437 3820 [ 01E81C84AD1D0ACC61CF3CFD06632210 ] !SASCORE D:\Program Files\SUPERAntiSpyware\SASCORE.EXE
15:20:18.0484 3820 !SASCORE - ok
15:20:18.0687 3820 Abiosdsk - ok
15:20:18.0703 3820 abp480n5 - ok
15:20:18.0734 3820 [ 8FD99680A539792A30E97944FDAECF17 ] ACPI C:\WINDOWS\system32\DRIVERS\ACPI.sys
15:20:18.0781 3820 ACPI - ok
15:20:18.0843 3820 [ 9859C0F6936E723E4892D7141B1327D5 ] ACPIEC C:\WINDOWS\system32\drivers\ACPIEC.sys
15:20:18.0859 3820 ACPIEC - ok
15:20:18.0890 3820 adpu160m - ok
15:20:18.0921 3820 [ 8BED39E3C35D6A489438B8141717A557 ] aec C:\WINDOWS\system32\drivers\aec.sys
15:20:18.0937 3820 aec - ok
15:20:18.0968 3820 [ 1E44BC1E83D8FD2305F8D452DB109CF9 ] AFD C:\WINDOWS\System32\drivers\afd.sys
15:20:18.0984 3820 AFD - ok
15:20:19.0000 3820 [ 08FD04AA961BDC77FB983F328334E3D7 ] agp440 C:\WINDOWS\system32\DRIVERS\agp440.sys
15:20:19.0000 3820 agp440 - ok
15:20:19.0015 3820 Aha154x - ok
15:20:19.0031 3820 aic78u2 - ok
15:20:19.0031 3820 aic78xx - ok
15:20:19.0093 3820 [ 9B80DAA8C20112BF8A7827BC797BDC2A ] akl_svc" D:\Program Files\PrivacyKeyboard\akl_svc.exe
15:20:19.0125 3820 akl_svc" - ok
15:20:19.0156 3820 [ A9A3DAA780CA6C9671A19D52456705B4 ] Alerter C:\WINDOWS\system32\alrsvc.dll
15:20:19.0156 3820 Alerter - ok
15:20:19.0171 3820 [ 8C515081584A38AA007909CD02020B3D ] ALG C:\WINDOWS\System32\alg.exe
15:20:19.0171 3820 ALG - ok
15:20:19.0187 3820 AliIde - ok
15:20:19.0203 3820 amsint - ok
15:20:19.0234 3820 [ D8849F77C0B66226335A59D26CB4EDC6 ] AppMgmt C:\WINDOWS\System32\appmgmts.dll
15:20:19.0250 3820 AppMgmt - ok
15:20:19.0281 3820 [ B5B8A80875C1DEDEDA8B02765642C32F ] Arp1394 C:\WINDOWS\system32\DRIVERS\arp1394.sys
15:20:19.0281 3820 Arp1394 - ok
15:20:19.0296 3820 asc - ok
15:20:19.0312 3820 asc3350p - ok
15:20:19.0312 3820 asc3550 - ok
15:20:19.0421 3820 [ 776ACEFA0CA9DF0FAA51A5FB2F435705 ] aspnet_state C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe
15:20:19.0437 3820 aspnet_state - ok
15:20:19.0468 3820 [ B153AFFAC761E7F5FCFA822B9C4E97BC ] AsyncMac C:\WINDOWS\system32\DRIVERS\asyncmac.sys
15:20:19.0468 3820 AsyncMac - ok
15:20:19.0484 3820 [ 9F3A2F5AA6875C72BF062C712CFA2674 ] atapi C:\WINDOWS\system32\DRIVERS\atapi.sys
15:20:19.0484 3820 atapi - ok
15:20:19.0500 3820 Atdisk - ok
15:20:19.0531 3820 [ 9916C1225104BA14794209CFA8012159 ] Atmarpc C:\WINDOWS\system32\DRIVERS\atmarpc.sys
15:20:19.0531 3820 Atmarpc - ok
15:20:19.0546 3820 [ DEF7A7882BEC100FE0B2CE2549188F9D ] AudioSrv C:\WINDOWS\System32\audiosrv.dll
15:20:19.0562 3820 AudioSrv - ok
15:20:19.0593 3820 [ D9F724AA26C010A217C97606B160ED68 ] audstub C:\WINDOWS\system32\DRIVERS\audstub.sys
15:20:19.0593 3820 audstub - ok
15:20:19.0640 3820 [ DA1F27D85E0D1525F6621372E7B685E9 ] Beep C:\WINDOWS\system32\drivers\Beep.sys
15:20:19.0640 3820 Beep - ok
15:20:19.0812 3820 [ C364F02969E9A842321DD91BCFF749D4 ] BHDrvx86 C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\BASHDefs\20120905.001\BHDrvx86.sys
15:20:19.0843 3820 BHDrvx86 - ok
15:20:19.0875 3820 [ 574738F61FCA2935F5265DC4E5691314 ] BITS C:\WINDOWS\system32\qmgr.dll
15:20:19.0890 3820 BITS - ok
15:20:19.0921 3820 [ CFD4E51402DA9838B5A04AE680AF54A0 ] Browser C:\WINDOWS\System32\browser.dll
15:20:19.0921 3820 Browser - ok
15:20:19.0968 3820 catchme - ok
15:20:20.0000 3820 [ 90A673FC8E12A79AFBED2576F6A7AAF9 ] cbidf2k C:\WINDOWS\system32\drivers\cbidf2k.sys
15:20:20.0000 3820 cbidf2k - ok
15:20:20.0015 3820 [ 0BE5AEF125BE881C4F854C554F2B025C ] CCDECODE C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
15:20:20.0015 3820 CCDECODE - ok
15:20:20.0031 3820 cd20xrnt - ok
15:20:20.0062 3820 [ C1B486A7658353D33A10CC15211A873B ] Cdaudio C:\WINDOWS\system32\drivers\Cdaudio.sys
15:20:20.0062 3820 Cdaudio - ok
15:20:20.0078 3820 [ C885B02847F5D2FD45A24E219ED93B32 ] Cdfs C:\WINDOWS\system32\drivers\Cdfs.sys
15:20:20.0078 3820 Cdfs - ok
15:20:20.0093 3820 [ 1F4260CC5B42272D71F79E570A27A4FE ] Cdrom C:\WINDOWS\system32\DRIVERS\cdrom.sys
15:20:20.0109 3820 Cdrom - ok
15:20:20.0109 3820 cecp - ok
15:20:20.0125 3820 Changer - ok
15:20:20.0156 3820 [ 1CFE720EB8D93A7158A4EBC3AB178BDE ] CiSvc C:\WINDOWS\system32\cisvc.exe
15:20:20.0156 3820 CiSvc - ok
15:20:20.0171 3820 [ 34CBE729F38138217F9C80212A2A0C82 ] ClipSrv C:\WINDOWS\system32\clipsrv.exe
15:20:20.0171 3820 ClipSrv - ok
15:20:20.0250 3820 [ D87ACAED61E417BBA546CED5E7E36D9C ] clr_optimization_v2.0.50727_32 C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
15:20:20.0359 3820 clr_optimization_v2.0.50727_32 - ok
15:20:20.0406 3820 [ C5A75EB48E2344ABDC162BDA79E16841 ] clr_optimization_v4.0.30319_32 C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
15:20:20.0515 3820 clr_optimization_v4.0.30319_32 - ok
15:20:20.0531 3820 CmdIde - ok
15:20:20.0531 3820 COMSysApp - ok
15:20:20.0562 3820 Cpqarray - ok
15:20:20.0593 3820 [ 3D4E199942E29207970E04315D02AD3B ] CryptSvc C:\WINDOWS\System32\cryptsvc.dll
15:20:20.0593 3820 CryptSvc - ok
15:20:20.0640 3820 [ 8DB84DE3AAB34A8B4C2F644EFF41CD76 ] ctsfm2k C:\WINDOWS\system32\DRIVERS\ctsfm2k.sys
15:20:20.0640 3820 ctsfm2k - ok
15:20:20.0640 3820 dac2w2k - ok
15:20:20.0656 3820 dac960nt - ok
15:20:20.0703 3820 [ 6B27A5C03DFB94B4245739065431322C ] DcomLaunch C:\WINDOWS\system32\rpcss.dll
15:20:20.0703 3820 DcomLaunch - ok
15:20:20.0734 3820 [ 5E38D7684A49CACFB752B046357E0589 ] Dhcp C:\WINDOWS\System32\dhcpcsvc.dll
15:20:20.0750 3820 Dhcp - ok
15:20:20.0750 3820 [ 044452051F3E02E7963599FC8F4F3E25 ] Disk C:\WINDOWS\system32\DRIVERS\disk.sys
15:20:20.0765 3820 Disk - ok
15:20:20.0765 3820 dmadmin - ok
15:20:20.0796 3820 [ D992FE1274BDE0F84AD826ACAE022A41 ] dmboot C:\WINDOWS\system32\drivers\dmboot.sys
15:20:20.0812 3820 dmboot - ok
15:20:20.0843 3820 [ 526192BF7696F72E29777BF4A180513A ] DMICall C:\WINDOWS\system32\DRIVERS\DMICall.sys
15:20:20.0843 3820 DMICall - ok
15:20:20.0859 3820 [ 7C824CF7BBDE77D95C08005717A95F6F ] dmio C:\WINDOWS\system32\drivers\dmio.sys
15:20:20.0859 3820 dmio - ok
15:20:20.0875 3820 [ E9317282A63CA4D188C0DF5E09C6AC5F ] dmload C:\WINDOWS\system32\drivers\dmload.sys
15:20:20.0875 3820 dmload - ok
15:20:20.0906 3820 [ 57EDEC2E5F59F0335E92F35184BC8631 ] dmserver C:\WINDOWS\System32\dmserver.dll
15:20:20.0906 3820 dmserver - ok
15:20:20.0921 3820 [ 8A208DFCF89792A484E76C40E5F50B45 ] DMusic C:\WINDOWS\system32\drivers\DMusic.sys
15:20:20.0921 3820 DMusic - ok
15:20:20.0953 3820 [ 5F7E24FA9EAB896051FFB87F840730D2 ] Dnscache C:\WINDOWS\System32\dnsrslvr.dll
15:20:20.0968 3820 Dnscache - ok
15:20:20.0984 3820 [ 0F0F6E687E5E15579EF4DA8DD6945814 ] Dot3svc C:\WINDOWS\System32\dot3svc.dll
15:20:21.0015 3820 Dot3svc - ok
15:20:21.0031 3820 [ 577DC4C5F7102BA9957F302942EB2DA4 ] Dot4 HPH09 C:\WINDOWS\system32\DRIVERS\hphid409.sys
15:20:21.0046 3820 Dot4 HPH09 - ok
15:20:21.0062 3820 [ D559E03B3168BC00011DD2B6F443AC71 ] Dot4Print HPH09 C:\WINDOWS\system32\DRIVERS\hphipr09.sys
15:20:21.0062 3820 Dot4Print HPH09 - ok
15:20:21.0093 3820 [ 7E90E0199786C4BDA3CF675B93544939 ] Dot4Storage HPH09 C:\WINDOWS\system32\Drivers\hphs2k09.sys
15:20:21.0109 3820 Dot4Storage HPH09 - ok
15:20:21.0125 3820 [ AFCAA5B28BD1A3F9645E7EBEE217C365 ] Dot4Usb HPH09 C:\WINDOWS\system32\drivers\hphius09.sys
15:20:21.0125 3820 Dot4Usb HPH09 - ok
15:20:21.0140 3820 dpti2o - ok
15:20:21.0156 3820 [ 8F5FCFF8E8848AFAC920905FBD9D33C8 ] drmkaud C:\WINDOWS\system32\drivers\drmkaud.sys
15:20:21.0156 3820 drmkaud - ok
15:20:21.0187 3820 [ 2476936F4994E9084CCFE75ED4F6226A ] E1000 C:\WINDOWS\system32\DRIVERS\e1000325.sys
15:20:21.0187 3820 E1000 - ok
15:20:21.0218 3820 [ 2187855A7703ADEF0CEF9EE4285182CC ] EapHost C:\WINDOWS\System32\eapsvc.dll
15:20:21.0218 3820 EapHost - ok
15:20:21.0296 3820 [ 85B8B4032A895A746D46A288A9B30DED ] eeCtrl C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
15:20:21.0296 3820 eeCtrl - ok
15:20:21.0359 3820 [ F6D494D609D52A0E9596756C5540A978 ] ehSched C:\WINDOWS\ehome\ehSched.exe
15:20:21.0359 3820 ehSched - ok
15:20:21.0390 3820 [ B5A8A04A6E5B4E86B95B1553AA918F5F ] EraserUtilRebootDrv C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
15:20:21.0390 3820 EraserUtilRebootDrv - ok
15:20:21.0421 3820 [ BC93B4A066477954555966D77FEC9ECB ] ERSvc C:\WINDOWS\System32\ersvc.dll
15:20:21.0437 3820 ERSvc - ok
15:20:21.0484 3820 [ 65DF52F5B8B6E9BBD183505225C37315 ] Eventlog C:\WINDOWS\system32\services.exe
15:20:21.0484 3820 Eventlog - ok
15:20:21.0515 3820 [ D4991D98F2DB73C60D042F1AEF79EFAE ] EventSystem C:\WINDOWS\System32\es.dll
15:20:21.0515 3820 EventSystem - ok
15:20:21.0562 3820 [ 38D332A6D56AF32635675F132548343E ] Fastfat C:\WINDOWS\system32\drivers\Fastfat.sys
15:20:21.0562 3820 Fastfat - ok
15:20:21.0609 3820 [ 99BC0B50F511924348BE19C7C7313BBF ] FastUserSwitchingCompatibility C:\WINDOWS\System32\shsvcs.dll
15:20:21.0625 3820 FastUserSwitchingCompatibility - ok
15:20:21.0625 3820 [ 92CDD60B6730B9F50F6A1A0C1F8CDC81 ] Fdc C:\WINDOWS\system32\DRIVERS\fdc.sys
15:20:21.0640 3820 Fdc - ok
15:20:21.0656 3820 [ D45926117EB9FA946A6AF572FBE1CAA3 ] Fips C:\WINDOWS\system32\drivers\Fips.sys
15:20:21.0656 3820 Fips - ok
15:20:21.0671 3820 [ 9D27E7B80BFCDF1CDD9B555862D5E7F0 ] Flpydisk C:\WINDOWS\system32\DRIVERS\flpydisk.sys
15:20:21.0671 3820 Flpydisk - ok
15:20:21.0703 3820 [ B2CF4B0786F8212CB92ED2B50C6DB6B0 ] FltMgr C:\WINDOWS\system32\drivers\fltmgr.sys
15:20:21.0703 3820 FltMgr - ok
15:20:21.0734 3820 [ 5043F0D9A22AABF550508B3165C5B0FD ] FolderSize C:\Program Files\FolderSize\FolderSizeSvc.exe
15:20:21.0765 3820 FolderSize - ok
15:20:21.0812 3820 [ 8BA7C024070F2B7FDD98ED8A4BA41789 ] FontCache3.0.0.0 C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
15:20:21.0828 3820 FontCache3.0.0.0 - ok
15:20:21.0828 3820 FsUsbExDisk - ok
15:20:21.0875 3820 [ 96633419F4A1E37ACB89B45EBCCFE001 ] FsUsbExService C:\WINDOWS\system32\FsUsbExService.Exe
15:20:21.0890 3820 FsUsbExService - ok
15:20:21.0921 3820 [ 3E1E2BD4F39B0E2B7DC4F4D2BCC2779A ] Fs_Rec C:\WINDOWS\system32\drivers\Fs_Rec.sys
15:20:21.0921 3820 Fs_Rec - ok
15:20:21.0937 3820 [ 6AC26732762483366C3969C9E4D2259D ] Ftdisk C:\WINDOWS\system32\DRIVERS\ftdisk.sys
15:20:21.0937 3820 Ftdisk - ok
15:20:21.0968 3820 [ 065639773D8B03F33577F6CDAEA21063 ] gameenum C:\WINDOWS\system32\DRIVERS\gameenum.sys
15:20:21.0968 3820 gameenum - ok
15:20:22.0000 3820 [ 5AE3A887ECE5BBB72CFAB273C2FD1CFA ] GEARAspiWDM C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
15:20:22.0015 3820 GEARAspiWDM - ok
15:20:22.0031 3820 [ 20F6C49E2C410FCD32D781F521579BF5 ] GIDv2 C:\WINDOWS\system32\drivers\GIDv2.sys
15:20:22.0046 3820 GIDv2 - ok
15:20:22.0062 3820 [ 0A02C63C8B144BD8C86B103DEE7C86A2 ] Gpc C:\WINDOWS\system32\DRIVERS\msgpc.sys
15:20:22.0078 3820 Gpc - ok
15:20:22.0140 3820 [ 4FCCA060DFE0C51A09DD5C3843888BCD ] helpsvc C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll
15:20:22.0140 3820 helpsvc - ok
15:20:22.0171 3820 [ BB1A6FB7D35A91E599973FA74A619056 ] HidIr C:\WINDOWS\system32\DRIVERS\hidir.sys
15:20:22.0171 3820 HidIr - ok
15:20:22.0203 3820 [ DEB04DA35CC871B6D309B77E1443C796 ] HidServ C:\WINDOWS\System32\hidserv.dll
15:20:22.0203 3820 HidServ - ok
15:20:22.0234 3820 [ CCF82C5EC8A7326C3066DE870C06DAF1 ] HidUsb C:\WINDOWS\system32\DRIVERS\hidusb.sys
15:20:22.0234 3820 HidUsb - ok
15:20:22.0265 3820 [ 8878BD685E490239777BFE51320B88E9 ] hkmsvc C:\WINDOWS\System32\kmsvc.dll
15:20:22.0281 3820 hkmsvc - ok
15:20:22.0281 3820 hpn - ok
15:20:22.0375 3820 [ CE0FCEC4D4D860F36D972759B11EAF0F ] hpqcxs08 C:\Program Files\HP\Digital Imaging\bin\hpqcxs08.dll
15:20:22.0390 3820 hpqcxs08 - ok
15:20:22.0421 3820 [ 7DA3211AC63EDD90B8ECA1CA1ABFD43B ] hpqddsvc C:\Program Files\HP\Digital Imaging\bin\hpqddsvc.dll
15:20:22.0421 3820 hpqddsvc - ok
15:20:22.0453 3820 [ 14229263AA19C704E0D6D2E7404A8455 ] HPSLPSVC C:\Program Files\HP\Digital Imaging\bin\HPSLPSVC32.DLL
15:20:22.0484 3820 HPSLPSVC - ok
15:20:22.0500 3820 [ D03D10F7DED688FECF50F8FBF1EA9B8A ] HPZid412 C:\WINDOWS\system32\DRIVERS\HPZid412.sys
15:20:22.0515 3820 HPZid412 - ok
15:20:22.0515 3820 [ 89F41658929393487B6B7D13C8528CE3 ] HPZipr12 C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
15:20:22.0531 3820 HPZipr12 - ok
15:20:22.0531 3820 [ ABCB05CCDBF03000354B9553820E39F8 ] HPZius12 C:\WINDOWS\system32\DRIVERS\HPZius12.sys
15:20:22.0531 3820 HPZius12 - ok
15:20:22.0578 3820 [ 68329F53EBFD34ABF268C42D98C830F3 ] HSFHWICH C:\WINDOWS\system32\DRIVERS\HSFHWICH.sys
15:20:22.0578 3820 HSFHWICH - ok
15:20:22.0625 3820 [ 7BBC0D5900A1FC9F69FA0950A149A1C6 ] HSF_DP C:\WINDOWS\system32\DRIVERS\HSF_DP.sys
15:20:22.0656 3820 HSF_DP - ok
15:20:22.0687 3820 [ F80A415EF82CD06FFAF0D971528EAD38 ] HTTP C:\WINDOWS\system32\Drivers\HTTP.sys
15:20:22.0703 3820 HTTP - ok
15:20:22.0734 3820 [ 6100A808600F44D999CEBDEF8841C7A3 ] HTTPFilter C:\WINDOWS\System32\w3ssl.dll
15:20:22.0750 3820 HTTPFilter - ok
15:20:22.0750 3820 i2omgmt - ok
15:20:22.0765 3820 i2omp - ok
15:20:22.0812 3820 [ 4A0B06AA8943C1E332520F7440C0AA30 ] i8042prt C:\WINDOWS\system32\DRIVERS\i8042prt.sys
15:20:22.0812 3820 i8042prt - ok
15:20:22.0812 3820 IDMTDI - ok
15:20:22.0875 3820 [ C01AC32DC5C03076CFB852CB5DA5229C ] idsvc C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
15:20:22.0906 3820 idsvc - ok
15:20:22.0968 3820 [ C19BF2A07BE972A110220DF6B1E89D14 ] IDSxpx86 C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\IPSDefs\20120912.001\IDSxpx86.sys
15:20:22.0968 3820 IDSxpx86 - ok
15:20:23.0000 3820 [ 083A052659F5310DD8B6A6CB05EDCF8E ] Imapi C:\WINDOWS\system32\DRIVERS\imapi.sys
15:20:23.0000 3820 Imapi - ok
15:20:23.0031 3820 [ 30DEAF54A9755BB8546168CFE8A6B5E1 ] ImapiService C:\WINDOWS\system32\imapi.exe
15:20:23.0046 3820 ImapiService - ok
15:20:23.0046 3820 ini910u - ok
15:20:23.0062 3820 IntelIde - ok
15:20:23.0093 3820 [ 8C953733D8F36EB2133F5BB58808B66B ] intelppm C:\WINDOWS\system32\DRIVERS\intelppm.sys
15:20:23.0109 3820 intelppm - ok
15:20:23.0125 3820 [ 3BB22519A194418D5FEC05D800A19AD0 ] ip6fw C:\WINDOWS\system32\drivers\ip6fw.sys
15:20:23.0125 3820 ip6fw - ok
15:20:23.0140 3820 [ 731F22BA402EE4B62748ADAF6363C182 ] IpFilterDriver C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
15:20:23.0156 3820 IpFilterDriver - ok
15:20:23.0156 3820 [ B87AB476DCF76E72010632B5550955F5 ] IpInIp C:\WINDOWS\system32\DRIVERS\ipinip.sys
15:20:23.0156 3820 IpInIp - ok
15:20:23.0187 3820 [ CC748EA12C6EFFDE940EE98098BF96BB ] IpNat C:\WINDOWS\system32\DRIVERS\ipnat.sys
15:20:23.0187 3820 IpNat - ok
15:20:23.0203 3820 [ 23C74D75E36E7158768DD63D92789A91 ] IPSec C:\WINDOWS\system32\DRIVERS\ipsec.sys
15:20:23.0203 3820 IPSec - ok
15:20:23.0250 3820 [ B43B36B382AEA10861F7C7A37F9D4AE2 ] IrBus C:\WINDOWS\system32\DRIVERS\IrBus.sys
15:20:23.0250 3820 IrBus - ok
15:20:23.0265 3820 [ C93C9FF7B04D772627A3646D89F7BF89 ] IRENUM C:\WINDOWS\system32\DRIVERS\irenum.sys
15:20:23.0265 3820 IRENUM - ok
15:20:23.0296 3820 [ 05A299EC56E52649B1CF2FC52D20F2D7 ] isapnp C:\WINDOWS\system32\DRIVERS\isapnp.sys
15:20:23.0296 3820 isapnp - ok
15:20:23.0343 3820 [ 5472D771C0197355C1D347F20392B982 ] JavaQuickStarterService C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe
15:20:23.0359 3820 JavaQuickStarterService - ok
15:20:23.0375 3820 [ 463C1EC80CD17420A542B7F36A36F128 ] Kbdclass C:\WINDOWS\system32\DRIVERS\kbdclass.sys
15:20:23.0390 3820 Kbdclass - ok
15:20:23.0406 3820 [ 9EF487A186DEA361AA06913A75B3FA99 ] kbdhid C:\WINDOWS\system32\DRIVERS\kbdhid.sys
15:20:23.0406 3820 kbdhid - ok
15:20:23.0421 3820 [ 692BCF44383D056AED41B045A323D378 ] kmixer C:\WINDOWS\system32\drivers\kmixer.sys
15:20:23.0421 3820 kmixer - ok
15:20:23.0468 3820 [ B467646C54CC746128904E1654C750C1 ] KSecDD C:\WINDOWS\system32\drivers\KSecDD.sys
15:20:23.0468 3820 KSecDD - ok
15:20:23.0500 3820 [ 3A7C3CBE5D96B8AE96CE81F0B22FB527 ] lanmanserver C:\WINDOWS\System32\srvsvc.dll
15:20:23.0500 3820 lanmanserver - ok
15:20:23.0546 3820 [ A8888A5327621856C0CEC4E385F69309 ] lanmanworkstation C:\WINDOWS\System32\wkssvc.dll
15:20:23.0562 3820 lanmanworkstation - ok
15:20:23.0578 3820 lbrtfdc - ok
15:20:23.0609 3820 [ A7DB739AE99A796D91580147E919CC59 ] LmHosts C:\WINDOWS\System32\lmhsvc.dll
15:20:23.0625 3820 LmHosts - ok
15:20:23.0640 3820 [ 1A7DB7A00A4B0D8DA24CD691A4547291 ] LVPr2Mon C:\WINDOWS\system32\DRIVERS\LVPr2Mon.sys
15:20:23.0640 3820 LVPr2Mon - ok
15:20:23.0703 3820 [ 0DDFDCAA92C7F553328DB06BA599BEA9 ] LVPrcSrv C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
15:20:23.0703 3820 LVPrcSrv - ok
15:20:23.0734 3820 [ F7E15F2FE7790733DF86E95A76556389 ] LVUSBSta C:\WINDOWS\system32\DRIVERS\LVUSBSta.sys
15:20:23.0734 3820 LVUSBSta - ok
15:20:23.0828 3820 [ 92D03DC19EAE9D0A86735705E374FDAD ] LVUVC C:\WINDOWS\system32\DRIVERS\lvuvc.sys
15:20:23.0921 3820 LVUVC - ok
15:20:23.0953 3820 [ C6D085C7045200143528136A43A65FDE ] ManyCam C:\WINDOWS\system32\DRIVERS\ManyCam.sys
15:20:23.0968 3820 ManyCam - ok
15:20:24.0000 3820 [ 65E794E86468B61F2BC79ABC48BC4433 ] MBAMProtector C:\WINDOWS\system32\drivers\mbam.sys
15:20:24.0000 3820 MBAMProtector - ok
15:20:24.0062 3820 [ 9EAABA4D601004BEA4DAA6E146E19A96 ] MBAMService d:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
15:20:24.0140 3820 MBAMService - ok
15:20:24.0171 3820 [ EEAEA6514BA7C9D273B5E87C4E1AAB30 ] mdmxsdk C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
15:20:24.0171 3820 mdmxsdk - ok
15:20:24.0203 3820 [ 986B1FF5814366D71E0AC5755C88F2D3 ] Messenger C:\WINDOWS\System32\msgsvc.dll
15:20:24.0203 3820 Messenger - ok
15:20:24.0234 3820 [ 4AE068242760A1FB6E1A44BF4E16AFA6 ] mnmdd C:\WINDOWS\system32\drivers\mnmdd.sys
15:20:24.0250 3820 mnmdd - ok
15:20:24.0265 3820 [ D18F1F0C101D06A1C1ADF26EED16FCDD ] mnmsrvc C:\WINDOWS\System32\mnmsrvc.exe
15:20:24.0281 3820 mnmsrvc - ok
15:20:24.0296 3820 [ DFCBAD3CEC1C5F964962AE10E0BCC8E1 ] Modem C:\WINDOWS\system32\drivers\Modem.sys
15:20:24.0296 3820 Modem - ok
15:20:24.0312 3820 [ 35C9E97194C8CFB8430125F8DBC34D04 ] Mouclass C:\WINDOWS\system32\DRIVERS\mouclass.sys
15:20:24.0312 3820 Mouclass - ok
15:20:24.0343 3820 [ B1C303E17FB9D46E87A98E4BA6769685 ] mouhid C:\WINDOWS\system32\DRIVERS\mouhid.sys
15:20:24.0343 3820 mouhid - ok
15:20:24.0359 3820 [ A80B9A0BAD1B73637DBCBBA7DF72D3FD ] MountMgr C:\WINDOWS\system32\drivers\MountMgr.sys
15:20:24.0359 3820 MountMgr - ok
15:20:24.0375 3820 mraid35x - ok
15:20:24.0406 3820 [ 11D42BB6206F33FBB3BA0288D3EF81BD ] MRxDAV C:\WINDOWS\system32\DRIVERS\mrxdav.sys
15:20:24.0406 3820 MRxDAV - ok
15:20:24.0437 3820 [ 7D304A5EB4344EBEEAB53A2FE3FFB9F0 ] MRxSmb C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
15:20:24.0468 3820 MRxSmb - ok
15:20:24.0484 3820 [ A137F1470499A205ABBB9AAFB3B6F2B1 ] MSDTC C:\WINDOWS\System32\msdtc.exe
15:20:24.0500 3820 MSDTC - ok
15:20:24.0515 3820 [ C941EA2454BA8350021D774DAF0F1027 ] Msfs C:\WINDOWS\system32\drivers\Msfs.sys
15:20:24.0531 3820 Msfs - ok
15:20:24.0531 3820 MSIServer - ok
15:20:24.0546 3820 [ D1575E71568F4D9E14CA56B7B0453BF1 ] MSKSSRV C:\WINDOWS\system32\drivers\MSKSSRV.sys
15:20:24.0562 3820 MSKSSRV - ok
15:20:24.0578 3820 [ 325BB26842FC7CCC1FCCE2C457317F3E ] MSPCLOCK C:\WINDOWS\system32\drivers\MSPCLOCK.sys
15:20:24.0578 3820 MSPCLOCK - ok
15:20:24.0609 3820 [ BAD59648BA099DA4A17680B39730CB3D ] MSPQM C:\WINDOWS\system32\drivers\MSPQM.sys
15:20:24.0609 3820 MSPQM - ok
15:20:24.0625 3820 [ AF5F4F3F14A8EA2C26DE30F7A1E17136 ] mssmbios C:\WINDOWS\system32\DRIVERS\mssmbios.sys
15:20:24.0625 3820 mssmbios - ok
15:20:24.0640 3820 [ E53736A9E30C45FA9E7B5EAC55056D1D ] MSTEE C:\WINDOWS\system32\drivers\MSTEE.sys
15:20:24.0640 3820 MSTEE - ok
15:20:24.0671 3820 [ DE6A75F5C270E756C5508D94B6CF68F5 ] Mup C:\WINDOWS\system32\drivers\Mup.sys
15:20:24.0671 3820 Mup - ok
15:20:24.0734 3820 [ E78A365CC3E0FBFC018A33DCE01909F8 ] N360 C:\Program Files\Norton Security Suite\Engine\5.2.2.3\ccSvcHst.exe
15:20:24.0734 3820 N360 - ok
15:20:24.0750 3820 [ 5B50F1B2A2ED47D560577B221DA734DB ] NABTSFEC C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
15:20:24.0750 3820 NABTSFEC - ok
15:20:24.0796 3820 [ 0102140028FAD045756796E1C685D695 ] napagent C:\WINDOWS\System32\qagentrt.dll
15:20:24.0812 3820 napagent - ok
15:20:24.0875 3820 [ 8E4C77AD9BB279900C00F870CC0C674B ] NAVENG C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\VirusDefs\20120913.002\NAVENG.SYS
15:20:24.0890 3820 NAVENG - ok
15:20:24.0953 3820 [ 826F699B69E88A3920C70F344DD42D88 ] NAVEX15 C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\VirusDefs\20120913.002\NAVEX15.SYS
15:20:25.0000 3820 NAVEX15 - ok
15:20:25.0015 3820 [ 1DF7F42665C94B825322FAE71721130D ] NDIS C:\WINDOWS\system32\drivers\NDIS.sys
15:20:25.0031 3820 NDIS - ok
15:20:25.0046 3820 [ 7FF1F1FD8609C149AA432F95A8163D97 ] NdisIP C:\WINDOWS\system32\DRIVERS\NdisIP.sys
15:20:25.0046 3820 NdisIP - ok
15:20:25.0078 3820 [ 0109C4F3850DFBAB279542515386AE22 ] NdisTapi C:\WINDOWS\system32\DRIVERS\ndistapi.sys
15:20:25.0078 3820 NdisTapi - ok
15:20:25.0078 3820 [ F927A4434C5028758A842943EF1A3849 ] Ndisuio C:\WINDOWS\system32\DRIVERS\ndisuio.sys
15:20:25.0093 3820 Ndisuio - ok
15:20:25.0109 3820 [ EDC1531A49C80614B2CFDA43CA8659AB ] NdisWan C:\WINDOWS\system32\DRIVERS\ndiswan.sys
15:20:25.0109 3820 NdisWan - ok
15:20:25.0140 3820 [ 9282BD12DFB069D3889EB3FCC1000A9B ] NDProxy C:\WINDOWS\system32\drivers\NDProxy.sys
15:20:25.0156 3820 NDProxy - ok
15:20:25.0171 3820 [ 2969D26EEE289BE7422AA46FC55F4E38 ] Net Driver HPZ12 C:\WINDOWS\system32\HPZinw12.dll
15:20:25.0171 3820 Net Driver HPZ12 - ok
15:20:25.0203 3820 [ 5D81CF9A2F1A3A756B66CF684911CDF0 ] NetBIOS C:\WINDOWS\system32\DRIVERS\netbios.sys
15:20:25.0203 3820 NetBIOS - ok
15:20:25.0234 3820 [ 74B2B2F5BEA5E9A3DC021D685551BD3D ] NetBT C:\WINDOWS\system32\DRIVERS\netbt.sys
15:20:25.0234 3820 NetBT - ok
15:20:25.0281 3820 [ B857BA82860D7FF85AE29B095645563B ] NetDDE C:\WINDOWS\system32\netdde.exe
15:20:25.0281 3820 NetDDE - ok
15:20:25.0296 3820 [ B857BA82860D7FF85AE29B095645563B ] NetDDEdsdm C:\WINDOWS\system32\netdde.exe
15:20:25.0296 3820 NetDDEdsdm - ok
15:20:25.0312 3820 [ BF2466B3E18E970D8A976FB95FC1CA85 ] Netlogon C:\WINDOWS\system32\lsass.exe
15:20:25.0328 3820 Netlogon - ok
15:20:25.0343 3820 [ 13E67B55B3ABD7BF3FE7AAE5A0F9A9DE ] Netman C:\WINDOWS\System32\netman.dll
15:20:25.0359 3820 Netman - ok
15:20:25.0375 3820 [ D22CD77D4F0D63D1169BB35911BFF12D ] NetTcpPortSharing C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe
15:20:25.0406 3820 NetTcpPortSharing - ok
15:20:25.0453 3820 [ E9E47CFB2D461FA0FC75B7A74C6383EA ] NIC1394 C:\WINDOWS\system32\DRIVERS\nic1394.sys
15:20:25.0453 3820 NIC1394 - ok
15:20:25.0484 3820 [ 943337D786A56729263071623BBB9DE5 ] Nla C:\WINDOWS\System32\mswsock.dll
15:20:25.0484 3820 Nla - ok
15:20:25.0515 3820 [ B48DC6ABCD3AEFF8618350CCBDC6B09A ] npf C:\WINDOWS\system32\drivers\npf.sys
15:20:25.0515 3820 npf - ok
15:20:25.0531 3820 [ 3182D64AE053D6FB034F44B6DEF8034A ] Npfs C:\WINDOWS\system32\drivers\Npfs.sys
15:20:25.0531 3820 Npfs - ok
15:20:25.0578 3820 [ 78A08DD6A8D65E697C18E1DB01C5CDCA ] Ntfs C:\WINDOWS\system32\drivers\Ntfs.sys
15:20:25.0609 3820 Ntfs - ok
15:20:25.0625 3820 [ BF2466B3E18E970D8A976FB95FC1CA85 ] NtLmSsp C:\WINDOWS\System32\lsass.exe
15:20:25.0625 3820 NtLmSsp - ok
15:20:25.0656 3820 [ 156F64A3345BD23C600655FB4D10BC08 ] NtmsSvc C:\WINDOWS\system32\ntmssvc.dll
15:20:25.0671 3820 NtmsSvc - ok
15:20:25.0703 3820 [ 73C1E1F395918BC2C6DD67AF7591A3AD ] Null C:\WINDOWS\system32\drivers\Null.sys
15:20:25.0703 3820 Null - ok
15:20:25.0781 3820 [ 2B298519EDBFCF451D43E0F1E8F1006D ] nv C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
15:20:25.0828 3820 nv - ok
15:20:25.0859 3820 [ 88A8CFCD2BC3FF1484901CE985782E6E ] NVSvc C:\WINDOWS\System32\nvsvc32.exe
15:20:25.0875 3820 NVSvc - ok
15:20:25.0890 3820 [ B305F3FAD35083837EF46A0BBCE2FC57 ] NwlnkFlt C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
15:20:25.0890 3820 NwlnkFlt - ok
15:20:25.0906 3820 [ C99B3415198D1AAB7227F2C88FD664B9 ] NwlnkFwd C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
15:20:25.0906 3820 NwlnkFwd - ok
15:20:25.0937 3820 [ CA33832DF41AFB202EE7AEB05145922F ] ohci1394 C:\WINDOWS\system32\DRIVERS\ohci1394.sys
15:20:25.0937 3820 ohci1394 - ok
15:20:25.0984 3820 [ 7A56CF3E3F12E8AF599963B16F50FB6A ] ose C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
15:20:25.0984 3820 ose - ok
15:20:26.0015 3820 [ 103A9B117A7D9903111955CDAFE65AC6 ] ossrv C:\WINDOWS\system32\DRIVERS\ctoss2k.sys
15:20:26.0015 3820 ossrv - ok
15:20:26.0062 3820 [ DF886FFED69AEAD0CF608B89B18C3F6F ] P17 C:\WINDOWS\system32\drivers\P17.sys
15:20:26.0093 3820 P17 - ok
15:20:26.0109 3820 [ 5575FAF8F97CE5E713D108C2A58D7C7C ] Parport C:\WINDOWS\system32\DRIVERS\parport.sys
15:20:26.0109 3820 Parport - ok
15:20:26.0125 3820 [ BEB3BA25197665D82EC7065B724171C6 ] PartMgr C:\WINDOWS\system32\drivers\PartMgr.sys
15:20:26.0125 3820 PartMgr - ok
15:20:26.0140 3820 [ 70E98B3FD8E963A6A46A2E6247E0BEA1 ] ParVdm C:\WINDOWS\system32\drivers\ParVdm.sys
15:20:42.0421 3820 ============================================================
15:20:42.0421 3820 Scan finished
15:20:42.0421 3820 ============================================================
15:20:42.0484 3280 Detected object count: 0
15:20:42.0484 3280 Actual detected object count: 0
15:21:53.0265 3428 Deinitialize success

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll

---- Previous Run -------

C:\WINDOWS\isRS-000.tmp
C:\WINDOWS\system32\sqlite3.dll
C:\WINDOWS\system32\URTTemp\regtlib.exe
C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll
G:\setup.exe


((((((((((((((((((((((((( Files Created from 2012-08-14 to 2012-09-14 )))))))))))))))))))))))))))))))
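
TDSSKiller writes one `time tid [ MD5 ] name image-path` line for each object it hashes, then a `name - verdict` line, and finishes with the detected-object counts. The Python script below is an added example, not the poster's or TDSSKiller's code: it parses constructed lines in that format and pulls out what a helper looks for first, namely verdicts other than `ok`, hashed objects that never got a verdict (a truncated log), images outside the Windows directory to review by hand, and services that share one host image such as lsass.exe or svchost.exe.

```python
import re
from collections import defaultdict

# Constructed sample in the TDSSKiller log format seen in this thread (not the
# poster's real log). Each hashed object gets a "time tid [ MD5 ] name path"
# line followed by a "time tid name - verdict" line; objects with no file on
# disk (PCIDump here) only get a verdict line. ExampleSvc and its "suspicious"
# verdict are invented to exercise the non-ok path.
SAMPLE_LOG = """\
15:20:26.0171 3820 [ A219903CCF74233761D92BEF471A07B1 ] PCI C:\\WINDOWS\\system32\\DRIVERS\\pci.sys
15:20:26.0171 3820 PCI - ok
15:20:26.0171 3820 PCIDump - ok
15:20:26.0375 3820 [ BAFC9706BDF425A02B66468AB2605C59 ] Pml Driver HPZ12 C:\\WINDOWS\\system32\\HPZipm12.dll
15:20:26.0390 3820 Pml Driver HPZ12 - ok
15:20:26.0406 3820 [ BF2466B3E18E970D8A976FB95FC1CA85 ] PolicyAgent C:\\WINDOWS\\system32\\lsass.exe
15:20:26.0406 3820 PolicyAgent - ok
15:20:27.0156 3820 [ BF2466B3E18E970D8A976FB95FC1CA85 ] SamSs C:\\WINDOWS\\system32\\lsass.exe
15:20:27.0156 3820 SamSs - ok
15:20:27.0328 3820 [ A4AAC62E6C1A5A56AE41B6C0570AB68B ] SbieDrv d:\\Program Files\\Sandboxie\\SbieDrv.sys
15:20:27.0343 3820 SbieDrv - ok
15:20:27.0734 3820 [ 00000000000000000000000000000000 ] ExampleSvc C:\\Documents and Settings\\All Users\\Application Data\\Example\\svc.exe
15:20:27.0750 3820 ExampleSvc - suspicious
15:20:32.0328 3820 [ 8F558EB6672622401DA993E1E865C861 ] \\Device\\Harddisk0\\DR0
15:20:32.0468 3820 \\Device\\Harddisk0\\DR0 - ok
15:20:42.0484 3280 Detected object count: 1
"""

TIME_TID = r"^(?P<time>\d\d:\d\d:\d\d\.\d+) (?P<tid>\d+) "
ENTRY_RE = re.compile(TIME_TID + r"\[ (?P<md5>[0-9A-Fa-f]{32}) \] (?P<rest>.+)$")
VERDICT_RE = re.compile(TIME_TID + r"(?P<rest>.+) - (?P<verdict>[^-]+)$")
COUNT_RE = re.compile(TIME_TID + r"Detected object count: (?P<n>\d+)$")
# An image path starts with a drive letter or an NT device path; the object
# name (which may itself contain spaces) is whatever precedes it, if anything.
PATH_RE = re.compile(r"^(?:(?P<name>.+?) )?(?P<path>(?:[A-Za-z]:\\|\\Device\\).*)$")
WINDIR = "c:\\windows\\"


def parse_tdsskiller(text):
    """Return (images, verdicts, detected): {name: (md5, path)}, {name: verdict}, int or None."""
    images, verdicts, detected = {}, {}, None
    for line in text.splitlines():
        if m := ENTRY_RE.match(line):
            if pm := PATH_RE.match(m.group("rest")):
                # Nameless entries (MBR/VBR and the "Scan global" block) are keyed by path.
                name = pm.group("name") or pm.group("path")
                images[name] = (m.group("md5").upper(), pm.group("path"))
        elif m := VERDICT_RE.match(line):
            verdicts[m.group("rest")] = m.group("verdict").strip()
        elif m := COUNT_RE.match(line):
            detected = int(m.group("n"))
    return images, verdicts, detected


def triage(text):
    """Summarise a TDSSKiller log the way a helper reads it: anything not 'ok' first."""
    images, verdicts, detected = parse_tdsskiller(text)
    not_ok = sorted((n, v) for n, v in verdicts.items() if v != "ok")
    # Hashed objects with no verdict line mean the scan or the pasted log was cut short.
    missing = sorted(n for n in images if n not in verdicts)
    # Images outside the Windows directory are not bad by themselves (Sandboxie, Sony
    # and Norton components all live there in a real log), but they are the list to
    # review by hand.
    outside = sorted((n, p) for n, (_, p) in images.items()
                     if not p.startswith("\\Device\\") and not p.lower().startswith(WINDIR))
    # Several services sharing one host image (lsass.exe, svchost.exe) is normal;
    # listing them shows which services a suspected host process actually carries.
    by_image, hashes = defaultdict(list), defaultdict(set)
    for n, (md5, p) in images.items():
        by_image[p.lower()].append(n)
        hashes[p.lower()].add(md5)
    shared = {p: sorted(ns) for p, ns in by_image.items() if len(ns) > 1}
    # The same path reported with two different MD5s means the file changed mid-scan.
    conflicts = {p: sorted(h) for p, h in hashes.items() if len(h) > 1}
    return {"not_ok": not_ok, "missing_verdict": missing, "outside_windir": outside,
            "shared_images": shared, "hash_conflicts": conflicts, "detected": detected}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run against a real log, the `not_ok` and `missing_verdict` lists are the two that matter; an empty `not_ok` with a zero detected count is the "Detected object count: 0" result the poster got above.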

#9 bloopie

    Bleepin' Sith Turner

  • Malware Response Team
  • 7,927 posts
  • Gender:Male
  • Location:New York

Posted 14 September 2012 - 08:52 AM

Hi again,

Why have you only posted one small portion of the Combofix log? I need the whole log found at C:\Combofix.txt please. :)

Also, how is your computer running at this point?

bloopie

#10 adobofosho
  • Topic Starter
  • Members
  • 32 posts

Posted 14 September 2012 - 04:03 PM

I thought it was weird too, since it really didn't give me a log once I was done.
I don't have a C:\Combofix.txt.
C:\ComboFix\Combofix.txt is where I got this one, though.

#11 bloopie

    Bleepin' Sith Turner

  • Malware Response Team
  • 7,927 posts
  • Gender:Male
  • Location:New York

Posted 14 September 2012 - 06:05 PM

Hi again,

That's interesting... Did you save Combofix to the desktop as instructed, or did you save it to a folder named ComboFix as indicated here:

    Running from: D:\Program Files\Combofix\ComboFix.exe


Also, how many times have you run Combofix? From the small header portion you posted before the TDSSKiller log, and from your previous thread when m0le was helping you last year, it looks like you've been running Combofix plenty of times since then! :blink:

Combofix is not a toy, and should only be used by someone who has been trained in its use! :)

Because of that, it's very hard to get an idea of what's been done to this machine. Getting the proper logs is very difficult as well.

==========

--> Do NOT do this now, but did you uninstall Combofix as instructed by m0le last year here? <-- Just answer yes or no to this question!

==========

Now I would like to attempt to get a clear Combofix log by using a script. Please make sure you have Combofix saved to your desktop, then follow these instructions:

Run a Combofix Script


1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy the text in the codebox below, then paste it into the empty notepad:

    ClearJavaCache::

Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt or D:\ComboFix.txt, which I will require in your next reply.

==========

As well as the new log, please let me know how the computer is running now!!

bloopie

#12 adobofosho
  • Topic Starter
  • Members
  • 32 posts

Posted 15 September 2012 - 08:48 PM

lol, forgot about the desktop step as I already had it on D.
I'm going to be able to come back to that PC tomorrow night.

#13 bloopie

    Bleepin' Sith Turner

  • Malware Response Team
  • 7,927 posts
  • Gender:Male
  • Location:New York

Posted 15 September 2012 - 10:35 PM

Hi again,

    I already had it on D


Please right-click and delete that copy of ComboFix, then grab a fresh copy from post #7!

Please download the new copy to your desktop as instructed, and run the script from post #11 there, okay? :)

I'll be waiting for your post! :thumbup2:

Please don't forget to let me know how the computer is running before/after the script! I need to know that! :whistle:

If you have any questions, please stop and ask me! :thumbup2:

bloopie

#14 adobofosho
  • Topic Starter
  • Members
  • 32 posts

Posted 17 September 2012 - 11:46 PM

Ran ComboFix off the desktop and still can't find ComboFix.txt on my C drive.
In C:\ComboFix there is one, but it's the same log as the last one I posted.

I turn off the AVs, then the PC restarts, then I don't know where the log saves to; the screen exits.

Edited by adobofosho, 17 September 2012 - 11:46 PM.


#15 bloopie

    Bleepin' Sith Turner

  • Malware Response Team
  • 7,927 posts
  • Gender:Male
  • Location:New York

Posted 18 September 2012 - 01:39 PM

Hi again,

Why have you not answered any of the questions I keep asking:

    Also, how is your computer running at this point?

    --> Do NOT do this now, but did you uninstall Combofix as instructed by m0le last year here? <-- Just answer yes or no to this question!

    As well as the new log, please let me know how the computer is running now!!


I need to know these things if I am to continue helping you, okay? :thumbup2:

==========

Also check your D:\ drive for Combofix.txt as mentioned here:

    When finished, it shall produce a log for you at C:\ComboFix.txt or D:\ComboFix.txt, which I will require in your next reply.


==========

We need to create an OTL Report
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Posted Image button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

==========

Please answer my previous questions and provide the new OTL log for me as instructed. :)

bloopie



