Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Possible Rootkit infection "Jesterss.dll"


  • This topic is locked This topic is locked
12 replies to this topic

#1 VicVegas

VicVegas

  • Members
  • 202 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Cornville, USA
  • Local time:06:13 PM

Posted 17 October 2012 - 01:39 PM

Avast picked up Jesterss.dll on my system during a boot scan. After doing a little searching around I found it associated with rootkits at one point and possibly related to a rogue scanner, as one thread on these forums went blabbing about it like it was a good program, even though searches bring up very little on it otherwise. I've also submitted it to avast and they still consider it a "Win32:Trojan-gen" so generic or not they haven't changed their minds on it being malicious.

I'll post a dds log, but for some reason my computer restarted after running GMER and I was asleep. This opens up additional concern as I'm not even sure why it restarted.

I'll post a GMER log when possible.

DDS (Ver_2012-10-14.05) - NTFS_x86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 10.7.2
Run by Administrator at 7:06:43 on 2012-10-17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3069.2466 [GMT -5:00]
.
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: COMODO Firewall *Enabled*
FW: AVG Firewall *Disabled*
.
============== Running Processes ================
.
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\program files\real\realplayer\update\realsched.exe
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Intel\IntelDH\CCU\CCU_TrayIcon.exe
C:\Program Files\AVAST Software\Avast\avastUI.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Intel\IntelDH\CCU\CCU_Engine.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Intel\IntelDH\CCU\AlertService.exe
C:\Program Files\Microsoft\BingBar\7.1.361.0\BBSvc.exe
C:\Program Files\Wave Systems Corp\Common\DataServer.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre7\bin\jqs.exe
C:\Program Files\Netscape Internet Service\ncupdatesvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v1.05\bin\tcsd_win32.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology Drivers\Elservice.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Microsoft\BingBar\7.1.361.0\SeaPort.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.msn.com
uWindow Title = Internet Explorer, optimized for Bing and MSN
uDefault_Page_URL = hxxp://www.msn.com
uInternet Connection Wizard,ShellNext = hxxp://www.gateway.com/g/startpage.html?Ch=Consumer&Br=GTW&Loc=ENG_US&Sys=DTP&M=FX510S
mSearchAssistant = hxxp://www.gateway.com/g/sidepanel.html?Ch=Consumer&Br=GTW&Loc=ENG_US&Sys=DTP&M=FX510S
dURLSearchHooks: {A3BC75A2-1F87-4686-AA43-5347D756017C} - <orphaned>
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Bing Bar Helper: {1dad3af3-ef2f-4f64-ac4b-11789189fcb6} - c:\program files\microsoft\bingbar\7.1.361.0\BingExt.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: PBlockHelper Class: {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - c:\program files\netscape internet service\netscape web accelerator\pbhelper.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - c:\program files\avast software\avast\aswWebRepIE.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: CBrowserHelperObject Object: {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\bae.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
TB: Bing Bar: {eec0f710-38b5-4aba-99bf-ec87564a4e13} -
TB: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - c:\program files\avast software\avast\aswWebRepIE.dll
uRun: [Steam] "c:\program files\steam\steam.exe" -silent
uRun: [Power2GoExpress] NA
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [EA Core] "c:\program files\electronic arts\eadm\Core.exe" -silent
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
mRun: [SysTrayApp] c:\program files\idt\wdm\sttray.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [SigmatelSysTrayApp] sttray.exe
mRun: [ROC_roc_dec12] "c:\program files\avg secure search\ROC_roc_dec12.exe" /PROMPT /CMPID=roc_dec12
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [readericon] c:\program files\digital media reader\readericon45G.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit -login
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [KernelFaultCheck] c:\windows\system32\dumprep 0 -k
mRun: [IntelAudioStudio] "c:\program files\intel audio studio\IntelAudioStudio.exe" BOOT
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [IMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [Gateway Extended Warranty] "c:\program files\gateway\gwcares\GWCares.exe"
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
mRun: [CCUTRAYICON] c:\program files\intel\inteldh\ccu\CCU_TrayIcon.exe
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
LSP: c:\program files\netscape internet service\netscape web accelerator\sliplsp.dll
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1344343432682
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {A3256902-51FA-45A0-8A97-FC1143C169D9} - hxxp://support.microsoft.com/mats/DiagWebControl.cab
DPF: {CAFEEFAC-0014-0002-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: NameServer = 192.168.1.1
TCP: Interfaces\{354AA276-F51B-4060-98B2-6A4F3FCE459D} : NameServer = 8.26.56.26,156.154.70.22
TCP: Interfaces\{A62FB6C8-71E4-4552-9603-C61C17A96FF6} : NameServer = 8.26.56.26,156.154.70.22
TCP: Interfaces\{A62FB6C8-71E4-4552-9603-C61C17A96FF6} : DHCPNameServer = 192.168.1.1
Notify: MRI_DISABLED - <no file>
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager - {56F9679E-7826-4C84-81F3-532071A8BCC5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: SABShellExecuteHook Class - {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - c:\program files\superantispyware\SASSEH.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\administrator\application data\mozilla\firefox\profiles\oxlcp4xu.default\
FF - prefs.js: browser.startup.homepage - hxxp://my.msn.com/default.aspx?mypg=1
FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4b8b3f7c&v=7.008.031.001&i=26&tp=ab&iy=&ychte=us&lng=en-US&q=
FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll
FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordlegacyext.dll
FF - component: c:\program files\avg\avg10\firefox4\components\avgssff4.dll
FF - plugin: c:\documents and settings\administrator\application data\move networks\plugins\npqmp071505000011.dll
FF - plugin: c:\documents and settings\administrator\application data\move networks\plugins\npqmp071701000002.dll
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprpchromebrowserrecordext.dll
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\common files\oberon media\ncadapter\1.0.0.7\npapicomadapter.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\microsoft silverlight\4.1.10329.0\npctrlui.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - plugin: c:\program files\virtual earth 3d\npVE3D.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_4_402_287.dll
FF - plugin: c:\windows\system32\npDeployJava1.dll
FF - plugin: c:\windows\system32\npptools.dll
FF - ExtSQL: !HIDDEN! 2009-06-24 03:00; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
.
============= SERVICES / DRIVERS ===============
.
R0 stmtpm;STM TPM Service;c:\windows\system32\drivers\stm_tpm.sys [2009-2-17 21504]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2012-9-29 729752]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2012-9-29 355632]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [2012-1-17 494968]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2011-12-19 31704]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCORE.EXE [2011-8-11 116608]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2012-9-29 21256]
R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2012-9-29 44808]
R2 BBSvc;BingBar Service;c:\program files\microsoft\bingbar\7.1.361.0\BBSvc.EXE [2012-2-10 193816]
R2 cmdAgent;COMODO Internet Security Helper Service;c:\program files\comodo\comodo internet security\cmdagent.exe [2011-12-19 1983232]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2010-2-15 54752]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R3 BBUpdate;BBUpdate;c:\program files\microsoft\bingbar\7.1.361.0\SeaPort.EXE [2012-2-10 240408]
R3 IAMTXP;Driver for Intel® Active Management Technology - KCS;c:\windows\system32\drivers\IAMTXP.sys [2009-2-17 40448]
S2 MCLServiceATL;Intel® Application Tracker;c:\program files\intel\inteldh\intel media server\shells\MCLServiceATL.exe [2006-6-15 147456]
S2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\nvidia corporation\nvidia update core\daemonu.exe [2012-6-6 1262400]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-5-22 250808]
S3 cpudrv;cpudrv;c:\program files\systemrequirementslab\cpudrv.sys [2009-12-18 11336]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2009-8-5 704864]
.
=============== Created Last 30 ================
.
2012-10-14 02:23:05 96224 ----a-w- c:\program files\mozilla firefox\webapprt-stub.exe
2012-10-14 02:23:05 157272 ----a-w- c:\program files\mozilla firefox\webapp-uninstaller.exe
2012-09-29 23:06:16 729752 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-09-29 23:05:52 41224 ----a-w- c:\windows\avastSS.scr
.
==================== Find3M ====================
.
2012-10-09 06:28:10 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-10-09 06:28:10 696760 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-09-07 22:04:46 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-09-01 11:13:56 93672 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2012-09-01 11:13:51 143872 ----a-w- c:\windows\system32\javacpl.cpl
2012-09-01 11:13:50 821736 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-09-01 11:13:49 746984 ----a-w- c:\windows\system32\deployJava1.dll
2012-08-28 15:14:53 916992 ----a-w- c:\windows\system32\wininet.dll
2012-08-28 15:14:53 43520 ------w- c:\windows\system32\licmgr10.dll
2012-08-28 15:14:52 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-08-28 12:07:15 385024 ------w- c:\windows\system32\html.iec
2012-08-24 13:53:22 177664 ----a-w- c:\windows\system32\wintrust.dll
2012-08-21 13:33:26 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-08-21 12:58:09 2027520 ----a-w- c:\windows\system32\ntkrnlpa.exe
.
============= FINISH: 7:08:03.09 ===============

BC AdBot (Login to Remove)

 


#2 VicVegas

VicVegas
  • Topic Starter

  • Members
  • 202 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Cornville, USA
  • Local time:06:13 PM

Posted 17 October 2012 - 04:55 PM

Sorry I forgot to post the "Attach" log on my previous post. I also have the GMER log, but for whatever reason it froze up when it was finished and I couldn't run any programs either until I restarted my computer.

Highlighting Avast in my taskbar "avast! Antivirus: WARNING, your system is UNSECURED." even though everything looks okay when I check the summary.

I will provide a log of the boot scan as well.

10/17/2012 03:52
Scan of all local drives

File C:\Documents and Settings\Administrator\Local Settings\Temp\tmp-rny.xpi|>chrome\noscript.jar|>locale\hu-HU\noscript\noscript.dtd Error 42125 {ZIP archive is corrupted.}
File C:\Documents and Settings\Administrator\Local Settings\Temp\tmp-rny.xpi|>chrome\noscript.jar Error 42125 {ZIP archive is corrupted.}
File C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\NU4E5KCG\bing%20rewards[1].bingbarapp|>images\alertState.png Error 42127 {CAB archive is corrupted.}
File C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\NU4E5KCG\slacker%20radio[1].bingbarapp|>flash\BingPlayer.swf Error 42127 {CAB archive is corrupted.}
File C:\Games\Nexus Mod Manager\Skyrim\Mods\downloads\Immersive_Armors_v5-19733-5.7z.partial|>data\textures\armor\Paladin\Armor3 copy.dds Error 42139 {7ZIP archive is corrupted.}
File C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP876\A0138424.exe is infected by Win32:Trojan-gen, Moved to chest <- False positive
File C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP900\A0141599.exe is infected by Win32:Trojan-gen, Moved to chest <- False positive
File C:\WINDOWS\system32\jesterss.dll|>[ASPack] is infected by Win32:Trojan-gen, Moved to chest
File D:\PRELOAD\data9_08.inp|>spra0424.dll Error 42127 {CAB archive is corrupted.}
Number of searched folders: 29677
Number of tested files: 1320297
Number of infected files: 3

Attached Files



#3 VicVegas

VicVegas
  • Topic Starter

  • Members
  • 202 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Cornville, USA
  • Local time:06:13 PM

Posted 18 October 2012 - 03:43 AM

Ran a complete scan in Safe Mode with several programs, including: Malwarebytes, Super Anti Spyware, Eset Online Scanner and Avast.

Avast's complete scan found another generic: C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP900\A0141601.dll|>[ASPack]

At the moment I suppose I could say web browsing kinda hangs a bit, but then I've been using a computer with a stronger processor allot lately so it's hard for me to gauge it.

Sorry for using other scanners without permission after posting the logs. No one has checked my post yet and seeing as this computer isn't mainly used by me time is of the essence. I'll try to remain patient otherwise and won't veer of course once someone is helping me.

Edited by VicVegas, 18 October 2012 - 04:23 AM.


#4 VicVegas

VicVegas
  • Topic Starter

  • Members
  • 202 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Cornville, USA
  • Local time:06:13 PM

Posted 18 October 2012 - 02:07 PM

Okay now I am VERY concerned. I found some posts (here and on another forum) of an instance of the same file and it looks pretty bad.

http://www.bleepingcomputer.com/forums/topic235128.html

http://www.geekstogo.com/forum/topic/250157-recurring-jesterssdll-trojan-rootkit-with-a-side-of-malware-solved/?ModPagespeed=noscript

On the other hand, the computer mentioned above was a gateway and so is the one in question. Also the malicious detection could simply be due to the fact that it uses an "executable packer" known as ASPack, as is suggested in this post.

http://www.techsupportforum.com/forums/f100/anything-need-to-be-done-on-my-log-124267.html

I may download and run a Comodo scan to see if anything comes up. Beyond that, none of my other regular scanners detected these prior to Avast. I kinda wish avast would tell me when the file was created on the disk, or when it was last used. With that I'd know for sure if it was false or not.

#5 VicVegas

VicVegas
  • Topic Starter

  • Members
  • 202 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Cornville, USA
  • Local time:06:13 PM

Posted 18 October 2012 - 04:54 PM

Okay. Well, I just got a phone call from someone claiming to be from a spyware removal company. I guess that means that something has gotten into my computer(s) that has gotten the information on exactly where I live and what my phone number is. It could just be an amazing coincidence, but my guess is I'm screwed. My mother told me she's been getting phoe calls like these both at home and at work randomly for a long time now, so it's just a coincidence. Come to think of it, I have no idea how they'd get my phone number, even if they had my IP address.

Edited by VicVegas, 18 October 2012 - 05:35 PM.


#6 nasdaq

nasdaq

  • Malware Response Team
  • 39,237 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:07:13 PM

Posted 19 October 2012 - 09:17 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

Let start with these additional scan.

Please Download
TDSSKiller.zip

>>> Double-click on TDSSKiller.exe to run the application.
  • Click on the Start Scan button and wait for the scan and disinfection process to be over.
  • If an infected file is detected, the default action will be Cure, click on Continue
    Posted Image
  • If a suspicious file is detected, the default action will be Skip, click on Continue
    Posted Image
  • If you are asked to reboot the computer to complete the process, click on the Reboot Now button. A report will be automatically saved at the root of the System drive ((usually C:\) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt" (for example, C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt). Please copy and paste the contents of that file here.
  • If no reboot is required, click on Report. A log file will appear. Please copy and paste the contents of that file in your next reply.

Download http://public.avast.com/~gmerek/aswMBR.exe (aswMBR.exe) to your desktop. Double click the aswMBR.exe to run it

  • Click the "Scan" button to start scan.
  • Upon completion of the scan, click Save log, and save it to your desktop. (Note - do not select any Fix at this time) <- IMPORTANT
  • Please post the contents of that log in your next reply.
There shall also be a file on your desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) folder. Please attach that zipped file in your next reply.

===

Please post the logs for my review.

