PRAGMA rootkit found can't remove


  • This topic is locked
28 replies to this topic

#1 Rickvv

  • Members
  • 70 posts

Posted 21 February 2013 - 01:08 PM

WinXP, Avast-Free.

Avast free has found PRAGMAnwecxgerci and even though we run a boot scan, and tell avast to remove the culprit, it keeps coming back.

Tried MBAM in FullScan mode, and Eset online scanner. Those don't find this, but Avast keeps finding it.

What should I do next?

I would appreciate any help.

Thanks,

rickvv




#2 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 61,441 posts
  • Gender:Female
  • Location:Romania

Posted 21 February 2013 - 01:21 PM

Very interesting! That's a pretty old rootkit. Let's see what we can find out about it.

We need to see some information about what is happening in your machine. Please perform the following scan:

  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
  • Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

    Information on A/V control HERE

Please download GMER from one of the following locations and save it to your desktop:

  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.

  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
  • If you encounter any problems, try running GMER in Safe Mode.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

Malware analyst @ Emsisoft


#3 Rickvv
  • Topic Starter
  • Members
  • 70 posts

Posted 21 February 2013 - 03:48 PM

Neither of the GMER sites is loading for me, even on a clean Mac. I'll try that later.

I'll do the DDS shortly.

Thanks!



#4 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 61,441 posts
  • Gender:Female
  • Location:Romania

Posted 21 February 2013 - 03:55 PM

Sorry, that is my fault, you can download it from here: http://www2.gmer.net/gmer.zip


regards, Elise




#5 Rickvv
  • Topic Starter
  • Members
  • 70 posts

Posted 21 February 2013 - 04:19 PM

Forum said my post was too long. I attached gmer.log as a zipped TXT file. Is that all right?

