Browser ReDirect and FBI MoneyPak


41 replies to this topic

#1 wildzero
  • Members
  • 145 posts

Posted 03 October 2012 - 06:43 PM

Hello, thanks for taking the time to help.

I am currently infected with the FBI MoneyPak virus and a browser redirect of some sort. I have dealt with the MoneyPak virus using Emsisoft Scan before, but it is not working on this one - the screen that pops up is a new screen I have not seen before, so I assume it is an updated version of the virus.

The "Attach" log was too big to attach so I zipped it.


.
DDS (Ver_2011-08-26.01) - NTFSx86 NETWORK
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_31
Run by Greg at 15:21:11 on 2012-10-03
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1647 [GMT -4:00]
.
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\internet explorer\iexplore.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\alwil software\avast5\aswWebRepIE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\alwil software\avast5\aswWebRepIE.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\greg\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [Spotify Web Helper] "c:\documents and settings\greg\application data\spotify\data\SpotifyWebHelper.exe"
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [ConnectionCenter] "c:\program files\citrix\ica client\concentr.exe" /startup
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
StartupFolder: c:\documents and settings\greg\start menu\programs\startup\explorer.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{1ce60928-8325-49a8-8b06-633e48dd2b67}\Icon3E5562ED7.ico
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: mswsock.dll
Trusted Zone: ed.gov\fpass
Trusted Zone: ed.gov\www.fpass
DPF: vzTCPConfig - hxxp://my.verizon.com/micro/speedoptimizer/fios/vzTCPConfig.CAB
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/sites/production/ieawsdc32.cab
DPF: {2A0B9B82-D5C8-4D3D-8338-AD55B23662B1} - hxxps://fpass.ed.gov/vdesk/cachecleaner.cab#version=7000,2010,1020,1401
DPF: {41EF3CD2-D8CC-4438-84B1-280BB4E77C8E} - hxxps://fpass.ed.gov/vdesk/terminal/f5tunsrv.cab#version=7000,2011,104,2309
DPF: {45B69029-F3AB-4204-92DE-D5140C3E8E74} - hxxps://fpass.ed.gov/vdesk/terminal/InstallerControl.cab
DPF: {57C76689-F052-487B-A19F-855AFDDF28EE} - hxxps://www.fpass.ed.gov/vdesk/terminal/f5InspectionHost.cab#version=7000,2010,1020,1407
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CC85ACDF-B277-486F-8C70-2C9B2ED2A4E7} - hxxps://fpass.ed.gov/vdesk/terminal/urxshost.cab#version=7000,2010,1020,1428
DPF: {E0FF21FA-B857-45C5-8621-F120A0C17FF2} - hxxps://fpass.ed.gov/vdesk/terminal/urxhost.cab#version=7000,2011,124,911
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E615C9EA-AD69-4AE9-83C9-9D906A0ACA6D} - hxxps://www.fpass.ed.gov/policy/download_binary.php/win32/f5syschk.cab#Version=7000,2010,1020,1432
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{ADEA19D0-3DDC-4AD3-8E79-6D1DE60F0E0D} : DhcpNameServer = 192.168.1.1
Filter: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Filter: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - c:\program files\citrix\ica client\IcaMimeFilter.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
Hosts: 10.0.0.34 sharepoint.ppsinfotech.com
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\greg\application data\mozilla\firefox\profiles\hig1dv12.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\documents and settings\greg\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\greg\application data\mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: c:\documents and settings\greg\local settings\application data\google\update\1.3.21.123\npGoogleUpdate3.dll
FF - plugin: c:\program files\foxit software\foxit reader\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\java\jre6\bin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre6\bin\npjpi160_31.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npdeployJava1.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npicaN.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: avast! WebRep: wrc@avast.com - c:\program files\alwil software\avast5\webrep\FF
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
============= SERVICES / DRIVERS ===============
.
S1 A2DDA;A2 Direct Disk Access Support Driver;c:\documents and settings\greg\desktop\emsisoftemergencykit\run\a2ddax86.sys [2012-7-8 17904]
S1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-4-16 729752]
S1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-4-18 355632]
S1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [2009-10-5 65584]
S2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2004-8-4 14336]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-4-18 21256]
S2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-4-18 44808]
S2 NIHardwareService;NIHardwareService;c:\program files\common files\native instruments\hardware\NIHardwareService.exe [2011-3-9 3857408]
S2 regi;regi;c:\windows\system32\drivers\regi.sys [2007-4-17 11032]
S3 NWUSBCDFIL;Novatel Wireless Installation CD;c:\windows\system32\drivers\NwUsbCdFil.sys [2010-7-8 20480]
S3 NWUSBModem_000;Novatel Wireless USB Modem Driver (vGEN);c:\windows\system32\drivers\nwusbmdm_000.sys [2010-7-8 176384]
S3 NWUSBPort_000;Novatel Wireless USB Status Port Driver (vGEN);c:\windows\system32\drivers\nwusbser_000.sys [2010-7-8 176384]
S3 NWUSBPort2_000;Novatel Wireless USB Status2 Port Driver (vGEN);c:\windows\system32\drivers\nwusbser2_000.sys [2010-7-8 176384]
S3 qrkis;Tether Miniport;c:\windows\system32\drivers\qrkis.sys [2011-11-25 45608]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2007-11-14 394952]
.
=============== Created Last 30 ================
.
2012-10-02 00:03:04 33280 ----a-w- c:\documents and settings\all users\application data\lsass.exe
2012-09-21 18:37:05 -------- d-----w- c:\program files\common files\Deterministic Networks
2012-09-10 13:01:30 -------- d-----w- c:\windows\system32\LogFiles
.
==================== Find3M ====================
.
2012-09-07 21:04:46 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-08-28 15:14:53 916992 ----a-w- c:\windows\system32\wininet.dll
2012-08-28 15:14:53 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-08-28 15:14:52 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-08-28 12:07:15 385024 ----a-w- c:\windows\system32\html.iec
2012-08-21 18:27:32 404680 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-08-21 09:13:15 729752 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-08-21 09:12:33 41224 ----a-w- c:\windows\avastSS.scr
2012-07-06 13:58:51 78336 ----a-w- c:\windows\system32\browser.dll
.
============= FINISH: 15:22:17.85 ===============



#2 gringo_pr (Bleepin Gringo)
  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 04 October 2012 - 10:52 PM

Greetings And Welcome To The Forums!!

My name is Gringo and I'll be glad to help you with your malware problems.

I have put together some things for you to keep in mind while I am helping you, to make things go easier and faster for both of us.

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the Watch Topic Button, select Immediate Notification, and click on Proceed. This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Back up any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

Download Farbar Recovery Scan Tool x64 and save it to a flash drive.

Plug the flash-drive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:
  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst64.exe and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.

  • First Press the Scan button.
  • It will make a log (FRST.txt)

  • Second Type the following in the edit box after "Search:". services.exe
  • Click the Search button
  • It will make a log (Search.txt)

I want you to post both the FRST.txt report and the Search.txt into your reply to me

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#3 wildzero
  • Topic Starter
  • Members
  • 145 posts

Posted 05 October 2012 - 09:34 AM

Thanks for your response gringo

When I get to my Advanced Boot Options I do not have a "Repair Your Computer" menu option. My screen shows as follows:

Windows Advanced Options Menu
Please select an option:

Safe Mode
Safe Mode with Networking
Safe Mode with Command Prompt

Enable Boot Logging
Enable VGA Mode
Last Known Good Configuration (your most recent setting that worked)
Directory Services Restore Mode (Windows domain controllers only)
Debugging Mode
Disable automatic restart on system failure

Start Windows Normally
Reboot
Return to OS Choices Menu

Also I noticed the Farbar Tool is for VISTA / Win7. I am running XP 32bit. Does this matter?

Edited by wildzero, 05 October 2012 - 09:38 AM.


#4 gringo_pr (Bleepin Gringo)
  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 05 October 2012 - 10:36 AM

Hello

I would like you to do the following.

Please print out or make a copy in notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." Please restart the computer

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo

#5 wildzero
  • Topic Starter
  • Members
  • 145 posts

Posted 05 October 2012 - 11:01 AM

Running in Safe Mode. Notified me that computer is infected with "Rootkit: ZeroAccess!". Restarted computer, ComboFix is still working...

Edited by wildzero, 05 October 2012 - 11:19 AM.


#6 gringo_pr (Bleepin Gringo)
  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 05 October 2012 - 11:09 AM

That will be fine for now


gringo

#7 wildzero
  • Topic Starter
  • Members
  • 145 posts

Posted 05 October 2012 - 11:49 AM

The computer seems to be running better now. I was able to post using normal boot mode.


ComboFix 12-10-04.02 - Greg 10/05/2012 12:22:46.9.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1607 [GMT -4:00]
Running from: c:\documents and settings\Greg\Desktop\ComboFix.exe
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\18472756
c:\documents and settings\All Users\Application Data\6E631A18FB.sys
c:\documents and settings\All Users\Application Data\go_0molg.pad
c:\documents and settings\All Users\Application Data\lsass.exe
c:\documents and settings\All Users\Application Data\redaertaborca.pad
c:\windows\$NtUninstallKB12179$
c:\windows\$NtUninstallKB12179$\2567419540\@
c:\windows\$NtUninstallKB12179$\2567419540\Desktop.ini
c:\windows\$NtUninstallKB12179$\2567419540\L\00000004.@
c:\windows\$NtUninstallKB12179$\2567419540\L\201d3dde
c:\windows\$NtUninstallKB12179$\2567419540\L\uxagscgf
c:\windows\$NtUninstallKB12179$\2567419540\U\00000004.@
c:\windows\$NtUninstallKB12179$\2567419540\U\00000008.@
c:\windows\$NtUninstallKB12179$\2567419540\U\000000cb.@
c:\windows\$NtUninstallKB12179$\2567419540\U\80000000.@
c:\windows\$NtUninstallKB12179$\2567419540\U\80000032.@
c:\windows\$NtUninstallKB12179$\2705065696
.
Infected copy of c:\windows\system32\drivers\mqac.sys was found and disinfected
Restored copy from - The cat found it :)
.
((((((((((((((((((((((((( Files Created from 2012-09-05 to 2012-10-05 )))))))))))))))))))))))))))))))
.
.
2012-09-21 18:37 . 2012-09-21 18:37 -------- d-----w- c:\program files\Common Files\Deterministic Networks
2012-09-10 13:01 . 2012-09-10 13:01 -------- d-----w- c:\windows\system32\LogFiles
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-09-07 21:04 . 2010-04-18 07:20 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-08-28 15:14 . 2006-03-04 03:33 916992 ----a-w- c:\windows\system32\wininet.dll
2012-08-28 15:14 . 2004-08-04 10:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-08-28 15:14 . 2004-08-04 10:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-08-28 12:07 . 2004-08-04 10:00 385024 ----a-w- c:\windows\system32\html.iec
2012-08-21 18:27 . 2012-06-10 16:11 404680 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-08-21 09:13 . 2011-04-17 02:05 729752 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-08-21 09:13 . 2010-04-18 07:17 54232 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2012-08-21 09:13 . 2010-04-18 07:17 355632 ----a-w- c:\windows\system32\drivers\aswSP.sys
2012-08-21 09:13 . 2010-04-18 07:17 97608 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2012-08-21 09:13 . 2010-04-18 07:17 89624 ----a-w- c:\windows\system32\drivers\aswmon.sys
2012-08-21 09:13 . 2010-04-18 07:17 35928 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2012-08-21 09:13 . 2010-04-18 07:17 25256 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2012-08-21 09:13 . 2010-04-18 07:17 21256 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2012-08-21 09:12 . 2010-08-05 03:47 41224 ----a-w- c:\windows\avastSS.scr
2012-08-21 09:12 . 2010-04-18 07:17 227648 ----a-w- c:\windows\system32\aswBoot.exe
2010-03-11 04:01 . 2010-03-11 04:01 124272 ----a-w- c:\program files\mozilla firefox\plugins\CCMSDK.dll
2010-03-11 04:40 . 2010-03-11 04:40 13168 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
2010-03-11 04:02 . 2010-03-11 04:02 70512 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll
2010-03-11 04:01 . 2010-03-11 04:01 91504 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll
2010-03-11 04:01 . 2010-03-11 04:01 22384 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll
2010-03-11 04:00 . 2010-03-11 04:00 255344 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll
2010-03-11 04:01 . 2010-03-11 04:01 31088 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll
2010-03-11 04:01 . 2010-03-11 04:01 40304 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll
2009-10-05 17:49 . 2009-10-05 17:49 652640 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2010-03-11 04:02 . 2010-03-11 04:02 23920 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-08-21 09:12 121528 ----a-w- c:\program files\Alwil Software\Avast5\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Spotify Web Helper"="c:\documents and settings\Greg\Application Data\Spotify\Data\SpotifyWebHelper.exe" [2012-07-01 932528]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2008-10-24 2220032]
"ConnectionCenter"="c:\program files\Citrix\ICA Client\concentr.exe" [2010-03-11 300400]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-06-09 13537280]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-19 421888]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]
.
c:\documents and settings\Greg\Start Menu\Programs\Startup\
explorer.exe [2012-10-3 46592]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2010-4-18 50688]
VPN Client.lnk - c:\windows\Installer\{1CE60928-8325-49A8-8B06-633E48DD2B67}\Icon3E5562ED7.ico [2012-9-21 6144]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
.
R1 A2DDA;A2 Direct Disk Access Support Driver;c:\documents and settings\Greg\Desktop\EmsisoftEmergencyKit\Run\a2ddax86.sys [7/8/2012 11:13 PM 17904]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [4/16/2011 10:05 PM 729752]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [4/18/2010 3:17 AM 355632]
R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [10/5/2009 10:08 AM 65584]
R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [8/4/2004 6:00 AM 14336]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [4/18/2010 3:17 AM 21256]
R2 NIHardwareService;NIHardwareService;c:\program files\Common Files\Native Instruments\Hardware\NIHardwareService.exe [3/9/2011 7:08 AM 3857408]
R2 regi;regi;c:\windows\system32\drivers\regi.sys [4/17/2007 8:09 PM 11032]
S3 NWUSBCDFIL;Novatel Wireless Installation CD;c:\windows\system32\drivers\NwUsbCdFil.sys [7/8/2010 10:52 AM 20480]
S3 NWUSBModem_000;Novatel Wireless USB Modem Driver (vGEN);c:\windows\system32\drivers\nwusbmdm_000.sys [7/8/2010 10:52 AM 176384]
S3 NWUSBPort_000;Novatel Wireless USB Status Port Driver (vGEN);c:\windows\system32\drivers\nwusbser_000.sys [7/8/2010 10:52 AM 176384]
S3 NWUSBPort2_000;Novatel Wireless USB Status2 Port Driver (vGEN);c:\windows\system32\drivers\nwusbser2_000.sys [7/8/2010 10:52 AM 176384]
S3 qrkis;Tether Miniport;c:\windows\system32\drivers\qrkis.sys [11/25/2011 1:08 PM 45608]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder
.
2012-09-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 15:50]
.
2012-10-05 c:\windows\Tasks\avast! Emergency Update.job
- c:\program files\Alwil Software\Avast5\AvastEmUpdate.exe [2012-07-09 09:12]
.
2012-09-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1960408961-1614895754-725345543-1003Core.job
- c:\documents and settings\Greg\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-08-22 16:30]
.
2012-10-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1960408961-1614895754-725345543-1003UA.job
- c:\documents and settings\Greg\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-08-22 16:30]
.
2012-10-05 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2010-04-18 02:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: ed.gov\fpass
Trusted Zone: ed.gov\www.fpass
TCP: DhcpNameServer = 192.168.1.1
DPF: vzTCPConfig - hxxp://my.verizon.com/micro/speedoptimizer/fios/vzTCPConfig.CAB
FF - ProfilePath - c:\documents and settings\Greg\Application Data\Mozilla\Firefox\Profiles\hig1dv12.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: avast! WebRep: wrc@avast.com - c:\program files\Alwil Software\Avast5\WebRep\FF
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-10-05 12:43
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
C:\avast! sandbox
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Akamai]
"ServiceDll"="c:\program files\common files\akamai/netsession_win_5891ae0.dll"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1152)
c:\windows\System32\BCMLogon.dll
.
- - - - - - - > 'explorer.exe'(452)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Common Files\Protexis\License Service\PsiService_2.exe
c:\program files\SigmaTel\C-Major Audio\WDM\STacSV.exe
c:\windows\system32\SearchIndexer.exe
c:\program files\Citrix\ICA Client\wfcrun32.exe
.
**************************************************************************
.
Completion time: 2012-10-05 12:48:23 - machine was rebooted
ComboFix-quarantined-files.txt 2012-10-05 16:48
.
Pre-Run: 70,938,763,264 bytes free
Post-Run: 71,743,049,728 bytes free
.
- - End Of File - - 9CA54C088E985FD828FC3A489723BE2B

Edited by wildzero, 05 October 2012 - 11:53 AM.


#8 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:08:01 AM

Posted 05 October 2012 - 11:55 AM

Greetings

I want you to run these next,

tdsskiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please download aswMBR to your desktop.
  • Double-click the aswMBR.exe icon to run it.
  • It will ask to download extra definitions - ALLOW IT.
  • Click the Scan button to start the scan.
  • On completion of the scan, click the Save log button, save it to your desktop and post it in your next reply.

If you have any problems running either one, come back and let me know.

Please reply with the reports from TDSSKiller and aswMBR.

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free; however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University
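The TDSSKiller report requested above is long (one entry per service and driver) and a reader has to pick the few non-"ok" lines out of hundreds. The following is an added example, written for this page and not code from the thread, from BleepingComputer or from Kaspersky: a small Python parser for the TDSSKiller 2.8 log format as it appears in this thread ("[ md5 ] name path", "name - ok", "Suspicious file (Hidden): path. md5: X", "name ( verdict ) - warning", "name - detected verdict (n)"). It folds the lines into one record per scanned object and reports only the flagged ones with their MD5 and path, so the hash can be looked up before acting on a generic heuristic verdict such as HiddenFile.Multi.Generic. The sample log lines are constructed for the example, modelled on the log posted later in this thread, and the regular expressions are the author's assumptions about the format, not a published grammar.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample, modelled on the TDSSKiller 2.8 log format shown in this thread.
# The service names, hashes and paths are illustrative, not a real scan result.
SAMPLE_LOG = r"""
13:07:38.0828 2216 Scan started
13:07:39.0812 2216 [ C07D5197410AAB28D0D93F943F59656D ] 6to4 C:\WINDOWS\System32\6to4svc.dll
13:07:39.0828 2216 6to4 - ok
13:07:40.0140 2216 Abiosdsk - ok
13:07:40.0937 2216 [ 0923671CF87CD511E46D4668B53F5E76 ] Akamai c:\program files\common files\akamai/netsession_win_5891ae0.dll
13:07:40.0937 2216 Suspicious file (Hidden): c:\program files\common files\akamai/netsession_win_5891ae0.dll. md5: 0923671CF87CD511E46D4668B53F5E76
13:07:40.0953 2216 Akamai ( HiddenFile.Multi.Generic ) - warning
13:07:40.0953 2216 Akamai - detected HiddenFile.Multi.Generic (1)
13:07:41.0265 2216 [ 2E3E53A6AEF23E24F402C7855B9B1542 ] Apple Mobile Device C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
13:07:41.0265 2216 Apple Mobile Device - ok
"""

# Every line is "HH:MM:SS.mmmm <pid> <body>"; only the body carries information.
LINE = re.compile(r"^\d\d:\d\d:\d\d\.\d+\s+\d+\s+(?P<body>.*)$")
# "[ <md5> ] <name> <drive>:<path>": the name may contain spaces, the path starts at a drive letter.
ENTRY = re.compile(r"^\[ (?P<md5>[0-9A-Fa-f]{32}) \] (?P<name>.+?) (?P<path>[A-Za-z]:[\\/].*)$")
HIDDEN = re.compile(r"^Suspicious file \(Hidden\): (?P<path>.+)\. md5: (?P<md5>[0-9A-Fa-f]{32})$")
WARNING = re.compile(r"^(?P<name>.+?) \( (?P<verdict>.+?) \) - warning$")
DETECTED = re.compile(r"^(?P<name>.+?) - detected (?P<verdict>.+?) \(\d+\)$")
OK = re.compile(r"^(?P<name>.+?) - ok$")


@dataclass
class Entry:
    name: str
    md5: Optional[str] = None
    path: Optional[str] = None
    status: str = "unknown"          # ok | warning | detected | unknown
    verdicts: List[str] = field(default_factory=list)
    hidden: bool = False             # set when a "Suspicious file (Hidden)" line names this path


def parse_tdsskiller_log(text: str) -> Dict[str, Entry]:
    """Fold the per-line log into one record per scanned service or driver, keyed by name."""
    entries: Dict[str, Entry] = {}

    def get(name: str) -> Entry:
        return entries.setdefault(name, Entry(name=name))

    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue                                   # banner, blank or separator line
        body = m.group("body")
        if (e := ENTRY.match(body)):
            ent = get(e.group("name"))
            ent.md5, ent.path = e.group("md5").upper(), e.group("path")
        elif (h := HIDDEN.match(body)):
            # The hidden-file line names a path, not a service; attach it to the matching record.
            for ent in entries.values():
                if ent.path and ent.path.lower() == h.group("path").lower():
                    ent.hidden = True
        elif (w := WARNING.match(body)):
            ent = get(w.group("name"))
            ent.status = "warning"
            if w.group("verdict") not in ent.verdicts:
                ent.verdicts.append(w.group("verdict"))
        elif (d := DETECTED.match(body)):
            ent = get(d.group("name"))
            ent.status = "detected"                    # "detected" outranks an earlier "warning"
            if d.group("verdict") not in ent.verdicts:
                ent.verdicts.append(d.group("verdict"))
        elif (o := OK.match(body)):
            ent = get(o.group("name"))
            if ent.status == "unknown":                # never downgrade a verdict to ok
                ent.status = "ok"
    return entries


def flagged(entries: Dict[str, Entry]) -> List[Entry]:
    """Everything TDSSKiller did not mark '- ok', worst first."""
    rank = {"detected": 0, "warning": 1, "unknown": 2}
    return sorted((e for e in entries.values() if e.status != "ok"),
                  key=lambda e: (rank.get(e.status, 9), e.name))


def triage_report(text: str) -> List[str]:
    """One line per flagged entry with verdict, hash and path, ready for a hash lookup."""
    lines = []
    for e in flagged(parse_tdsskiller_log(text)):
        verdicts = ", ".join(e.verdicts) or "no verdict"
        hidden = " [hidden]" if e.hidden else ""
        lines.append(f"{e.status.upper():8} {e.name}{hidden}: {verdicts}; md5={e.md5}; path={e.path}")
    return lines


if __name__ == "__main__":
    for line in triage_report(SAMPLE_LOG):
        print(line)
```

Run it against a saved TDSSKiller.[Version]_[Date]_[Time]_log.txt by reading the file into `triage_report`. On the constructed sample it prints a single line for the Akamai service: detected, hidden, with the MD5 to look up. A HiddenFile verdict only says the file was not visible through the normal file API, so the hash lookup, not the verdict alone, is what should decide whether the entry is cured or skipped.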

#9 wildzero

wildzero
  • Topic Starter

  • Members
  • 145 posts
  • Local time:08:01 AM

Posted 05 October 2012 - 01:09 PM

13:07:35.0515 3980 TDSS rootkit removing tool 2.8.10.0 Sep 17 2012 19:23:24
13:07:35.0812 3980 ============================================================
13:07:35.0812 3980 Current date / time: 2012/10/05 13:07:35.0812
13:07:35.0812 3980 SystemInfo:
13:07:35.0812 3980
13:07:35.0812 3980 OS Version: 5.1.2600 ServicePack: 3.0
13:07:35.0812 3980 Product type: Workstation
13:07:35.0812 3980 ComputerName: GREGLAPTOP
13:07:35.0812 3980 UserName: Greg
13:07:35.0812 3980 Windows directory: C:\WINDOWS
13:07:35.0812 3980 System windows directory: C:\WINDOWS
13:07:35.0812 3980 Processor architecture: Intel x86
13:07:35.0812 3980 Number of processors: 2
13:07:35.0812 3980 Page size: 0x1000
13:07:35.0812 3980 Boot type: Normal boot
13:07:35.0812 3980 ============================================================
13:07:36.0203 3980 Drive \Device\Harddisk0\DR0 - Size: 0x3A38B2E000 (232.89 Gb), SectorSize: 0x200, Cylinders: 0x76C1, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000050
13:07:36.0218 3980 ============================================================
13:07:36.0218 3980 \Device\Harddisk0\DR0:
13:07:36.0218 3980 MBR partitions:
13:07:36.0218 3980 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x2738A, BlocksNum 0x1CC9E831
13:07:36.0234 3980 ============================================================
13:07:36.0296 3980 C: <-> \Device\Harddisk0\DR0\Partition1
13:07:36.0296 3980 ============================================================
13:07:36.0296 3980 Initialize success
13:07:36.0296 3980 ============================================================
13:07:38.0828 2216 ============================================================
13:07:38.0828 2216 Scan started
13:07:38.0828 2216 Mode: Manual;
13:07:38.0828 2216 ============================================================
13:07:39.0265 2216 ================ Scan system memory ========================
13:07:39.0265 2216 System memory - ok
13:07:39.0265 2216 ================ Scan services =============================
13:07:39.0812 2216 [ C07D5197410AAB28D0D93F943F59656D ] 6to4 C:\WINDOWS\System32\6to4svc.dll
13:07:39.0828 2216 6to4 - ok
13:07:40.0046 2216 [ F7EABCA8375EA2DC6F35C4BCA4757515 ] A2DDA C:\Documents and Settings\Greg\Desktop\EmsisoftEmergencyKit\Run\a2ddax86.sys
13:07:40.0046 2216 A2DDA - ok
13:07:40.0125 2216 [ 0352A73CD6B1782EA3ED7A03A8268F55 ] Aavmker4 C:\WINDOWS\system32\drivers\Aavmker4.sys
13:07:40.0140 2216 Aavmker4 - ok
13:07:40.0140 2216 Abiosdsk - ok
13:07:40.0156 2216 abp480n5 - ok
13:07:40.0171 2216 [ 8FD99680A539792A30E97944FDAECF17 ] ACPI C:\WINDOWS\system32\DRIVERS\ACPI.sys
13:07:40.0171 2216 ACPI - ok
13:07:40.0250 2216 [ 9859C0F6936E723E4892D7141B1327D5 ] ACPIEC C:\WINDOWS\system32\drivers\ACPIEC.sys
13:07:40.0250 2216 ACPIEC - ok
13:07:40.0250 2216 adpu160m - ok
13:07:40.0328 2216 [ 8BED39E3C35D6A489438B8141717A557 ] aec C:\WINDOWS\system32\drivers\aec.sys
13:07:40.0328 2216 aec - ok
13:07:40.0406 2216 [ 1E44BC1E83D8FD2305F8D452DB109CF9 ] AFD C:\WINDOWS\System32\drivers\afd.sys
13:07:40.0406 2216 AFD - ok
13:07:40.0421 2216 Aha154x - ok
13:07:40.0421 2216 aic78u2 - ok
13:07:40.0437 2216 aic78xx - ok
13:07:40.0937 2216 [ 0923671CF87CD511E46D4668B53F5E76 ] Akamai c:\program files\common files\akamai/netsession_win_5891ae0.dll
13:07:40.0937 2216 Suspicious file (Hidden): c:\program files\common files\akamai/netsession_win_5891ae0.dll. md5: 0923671CF87CD511E46D4668B53F5E76
13:07:40.0953 2216 Akamai ( HiddenFile.Multi.Generic ) - warning
13:07:40.0953 2216 Akamai - detected HiddenFile.Multi.Generic (1)
13:07:41.0015 2216 [ A9A3DAA780CA6C9671A19D52456705B4 ] Alerter C:\WINDOWS\system32\alrsvc.dll
13:07:41.0015 2216 Alerter - ok
13:07:41.0046 2216 [ 8C515081584A38AA007909CD02020B3D ] ALG C:\WINDOWS\System32\alg.exe
13:07:41.0046 2216 ALG - ok
13:07:41.0046 2216 AliIde - ok
13:07:41.0062 2216 amsint - ok
13:07:41.0140 2216 [ EC94E05B76D033B74394E7B2175103CF ] APPDRV C:\WINDOWS\SYSTEM32\DRIVERS\APPDRV.SYS
13:07:41.0156 2216 APPDRV - ok
13:07:41.0265 2216 [ 2E3E53A6AEF23E24F402C7855B9B1542 ] Apple Mobile Device C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
13:07:41.0265 2216 Apple Mobile Device - ok
13:07:41.0359 2216 [ D8849F77C0B66226335A59D26CB4EDC6 ] AppMgmt C:\WINDOWS\System32\appmgmts.dll
13:07:41.0359 2216 AppMgmt - ok
13:07:41.0640 2216 [ B5B8A80875C1DEDEDA8B02765642C32F ] Arp1394 C:\WINDOWS\system32\DRIVERS\arp1394.sys
13:07:41.0640 2216 Arp1394 - ok
13:07:41.0656 2216 asc - ok
13:07:41.0656 2216 asc3350p - ok
13:07:41.0671 2216 asc3550 - ok
13:07:41.0828 2216 [ 0E5E4957549056E2BF2C49F4F6B601AD ] aspnet_state C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
13:07:41.0843 2216 aspnet_state - ok
13:07:41.0906 2216 [ F5DC168BF77572D51BE28BA261B30CB4 ] aswFsBlk C:\WINDOWS\system32\drivers\aswFsBlk.sys
13:07:41.0906 2216 aswFsBlk - ok
13:07:41.0953 2216 [ 2B9B1DF809E965EF63402CBBA6DB50AE ] aswMon2 C:\WINDOWS\system32\drivers\aswMon2.sys
13:07:41.0953 2216 aswMon2 - ok
13:07:41.0953 2216 [ B7D5E4486BA658ED08624D8084ABB830 ] aswRdr C:\WINDOWS\system32\drivers\aswRdr.sys
13:07:41.0968 2216 aswRdr - ok
13:07:42.0062 2216 [ 30E45AF8B4D83176CA850FC9699E860B ] aswSnx C:\WINDOWS\system32\drivers\aswSnx.sys
13:07:42.0078 2216 aswSnx - ok
13:07:42.0156 2216 [ F04BDBCB965C05C51F4A7DE7B62063D6 ] aswSP C:\WINDOWS\system32\drivers\aswSP.sys
13:07:42.0156 2216 aswSP - ok
13:07:42.0187 2216 [ DFE9152ABFA89BB8CFDC057409B2D4DA ] aswTdi C:\WINDOWS\system32\drivers\aswTdi.sys
13:07:42.0187 2216 aswTdi - ok
13:07:42.0218 2216 [ B153AFFAC761E7F5FCFA822B9C4E97BC ] AsyncMac C:\WINDOWS\system32\DRIVERS\asyncmac.sys
13:07:42.0218 2216 AsyncMac - ok
13:07:42.0250 2216 [ 9F3A2F5AA6875C72BF062C712CFA2674 ] atapi C:\WINDOWS\system32\DRIVERS\atapi.sys
13:07:42.0250 2216 atapi - ok
13:07:42.0265 2216 Atdisk - ok
13:07:42.0312 2216 [ 9916C1225104BA14794209CFA8012159 ] Atmarpc C:\WINDOWS\system32\DRIVERS\atmarpc.sys
13:07:42.0312 2216 Atmarpc - ok
13:07:42.0375 2216 [ DEF7A7882BEC100FE0B2CE2549188F9D ] AudioSrv C:\WINDOWS\System32\audiosrv.dll
13:07:42.0390 2216 AudioSrv - ok
13:07:42.0437 2216 [ D9F724AA26C010A217C97606B160ED68 ] audstub C:\WINDOWS\system32\DRIVERS\audstub.sys
13:07:42.0437 2216 audstub - ok
13:07:42.0531 2216 [ 04AC21E821F259845BD7367CEE057290 ] avast! Antivirus C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
13:07:42.0531 2216 avast! Antivirus - ok
13:07:42.0656 2216 [ 9208C78BD9283F79A30252AD954C77A2 ] BCM43XX C:\WINDOWS\system32\DRIVERS\bcmwl5.sys
13:07:42.0718 2216 BCM43XX - ok
13:07:42.0781 2216 [ DA1F27D85E0D1525F6621372E7B685E9 ] Beep C:\WINDOWS\system32\drivers\Beep.sys
13:07:42.0781 2216 Beep - ok
13:07:42.0875 2216 [ 574738F61FCA2935F5265DC4E5691314 ] BITS C:\WINDOWS\system32\qmgr.dll
13:07:42.0906 2216 BITS - ok
13:07:42.0984 2216 [ 5AB58C337AC65837FE404462AD6265AB ] Bonjour Service C:\Program Files\Bonjour\mDNSResponder.exe
13:07:43.0000 2216 Bonjour Service - ok
13:07:43.0062 2216 [ CFD4E51402DA9838B5A04AE680AF54A0 ] Browser C:\WINDOWS\System32\browser.dll
13:07:43.0062 2216 Browser - ok
13:07:43.0062 2216 catchme - ok
13:07:43.0109 2216 [ 90A673FC8E12A79AFBED2576F6A7AAF9 ] cbidf2k C:\WINDOWS\system32\drivers\cbidf2k.sys
13:07:43.0109 2216 cbidf2k - ok
13:07:43.0125 2216 cd20xrnt - ok
13:07:43.0171 2216 [ C1B486A7658353D33A10CC15211A873B ] Cdaudio C:\WINDOWS\system32\drivers\Cdaudio.sys
13:07:43.0187 2216 Cdaudio - ok
13:07:43.0218 2216 [ C885B02847F5D2FD45A24E219ED93B32 ] Cdfs C:\WINDOWS\system32\drivers\Cdfs.sys
13:07:43.0218 2216 Cdfs - ok
13:07:43.0234 2216 [ 1F4260CC5B42272D71F79E570A27A4FE ] Cdrom C:\WINDOWS\system32\DRIVERS\cdrom.sys
13:07:43.0234 2216 Cdrom - ok
13:07:43.0265 2216 [ 84853B3FD012251690570E9E7E43343F ] cercsr6 C:\WINDOWS\system32\drivers\cercsr6.sys
13:07:43.0265 2216 cercsr6 - ok
13:07:43.0281 2216 Changer - ok
13:07:43.0328 2216 [ 1CFE720EB8D93A7158A4EBC3AB178BDE ] CiSvc C:\WINDOWS\system32\cisvc.exe
13:07:43.0343 2216 CiSvc - ok
13:07:43.0343 2216 [ 34CBE729F38138217F9C80212A2A0C82 ] ClipSrv C:\WINDOWS\system32\clipsrv.exe
13:07:43.0343 2216 ClipSrv - ok
13:07:43.0375 2216 [ D87ACAED61E417BBA546CED5E7E36D9C ] clr_optimization_v2.0.50727_32 C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
13:07:43.0390 2216 clr_optimization_v2.0.50727_32 - ok
13:07:43.0421 2216 [ 0F6C187D38D98F8DF904589A5F94D411 ] CmBatt C:\WINDOWS\system32\DRIVERS\CmBatt.sys
13:07:43.0421 2216 CmBatt - ok
13:07:43.0437 2216 CmdIde - ok
13:07:43.0437 2216 [ 6E4C9F21F0FAE8940661144F41B13203 ] Compbatt C:\WINDOWS\system32\DRIVERS\compbatt.sys
13:07:43.0437 2216 Compbatt - ok
13:07:43.0453 2216 COMSysApp - ok
13:07:43.0468 2216 Cpqarray - ok
13:07:43.0578 2216 [ 3D4E199942E29207970E04315D02AD3B ] CryptSvc C:\WINDOWS\System32\cryptsvc.dll
13:07:43.0578 2216 CryptSvc - ok
13:07:43.0593 2216 [ CB6FF7012BB5D59D7C12350DB795CE1F ] ctxusbm C:\WINDOWS\system32\DRIVERS\ctxusbm.sys
13:07:43.0593 2216 ctxusbm - ok
13:07:43.0656 2216 [ B5ECADF7708960F1818C7FA015F4C239 ] CVirtA C:\WINDOWS\system32\DRIVERS\CVirtA.sys
13:07:43.0656 2216 CVirtA - ok
13:07:43.0781 2216 [ 30443EEF52F5FB043654859EAA8E5247 ] CVPND C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
13:07:43.0843 2216 CVPND - ok
13:07:43.0921 2216 [ CB90B2762B1A1D0B40496400C55B6ADE ] CVPNDRVA C:\WINDOWS\system32\Drivers\CVPNDRVA.sys
13:07:43.0921 2216 CVPNDRVA - ok
13:07:43.0921 2216 dac2w2k - ok
13:07:43.0937 2216 dac960nt - ok
13:07:44.0000 2216 [ 6B27A5C03DFB94B4245739065431322C ] DcomLaunch C:\WINDOWS\system32\rpcss.dll
13:07:44.0015 2216 DcomLaunch - ok
13:07:44.0062 2216 [ 5E38D7684A49CACFB752B046357E0589 ] Dhcp C:\WINDOWS\System32\dhcpcsvc.dll
13:07:44.0078 2216 Dhcp - ok
13:07:44.0093 2216 [ 044452051F3E02E7963599FC8F4F3E25 ] Disk C:\WINDOWS\system32\DRIVERS\disk.sys
13:07:44.0093 2216 Disk - ok
13:07:44.0171 2216 [ 0659E6E0A95564F958D9DF7313F7701E ] DLABMFSM C:\WINDOWS\system32\DLA\DLABMFSM.SYS
13:07:44.0171 2216 DLABMFSM - ok
13:07:44.0171 2216 [ 8691C78908F0BD66170669DB268369F2 ] DLABOIOM C:\WINDOWS\system32\DLA\DLABOIOM.SYS
13:07:44.0171 2216 DLABOIOM - ok
13:07:44.0203 2216 [ 76167B5EB2DFFC729EDC36386876B40B ] DLACDBHM C:\WINDOWS\system32\Drivers\DLACDBHM.SYS
13:07:44.0203 2216 DLACDBHM - ok
13:07:44.0234 2216 [ 5615744A1056933B90E6AC54FEB86F35 ] DLADResM C:\WINDOWS\system32\DLA\DLADResM.SYS
13:07:44.0234 2216 DLADResM - ok
13:07:44.0250 2216 [ 1AECA2AFA5005CE4A550CF8EB55A8C88 ] DLAIFS_M C:\WINDOWS\system32\DLA\DLAIFS_M.SYS
13:07:44.0250 2216 DLAIFS_M - ok
13:07:44.0265 2216 [ 840E7F6ABB885C72B9FFDDB022EF5B6D ] DLAOPIOM C:\WINDOWS\system32\DLA\DLAOPIOM.SYS
13:07:44.0265 2216 DLAOPIOM - ok
13:07:44.0265 2216 [ 0294D18731AC05DA80132CE88F8A876B ] DLAPoolM C:\WINDOWS\system32\DLA\DLAPoolM.SYS
13:07:44.0265 2216 DLAPoolM - ok
13:07:44.0281 2216 [ 91886FED52A3F9966207BCE46CFD794F ] DLARTL_M C:\WINDOWS\system32\Drivers\DLARTL_M.SYS
13:07:44.0281 2216 DLARTL_M - ok
13:07:44.0296 2216 [ CCA4E121D599D7D1706A30F603731E59 ] DLAUDFAM C:\WINDOWS\system32\DLA\DLAUDFAM.SYS
13:07:44.0296 2216 DLAUDFAM - ok
13:07:44.0296 2216 [ 7DAB85C33135DF24419951DA4E7D38E5 ] DLAUDF_M C:\WINDOWS\system32\DLA\DLAUDF_M.SYS
13:07:44.0296 2216 DLAUDF_M - ok
13:07:44.0312 2216 dmadmin - ok
13:07:44.0359 2216 [ D992FE1274BDE0F84AD826ACAE022A41 ] dmboot C:\WINDOWS\system32\drivers\dmboot.sys
13:07:44.0390 2216 dmboot - ok
13:07:44.0406 2216 [ 7C824CF7BBDE77D95C08005717A95F6F ] dmio C:\WINDOWS\system32\drivers\dmio.sys
13:07:44.0421 2216 dmio - ok
13:07:44.0421 2216 [ E9317282A63CA4D188C0DF5E09C6AC5F ] dmload C:\WINDOWS\system32\drivers\dmload.sys
13:07:44.0421 2216 dmload - ok
13:07:44.0484 2216 [ 57EDEC2E5F59F0335E92F35184BC8631 ] dmserver C:\WINDOWS\System32\dmserver.dll
13:07:44.0484 2216 dmserver - ok
13:07:44.0500 2216 [ 8A208DFCF89792A484E76C40E5F50B45 ] DMusic C:\WINDOWS\system32\drivers\DMusic.sys
13:07:44.0500 2216 DMusic - ok
13:07:44.0562 2216 [ B5AA5AA5AC327BD7C1AEC0C58F0C1144 ] DNE C:\WINDOWS\system32\DRIVERS\dne2000.sys
13:07:44.0562 2216 DNE - ok
13:07:44.0609 2216 [ 5F7E24FA9EAB896051FFB87F840730D2 ] Dnscache C:\WINDOWS\System32\dnsrslvr.dll
13:07:44.0609 2216 Dnscache - ok
13:07:44.0703 2216 [ 0F0F6E687E5E15579EF4DA8DD6945814 ] Dot3svc C:\WINDOWS\System32\dot3svc.dll
13:07:44.0703 2216 Dot3svc - ok
13:07:44.0718 2216 dpti2o - ok
13:07:44.0750 2216 [ 8F5FCFF8E8848AFAC920905FBD9D33C8 ] drmkaud C:\WINDOWS\system32\drivers\drmkaud.sys
13:07:44.0765 2216 drmkaud - ok
13:07:44.0828 2216 [ C00440385CF9F3D142917C63F989E244 ] DRVMCDB C:\WINDOWS\system32\Drivers\DRVMCDB.SYS
13:07:44.0843 2216 DRVMCDB - ok
13:07:44.0843 2216 [ 6E6AB29D3C06E64CE81FEACDA85394B5 ] DRVNDDM C:\WINDOWS\system32\Drivers\DRVNDDM.SYS
13:07:44.0843 2216 DRVNDDM - ok
13:07:44.0921 2216 [ 0C8762B91B967A91373E0E022B62ACFC ] DXEC02 C:\WINDOWS\system32\drivers\dxec02.sys
13:07:44.0937 2216 DXEC02 - ok
13:07:44.0968 2216 [ 2187855A7703ADEF0CEF9EE4285182CC ] EapHost C:\WINDOWS\System32\eapsvc.dll
13:07:44.0968 2216 EapHost - ok
13:07:45.0031 2216 [ BC93B4A066477954555966D77FEC9ECB ] ERSvc C:\WINDOWS\System32\ersvc.dll
13:07:45.0046 2216 ERSvc - ok
13:07:45.0109 2216 [ 65DF52F5B8B6E9BBD183505225C37315 ] Eventlog C:\WINDOWS\system32\services.exe
13:07:45.0125 2216 Eventlog - ok
13:07:45.0187 2216 [ D4991D98F2DB73C60D042F1AEF79EFAE ] EventSystem C:\WINDOWS\system32\es.dll
13:07:45.0203 2216 EventSystem - ok
13:07:45.0265 2216 [ 38D332A6D56AF32635675F132548343E ] Fastfat C:\WINDOWS\system32\drivers\Fastfat.sys
13:07:45.0281 2216 Fastfat - ok
13:07:45.0359 2216 [ 99BC0B50F511924348BE19C7C7313BBF ] FastUserSwitchingCompatibility C:\WINDOWS\System32\shsvcs.dll
13:07:45.0375 2216 FastUserSwitchingCompatibility - ok
13:07:45.0390 2216 [ 92CDD60B6730B9F50F6A1A0C1F8CDC81 ] Fdc C:\WINDOWS\system32\drivers\Fdc.sys
13:07:45.0390 2216 Fdc - ok
13:07:45.0406 2216 [ D45926117EB9FA946A6AF572FBE1CAA3 ] Fips C:\WINDOWS\system32\drivers\Fips.sys
13:07:45.0406 2216 Fips - ok
13:07:45.0437 2216 [ 9D27E7B80BFCDF1CDD9B555862D5E7F0 ] Flpydisk C:\WINDOWS\system32\drivers\Flpydisk.sys
13:07:45.0453 2216 Flpydisk - ok
13:07:45.0484 2216 [ B2CF4B0786F8212CB92ED2B50C6DB6B0 ] FltMgr C:\WINDOWS\system32\drivers\fltmgr.sys
13:07:45.0500 2216 FltMgr - ok
13:07:45.0578 2216 [ 8BA7C024070F2B7FDD98ED8A4BA41789 ] FontCache3.0.0.0 C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
13:07:45.0578 2216 FontCache3.0.0.0 - ok
13:07:45.0625 2216 [ 3E1E2BD4F39B0E2B7DC4F4D2BCC2779A ] Fs_Rec C:\WINDOWS\system32\drivers\Fs_Rec.sys
13:07:45.0625 2216 Fs_Rec - ok
13:07:45.0656 2216 [ 6AC26732762483366C3969C9E4D2259D ] Ftdisk C:\WINDOWS\system32\DRIVERS\ftdisk.sys
13:07:45.0656 2216 Ftdisk - ok
13:07:45.0718 2216 [ 8182FF89C65E4D38B2DE4BB0FB18564E ] GEARAspiWDM C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
13:07:45.0734 2216 GEARAspiWDM - ok
13:07:45.0796 2216 [ 0A02C63C8B144BD8C86B103DEE7C86A2 ] Gpc C:\WINDOWS\system32\DRIVERS\msgpc.sys
13:07:45.0796 2216 Gpc - ok
13:07:45.0890 2216 [ 573C7D0A32852B48F3058CFD8026F511 ] HDAudBus C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
13:07:45.0890 2216 HDAudBus - ok
13:07:46.0046 2216 [ 4FCCA060DFE0C51A09DD5C3843888BCD ] helpsvc C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll
13:07:46.0046 2216 helpsvc - ok
13:07:46.0109 2216 [ DEB04DA35CC871B6D309B77E1443C796 ] HidServ C:\WINDOWS\System32\hidserv.dll
13:07:46.0125 2216 HidServ - ok
13:07:46.0125 2216 [ CCF82C5EC8A7326C3066DE870C06DAF1 ] HidUsb C:\WINDOWS\system32\DRIVERS\hidusb.sys
13:07:46.0125 2216 HidUsb - ok
13:07:46.0187 2216 [ 8878BD685E490239777BFE51320B88E9 ] hkmsvc C:\WINDOWS\System32\kmsvc.dll
13:07:46.0203 2216 hkmsvc - ok
13:07:46.0203 2216 hpn - ok
13:07:46.0250 2216 [ 9F1D80908658EB7F1BF70809E0B51470 ] HPZid412 C:\WINDOWS\system32\DRIVERS\HPZid412.sys
13:07:46.0250 2216 HPZid412 - ok
13:07:46.0265 2216 [ F7E3E9D50F9CD3DE28085A8FDAA0A1C3 ] HPZipr12 C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
13:07:46.0265 2216 HPZipr12 - ok
13:07:46.0296 2216 [ CF1B7951B4EC8D13F3C93B74BB2B461B ] HPZius12 C:\WINDOWS\system32\DRIVERS\HPZius12.sys
13:07:46.0312 2216 HPZius12 - ok
13:07:46.0359 2216 [ B1526810210980BED9D22315946C919D ] HSFHWAZL C:\WINDOWS\system32\DRIVERS\HSFHWAZL.sys
13:07:46.0375 2216 HSFHWAZL - ok
13:07:46.0468 2216 [ DDBD528E60F5961C142A490DC4EA7780 ] HSF_DPV C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys
13:07:46.0531 2216 HSF_DPV - ok
13:07:46.0609 2216 [ F80A415EF82CD06FFAF0D971528EAD38 ] HTTP C:\WINDOWS\system32\Drivers\HTTP.sys
13:07:46.0625 2216 HTTP - ok
13:07:46.0671 2216 [ 6100A808600F44D999CEBDEF8841C7A3 ] HTTPFilter C:\WINDOWS\System32\w3ssl.dll
13:07:46.0687 2216 HTTPFilter - ok
13:07:46.0703 2216 i2omgmt - ok
13:07:46.0703 2216 i2omp - ok
13:07:46.0828 2216 [ 4A0B06AA8943C1E332520F7440C0AA30 ] i8042prt C:\WINDOWS\system32\DRIVERS\i8042prt.sys
13:07:46.0843 2216 i8042prt - ok
13:07:46.0875 2216 [ 2358C53F30CB9DCD1D3843C4E2F299B2 ] iastor C:\WINDOWS\system32\DRIVERS\iaStor.sys
13:07:46.0890 2216 iastor - ok
13:07:46.0890 2216 [ 083A052659F5310DD8B6A6CB05EDCF8E ] Imapi C:\WINDOWS\system32\DRIVERS\imapi.sys
13:07:46.0890 2216 Imapi - ok
13:07:46.0984 2216 [ 30DEAF54A9755BB8546168CFE8A6B5E1 ] ImapiService C:\WINDOWS\system32\imapi.exe
13:07:46.0984 2216 ImapiService - ok
13:07:47.0000 2216 ini910u - ok
13:07:47.0015 2216 IntelIde - ok
13:07:47.0031 2216 [ 8C953733D8F36EB2133F5BB58808B66B ] intelppm C:\WINDOWS\system32\DRIVERS\intelppm.sys
13:07:47.0031 2216 intelppm - ok
13:07:47.0109 2216 [ 3BB22519A194418D5FEC05D800A19AD0 ] Ip6Fw C:\WINDOWS\system32\drivers\ip6fw.sys
13:07:47.0109 2216 Ip6Fw - ok
13:07:47.0171 2216 [ 731F22BA402EE4B62748ADAF6363C182 ] IpFilterDriver C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
13:07:47.0171 2216 IpFilterDriver - ok
13:07:47.0187 2216 [ B87AB476DCF76E72010632B5550955F5 ] IpInIp C:\WINDOWS\system32\DRIVERS\ipinip.sys
13:07:47.0187 2216 IpInIp - ok
13:07:47.0218 2216 [ CC748EA12C6EFFDE940EE98098BF96BB ] IpNat C:\WINDOWS\system32\DRIVERS\ipnat.sys
13:07:47.0218 2216 IpNat - ok
13:07:47.0312 2216 [ F92048E22CB392BBC3C38EF393C0E4A6 ] iPod Service C:\Program Files\iPod\bin\iPodService.exe
13:07:47.0343 2216 iPod Service - ok
13:07:47.0359 2216 [ 23C74D75E36E7158768DD63D92789A91 ] IPSec C:\WINDOWS\system32\DRIVERS\ipsec.sys
13:07:47.0359 2216 IPSec - ok
13:07:47.0390 2216 [ C93C9FF7B04D772627A3646D89F7BF89 ] IRENUM C:\WINDOWS\system32\DRIVERS\irenum.sys
13:07:47.0390 2216 IRENUM - ok
13:07:47.0421 2216 [ 05A299EC56E52649B1CF2FC52D20F2D7 ] isapnp C:\WINDOWS\system32\DRIVERS\isapnp.sys
13:07:47.0421 2216 isapnp - ok
13:07:47.0546 2216 [ 0A5709543986843D37A92290B7838340 ] JavaQuickStarterService C:\Program Files\Java\jre6\bin\jqs.exe
13:07:47.0546 2216 JavaQuickStarterService - ok
13:07:47.0562 2216 [ 463C1EC80CD17420A542B7F36A36F128 ] Kbdclass C:\WINDOWS\system32\DRIVERS\kbdclass.sys
13:07:47.0578 2216 Kbdclass - ok
13:07:47.0593 2216 [ 692BCF44383D056AED41B045A323D378 ] kmixer C:\WINDOWS\system32\drivers\kmixer.sys
13:07:47.0593 2216 kmixer - ok
13:07:47.0609 2216 [ B467646C54CC746128904E1654C750C1 ] KSecDD C:\WINDOWS\system32\drivers\KSecDD.sys
13:07:47.0609 2216 KSecDD - ok
13:07:47.0687 2216 [ 3A7C3CBE5D96B8AE96CE81F0B22FB527 ] lanmanserver C:\WINDOWS\System32\srvsvc.dll
13:07:47.0703 2216 lanmanserver - ok
13:07:47.0781 2216 [ A8888A5327621856C0CEC4E385F69309 ] lanmanworkstation C:\WINDOWS\System32\wkssvc.dll
13:07:47.0812 2216 lanmanworkstation - ok
13:07:47.0812 2216 lbrtfdc - ok
13:07:47.0890 2216 [ A7DB739AE99A796D91580147E919CC59 ] LmHosts C:\WINDOWS\System32\lmhsvc.dll
13:07:47.0906 2216 LmHosts - ok
13:07:47.0953 2216 [ 0CEA2D0D3FA284B85ED5B68365114F76 ] mdmxsdk C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
13:07:47.0953 2216 mdmxsdk - ok
13:07:47.0984 2216 [ 986B1FF5814366D71E0AC5755C88F2D3 ] Messenger C:\WINDOWS\System32\msgsvc.dll
13:07:48.0000 2216 Messenger - ok
13:07:48.0062 2216 [ 123271BD5237AB991DC5C21FDF8835EB ] Microsoft Office Groove Audit Service C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe
13:07:48.0062 2216 Microsoft Office Groove Audit Service - ok
13:07:48.0093 2216 [ 4AE068242760A1FB6E1A44BF4E16AFA6 ] mnmdd C:\WINDOWS\system32\drivers\mnmdd.sys
13:07:48.0093 2216 mnmdd - ok
13:07:48.0140 2216 [ D18F1F0C101D06A1C1ADF26EED16FCDD ] mnmsrvc C:\WINDOWS\system32\mnmsrvc.exe
13:07:48.0156 2216 mnmsrvc - ok
13:07:48.0156 2216 [ DFCBAD3CEC1C5F964962AE10E0BCC8E1 ] Modem C:\WINDOWS\system32\drivers\Modem.sys
13:07:48.0156 2216 Modem - ok
13:07:48.0218 2216 [ 35C9E97194C8CFB8430125F8DBC34D04 ] Mouclass C:\WINDOWS\system32\DRIVERS\mouclass.sys
13:07:48.0218 2216 Mouclass - ok
13:07:48.0250 2216 [ A80B9A0BAD1B73637DBCBBA7DF72D3FD ] MountMgr C:\WINDOWS\system32\drivers\MountMgr.sys
13:07:48.0250 2216 MountMgr - ok
13:07:48.0250 2216 mraid35x - ok
13:07:48.0265 2216 [ 11D42BB6206F33FBB3BA0288D3EF81BD ] MRxDAV C:\WINDOWS\system32\DRIVERS\mrxdav.sys
13:07:48.0281 2216 MRxDAV - ok
13:07:48.0343 2216 [ 7D304A5EB4344EBEEAB53A2FE3FFB9F0 ] MRxSmb C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
13:07:48.0375 2216 MRxSmb - ok
13:07:48.0375 2216 [ A137F1470499A205ABBB9AAFB3B6F2B1 ] MSDTC C:\WINDOWS\system32\msdtc.exe
13:07:48.0390 2216 MSDTC - ok
13:07:48.0406 2216 [ C941EA2454BA8350021D774DAF0F1027 ] Msfs C:\WINDOWS\system32\drivers\Msfs.sys
13:07:48.0406 2216 Msfs - ok
13:07:48.0406 2216 MSIServer - ok
13:07:48.0421 2216 [ D1575E71568F4D9E14CA56B7B0453BF1 ] MSKSSRV C:\WINDOWS\system32\drivers\MSKSSRV.sys
13:07:48.0421 2216 MSKSSRV - ok
13:07:48.0421 2216 [ 325BB26842FC7CCC1FCCE2C457317F3E ] MSPCLOCK C:\WINDOWS\system32\drivers\MSPCLOCK.sys
13:07:48.0437 2216 MSPCLOCK - ok
13:07:48.0468 2216 [ BAD59648BA099DA4A17680B39730CB3D ] MSPQM C:\WINDOWS\system32\drivers\MSPQM.sys
13:07:48.0468 2216 MSPQM - ok
13:07:48.0500 2216 [ AF5F4F3F14A8EA2C26DE30F7A1E17136 ] mssmbios C:\WINDOWS\system32\DRIVERS\mssmbios.sys
13:07:48.0515 2216 mssmbios - ok
13:07:48.0515 2216 [ DE6A75F5C270E756C5508D94B6CF68F5 ] Mup C:\WINDOWS\system32\drivers\Mup.sys
13:07:48.0531 2216 Mup - ok
13:07:48.0578 2216 [ 0102140028FAD045756796E1C685D695 ] napagent C:\WINDOWS\System32\qagentrt.dll
13:07:48.0625 2216 napagent - ok
13:07:48.0625 2216 [ 1DF7F42665C94B825322FAE71721130D ] NDIS C:\WINDOWS\system32\drivers\NDIS.sys
13:07:48.0640 2216 NDIS - ok
13:07:48.0687 2216 [ 0109C4F3850DFBAB279542515386AE22 ] NdisTapi C:\WINDOWS\system32\DRIVERS\ndistapi.sys
13:07:48.0687 2216 NdisTapi - ok
13:07:48.0703 2216 [ F927A4434C5028758A842943EF1A3849 ] Ndisuio C:\WINDOWS\system32\DRIVERS\ndisuio.sys
13:07:48.0703 2216 Ndisuio - ok
13:07:48.0718 2216 [ EDC1531A49C80614B2CFDA43CA8659AB ] NdisWan C:\WINDOWS\system32\DRIVERS\ndiswan.sys
13:07:48.0718 2216 NdisWan - ok
13:07:48.0750 2216 [ 9282BD12DFB069D3889EB3FCC1000A9B ] NDProxy C:\WINDOWS\system32\drivers\NDProxy.sys
13:07:48.0765 2216 NDProxy - ok
13:07:48.0765 2216 [ 5D81CF9A2F1A3A756B66CF684911CDF0 ] NetBIOS C:\WINDOWS\system32\DRIVERS\netbios.sys
13:07:48.0765 2216 NetBIOS - ok
13:07:48.0812 2216 [ 74B2B2F5BEA5E9A3DC021D685551BD3D ] NetBT C:\WINDOWS\system32\DRIVERS\netbt.sys
13:07:48.0812 2216 NetBT - ok
13:07:48.0890 2216 [ B857BA82860D7FF85AE29B095645563B ] NetDDE C:\WINDOWS\system32\netdde.exe
13:07:48.0906 2216 NetDDE - ok
13:07:48.0906 2216 [ B857BA82860D7FF85AE29B095645563B ] NetDDEdsdm C:\WINDOWS\system32\netdde.exe
13:07:48.0921 2216 NetDDEdsdm - ok
13:07:48.0968 2216 [ BF2466B3E18E970D8A976FB95FC1CA85 ] Netlogon C:\WINDOWS\system32\lsass.exe
13:07:48.0984 2216 Netlogon - ok
13:07:49.0015 2216 [ 13E67B55B3ABD7BF3FE7AAE5A0F9A9DE ] Netman C:\WINDOWS\System32\netman.dll
13:07:49.0031 2216 Netman - ok
13:07:49.0046 2216 [ E9E47CFB2D461FA0FC75B7A74C6383EA ] NIC1394 C:\WINDOWS\system32\DRIVERS\nic1394.sys
13:07:49.0046 2216 NIC1394 - ok
13:07:49.0328 2216 [ F01865222A5C5B220F9B1FD9EB4EE4AD ] NIHardwareService C:\Program Files\Common Files\Native Instruments\Hardware\NIHardwareService.exe
13:07:49.0375 2216 NIHardwareService - ok
13:07:49.0421 2216 [ 943337D786A56729263071623BBB9DE5 ] Nla C:\WINDOWS\System32\mswsock.dll
13:07:49.0437 2216 Nla - ok
13:07:49.0453 2216 [ 3182D64AE053D6FB034F44B6DEF8034A ] Npfs C:\WINDOWS\system32\drivers\Npfs.sys
13:07:49.0453 2216 Npfs - ok
13:07:49.0531 2216 [ 78A08DD6A8D65E697C18E1DB01C5CDCA ] Ntfs C:\WINDOWS\system32\drivers\Ntfs.sys
13:07:49.0531 2216 Ntfs - ok
13:07:49.0546 2216 [ BF2466B3E18E970D8A976FB95FC1CA85 ] NtLmSsp C:\WINDOWS\system32\lsass.exe
13:07:49.0546 2216 NtLmSsp - ok
13:07:49.0593 2216 [ 156F64A3345BD23C600655FB4D10BC08 ] NtmsSvc C:\WINDOWS\system32\ntmssvc.dll
13:07:49.0625 2216 NtmsSvc - ok
13:07:49.0687 2216 [ 73C1E1F395918BC2C6DD67AF7591A3AD ] Null C:\WINDOWS\system32\drivers\Null.sys
13:07:49.0687 2216 Null - ok
13:07:50.0062 2216 [ C116D2B008A1640C4484A1DCD1ABE12C ] nv C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
13:07:50.0390 2216 nv - ok
13:07:50.0421 2216 [ BC6F6D569A0848BA9D38158AE4734A9C ] NVSvc C:\WINDOWS\system32\nvsvc32.exe
13:07:50.0437 2216 NVSvc - ok
13:07:50.0515 2216 [ C83766C4A147159254FF16F1A6C9DC6E ] NWADI C:\WINDOWS\system32\DRIVERS\NWADIenum.sys
13:07:50.0531 2216 NWADI - ok
13:07:50.0578 2216 [ B305F3FAD35083837EF46A0BBCE2FC57 ] NwlnkFlt C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
13:07:50.0578 2216 NwlnkFlt - ok
13:07:50.0593 2216 [ C99B3415198D1AAB7227F2C88FD664B9 ] NwlnkFwd C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
13:07:50.0593 2216 NwlnkFwd - ok
13:07:50.0656 2216 [ 224131778C92AEE8C13AFAC5FBFF19CA ] NWUSBCDFIL C:\WINDOWS\system32\DRIVERS\NwUsbCdFil.sys
13:07:50.0656 2216 NWUSBCDFIL - ok
13:07:50.0656 2216 [ C7FB1635508D0009489A0F7E7743468A ] NWUSBModem_000 C:\WINDOWS\system32\DRIVERS\nwusbmdm_000.sys
13:07:50.0671 2216 NWUSBModem_000 - ok
13:07:50.0687 2216 [ C7FB1635508D0009489A0F7E7743468A ] NWUSBPort2_000 C:\WINDOWS\system32\DRIVERS\nwusbser2_000.sys
13:07:50.0703 2216 NWUSBPort2_000 - ok
13:07:50.0750 2216 [ C7FB1635508D0009489A0F7E7743468A ] NWUSBPort_000 C:\WINDOWS\system32\DRIVERS\nwusbser_000.sys
13:07:50.0750 2216 NWUSBPort_000 - ok
13:07:50.0890 2216 [ 785F487A64950F3CB8E9F16253BA3B7B ] odserv C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE
13:07:50.0906 2216 odserv - ok
13:07:50.0968 2216 [ CA33832DF41AFB202EE7AEB05145922F ] ohci1394 C:\WINDOWS\system32\DRIVERS\ohci1394.sys
13:07:50.0968 2216 ohci1394 - ok
13:07:51.0015 2216 [ 5A432A042DAE460ABE7199B758E8606C ] ose C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
13:07:51.0015 2216 ose - ok
13:07:51.0062 2216 [ 5575FAF8F97CE5E713D108C2A58D7C7C ] Parport C:\WINDOWS\system32\drivers\Parport.sys
13:07:51.0078 2216 Parport - ok
13:07:51.0078 2216 [ BEB3BA25197665D82EC7065B724171C6 ] PartMgr C:\WINDOWS\system32\drivers\PartMgr.sys
13:07:51.0093 2216 PartMgr - ok
13:07:51.0109 2216 [ 70E98B3FD8E963A6A46A2E6247E0BEA1 ] ParVdm C:\WINDOWS\system32\drivers\ParVdm.sys
13:07:51.0109 2216 ParVdm - ok
13:07:51.0125 2216 [ A219903CCF74233761D92BEF471A07B1 ] PCI C:\WINDOWS\system32\DRIVERS\pci.sys
13:07:51.0125 2216 PCI - ok
13:07:51.0140 2216 PCIDump - ok
13:07:51.0140 2216 [ CCF5F451BB1A5A2A522A76E670000FF0 ] PCIIde C:\WINDOWS\system32\DRIVERS\pciide.sys
13:07:51.0140 2216 PCIIde - ok
13:07:51.0156 2216 [ 9E89EF60E9EE05E3F2EEF2DA7397F1C1 ] Pcmcia C:\WINDOWS\system32\drivers\Pcmcia.sys
13:07:51.0171 2216 Pcmcia - ok
13:07:51.0171 2216 PDCOMP - ok
13:07:51.0187 2216 PDFRAME - ok
13:07:51.0187 2216 PDRELI - ok
13:07:51.0203 2216 PDRFRAME - ok
13:07:51.0203 2216 perc2 - ok
13:07:51.0218 2216 perc2hib - ok
13:07:51.0265 2216 [ 65DF52F5B8B6E9BBD183505225C37315 ] PlugPlay C:\WINDOWS\system32\services.exe
13:07:51.0281 2216 PlugPlay - ok
13:07:51.0343 2216 [ 9D84376931440F3679BEEF2A414FA493 ] Pml Driver HPZ12 C:\WINDOWS\system32\HPZipm12.exe
13:07:51.0359 2216 Pml Driver HPZ12 - ok
13:07:51.0359 2216 [ BF2466B3E18E970D8A976FB95FC1CA85 ] PolicyAgent C:\WINDOWS\system32\lsass.exe
13:07:51.0375 2216 PolicyAgent - ok
13:07:51.0390 2216 [ EFEEC01B1D3CF84F16DDD24D9D9D8F99 ] PptpMiniport C:\WINDOWS\system32\DRIVERS\raspptp.sys
13:07:51.0406 2216 PptpMiniport - ok
13:07:51.0406 2216 [ BF2466B3E18E970D8A976FB95FC1CA85 ] ProtectedStorage C:\WINDOWS\system32\lsass.exe
13:07:51.0421 2216 ProtectedStorage - ok
13:07:51.0421 2216 [ 09298EC810B07E5D582CB3A3F9255424 ] PSched C:\WINDOWS\system32\DRIVERS\psched.sys
13:07:51.0421 2216 PSched - ok
13:07:51.0500 2216 [ F036CFB275D0C55F4E45FBBF5F98B3C8 ] PSI_SVC_2 C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
13:07:51.0515 2216 PSI_SVC_2 - ok
13:07:51.0546 2216 [ 80D317BD1C3DBC5D4FE7B1678C60CADD ] Ptilink C:\WINDOWS\system32\DRIVERS\ptilink.sys
13:07:51.0562 2216 Ptilink - ok
13:07:51.0562 2216 [ FEFFCFDC528764A04C8ED63D5FA6E711 ] PxHelp20 C:\WINDOWS\system32\Drivers\PxHelp20.sys
13:07:51.0562 2216 PxHelp20 - ok
13:07:51.0578 2216 ql1080 - ok
13:07:51.0578 2216 Ql10wnt - ok
13:07:51.0593 2216 ql12160 - ok
13:07:51.0593 2216 ql1240 - ok
13:07:51.0609 2216 ql1280 - ok
13:07:51.0687 2216 [ 3B68696914E467BBE827D2552B5B85EF ] qrkis C:\WINDOWS\system32\DRIVERS\qrkis.sys
13:07:51.0687 2216 qrkis - ok
13:07:51.0734 2216 [ FE0D99D6F31E4FAD8159F690D68DED9C ] RasAcd C:\WINDOWS\system32\DRIVERS\rasacd.sys
13:07:51.0734 2216 RasAcd - ok
13:07:51.0781 2216 [ AD188BE7BDF94E8DF4CA0A55C00A5073 ] RasAuto C:\WINDOWS\System32\rasauto.dll
13:07:51.0796 2216 RasAuto - ok
13:07:51.0843 2216 [ 11B4A627BC9614B885C4969BFA5FF8A6 ] Rasl2tp C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
13:07:51.0843 2216 Rasl2tp - ok
13:07:51.0937 2216 [ 76A9A3CBEADD68CC57CDA5E1D7448235 ] RasMan C:\WINDOWS\System32\rasmans.dll
13:07:51.0953 2216 RasMan - ok
13:07:51.0953 2216 [ 5BC962F2654137C9909C3D4603587DEE ] RasPppoe C:\WINDOWS\system32\DRIVERS\raspppoe.sys
13:07:51.0968 2216 RasPppoe - ok
13:07:51.0968 2216 [ FDBB1D60066FCFBB7452FD8F9829B242 ] Raspti C:\WINDOWS\system32\DRIVERS\raspti.sys
13:07:51.0968 2216 Raspti - ok
13:07:52.0015 2216 [ 7AD224AD1A1437FE28D89CF22B17780A ] Rdbss C:\WINDOWS\system32\DRIVERS\rdbss.sys
13:07:52.0015 2216 Rdbss - ok
13:07:52.0031 2216 [ 4912D5B403614CE99C28420F75353332 ] RDPCDD C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
13:07:52.0031 2216 RDPCDD - ok
13:07:52.0046 2216 [ 15CABD0F7C00C47C70124907916AF3F1 ] rdpdr C:\WINDOWS\system32\DRIVERS\rdpdr.sys
13:07:52.0062 2216 rdpdr - ok
13:07:52.0109 2216 [ 43AF5212BD8FB5BA6EED9754358BD8F7 ] RDPWD C:\WINDOWS\system32\drivers\RDPWD.sys
13:07:52.0109 2216 RDPWD - ok
13:07:52.0125 2216 [ 3C37BF86641BDA977C3BF8A840F3B7FA ] RDSessMgr C:\WINDOWS\system32\sessmgr.exe
13:07:52.0156 2216 RDSessMgr - ok
13:07:52.0250 2216 [ F828DD7E1419B6653894A8F97A0094C5 ] redbook C:\WINDOWS\system32\DRIVERS\redbook.sys
13:07:52.0250 2216 redbook - ok
13:07:52.0265 2216 [ 001B4278407F4303EFC902A2B16F2453 ] regi C:\WINDOWS\system32\drivers\regi.sys
13:07:52.0265 2216 regi - ok
13:07:52.0328 2216 [ 7E699FF5F59B5D9DE5390E3C34C67CF5 ] RemoteAccess C:\WINDOWS\System32\mprdim.dll
13:07:52.0328 2216 RemoteAccess - ok
13:07:52.0359 2216 [ 5B19B557B0C188210A56A6B699D90B8F ] RemoteRegistry C:\WINDOWS\system32\regsvc.dll
13:07:52.0375 2216 RemoteRegistry - ok
13:07:52.0390 2216 RimUsb - ok
13:07:52.0421 2216 [ 3A5633AD615E2B15291BD0B1B97CCD8A ] RimVSerPort C:\WINDOWS\system32\DRIVERS\RimSerial.sys
13:07:52.0437 2216 RimVSerPort - ok
13:07:52.0500 2216 [ D8B0B4ADE32574B2D9C5CC34DC0DBBE7 ] ROOTMODEM C:\WINDOWS\system32\Drivers\RootMdm.sys
13:07:52.0500 2216 ROOTMODEM - ok
13:07:52.0562 2216 [ AAED593F84AFA419BBAE8572AF87CF6A ] RpcLocator C:\WINDOWS\system32\locator.exe
13:07:52.0562 2216 RpcLocator - ok
13:07:52.0625 2216 [ 6B27A5C03DFB94B4245739065431322C ] RpcSs C:\WINDOWS\System32\rpcss.dll
13:07:52.0640 2216 RpcSs - ok
13:07:52.0656 2216 [ 471B3F9741D762ABE75E9DEEA4787E47 ] RSVP C:\WINDOWS\system32\rsvp.exe
13:07:52.0671 2216 RSVP - ok
13:07:52.0718 2216 [ BF2466B3E18E970D8A976FB95FC1CA85 ] SamSs C:\WINDOWS\system32\lsass.exe
13:07:52.0734 2216 SamSs - ok
13:07:52.0734 2216 [ 86D007E7A654B9A71D1D7D856B104353 ] SCardSvr C:\WINDOWS\System32\SCardSvr.exe
13:07:52.0750 2216 SCardSvr - ok
13:07:52.0828 2216 [ 0A9A7365A1CA4319AA7C1D6CD8E4EAFA ] Schedule C:\WINDOWS\system32\schedsvc.dll
13:07:52.0843 2216 Schedule - ok
13:07:52.0859 2216 [ 8D04819A3CE51B9EB47E5689B44D43C4 ] sdbus C:\WINDOWS\system32\DRIVERS\sdbus.sys
13:07:52.0875 2216 sdbus - ok
13:07:52.0921 2216 [ 90A3935D05B494A5A39D37E71F09A677 ] Secdrv C:\WINDOWS\system32\DRIVERS\secdrv.sys
13:07:52.0921 2216 Secdrv - ok
13:07:52.0953 2216 [ CBE612E2BB6A10E3563336191EDA1250 ] seclogon C:\WINDOWS\System32\seclogon.dll
13:07:52.0968 2216 seclogon - ok
13:07:53.0015 2216 [ 7FDD5D0684ECA8C1F68B4D99D124DCD0 ] SENS C:\WINDOWS\system32\sens.dll
13:07:53.0031 2216 SENS - ok
13:07:53.0046 2216 [ CCA207A8896D4C6A0C9CE29A4AE411A7 ] Serial C:\WINDOWS\system32\drivers\Serial.sys
13:07:53.0046 2216 Serial - ok
13:07:53.0078 2216 [ 0FA803C64DF0914B41F807EA276BF2A6 ] sffdisk C:\WINDOWS\system32\DRIVERS\sffdisk.sys
13:07:53.0093 2216 sffdisk - ok
13:07:53.0093 2216 [ C17C331E435ED8737525C86A7557B3AC ] sffp_sd C:\WINDOWS\system32\DRIVERS\sffp_sd.sys
13:07:53.0093 2216 sffp_sd - ok
13:07:53.0171 2216 [ 8E6B8C671615D126FDC553D1E2DE5562 ] Sfloppy C:\WINDOWS\system32\drivers\Sfloppy.sys
13:07:53.0171 2216 Sfloppy - ok
13:07:53.0250 2216 [ 83F41D0D89645D7235C051AB1D9523AC ] SharedAccess C:\WINDOWS\System32\ipnathlp.dll
13:07:53.0265 2216 SharedAccess - ok
13:07:53.0296 2216 [ 99BC0B50F511924348BE19C7C7313BBF ] ShellHWDetection C:\WINDOWS\System32\shsvcs.dll
13:07:53.0312 2216 ShellHWDetection - ok
13:07:53.0312 2216 Simbad - ok
13:07:53.0328 2216 Sparrow - ok
13:07:53.0406 2216 [ AB8B92451ECB048A4D1DE7C3FFCB4A9F ] splitter C:\WINDOWS\system32\drivers\splitter.sys
13:07:53.0406 2216 splitter - ok
13:07:53.0468 2216 [ 60784F891563FB1B767F70117FC2428F ] Spooler C:\WINDOWS\system32\spoolsv.exe
13:07:53.0484 2216 Spooler - ok
13:07:53.0515 2216 [ 76BB022C2FB6902FD5BDD4F78FC13A5D ] sr C:\WINDOWS\system32\DRIVERS\sr.sys
13:07:53.0515 2216 sr - ok
13:07:53.0593 2216 [ 3805DF0AC4296A34BA4BF93B346CC378 ] srservice C:\WINDOWS\system32\srsvc.dll
13:07:53.0609 2216 srservice - ok
13:07:53.0687 2216 [ 47DDFC2F003F7F9F0592C6874962A2E7 ] Srv C:\WINDOWS\system32\DRIVERS\srv.sys
13:07:53.0703 2216 Srv - ok
13:07:53.0734 2216 [ 0A5679B3714EDAB99E357057EE88FCA6 ] SSDPSRV C:\WINDOWS\System32\ssdpsrv.dll
13:07:53.0750 2216 SSDPSRV - ok
13:07:53.0828 2216 [ B218068EBA6F46F102B4218BDB81BE0B ] STacSV C:\Program Files\SigmaTel\C-Major Audio\WDM\STacSV.exe
13:07:53.0828 2216 STacSV - ok
13:07:53.0906 2216 [ 58F855684E163466A5C565ADF0865536 ] STHDA C:\WINDOWS\system32\drivers\sthda.sys
13:07:53.0921 2216 STHDA - ok
13:07:54.0015 2216 [ 8BAD69CBAC032D4BBACFCE0306174C30 ] stisvc C:\WINDOWS\system32\wiaservc.dll
13:07:54.0031 2216 stisvc - ok
13:07:54.0109 2216 [ 51778FD315C9882F1CBD932743E62A72 ] stllssvr C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
13:07:54.0109 2216 stllssvr - ok
13:07:54.0187 2216 [ 3941D127AEF12E93ADDF6FE6EE027E0F ] swenum C:\WINDOWS\system32\DRIVERS\swenum.sys
13:07:54.0187 2216 swenum - ok
13:07:54.0218 2216 [ 8CE882BCC6CF8A62F2B2323D95CB3D01 ] swmidi C:\WINDOWS\system32\drivers\swmidi.sys
13:07:54.0218 2216 swmidi - ok
13:07:54.0218 2216 SwPrv - ok
13:07:54.0234 2216 symc810 - ok
13:07:54.0234 2216 symc8xx - ok
13:07:54.0250 2216 sym_hi - ok
13:07:54.0265 2216 sym_u3 - ok
13:07:54.0281 2216 [ 8B83F3ED0F1688B4958F77CD6D2BF290 ] sysaudio C:\WINDOWS\system32\drivers\sysaudio.sys
13:07:54.0281 2216 sysaudio - ok
13:07:54.0359 2216 [ C7ABBC59B43274B1109DF6B24D617051 ] SysmonLog C:\WINDOWS\system32\smlogsvc.exe
13:07:54.0390 2216 SysmonLog - ok
13:07:54.0421 2216 [ 3CB78C17BB664637787C9A1C98F79C38 ] TapiSrv C:\WINDOWS\System32\tapisrv.dll
13:07:54.0453 2216 TapiSrv - ok
13:07:54.0531 2216 [ 9AEFA14BD6B182D61E3119FA5F436D3D ] Tcpip C:\WINDOWS\system32\DRIVERS\tcpip.sys
13:07:54.0531 2216 Tcpip - ok
13:07:54.0562 2216 [ 4E53BBCC4BE37D7A4BD6EF1098C89FF7 ] Tcpip6 C:\WINDOWS\system32\DRIVERS\tcpip6.sys
13:07:54.0562 2216 Tcpip6 - ok
13:07:54.0609 2216 [ 6471A66807F5E104E4885F5B67349397 ] TDPIPE C:\WINDOWS\system32\drivers\TDPIPE.sys
13:07:54.0609 2216 TDPIPE - ok
13:07:54.0625 2216 [ C56B6D0402371CF3700EB322EF3AAF61 ] TDTCP C:\WINDOWS\system32\drivers\TDTCP.sys
13:07:54.0625 2216 TDTCP - ok
13:07:54.0625 2216 [ 88155247177638048422893737429D9E ] TermDD C:\WINDOWS\system32\DRIVERS\termdd.sys
13:07:54.0640 2216 TermDD - ok
13:07:54.0671 2216 [ FF3477C03BE7201C294C35F684B3479F ] TermService C:\WINDOWS\System32\termsrv.dll
13:07:54.0687 2216 TermService - ok
13:07:54.0718 2216 [ 99BC0B50F511924348BE19C7C7313BBF ] Themes C:\WINDOWS\System32\shsvcs.dll
13:07:54.0734 2216 Themes - ok
13:07:54.0765 2216 [ DB7205804759FF62C34E3EFD8A4CC76A ] TlntSvr C:\WINDOWS\system32\tlntsvr.exe
13:07:54.0781 2216 TlntSvr - ok
13:07:54.0781 2216 TosIde - ok
13:07:54.0796 2216 [ 55BCA12F7F523D35CA3CB833C725F54E ] TrkWks C:\WINDOWS\system32\trkwks.dll
13:07:54.0812 2216 TrkWks - ok
13:07:54.0875 2216 [ 8F861EDA21C05857EB8197300A92501C ] tunmp C:\WINDOWS\system32\DRIVERS\tunmp.sys
13:07:54.0890 2216 tunmp - ok
13:07:54.0890 2216 [ 5787B80C2E3C5E2F56C2A233D91FA2C9 ] Udfs C:\WINDOWS\system32\drivers\Udfs.sys
13:07:54.0906 2216 Udfs - ok
13:07:54.0906 2216 ultra - ok
13:07:54.0953 2216 [ 402DDC88356B1BAC0EE3DD1580C76A31 ] Update C:\WINDOWS\system32\DRIVERS\update.sys
13:07:54.0953 2216 Update - ok
13:07:55.0031 2216 [ 1EBAFEB9A3FBDC41B8D9C7F0F687AD91 ] upnphost C:\WINDOWS\System32\upnphost.dll
13:07:55.0046 2216 upnphost - ok
13:07:55.0078 2216 [ 05365FB38FCA1E98F7A566AAAF5D1815 ] UPS C:\WINDOWS\System32\ups.exe
13:07:55.0093 2216 UPS - ok
13:07:55.0171 2216 [ 4B8A9C16B6D9258ED99C512AECB8C555 ] USBAAPL C:\WINDOWS\system32\Drivers\usbaapl.sys
13:07:55.0171 2216 USBAAPL - ok
13:07:55.0250 2216 [ E919708DB44ED8543A7C017953148330 ] usbaudio C:\WINDOWS\system32\drivers\usbaudio.sys
13:07:55.0250 2216 usbaudio - ok
13:07:55.0296 2216 [ 173F317CE0DB8E21322E71B7E60A27E8 ] usbccgp C:\WINDOWS\system32\DRIVERS\usbccgp.sys
13:07:55.0296 2216 usbccgp - ok
13:07:55.0343 2216 [ 65DCF09D0E37D4C6B11B5B0B76D470A7 ] usbehci C:\WINDOWS\system32\DRIVERS\usbehci.sys
13:07:55.0343 2216 usbehci - ok
13:07:55.0421 2216 [ 1AB3CDDE553B6E064D2E754EFE20285C ] usbhub C:\WINDOWS\system32\DRIVERS\usbhub.sys
13:07:55.0421 2216 usbhub - ok
13:07:55.0468 2216 [ A717C8721046828520C9EDF31288FC00 ] usbprint C:\WINDOWS\system32\DRIVERS\usbprint.sys
13:07:55.0468 2216 usbprint - ok
13:07:55.0484 2216 [ A0B8CF9DEB1184FBDD20784A58FA75D4 ] usbscan C:\WINDOWS\system32\DRIVERS\usbscan.sys
13:07:55.0484 2216 usbscan - ok
13:07:55.0515 2216 [ A32426D9B14A089EAA1D922E0C5801A9 ] USBSTOR C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
13:07:55.0515 2216 USBSTOR - ok
13:07:55.0531 2216 [ 26496F9DEE2D787FC3E61AD54821FFE6 ] usbuhci C:\WINDOWS\system32\DRIVERS\usbuhci.sys
13:07:55.0531 2216 usbuhci - ok
13:07:55.0578 2216 [ 0D3A8FAFCEACD8B7625CD549757A7DF1 ] VgaSave C:\WINDOWS\System32\drivers\vga.sys
13:07:55.0578 2216 VgaSave - ok
13:07:55.0578 2216 ViaIde - ok
13:07:55.0625 2216 [ 4C8FCB5CC53AAB716D810740FE59D025 ] VolSnap C:\WINDOWS\system32\drivers\VolSnap.sys
13:07:55.0625 2216 VolSnap - ok
13:07:55.0718 2216 [ 0354BA3A5BA5E28CC247EB5F5DD8793C ] vsdatant C:\WINDOWS\system32\vsdatant.sys
13:07:55.0750 2216 vsdatant - ok
13:07:55.0812 2216 [ 7A9DB3A67C333BF0BD42E42B8596854B ] VSS C:\WINDOWS\System32\vssvc.exe
13:07:55.0843 2216 VSS - ok
13:07:55.0875 2216 [ 54AF4B1D5459500EF0937F6D33B1914F ] W32Time C:\WINDOWS\system32\w32time.dll
13:07:55.0906 2216 W32Time - ok
13:07:55.0968 2216 [ E20B95BAEDB550F32DD489265C1DA1F6 ] Wanarp C:\WINDOWS\system32\DRIVERS\wanarp.sys
13:07:55.0968 2216 Wanarp - ok
13:07:56.0046 2216 [ BBCFEAB7E871CDDAC2D397EE7FA91FDC ] Wdf01000 C:\WINDOWS\system32\Drivers\wdf01000.sys
13:07:56.0093 2216 Wdf01000 - ok
13:07:56.0093 2216 WDICA - ok
13:07:56.0109 2216 [ 6768ACF64B18196494413695F0C3A00F ] wdmaud C:\WINDOWS\system32\drivers\wdmaud.sys
13:07:56.0125 2216 wdmaud - ok
13:07:56.0140 2216 [ 77A354E28153AD2D5E120A5A8687BC06 ] WebClient C:\WINDOWS\System32\webclnt.dll
13:07:56.0156 2216 WebClient - ok
13:07:56.0265 2216 [ 96AFF1738271755A39B52EEF7E35F98F ] winachsf C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
13:07:56.0312 2216 winachsf - ok
13:07:56.0437 2216 [ 2D0E4ED081963804CCC196A0929275B5 ] winmgmt C:\WINDOWS\system32\wbem\WMIsvc.dll
13:07:56.0453 2216 winmgmt - ok
13:07:56.0468 2216 wltrysvc - ok
13:07:56.0531 2216 [ C7E39EA41233E9F5B86C8DA3A9F1E4A8 ] WmdmPmSN C:\WINDOWS\system32\mspmsnsv.dll
13:07:56.0531 2216 WmdmPmSN - ok
13:07:56.0578 2216 [ E76F8807070ED04E7408A86D6D3A6137 ] Wmi C:\WINDOWS\System32\advapi32.dll
13:07:56.0609 2216 Wmi - ok
13:07:56.0640 2216 [ C42584FD66CE9E17403AEBCA199F7BDB ] WmiAcpi C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
13:07:56.0656 2216 WmiAcpi - ok
13:07:56.0687 2216 [ E0673F1106E62A68D2257E376079F821 ] WmiApSrv C:\WINDOWS\system32\wbem\wmiapsrv.exe
13:07:56.0687 2216 WmiApSrv - ok
13:07:56.0750 2216 [ 6ABE6E225ADB5A751622A9CC3BC19CE8 ] WS2IFSL C:\WINDOWS\System32\drivers\ws2ifsl.sys
13:07:56.0765 2216 WS2IFSL - ok
13:07:56.0828 2216 [ 7C278E6408D1DCE642230C0585A854D5 ] wscsvc C:\WINDOWS\system32\wscsvc.dll
13:07:56.0843 2216 wscsvc - ok
13:07:56.0859 2216 WSearch - ok
13:07:56.0906 2216 [ 35321FB577CDC98CE3EB3A3EB9E4610A ] wuauserv C:\WINDOWS\system32\wuauserv.dll
13:07:56.0921 2216 wuauserv - ok
13:07:57.0000 2216 [ 81DC3F549F44B1C1FFF022DEC9ECF30B ] WZCSVC C:\WINDOWS\System32\wzcsvc.dll
13:07:57.0046 2216 WZCSVC - ok
13:07:57.0093 2216 [ 295D21F14C335B53CB8154E5B1F892B9 ] xmlprov C:\WINDOWS\System32\xmlprov.dll
13:07:57.0109 2216 xmlprov - ok
13:07:57.0125 2216 ================ Scan global ===============================
13:07:57.0171 2216 [ 42F1F4C0AFB08410E5F02D4B13EBB623 ] C:\WINDOWS\system32\basesrv.dll
13:07:57.0234 2216 [ 8C7DCA4B158BF16894120786A7A5F366 ] C:\WINDOWS\system32\winsrv.dll
13:07:57.0281 2216 [ 8C7DCA4B158BF16894120786A7A5F366 ] C:\WINDOWS\system32\winsrv.dll
13:07:57.0312 2216 [ 65DF52F5B8B6E9BBD183505225C37315 ] C:\WINDOWS\system32\services.exe
13:07:57.0343 2216 [Global] - ok
13:07:57.0343 2216 ================ Scan MBR ==================================
13:07:57.0375 2216 [ 8F558EB6672622401DA993E1E865C861 ] \Device\Harddisk0\DR0
13:07:57.0781 2216 \Device\Harddisk0\DR0 - ok
13:07:57.0781 2216 ================ Scan VBR ==================================
13:07:57.0781 2216 [ 6F50FE131A0D64A15F5421D39E447167 ] \Device\Harddisk0\DR0\Partition1
13:07:57.0781 2216 \Device\Harddisk0\DR0\Partition1 - ok
13:07:57.0796 2216 ============================================================
13:07:57.0796 2216 Scan finished
13:07:57.0796 2216 ============================================================
13:07:57.0796 1252 Detected object count: 1
13:07:57.0796 1252 Actual detected object count: 1
13:08:05.0546 1252 Akamai ( HiddenFile.Multi.Generic ) - skipped by user
13:08:05.0546 1252 Akamai ( HiddenFile.Multi.Generic ) - User select action: Skip



aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-10-05 13:09:39
-----------------------------
13:09:39.046 OS Version: Windows 5.1.2600 Service Pack 3
13:09:39.046 Number of processors: 2 586 0xF0D
13:09:39.046 ComputerName: GREGLAPTOP UserName: Greg
13:09:41.000 Initialize success
13:09:44.531 AVAST engine defs: 12100501
13:10:16.531 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
13:10:16.531 Disk 0 Vendor: FUJITSU_ 0085 Size: 238475MB BusType: 3
13:10:16.546 Disk 0 MBR read successfully
13:10:16.546 Disk 0 MBR scan
13:10:16.546 Disk 0 Windows XP default MBR code
13:10:16.562 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 78 MB offset 63
13:10:16.562 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 235837 MB offset 160650
13:10:16.578 Disk 0 Partition - 00 0F Extended LBA 2557 MB offset 483154875
13:10:16.609 Disk 0 Partition 3 00 DD MSDOS5.0 2557 MB offset 483154938
13:10:16.609 Disk 0 scanning sectors +488392065
13:10:16.703 Disk 0 scanning C:\WINDOWS\system32\drivers
13:10:27.359 Service scanning
13:11:11.875 Modules scanning
13:11:20.156 Disk 0 trace - called modules:
13:11:20.187 ntkrnlpa.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll
13:11:20.187 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x89c47030]
13:11:20.187 3 CLASSPNP.SYS[ba108fd7] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-0[0x8a61b030]
13:11:21.140 AVAST engine scan C:\WINDOWS
13:11:42.187 AVAST engine scan C:\WINDOWS\system32
13:13:19.843 File: C:\WINDOWS\assembly\GAC\Desktop.ini **INFECTED** Win32:Sirefef-PL [Rtk]
13:13:48.578 AVAST engine scan C:\WINDOWS\system32\drivers
13:14:06.984 AVAST engine scan C:\Documents and Settings\Greg
13:53:57.218 AVAST engine scan C:\Documents and Settings\All Users
14:07:54.437 Scan finished successfully
14:08:20.140 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Greg\Desktop\MBR.dat"
14:08:20.140 The log file has been saved successfully to "C:\Documents and Settings\Greg\Desktop\aswMBR.txt"
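
A small triage script for the two logs above (the TDSSKiller driver/service listing and the aswMBR scan), added here as an example; it is not part of this thread and not code from either tool. It infers the line formats from the lines on this page, takes a handful of those lines as a constructed sample, and reports what a log reviewer looks at first: objects TDSSKiller flagged (here the Akamai service with a HiddenFile verdict that was skipped), files aswMBR marked INFECTED, whether the MBR code was reported as the Windows default, and an MD5-to-path index for hash lookups. The regular expressions, the record layout and the sample are assumptions drawn from this page, not the tools' documented formats.

```python
"""Triage helper for TDSSKiller and aswMBR logs of the kind pasted above.

Added example, not part of the BleepingComputer thread or of either tool.
The line formats are inferred from the lines on this page (assumption).
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional

# "[ <md5> ] <service name> <path>"; the name is absent in the "Scan global" section
TDSS_FILE_RE = re.compile(
    r"^\d\d:\d\d:\d\d\.\d+\s+\d+\s+\[ (?P<md5>[0-9A-F]{32}) \]\s+"
    r"(?:(?P<name>.+?)\s+)?(?P<path>(?:[A-Za-z]:\\|\\Device\\)\S.*)$"
)
# "<name> ( <verdict> ) - <action>": a detection and what was done with it
TDSS_DETECT_RE = re.compile(
    r"^\d\d:\d\d:\d\d\.\d+\s+\d+\s+(?P<name>.+?) \( (?P<verdict>[^)]+) \) - (?P<status>.+)$"
)
# "<name> - ok": closes the check of one object
TDSS_STATUS_RE = re.compile(r"^\d\d:\d\d:\d\d\.\d+\s+\d+\s+(?P<name>.+?) - (?P<status>.+)$")
# aswMBR: "File: <path> **INFECTED** <verdict>"
ASWMBR_INFECTED_RE = re.compile(
    r"^\d\d:\d\d:\d\d\.\d+\s+File: (?P<path>.+?) \*\*INFECTED\*\* (?P<verdict>.+)$"
)


@dataclass
class TdssEntry:
    name: str
    md5: Optional[str] = None
    path: Optional[str] = None
    status: Optional[str] = None
    verdict: Optional[str] = None


def parse_tdsskiller(text: str) -> Dict[str, TdssEntry]:
    """Fold a TDSSKiller log into one record per scanned object, keyed by name."""
    entries: Dict[str, TdssEntry] = {}

    def get(name: str) -> TdssEntry:
        return entries.setdefault(name, TdssEntry(name=name))

    for line in text.splitlines():
        m = TDSS_FILE_RE.match(line)
        if m:  # hash + path line; unnamed (global scan) objects are keyed by path
            e = get(m.group("name") or m.group("path"))
            e.md5, e.path = m.group("md5"), m.group("path")
            continue
        m = TDSS_DETECT_RE.match(line)
        if m:  # detection line; the last action recorded wins
            e = get(m.group("name"))
            e.verdict, e.status = m.group("verdict"), m.group("status")
            continue
        m = TDSS_STATUS_RE.match(line)
        if m:
            get(m.group("name")).status = m.group("status")
    return entries


def triage(tdss_text: str, aswmbr_text: str) -> dict:
    """Pull out what a log reviewer needs to look at first."""
    entries = parse_tdsskiller(tdss_text)
    flagged = [e for e in entries.values() if e.verdict is not None]
    not_ok = [e for e in entries.values() if e.verdict is None and e.status not in (None, "ok")]
    infected = [m for m in map(ASWMBR_INFECTED_RE.match, aswmbr_text.splitlines()) if m]
    return {
        "tdss_flagged": [(e.name, e.verdict, e.status) for e in flagged],
        "tdss_not_ok": [(e.name, e.status) for e in not_ok],
        "aswmbr_infected": [(m.group("path"), m.group("verdict")) for m in infected],
        "mbr_default_code": re.search(r"Disk 0 .*default MBR code", aswmbr_text) is not None,
        "hashes": {e.md5: e.path for e in entries.values() if e.md5},  # for reputation lookups
    }


# Constructed sample: a few lines copied from the two logs pasted above, trimmed.
SAMPLE_TDSS = r"""13:07:51.0109 2216 [ 70E98B3FD8E963A6A46A2E6247E0BEA1 ] ParVdm C:\WINDOWS\system32\drivers\ParVdm.sys
13:07:51.0109 2216 ParVdm - ok
13:07:51.0343 2216 [ 9D84376931440F3679BEEF2A414FA493 ] Pml Driver HPZ12 C:\WINDOWS\system32\HPZipm12.exe
13:07:51.0359 2216 Pml Driver HPZ12 - ok
13:07:57.0125 2216 ================ Scan global ===============================
13:07:57.0171 2216 [ 42F1F4C0AFB08410E5F02D4B13EBB623 ] C:\WINDOWS\system32\basesrv.dll
13:07:57.0343 2216 [Global] - ok
13:07:57.0375 2216 [ 8F558EB6672622401DA993E1E865C861 ] \Device\Harddisk0\DR0
13:07:57.0781 2216 \Device\Harddisk0\DR0 - ok
13:07:57.0796 1252 Detected object count: 1
13:08:05.0546 1252 Akamai ( HiddenFile.Multi.Generic ) - skipped by user
13:08:05.0546 1252 Akamai ( HiddenFile.Multi.Generic ) - User select action: Skip
"""
SAMPLE_ASWMBR = r"""13:10:16.546 Disk 0 Windows XP default MBR code
13:13:19.843 File: C:\WINDOWS\assembly\GAC\Desktop.ini **INFECTED** Win32:Sirefef-PL [Rtk]
14:07:54.437 Scan finished successfully
"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE_TDSS, SAMPLE_ASWMBR).items():
        print(key, value)
```

On the sample the script reports one TDSSKiller object with a verdict (Akamai, skipped by the user), one aswMBR INFECTED file, an MBR reported as default code, and four hashes; a skipped detection is exactly the kind of item the helper then needs to decide on, so it is listed separately from objects that merely did not end in "ok".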

#10 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 05 October 2012 - 03:14 PM

Greetings wildzero

At this time I would like you to run this script for me and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#11 wildzero

wildzero
  • Topic Starter

  • Members
  • 145 posts

Posted 05 October 2012 - 03:39 PM

Things seem to be running well. No issues noted.


ComboFix 12-10-04.02 - Greg 10/05/2012 16:28:32.10.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1319 [GMT -4:00]
Running from: c:\documents and settings\Greg\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Greg\Desktop\CFScript.txt
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
((((((((((((((((((((((((( Files Created from 2012-09-05 to 2012-10-05 )))))))))))))))))))))))))))))))
.
.
2012-09-21 18:37 . 2012-09-21 18:37 -------- d-----w- c:\program files\Common Files\Deterministic Networks
2012-09-10 13:01 . 2012-09-10 13:01 -------- d-----w- c:\windows\system32\LogFiles
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-09-07 21:04 . 2010-04-18 07:20 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-08-28 15:14 . 2006-03-04 03:33 916992 ----a-w- c:\windows\system32\wininet.dll
2012-08-28 15:14 . 2004-08-04 10:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-08-28 15:14 . 2004-08-04 10:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-08-28 12:07 . 2004-08-04 10:00 385024 ----a-w- c:\windows\system32\html.iec
2012-08-21 18:27 . 2012-06-10 16:11 404680 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-08-21 09:13 . 2011-04-17 02:05 729752 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-08-21 09:13 . 2010-04-18 07:17 54232 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2012-08-21 09:13 . 2010-04-18 07:17 355632 ----a-w- c:\windows\system32\drivers\aswSP.sys
2012-08-21 09:13 . 2010-04-18 07:17 97608 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2012-08-21 09:13 . 2010-04-18 07:17 89624 ----a-w- c:\windows\system32\drivers\aswmon.sys
2012-08-21 09:13 . 2010-04-18 07:17 35928 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2012-08-21 09:13 . 2010-04-18 07:17 25256 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2012-08-21 09:13 . 2010-04-18 07:17 21256 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2012-08-21 09:12 . 2010-08-05 03:47 41224 ----a-w- c:\windows\avastSS.scr
2012-08-21 09:12 . 2010-04-18 07:17 227648 ----a-w- c:\windows\system32\aswBoot.exe
2010-03-11 04:01 . 2010-03-11 04:01 124272 ----a-w- c:\program files\mozilla firefox\plugins\CCMSDK.dll
2010-03-11 04:40 . 2010-03-11 04:40 13168 ----a-w- c:\program files\mozilla firefox\plugins\cgpcfg.dll
2010-03-11 04:02 . 2010-03-11 04:02 70512 ----a-w- c:\program files\mozilla firefox\plugins\CgpCore.dll
2010-03-11 04:01 . 2010-03-11 04:01 91504 ----a-w- c:\program files\mozilla firefox\plugins\confmgr.dll
2010-03-11 04:01 . 2010-03-11 04:01 22384 ----a-w- c:\program files\mozilla firefox\plugins\ctxlogging.dll
2010-03-11 04:00 . 2010-03-11 04:00 255344 ----a-w- c:\program files\mozilla firefox\plugins\ctxmui.dll
2010-03-11 04:01 . 2010-03-11 04:01 31088 ----a-w- c:\program files\mozilla firefox\plugins\icafile.dll
2010-03-11 04:01 . 2010-03-11 04:01 40304 ----a-w- c:\program files\mozilla firefox\plugins\icalogon.dll
2009-10-05 17:49 . 2009-10-05 17:49 652640 ----a-w- c:\program files\mozilla firefox\plugins\sslsdk_b.dll
2010-03-11 04:02 . 2010-03-11 04:02 23920 ----a-w- c:\program files\mozilla firefox\plugins\TcpPServ.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-08-21 09:12 121528 ----a-w- c:\program files\Alwil Software\Avast5\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Spotify Web Helper"="c:\documents and settings\Greg\Application Data\Spotify\Data\SpotifyWebHelper.exe" [2012-07-01 932528]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2008-10-24 2220032]
"ConnectionCenter"="c:\program files\Citrix\ICA Client\concentr.exe" [2010-03-11 300400]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-06-09 13537280]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-19 421888]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2009-02-26 30040]
.
c:\documents and settings\Greg\Start Menu\Programs\Startup\
explorer.exe [2012-10-3 46592]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2010-4-18 50688]
VPN Client.lnk - c:\windows\Installer\{1CE60928-8325-49A8-8B06-633E48DD2B67}\Icon3E5562ED7.ico [2012-9-21 6144]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
.
R1 A2DDA;A2 Direct Disk Access Support Driver;c:\documents and settings\Greg\Desktop\EmsisoftEmergencyKit\Run\a2ddax86.sys [7/8/2012 11:13 PM 17904]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [4/16/2011 10:05 PM 729752]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [4/18/2010 3:17 AM 355632]
R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [10/5/2009 10:08 AM 65584]
R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [8/4/2004 6:00 AM 14336]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [4/18/2010 3:17 AM 21256]
R2 NIHardwareService;NIHardwareService;c:\program files\Common Files\Native Instruments\Hardware\NIHardwareService.exe [3/9/2011 7:08 AM 3857408]
R2 regi;regi;c:\windows\system32\drivers\regi.sys [4/17/2007 8:09 PM 11032]
S3 NWUSBCDFIL;Novatel Wireless Installation CD;c:\windows\system32\drivers\NwUsbCdFil.sys [7/8/2010 10:52 AM 20480]
S3 NWUSBModem_000;Novatel Wireless USB Modem Driver (vGEN);c:\windows\system32\drivers\nwusbmdm_000.sys [7/8/2010 10:52 AM 176384]
S3 NWUSBPort_000;Novatel Wireless USB Status Port Driver (vGEN);c:\windows\system32\drivers\nwusbser_000.sys [7/8/2010 10:52 AM 176384]
S3 NWUSBPort2_000;Novatel Wireless USB Status2 Port Driver (vGEN);c:\windows\system32\drivers\nwusbser2_000.sys [7/8/2010 10:52 AM 176384]
S3 qrkis;Tether Miniport;c:\windows\system32\drivers\qrkis.sys [11/25/2011 1:08 PM 45608]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - 99470523
*NewlyCreated* - BITS
*Deregistered* - 99470523
*Deregistered* - aswMBR
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder
.
2012-09-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 15:50]
.
2012-10-05 c:\windows\Tasks\avast! Emergency Update.job
- c:\program files\Alwil Software\Avast5\AvastEmUpdate.exe [2012-07-09 09:12]
.
2012-09-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1960408961-1614895754-725345543-1003Core.job
- c:\documents and settings\Greg\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-08-22 16:30]
.
2012-10-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1960408961-1614895754-725345543-1003UA.job
- c:\documents and settings\Greg\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-08-22 16:30]
.
2012-10-05 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2010-04-18 02:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: ed.gov\fpass
Trusted Zone: ed.gov\www.fpass
TCP: DhcpNameServer = 192.168.1.1
DPF: vzTCPConfig - hxxp://my.verizon.com/micro/speedoptimizer/fios/vzTCPConfig.CAB
FF - ProfilePath - c:\documents and settings\Greg\Application Data\Mozilla\Firefox\Profiles\hig1dv12.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: avast! WebRep: wrc@avast.com - c:\program files\Alwil Software\Avast5\WebRep\FF
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-10-05 16:35
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Akamai]
"ServiceDll"="c:\program files\common files\akamai/netsession_win_5891ae0.dll"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1152)
c:\windows\System32\BCMLogon.dll
.
- - - - - - - > 'explorer.exe'(1796)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2012-10-05 16:38:29
ComboFix-quarantined-files.txt 2012-10-05 20:38
ComboFix2.txt 2012-10-05 16:48
.
Pre-Run: 71,792,971,776 bytes free
Post-Run: 71,784,919,040 bytes free
.
- - End Of File - - A1C53D7D02376C093707FC6793AAA588

#12 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 05 October 2012 - 09:01 PM

Hello

:P2P Warning!:

IMPORTANT I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

Please note that as long as you are using any form of Peer-to-Peer networking and downloading files from non-documented sources, you can expect infestations of malware to occur.
Once upon a time, P2P file sharing was fairly safe. That is no longer true. P2P programs form a direct conduit on to your computer, their security measures are easily circumvented and malware writers are increasingly exploiting them to spread their wares on to your computer. Further to that, if your P2P program is not configured correctly, your computer may be sharing more files than you realise. There have been cases where people's passwords, address books and other personal, private, and financial details have been exposed to a file sharing network by a badly configured program.

Please read these short reports on the dangers of peer-2-peer programs and file sharing.

FBI Cyber Education Letter
File sharing infects 500,000 computers
USAToday
infoworld


These logs are looking a lot better. But we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps.

uninstall some programs

NOTE** Because of the cleanup process, some of the programs I have listed may not be in add/remove anymore. This is fine; just move to the next item on the list.

You can remove these programs using add/remove or you can use the free uninstaller from Revo (Revo does a lot better of a job).

Programs to remove

BitTorrent
Java™ 6 Update 31


  • Please download and install Revo Uninstaller Free
  • Double click Revo Uninstaller to run it.
  • From the list of programs double click on The Program to remove
  • When prompted if you want to uninstall click Yes.
  • Be sure the Moderate option is selected then click Next.
  • The program will run, If prompted again click Yes
  • when the built-in uninstaller is finished click on Next.
  • Once the program has searched for leftovers click Next.
  • Check/tick the bolded items only on the list then click Delete
  • when prompted click on Yes and then on next.
  • put a check on any folders that are found and select delete
  • when prompted select yes then on next
  • Once done click Finish.



Install Java:

Please go here to install Java

  • click on the Free Java Download Button
  • click on Agree and start Free download
  • click on Run
  • click on run again
  • click on install
  • when install is complete click on close

Clean Out Temp Files

  • This small application you may want to keep and use once a week to keep the computer clean.

    Download CCleaner from here http://www.ccleaner.com/

  • Run the installer to install the application.
  • When it gives you the option to install Yahoo toolbar uncheck the box next to it.
  • Run CCleaner. (make sure under Windows tab all the boxes of Internet Explorer and Windows explorer are checked. Under System check Empty Recycle Bin and Temporary Files. Under Application tab all the boxes should be checked).
  • Click Run Cleaner.
  • Close CCleaner.

: Malwarebytes' Anti-Malware :

  • I would like you to rerun MBAM.
  • Double-click the MBAM icon.
  • Go to the Update tab at the top.
  • Click on Check for Updates.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
  • If you accidentally close it, the log file is saved here and will be named like this:
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Download HijackThis

If you have any problems running Hijackthis see NOTE** below (Host file not read, blank notepad ...)

  • Go Here to download HijackThis Installer
  • Save HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed it will launch Hijackthis.
  • Click on the Do a system scan and save a log file button. It will scan and the log should open in notepad.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the Analyze This button; its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

NOTE**
Sometimes we have to run it like this. To run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)<--32bit
(located: C:\Program Files(86)\Trend Micro\HiJackThis\HiJackThis.exe)<--64bit
and select Run as administrator.

"information and logs"

In your next post I need the following:

  • Log from MBAM
  • Report from HijackThis
  • Let me know of any problems you may have had
  • How is the computer doing now?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#13 wildzero

wildzero
  • Topic Starter
  • Members
  • 145 posts
  • Local time:08:01 AM

Posted 06 October 2012 - 01:28 AM

Thanks gringo - I will be away this weekend and will get to the final round of cleansing in a few days. Thanks for your help - will follow up soon.

#14 gringo_pr

gringo_pr
    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:08:01 AM

Posted 06 October 2012 - 01:44 AM

no problem


gringo

#15 gringo_pr

gringo_pr
    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:08:01 AM

Posted 09 October 2012 - 12:57 AM

Greetings


I have not heard from you in a couple of days so I am coming by to check on you to see if you are having problems or you just need some more time.

Also, to remind you that it is very important that we finish the process completely so as to not get reinfected. I will let you know when we are complete, and I will ask you to remove our tools.




Gringo