#7 VicVegas

VicVegas
  • Topic Starter

  • Members
  • 202 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Cornville, USA
  • Local time:06:13 PM

Posted 19 October 2012 - 04:17 PM

14:19:55.0165 4248 TDSS rootkit removing tool 2.8.13.0 Oct 12 2012 17:26:47
14:19:55.0744 4248 ============================================================
14:19:55.0744 4248 Current date / time: 2012/10/19 14:19:55.0744
14:19:55.0744 4248 SystemInfo:
14:19:55.0744 4248
14:19:55.0744 4248 OS Version: 5.1.2600 ServicePack: 3.0
14:19:55.0744 4248 Product type: Workstation
14:19:55.0744 4248 ComputerName: HARVEYDENT
14:19:55.0744 4248 UserName: Administrator
14:19:55.0744 4248 Windows directory: C:\WINDOWS
14:19:55.0744 4248 System windows directory: C:\WINDOWS
14:19:55.0744 4248 Processor architecture: Intel x86
14:19:55.0744 4248 Number of processors: 2
14:19:55.0744 4248 Page size: 0x1000
14:19:55.0744 4248 Boot type: Normal boot
14:19:55.0744 4248 ============================================================
14:19:57.0056 4248 Drive \Device\Harddisk0\DR0 - Size: 0x4A85D56000 (298.09 Gb), SectorSize: 0x200, Cylinders: 0x9801, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000040
14:19:57.0244 4248 ============================================================
14:19:57.0244 4248 \Device\Harddisk0\DR0:
14:19:57.0244 4248 MBR partitions:
14:19:57.0244 4248 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x921954, BlocksNum 0x24B07EAC
14:19:57.0244 4248 \Device\Harddisk0\DR0\Partition2: MBR, Type 0xB, StartLBA 0x3F, BlocksNum 0x921915
14:19:57.0244 4248 ============================================================
14:19:57.0306 4248 C: <-> \Device\Harddisk0\DR0\Partition1
14:19:57.0306 4248 D: <-> \Device\Harddisk0\DR0\Partition2
14:19:57.0306 4248 ============================================================
14:19:57.0306 4248 Initialize success
14:19:57.0306 4248 ============================================================
14:21:49.0619 5008 ============================================================
14:21:49.0619 5008 Scan started
14:21:49.0619 5008 Mode: Manual;
14:21:49.0619 5008 ============================================================
14:21:51.0619 5008 ================ Scan system memory ========================
14:21:51.0619 5008 System memory - ok
14:21:51.0619 5008 ================ Scan services =============================
14:21:51.0744 5008 [ 01E81C84AD1D0ACC61CF3CFD06632210 ] !SASCORE C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
14:21:51.0759 5008 !SASCORE - ok
14:21:52.0025 5008 [ 0352A73CD6B1782EA3ED7A03A8268F55 ] Aavmker4 C:\WINDOWS\system32\drivers\Aavmker4.sys
14:21:52.0025 5008 Aavmker4 - ok
14:21:52.0025 5008 Abiosdsk - ok
14:21:52.0040 5008 [ 6ABB91494FE6C59089B9336452AB2EA3 ] abp480n5 C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS
14:21:52.0056 5008 abp480n5 - ok
14:21:52.0103 5008 [ 8FD99680A539792A30E97944FDAECF17 ] ACPI C:\WINDOWS\system32\DRIVERS\ACPI.sys
14:21:52.0134 5008 ACPI - ok
14:21:52.0165 5008 [ 9859C0F6936E723E4892D7141B1327D5 ] ACPIEC C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
14:21:52.0165 5008 ACPIEC - ok
14:21:52.0337 5008 [ 44C00A385CA9DBC1D5CF3781F8C26AEA ] AdobeFlashPlayerUpdateSvc C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
14:21:52.0353 5008 AdobeFlashPlayerUpdateSvc - ok
14:21:52.0369 5008 [ 9A11864873DA202C996558B2106B0BBC ] adpu160m C:\WINDOWS\system32\DRIVERS\adpu160m.sys
14:21:52.0462 5008 adpu160m - ok
14:21:52.0509 5008 [ 8BED39E3C35D6A489438B8141717A557 ] aec C:\WINDOWS\system32\drivers\aec.sys
14:21:52.0603 5008 aec - ok
14:21:52.0681 5008 [ 1E44BC1E83D8FD2305F8D452DB109CF9 ] AFD C:\WINDOWS\System32\drivers\afd.sys
14:21:52.0681 5008 AFD - ok
14:21:52.0775 5008 [ 08FD04AA961BDC77FB983F328334E3D7 ] agp440 C:\WINDOWS\system32\DRIVERS\agp440.sys
14:21:52.0775 5008 agp440 - ok
14:21:52.0775 5008 [ 03A7E0922ACFE1B07D5DB2EEB0773063 ] agpCPQ C:\WINDOWS\system32\DRIVERS\agpCPQ.sys
14:21:52.0790 5008 agpCPQ - ok
14:21:52.0790 5008 [ C23EA9B5F46C7F7910DB3EAB648FF013 ] Aha154x C:\WINDOWS\system32\DRIVERS\aha154x.sys
14:21:52.0790 5008 Aha154x - ok
14:21:52.0806 5008 [ 19DD0FB48B0C18892F70E2E7D61A1529 ] aic78u2 C:\WINDOWS\system32\DRIVERS\aic78u2.sys
14:21:52.0806 5008 aic78u2 - ok
14:21:52.0806 5008 [ B7FE594A7468AA0132DEB03FB8E34326 ] aic78xx C:\WINDOWS\system32\DRIVERS\aic78xx.sys
14:21:52.0806 5008 aic78xx - ok
14:21:52.0837 5008 [ A9A3DAA780CA6C9671A19D52456705B4 ] Alerter C:\WINDOWS\system32\alrsvc.dll
14:21:52.0837 5008 Alerter - ok
14:21:52.0915 5008 [ 613BA3152B1B470FD7FB8F6F6C9D74D5 ] AlertService C:\Program Files\Intel\IntelDH\CCU\AlertService.exe
14:21:52.0931 5008 AlertService - ok
14:21:52.0947 5008 [ 8C515081584A38AA007909CD02020B3D ] ALG C:\WINDOWS\System32\alg.exe
14:21:52.0947 5008 ALG - ok
14:21:52.0978 5008 [ 1140AB9938809700B46BB88E46D72A96 ] AliIde C:\WINDOWS\system32\DRIVERS\aliide.sys
14:21:52.0978 5008 AliIde - ok
14:21:52.0978 5008 [ CB08AED0DE2DD889A8A820CD8082D83C ] alim1541 C:\WINDOWS\system32\DRIVERS\alim1541.sys
14:21:52.0994 5008 alim1541 - ok
14:21:52.0994 5008 [ 95B4FB835E28AA1336CEEB07FD5B9398 ] amdagp C:\WINDOWS\system32\DRIVERS\amdagp.sys
14:21:52.0994 5008 amdagp - ok
14:21:53.0009 5008 [ 79F5ADD8D24BD6893F2903A3E2F3FAD6 ] amsint C:\WINDOWS\system32\DRIVERS\amsint.sys
14:21:53.0009 5008 amsint - ok
14:21:53.0025 5008 [ D8849F77C0B66226335A59D26CB4EDC6 ] AppMgmt C:\WINDOWS\System32\appmgmts.dll
14:21:53.0025 5008 AppMgmt - ok
14:21:53.0040 5008 [ B5B8A80875C1DEDEDA8B02765642C32F ] Arp1394 C:\WINDOWS\system32\DRIVERS\arp1394.sys
14:21:53.0040 5008 Arp1394 - ok
14:21:53.0056 5008 [ 62D318E9A0C8FC9B780008E724283707 ] asc C:\WINDOWS\system32\DRIVERS\asc.sys
14:21:53.0056 5008 asc - ok
14:21:53.0056 5008 [ 69EB0CC7714B32896CCBFD5EDCBEA447 ] asc3350p C:\WINDOWS\system32\DRIVERS\asc3350p.sys
14:21:53.0056 5008 asc3350p - ok
14:21:53.0072 5008 [ 5D8DE112AA0254B907861E9E9C31D597 ] asc3550 C:\WINDOWS\system32\DRIVERS\asc3550.sys
14:21:53.0072 5008 asc3550 - ok
14:21:53.0212 5008 [ 0E5E4957549056E2BF2C49F4F6B601AD ] aspnet_state C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
14:21:53.0244 5008 aspnet_state - ok
14:21:53.0259 5008 [ F5DC168BF77572D51BE28BA261B30CB4 ] aswFsBlk C:\WINDOWS\system32\drivers\aswFsBlk.sys
14:21:53.0259 5008 aswFsBlk - ok
14:21:53.0275 5008 [ 2B9B1DF809E965EF63402CBBA6DB50AE ] aswMon2 C:\WINDOWS\system32\drivers\aswMon2.sys
14:21:53.0275 5008 aswMon2 - ok
14:21:53.0290 5008 [ B7D5E4486BA658ED08624D8084ABB830 ] AswRdr C:\WINDOWS\system32\drivers\AswRdr.sys
14:21:53.0290 5008 AswRdr - ok
14:21:53.0306 5008 [ D5052BC2F8C43937465E4D7BB9CA4F27 ] aswSnx C:\WINDOWS\system32\drivers\aswSnx.sys
14:21:53.0322 5008 Suspicious file (Forged): C:\WINDOWS\system32\drivers\aswSnx.sys. Real md5: D5052BC2F8C43937465E4D7BB9CA4F27, Fake md5: 30E45AF8B4D83176CA850FC9699E860B
14:21:53.0322 5008 aswSnx ( ForgedFile.Multi.Generic ) - warning
14:21:53.0322 5008 aswSnx - detected ForgedFile.Multi.Generic (1)
14:21:53.0353 5008 [ F04BDBCB965C05C51F4A7DE7B62063D6 ] aswSP C:\WINDOWS\system32\drivers\aswSP.sys
14:21:53.0369 5008 aswSP - ok
14:21:53.0400 5008 [ DFE9152ABFA89BB8CFDC057409B2D4DA ] aswTdi C:\WINDOWS\system32\drivers\aswTdi.sys
14:21:53.0400 5008 aswTdi - ok
14:21:53.0462 5008 [ B153AFFAC761E7F5FCFA822B9C4E97BC ] AsyncMac C:\WINDOWS\system32\DRIVERS\asyncmac.sys
14:21:53.0462 5008 AsyncMac - ok
14:21:53.0462 5008 [ 9F3A2F5AA6875C72BF062C712CFA2674 ] atapi C:\WINDOWS\system32\DRIVERS\atapi.sys
14:21:53.0462 5008 atapi - ok
14:21:53.0478 5008 Atdisk - ok
14:21:53.0525 5008 [ DE74AD11F0175EAB23BA994F59423997 ] ATIAVPCI C:\WINDOWS\system32\DRIVERS\atinavrr.sys
14:21:53.0540 5008 ATIAVPCI - ok
14:21:53.0572 5008 [ 9916C1225104BA14794209CFA8012159 ] Atmarpc C:\WINDOWS\system32\DRIVERS\atmarpc.sys
14:21:53.0572 5008 Atmarpc - ok
14:21:53.0603 5008 [ DEF7A7882BEC100FE0B2CE2549188F9D ] AudioSrv C:\WINDOWS\System32\audiosrv.dll
14:21:53.0603 5008 AudioSrv - ok
14:21:53.0650 5008 [ D9F724AA26C010A217C97606B160ED68 ] audstub C:\WINDOWS\system32\DRIVERS\audstub.sys
14:21:53.0650 5008 audstub - ok
14:21:53.0744 5008 [ 04AC21E821F259845BD7367CEE057290 ] avast! Antivirus C:\Program Files\AVAST Software\Avast\AvastSvc.exe
14:21:53.0744 5008 avast! Antivirus - ok
14:21:53.0853 5008 [ A2494901E7226B356B8C1005C45F1C5F ] BBSvc C:\Program Files\Microsoft\BingBar\7.1.361.0\BBSvc.exe
14:21:53.0853 5008 BBSvc - ok
14:21:53.0915 5008 [ 63B1CBBAE4790B5BAC98F01BF9449722 ] BBUpdate C:\Program Files\Microsoft\BingBar\7.1.361.0\SeaPort.exe
14:21:53.0915 5008 BBUpdate - ok
14:21:53.0947 5008 [ DA1F27D85E0D1525F6621372E7B685E9 ] Beep C:\WINDOWS\system32\drivers\Beep.sys
14:21:53.0947 5008 Beep - ok
14:21:54.0009 5008 [ 574738F61FCA2935F5265DC4E5691314 ] BITS C:\WINDOWS\system32\qmgr.dll
14:21:54.0025 5008 BITS - ok
14:21:54.0056 5008 [ CFD4E51402DA9838B5A04AE680AF54A0 ] Browser C:\WINDOWS\System32\browser.dll
14:21:54.0056 5008 Browser - ok
14:21:54.0087 5008 [ 90A673FC8E12A79AFBED2576F6A7AAF9 ] cbidf C:\WINDOWS\system32\DRIVERS\cbidf2k.sys
14:21:54.0087 5008 cbidf - ok
14:21:54.0087 5008 [ 90A673FC8E12A79AFBED2576F6A7AAF9 ] cbidf2k C:\WINDOWS\system32\drivers\cbidf2k.sys
14:21:54.0087 5008 cbidf2k - ok
14:21:54.0119 5008 [ 0BE5AEF125BE881C4F854C554F2B025C ] CCDECODE C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
14:21:54.0134 5008 CCDECODE - ok
14:21:54.0134 5008 [ F3EC03299634490E97BBCE94CD2954C7 ] cd20xrnt C:\WINDOWS\system32\DRIVERS\cd20xrnt.sys
14:21:54.0134 5008 cd20xrnt - ok
14:21:54.0165 5008 [ C1B486A7658353D33A10CC15211A873B ] Cdaudio C:\WINDOWS\system32\drivers\Cdaudio.sys
14:21:54.0165 5008 Cdaudio - ok
14:21:54.0197 5008 [ C885B02847F5D2FD45A24E219ED93B32 ] Cdfs C:\WINDOWS\system32\drivers\Cdfs.sys
14:21:54.0197 5008 Cdfs - ok
14:21:54.0244 5008 [ 2552670E5FBCFDB540EEB426AF39704D ] Cdr4_xp C:\WINDOWS\system32\drivers\Cdr4_xp.sys
14:21:54.0244 5008 Cdr4_xp - ok
14:21:54.0259 5008 [ B761B10D6A541BE69EA448A8429D30B0 ] Cdralw2k C:\WINDOWS\system32\drivers\Cdralw2k.sys
14:21:54.0259 5008 Cdralw2k - ok
14:21:54.0259 5008 [ 1F4260CC5B42272D71F79E570A27A4FE ] Cdrom C:\WINDOWS\system32\DRIVERS\cdrom.sys
14:21:54.0259 5008 Cdrom - ok
14:21:54.0275 5008 Changer - ok
14:21:54.0290 5008 [ 1CFE720EB8D93A7158A4EBC3AB178BDE ] CiSvc C:\WINDOWS\system32\cisvc.exe
14:21:54.0290 5008 CiSvc - ok
14:21:54.0322 5008 [ 34CBE729F38138217F9C80212A2A0C82 ] ClipSrv C:\WINDOWS\system32\clipsrv.exe
14:21:54.0322 5008 ClipSrv - ok
14:21:54.0337 5008 [ D87ACAED61E417BBA546CED5E7E36D9C ] clr_optimization_v2.0.50727_32 C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
14:21:54.0431 5008 clr_optimization_v2.0.50727_32 - ok
14:21:54.0462 5008 [ 0F6C187D38D98F8DF904589A5F94D411 ] CmBatt C:\WINDOWS\system32\DRIVERS\CmBatt.sys
14:21:54.0462 5008 CmBatt - ok
14:21:54.0540 5008 [ 77A752759E1F4D1F34AB75484C31F475 ] cmdAgent C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
14:21:54.0556 5008 Suspicious file (Forged): C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe. Real md5: 77A752759E1F4D1F34AB75484C31F475, Fake md5: 907324001AE25AC5959C91EAA34CABAE
14:21:54.0556 5008 cmdAgent ( ForgedFile.Multi.Generic ) - warning
14:21:54.0556 5008 cmdAgent - detected ForgedFile.Multi.Generic (1)
14:21:54.0603 5008 [ BEE235831F8E3F0BAACA18B39D285CF5 ] cmdGuard C:\WINDOWS\system32\DRIVERS\cmdguard.sys
14:21:54.0619 5008 cmdGuard - ok
14:21:54.0634 5008 [ DE548946F36CAB62FEC2E6AA0149A619 ] cmdHlp C:\WINDOWS\system32\DRIVERS\cmdhlp.sys
14:21:54.0634 5008 cmdHlp - ok
14:21:54.0665 5008 [ E5DCB56C533014ECBC556A8357C929D5 ] CmdIde C:\WINDOWS\system32\DRIVERS\cmdide.sys
14:21:54.0665 5008 CmdIde - ok
14:21:54.0681 5008 [ 6E4C9F21F0FAE8940661144F41B13203 ] Compbatt C:\WINDOWS\system32\DRIVERS\compbatt.sys
14:21:54.0681 5008 Compbatt - ok
14:21:54.0681 5008 COMSysApp - ok
14:21:54.0697 5008 [ 3EE529119EED34CD212A215E8C40D4B6 ] Cpqarray C:\WINDOWS\system32\DRIVERS\cpqarray.sys
14:21:54.0697 5008 Cpqarray - ok
14:21:54.0744 5008 [ D01F685F8B4598D144B0CCE9FF95D8D5 ] cpudrv C:\Program Files\SystemRequirementsLab\cpudrv.sys
14:21:54.0744 5008 cpudrv - ok
14:21:54.0775 5008 [ 3D4E199942E29207970E04315D02AD3B ] CryptSvc C:\WINDOWS\System32\cryptsvc.dll
14:21:54.0775 5008 CryptSvc - ok
14:21:54.0775 5008 [ E550E7418984B65A78299D248F0A7F36 ] dac2w2k C:\WINDOWS\system32\DRIVERS\dac2w2k.sys
14:21:54.0775 5008 dac2w2k - ok
14:21:54.0790 5008 [ 683789CAA3864EB46125AE86FF677D34 ] dac960nt C:\WINDOWS\system32\DRIVERS\dac960nt.sys
14:21:54.0790 5008 dac960nt - ok
14:21:54.0900 5008 [ 77843EB03B5F6995D6184BD6C4EA139F ] DataSvr C:\Program Files\Wave Systems Corp\Common\DataServer.exe
14:21:54.0900 5008 DataSvr - ok
14:21:54.0962 5008 [ 6B27A5C03DFB94B4245739065431322C ] DcomLaunch C:\WINDOWS\system32\rpcss.dll
14:21:54.0978 5008 DcomLaunch - ok
14:21:55.0040 5008 [ 5E38D7684A49CACFB752B046357E0589 ] Dhcp C:\WINDOWS\System32\dhcpcsvc.dll
14:21:55.0040 5008 Dhcp - ok
14:21:55.0040 5008 [ 044452051F3E02E7963599FC8F4F3E25 ] Disk C:\WINDOWS\system32\DRIVERS\disk.sys
14:21:55.0040 5008 Disk - ok
14:21:55.0056 5008 dmadmin - ok
14:21:55.0056 5008 [ E8BD266C43CD750CAD9A0F503523FF48 ] dmboot C:\WINDOWS\system32\drivers\dmboot.sys
14:21:55.0103 5008 Suspicious file (Forged): C:\WINDOWS\system32\drivers\dmboot.sys. Real md5: E8BD266C43CD750CAD9A0F503523FF48, Fake md5: D992FE1274BDE0F84AD826ACAE022A41
14:21:55.0103 5008 dmboot ( ForgedFile.Multi.Generic ) - warning
14:21:55.0103 5008 dmboot - detected ForgedFile.Multi.Generic (1)
14:21:55.0134 5008 [ 7C824CF7BBDE77D95C08005717A95F6F ] dmio C:\WINDOWS\system32\drivers\dmio.sys
14:21:55.0134 5008 dmio - ok
14:21:55.0150 5008 [ E9317282A63CA4D188C0DF5E09C6AC5F ] dmload C:\WINDOWS\system32\drivers\dmload.sys
14:21:55.0150 5008 dmload - ok
14:21:55.0197 5008 [ 57EDEC2E5F59F0335E92F35184BC8631 ] dmserver C:\WINDOWS\System32\dmserver.dll
14:21:55.0197 5008 dmserver - ok
14:21:55.0212 5008 [ 8A208DFCF89792A484E76C40E5F50B45 ] DMusic C:\WINDOWS\system32\drivers\DMusic.sys
14:21:55.0228 5008 DMusic - ok
14:21:55.0244 5008 [ 5F7E24FA9EAB896051FFB87F840730D2 ] Dnscache C:\WINDOWS\System32\dnsrslvr.dll
14:21:55.0244 5008 Dnscache - ok
14:21:55.0275 5008 [ 0F0F6E687E5E15579EF4DA8DD6945814 ] Dot3svc C:\WINDOWS\System32\dot3svc.dll
14:21:55.0290 5008 Dot3svc - ok
14:21:55.0290 5008 [ 40F3B93B4E5B0126F2F5C0A7A5E22660 ] dpti2o C:\WINDOWS\system32\DRIVERS\dpti2o.sys
14:21:55.0290 5008 dpti2o - ok
14:21:55.0306 5008 [ 8F5FCFF8E8848AFAC920905FBD9D33C8 ] drmkaud C:\WINDOWS\system32\drivers\drmkaud.sys
14:21:55.0306 5008 drmkaud - ok
14:21:55.0353 5008 [ F239EC59B4A30266A4A7B081A5DEE0FC ] e1express C:\WINDOWS\system32\DRIVERS\e1e5132.sys
14:21:55.0353 5008 e1express - ok
14:21:55.0384 5008 [ 2187855A7703ADEF0CEF9EE4285182CC ] EapHost C:\WINDOWS\System32\eapsvc.dll
14:21:55.0384 5008 EapHost - ok
14:21:55.0447 5008 [ 5D1347AA5AE6E2F77D7F4F8372D95AC9 ] ehRecvr C:\WINDOWS\eHome\ehRecvr.exe
14:21:55.0462 5008 ehRecvr - ok
14:21:55.0494 5008 [ A53243709439AC2A4C216B817F8D7411 ] ehSched C:\WINDOWS\eHome\ehSched.exe
14:21:55.0509 5008 ehSched - ok
14:21:55.0540 5008 [ C9E04311E2810131EEB4DC5C3E3B8181 ] ELacpi C:\WINDOWS\system32\DRIVERS\ELacpi.sys
14:21:55.0556 5008 ELacpi - ok
14:21:55.0572 5008 [ 5E58F151A79A8AC76CDB747E34186E8C ] ELhid C:\WINDOWS\System32\Drivers\Elhid.sys
14:21:55.0572 5008 ELhid - ok
14:21:55.0587 5008 [ CC1ADACC2099C942CC8DAD0C6A58F4F4 ] ELkbd C:\WINDOWS\System32\Drivers\Elkbd.sys
14:21:55.0587 5008 ELkbd - ok
14:21:55.0603 5008 [ B4280D16C080715BC073BCF03EAE42BB ] ELmon C:\WINDOWS\System32\Drivers\Elmon.sys
14:21:55.0603 5008 ELmon - ok
14:21:55.0603 5008 [ C5204040F97EB81631615BDC87E1DA6A ] ELmou C:\WINDOWS\System32\Drivers\Elmou.sys
14:21:55.0603 5008 ELmou - ok
14:21:55.0650 5008 [ 4BBBCED90EADF949D42EF51E6E4118EA ] ELService C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology Drivers\Elservice.exe
14:21:55.0650 5008 ELService - ok
14:21:55.0665 5008 [ BC93B4A066477954555966D77FEC9ECB ] ERSvc C:\WINDOWS\System32\ersvc.dll
14:21:55.0665 5008 ERSvc - ok
14:21:55.0712 5008 [ 65DF52F5B8B6E9BBD183505225C37315 ] Eventlog C:\WINDOWS\system32\services.exe
14:21:55.0712 5008 Eventlog - ok
14:21:55.0775 5008 [ D4991D98F2DB73C60D042F1AEF79EFAE ] EventSystem C:\WINDOWS\system32\es.dll
14:21:55.0790 5008 EventSystem - ok
14:21:55.0837 5008 [ 38D332A6D56AF32635675F132548343E ] Fastfat C:\WINDOWS\system32\drivers\Fastfat.sys
14:21:55.0837 5008 Fastfat - ok
14:21:55.0900 5008 [ 99BC0B50F511924348BE19C7C7313BBF ] FastUserSwitchingCompatibility C:\WINDOWS\System32\shsvcs.dll
14:21:55.0900 5008 FastUserSwitchingCompatibility - ok
14:21:55.0947 5008 [ 92CDD60B6730B9F50F6A1A0C1F8CDC81 ] Fdc C:\WINDOWS\system32\DRIVERS\fdc.sys
14:21:55.0947 5008 Fdc - ok
14:21:55.0978 5008 [ D45926117EB9FA946A6AF572FBE1CAA3 ] Fips C:\WINDOWS\system32\drivers\Fips.sys
14:21:55.0978 5008 Fips - ok
14:21:55.0994 5008 [ 9D27E7B80BFCDF1CDD9B555862D5E7F0 ] Flpydisk C:\WINDOWS\system32\DRIVERS\flpydisk.sys
14:21:55.0994 5008 Flpydisk - ok
14:21:56.0025 5008 [ B2CF4B0786F8212CB92ED2B50C6DB6B0 ] FltMgr C:\WINDOWS\system32\drivers\fltmgr.sys
14:21:56.0025 5008 FltMgr - ok
14:21:56.0072 5008 [ 8BA7C024070F2B7FDD98ED8A4BA41789 ] FontCache3.0.0.0 c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
14:21:56.0087 5008 FontCache3.0.0.0 - ok
14:21:56.0119 5008 [ C6EE3A87FE609D3E1DB9DBD072A248DE ] fssfltr C:\WINDOWS\system32\DRIVERS\fssfltr_tdi.sys
14:21:56.0119 5008 fssfltr - ok
14:21:56.0197 5008 [ DB961C66BE6F76124043CDF880DC8043 ] fsssvc C:\Program Files\Windows Live\Family Safety\fsssvc.exe
14:21:56.0228 5008 Suspicious file (Forged): C:\Program Files\Windows Live\Family Safety\fsssvc.exe. Real md5: DB961C66BE6F76124043CDF880DC8043, Fake md5: 206AD9A89BF05DFA1621F1FC7B82592D
14:21:56.0228 5008 fsssvc ( ForgedFile.Multi.Generic ) - warning
14:21:56.0228 5008 fsssvc - detected ForgedFile.Multi.Generic (1)
14:21:56.0275 5008 [ 3E1E2BD4F39B0E2B7DC4F4D2BCC2779A ] Fs_Rec C:\WINDOWS\system32\drivers\Fs_Rec.sys
14:21:56.0275 5008 Fs_Rec - ok
14:21:56.0290 5008 [ 6AC26732762483366C3969C9E4D2259D ] Ftdisk C:\WINDOWS\system32\DRIVERS\ftdisk.sys
14:21:56.0290 5008 Ftdisk - ok
14:21:56.0337 5008 [ AB8A6A87D9D7255C3884D5B9541A6E80 ] GEARAspiWDM C:\WINDOWS\system32\Drivers\GEARAspiWDM.sys
14:21:56.0337 5008 GEARAspiWDM - ok
14:21:56.0337 5008 getPlusHelper - ok
14:21:56.0384 5008 [ 3800262165CE4A2B9D1ED09E2BCE3E9C ] GoProto C:\WINDOWS\system32\DRIVERS\goprot51.sys
14:21:56.0384 5008 GoProto - ok