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702
Run by Angela at 14:53:10 on 2013-02-21
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1982.1252 [GMT -6:00]
.
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
============== Running Processes ================
.
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\LogMeIn Hamachi\hamachi-2.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\LogMeIn Hamachi\hamachi-2-ui.exe
C:\Program Files\AVAST Software\Avast\avastUI.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\SearchFilterHost.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
uProxyServer = hxxp=127.0.0.1:1059
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - <orphaned>
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - <orphaned>
BHO: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - c:\program files\avast software\avast\aswWebRepIE.dll
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Skype Browser Helper: {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - c:\program files\google\googletoolbarnotifier\5.7.8313.1002\swg.dll
BHO: {DBC80044-A445-435b-BC74-9C25C1C588A9} - <orphaned>
TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - c:\program files\avast software\avast\aswWebRepIE.dll
mRun: [ftutil2] "rundll32.exe" ftutil2.dll,SetWriteCacheMode
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [NvCplDaemon] "RUNDLL32.EXE" c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] "nwiz.exe" /install
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [LogMeIn Hamachi Ui] "c:\program files\logmein hamachi\hamachi-2-ui.exe" --auto-start
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
StartupFolder: c:\docume~1\angela\startm~1\programs\startup\pinmclnk.lnk - c:\hp\bin\cloaker.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\apcups~1.lnk - c:\program files\apc\apc powerchute personal edition\Display.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:323
uPolicies-Explorer: NoDriveAutoRun = dword:67108863
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDrives = dword:0
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office12\ONBttnIE.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {E2D4D26B-0180-43a4-B05F-462D6D54C789} - c:\windows\pchealth\helpctr\vendors\cn=hewlett-packard,l=cupertino,s=ca,c=us\iebutton\support.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://utilities.pcpitstop.com/Nirvana/controls/pcmatic.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper200711281.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1361303023267
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
TCP: Interfaces\{16E4634F-55C6-45B6-B74A-4B30797151D8} : NameServer = 204.130.255.3,64.122.32.71
TCP: Interfaces\{892900FC-9814-4488-99C0-81491C1EE93D} : DHCPNameServer = 16.92.3.242 16.92.3.243 16.81.3.243 16.118.3.243
Handler: inbox - {37540F19-DD4C-478B-B2DF-C19281BCAF27} - <orphaned>
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
Notify: LMIinit - LMIinit.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager - {56F9679E-7826-4C84-81F3-532071A8BCC5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\24.0.1312.57\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
.
============= SERVICES / DRIVERS ===============
.
R0 sonypvl2;sonypvl2;c:\windows\system32\drivers\sonypvl2.sys [2006-12-31 19478]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2013-2-19 738504]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2013-2-19 361032]
R1 sonypvf2;sonypvf2;c:\windows\system32\drivers\sonypvf2.sys [2006-12-31 635017]
R1 sonypvt2;sonypvt2;c:\windows\system32\drivers\sonypvt2.sys [2006-12-31 431236]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2013-2-19 21256]
R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2013-2-19 44808]
R2 Hamachi2Svc;LogMeIn Hamachi Tunneling Engine;c:\program files\logmein hamachi\hamachi-2.exe [2012-12-10 1435568]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\logmein\x86\LMIGuardianSvc.exe [2013-1-25 375144]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\logmein\x86\rainfo.sys [2012-11-29 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [2013-2-21 47640]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
