Zeroaccess rootkit


  • This topic is locked
25 replies to this topic

#1 husky1954

husky1954

  • Members
  • 41 posts
  • OFFLINE
  • Gender:Male
  • Location:Eagle, CO
  • Local time:05:28 PM

Posted 14 December 2012 - 01:26 PM

I have a Dell Inspiron 1520 with Windows XP Pro Service Pack 3. The computer is running slow with two processes
taking all the cpu. I decided to run some checks and this is what I did.
Booted in Safe Mode
Ran rkill with no issues found.
Ran MS Malicious Software Removal Tool with quick scan. Nothing found.
Ran Disk Cleanup.
Ran Disk Defragment.
Booted in Normal mode.
Ran rkill. It terminated 3 processes and found Zeroaccess rootkit symptoms. I will post the log.
Ran MS MSRT with full scan. I terminated this after 3 hours. At that point nothing was found.

In normal boot mode the computer is useless and I can not get on the internet.

In safe mode the computer runs well and I can get on the internet.
I ran DDS in safe mode. It ran for 50 minutes and I decided to terminate it and make this post.

Rkill 2.4.5 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2012 BleepingComputer.com
More Information about Rkill can be found at this link:
http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 12/13/2012 08:23:41 PM in x86 mode.
Windows Version: Microsoft Windows XP Service Pack 3

Checking for Windows services to stop:

* No malware services found to stop.

Checking for processes to terminate:

* C:\WINDOWS\System32\WLTRYSVC.EXE (PID: 1844) [WD-HEUR]
* C:\WINDOWS\System32\bcmwltry.exe (PID: 1908) [WD-HEUR]
* C:\WINDOWS\system32\WLTRAY.exe (PID: 2592) [WD-HEUR]

3 proccesses terminated!

Checking Registry for malware related settings:

* No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

* ALERT: ZEROACCESS rootkit symptoms found!

* HKEY_CLASSES_ROOT\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32 [ZA Reg Hijack]
* HKEY_CLASSES_ROOT\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32 [ZA Reg Hijack]
* C:\RECYCLER\S-1-5-18\$a16a088e5aefe86cf0ad2d7756221b8e\ [ZA Dir]
* C:\RECYCLER\S-1-5-18\$a16a088e5aefe86cf0ad2d7756221b8e\@ [ZA File]
* C:\RECYCLER\S-1-5-18\$a16a088e5aefe86cf0ad2d7756221b8e\L\ [ZA Dir]
* C:\RECYCLER\S-1-5-18\$a16a088e5aefe86cf0ad2d7756221b8e\L\00000004.@ [ZA File]
* C:\RECYCLER\S-1-5-18\$a16a088e5aefe86cf0ad2d7756221b8e\L\201d3dde [ZA File]
* C:\RECYCLER\S-1-5-18\$a16a088e5aefe86cf0ad2d7756221b8e\n [ZA File]
* C:\RECYCLER\S-1-5-18\$a16a088e5aefe86cf0ad2d7756221b8e\U\ [ZA Dir]
* C:\RECYCLER\S-1-5-18\$a16a088e5aefe86cf0ad2d7756221b8e\U\00000004.@ [ZA File]
* C:\RECYCLER\S-1-5-18\$a16a088e5aefe86cf0ad2d7756221b8e\U\00000008.@ [ZA File]
* C:\RECYCLER\S-1-5-18\$a16a088e5aefe86cf0ad2d7756221b8e\U\000000cb.@ [ZA File]
* C:\RECYCLER\S-1-5-18\$a16a088e5aefe86cf0ad2d7756221b8e\U\80000000.@ [ZA File]
* C:\RECYCLER\S-1-5-18\$a16a088e5aefe86cf0ad2d7756221b8e\U\80000032.@ [ZA File]

Checking Windows Service Integrity:

* BITS [Missing Service]
* wscsvc [Missing Service]
* wuauserv [Missing Service]

* SharedAccess [Missing ImagePath]

Searching for Missing Digital Signatures:

* No issues found.

Checking HOSTS File:

* HOSTS file entries found:

127.0.0.1 localhost

Program finished at: 12/13/2012 08:37:25 PM
Execution time: 0 hours(s), 13 minute(s), and 44 seconds(s)
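As an added illustration of what the Rkill log above is reporting (example code written for this thread, not Rkill's or BleepingComputer's own), the Python below parses Rkill's finding lines, separates the ZeroAccess registry hijack and RECYCLER payload-store entries from the service-integrity results, and summarises them for a responder. The sample log is a constructed excerpt built from entries quoted above, and ZA_TAMPERED_SERVICES is an assumed list drawn from the services this log reports missing or broken.

```python
# Parse Rkill's text output for ZeroAccess (ZA) indicators and service damage.
# Added example for this thread; not Rkill's or BleepingComputer's code.

import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed excerpt in Rkill's output format, assembled from the entries quoted
# in this thread's log (not a fresh capture).
SAMPLE_LOG = r"""Checking for processes to terminate:
* C:\WINDOWS\System32\WLTRYSVC.EXE (PID: 1844) [WD-HEUR]
* C:\WINDOWS\system32\WLTRAY.exe (PID: 2592) [WD-HEUR]
2 processes terminated!
Performing miscellaneous checks:
* ALERT: ZEROACCESS rootkit symptoms found!
* HKEY_CLASSES_ROOT\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32 [ZA Reg Hijack]
* HKEY_CLASSES_ROOT\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32 [ZA Reg Hijack]
* C:\RECYCLER\S-1-5-18\$a16a088e5aefe86cf0ad2d7756221b8e\ [ZA Dir]
* C:\RECYCLER\S-1-5-18\$a16a088e5aefe86cf0ad2d7756221b8e\@ [ZA File]
* C:\RECYCLER\S-1-5-18\$a16a088e5aefe86cf0ad2d7756221b8e\U\80000032.@ [ZA File]
Checking Windows Service Integrity:
* BITS [Missing Service]
* wscsvc [Missing Service]
* wuauserv [Missing Service]
* SharedAccess [Missing ImagePath]
"""

# "* <item> [<tag>]" is Rkill's finding format; ALERT lines carry no tag.
ENTRY_RE = re.compile(r"^\* (?P<item>.+?) \[(?P<tag>[^\]]+)\]$")
ALERT_RE = re.compile(r"^\* ALERT: (?P<msg>.+)$")
# COM class whose InprocServer32 was redirected (the hijack Rkill flags).
CLSID_RE = re.compile(r"\\CLSID\\(\{[0-9A-Fa-f-]{36}\})\\InprocServer32$")
# Hidden payload store reported in the log: <drive>:\RECYCLER\<SID>\$<hex>\...
RECYCLER_RE = re.compile(r"^(?P<root>[A-Za-z]:\\RECYCLER\\S-[0-9-]+\\\$[0-9A-Fa-f]+)(\\|$)")

# Assumption: the services this thread's log reports missing or broken (Security
# Center, Windows Update, BITS, Windows Firewall/ICS) are the ones a responder
# will have to rebuild after cleanup, so they are called out separately.
ZA_TAMPERED_SERVICES = {"wscsvc", "wuauserv", "BITS", "SharedAccess"}


@dataclass
class RkillFindings:
    terminated: list = field(default_factory=list)      # processes Rkill killed
    alerts: list = field(default_factory=list)          # ALERT: lines
    za_clsids: list = field(default_factory=list)       # hijacked CLSIDs
    za_roots: dict = field(default_factory=lambda: defaultdict(list))  # store -> paths
    missing_services: list = field(default_factory=list)
    missing_imagepath: list = field(default_factory=list)


def parse_rkill_log(text: str) -> RkillFindings:
    """Walk the log line by line and bucket each finding by its Rkill tag."""
    f = RkillFindings()
    for raw in text.splitlines():
        line = raw.strip()
        m = ALERT_RE.match(line)
        if m:
            f.alerts.append(m.group("msg"))
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        item, tag = m.group("item"), m.group("tag")
        if tag == "ZA Reg Hijack":
            c = CLSID_RE.search(item)
            f.za_clsids.append(c.group(1) if c else item)
        elif tag in ("ZA Dir", "ZA File"):
            r = RECYCLER_RE.match(item)
            f.za_roots[r.group("root") if r else item].append(item)
        elif tag == "Missing Service":
            f.missing_services.append(item)
        elif tag == "Missing ImagePath":
            f.missing_imagepath.append(item)
        elif "(PID:" in item:
            f.terminated.append(item)
    return f


def triage(f: RkillFindings) -> dict:
    """Turn the findings into a verdict plus the concrete items to act on."""
    za_reg, za_fs = bool(f.za_clsids), bool(f.za_roots)
    if za_reg and za_fs:
        verdict = "ZeroAccess: COM hijack and RECYCLER payload store both present"
    elif za_reg or za_fs:
        verdict = "ZeroAccess suspected: partial indicators, verify before cleaning"
    else:
        verdict = "no ZeroAccess indicators in this log"
    broken = set(f.missing_services) | set(f.missing_imagepath)
    return {
        "verdict": verdict,
        "za_clsids": list(f.za_clsids),
        "za_roots": sorted(f.za_roots),
        "za_file_count": sum(len(v) for v in f.za_roots.values()),
        "services_to_rebuild": sorted(broken & ZA_TAMPERED_SERVICES),
        "terminated": list(f.terminated),
    }


if __name__ == "__main__":
    for key, value in triage(parse_rkill_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```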


#2 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Canada
  • Local time:08:28 PM

Posted 14 December 2012 - 04:35 PM

Please do the following:

Please download TDSSKiller.zip
  • Extract it to your desktop
  • Double click TDSSKiller.exe
  • when the window opens, click on Change Parameters
  • under "Additional options", put a check mark in the box next to "Detect TDLFS File System"
  • click OK
  • Press Start Scan
    • If Malicious objects are found then ensure Cure is selected
    • If TDLFS File System is found then ensure Cure is selected (if Cure is not available, select Skip)
    • Then click Continue > Reboot now
  • Copy and paste the log in your next reply
    • A copy of the log will be saved automatically to the root of the drive (typically C:\)



NEXT



Download ComboFix from the following location:

Link 1

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 husky1954

husky1954
  • Topic Starter

  • Members
  • 41 posts
  • OFFLINE
  • Gender:Male
  • Location:Eagle, CO
  • Local time:05:28 PM

Posted 14 December 2012 - 04:51 PM

CatByte thank you for your help and quick response. Is it ok to run them in safe mode?

#4 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Canada
  • Local time:08:28 PM

Posted 14 December 2012 - 04:54 PM

It would be better to run them in normal mode, but if you are unable to do so, then run in safe mode.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#5 husky1954

husky1954
  • Topic Starter

  • Members
  • 41 posts
  • OFFLINE
  • Gender:Male
  • Location:Eagle, CO
  • Local time:05:28 PM

Posted 14 December 2012 - 08:04 PM

Booted in safe mode.
Downloaded TDSSKiller.exe and extracted to desktop.
Downloaded Combofix to desktop.
Booted in normal mode.
Ran TDSSKiller with Detect TDLFS File System checked as you requested.
No threats were found. Clicked Close.
Ran Combofix.
After about 2 hours Combofix said Norton is active. But, I do not have an icon for it.
Tried to run the Norton interface from the start menu.
Waited 30 minutes and Norton did not run.
I shut everything down. Attempted to shut down the computer. After about 15 minutes I forced a shut down with the on/off button.

Rebooted in safe mode to make this post. I could not find the Combofix log.
If I did anything wrong, please let me know. I will keep trying.

Here is the TDSSKiller log:
15:13:49.0953 4088 TDSS rootkit removing tool 2.8.15.0 Oct 31 2012 21:47:35
15:13:50.0250 4088 ============================================================
15:13:50.0250 4088 Current date / time: 2012/12/14 15:13:50.0250
15:13:50.0250 4088 SystemInfo:
15:13:50.0250 4088
15:13:50.0265 4088 OS Version: 5.1.2600 ServicePack: 3.0
15:13:50.0296 4088 Product type: Workstation
15:13:50.0296 4088 ComputerName: CLJ
15:13:50.0296 4088 UserName: Administrator
15:13:50.0296 4088 Windows directory: C:\WINDOWS
15:13:50.0296 4088 System windows directory: C:\WINDOWS
15:13:50.0296 4088 Processor architecture: Intel x86
15:13:50.0296 4088 Number of processors: 2
15:13:50.0296 4088 Page size: 0x1000
15:13:50.0296 4088 Boot type: Normal boot
15:13:50.0296 4088 ============================================================
15:14:01.0734 4088 Drive \Device\Harddisk0\DR0 - Size: 0x1BF2976000 (111.79 Gb), SectorSize: 0x200, Cylinders: 0x3901, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
15:14:01.0906 4088 Drive \Device\Harddisk1\DR5 - Size: 0x7C60000 (0.12 Gb), SectorSize: 0x200, Cylinders: 0xF, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'W'
15:14:01.0906 4088 ============================================================
15:14:01.0906 4088 \Device\Harddisk0\DR0:
15:14:01.0906 4088 MBR partitions:
15:14:01.0906 4088 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x2B24B, BlocksNum 0xD1CD7FE
15:14:01.0968 4088 \Device\Harddisk1\DR5:
15:14:01.0968 4088 MBR partitions:
15:14:01.0968 4088 \Device\Harddisk1\DR5\Partition1: MBR, Type 0x6, StartLBA 0x20, BlocksNum 0x3E2E0
15:14:01.0968 4088 ============================================================
15:14:02.0015 4088 C: <-> \Device\Harddisk0\DR0\Partition1
15:14:02.0015 4088 ============================================================
15:14:02.0015 4088 Initialize success
15:14:02.0015 4088 ============================================================
15:14:57.0312 1384 ============================================================
15:14:57.0312 1384 Scan started
15:14:57.0312 1384 Mode: Manual; TDLFS;
15:14:57.0312 1384 ============================================================
15:14:58.0093 1384 ================ Scan system memory ========================
15:14:58.0093 1384 System memory - ok
15:14:58.0093 1384 ================ Scan services =============================
15:15:51.0171 1384 PptpMiniport - ok
15:15:51.0171 1384 [ BF2466B3E18E970D8A976FB95FC1CA85 ] ProtectedStorage C:\WINDOWS\system32\lsass.exe
15:15:51.0187 1384 ProtectedStorage - ok
15:15:51.0218 1384 [ 09298EC810B07E5D582CB3A3F9255424 ] PSched C:\WINDOWS\system32\DRIVERS\psched.sys
15:15:51.0218 1384 PSched - ok
15:15:51.0234 1384 [ 80D317BD1C3DBC5D4FE7B1678C60CADD ] Ptilink C:\WINDOWS\system32\DRIVERS\ptilink.sys
15:15:51.0234 1384 Ptilink - ok
15:15:51.0281 1384 ql1080 - ok
15:15:51.0312 1384 Ql10wnt - ok
15:15:51.0343 1384 ql12160 - ok
15:15:51.0406 1384 ql1240 - ok
15:15:51.0468 1384 ql1280 - ok
15:15:51.0531 1384 [ FE0D99D6F31E4FAD8159F690D68DED9C ] RasAcd C:\WINDOWS\system32\DRIVERS\rasacd.sys
15:15:51.0531 1384 RasAcd - ok
15:15:51.0578 1384 [ AD188BE7BDF94E8DF4CA0A55C00A5073 ] RasAuto C:\WINDOWS\System32\rasauto.dll
15:15:51.0656 1384 RasAuto - ok
15:15:51.0687 1384 [ 11B4A627BC9614B885C4969BFA5FF8A6 ] Rasl2tp C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
15:15:51.0687 1384 Rasl2tp - ok
15:15:51.0750 1384 [ 76A9A3CBEADD68CC57CDA5E1D7448235 ] RasMan C:\WINDOWS\System32\rasmans.dll
15:15:51.0750 1384 RasMan - ok
15:15:51.0765 1384 [ 5BC962F2654137C9909C3D4603587DEE ] RasPppoe C:\WINDOWS\system32\DRIVERS\raspppoe.sys
15:15:51.0765 1384 RasPppoe - ok
15:15:51.0781 1384 [ FDBB1D60066FCFBB7452FD8F9829B242 ] Raspti C:\WINDOWS\system32\DRIVERS\raspti.sys
15:15:51.0781 1384 Raspti - ok
15:15:51.0812 1384 [ 7AD224AD1A1437FE28D89CF22B17780A ] Rdbss C:\WINDOWS\system32\DRIVERS\rdbss.sys
15:15:51.0812 1384 Rdbss - ok
15:15:51.0828 1384 [ 4912D5B403614CE99C28420F75353332 ] RDPCDD C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
15:15:51.0828 1384 RDPCDD - ok
15:15:51.0843 1384 [ 15CABD0F7C00C47C70124907916AF3F1 ] rdpdr C:\WINDOWS\system32\DRIVERS\rdpdr.sys
15:15:51.0859 1384 rdpdr - ok
15:15:51.0890 1384 [ 43AF5212BD8FB5BA6EED9754358BD8F7 ] RDPWD C:\WINDOWS\system32\drivers\RDPWD.sys
15:15:52.0468 1384 RDPWD - ok
15:15:52.0531 1384 [ 3C37BF86641BDA977C3BF8A840F3B7FA ] RDSessMgr C:\WINDOWS\system32\sessmgr.exe
15:15:52.0625 1384 RDSessMgr - ok
15:15:52.0625 1384 [ F828DD7E1419B6653894A8F97A0094C5 ] redbook C:\WINDOWS\system32\DRIVERS\redbook.sys
15:15:52.0640 1384 redbook - ok
15:15:52.0671 1384 [ 7E699FF5F59B5D9DE5390E3C34C67CF5 ] RemoteAccess C:\WINDOWS\System32\mprdim.dll
15:15:52.0781 1384 RemoteAccess - ok
15:15:52.0890 1384 [ 5B19B557B0C188210A56A6B699D90B8F ] RemoteRegistry C:\WINDOWS\system32\regsvc.dll
15:15:52.0890 1384 RemoteRegistry - ok
15:15:52.0968 1384 [ D85E3FA9F5B1F29BB4ED185C450D1470 ] rimmptsk C:\WINDOWS\system32\DRIVERS\rimmptsk.sys
15:15:52.0968 1384 rimmptsk - ok
15:15:52.0984 1384 [ DB8EB01C58C9FADA00C70B1775278AE0 ] rimsptsk C:\WINDOWS\system32\DRIVERS\rimsptsk.sys
15:15:52.0984 1384 rimsptsk - ok
15:15:53.0078 1384 [ F17713D108ACA124A139FDE877EEF68A ] RimUsb C:\WINDOWS\system32\Drivers\RimUsb.sys
15:15:53.0562 1384 RimUsb - ok
15:15:53.0593 1384 [ 6C1F93C0760C9F79A1869D07233DF39D ] rismxdp C:\WINDOWS\system32\DRIVERS\rixdptsk.sys
15:15:53.0828 1384 rismxdp - ok
15:15:53.0906 1384 [ AAED593F84AFA419BBAE8572AF87CF6A ] RpcLocator C:\WINDOWS\system32\locator.exe
15:15:54.0109 1384 RpcLocator - ok
15:15:54.0359 1384 [ 6B27A5C03DFB94B4245739065431322C ] RpcSs C:\WINDOWS\system32\rpcss.dll
15:15:54.0484 1384 RpcSs - ok
15:15:54.0703 1384 [ 471B3F9741D762ABE75E9DEEA4787E47 ] RSVP C:\WINDOWS\system32\rsvp.exe
15:15:54.0875 1384 RSVP - ok
15:15:55.0000 1384 s24trans - ok
15:15:55.0203 1384 [ BF2466B3E18E970D8A976FB95FC1CA85 ] SamSs C:\WINDOWS\system32\lsass.exe
15:15:55.0218 1384 SamSs - ok
15:15:55.0406 1384 [ 86D007E7A654B9A71D1D7D856B104353 ] SCardSvr C:\WINDOWS\System32\SCardSvr.exe
15:15:55.0546 1384 SCardSvr - ok
15:15:55.0859 1384 [ 0A9A7365A1CA4319AA7C1D6CD8E4EAFA ] Schedule C:\WINDOWS\system32\schedsvc.dll
15:15:55.0890 1384 Schedule - ok
15:15:56.0218 1384 [ 8D04819A3CE51B9EB47E5689B44D43C4 ] sdbus C:\WINDOWS\system32\DRIVERS\sdbus.sys
15:15:56.0234 1384 sdbus - ok
15:15:56.0703 1384 [ 90A3935D05B494A5A39D37E71F09A677 ] Secdrv C:\WINDOWS\system32\DRIVERS\secdrv.sys
15:15:56.0890 1384 Secdrv - ok
15:15:57.0468 1384 [ CBE612E2BB6A10E3563336191EDA1250 ] seclogon C:\WINDOWS\System32\seclogon.dll
15:15:57.0484 1384 seclogon - ok
15:15:57.0656 1384 [ 7FDD5D0684ECA8C1F68B4D99D124DCD0 ] SENS C:\WINDOWS\system32\sens.dll
15:15:57.0671 1384 SENS - ok
15:15:57.0828 1384 [ CCA207A8896D4C6A0C9CE29A4AE411A7 ] Serial C:\WINDOWS\system32\drivers\Serial.sys
15:15:57.0843 1384 Serial - ok
15:15:58.0093 1384 [ 8E6B8C671615D126FDC553D1E2DE5562 ] Sfloppy C:\WINDOWS\system32\drivers\Sfloppy.sys
15:15:58.0125 1384 Sfloppy - ok
15:15:58.0421 1384 [ 99BC0B50F511924348BE19C7C7313BBF ] ShellHWDetection C:\WINDOWS\System32\shsvcs.dll
15:15:58.0437 1384 ShellHWDetection - ok
15:15:58.0531 1384 Simbad - ok
15:15:58.0625 1384 [ 866D538EBE33709A5C9F5C62B73B7D14 ] SLIP C:\WINDOWS\system32\DRIVERS\SLIP.sys
15:15:58.0718 1384 SLIP - ok
15:15:59.0125 1384 [ A1ECEEAA5C5E74B2499EB51D38185B84 ] SONYPVU1 C:\WINDOWS\system32\DRIVERS\SONYPVU1.SYS
15:15:59.0250 1384 SONYPVU1 - ok
15:15:59.0343 1384 Sparrow - ok
15:15:59.0421 1384 [ DC4DC886D3779C446F9B0E9D6B006E72 ] SPBBCDrv C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys
15:15:59.0437 1384 SPBBCDrv - ok
15:15:59.0515 1384 [ AB8B92451ECB048A4D1DE7C3FFCB4A9F ] splitter C:\WINDOWS\system32\drivers\splitter.sys
15:15:59.0515 1384 splitter - ok
15:15:59.0562 1384 [ 60784F891563FB1B767F70117FC2428F ] Spooler C:\WINDOWS\system32\spoolsv.exe
15:15:59.0578 1384 Spooler - ok
15:15:59.0609 1384 [ 76BB022C2FB6902FD5BDD4F78FC13A5D ] sr C:\WINDOWS\system32\DRIVERS\sr.sys
15:15:59.0718 1384 sr - ok
15:15:59.0828 1384 [ 3805DF0AC4296A34BA4BF93B346CC378 ] srservice C:\WINDOWS\system32\srsvc.dll
15:15:59.0953 1384 srservice - ok
15:16:00.0031 1384 [ 655773F2F1A3730C6CF20280A49F4EE1 ] SRTSP C:\WINDOWS\system32\Drivers\SRTSP.SYS
15:16:00.0046 1384 SRTSP - ok
15:16:00.0187 1384 [ 2A0AAF370D4C6574A34AE2F4A0709CAE ] SRTSPL C:\WINDOWS\system32\Drivers\SRTSPL.SYS
15:16:00.0328 1384 SRTSPL - ok
15:16:00.0531 1384 [ 3104BDCEACE2D5710776DD05E6A286C1 ] SRTSPX C:\WINDOWS\system32\Drivers\SRTSPX.SYS
15:16:00.0546 1384 SRTSPX - ok
15:16:00.0843 1384 [ 47DDFC2F003F7F9F0592C6874962A2E7 ] Srv C:\WINDOWS\system32\DRIVERS\srv.sys
15:16:00.0875 1384 Srv - ok
15:16:01.0093 1384 [ 0A5679B3714EDAB99E357057EE88FCA6 ] SSDPSRV C:\WINDOWS\System32\ssdpsrv.dll
15:16:01.0109 1384 SSDPSRV - ok
15:16:01.0265 1384 [ 951801DFB54D86F611F0AF47825476F9 ] STHDA C:\WINDOWS\system32\drivers\sthda.sys
15:16:01.0312 1384 STHDA - ok
15:16:01.0437 1384 [ 8BAD69CBAC032D4BBACFCE0306174C30 ] stisvc C:\WINDOWS\system32\wiaservc.dll
15:16:01.0468 1384 stisvc - ok
15:16:01.0609 1384 [ 77813007BA6265C4B6098187E6ED79D2 ] streamip C:\WINDOWS\system32\DRIVERS\StreamIP.sys
15:16:01.0718 1384 streamip - ok
15:16:01.0781 1384 [ 3941D127AEF12E93ADDF6FE6EE027E0F ] swenum C:\WINDOWS\system32\DRIVERS\swenum.sys
15:16:01.0812 1384 swenum - ok
15:16:02.0015 1384 [ 8CE882BCC6CF8A62F2B2323D95CB3D01 ] swmidi C:\WINDOWS\system32\drivers\swmidi.sys
15:16:02.0031 1384 swmidi - ok
15:16:02.0312 1384 SwPrv - ok
15:16:03.0140 1384 [ FA2F6A8849219B16460BF44F9D1F3AA7 ] Symantec Core LC C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
15:16:03.0406 1384 Symantec Core LC - ok
15:16:03.0468 1384 symc810 - ok
15:16:03.0781 1384 symc8xx - ok
15:16:03.0890 1384 [ FE9F8B3A8BC22D85332B42E92308DDF9 ] SYMDNS C:\WINDOWS\System32\Drivers\SYMDNS.SYS
15:16:03.0921 1384 SYMDNS - ok
15:16:04.0203 1384 [ 06B95820DF51502099A8A15C93E87986 ] SymEvent C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
15:16:04.0234 1384 SymEvent - ok
15:16:04.0390 1384 [ A0EA9D273889E53CFAABF2444692CCBF ] SYMFW C:\WINDOWS\System32\Drivers\SYMFW.SYS
15:16:04.0421 1384 SYMFW - ok
15:16:04.0750 1384 [ 23527B9CD4F7B9E31160E98D340E7E85 ] SYMIDS C:\WINDOWS\System32\Drivers\SYMIDS.SYS
15:16:05.0015 1384 SYMIDS - ok
15:16:05.0390 1384 [ D65255D470CD5103CCE573CD7B5A88D2 ] SYMIDSCO C:\PROGRA~1\COMMON~1\SYMANT~1\SymcData\ipsdefs\20091120.005\SymIDSCo.sys
15:16:05.0421 1384 SYMIDSCO - ok
15:16:05.0640 1384 [ B54F7959AFB4AAF1A8C589B0AA7FDE02 ] SymIM C:\WINDOWS\system32\DRIVERS\SymIM.sys
15:16:05.0812 1384 SymIM - ok
15:16:06.0000 1384 [ B54F7959AFB4AAF1A8C589B0AA7FDE02 ] SymIMMP C:\WINDOWS\system32\DRIVERS\SymIM.sys
15:16:06.0015 1384 SymIMMP - ok
15:16:06.0031 1384 [ D605AF3A380A83F4A562F1AD3EE19ECD ] SYMNDIS C:\WINDOWS\System32\Drivers\SYMNDIS.SYS
15:16:06.0031 1384 SYMNDIS - ok
15:16:06.0125 1384 [ 7C6505EA598E58099D3B7E1F70426864 ] SYMREDRV C:\WINDOWS\System32\Drivers\SYMREDRV.SYS
15:16:06.0156 1384 SYMREDRV - ok
15:16:06.0312 1384 [ E6FF7ACE71D07CA90119F2C6AB592BA4 ] SYMTDI C:\WINDOWS\System32\Drivers\SYMTDI.SYS
15:16:06.0390 1384 SYMTDI - ok
15:16:06.0546 1384 sym_hi - ok
15:16:06.0703 1384 sym_u3 - ok
15:16:06.0921 1384 [ 8B83F3ED0F1688B4958F77CD6D2BF290 ] sysaudio C:\WINDOWS\system32\drivers\sysaudio.sys
15:16:06.0937 1384 sysaudio - ok
15:16:06.0984 1384 [ C7ABBC59B43274B1109DF6B24D617051 ] SysmonLog C:\WINDOWS\system32\smlogsvc.exe
15:16:07.0062 1384 SysmonLog - ok
15:16:07.0234 1384 [ 3CB78C17BB664637787C9A1C98F79C38 ] TapiSrv C:\WINDOWS\System32\tapisrv.dll
15:16:07.0250 1384 TapiSrv - ok
15:16:07.0484 1384 [ 9AEFA14BD6B182D61E3119FA5F436D3D ] Tcpip C:\WINDOWS\system32\DRIVERS\tcpip.sys
15:16:07.0500 1384 Tcpip - ok
15:16:07.0703 1384 [ 6471A66807F5E104E4885F5B67349397 ] TDPIPE C:\WINDOWS\system32\drivers\TDPIPE.sys
15:16:08.0093 1384 TDPIPE - ok
15:16:08.0125 1384 [ C56B6D0402371CF3700EB322EF3AAF61 ] TDTCP C:\WINDOWS\system32\drivers\TDTCP.sys
15:16:08.0281 1384 TDTCP - ok
15:16:08.0515 1384 [ 88155247177638048422893737429D9E ] TermDD C:\WINDOWS\system32\DRIVERS\termdd.sys
15:16:08.0578 1384 TermDD - ok
15:16:09.0281 1384 [ FF3477C03BE7201C294C35F684B3479F ] TermService C:\WINDOWS\System32\termsrv.dll
15:16:09.0312 1384 TermService - ok
15:16:09.0546 1384 [ 99BC0B50F511924348BE19C7C7313BBF ] Themes C:\WINDOWS\System32\shsvcs.dll
15:16:09.0562 1384 Themes - ok
15:16:09.0875 1384 [ DB7205804759FF62C34E3EFD8A4CC76A ] TlntSvr C:\WINDOWS\system32\tlntsvr.exe
15:16:10.0000 1384 TlntSvr - ok
15:16:10.0250 1384 TosIde - ok
15:16:10.0500 1384 [ 55BCA12F7F523D35CA3CB833C725F54E ] TrkWks C:\WINDOWS\system32\trkwks.dll
15:16:10.0593 1384 TrkWks - ok
15:16:11.0109 1384 [ 5787B80C2E3C5E2F56C2A233D91FA2C9 ] Udfs C:\WINDOWS\system32\drivers\Udfs.sys
15:16:11.0250 1384 Udfs - ok
15:16:11.0562 1384 ultra - ok
15:16:11.0828 1384 [ 402DDC88356B1BAC0EE3DD1580C76A31 ] Update C:\WINDOWS\system32\DRIVERS\update.sys
15:16:12.0062 1384 Update - ok
15:16:12.0265 1384 [ 1EBAFEB9A3FBDC41B8D9C7F0F687AD91 ] upnphost C:\WINDOWS\System32\upnphost.dll
15:16:12.0437 1384 upnphost - ok
15:16:12.0640 1384 [ 05365FB38FCA1E98F7A566AAAF5D1815 ] UPS C:\WINDOWS\System32\ups.exe
15:16:12.0750 1384 UPS - ok
15:16:12.0812 1384 [ 1DF89C499BF45D878B87EBD4421D462D ] USBAAPL C:\WINDOWS\system32\Drivers\usbaapl.sys
15:16:12.0906 1384 USBAAPL - ok
15:16:14.0109 1384 [ E919708DB44ED8543A7C017953148330 ] usbaudio C:\WINDOWS\system32\drivers\usbaudio.sys
15:16:14.0250 1384 usbaudio - ok
15:16:15.0406 1384 [ 173F317CE0DB8E21322E71B7E60A27E8 ] usbccgp C:\WINDOWS\system32\DRIVERS\usbccgp.sys
15:16:15.0484 1384 usbccgp - ok
15:16:16.0140 1384 [ 65DCF09D0E37D4C6B11B5B0B76D470A7 ] usbehci C:\WINDOWS\system32\DRIVERS\usbehci.sys
15:16:16.0203 1384 usbehci - ok
15:16:17.0343 1384 [ 1AB3CDDE553B6E064D2E754EFE20285C ] usbhub C:\WINDOWS\system32\DRIVERS\usbhub.sys
15:16:17.0359 1384 usbhub - ok
15:16:18.0562 1384 [ A717C8721046828520C9EDF31288FC00 ] usbprint C:\WINDOWS\system32\DRIVERS\usbprint.sys
15:16:18.0812 1384 usbprint - ok
15:16:19.0140 1384 [ A0B8CF9DEB1184FBDD20784A58FA75D4 ] usbscan C:\WINDOWS\system32\DRIVERS\usbscan.sys
15:16:19.0265 1384 usbscan - ok
15:16:19.0500 1384 [ A32426D9B14A089EAA1D922E0C5801A9 ] USBSTOR C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
15:16:19.0625 1384 USBSTOR - ok
15:16:22.0187 1384 [ 26496F9DEE2D787FC3E61AD54821FFE6 ] usbuhci C:\WINDOWS\system32\DRIVERS\usbuhci.sys
15:16:22.0218 1384 usbuhci - ok
15:16:23.0093 1384 [ 63BBFCA7F390F4C49ED4B96BFB1633E0 ] usbvideo C:\WINDOWS\system32\Drivers\usbvideo.sys
15:16:23.0203 1384 usbvideo - ok
15:16:23.0359 1384 [ 0D3A8FAFCEACD8B7625CD549757A7DF1 ] VgaSave C:\WINDOWS\System32\drivers\vga.sys
15:16:23.0390 1384 VgaSave - ok
15:16:23.0609 1384 ViaIde - ok
15:16:23.0671 1384 [ 4C8FCB5CC53AAB716D810740FE59D025 ] VolSnap C:\WINDOWS\system32\drivers\VolSnap.sys
15:16:23.0796 1384 VolSnap - ok
15:16:24.0156 1384 [ 7A9DB3A67C333BF0BD42E42B8596854B ] VSS C:\WINDOWS\System32\vssvc.exe
15:16:24.0265 1384 VSS - ok
15:16:24.0640 1384 [ 54AF4B1D5459500EF0937F6D33B1914F ] W32Time C:\WINDOWS\system32\w32time.dll
15:16:24.0781 1384 W32Time - ok
15:16:24.0968 1384 [ E20B95BAEDB550F32DD489265C1DA1F6 ] Wanarp C:\WINDOWS\system32\DRIVERS\wanarp.sys
15:16:25.0015 1384 Wanarp - ok
15:16:25.0156 1384 WDICA - ok
15:16:25.0390 1384 [ 6768ACF64B18196494413695F0C3A00F ] wdmaud C:\WINDOWS\system32\drivers\wdmaud.sys
15:16:25.0468 1384 wdmaud - ok
15:16:25.0625 1384 [ 77A354E28153AD2D5E120A5A8687BC06 ] WebClient C:\WINDOWS\System32\webclnt.dll
15:16:25.0656 1384 WebClient - ok
15:16:25.0906 1384 [ A8596CF86D445269A42ECC08B7066A4C ] winachsf C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
15:16:25.0984 1384 winachsf - ok
15:16:26.0468 1384 [ 2D0E4ED081963804CCC196A0929275B5 ] winmgmt C:\WINDOWS\system32\wbem\WMIsvc.dll
15:16:26.0546 1384 winmgmt - ok
15:16:27.0921 1384 wltrysvc - ok
15:16:28.0312 1384 [ C51B4A5C05A5475708E3C81C7765B71D ] WmdmPmSN C:\WINDOWS\system32\MsPMSNSv.dll
15:16:28.0515 1384 WmdmPmSN - ok
15:16:28.0781 1384 [ E76F8807070ED04E7408A86D6D3A6137 ] Wmi C:\WINDOWS\System32\advapi32.dll
15:16:28.0828 1384 Wmi - ok
15:16:29.0000 1384 [ C42584FD66CE9E17403AEBCA199F7BDB ] WmiAcpi C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
15:16:29.0031 1384 WmiAcpi - ok
15:16:29.0515 1384 [ E0673F1106E62A68D2257E376079F821 ] WmiApSrv C:\WINDOWS\system32\wbem\wmiapsrv.exe
15:16:29.0609 1384 WmiApSrv - ok
15:16:29.0812 1384 [ F74E3D9A7FA9556C3BBB14D4E5E63D3B ] WMPNetworkSvc C:\Program Files\Windows Media Player\WMPNetwk.exe
15:16:33.0656 1384 WMPNetworkSvc - ok
15:16:33.0703 1384 [ CF4DEF1BF66F06964DC0D91844239104 ] WpdUsb C:\WINDOWS\system32\DRIVERS\wpdusb.sys
15:16:33.0984 1384 WpdUsb - ok
15:16:33.0984 1384 WSearch - ok
15:16:34.0578 1384 [ C98B39829C2BBD34E454150633C62C78 ] WSTCODEC C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
15:16:35.0328 1384 WSTCODEC - ok
15:16:36.0546 1384 [ F15FEAFFFBB3644CCC80C5DA584E6311 ] WudfPf C:\WINDOWS\system32\DRIVERS\WudfPf.sys
15:16:37.0078 1384 WudfPf - ok
15:16:37.0656 1384 [ 28B524262BCE6DE1F7EF9F510BA3985B ] WudfRd C:\WINDOWS\system32\DRIVERS\wudfrd.sys
15:16:38.0296 1384 WudfRd - ok
15:16:39.0093 1384 [ 05231C04253C5BC30B26CBAAE680ED89 ] WudfSvc C:\WINDOWS\System32\WUDFSvc.dll
15:16:39.0234 1384 WudfSvc - ok
15:16:39.0500 1384 [ 81DC3F549F44B1C1FFF022DEC9ECF30B ] WZCSVC C:\WINDOWS\System32\wzcsvc.dll
15:16:39.0578 1384 WZCSVC - ok
15:16:43.0234 1384 [ 295D21F14C335B53CB8154E5B1F892B9 ] xmlprov C:\WINDOWS\System32\xmlprov.dll
15:16:43.0375 1384 xmlprov - ok
15:16:44.0625 1384 ================ Scan global ===============================
15:16:44.0656 1384 [ 42F1F4C0AFB08410E5F02D4B13EBB623 ] C:\WINDOWS\system32\basesrv.dll
15:16:44.0687 1384 [ 8C7DCA4B158BF16894120786A7A5F366 ] C:\WINDOWS\system32\winsrv.dll
15:16:44.0718 1384 [ 8C7DCA4B158BF16894120786A7A5F366 ] C:\WINDOWS\system32\winsrv.dll
15:16:44.0750 1384 [ 65DF52F5B8B6E9BBD183505225C37315 ] C:\WINDOWS\system32\services.exe
15:16:44.0765 1384 [Global] - ok
15:16:44.0765 1384 ================ Scan MBR ==================================
15:16:44.0781 1384 [ 8F558EB6672622401DA993E1E865C861 ] \Device\Harddisk0\DR0
15:16:46.0312 1384 \Device\Harddisk0\DR0 - ok
15:16:46.0343 1384 [ 5F549E0A200B7179806806E6C0CF098C ] \Device\Harddisk1\DR5
15:19:49.0765 1384 \Device\Harddisk1\DR5 - ok
15:19:49.0765 1384 ================ Scan VBR ==================================
15:19:49.0828 1384 [ 37E16173169EE6D9A7B9ECCFEDEC0679 ] \Device\Harddisk0\DR0\Partition1
15:19:49.0828 1384 \Device\Harddisk0\DR0\Partition1 - ok
15:19:49.0843 1384 [ 7E0070352A96D9EFDD4984B5FD65D584 ] \Device\Harddisk1\DR5\Partition1
15:19:49.0859 1384 \Device\Harddisk1\DR5\Partition1 - ok
15:19:50.0062 1384 ============================================================
15:19:50.0062 1384 Scan finished
15:19:50.0062 1384 ============================================================
15:19:50.0109 1324 Detected object count: 0
15:19:50.0109 1324 Actual detected object count: 0
15:21:49.0515 4012 Deinitialize success

#6 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 14 December 2012 - 08:06 PM

please try running ComboFix in safe mode > "ok" through the Norton warnings

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#7 husky1954

husky1954
  • Topic Starter

  • Members
  • 41 posts
  • Gender:Male
  • Location:Eagle, CO

Posted 14 December 2012 - 09:02 PM

Booted in safe mode.
Ran ComboFix.
ComboFix tried to install the Restore console. I had the cable unplugged for safety. So this failed.
ComboFix kept going and rebooted in normal mode.
While ComboFix was running, Norton popped up and asked about the firewall.
I shut this down and ComboFix finished.

Here is the log:
ComboFix 12-12-14.01 - Administrator 12/14/2012 18:23:02.1.2 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1775 [GMT -7:00]
Running from: c:\documents and settings\Administrator.CLJ\Desktop\ComboFix.exe
AV: Norton Internet Security *Enabled/Outdated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *Enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator.CLJ\Application Data\dlspr.dll
c:\documents and settings\Administrator.CLJ\Application Data\mlundw.dll
c:\documents and settings\Administrator.CLJ\Application Data\pupiet.dll
c:\recycler\S-1-5-18\$a16a088e5aefe86cf0ad2d7756221b8e\@
c:\recycler\S-1-5-18\$a16a088e5aefe86cf0ad2d7756221b8e\L\00000004.@
c:\recycler\S-1-5-18\$a16a088e5aefe86cf0ad2d7756221b8e\L\201d3dde
c:\recycler\S-1-5-18\$a16a088e5aefe86cf0ad2d7756221b8e\n
c:\recycler\S-1-5-18\$a16a088e5aefe86cf0ad2d7756221b8e\U\00000004.@
c:\recycler\S-1-5-18\$a16a088e5aefe86cf0ad2d7756221b8e\U\00000008.@
c:\recycler\S-1-5-18\$a16a088e5aefe86cf0ad2d7756221b8e\U\000000cb.@
c:\recycler\S-1-5-18\$a16a088e5aefe86cf0ad2d7756221b8e\U\80000000.@
c:\recycler\S-1-5-18\$a16a088e5aefe86cf0ad2d7756221b8e\U\80000032.@
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_NPF
.
.
((((((((((((((((((((((((( Files Created from 2012-11-15 to 2012-12-15 )))))))))))))))))))))))))))))))
.
.
2012-12-14 03:45 . 2012-12-14 16:31 -------- d-----w- c:\windows\system32\MpEngineStore
2012-12-14 02:31 . 2012-12-14 02:31 -------- d-----w- c:\documents and settings\Administrator.CLJ\Application Data\Malwarebytes
2012-12-08 21:43 . 2012-12-13 01:50 -------- d-----w- c:\documents and settings\All Users\Application Data\94A084F026AAC5BE0000949FF056CC54
2012-12-08 21:42 . 2012-12-08 21:42 59904 ---ha-w- c:\windows\system32\hosthost.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-10-22 08:37 . 2004-08-04 10:00 1866368 ----a-w- c:\windows\system32\win32k.sys
2012-10-02 18:04 . 2004-08-04 10:00 58368 ----a-w- c:\windows\system32\synceng.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Spotify"="c:\documents and settings\Administrator.CLJ\Application Data\Spotify\spotify.exe" [2012-10-27 7880664]
"Spotify Web Helper"="c:\documents and settings\Administrator.CLJ\Application Data\Spotify\Data\SpotifyWebHelper.exe" [2012-10-27 1199576]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-05-16 137752]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-05-16 162328]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-05-16 137752]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2008-06-02 2220032]
"OEM02Mon.exe"="c:\windows\OEM02Mon.exe" [2007-05-10 36864]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2008-04-14 143360]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
"osCheck"="c:\program files\Norton Internet Security\osCheck.exe" [2007-08-25 714608]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
KineticD.lnk - c:\program files\Data Deposit Box\starter.exe [2009-9-15 324896]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\Administrator.CLJ\\Application Data\\Spotify\\spotify.exe"=
.
R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\CCSVCHST.EXE [8/24/2007 10:07 PM 149352]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [9/14/2009 1:45 PM 102448]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [5/29/2007 1:55 PM 23888]
S3 HP1319EWS;HP1319EWS;c:\windows\system32\drivers\HP1319EWS.SYS [9/16/2009 2:07 PM 10752]
S3 HP1319FX;HP1319FX;c:\windows\system32\drivers\HP1319FAX.SYS [9/16/2009 2:06 PM 11264]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
.
2012-12-04 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]
.
2012-12-05 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - Administrator.job
- c:\program files\Norton Internet Security\Norton AntiVirus\Navw32.exe [2007-08-27 01:19]
.
2012-12-15 c:\windows\Tasks\SDMsgUpdate (SD).job
- c:\progra~1\SMARTD~1\Messages\SDNotify.exe [2009-09-22 16:53]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
TCP: DhcpNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-pupiet - c:\documents and settings\Administrator.CLJ\Application Data\pupiet.dll
HKLM-Run-dlspr - c:\documents and settings\Administrator.CLJ\Application Data\dlspr.dll
HKLM-Run-mlundw - c:\documents and settings\Administrator.CLJ\Application Data\mlundw.dll
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-12-14 18:35
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
c:\documents and settings\Administrator.CLJ\Application Data\Spotify\Users\1216813059-user\Apps\home\Cookies-journal 9800 bytes
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-790525478-1767777339-725345543-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,5a,c6,e2,8e,e7,4e,df,4c,ae,a6,c8,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,2c,19,e1,63,f0,f1,ab,4f,9f,c8,94,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,5a,c6,e2,8e,e7,4e,df,4c,ae,a6,c8,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(1772)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\program files\Data Deposit Box\usrhook1.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Data Deposit Box\nts.exe
c:\program files\Data Deposit Box\startup.exe
c:\windows\system32\SearchIndexer.exe
c:\program files\Data Deposit Box\backup.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Data Deposit Box\status.exe
c:\program files\iPod\bin\iPodService.exe
c:\progra~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
c:\windows\system32\SearchFilterHost.exe
c:\windows\system32\SearchProtocolHost.exe
.
**************************************************************************
.
Completion time: 2012-12-14 18:42:29 - machine was rebooted
ComboFix-quarantined-files.txt 2012-12-15 01:42
.
Pre-Run: 73,254,744,064 bytes free
Post-Run: 75,800,248,320 bytes free
.
- - End Of File - - 3F5F88C1974C0BC5B7FD5D4D19F17097
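As an added, defender-side example (not code from ComboFix, TDSSKiller, or anyone in this thread), the script below triages a ComboFix log for the ZeroAccess indicators visible in the log above: the fake recycle-bin folder under the SYSTEM SID, the orphaned Run values that loaded DLLs from Application Data, and the Security Center and firewall settings that had been switched off. The function names are my own, and the embedded sample log is constructed from lines quoted in this post.

```python
"""Triage a ComboFix-style log for the ZeroAccess indicators seen in this thread.

Added example, not ComboFix, TDSSKiller or BleepingComputer code. It flags:
  1. the fake recycle-bin folder ZeroAccess hides in ($<32 hex> under the
     SYSTEM SID, holding an '@' marker, an 'n' payload and L\\ / U\\ modules),
  2. Run entries that launch a .dll out of a user's Application Data folder,
  3. Security Center monitoring and the Windows Firewall being switched off.
"""
import re

RECYCLER_RE = re.compile(
    r"^c:\\recycler\\S-1-5-18\\\$(?P<id>[0-9a-f]{32})\\(?P<leaf>.+)$", re.IGNORECASE)
RUN_DLL_RE = re.compile(
    r"^HKLM-Run-(?P<name>\S+) - (?P<path>c:\\documents and settings\\[^\\]+"
    r"\\application data\\[^\\]+\.dll)$", re.IGNORECASE)
FIREWALL_RE = re.compile(r'^"enablefirewall"=\s*(\d+)')
DWORD_PREFIX = '"disablemonitoring"=dword:'


def find_recycler_folders(lines):
    """Map each $<hex> folder id to the set of relative paths seen under it."""
    found = {}
    for line in lines:
        m = RECYCLER_RE.match(line.strip())
        if m:
            found.setdefault(m.group("id").lower(), set()).add(m.group("leaf"))
    return found


def is_zeroaccess_layout(leaves):
    """True when the '@' marker and at least one L\\ or U\\ module entry coexist."""
    has_marker = "@" in leaves
    has_modules = any(leaf[:2].upper() in ("L\\", "U\\") for leaf in leaves)
    return has_marker and has_modules


def find_run_dlls(lines):
    """Run values (live or orphaned) whose target is a DLL under Application Data."""
    matches = (RUN_DLL_RE.match(line.strip()) for line in lines)
    return [(m.group("name"), m.group("path")) for m in matches if m]


def find_security_tampering(lines):
    """Return (keys with DisableMonitoring set, True if EnableFirewall is 0)."""
    disabled_keys, firewall_off, key = [], False, ""
    for raw in lines:
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()            # REGEDIT4-style section header
            continue
        lower = line.lower()
        if "security center\\monitoring" in key and lower.startswith(DWORD_PREFIX):
            if int(lower[len(DWORD_PREFIX):].split()[0], 16) != 0:
                disabled_keys.append(key)
        fw = FIREWALL_RE.match(lower)
        if "firewallpolicy\\standardprofile" in key and fw and int(fw.group(1)) == 0:
            firewall_off = True
    return disabled_keys, firewall_off


def triage(log_text):
    """Summarise every indicator found in one ComboFix log."""
    lines = log_text.splitlines()
    folders = find_recycler_folders(lines)
    disabled, firewall_off = find_security_tampering(lines)
    return {
        "zeroaccess_folders": sorted(
            fid for fid, leaves in folders.items() if is_zeroaccess_layout(leaves)),
        "appdata_run_dlls": find_run_dlls(lines),
        "security_center_disabled": disabled,
        "firewall_disabled": firewall_off,
    }


# Constructed from lines in the thread's ComboFix log; not a complete log.
SAMPLE_LOG = r"""
c:\documents and settings\Administrator.CLJ\Application Data\dlspr.dll
c:\recycler\S-1-5-18\$a16a088e5aefe86cf0ad2d7756221b8e\@
c:\recycler\S-1-5-18\$a16a088e5aefe86cf0ad2d7756221b8e\L\00000004.@
c:\recycler\S-1-5-18\$a16a088e5aefe86cf0ad2d7756221b8e\n
c:\recycler\S-1-5-18\$a16a088e5aefe86cf0ad2d7756221b8e\U\80000032.@
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
HKLM-Run-pupiet - c:\documents and settings\Administrator.CLJ\Application Data\pupiet.dll
HKLM-Run-dlspr - c:\documents and settings\Administrator.CLJ\Application Data\dlspr.dll
"""

if __name__ == "__main__":
    for name, value in triage(SAMPLE_LOG).items():
        print(f"{name}: {value}")
```

A hit on the recycler layout alone is what warrants a ComboFix or TDSSKiller pass; the Run-value and Security Center checks are supporting evidence, since legitimate software rarely sets either.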

#8 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 14 December 2012 - 09:13 PM

Please connect back up to the internet, as I would like to get a file submitted, and your machine should have the recovery console installed.

Please do the following:

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Press the WinKey + R to open a run box, type Notepad > click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

http://www.bleepingcomputer.com/forums/topic478445.html/page__pid__2921632#entry2921632

Collect::
c:\windows\system32\hosthost.dll

DirLook::
c:\documents and settings\All Users\Application Data\94A084F026AAC5BE0000949FF056CC54

ClearJavaCache::

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop. Save it as "CFScript".


Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...

Posted Image
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix may request an update; please allow it.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


NEXT


Please download Junkware Removal Tool to your desktop.
  • Shut down your antivirus to avoid any conflicts.
  • Right-mouse click JRT.exe and select Run as administrator
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message


NEXT


Download AdwCleaner from here and save it to your desktop.
  • Run AdwCleaner and select Delete
  • Once done it will ask to reboot, allow the reboot
  • On reboot a log will be produced, please attach the content of the log to your next reply


NEXT

  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.



NEXT


Go here to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE, name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#9 husky1954

Posted 14 December 2012 - 10:15 PM

Plugged in cable.
Created CFScript.txt and dragged it to Combofix.
Combofix installed the restore console and finished.
I will do the rest of the tasks you requested.
Things are running much better. Woo Hoo, can't lose with a bleeping tiger on my team.

Here is the Combofix log:
ComboFix 12-12-14.01 - Administrator 12/14/2012 19:36:05.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2038.1396 [GMT -7:00]
Running from: c:\documents and settings\Administrator.CLJ\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator.CLJ\Desktop\CFScript.txt
AV: Norton Internet Security *Disabled/Outdated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *Disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
* Created a new restore point
.
file zipped: c:\windows\system32\hosthost.dll
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator.CLJ\My Documents\My Music\My Music.url
c:\windows\assembly\GAC\Desktop.ini
c:\windows\EventSystem.log
c:\windows\system32\AegisI5Installer.exe
c:\windows\system32\hosthost.dll
.
.
((((((((((((((((((((((((( Files Created from 2012-11-15 to 2012-12-15 )))))))))))))))))))))))))))))))
.
.
2012-12-15 01:42 . 2012-12-15 01:42 12568 ----a-w- c:\windows\system32\drivers\PROCEXP113.SYS
2012-12-14 03:45 . 2012-12-14 16:31 -------- d-----w- c:\windows\system32\MpEngineStore
2012-12-14 02:31 . 2012-12-14 02:31 -------- d-----w- c:\documents and settings\Administrator.CLJ\Application Data\Malwarebytes
2012-12-08 21:43 . 2012-12-13 01:50 -------- d-----w- c:\documents and settings\All Users\Application Data\94A084F026AAC5BE0000949FF056CC54
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-10-22 08:37 . 2004-08-04 10:00 1866368 ----a-w- c:\windows\system32\win32k.sys
2012-10-02 18:04 . 2004-08-04 10:00 58368 ----a-w- c:\windows\system32\synceng.dll
.
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\documents and settings\All Users\Application Data\94A084F026AAC5BE0000949FF056CC54 ----
.
2012-12-08 21:45 . 2012-12-13 01:50 2960 ----a-w- c:\documents and settings\All Users\Application Data\94A084F026AAC5BE0000949FF056CC54\94A084F026AAC5BE0000949FF056CC54
2012-12-08 21:43 . 2012-12-08 21:43 4286 ----a-w- c:\documents and settings\All Users\Application Data\94A084F026AAC5BE0000949FF056CC54\94A084F026AAC5BE0000949FF056CC54.ico
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Spotify"="c:\documents and settings\Administrator.CLJ\Application Data\Spotify\spotify.exe" [2012-10-27 7880664]
"Spotify Web Helper"="c:\documents and settings\Administrator.CLJ\Application Data\Spotify\Data\SpotifyWebHelper.exe" [2012-10-27 1199576]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-05-16 137752]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-05-16 162328]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-05-16 137752]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2008-06-02 2220032]
"OEM02Mon.exe"="c:\windows\OEM02Mon.exe" [2007-05-10 36864]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2008-04-14 143360]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
"osCheck"="c:\program files\Norton Internet Security\osCheck.exe" [2007-08-25 714608]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-09-05 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
KineticD.lnk - c:\program files\Data Deposit Box\starter.exe [2009-9-15 324896]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\Administrator.CLJ\\Application Data\\Spotify\\spotify.exe"=
.
R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\CCSVCHST.EXE [8/24/2007 10:07 PM 149352]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [9/14/2009 1:45 PM 102448]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [5/29/2007 1:55 PM 23888]
S3 HP1319EWS;HP1319EWS;c:\windows\system32\drivers\HP1319EWS.SYS [9/16/2009 2:07 PM 10752]
S3 HP1319FX;HP1319FX;c:\windows\system32\drivers\HP1319FAX.SYS [9/16/2009 2:06 PM 11264]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
.
2012-12-04 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]
.
2012-12-05 c:\windows\Tasks\Norton Internet Security - Run Full System Scan - Administrator.job
- c:\program files\Norton Internet Security\Norton AntiVirus\Navw32.exe [2007-08-27 01:19]
.
2012-12-15 c:\windows\Tasks\SDMsgUpdate (SD).job
- c:\progra~1\SMARTD~1\Messages\SDNotify.exe [2009-09-22 16:53]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
TCP: DhcpNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-12-14 19:53
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-790525478-1767777339-725345543-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,5a,c6,e2,8e,e7,4e,df,4c,ae,a6,c8,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,2c,19,e1,63,f0,f1,ab,4f,9f,c8,94,\
"6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,5a,c6,e2,8e,e7,4e,df,4c,ae,a6,c8,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(208)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\SearchIndexer.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2012-12-14 20:00:49 - machine was rebooted
ComboFix-quarantined-files.txt 2012-12-15 03:00
ComboFix2.txt 2012-12-15 01:42
.
Pre-Run: 75,646,017,536 bytes free
Post-Run: 75,708,440,576 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 04DA3345EBAC61F81BC28BFE832A3287
Upload was successful

#10 CatByte
  • Malware Response Team

Posted 14 December 2012 - 10:37 PM

As well as the rest of the scans, please do the following:

These entries are a little suspicious:

c:\documents and settings\All Users\Application Data\94A084F026AAC5BE0000949FF056CC54\94A084F026AAC5BE0000949FF056CC54
c:\documents and settings\All Users\Application Data\94A084F026AAC5BE0000949FF056CC54\94A084F026AAC5BE0000949FF056CC54.ico

Please navigate to that folder (you will need to show hidden files and folders).

Right-click on the .ico file and see if there is any indication of what this might belong to.

Please upload it for analysis.

Submit a file to VirusTotal for analysis
  • Use the browse button on that page to navigate to the location of the file to be scanned.
  • In the right-hand panel, click on the file c:\documents and settings\All Users\Application Data\94A084F026AAC5BE0000949FF056CC54\94A084F026AAC5BE0000949FF056CC54.ico, then click the Open button.
  • The file will now be displayed in the submit box.
  • Scroll down a bit and click "send file", wait for the results
  • If you get a message saying File has already been analyzed: click Reanalyze file now
  • Once scanned, copy and paste the link to the results page in your next reply.

To show hidden files and folders
  • Double-click My Computer.
  • Click the Tools menu, and then click Folder Options.
  • Click the View tab.
  • Clear "Hide file extensions for known file types."
  • Under the "Hidden files" folder, select "Show hidden files and folders."
  • Clear "Hide protected operating system files."
  • Click Apply, and then click OK.



#11 husky1954

Posted 14 December 2012 - 11:52 PM

Downloaded JRT.exe to desktop and ran it.
Downloaded AdwCleaner and ran it.
Could not get Malwarebytes to update.
Windows automatic update installed 9 updates.

JRT log:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 4.1.4 (12.14.2012:2)
OS: Microsoft Windows XP x86
Ran by Administrator on Fri 12/14/2012 at 20:20:19.84
Blog: http://thisisudax.blogspot.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values



~~~ Registry Keys



~~~ Files



~~~ Folders





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Fri 12/14/2012 at 20:30:45.67
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


AdwCleaner log:
# AdwCleaner v2.100 - Logfile created 12/14/2012 at 20:43:13
# Updated 09/12/2012 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : Administrator - CLJ
# Boot Mode : Normal
# Running from : C:\Documents and Settings\Administrator.CLJ\Desktop\AdwCleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****


***** [Registry] *****


***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702

[OK] Registry is clean.

*************************

AdwCleaner[S1].txt - [545 octets] - [14/12/2012 20:43:13]

########## EOF - C:\AdwCleaner[S1].txt - [604 octets] ##########

#12 husky1954

Posted 15 December 2012 - 12:17 AM

Results of file scan.
The files were created on 12-8-12. The ico file looks like a list of virus checkers.

https://www.virustotal.com/file/4d52aa6c57e65d1edad0f1d9367ec4390d6c2ad3cce4e2bb3fa829c98fcb8b3e/analysis/1355548245/

#13 CatByte
  • Malware Response Team

Posted 15 December 2012 - 12:20 AM

OK, looks like Emsisoft has tagged it as a rogue security program, so right-click the whole folder and delete it.

Please continue with the ESET online scan.

Please advise how the computer is running and if there are any outstanding issues.



#14 husky1954

Posted 15 December 2012 - 11:33 AM

Deleted folder.
Installed and ran ESET. Found 25 infected files.

I tried a few things with the computer. Freecell, Mediaplayer. Things seem to be ok.
I still can't update Malwarebytes.

Here are the results of ESET:
C:\Documents and Settings\Administrator.CLJ\Local Settings\Application Data\981034c2-5f0c-4029-acde-e5035b898492.crx JS/Redirector.NCG trojan
C:\Qoobox\Quarantine\[4]-Submit_2012-12-14_19.36.00.zip Win32/PSW.Papras.CE trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Administrator.CLJ\Application Data\dlspr.dll.vir a variant of Win32/Medfos.GT trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Administrator.CLJ\Application Data\mlundw.dll.vir a variant of Win32/Medfos.GT trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Administrator.CLJ\Application Data\pupiet.dll.vir a variant of Win32/Medfos.GO trojan
C:\Qoobox\Quarantine\C\RECYCLER\S-1-5-18\$a16a088e5aefe86cf0ad2d7756221b8e\n.vir Win32/Sirefef.EV trojan
C:\Qoobox\Quarantine\C\RECYCLER\S-1-5-18\$a16a088e5aefe86cf0ad2d7756221b8e\U\00000004.@.vir Win32/Conedex.D trojan
C:\Qoobox\Quarantine\C\RECYCLER\S-1-5-18\$a16a088e5aefe86cf0ad2d7756221b8e\U\00000008.@.vir Win32/Sirefef.FG trojan
C:\Qoobox\Quarantine\C\RECYCLER\S-1-5-18\$a16a088e5aefe86cf0ad2d7756221b8e\U\000000cb.@.vir Win32/Conedex.E trojan
C:\Qoobox\Quarantine\C\RECYCLER\S-1-5-18\$a16a088e5aefe86cf0ad2d7756221b8e\U\80000000.@.vir Win32/Sirefef.FA trojan
C:\Qoobox\Quarantine\C\RECYCLER\S-1-5-18\$a16a088e5aefe86cf0ad2d7756221b8e\U\80000032.@.vir probably a variant of Win32/Sirefef.FD trojan
C:\System Volume Information\_restore{15F542BC-82C1-48FE-8C23-4BB8227D8665}\RP740\A0050940.ini Win32/Sirefef.EZ trojan
C:\System Volume Information\_restore{15F542BC-82C1-48FE-8C23-4BB8227D8665}\RP740\A0051940.ini Win32/Sirefef.EZ trojan
C:\System Volume Information\_restore{15F542BC-82C1-48FE-8C23-4BB8227D8665}\RP740\A0051943.exe a variant of Win32/Kryptik.AQHW trojan
C:\System Volume Information\_restore{15F542BC-82C1-48FE-8C23-4BB8227D8665}\RP740\A0051950.ini Win32/Sirefef.EZ trojan
C:\System Volume Information\_restore{15F542BC-82C1-48FE-8C23-4BB8227D8665}\RP740\A0051957.ini Win32/Sirefef.EZ trojan
C:\System Volume Information\_restore{15F542BC-82C1-48FE-8C23-4BB8227D8665}\RP740\A0051973.ini Win32/Sirefef.EZ trojan
C:\System Volume Information\_restore{15F542BC-82C1-48FE-8C23-4BB8227D8665}\RP740\A0051984.ini Win32/Sirefef.EZ trojan
C:\System Volume Information\_restore{15F542BC-82C1-48FE-8C23-4BB8227D8665}\RP740\A0051993.ini Win32/Sirefef.EZ trojan
C:\System Volume Information\_restore{15F542BC-82C1-48FE-8C23-4BB8227D8665}\RP740\A0052001.ini Win32/Sirefef.EZ trojan
C:\System Volume Information\_restore{15F542BC-82C1-48FE-8C23-4BB8227D8665}\RP740\A0052008.ini Win32/Sirefef.EZ trojan
C:\System Volume Information\_restore{15F542BC-82C1-48FE-8C23-4BB8227D8665}\RP740\A0053117.dll a variant of Win32/Medfos.GT trojan
C:\System Volume Information\_restore{15F542BC-82C1-48FE-8C23-4BB8227D8665}\RP740\A0053118.dll a variant of Win32/Medfos.GT trojan
C:\System Volume Information\_restore{15F542BC-82C1-48FE-8C23-4BB8227D8665}\RP740\A0053119.dll a variant of Win32/Medfos.GO trojan
C:\System Volume Information\_restore{15F542BC-82C1-48FE-8C23-4BB8227D8665}\RP741\A0053290.ini Win32/Sirefef.EZ trojan

#15 CatByte
  • Malware Response Team

Posted 15 December 2012 - 11:40 AM

Most of those detections are either in quarantine or old restore points, which we will clean up at the end.

Please navigate to the following file and delete it (you will need to show hidden files and folders):

C:\Documents and Settings\Administrator.CLJ\Local Settings\Application Data\981034c2-5f0c-4029-acde-e5035b898492.crx

  • Double-click My Computer.
  • Click the Tools menu, and then click Folder Options.
  • Click the View tab.
  • Clear "Hide file extensions for known file types."
  • Under the "Hidden files" folder, select "Show hidden files and folders."
  • Clear "Hide protected operating system files."
  • Click Apply, and then click OK.



NEXT



  • Uninstall Malwarebytes' Anti-Malware using Add/Remove programs in the control panel.
  • Restart your computer (very important).
  • Download and run this utility.
  • It will ask to restart your computer (please allow it to).
  • After the computer restarts, install the latest version from here.

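The triage rule in the reply above (copies in ComboFix's Qoobox quarantine and in old System Restore snapshots are inert; only a file outside them still needs action), as an added example that is not code from the thread, from ComboFix or from ESET. It parses ESET result lines into path and detection name, buckets each path by location, and counts detection families; the six input lines are copied from the ESET results posted above, the seventh is a constructed noise line, and Sirefef is ESET's detection name for ZeroAccess.

```python
import re
from collections import Counter, defaultdict

# One ESET result line: "<path> [probably ][a variant of ]<Family/Variant> <type>".
# The path may contain spaces, so it is matched non-greedily up to the
# detection, which is anchored at the end of the line.
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s+"
    r"(?P<detection>(?:probably )?(?:a variant of )?"
    r"(?P<name>[A-Za-z0-9]+/[A-Za-z0-9._-]+)\s+\w+)$"
)

# Location rules from the reply above: ComboFix's quarantine (Qoobox) and old
# System Restore snapshots hold inert copies; anything else is a live file.
QUARANTINE_RE = re.compile(r"^[a-z]:\\qoobox\\quarantine\\", re.I)
RESTORE_RE = re.compile(r"^[a-z]:\\system volume information\\_restore\{", re.I)


def classify(path: str) -> str:
    """Return 'quarantine', 'restore_point' or 'live' for a detected path."""
    if QUARANTINE_RE.match(path):
        return "quarantine"
    if RESTORE_RE.match(path):
        return "restore_point"
    return "live"


def triage(log_text: str):
    """Return (buckets, families): buckets maps a category to (path, detection)
    pairs, with non-result lines under 'unparsed'; families counts detection
    names with the variant suffix dropped ("Win32/Sirefef.EZ" -> "Win32/Sirefef")."""
    buckets = defaultdict(list)
    families = Counter()
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            buckets["unparsed"].append(line)
            continue
        buckets[classify(m.group("path"))].append((m.group("path"), m.group("detection")))
        families[m.group("name").rsplit(".", 1)[0]] += 1
    return dict(buckets), families


# Six lines copied from the ESET results posted in this thread, plus one
# constructed non-result line to show how noise is handled.
SAMPLE = r"""
C:\Documents and Settings\Administrator.CLJ\Local Settings\Application Data\981034c2-5f0c-4029-acde-e5035b898492.crx JS/Redirector.NCG trojan
C:\Qoobox\Quarantine\[4]-Submit_2012-12-14_19.36.00.zip Win32/PSW.Papras.CE trojan
C:\Qoobox\Quarantine\C\Documents and Settings\Administrator.CLJ\Application Data\dlspr.dll.vir a variant of Win32/Medfos.GT trojan
C:\Qoobox\Quarantine\C\RECYCLER\S-1-5-18\$a16a088e5aefe86cf0ad2d7756221b8e\U\80000032.@.vir probably a variant of Win32/Sirefef.FD trojan
C:\System Volume Information\_restore{15F542BC-82C1-48FE-8C23-4BB8227D8665}\RP740\A0050940.ini Win32/Sirefef.EZ trojan
C:\System Volume Information\_restore{15F542BC-82C1-48FE-8C23-4BB8227D8665}\RP741\A0053290.ini Win32/Sirefef.EZ trojan
Scan completed (constructed noise line)
"""

if __name__ == "__main__":
    buckets, families = triage(SAMPLE)
    for category in ("live", "quarantine", "restore_point", "unparsed"):
        print(f"{category}: {len(buckets.get(category, []))}")
    for path, detection in buckets.get("live", []):
        print("  still needs action:", path, "->", detection)
    print("families:", dict(families))
```

Only the .crx file ends up in the live bucket, which matches the one file the reply asks to delete by hand.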