14:21:56.0400 5008 [ 0A02C63C8B144BD8C86B103DEE7C86A2 ] Gpc C:\WINDOWS\system32\DRIVERS\msgpc.sys
14:21:56.0400 5008 Gpc - ok
14:21:56.0431 5008 [ 573C7D0A32852B48F3058CFD8026F511 ] HDAudBus C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
14:21:56.0431 5008 HDAudBus - ok
14:21:56.0572 5008 [ 4FCCA060DFE0C51A09DD5C3843888BCD ] helpsvc C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll
14:21:56.0572 5008 helpsvc - ok
14:21:56.0619 5008 [ DEB04DA35CC871B6D309B77E1443C796 ] HidServ C:\WINDOWS\System32\hidserv.dll
14:21:56.0619 5008 HidServ - ok
14:21:56.0650 5008 [ CCF82C5EC8A7326C3066DE870C06DAF1 ] HidUsb C:\WINDOWS\system32\DRIVERS\hidusb.sys
14:21:56.0650 5008 HidUsb - ok
14:21:56.0681 5008 [ 8878BD685E490239777BFE51320B88E9 ] hkmsvc C:\WINDOWS\System32\kmsvc.dll
14:21:56.0681 5008 hkmsvc - ok
14:21:56.0681 5008 [ B028377DEA0546A5FCFBA928A8AEFAE0 ] hpn C:\WINDOWS\system32\DRIVERS\hpn.sys
14:21:56.0681 5008 hpn - ok
14:21:56.0728 5008 [ D03D10F7DED688FECF50F8FBF1EA9B8A ] HPZid412 C:\WINDOWS\system32\DRIVERS\HPZid412.sys
14:21:56.0728 5008 HPZid412 - ok
14:21:56.0728 5008 [ 89F41658929393487B6B7D13C8528CE3 ] HPZipr12 C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
14:21:56.0744 5008 HPZipr12 - ok
14:21:56.0744 5008 [ ABCB05CCDBF03000354B9553820E39F8 ] HPZius12 C:\WINDOWS\system32\DRIVERS\HPZius12.sys
14:21:56.0759 5008 HPZius12 - ok
14:21:56.0806 5008 [ B6B0721A86E51D141EC55C3CC1CA5686 ] HSFHWBS2 C:\WINDOWS\system32\DRIVERS\HSFHWBS2.sys
14:21:56.0822 5008 HSFHWBS2 - ok
14:21:56.0837 5008 [ 83430D00295AEC17211F22AD26AEDF84 ] HSF_DPV C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys
14:21:56.0884 5008 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys. Real md5: 83430D00295AEC17211F22AD26AEDF84, Fake md5: 698204D9C2832E53633E53A30A53FC3D
14:21:56.0884 5008 HSF_DPV ( ForgedFile.Multi.Generic ) - warning
14:21:56.0884 5008 HSF_DPV - detected ForgedFile.Multi.Generic (1)
14:21:56.0947 5008 [ F80A415EF82CD06FFAF0D971528EAD38 ] HTTP C:\WINDOWS\system32\Drivers\HTTP.sys
14:21:56.0947 5008 HTTP - ok
14:21:56.0978 5008 [ 6100A808600F44D999CEBDEF8841C7A3 ] HTTPFilter C:\WINDOWS\System32\w3ssl.dll
14:21:56.0994 5008 HTTPFilter - ok
14:21:57.0009 5008 [ 9368670BD426EBEA5E8B18A62416EC28 ] i2omgmt C:\WINDOWS\system32\drivers\i2omgmt.sys
14:21:57.0009 5008 i2omgmt - ok
14:21:57.0040 5008 [ F10863BF1CCC290BABD1A09188AE49E0 ] i2omp C:\WINDOWS\system32\DRIVERS\i2omp.sys
14:21:57.0040 5008 i2omp - ok
14:21:57.0056 5008 [ 4A0B06AA8943C1E332520F7440C0AA30 ] i8042prt C:\WINDOWS\system32\DRIVERS\i8042prt.sys
14:21:57.0056 5008 i8042prt - ok
14:21:57.0103 5008 [ B705032DB7053E255D331AC8A639A1D3 ] IAMTXP C:\WINDOWS\system32\DRIVERS\IAMTXP.sys
14:21:57.0119 5008 IAMTXP - ok
14:21:57.0134 5008 [ 88B1943ECFF661F765228099138CF6AB ] iaStor C:\WINDOWS\system32\DRIVERS\IASTOR.SYS
14:21:57.0134 5008 iaStor - ok
14:21:57.0181 5008 [ 63D05CE1990B514789C1F9566140D5B0 ] idsvc c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
14:21:57.0212 5008 Suspicious file (Forged): c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe. Real md5: 63D05CE1990B514789C1F9566140D5B0, Fake md5: C01AC32DC5C03076CFB852CB5DA5229C
14:21:57.0212 5008 idsvc ( ForgedFile.Multi.Generic ) - warning
14:21:57.0212 5008 idsvc - detected ForgedFile.Multi.Generic (1)
14:21:57.0228 5008 [ 083A052659F5310DD8B6A6CB05EDCF8E ] Imapi C:\WINDOWS\system32\DRIVERS\imapi.sys
14:21:57.0228 5008 Imapi - ok
14:21:57.0259 5008 [ 30DEAF54A9755BB8546168CFE8A6B5E1 ] ImapiService C:\WINDOWS\system32\imapi.exe
14:21:57.0275 5008 ImapiService - ok
14:21:57.0322 5008 [ 4A40E045FAEE58631FD8D91AFC620719 ] ini910u C:\WINDOWS\system32\DRIVERS\ini910u.sys
14:21:57.0322 5008 ini910u - ok
14:21:57.0322 5008 [ F89849CF13805EF49DA64A8A63193AF7 ] Inspect C:\WINDOWS\system32\DRIVERS\inspect.sys
14:21:57.0337 5008 Inspect - ok
14:21:57.0337 5008 [ B5466A9250342A7AA0CD1FBA13420678 ] IntelIde C:\WINDOWS\system32\DRIVERS\intelide.sys
14:21:57.0337 5008 IntelIde - ok
14:21:57.0384 5008 [ 8C953733D8F36EB2133F5BB58808B66B ] intelppm C:\WINDOWS\system32\DRIVERS\intelppm.sys
14:21:57.0384 5008 intelppm - ok
14:21:57.0400 5008 [ 3BB22519A194418D5FEC05D800A19AD0 ] Ip6Fw C:\WINDOWS\system32\drivers\ip6fw.sys
14:21:57.0415 5008 Ip6Fw - ok
14:21:57.0415 5008 [ 731F22BA402EE4B62748ADAF6363C182 ] IpFilterDriver C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
14:21:57.0415 5008 IpFilterDriver - ok
14:21:57.0415 5008 [ B87AB476DCF76E72010632B5550955F5 ] IpInIp C:\WINDOWS\system32\DRIVERS\ipinip.sys
14:21:57.0415 5008 IpInIp - ok
14:21:57.0462 5008 [ CC748EA12C6EFFDE940EE98098BF96BB ] IpNat C:\WINDOWS\system32\DRIVERS\ipnat.sys
14:21:57.0462 5008 IpNat - ok
14:21:57.0509 5008 [ 23C74D75E36E7158768DD63D92789A91 ] IPSec C:\WINDOWS\system32\DRIVERS\ipsec.sys
14:21:57.0509 5008 IPSec - ok
14:21:57.0540 5008 [ C93C9FF7B04D772627A3646D89F7BF89 ] IRENUM C:\WINDOWS\system32\DRIVERS\irenum.sys
14:21:57.0540 5008 IRENUM - ok
14:21:57.0572 5008 [ 05A299EC56E52649B1CF2FC52D20F2D7 ] isapnp C:\WINDOWS\system32\DRIVERS\isapnp.sys
14:21:57.0572 5008 isapnp - ok
14:21:57.0665 5008 [ 03C46D43740D4BF5098D8DE7F4D85F91 ] ISSM C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe
14:21:57.0665 5008 ISSM - ok
14:21:57.0775 5008 [ B591E761161D1EF547D76EF236EAA6A5 ] JavaQuickStarterService C:\Program Files\Java\jre7\bin\jqs.exe
14:21:57.0775 5008 JavaQuickStarterService - ok
14:21:57.0806 5008 [ 463C1EC80CD17420A542B7F36A36F128 ] Kbdclass C:\WINDOWS\system32\DRIVERS\kbdclass.sys
14:21:57.0806 5008 Kbdclass - ok
14:21:57.0853 5008 [ 9EF487A186DEA361AA06913A75B3FA99 ] kbdhid C:\WINDOWS\system32\DRIVERS\kbdhid.sys
14:21:57.0853 5008 kbdhid - ok
14:21:57.0869 5008 [ 692BCF44383D056AED41B045A323D378 ] kmixer C:\WINDOWS\system32\drivers\kmixer.sys
14:21:57.0869 5008 kmixer - ok
14:21:57.0931 5008 [ B467646C54CC746128904E1654C750C1 ] KSecDD C:\WINDOWS\system32\drivers\KSecDD.sys
14:21:57.0931 5008 KSecDD - ok
14:21:57.0978 5008 [ 3A7C3CBE5D96B8AE96CE81F0B22FB527 ] lanmanserver C:\WINDOWS\System32\srvsvc.dll
14:21:57.0978 5008 lanmanserver - ok
14:21:58.0040 5008 [ A8888A5327621856C0CEC4E385F69309 ] lanmanworkstation C:\WINDOWS\System32\wkssvc.dll
14:21:58.0040 5008 lanmanworkstation - ok
14:21:58.0056 5008 lbrtfdc - ok
14:21:58.0103 5008 [ A7DB739AE99A796D91580147E919CC59 ] LmHosts C:\WINDOWS\System32\lmhsvc.dll
14:21:58.0103 5008 LmHosts - ok
14:21:58.0165 5008 [ 3699E400C0F0412EF5C070447F43C693 ] M1 Server C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe
14:21:58.0165 5008 M1 Server - ok
14:21:58.0181 5008 [ DFE4CDA8626647BB086F6034A2573581 ] MCLServiceATL C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe
14:21:58.0181 5008 MCLServiceATL - ok
14:21:58.0228 5008 [ DF0A511F38F16016BF658FCA0090CB87 ] McrdSvc C:\WINDOWS\ehome\mcrdsvc.exe
14:21:58.0244 5008 McrdSvc - ok
14:21:58.0259 5008 [ E246A32C445056996074A397DA56E815 ] mdmxsdk C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
14:21:58.0259 5008 mdmxsdk - ok
14:21:58.0290 5008 [ 986B1FF5814366D71E0AC5755C88F2D3 ] Messenger C:\WINDOWS\System32\msgsvc.dll
14:21:58.0290 5008 Messenger - ok
14:21:58.0322 5008 [ B7521F69C0A9B29D356157229376FB21 ] MHN C:\WINDOWS\System32\mhn.dll
14:21:58.0322 5008 MHN - ok
14:21:58.0353 5008 [ 7F2F1D2815A6449D346FCCCBC569FBD6 ] MHNDRV C:\WINDOWS\system32\DRIVERS\mhndrv.sys
14:21:58.0353 5008 MHNDRV - ok
14:21:58.0384 5008 [ 4AE068242760A1FB6E1A44BF4E16AFA6 ] mnmdd C:\WINDOWS\system32\drivers\mnmdd.sys
14:21:58.0384 5008 mnmdd - ok
14:21:58.0431 5008 [ D18F1F0C101D06A1C1ADF26EED16FCDD ] mnmsrvc C:\WINDOWS\system32\mnmsrvc.exe
14:21:58.0431 5008 mnmsrvc - ok
14:21:58.0478 5008 [ DFCBAD3CEC1C5F964962AE10E0BCC8E1 ] Modem C:\WINDOWS\system32\drivers\Modem.sys
14:21:58.0478 5008 Modem - ok
14:21:58.0478 5008 [ 35C9E97194C8CFB8430125F8DBC34D04 ] Mouclass C:\WINDOWS\system32\DRIVERS\mouclass.sys
14:21:58.0478 5008 Mouclass - ok
14:21:58.0509 5008 [ B1C303E17FB9D46E87A98E4BA6769685 ] mouhid C:\WINDOWS\system32\DRIVERS\mouhid.sys
14:21:58.0509 5008 mouhid - ok
14:21:58.0540 5008 [ A80B9A0BAD1B73637DBCBBA7DF72D3FD ] MountMgr C:\WINDOWS\system32\drivers\MountMgr.sys
14:21:58.0540 5008 MountMgr - ok
14:21:58.0572 5008 [ C0F8E0C2C3C0437CF37C6781896DC3EC ] MPE C:\WINDOWS\system32\DRIVERS\MPE.sys
14:21:58.0572 5008 MPE - ok
14:21:58.0572 5008 [ 3F4BB95E5A44F3BE34824E8E7CAF0737 ] mraid35x C:\WINDOWS\system32\DRIVERS\mraid35x.sys
14:21:58.0572 5008 mraid35x - ok
14:21:58.0587 5008 [ 11D42BB6206F33FBB3BA0288D3EF81BD ] MRxDAV C:\WINDOWS\system32\DRIVERS\mrxdav.sys
14:21:58.0587 5008 MRxDAV - ok
14:21:58.0634 5008 [ 7D304A5EB4344EBEEAB53A2FE3FFB9F0 ] MRxSmb C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
14:21:58.0634 5008 MRxSmb - ok
14:21:58.0681 5008 [ A137F1470499A205ABBB9AAFB3B6F2B1 ] MSDTC C:\WINDOWS\system32\msdtc.exe
14:21:58.0681 5008 MSDTC - ok
14:21:58.0712 5008 [ C941EA2454BA8350021D774DAF0F1027 ] Msfs C:\WINDOWS\system32\drivers\Msfs.sys
14:21:58.0712 5008 Msfs - ok
14:21:58.0712 5008 MSIServer - ok
14:21:58.0744 5008 [ D1575E71568F4D9E14CA56B7B0453BF1 ] MSKSSRV C:\WINDOWS\system32\drivers\MSKSSRV.sys
14:21:58.0744 5008 MSKSSRV - ok
14:21:58.0759 5008 [ 325BB26842FC7CCC1FCCE2C457317F3E ] MSPCLOCK C:\WINDOWS\system32\drivers\MSPCLOCK.sys
14:21:58.0759 5008 MSPCLOCK - ok
14:21:58.0790 5008 [ BAD59648BA099DA4A17680B39730CB3D ] MSPQM C:\WINDOWS\system32\drivers\MSPQM.sys
14:21:58.0790 5008 MSPQM - ok
14:21:58.0806 5008 [ AF5F4F3F14A8EA2C26DE30F7A1E17136 ] mssmbios C:\WINDOWS\system32\DRIVERS\mssmbios.sys
14:21:58.0806 5008 mssmbios - ok
14:21:58.0884 5008 MSSQL$SONY_MEDIAMGR - ok
14:21:58.0947 5008 [ CB7524C21727404BD3140DCA32DEB7DE ] MSSQLServerADHelper C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe
14:21:58.0947 5008 MSSQLServerADHelper - ok
14:21:58.0978 5008 [ E53736A9E30C45FA9E7B5EAC55056D1D ] MSTEE C:\WINDOWS\system32\drivers\MSTEE.sys
14:21:58.0978 5008 MSTEE - ok
14:21:59.0025 5008 [ DE6A75F5C270E756C5508D94B6CF68F5 ] Mup C:\WINDOWS\system32\drivers\Mup.sys
14:21:59.0025 5008 Mup - ok
14:21:59.0040 5008 [ 5B50F1B2A2ED47D560577B221DA734DB ] NABTSFEC C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
14:21:59.0040 5008 NABTSFEC - ok
14:21:59.0072 5008 [ 0102140028FAD045756796E1C685D695 ] napagent C:\WINDOWS\System32\qagentrt.dll
14:21:59.0087 5008 napagent - ok
14:21:59.0134 5008 [ 6B2DE42F8E9AEF946F4DBF02375766F3 ] NCUpdateSvc C:\Program Files\Netscape Internet Service\ncupdatesvc.exe
14:21:59.0134 5008 NCUpdateSvc - ok
14:21:59.0150 5008 [ 1DF7F42665C94B825322FAE71721130D ] NDIS C:\WINDOWS\system32\drivers\NDIS.sys
14:21:59.0150 5008 NDIS - ok
14:21:59.0197 5008 [ 7FF1F1FD8609C149AA432F95A8163D97 ] NdisIP C:\WINDOWS\system32\DRIVERS\NdisIP.sys
14:21:59.0197 5008 NdisIP - ok
14:21:59.0228 5008 [ 0109C4F3850DFBAB279542515386AE22 ] NdisTapi C:\WINDOWS\system32\DRIVERS\ndistapi.sys
14:21:59.0228 5008 NdisTapi - ok
14:21:59.0259 5008 [ F927A4434C5028758A842943EF1A3849 ] Ndisuio C:\WINDOWS\system32\DRIVERS\ndisuio.sys
14:21:59.0259 5008 Ndisuio - ok
14:21:59.0259 5008 [ EDC1531A49C80614B2CFDA43CA8659AB ] NdisWan C:\WINDOWS\system32\DRIVERS\ndiswan.sys
14:21:59.0259 5008 NdisWan - ok
14:21:59.0322 5008 [ 9282BD12DFB069D3889EB3FCC1000A9B ] NDProxy C:\WINDOWS\system32\drivers\NDProxy.sys
14:21:59.0322 5008 NDProxy - ok
14:21:59.0369 5008 [ 5D81CF9A2F1A3A756B66CF684911CDF0 ] NetBIOS C:\WINDOWS\system32\DRIVERS\netbios.sys
14:21:59.0369 5008 NetBIOS - ok
14:21:59.0384 5008 [ 74B2B2F5BEA5E9A3DC021D685551BD3D ] NetBT C:\WINDOWS\system32\DRIVERS\netbt.sys
14:21:59.0400 5008 NetBT - ok
14:21:59.0447 5008 [ B857BA82860D7FF85AE29B095645563B ] NetDDE C:\WINDOWS\system32\netdde.exe
14:21:59.0447 5008 NetDDE - ok
14:21:59.0447 5008 [ B857BA82860D7FF85AE29B095645563B ] NetDDEdsdm C:\WINDOWS\system32\netdde.exe
14:21:59.0462 5008 NetDDEdsdm - ok
14:21:59.0494 5008 [ BF2466B3E18E970D8A976FB95FC1CA85 ] Netlogon C:\WINDOWS\system32\lsass.exe
14:21:59.0494 5008 Netlogon - ok
14:21:59.0556 5008 [ 13E67B55B3ABD7BF3FE7AAE5A0F9A9DE ] Netman C:\WINDOWS\System32\netman.dll
14:21:59.0556 5008 Netman - ok
14:21:59.0603 5008 [ D34612C5D02D026535B3095D620626AE ] NetTcpPortSharing c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
14:21:59.0603 5008 NetTcpPortSharing - ok
14:21:59.0619 5008 [ E9E47CFB2D461FA0FC75B7A74C6383EA ] NIC1394 C:\WINDOWS\system32\DRIVERS\nic1394.sys
14:21:59.0619 5008 NIC1394 - ok
14:21:59.0665 5008 [ 943337D786A56729263071623BBB9DE5 ] Nla C:\WINDOWS\System32\mswsock.dll
14:21:59.0665 5008 Nla - ok
14:21:59.0712 5008 NMIndexingService - ok
14:21:59.0744 5008 [ 3182D64AE053D6FB034F44B6DEF8034A ] Npfs C:\WINDOWS\system32\drivers\Npfs.sys
14:21:59.0744 5008 Npfs - ok
14:21:59.0775 5008 [ 78A08DD6A8D65E697C18E1DB01C5CDCA ] Ntfs C:\WINDOWS\system32\drivers\Ntfs.sys
14:21:59.0790 5008 Ntfs - ok
14:21:59.0790 5008 [ BF2466B3E18E970D8A976FB95FC1CA85 ] NtLmSsp C:\WINDOWS\system32\lsass.exe
14:21:59.0790 5008 NtLmSsp - ok
14:21:59.0837 5008 [ 156F64A3345BD23C600655FB4D10BC08 ] NtmsSvc C:\WINDOWS\system32\ntmssvc.dll
14:21:59.0837 5008 NtmsSvc - ok
14:21:59.0884 5008 [ 73C1E1F395918BC2C6DD67AF7591A3AD ] Null C:\WINDOWS\system32\drivers\Null.sys
14:21:59.0884 5008 Null - ok
14:21:59.0994 5008 [ 5F1E7716A0FBD8FE5760E00266CC5A51 ] nv C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
14:22:00.0431 5008 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\nv4_mini.sys. Real md5: 5F1E7716A0FBD8FE5760E00266CC5A51, Fake md5: 7B5A17BD54BB9142843DBE99A1CAAED8
14:22:00.0478 5008 nv ( ForgedFile.Multi.Generic ) - warning
14:22:00.0478 5008 nv - detected ForgedFile.Multi.Generic (1)
14:22:00.0525 5008 [ 5150B108EA88831E1C599603D8B89621 ] NVSvc C:\WINDOWS\system32\nvsvc32.exe
14:22:00.0540 5008 NVSvc - ok
14:22:00.0619 5008 [ AF2EB4D0B72482899E8089BAD3AC5526 ] nvUpdatusService C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
14:22:00.0681 5008 Suspicious file (Forged): C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe. Real md5: AF2EB4D0B72482899E8089BAD3AC5526, Fake md5: 83E8AB7BB3C8956C53FEC071C94F0BBB
14:22:00.0681 5008 nvUpdatusService ( ForgedFile.Multi.Generic ) - warning
14:22:00.0681 5008 nvUpdatusService - detected ForgedFile.Multi.Generic (1)
14:22:00.0712 5008 [ B305F3FAD35083837EF46A0BBCE2FC57 ] NwlnkFlt C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
14:22:00.0712 5008 NwlnkFlt - ok
14:22:00.0728 5008 [ C99B3415198D1AAB7227F2C88FD664B9 ] NwlnkFwd C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
14:22:00.0728 5008 NwlnkFwd - ok
14:22:00.0744 5008 [ CA33832DF41AFB202EE7AEB05145922F ] ohci1394 C:\WINDOWS\system32\DRIVERS\ohci1394.sys
14:22:00.0744 5008 ohci1394 - ok
14:22:00.0806 5008 [ 9D10F99A6712E28F8ACD5641E3A7EA6B ] ose C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
14:22:00.0806 5008 ose - ok
14:22:00.0853 5008 [ 5575FAF8F97CE5E713D108C2A58D7C7C ] Parport C:\WINDOWS\system32\DRIVERS\parport.sys
14:22:00.0853 5008 Parport - ok
14:22:00.0853 5008 [ BEB3BA25197665D82EC7065B724171C6 ] PartMgr C:\WINDOWS\system32\drivers\PartMgr.sys
14:22:00.0853 5008 PartMgr - ok
14:22:00.0884 5008 [ 70E98B3FD8E963A6A46A2E6247E0BEA1 ] ParVdm C:\WINDOWS\system32\drivers\ParVdm.sys
14:22:00.0884 5008 ParVdm - ok
14:22:00.0931 5008 [ A219903CCF74233761D92BEF471A07B1 ] PCI C:\WINDOWS\system32\DRIVERS\pci.sys
14:22:00.0931 5008 PCI - ok
14:22:00.0931 5008 PCIDump - ok
14:22:00.0962 5008 [ CCF5F451BB1A5A2A522A76E670000FF0 ] PCIIde C:\WINDOWS\system32\DRIVERS\pciide.sys
14:22:00.0962 5008 PCIIde - ok
14:22:00.0962 5008 [ 9E89EF60E9EE05E3F2EEF2DA7397F1C1 ] Pcmcia C:\WINDOWS\system32\DRIVERS\pcmcia.sys
14:22:00.0978 5008 Pcmcia - ok
14:22:00.0978 5008 PDCOMP - ok
14:22:00.0978 5008 PDFRAME - ok
14:22:00.0994 5008 PDRELI - ok
14:22:00.0994 5008 PDRFRAME - ok
14:22:01.0009 5008 [ 6C14B9C19BA84F73D3A86DBA11133101 ] perc2 C:\WINDOWS\system32\DRIVERS\perc2.sys
14:22:01.0009 5008 perc2 - ok
14:22:01.0009 5008 [ F50F7C27F131AFE7BEBA13E14A3B9416 ] perc2hib C:\WINDOWS\system32\DRIVERS\perc2hib.sys
14:22:01.0009 5008 perc2hib - ok
14:22:01.0056 5008 [ 65DF52F5B8B6E9BBD183505225C37315 ] PlugPlay C:\WINDOWS\system32\services.exe
14:22:01.0056 5008 PlugPlay - ok
14:22:01.0119 5008 [ 2D091A99624FB9E7EEF0A86D872EC0C3 ] Pml Driver HPZ12 C:\WINDOWS\system32\HPZipm12.exe
14:22:01.0119 5008 Pml Driver HPZ12 - ok
14:22:01.0119 5008 [ BF2466B3E18E970D8A976FB95FC1CA85 ] PolicyAgent C:\WINDOWS\system32\lsass.exe
14:22:01.0119 5008 PolicyAgent - ok
14:22:01.0150 5008 [ EFEEC01B1D3CF84F16DDD24D9D9D8F99 ] PptpMiniport C:\WINDOWS\system32\DRIVERS\raspptp.sys
14:22:01.0150 5008 PptpMiniport - ok
14:22:01.0181 5008 [ F3C8D6E59A36D4DD5729782015E685A8 ] PrismXL C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
14:22:01.0181 5008 PrismXL - ok
14:22:01.0181 5008 [ BF2466B3E18E970D8A976FB95FC1CA85 ] ProtectedStorage C:\WINDOWS\system32\lsass.exe
14:22:01.0181 5008 ProtectedStorage - ok
14:22:01.0197 5008 [ 09298EC810B07E5D582CB3A3F9255424 ] PSched C:\WINDOWS\system32\DRIVERS\psched.sys
14:22:01.0197 5008 PSched - ok
14:22:01.0212 5008 [ 80D317BD1C3DBC5D4FE7B1678C60CADD ] Ptilink C:\WINDOWS\system32\DRIVERS\ptilink.sys
14:22:01.0212 5008 Ptilink - ok
14:22:01.0212 5008 [ 617ACCADA2E0A0F43EC6030BBAC49513 ] PxHelp20 C:\WINDOWS\system32\Drivers\PxHelp20.sys
14:22:01.0212 5008 PxHelp20 - ok
14:22:01.0228 5008 [ 0A63FB54039EB5662433CABA3B26DBA7 ] ql1080 C:\WINDOWS\system32\DRIVERS\ql1080.sys
14:22:01.0228 5008 ql1080 - ok
14:22:01.0228 5008 [ 6503449E1D43A0FF0201AD5CB1B8C706 ] Ql10wnt C:\WINDOWS\system32\DRIVERS\ql10wnt.sys
14:22:01.0228 5008 Ql10wnt - ok
14:22:01.0244 5008 [ 156ED0EF20C15114CA097A34A30D8A01 ] ql12160 C:\WINDOWS\system32\DRIVERS\ql12160.sys
14:22:01.0244 5008 ql12160 - ok
14:22:01.0244 5008 [ 70F016BEBDE6D29E864C1230A07CC5E6 ] ql1240 C:\WINDOWS\system32\DRIVERS\ql1240.sys
14:22:01.0244 5008 ql1240 - ok
14:22:01.0259 5008 [ 907F0AEEA6BC451011611E732BD31FCF ] ql1280 C:\WINDOWS\system32\DRIVERS\ql1280.sys
14:22:01.0259 5008 ql1280 - ok
14:22:01.0290 5008 [ FE0D99D6F31E4FAD8159F690D68DED9C ] RasAcd C:\WINDOWS\system32\DRIVERS\rasacd.sys
14:22:01.0290 5008 RasAcd - ok
14:22:01.0337 5008 [ AD188BE7BDF94E8DF4CA0A55C00A5073 ] RasAuto C:\WINDOWS\System32\rasauto.dll
14:22:01.0337 5008 RasAuto - ok
14:22:01.0337 5008 [ 11B4A627BC9614B885C4969BFA5FF8A6 ] Rasl2tp C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
14:22:01.0353 5008 Rasl2tp - ok
14:22:01.0400 5008 [ 76A9A3CBEADD68CC57CDA5E1D7448235 ] RasMan C:\WINDOWS\System32\rasmans.dll
14:22:01.0400 5008 RasMan - ok