S1 SASDIFSV;SASDIFSV; [x]
S1 SASKUTIL;SASKUTIL; [x]
S1 sonypvd2;sonypvd2;c:\windows\system32\drivers\sonypvd2.sys [2006-12-31 64093]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 MBAMScheduler;MBAMScheduler;c:\program files\malwarebytes' anti-malware\mbamscheduler.exe [2013-2-21 398184]
S2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2013-2-21 682344]
S2 msav;Moon Secure Antivirus Core;c:\program files\moon secure antivirus\msavcore.exe --> c:\program files\moon secure antivirus\msavcore.exe [?]
S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2012-7-13 160944]
S3 CXFALCON;Conexant Falcon II NTSC Video Capture;c:\windows\system32\drivers\cxfalcon.sys [2006-11-16 82048]
S3 dsiarhwprog;dsiarhwprog;c:\windows\system32\drivers\dsiarhwprog.sys [2010-3-26 29184]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2013-2-21 21104]
S3 NAVENG;NAVENG;\??\c:\progra~1\common~1\symant~1\virusd~1\20060823.066\naveng.sys --> c:\progra~1\common~1\symant~1\virusd~1\20060823.066\NAVENG.SYS [?]
S3 NAVEX15;NAVEX15;\??\c:\progra~1\common~1\symant~1\virusd~1\20060823.066\navex15.sys --> c:\progra~1\common~1\symant~1\virusd~1\20060823.066\NAVEX15.SYS [?]
S3 OlyUsbCam;OLYMPUS USB Camera;c:\windows\system32\drivers\OlyUsbCam.sys [2008-10-19 21952]
S3 SASENUM;SASENUM; [x]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2004-8-9 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
.
=============== Created Last 30 ================
.
2013-02-21 14:05:12 -------- d-----w- c:\documents and settings\angela\application data\Malwarebytes
2013-02-21 14:05:08 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2013-02-21 14:05:07 21104 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-02-21 14:05:07 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2013-02-21 13:53:38 -------- d-----w- c:\documents and settings\angela\local settings\application data\LogMeIn
2013-02-21 13:53:35 53096 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\LMIproc.dll
2013-02-21 13:53:35 31592 ----a-w- c:\windows\system32\LMIport.dll
2013-02-21 13:53:34 84352 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2013-02-21 13:53:34 47640 ----a-w- c:\windows\system32\drivers\LMIRfsDriver.sys
2013-02-21 13:53:27 92520 ----a-w- c:\windows\system32\LMIinit.dll
2013-02-21 13:53:23 -------- d-----w- c:\documents and settings\all users\application data\LogMeIn
2013-02-21 13:53:10 -------- d-----w- c:\program files\LogMeIn
2013-02-20 21:52:35 -------- d-----w- c:\program files\Defraggler
2013-02-20 13:39:41 -------- d-sha-r- C:\cmdcons
2013-02-20 01:38:13 -------- d-----w- c:\program files\CCleaner
2013-02-19 20:19:04 738504 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2013-02-19 20:18:40 41224 ----a-w- c:\windows\avastSS.scr
2013-02-19 19:49:10 -------- d-----w- c:\windows\system32\winrm
2013-02-19 19:49:07 -------- dc-h--w- c:\windows\$968930Uinstall_KB968930$
2013-02-09 16:52:22 -------- d-----w- c:\program files\AVAST Software
2013-02-09 16:52:22 -------- d-----w- c:\documents and settings\all users\application data\AVAST Software
.
==================== Find3M  ====================
.
2013-02-20 21:43:15 71024 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-02-20 21:43:15 691568 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-01-26 03:55:44 552448 ----a-w- c:\windows\system32\oleaut32.dll
2013-01-07 01:19:45 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-01-07 00:37:01 2027520 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-01-04 01:20:00 1867264 ----a-w- c:\windows\system32\win32k.sys
2013-01-02 06:49:10 1292288 ------w- c:\windows\system32\quartz.dll
2012-12-26 20:16:29 916480 ----a-w- c:\windows\system32\wininet.dll
2012-12-26 20:16:28 43520 ------w- c:\windows\system32\licmgr10.dll
2012-12-26 20:16:28 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-12-24 06:40:59 385024 ----a-w- c:\windows\system32\html.iec
2012-12-16 12:23:59 290560 ----a-w- c:\windows\system32\atmfd.dll
2012-11-29 17:56:30 25248 ----a-w- c:\windows\system32\lmimirr.dll
2012-11-29 17:56:30 11552 ----a-w- c:\windows\system32\lmimirr2.dll
2012-11-29 17:56:30 10144 ----a-w- c:\windows\system32\drivers\lmimirr.sys
.
============= FINISH: 14:53:17.42 ===============

 

 



#6 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 61,441 posts
  • Gender:Female
  • Location:Romania

Posted 21 February 2013 - 04:44 PM

That looks like there is more than one rootkit present, one of them indeed the Pragma rootkit Avast detected.

Before continuing, please review the following information:

BACKDOOR WARNING
------------------------------
One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.


Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan.
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.o7.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.

regards, Elise




#7 Rickvv
  • Topic Starter
  • Members
  • 70 posts

Posted 21 February 2013 - 04:57 PM

Let's proceed, and I'll ask the owner what she would like to do.

Here is the TDSSKiller log. (only offered quarantine, not "Cure")

15:54:27.0187 0832  TDSS rootkit removing tool 2.8.16.0 Feb 11 2013 18:50:42
15:54:27.0859 0832  ============================================================
15:54:27.0859 0832  Current date / time: 2013/02/21 15:54:27.0859
15:54:27.0859 0832  SystemInfo:
15:54:27.0859 0832 
15:54:27.0859 0832  OS Version: 5.1.2600 ServicePack: 3.0
15:54:27.0859 0832  Product type: Workstation
15:54:27.0859 0832  ComputerName: HAJDUCH
15:54:27.0859 0832  UserName: Angela
15:54:27.0859 0832  Windows directory: C:\WINDOWS
15:54:27.0859 0832  System windows directory: C:\WINDOWS
15:54:27.0859 0832  Processor architecture: Intel x86
15:54:27.0859 0832  Number of processors: 2
15:54:27.0859 0832  Page size: 0x1000
15:54:27.0859 0832  Boot type: Normal boot
15:54:27.0859 0832  ============================================================
15:54:28.0827 0832  Drive \Device\Harddisk0\DR0 - Size: 0x4A85D56000 (298.09 Gb), SectorSize: 0x200, Cylinders: 0xA181, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xF0, Type 'K0', Flags 0x00000054
15:54:28.0890 0832  Drive \Device\Harddisk5\DR15 - Size: 0x7A0D1A00 (1.91 Gb), SectorSize: 0x200, Cylinders: 0xF8, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'W'
15:54:28.0890 0832  ============================================================
15:54:28.0890 0832  \Device\Harddisk0\DR0:
15:54:28.0890 0832  MBR partitions:
15:54:28.0890 0832  \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x24278211
15:54:28.0890 0832  \Device\Harddisk0\DR0\Partition2: MBR, Type 0xC, StartLBA 0x2427BD60, BlocksNum 0x11B15B0
15:54:28.0890 0832  \Device\Harddisk5\DR15:
15:54:28.0890 0832  MBR partitions:
15:54:28.0890 0832  \Device\Harddisk5\DR15\Partition1: MBR, Type 0xB, StartLBA 0x3F, BlocksNum 0x3CCAF8
15:54:28.0890 0832  ============================================================
15:54:28.0906 0832  C: <-> \Device\Harddisk0\DR0\Partition1
15:54:28.0937 0832  D: <-> \Device\Harddisk0\DR0\Partition2
15:54:28.0937 0832  ============================================================
15:54:28.0937 0832  Initialize success
15:54:28.0937 0832  ============================================================
15:54:33.0531 0556  ============================================================
15:54:33.0531 0556  Scan started
15:54:33.0531 0556  Mode: Manual; TDLFS;
15:54:33.0531 0556  ============================================================
15:54:34.0390 0556  ================ Scan system memory ========================
15:54:34.0390 0556  System memory - ok
15:54:34.0390 0556  ================ Scan services =============================
15:54:34.0531 0556  [ 149A8F7ADF9742554DC323E290551E3E ] Aavmker4        C:\WINDOWS\system32\drivers\Aavmker4.sys
15:54:34.0531 0556  Aavmker4 - ok
15:54:34.0531 0556  Abiosdsk - ok
15:54:34.0531 0556  abp480n5 - ok
15:54:34.0577 0556  [ 8FD99680A539792A30E97944FDAECF17 ] ACPI            C:\WINDOWS\system32\DRIVERS\ACPI.sys