14:22:01.0447 5008 [ 5BC962F2654137C9909C3D4603587DEE ] RasPppoe C:\WINDOWS\system32\DRIVERS\raspppoe.sys
14:22:01.0447 5008 RasPppoe - ok
14:22:01.0462 5008 [ FDBB1D60066FCFBB7452FD8F9829B242 ] Raspti C:\WINDOWS\system32\DRIVERS\raspti.sys
14:22:01.0462 5008 Raspti - ok
14:22:01.0494 5008 [ 7AD224AD1A1437FE28D89CF22B17780A ] Rdbss C:\WINDOWS\system32\DRIVERS\rdbss.sys
14:22:01.0494 5008 Rdbss - ok
14:22:01.0540 5008 [ 4912D5B403614CE99C28420F75353332 ] RDPCDD C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
14:22:01.0540 5008 RDPCDD - ok
14:22:01.0556 5008 [ 15CABD0F7C00C47C70124907916AF3F1 ] rdpdr C:\WINDOWS\system32\DRIVERS\rdpdr.sys
14:22:01.0556 5008 rdpdr - ok
14:22:01.0603 5008 [ 43AF5212BD8FB5BA6EED9754358BD8F7 ] RDPWD C:\WINDOWS\system32\drivers\RDPWD.sys
14:22:01.0603 5008 RDPWD - ok
14:22:01.0650 5008 [ 3C37BF86641BDA977C3BF8A840F3B7FA ] RDSessMgr C:\WINDOWS\system32\sessmgr.exe
14:22:01.0650 5008 RDSessMgr - ok
14:22:01.0697 5008 [ F828DD7E1419B6653894A8F97A0094C5 ] redbook C:\WINDOWS\system32\DRIVERS\redbook.sys
14:22:01.0697 5008 redbook - ok
14:22:01.0744 5008 [ E8666443281E2D393C9BB4B2140718E4 ] Remote UI Service C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe
14:22:01.0759 5008 Remote UI Service - ok
14:22:01.0775 5008 [ 7E699FF5F59B5D9DE5390E3C34C67CF5 ] RemoteAccess C:\WINDOWS\System32\mprdim.dll
14:22:01.0775 5008 RemoteAccess - ok
14:22:01.0806 5008 [ 5B19B557B0C188210A56A6B699D90B8F ] RemoteRegistry C:\WINDOWS\system32\regsvc.dll
14:22:01.0806 5008 RemoteRegistry - ok
14:22:01.0822 5008 [ AAED593F84AFA419BBAE8572AF87CF6A ] RpcLocator C:\WINDOWS\system32\locator.exe
14:22:01.0822 5008 RpcLocator - ok
14:22:01.0853 5008 [ 6B27A5C03DFB94B4245739065431322C ] RpcSs C:\WINDOWS\system32\rpcss.dll
14:22:01.0853 5008 RpcSs - ok
14:22:01.0900 5008 [ 471B3F9741D762ABE75E9DEEA4787E47 ] RSVP C:\WINDOWS\system32\rsvp.exe
14:22:01.0915 5008 RSVP - ok
14:22:01.0931 5008 [ BF2466B3E18E970D8A976FB95FC1CA85 ] SamSs C:\WINDOWS\system32\lsass.exe
14:22:01.0931 5008 SamSs - ok
14:22:02.0025 5008 [ 39763504067962108505BFF25F024345 ] SASDIFSV C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
14:22:02.0025 5008 SASDIFSV - ok
14:22:02.0040 5008 [ 77B9FC20084B48408AD3E87570EB4A85 ] SASKUTIL C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
14:22:02.0040 5008 SASKUTIL - ok
14:22:02.0040 5008 [ 86D007E7A654B9A71D1D7D856B104353 ] SCardSvr C:\WINDOWS\System32\SCardSvr.exe
14:22:02.0056 5008 SCardSvr - ok
14:22:02.0103 5008 [ 0A9A7365A1CA4319AA7C1D6CD8E4EAFA ] Schedule C:\WINDOWS\system32\schedsvc.dll
14:22:02.0119 5008 Schedule - ok
14:22:02.0150 5008 [ 8D04819A3CE51B9EB47E5689B44D43C4 ] sdbus C:\WINDOWS\system32\DRIVERS\sdbus.sys
14:22:02.0165 5008 sdbus - ok
14:22:02.0181 5008 [ 90A3935D05B494A5A39D37E71F09A677 ] Secdrv C:\WINDOWS\system32\DRIVERS\secdrv.sys
14:22:02.0181 5008 Secdrv - ok
14:22:02.0212 5008 [ CBE612E2BB6A10E3563336191EDA1250 ] seclogon C:\WINDOWS\System32\seclogon.dll
14:22:02.0228 5008 seclogon - ok
14:22:02.0244 5008 [ 7FDD5D0684ECA8C1F68B4D99D124DCD0 ] SENS C:\WINDOWS\system32\sens.dll
14:22:02.0244 5008 SENS - ok
14:22:02.0290 5008 [ 0F29512CCD6BEAD730039FB4BD2C85CE ] Serenum C:\WINDOWS\system32\DRIVERS\serenum.sys
14:22:02.0306 5008 Serenum - ok
14:22:02.0306 5008 [ CCA207A8896D4C6A0C9CE29A4AE411A7 ] Serial C:\WINDOWS\system32\DRIVERS\serial.sys
14:22:02.0322 5008 Serial - ok
14:22:02.0353 5008 [ 8E6B8C671615D126FDC553D1E2DE5562 ] Sfloppy C:\WINDOWS\system32\drivers\Sfloppy.sys
14:22:02.0353 5008 Sfloppy - ok
14:22:02.0400 5008 [ 5FE18FFF6FBCF218290042009EAB023D ] sfng32 C:\WINDOWS\system32\drivers\sfng32.sys
14:22:02.0415 5008 sfng32 - ok
14:22:02.0462 5008 [ 83F41D0D89645D7235C051AB1D9523AC ] SharedAccess C:\WINDOWS\System32\ipnathlp.dll
14:22:02.0478 5008 SharedAccess - ok
14:22:02.0509 5008 [ 99BC0B50F511924348BE19C7C7313BBF ] ShellHWDetection C:\WINDOWS\System32\shsvcs.dll
14:22:02.0525 5008 ShellHWDetection - ok
14:22:02.0525 5008 Simbad - ok
14:22:02.0540 5008 [ 6B33D0EBD30DB32E27D1D78FE946A754 ] sisagp C:\WINDOWS\system32\DRIVERS\sisagp.sys
14:22:02.0540 5008 sisagp - ok
14:22:02.0572 5008 [ 866D538EBE33709A5C9F5C62B73B7D14 ] SLIP C:\WINDOWS\system32\DRIVERS\SLIP.sys
14:22:02.0572 5008 SLIP - ok
14:22:02.0587 5008 [ 83C0F71F86D3BDAF915685F3D568B20E ] Sparrow C:\WINDOWS\system32\DRIVERS\sparrow.sys
14:22:02.0587 5008 Sparrow - ok
14:22:02.0619 5008 [ AB8B92451ECB048A4D1DE7C3FFCB4A9F ] splitter C:\WINDOWS\system32\drivers\splitter.sys
14:22:02.0619 5008 splitter - ok
14:22:02.0665 5008 [ 60784F891563FB1B767F70117FC2428F ] Spooler C:\WINDOWS\system32\spoolsv.exe
14:22:02.0681 5008 Spooler - ok
14:22:02.0681 5008 SQLAgent$SONY_MEDIAMGR - ok
14:22:02.0697 5008 [ 76BB022C2FB6902FD5BDD4F78FC13A5D ] sr C:\WINDOWS\system32\DRIVERS\sr.sys
14:22:02.0697 5008 sr - ok
14:22:02.0712 5008 [ 3805DF0AC4296A34BA4BF93B346CC378 ] srservice C:\WINDOWS\system32\srsvc.dll
14:22:02.0728 5008 srservice - ok
14:22:02.0775 5008 [ 47DDFC2F003F7F9F0592C6874962A2E7 ] Srv C:\WINDOWS\system32\DRIVERS\srv.sys
14:22:02.0775 5008 Srv - ok
14:22:02.0837 5008 [ 0A5679B3714EDAB99E357057EE88FCA6 ] SSDPSRV C:\WINDOWS\System32\ssdpsrv.dll
14:22:02.0837 5008 SSDPSRV - ok
14:22:02.0900 5008 [ B8CE501A576695746CDD344D9E866C37 ] STacSV C:\WINDOWS\system32\STacSV.exe
14:22:02.0900 5008 STacSV - ok
14:22:02.0947 5008 [ 571BC278D213A22168631A3F0D5C9167 ] STHDA C:\WINDOWS\system32\drivers\sthda.sys
14:22:02.0994 5008 Suspicious file (Forged): C:\WINDOWS\system32\drivers\sthda.sys. Real md5: 571BC278D213A22168631A3F0D5C9167, Fake md5: 797FCC1D859B203958E915BB82528DA9
14:22:02.0994 5008 STHDA ( ForgedFile.Multi.Generic ) - warning
14:22:02.0994 5008 STHDA - detected ForgedFile.Multi.Generic (1)
14:22:03.0040 5008 [ 8BAD69CBAC032D4BBACFCE0306174C30 ] stisvc C:\WINDOWS\system32\wiaservc.dll
14:22:03.0040 5008 stisvc - ok
14:22:03.0056 5008 [ A641AD349077DC979E0046975F099DCB ] stmtpm C:\WINDOWS\system32\DRIVERS\stm_tpm.sys
14:22:03.0072 5008 stmtpm - ok
14:22:03.0087 5008 [ 77813007BA6265C4B6098187E6ED79D2 ] streamip C:\WINDOWS\system32\DRIVERS\StreamIP.sys
14:22:03.0087 5008 streamip - ok
14:22:03.0103 5008 [ 3941D127AEF12E93ADDF6FE6EE027E0F ] swenum C:\WINDOWS\system32\DRIVERS\swenum.sys
14:22:03.0103 5008 swenum - ok
14:22:03.0119 5008 [ 8CE882BCC6CF8A62F2B2323D95CB3D01 ] swmidi C:\WINDOWS\system32\drivers\swmidi.sys
14:22:03.0119 5008 swmidi - ok
14:22:03.0119 5008 SwPrv - ok
14:22:03.0150 5008 [ 1FF3217614018630D0A6758630FC698C ] symc810 C:\WINDOWS\system32\DRIVERS\symc810.sys
14:22:03.0165 5008 symc810 - ok
14:22:03.0165 5008 [ 070E001D95CF725186EF8B20335F933C ] symc8xx C:\WINDOWS\system32\DRIVERS\symc8xx.sys
14:22:03.0165 5008 symc8xx - ok
14:22:03.0181 5008 [ 80AC1C4ABBE2DF3B738BF15517A51F2C ] sym_hi C:\WINDOWS\system32\DRIVERS\sym_hi.sys
14:22:03.0181 5008 sym_hi - ok
14:22:03.0212 5008 [ BF4FAB949A382A8E105F46EBB4937058 ] sym_u3 C:\WINDOWS\system32\DRIVERS\sym_u3.sys
14:22:03.0212 5008 sym_u3 - ok
14:22:03.0259 5008 [ 8B83F3ED0F1688B4958F77CD6D2BF290 ] sysaudio C:\WINDOWS\system32\drivers\sysaudio.sys
14:22:03.0275 5008 sysaudio - ok
14:22:03.0290 5008 [ C7ABBC59B43274B1109DF6B24D617051 ] SysmonLog C:\WINDOWS\system32\smlogsvc.exe
14:22:03.0306 5008 SysmonLog - ok
14:22:03.0337 5008 [ 3CB78C17BB664637787C9A1C98F79C38 ] TapiSrv C:\WINDOWS\System32\tapisrv.dll
14:22:03.0337 5008 TapiSrv - ok
14:22:03.0415 5008 [ 9AEFA14BD6B182D61E3119FA5F436D3D ] Tcpip C:\WINDOWS\system32\DRIVERS\tcpip.sys
14:22:03.0415 5008 Tcpip - ok
14:22:03.0462 5008 [ 884999BCF1E73136FA4CC726AFD8B519 ] tcsd_win32.exe C:\Program Files\NTRU Cryptosystems\NTRU Hybrid TSS v1.05\bin\tcsd_win32.exe
14:22:03.0462 5008 tcsd_win32.exe - ok
14:22:03.0509 5008 [ 6471A66807F5E104E4885F5B67349397 ] TDPIPE C:\WINDOWS\system32\drivers\TDPIPE.sys
14:22:03.0509 5008 TDPIPE - ok
14:22:03.0540 5008 [ C56B6D0402371CF3700EB322EF3AAF61 ] TDTCP C:\WINDOWS\system32\drivers\TDTCP.sys
14:22:03.0540 5008 TDTCP - ok
14:22:03.0556 5008 [ 88155247177638048422893737429D9E ] TermDD C:\WINDOWS\system32\DRIVERS\termdd.sys
14:22:03.0556 5008 TermDD - ok
14:22:03.0619 5008 [ FF3477C03BE7201C294C35F684B3479F ] TermService C:\WINDOWS\System32\termsrv.dll
14:22:03.0634 5008 TermService - ok
14:22:03.0665 5008 [ 99BC0B50F511924348BE19C7C7313BBF ] Themes C:\WINDOWS\System32\shsvcs.dll
14:22:03.0665 5008 Themes - ok
14:22:03.0712 5008 [ DB7205804759FF62C34E3EFD8A4CC76A ] TlntSvr C:\WINDOWS\system32\tlntsvr.exe
14:22:03.0712 5008 TlntSvr - ok
14:22:03.0728 5008 [ F2790F6AF01321B172AA62F8E1E187D9 ] TosIde C:\WINDOWS\system32\DRIVERS\toside.sys
14:22:03.0728 5008 TosIde - ok
14:22:03.0759 5008 [ 55BCA12F7F523D35CA3CB833C725F54E ] TrkWks C:\WINDOWS\system32\trkwks.dll
14:22:03.0775 5008 TrkWks - ok
14:22:03.0806 5008 [ 3F55DAB936A6FC1D40375218040E4F09 ] TSHWMDTCP C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\TSHWMDTCP.sys
14:22:03.0806 5008 TSHWMDTCP - ok
14:22:03.0837 5008 [ 5787B80C2E3C5E2F56C2A233D91FA2C9 ] Udfs C:\WINDOWS\system32\drivers\Udfs.sys
14:22:03.0837 5008 Udfs - ok
14:22:03.0853 5008 [ 1B698A51CD528D8DA4FFAED66DFC51B9 ] ultra C:\WINDOWS\system32\DRIVERS\ultra.sys
14:22:03.0853 5008 ultra - ok
14:22:03.0915 5008 [ 402DDC88356B1BAC0EE3DD1580C76A31 ] Update C:\WINDOWS\system32\DRIVERS\update.sys
14:22:03.0915 5008 Update - ok
14:22:03.0962 5008 [ 1EBAFEB9A3FBDC41B8D9C7F0F687AD91 ] upnphost C:\WINDOWS\System32\upnphost.dll
14:22:03.0978 5008 upnphost - ok
14:22:04.0009 5008 [ 05365FB38FCA1E98F7A566AAAF5D1815 ] UPS C:\WINDOWS\System32\ups.exe
14:22:04.0025 5008 UPS - ok
14:22:04.0056 5008 [ E919708DB44ED8543A7C017953148330 ] usbaudio C:\WINDOWS\system32\drivers\usbaudio.sys
14:22:04.0056 5008 usbaudio - ok
14:22:04.0087 5008 [ 173F317CE0DB8E21322E71B7E60A27E8 ] usbccgp C:\WINDOWS\system32\DRIVERS\usbccgp.sys
14:22:04.0087 5008 usbccgp - ok
14:22:04.0134 5008 [ 65DCF09D0E37D4C6B11B5B0B76D470A7 ] usbehci C:\WINDOWS\system32\DRIVERS\usbehci.sys
14:22:04.0134 5008 usbehci - ok
14:22:04.0150 5008 [ 1AB3CDDE553B6E064D2E754EFE20285C ] usbhub C:\WINDOWS\system32\DRIVERS\usbhub.sys
14:22:04.0150 5008 usbhub - ok
14:22:04.0197 5008 [ A717C8721046828520C9EDF31288FC00 ] usbprint C:\WINDOWS\system32\DRIVERS\usbprint.sys
14:22:04.0197 5008 usbprint - ok
14:22:04.0244 5008 [ A0B8CF9DEB1184FBDD20784A58FA75D4 ] usbscan C:\WINDOWS\system32\DRIVERS\usbscan.sys
14:22:04.0244 5008 usbscan - ok
14:22:04.0259 5008 [ A32426D9B14A089EAA1D922E0C5801A9 ] usbstor C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
14:22:04.0259 5008 usbstor - ok
14:22:04.0322 5008 [ 26496F9DEE2D787FC3E61AD54821FFE6 ] usbuhci C:\WINDOWS\system32\DRIVERS\usbuhci.sys
14:22:04.0322 5008 usbuhci - ok
14:22:04.0322 5008 [ 0D3A8FAFCEACD8B7625CD549757A7DF1 ] VgaSave C:\WINDOWS\System32\drivers\vga.sys
14:22:04.0322 5008 VgaSave - ok
14:22:04.0337 5008 [ 754292CE5848B3738281B4F3607EAEF4 ] viaagp C:\WINDOWS\system32\DRIVERS\viaagp.sys
14:22:04.0337 5008 viaagp - ok
14:22:04.0353 5008 [ 3B3EFCDA263B8AC14FDF9CBDD0791B2E ] ViaIde C:\WINDOWS\system32\DRIVERS\viaide.sys
14:22:04.0353 5008 ViaIde - ok
14:22:04.0353 5008 [ 4C8FCB5CC53AAB716D810740FE59D025 ] VolSnap C:\WINDOWS\system32\drivers\VolSnap.sys
14:22:04.0353 5008 VolSnap - ok
14:22:04.0400 5008 [ 7A9DB3A67C333BF0BD42E42B8596854B ] VSS C:\WINDOWS\System32\vssvc.exe
14:22:04.0400 5008 VSS - ok
14:22:04.0431 5008 [ 54AF4B1D5459500EF0937F6D33B1914F ] W32Time C:\WINDOWS\system32\w32time.dll
14:22:04.0447 5008 W32Time - ok
14:22:04.0478 5008 [ E20B95BAEDB550F32DD489265C1DA1F6 ] Wanarp C:\WINDOWS\system32\DRIVERS\wanarp.sys
14:22:04.0494 5008 Wanarp - ok
14:22:04.0494 5008 wanatw - ok
14:22:04.0494 5008 WDICA - ok
14:22:04.0540 5008 [ 6768ACF64B18196494413695F0C3A00F ] wdmaud C:\WINDOWS\system32\drivers\wdmaud.sys
14:22:04.0556 5008 wdmaud - ok
14:22:04.0603 5008 [ 77A354E28153AD2D5E120A5A8687BC06 ] WebClient C:\WINDOWS\System32\webclnt.dll
14:22:04.0603 5008 WebClient - ok
14:22:04.0619 5008 [ ABB2F7AC5CCE8D850EE1A125EA30BB7A ] winachsf C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
14:22:04.0650 5008 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys. Real md5: ABB2F7AC5CCE8D850EE1A125EA30BB7A, Fake md5: 74CF3F2E4E40C4A2E18D39D6300A5C24
14:22:04.0650 5008 winachsf ( ForgedFile.Multi.Generic ) - warning
14:22:04.0650 5008 winachsf - detected ForgedFile.Multi.Generic (1)
14:22:04.0744 5008 [ 2D0E4ED081963804CCC196A0929275B5 ] winmgmt C:\WINDOWS\system32\wbem\WMIsvc.dll
14:22:04.0759 5008 winmgmt - ok
14:22:04.0853 5008 [ 1FA802825542186C1976D204754A4124 ] wlidsvc C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
14:22:04.0915 5008 Suspicious file (Forged): C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE. Real md5: 1FA802825542186C1976D204754A4124, Fake md5: 5144AE67D60EC653F97DDF3FEED29E77
14:22:04.0931 5008 wlidsvc ( ForgedFile.Multi.Generic ) - warning
14:22:04.0931 5008 wlidsvc - detected ForgedFile.Multi.Generic (1)
14:22:04.0962 5008 [ C51B4A5C05A5475708E3C81C7765B71D ] WmdmPmSN C:\WINDOWS\system32\MsPMSNSv.dll
14:22:04.0962 5008 WmdmPmSN - ok
14:22:05.0009 5008 [ E76F8807070ED04E7408A86D6D3A6137 ] Wmi C:\WINDOWS\System32\advapi32.dll
14:22:05.0025 5008 Wmi - ok
14:22:05.0072 5008 [ E0673F1106E62A68D2257E376079F821 ] WmiApSrv C:\WINDOWS\system32\wbem\wmiapsrv.exe
14:22:05.0072 5008 WmiApSrv - ok
14:22:05.0119 5008 [ F24B2C2AC4AF2B1A19C42D3415CCA040 ] WMPNetworkSvc C:\Program Files\Windows Media Player\WMPNetwk.exe
14:22:05.0165 5008 Suspicious file (Forged): C:\Program Files\Windows Media Player\WMPNetwk.exe. Real md5: F24B2C2AC4AF2B1A19C42D3415CCA040, Fake md5: F74E3D9A7FA9556C3BBB14D4E5E63D3B
14:22:05.0165 5008 WMPNetworkSvc ( ForgedFile.Multi.Generic ) - warning
14:22:05.0165 5008 WMPNetworkSvc - detected ForgedFile.Multi.Generic (1)
14:22:05.0181 5008 [ CF4DEF1BF66F06964DC0D91844239104 ] WpdUsb C:\WINDOWS\system32\DRIVERS\wpdusb.sys
14:22:05.0181 5008 WpdUsb - ok
14:22:05.0212 5008 [ 6ABE6E225ADB5A751622A9CC3BC19CE8 ] WS2IFSL C:\WINDOWS\System32\drivers\ws2ifsl.sys
14:22:05.0212 5008 WS2IFSL - ok
14:22:05.0275 5008 [ 7C278E6408D1DCE642230C0585A854D5 ] wscsvc C:\WINDOWS\system32\wscsvc.dll
14:22:05.0275 5008 wscsvc - ok
14:22:05.0275 5008 WSearch - ok
14:22:05.0322 5008 [ C98B39829C2BBD34E454150633C62C78 ] WSTCODEC C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
14:22:05.0322 5008 WSTCODEC - ok
14:22:05.0353 5008 [ 35321FB577CDC98CE3EB3A3EB9E4610A ] wuauserv C:\WINDOWS\system32\wuauserv.dll
14:22:05.0369 5008 wuauserv - ok
14:22:05.0415 5008 [ F15FEAFFFBB3644CCC80C5DA584E6311 ] WudfPf C:\WINDOWS\system32\DRIVERS\WudfPf.sys
14:22:05.0415 5008 WudfPf - ok
14:22:05.0431 5008 [ 28B524262BCE6DE1F7EF9F510BA3985B ] WUDFRd C:\WINDOWS\system32\DRIVERS\WUDFRd.sys
14:22:05.0447 5008 WUDFRd - ok
14:22:05.0462 5008 [ 05231C04253C5BC30B26CBAAE680ED89 ] WudfSvc C:\WINDOWS\System32\WUDFSvc.dll
14:22:05.0478 5008 WudfSvc - ok
14:22:05.0525 5008 [ 70AEEC67E87A2002E6B2CC353D56E222 ] WUSB54GPV4SRV C:\WINDOWS\system32\DRIVERS\rt2500usb.sys
14:22:05.0525 5008 WUSB54GPV4SRV - ok
14:22:05.0572 5008 [ 81DC3F549F44B1C1FFF022DEC9ECF30B ] WZCSVC C:\WINDOWS\System32\wzcsvc.dll
14:22:05.0587 5008 WZCSVC - ok
14:22:05.0619 5008 [ 295D21F14C335B53CB8154E5B1F892B9 ] xmlprov C:\WINDOWS\System32\xmlprov.dll
14:22:05.0634 5008 xmlprov - ok
14:22:05.0634 5008 ================ Scan global ===============================
14:22:05.0681 5008 [ 42F1F4C0AFB08410E5F02D4B13EBB623 ] C:\WINDOWS\system32\basesrv.dll
14:22:05.0728 5008 [ 8C7DCA4B158BF16894120786A7A5F366 ] C:\WINDOWS\system32\winsrv.dll
14:22:05.0744 5008 [ 8C7DCA4B158BF16894120786A7A5F366 ] C:\WINDOWS\system32\winsrv.dll
14:22:05.0775 5008 [ 65DF52F5B8B6E9BBD183505225C37315 ] C:\WINDOWS\system32\services.exe
14:22:05.0775 5008 [Global] - ok
14:22:05.0775 5008 ================ Scan MBR ==================================
14:22:05.0806 5008 [ B20939CD98B7710036274839082AE757 ] \Device\Harddisk0\DR0
14:22:06.0009 5008 \Device\Harddisk0\DR0 - ok
14:22:06.0009 5008 ================ Scan VBR ==================================
14:22:06.0009 5008 [ 30B0E25C0A66B4810804C70D15682DC2 ] \Device\Harddisk0\DR0\Partition1
14:22:06.0009 5008 \Device\Harddisk0\DR0\Partition1 - ok
14:22:06.0009 5008 [ 50D49C0CFA9ACC0C66D7E9D5EC957EB9 ] \Device\Harddisk0\DR0\Partition2
14:22:06.0009 5008 \Device\Harddisk0\DR0\Partition2 - ok
14:22:06.0009 5008 ============================================================
14:22:06.0009 5008 Scan finished
14:22:06.0009 5008 ============================================================
14:22:06.0025 1216 Detected object count: 12
14:22:06.0025 1216 Actual detected object count: 12
14:22:53.0650 1216 aswSnx ( ForgedFile.Multi.Generic ) - skipped by user
14:22:53.0650 1216 aswSnx ( ForgedFile.Multi.Generic ) - User select action: Skip
14:22:53.0650 1216 cmdAgent ( ForgedFile.Multi.Generic ) - skipped by user
14:22:53.0650 1216 cmdAgent ( ForgedFile.Multi.Generic ) - User select action: Skip
14:22:53.0665 1216 dmboot ( ForgedFile.Multi.Generic ) - skipped by user
14:22:53.0665 1216 dmboot ( ForgedFile.Multi.Generic ) - User select action: Skip
14:22:53.0665 1216 fsssvc ( ForgedFile.Multi.Generic ) - skipped by user
14:22:53.0665 1216 fsssvc ( ForgedFile.Multi.Generic ) - User select action: Skip
14:22:53.0665 1216 HSF_DPV ( ForgedFile.Multi.Generic ) - skipped by user
14:22:53.0665 1216 HSF_DPV ( ForgedFile.Multi.Generic ) - User select action: Skip
14:22:53.0665 1216 idsvc ( ForgedFile.Multi.Generic ) - skipped by user
14:22:53.0665 1216 idsvc ( ForgedFile.Multi.Generic ) - User select action: Skip
14:22:53.0665 1216 nv ( ForgedFile.Multi.Generic ) - skipped by user
14:22:53.0665 1216 nv ( ForgedFile.Multi.Generic ) - User select action: Skip
14:22:53.0665 1216 nvUpdatusService ( ForgedFile.Multi.Generic ) - skipped by user
14:22:53.0665 1216 nvUpdatusService ( ForgedFile.Multi.Generic ) - User select action: Skip
14:22:53.0665 1216 STHDA ( ForgedFile.Multi.Generic ) - skipped by user
14:22:53.0665 1216 STHDA ( ForgedFile.Multi.Generic ) - User select action: Skip
14:22:53.0665 1216 winachsf ( ForgedFile.Multi.Generic ) - skipped by user
14:22:53.0665 1216 winachsf ( ForgedFile.Multi.Generic ) - User select action: Skip
14:22:53.0665 1216 wlidsvc ( ForgedFile.Multi.Generic ) - skipped by user
14:22:53.0665 1216 wlidsvc ( ForgedFile.Multi.Generic ) - User select action: Skip
14:22:53.0665 1216 WMPNetworkSvc ( ForgedFile.Multi.Generic ) - skipped by user
14:22:53.0665 1216 WMPNetworkSvc ( ForgedFile.Multi.Generic ) - User select action: Skip
14:24:17.0290 6088 Deinitialize success