15:54:34.0577 0556  ACPI - ok
15:54:34.0609 0556  [ 9859C0F6936E723E4892D7141B1327D5 ] ACPIEC          C:\WINDOWS\system32\drivers\ACPIEC.sys
15:54:34.0609 0556  ACPIEC - ok
15:54:34.0671 0556  [ 563CDCFEEAEF97163E206AF71A61AA6E ] AdobeFlashPlayerUpdateSvc C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
15:54:34.0671 0556  AdobeFlashPlayerUpdateSvc - ok
15:54:34.0671 0556  adpu160m - ok
15:54:34.0687 0556  [ 8BED39E3C35D6A489438B8141717A557 ] aec             C:\WINDOWS\system32\drivers\aec.sys
15:54:34.0702 0556  aec - ok
15:54:34.0718 0556  [ A7B8A3A79D35215D798A300DF49ED23F ] Afc             C:\WINDOWS\system32\drivers\Afc.sys
15:54:34.0718 0556  Afc - ok
15:54:34.0749 0556  [ 1E44BC1E83D8FD2305F8D452DB109CF9 ] AFD             C:\WINDOWS\System32\drivers\afd.sys
15:54:34.0749 0556  AFD - ok
15:54:34.0765 0556  Aha154x - ok
15:54:34.0765 0556  aic78u2 - ok
15:54:34.0765 0556  aic78xx - ok
15:54:34.0812 0556  [ A9A3DAA780CA6C9671A19D52456705B4 ] Alerter         C:\WINDOWS\system32\alrsvc.dll
15:54:34.0812 0556  Alerter - ok
15:54:34.0843 0556  [ 8C515081584A38AA007909CD02020B3D ] ALG             C:\WINDOWS\System32\alg.exe
15:54:34.0843 0556  ALG - ok
15:54:34.0843 0556  AliIde - ok
15:54:34.0874 0556  [ 59301936898AE62245A6F09C0ABA9475 ] AmdK8           C:\WINDOWS\system32\DRIVERS\AmdK8.sys
15:54:34.0874 0556  AmdK8 - ok
15:54:34.0874 0556  amsint - ok
15:54:34.0921 0556  [ 29DEB59DE57EA97553B1566F04B39D11 ] APC UPS Service C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
15:54:34.0921 0556  APC UPS Service - ok
15:54:34.0984 0556  [ 018857EAD9A077A56AEDFC0E5EF7A24A ] Apple Mobile Device C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
15:54:34.0984 0556  Apple Mobile Device - ok
15:54:35.0031 0556  [ D8849F77C0B66226335A59D26CB4EDC6 ] AppMgmt         C:\WINDOWS\System32\appmgmts.dll
15:54:35.0031 0556  AppMgmt - ok
15:54:35.0062 0556  [ 00523019E3579C8F8A94457FE25F0F24 ] aracpi          C:\WINDOWS\system32\DRIVERS\aracpi.sys
15:54:35.0062 0556  aracpi - ok
15:54:35.0093 0556  [ 9FEDAA46EB1A572AC4D9EE6B5F123CF2 ] arhidfltr       C:\WINDOWS\system32\DRIVERS\arhidfltr.sys
15:54:35.0093 0556  arhidfltr - ok
15:54:35.0124 0556  [ 82969576093CD983DD559F5A86F382B4 ] arkbcfltr       C:\WINDOWS\system32\DRIVERS\arkbcfltr.sys
15:54:35.0124 0556  arkbcfltr - ok
15:54:35.0140 0556  [ 9B21791D8A78FAECE999FADBEBDA6C22 ] armoucfltr      C:\WINDOWS\system32\DRIVERS\armoucfltr.sys
15:54:35.0140 0556  armoucfltr - ok
15:54:35.0171 0556  [ B5B8A80875C1DEDEDA8B02765642C32F ] Arp1394         C:\WINDOWS\system32\DRIVERS\arp1394.sys
15:54:35.0171 0556  Arp1394 - ok
15:54:35.0171 0556  [ 7A2DA7C7B0C524EF26A79F17A5C69FDE ] ARPolicy        C:\WINDOWS\system32\DRIVERS\arpolicy.sys
15:54:35.0171 0556  ARPolicy - ok
15:54:35.0187 0556  [ 9A0D9B2E263BEDE80FB79DDBAD240EC1 ] ARSVC           C:\WINDOWS\arservice.exe
15:54:35.0187 0556  ARSVC - ok
15:54:35.0187 0556  asc - ok
15:54:35.0202 0556  asc3350p - ok
15:54:35.0202 0556  asc3550 - ok
15:54:35.0296 0556  [ 776ACEFA0CA9DF0FAA51A5FB2F435705 ] aspnet_state    C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe
15:54:35.0296 0556  aspnet_state - ok
15:54:35.0343 0556  [ DE6ED95AEF259979B2830450072A627B ] aswFsBlk        C:\WINDOWS\system32\drivers\aswFsBlk.sys
15:54:35.0343 0556  aswFsBlk - ok
15:54:35.0343 0556  [ 84F0BE324EE111338589F448C3E8BAB2 ] aswMon2         C:\WINDOWS\system32\drivers\aswMon2.sys
15:54:35.0343 0556  aswMon2 - ok
15:54:35.0359 0556  [ 7C9F0A2AB17D52261A9252A2EB320884 ] AswRdr          C:\WINDOWS\system32\drivers\AswRdr.sys
15:54:35.0359 0556  AswRdr - ok
15:54:35.0374 0556  [ B32E9AD44A1DBB3E8095E80F8DF32B03 ] aswSnx          C:\WINDOWS\system32\drivers\aswSnx.sys
15:54:35.0374 0556  aswSnx - ok
15:54:35.0406 0556  [ 67B558895695545FB0568B7541F3BCA7 ] aswSP           C:\WINDOWS\system32\drivers\aswSP.sys
15:54:35.0406 0556  aswSP - ok
15:54:35.0421 0556  [ E3E73B2B73A4DFADFDDF557192C4B08A ] aswTdi          C:\WINDOWS\system32\drivers\aswTdi.sys
15:54:35.0421 0556  aswTdi - ok
15:54:35.0437 0556  [ B153AFFAC761E7F5FCFA822B9C4E97BC ] AsyncMac        C:\WINDOWS\system32\DRIVERS\asyncmac.sys
15:54:35.0437 0556  AsyncMac - ok
15:54:35.0452 0556  [ 9F3A2F5AA6875C72BF062C712CFA2674 ] atapi           C:\WINDOWS\system32\DRIVERS\atapi.sys
15:54:35.0452 0556  atapi - ok
15:54:35.0452 0556  Atdisk - ok
15:54:35.0499 0556  [ 5B80E84AF6B02ECAB72DAE9AFEE06309 ] atksgt          C:\WINDOWS\system32\DRIVERS\atksgt.sys
15:54:35.0499 0556  atksgt - ok
15:54:35.0531 0556  [ 9916C1225104BA14794209CFA8012159 ] Atmarpc         C:\WINDOWS\system32\DRIVERS\atmarpc.sys
15:54:35.0531 0556  Atmarpc - ok
15:54:35.0546 0556  [ DEF7A7882BEC100FE0B2CE2549188F9D ] AudioSrv        C:\WINDOWS\System32\audiosrv.dll
15:54:35.0546 0556  AudioSrv - ok
15:54:35.0577 0556  [ D9F724AA26C010A217C97606B160ED68 ] audstub         C:\WINDOWS\system32\DRIVERS\audstub.sys
15:54:35.0577 0556  audstub - ok
15:54:35.0640 0556  [ 8FA553E9AE69808D99C164733A0F9590 ] avast! Antivirus C:\Program Files\AVAST Software\Avast\AvastSvc.exe
15:54:35.0640 0556  avast! Antivirus - ok
15:54:41.0687 0556  ================ Scan global ===============================
15:54:41.0718 0556  [ 42F1F4C0AFB08410E5F02D4B13EBB623 ] C:\WINDOWS\system32\basesrv.dll
15:54:41.0734 0556  [ 8C7DCA4B158BF16894120786A7A5F366 ] C:\WINDOWS\system32\winsrv.dll
15:54:41.0749 0556  [ 8C7DCA4B158BF16894120786A7A5F366 ] C:\WINDOWS\system32\winsrv.dll
15:54:41.0765 0556  [ 65DF52F5B8B6E9BBD183505225C37315 ] C:\WINDOWS\system32\services.exe
15:54:41.0781 0556  [Global] - ok
15:54:41.0781 0556  ================ Scan MBR ==================================
15:54:41.0781 0556  [ ED18B096BC416BFB306882A7C2EBA877 ] \Device\Harddisk0\DR0
15:54:41.0952 0556  \Device\Harddisk0\DR0 ( TDSS File System ) - warning
15:54:41.0968 0556  \Device\Harddisk0\DR0 - detected TDSS File System (1)
15:54:41.0968 0556  [ 5E9AEF0915A3B50BF575ED81BFB0085F ] \Device\Harddisk5\DR15
15:54:42.0140 0556  \Device\Harddisk5\DR15 ( Rootkit.Win32.BackBoot.gen ) - warning
15:54:42.0156 0556  \Device\Harddisk5\DR15 - detected Rootkit.Win32.BackBoot.gen (1)
15:54:42.0234 0556  \Device\Harddisk5\DR15 ( TDSS File System ) - warning
15:54:42.0234 0556  \Device\Harddisk5\DR15 - detected TDSS File System (1)
15:54:42.0234 0556  ================ Scan VBR ==================================
15:54:42.0249 0556  [ 9951F0E1872463AA162DE050D4A0B91D ] \Device\Harddisk0\DR0\Partition1
15:54:42.0249 0556  \Device\Harddisk0\DR0\Partition1 - ok
15:54:42.0249 0556  [ 330DE2B1791D4EB826CB6E9E5A0FC02F ] \Device\Harddisk0\DR0\Partition2
15:54:42.0249 0556  \Device\Harddisk0\DR0\Partition2 - ok
15:54:42.0249 0556  [ 67347747B954C112A76947C7F9470762 ] \Device\Harddisk5\DR15\Partition1
15:54:42.0265 0556  \Device\Harddisk5\DR15\Partition1 - ok
15:54:42.0265 0556  ============================================================
15:54:42.0265 0556  Scan finished
15:54:42.0265 0556  ============================================================
15:54:42.0265 1892  Detected object count: 3
15:54:42.0265 1892  Actual detected object count: 3
15:54:53.0468 1892  \Device\Harddisk0\DR0 ( TDSS File System ) - skipped by user
15:54:53.0468 1892  \Device\Harddisk0\DR0 ( TDSS File System ) - User select action: Skip
15:54:53.0468 1892  \Device\Harddisk5\DR15 ( Rootkit.Win32.BackBoot.gen ) - skipped by user
15:54:53.0468 1892  \Device\Harddisk5\DR15 ( Rootkit.Win32.BackBoot.gen ) - User select action: Skip