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-10-18 17:11:08
-----------------------------
17:11:08.166 OS Version: Windows 5.1.2600 Service Pack 3
17:11:08.166 Number of processors: 2 586 0xF06
17:11:08.166 ComputerName: HARVEYDENT UserName:
17:11:09.228 Initialize success
17:11:09.322 AVAST engine defs: 12101801
17:11:12.244 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
17:11:12.244 Disk 0 Vendor: WDC_WD32 21.0 Size: 305245MB BusType: 3
17:11:12.291 Disk 0 MBR read successfully
17:11:12.306 Disk 0 MBR scan
17:11:12.306 Disk 0 unknown MBR code
17:11:12.322 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 300559 MB offset 9574740
17:11:12.338 Disk 0 Partition 2 00 0B FAT32 RECOVERY 4675 MB offset 63
17:11:12.353 Disk 0 scanning sectors +625121280
17:11:12.447 Disk 0 scanning C:\WINDOWS\system32\drivers
17:11:38.947 Service scanning
17:11:59.509 Modules scanning
17:12:37.259 Disk 0 trace - called modules:
17:12:37.306 ntkrnlpa.exe CLASSPNP.SYS disk.sys IASTOR.SYS hal.dll
17:12:37.322 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8b18e030]
17:12:37.338 3 CLASSPNP.SYS[b8188fd7] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-0[0x8abe0030]
17:12:38.634 AVAST engine scan C:\WINDOWS
17:13:35.994 AVAST engine scan C:\WINDOWS\system32
17:20:05.978 AVAST engine scan C:\WINDOWS\system32\drivers
17:21:13.775 AVAST engine scan C:\Documents and Settings\Administrator
17:25:39.088 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Administrator\Desktop\MBR.dat"
17:25:39.103 The log file has been saved successfully to "C:\Documents and Settings\Administrator\Desktop\aswMBR.txt"


aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-10-18 17:11:08
-----------------------------
17:11:08.166 OS Version: Windows 5.1.2600 Service Pack 3
17:11:08.166 Number of processors: 2 586 0xF06
17:11:08.166 ComputerName: HARVEYDENT UserName:
17:11:09.228 Initialize success
17:11:09.322 AVAST engine defs: 12101801
17:11:12.244 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
17:11:12.244 Disk 0 Vendor: WDC_WD32 21.0 Size: 305245MB BusType: 3
17:11:12.291 Disk 0 MBR read successfully
17:11:12.306 Disk 0 MBR scan
17:11:12.306 Disk 0 unknown MBR code
17:11:12.322 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 300559 MB offset 9574740
17:11:12.338 Disk 0 Partition 2 00 0B FAT32 RECOVERY 4675 MB offset 63
17:11:12.353 Disk 0 scanning sectors +625121280
17:11:12.447 Disk 0 scanning C:\WINDOWS\system32\drivers
17:11:38.947 Service scanning
17:11:59.509 Modules scanning
17:12:37.259 Disk 0 trace - called modules:
17:12:37.306 ntkrnlpa.exe CLASSPNP.SYS disk.sys IASTOR.SYS hal.dll
17:12:37.322 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8b18e030]
17:12:37.338 3 CLASSPNP.SYS[b8188fd7] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-0[0x8abe0030]
17:12:38.634 AVAST engine scan C:\WINDOWS
17:13:35.994 AVAST engine scan C:\WINDOWS\system32
17:20:05.978 AVAST engine scan C:\WINDOWS\system32\drivers
17:21:13.775 AVAST engine scan C:\Documents and Settings\Administrator
17:25:39.088 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Administrator\Desktop\MBR.dat"
17:25:39.103 The log file has been saved successfully to "C:\Documents and Settings\Administrator\Desktop\aswMBR.txt"
17:57:06.275 AVAST engine scan C:\Documents and Settings\All Users
17:58:50.478 Scan finished successfully
18:04:13.025 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Administrator\Desktop\MBR.dat"
18:04:13.041 The log file has been saved successfully to "C:\Documents and Settings\Administrator\Desktop\aswMBR.txt"


aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-10-18 17:11:08
-----------------------------
17:11:08.166 OS Version: Windows 5.1.2600 Service Pack 3
17:11:08.166 Number of processors: 2 586 0xF06
17:11:08.166 ComputerName: HARVEYDENT UserName:
17:11:09.228 Initialize success
17:11:09.322 AVAST engine defs: 12101801
17:11:12.244 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
17:11:12.244 Disk 0 Vendor: WDC_WD32 21.0 Size: 305245MB BusType: 3
17:11:12.291 Disk 0 MBR read successfully
17:11:12.306 Disk 0 MBR scan
17:11:12.306 Disk 0 unknown MBR code
17:11:12.322 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 300559 MB offset 9574740
17:11:12.338 Disk 0 Partition 2 00 0B FAT32 RECOVERY 4675 MB offset 63
17:11:12.353 Disk 0 scanning sectors +625121280
17:11:12.447 Disk 0 scanning C:\WINDOWS\system32\drivers
17:11:38.947 Service scanning
17:11:59.509 Modules scanning
17:12:37.259 Disk 0 trace - called modules:
17:12:37.306 ntkrnlpa.exe CLASSPNP.SYS disk.sys IASTOR.SYS hal.dll
17:12:37.322 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8b18e030]
17:12:37.338 3 CLASSPNP.SYS[b8188fd7] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-0[0x8abe0030]
17:12:38.634 AVAST engine scan C:\WINDOWS
17:13:35.994 AVAST engine scan C:\WINDOWS\system32
17:20:05.978 AVAST engine scan C:\WINDOWS\system32\drivers
17:21:13.775 AVAST engine scan C:\Documents and Settings\Administrator
17:25:39.088 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Administrator\Desktop\MBR.dat"
17:25:39.103 The log file has been saved successfully to "C:\Documents and Settings\Administrator\Desktop\aswMBR.txt"
17:57:06.275 AVAST engine scan C:\Documents and Settings\All Users
17:58:50.478 Scan finished successfully
18:04:13.025 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Administrator\Desktop\MBR.dat"
18:04:13.041 The log file has been saved successfully to "C:\Documents and Settings\Administrator\Desktop\aswMBR.txt"
18:04:33.416 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Administrator\Desktop\MBR.dat"
18:04:33.431 The log file has been saved successfully to "C:\Documents and Settings\Administrator\Desktop\aswMBR.txt"


aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-10-19 14:24:23
-----------------------------
14:24:23.681 OS Version: Windows 5.1.2600 Service Pack 3
14:24:23.681 Number of processors: 2 586 0xF06
14:24:23.681 ComputerName: HARVEYDENT UserName:
14:24:24.540 Initialize success
14:24:24.665 AVAST engine defs: 12101801
14:24:27.869 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
14:24:27.869 Disk 0 Vendor: WDC_WD32 21.0 Size: 305245MB BusType: 3
14:24:27.931 Disk 0 MBR read successfully
14:24:27.931 Disk 0 MBR scan
14:24:27.947 Disk 0 unknown MBR code
14:24:27.978 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 300559 MB offset 9574740
14:24:27.994 Disk 0 Partition 2 00 0B FAT32 RECOVERY 4675 MB offset 63
14:24:28.040 Disk 0 scanning sectors +625121280
14:24:28.150 Disk 0 scanning C:\WINDOWS\system32\drivers
14:25:06.244 Service scanning
14:25:28.134 Modules scanning
14:26:12.853 Disk 0 trace - called modules:
14:26:12.900 ntkrnlpa.exe CLASSPNP.SYS disk.sys IASTOR.SYS hal.dll
14:26:12.915 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8b18e030]
14:26:12.931 3 CLASSPNP.SYS[b8188fd7] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-0[0x8abe0030]
14:26:13.790 AVAST engine scan C:\WINDOWS
14:27:32.884 AVAST engine scan C:\WINDOWS\system32
14:35:51.197 AVAST engine scan C:\WINDOWS\system32\drivers
14:37:17.306 AVAST engine scan C:\Documents and Settings\Administrator
15:25:11.759 AVAST engine scan C:\Documents and Settings\All Users
15:28:20.087 Scan finished successfully
16:14:51.899 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Administrator\Desktop\MBR.dat"
16:14:51.914 The log file has been saved successfully to "C:\Documents and Settings\Administrator\Desktop\aswMBR.txt"

Attached Files

  • Attached File  MBR.zip   558bytes   0 downloads


#8 VicVegas

VicVegas
  • Topic Starter

  • Members
  • 202 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Cornville, USA
  • Local time:06:13 PM

Posted 19 October 2012 - 07:05 PM

Just a little update. Avast is no longer showing that little warning. It may have just been a small glitch.

#9 nasdaq

nasdaq

  • Malware Response Team
  • 39,237 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:07:13 PM

Posted 20 October 2012 - 07:47 AM

Lets continue and see what else is not required on your computer.

Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your Anti-Virus and Anti-Spyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Close any open browsers, and all other programs working. Make sure you save your file if working on a document.
  • Do not install any other programs until this if fixed.[/b]
  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Some Rookit infection may damage your boot sector. The Windows Recovery Console may be needed to restore it. Do not bypass this installation. You may regret it.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Note: If you have difficulty properly disabling your protection programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html

Do not mouse click ComboFix's window while it's running. That may cause it to stall

Note: If after running ComboFix you get this error message "Illegal operation attempted on a registry key that has been marked for deletion." when attempting to run a program all you need to do is restart the computer to reset the registry.
===

Third party programs if not up to date can be the cause of infiltration an infection.

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

Please download AdwCleaner by Xplode onto your Desktop.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Search.
  • A logfile will automatically open after the scan has finished.
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[Rn].txt (n is a number).

Please post the logs and let me know if the problem persists.

#10 VicVegas

VicVegas
  • Topic Starter

  • Members
  • 202 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Cornville, USA
  • Local time:06:13 PM

Posted 21 October 2012 - 12:54 AM

I had to run combofix twice, for some reason. The first time it restarted the computer but did not generate a log, the second time it restarted again and successfully created a log. Beyond that, everything went smoothly.

Combofix log:
ComboFix 12-10-19.01 - Administrator 10/20/2012 22:33:11.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3069.2506 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: AVG Firewall *Disabled* {8decf618-9569-4340-b34a-d78d28969b66}
FW: COMODO Firewall *Disabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\Application Data\HPSU_48BitScanUpdate.log
c:\documents and settings\Administrator\Local Settings\Application Data\assembly\tmp
c:\documents and settings\Administrator\WINDOWS
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\All Users\Application Data\TEMP\AVG\avgfinst.dat
c:\documents and settings\All Users\Application Data\TEMP\AVG\avi7.avg
c:\documents and settings\All Users\Application Data\TEMP\AVG\crt_x64.msi
c:\documents and settings\All Users\Application Data\TEMP\AVG\files.dat
c:\documents and settings\All Users\Application Data\TEMP\AVG\incavi.avm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_cz.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_da.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_fr.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_ge.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_hu.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_id.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_in.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_it.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_jp.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_ko.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_ms.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_nl.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_pb.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_pl.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_pt.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_ru.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_sc.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_sk.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_sp.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_tr.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_us.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_zh.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\license_zt.htm
c:\documents and settings\All Users\Application Data\TEMP\AVG\microavi.avg
c:\documents and settings\All Users\Application Data\TEMP\AVG\miniavi.avg
c:\documents and settings\All Users\Application Data\TEMP\AVG\setup.dat
c:\documents and settings\All Users\Application Data\TEMP\AVG\setup.exe
c:\documents and settings\All Users\Application Data\TEMP\AVG\setup.ini
c:\documents and settings\All Users\Application Data\TEMP\AVG\setupcz.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\setupda.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\setupfr.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\setupge.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\setuphu.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\setupid.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\setupin.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\setupit.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\setupjp.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\setupko.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\setupms.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\setupnl.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\setuppb.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\setuppl.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\setuppt.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\setupru.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\setupsc.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\setupsk.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\setupsp.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\setuptr.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\setupus.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\setupzh.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\setupzt.lns
c:\documents and settings\All Users\Application Data\TEMP\AVG\vcredis1.cab
c:\documents and settings\All Users\Application Data\TEMP\AVG\vcredist.msi
c:\documents and settings\Default User\WINDOWS
c:\documents and settings\IUSR_NMPR\WINDOWS
c:\documents and settings\UpdatusUser\WINDOWS
c:\windows\dasetup.log
c:\windows\system32\Cache
c:\windows\system32\Cache\272512937d9e61a4.fb
c:\windows\system32\Cache\287204568329e189.fb
c:\windows\system32\Cache\28bc8f716fd76a47.fb
c:\windows\system32\Cache\2c53092c95605355.fb
c:\windows\system32\Cache\3917078cb68ec657.fb
c:\windows\system32\Cache\590ba23ce359fd0c.fb
c:\windows\system32\Cache\610289e025a3ee9a.fb
c:\windows\system32\Cache\651c5d3cdbfb8bd1.fb
c:\windows\system32\Cache\6760f99bc5d4634f.fb
c:\windows\system32\Cache\6c59ac5e7e7a3ad0.fb
c:\windows\system32\Cache\a8556537add6dfc5.fb
c:\windows\system32\Cache\ad10a52aff5e038d.fb
c:\windows\system32\Cache\c4d28dca2e7648be.fb
c:\windows\system32\Cache\d201ef9910cd39de.fb
c:\windows\system32\Cache\d2e94710a5708128.fb
c:\windows\system32\Cache\d79b9dfe81484ec4.fb
c:\windows\system32\Cache\d926370e995e9f38.fb
c:\windows\system32\Cache\e0de16f883bea794.fb
c:\windows\system32\config\systemprofile\WINDOWS
c:\windows\system32\SET4C6.tmp
c:\windows\system32\URTTemp
c:\windows\system32\URTTemp\fusion.dll
c:\windows\system32\URTTemp\mscoree.dll
c:\windows\system32\URTTemp\mscoree.dll.local
c:\windows\system32\URTTemp\mscorsn.dll
c:\windows\system32\URTTemp\mscorwks.dll
c:\windows\system32\URTTemp\msvcr71.dll
c:\windows\system32\URTTemp\regtlib.exe
c:\windows\Update.bat
D:\Autorun.inf
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_NVSVC
-------\Service_NVSvc
.
.
((((((((((((((((((((((((( Files Created from 2012-09-21 to 2012-10-21 )))))))))))))))))))))))))))))))
.
.
2012-10-19 00:36 . 2012-10-19 01:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2012-10-19 00:36 . 2012-10-19 00:43 -------- d-----w- c:\program files\Spybot - Search & Destroy
2012-10-17 18:43 . 2012-09-25 04:16 93672 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2012-09-29 23:06 . 2012-08-21 09:13 355632 ----a-w- c:\windows\system32\drivers\aswSP.sys
2012-09-29 23:06 . 2012-08-21 09:13 21256 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2012-09-29 23:06 . 2012-08-21 09:13 54232 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2012-09-29 23:06 . 2012-08-21 09:13 35928 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2012-09-29 23:06 . 2012-08-21 09:13 729752 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-09-29 23:06 . 2012-08-21 09:13 97608 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2012-09-29 23:06 . 2012-08-21 09:13 89624 ----a-w- c:\windows\system32\drivers\aswmon.sys
2012-09-29 23:06 . 2012-08-21 09:13 25256 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2012-09-29 23:05 . 2012-08-21 09:12 41224 ----a-w- c:\windows\avastSS.scr
2012-09-29 23:05 . 2012-08-21 09:12 227648 ----a-w- c:\windows\system32\aswBoot.exe
2012-09-23 08:33 . 2012-09-23 08:33 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-10-09 06:28 . 2012-05-22 19:07 696760 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-10-09 06:28 . 2011-05-29 05:51 73656 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-09-30 00:54 . 2009-12-29 17:34 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-09-01 11:13 . 2012-05-22 19:06 821736 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-09-01 11:13 . 2011-03-02 20:30 746984 ----a-w- c:\windows\system32\deployJava1.dll
2012-08-28 15:14 . 2006-06-17 09:23 916992 ----a-w- c:\windows\system32\wininet.dll
2012-08-28 15:14 . 2006-06-17 09:23 43520 ------w- c:\windows\system32\licmgr10.dll
2012-08-28 15:14 . 2006-06-17 09:23 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-08-28 12:07 . 2006-06-17 09:23 385024 ------w- c:\windows\system32\html.iec
2012-08-24 13:53 . 2006-06-17 09:23 177664 ----a-w- c:\windows\system32\wintrust.dll
2012-08-21 13:33 . 2006-06-17 09:23 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-08-21 12:58 . 2004-08-04 05:59 2027520 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-10-14 02:23 . 2012-10-14 02:22 261600 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1dad3af3-ef2f-4f64-ac4b-11789189fcb6}]
2012-02-10 16:28 1307928 ----a-w- c:\program files\Microsoft\BingBar\7.1.361.0\BingExt.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-08-21 09:12 121528 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]
"Steam"="c:\program files\Steam\steam.exe" [2012-08-05 1353080]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2011-12-16 296056]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"readericon"="c:\program files\Digital Media Reader\readericon45G.exe" [2005-12-10 139264]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2012-04-19 421888]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"nwiz"="c:\program files\NVIDIA Corporation\nview\nwiz.exe" [2012-05-15 1634112]
"NvMediaCenter"="NvMCTray.dll" [2012-05-15 108352]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2012-05-15 15504192]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
"IntelAudioStudio"="c:\program files\Intel Audio Studio\IntelAudioStudio.exe" [2006-04-20 9125888]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-10 44032]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2010-03-12 49208]
"Gateway Extended Warranty"="c:\program files\Gateway\GWCares\GWCares.exe" [2004-02-09 73728]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2012-03-11 6749512]
"CCUTRAYICON"="c:\program files\Intel\IntelDH\CCU\CCU_TrayIcon.exe" [2006-06-16 303104]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-08-21 4282728]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-11 282624]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\guard32.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast]
2012-08-21 09:12 4282728 ----a-w- c:\program files\AVAST Software\Avast\AvastUI.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\fallout new vegas\\FalloutNVLauncher.exe"=
"c:\\Program Files\\NVIDIA Corporation\\NVIDIA Updatus\\daemonu.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\NVIDIA Corporation\\NVIDIA Update Core\\daemonu.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\skyrim\\SkyrimLauncher.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\skyrim\\CreationKit.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\spiral knights\\java_vm\\bin\\javaw.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\realm of the mad god\\Realm of the Mad God.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\SuperMNC\\UberLauncher.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\SuperMNC\\Binaries\\Win32\\SuperMNCGameClient.exe"=
.
R0 stmtpm;STM TPM Service;c:\windows\system32\drivers\stm_tpm.sys [2/17/2009 6:10 PM 21504]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [9/29/2012 6:06 PM 729752]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [9/29/2012 6:06 PM 355632]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [1/17/2012 10:00 PM 494968]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [12/19/2011 7:59 PM 31704]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 11:27 AM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 4:55 PM 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [8/11/2011 6:38 PM 116608]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [9/29/2012 6:06 PM 21256]
R2 BBSvc;BingBar Service;c:\program files\Microsoft\BingBar\7.1.361.0\BBSvc.EXE [2/10/2012 11:28 AM 193816]
R3 IAMTXP;Driver for Intel® Active Management Technology - KCS;c:\windows\system32\drivers\IAMTXP.sys [2/17/2009 5:40 PM 40448]
S2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe [6/6/2012 8:55 PM 1262400]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [5/22/2012 2:07 PM 250808]
S3 BBUpdate;BBUpdate;c:\program files\Microsoft\BingBar\7.1.361.0\SeaPort.EXE [2/10/2012 11:28 AM 240408]
S3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [12/18/2009 10:58 AM 11336]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2012-10-21 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-22 06:28]
.
2012-10-21 c:\windows\Tasks\avast! Emergency Update.job
- c:\program files\AVAST Software\Avast\AvastEmUpdate.exe [2012-09-29 09:12]
.
2012-10-21 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1989709313-1610608697-3441285579-500.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-11-29 22:02]
.
2012-10-19 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1989709313-1610608697-3441285579-500.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-11-29 22:02]
.
2012-10-20 c:\windows\Tasks\User_Feed_Synchronization-{D89596D2-31FB-49EF-9C6E-C86EB4937AF8}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.msn.com
uInternet Connection Wizard,ShellNext = hxxp://www.gateway.com/g/startpage.html?Ch=Consumer&Br=GTW&Loc=ENG_US&Sys=DTP&M=FX510S
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
LSP: c:\program files\Netscape Internet Service\Netscape Web Accelerator\sliplsp.dll
Trusted Zone: amazon.com\www
Trusted Zone: microsoft.com\www.update
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{354AA276-F51B-4060-98B2-6A4F3FCE459D}: NameServer = 8.26.56.26,156.154.70.22
TCP: Interfaces\{A62FB6C8-71E4-4552-9603-C61C17A96FF6}: NameServer = 8.26.56.26,156.154.70.22
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\oxlcp4xu.default\
FF - prefs.js: browser.startup.homepage - hxxp://my.msn.com/default.aspx?mypg=1
FF - prefs.js: keyword.URL - hxxp://search.avg.com/route/?d=4b8b3f7c&v=7.008.031.001&i=26&tp=ab&iy=&ychte=us&lng=en-US&q=
FF - ExtSQL: !HIDDEN! 2009-06-24 03:00; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKCU-Run-EA Core - c:\program files\Electronic Arts\EADM\Core.exe
HKCU-Run-BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} - c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe
HKLM-Run-SysTrayApp - c:\program files\IDT\WDM\sttray.exe
HKLM-Run-SigmatelSysTrayApp - sttray.exe
HKLM-Run-ROC_roc_dec12 - c:\program files\AVG Secure Search\ROC_roc_dec12.exe
Notify-MRI_DISABLED - avgrsstx.dll
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-10-20 22:53
Windows 5.1.2600 Service Pack 3 NTFS
.
detected NTDLL code modification:
ZwClose
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1989709313-1610608697-3441285579-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,a2,f6,af,00,d7,31,10,47,a1,f7,eb,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,31,84,06,80,d3,0a,72,47,87,e5,29,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,e6,93,e6,ad,8f,46,c3,4c,85,e2,c9,\
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(864)
c:\windows\system32\guard32.dll
c:\program files\Netscape Internet Service\Netscape Web Accelerator\sliplsp.dll
.
- - - - - - - > 'explorer.exe'(2376)
c:\windows\system32\WININET.dll
c:\windows\system32\guard32.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
- - - - - - - > 'csrss.exe'(780)
c:\windows\system32\cmdcsr.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\COMODO\COMODO Internet Security\cmdagent.exe
c:\program files\AVAST Software\Avast\AvastSvc.exe
c:\program files\Intel\IntelDH\CCU\AlertService.exe
c:\program files\Wave Systems Corp\Common\DataServer.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Java\jre7\bin\jqs.exe
c:\program files\Netscape Internet Service\ncupdatesvc.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\program files\NTRU Cryptosystems\NTRU Hybrid TSS v1.05\bin\tcsd_win32.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Intel\IntelDH\Intel® Quick Resume Technology Drivers\Elservice.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\RunDLL32.exe
c:\program files\Intel\IntelDH\CCU\CCU_Engine.exe
c:\windows\eHome\ehmsas.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
.
**************************************************************************
.
Completion time: 2012-10-20 23:00:42 - machine was rebooted
ComboFix-quarantined-files.txt 2012-10-21 04:00
.
Pre-Run: 126,038,728,704 bytes free
Post-Run: 127,041,818,624 bytes free
.
- - End Of File - - 13AF6437EDC86E243F102C11EBADF3E4

Security Check:
Results of screen317's Security Check version 0.99.53
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Disabled!
avast! Antivirus
Antivirus up to date! (On Access scanning disabled!)
`````````Anti-malware/Other Utilities Check:`````````
Spybot - Search & Destroy
SUPERAntiSpyware
Malwarebytes Anti-Malware version 1.65.1.1000
JavaFX 2.1.1
Java™ 6 Update 29
Java 7 Update 9
Java 2 Runtime Environment, SE v1.4.2
Adobe Flash Player 11.4.402.287
Adobe Reader X (10.1.4)
Mozilla Firefox (16.0.1)
````````Process Check: objlist.exe by Laurent````````
Comodo Firewall cmdagent.exe
Comodo Firewall cfp.exe
AVAST Software Avast AvastSvc.exe
AVAST Software Avast avastUI.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C:: 8%
````````````````````End of Log``````````````````````


AdwCleaner Log:
# AdwCleaner v2.005 - Logfile created 10/20/2012 at 23:02:15
# Updated 14/10/2012 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : Administrator - HARVEYDENT
# Boot Mode : Normal
# Running from : C:\Documents and Settings\Administrator\Desktop\adwcleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****


***** [Registry] *****

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\incredibar.com
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\incredibar.com
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\incredibar.com
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains\incredibar.com

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702

[OK] Registry is clean.

-\\ Mozilla Firefox v16.0.1 (en-US)

Profile name : default
File : C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\oxlcp4xu.default\prefs.js

Deleted : user_pref("extensions.aniweather.timeShifted", 1697031);

-\\ Google Chrome v [Unable to get version]

File : C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[R1].txt - [3741 octets] - [18/10/2012 15:36:54]
AdwCleaner[R2].txt - [3801 octets] - [18/10/2012 15:37:44]
AdwCleaner[S1].txt - [3615 octets] - [18/10/2012 15:38:22]
AdwCleaner[R3].txt - [1745 octets] - [20/10/2012 23:01:54]
AdwCleaner[S2].txt - [1686 octets] - [20/10/2012 23:02:15]

########## EOF - C:\AdwCleaner[S2].txt - [1746 octets] ##########

#11 VicVegas

VicVegas
  • Topic Starter

  • Members
  • 202 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Cornville, USA
  • Local time:06:13 PM

Posted 21 October 2012 - 03:18 AM

Guess what? After doing a little searching, sharing my info with some people at Avast (I was not seeking removal help I was just checking the file out with them) and scanning another computer that happened to be a Gateway just like the one we're working on... I found out it was a screensaver.

I got so worried because it had been repeatedly picked up by other programs, but it's all for the same reason. It's a packed executable, that's a red flag I guess.

Anyway, we can finish up here or whatever. After that I'm gonna move this computer, so I can flip a desk.

Edited by VicVegas, 21 October 2012 - 03:18 AM.


#12 nasdaq

nasdaq

  • Malware Response Team
  • 39,237 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:07:13 PM

Posted 21 October 2012 - 08:37 AM

That was a good cleanup. All your logs are clean.

If all is well:

Time for some housekeeping

The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following bold text into the Run box and click OK:

ComboFix /Uninstall
===

To remove AdwCleaner.

Please double click on adwcleaner.exe to run the tool.
Click on Uninstall.
Confirm with Yes.

Delete the other tools we used.

Surf Safely, and Think Prevention!
===

#13 VicVegas

VicVegas
  • Topic Starter

  • Members
  • 202 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Cornville, USA
  • Local time:06:13 PM

Posted 21 October 2012 - 09:41 PM

That was a good cleanup. All your logs are clean.

So there was nothing else in here? Great!

Everything is done and uninstalled. Thanks for the help!




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users