15:54:53.0468 1892  \Device\Harddisk5\DR15 ( TDSS File System ) - skipped by user
15:54:53.0468 1892  \Device\Harddisk5\DR15 ( TDSS File System ) - User select action: Skip
15:55:01.0421 2996  ============================================================
15:55:01.0421 2996  Scan started
15:55:01.0421 2996  Mode: Manual;
15:55:01.0421 2996  ============================================================
15:55:01.0749 2996  ================ Scan system memory ========================
15:55:01.0749 2996  System memory - ok
15:55:01.0749 2996  ================ Scan services =============================
15:55:03.0687 2996  dmadmin - ok
15:55:03.0765 2996  [ D992FE1274BDE0F84AD826ACAE022A41 ] dmboot          C:\WINDOWS\system32\drivers\dmboot.sys
15:55:03.0765 2996  dmboot - ok
15:55:03.0796 2996  [ 7C824CF7BBDE77D95C08005717A95F6F ] dmio            C:\WINDOWS\system32\drivers\dmio.sys
15:55:03.0796 2996  dmio - ok
15:55:03.0812 2996  [ E9317282A63CA4D188C0DF5E09C6AC5F ] dmload          C:\WINDOWS\system32\drivers\dmload.sys
15:55:03.0812 2996  dmload - ok
15:55:03.0843 2996  [ 57EDEC2E5F59F0335E92F35184BC8631 ] dmserver        C:\WINDOWS\System32\dmserver.dll
15:55:03.0843 2996  dmserver - ok
15:55:03.0859 2996  [ 8A208DFCF89792A484E76C40E5F50B45 ] DMusic          C:\WINDOWS\system32\drivers\DMusic.sys
15:55:03.0859 2996  DMusic - ok
15:55:03.0890 2996  [ 5F7E24FA9EAB896051FFB87F840730D2 ] Dnscache        C:\WINDOWS\System32\dnsrslvr.dll
15:55:03.0890 2996  Dnscache - ok
15:55:03.0921 2996  [ 0F0F6E687E5E15579EF4DA8DD6945814 ] Dot3svc         C:\WINDOWS\System32\dot3svc.dll
15:55:03.0921 2996  Dot3svc - ok
15:55:03.0921 2996  dpti2o - ok
15:55:03.0952 2996  [ 8F5FCFF8E8848AFAC920905FBD9D33C8 ] drmkaud         C:\WINDOWS\system32\drivers\drmkaud.sys
15:55:03.0952 2996  drmkaud - ok
15:55:03.0968 2996  [ F35B5D0CC142B87E687FC504BAA69D82 ] dsiarhwprog     C:\WINDOWS\system32\Drivers\dsiarhwprog.sys
15:55:03.0968 2996  dsiarhwprog - ok
15:55:03.0999 2996  [ 2187855A7703ADEF0CEF9EE4285182CC ] EapHost         C:\WINDOWS\System32\eapsvc.dll
15:55:03.0999 2996  EapHost - ok
15:55:04.0031 2996  [ BC93B4A066477954555966D77FEC9ECB ] ERSvc           C:\WINDOWS\System32\ersvc.dll
15:55:04.0031 2996  ERSvc - ok
15:55:04.0062 2996  [ 65DF52F5B8B6E9BBD183505225C37315 ] Eventlog        C:\WINDOWS\system32\services.exe
15:55:04.0077 2996  Eventlog - ok
15:55:04.0093 2996  [ D4991D98F2DB73C60D042F1AEF79EFAE ] EventSystem     C:\WINDOWS\system32\es.dll
15:55:04.0093 2996  EventSystem - ok
15:55:04.0109 2996  [ 38D332A6D56AF32635675F132548343E ] Fastfat         C:\WINDOWS\system32\drivers\Fastfat.sys
15:55:04.0124 2996  Fastfat - ok
15:55:04.0156 2996  [ 99BC0B50F511924348BE19C7C7313BBF ] FastUserSwitchingCompatibility C:\WINDOWS\System32\shsvcs.dll
15:55:04.0156 2996  FastUserSwitchingCompatibility - ok
15:55:04.0202 2996  [ E97D6A8684466DF94FF3BC24FB787A07 ] Fax             C:\WINDOWS\system32\fxssvc.exe
15:55:04.0218 2996  Fax - ok
15:55:04.0234 2996  [ 92CDD60B6730B9F50F6A1A0C1F8CDC81 ] Fdc             C:\WINDOWS\system32\drivers\Fdc.sys
15:55:04.0234 2996  Fdc - ok
15:55:04.0265 2996  [ D45926117EB9FA946A6AF572FBE1CAA3 ] Fips            C:\WINDOWS\system32\drivers\Fips.sys
15:55:04.0265 2996  Fips - ok
15:55:04.0265 2996  [ 9D27E7B80BFCDF1CDD9B555862D5E7F0 ] Flpydisk        C:\WINDOWS\system32\drivers\Flpydisk.sys
15:55:04.0281 2996  Flpydisk - ok
15:55:04.0312 2996  [ B2CF4B0786F8212CB92ED2B50C6DB6B0 ] FltMgr          C:\WINDOWS\system32\drivers\fltmgr.sys
15:55:04.0312 2996  FltMgr - ok
15:55:04.0421 2996  [ 8BA7C024070F2B7FDD98ED8A4BA41789 ] FontCache3.0.0.0 c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
15:55:04.0421 2996  FontCache3.0.0.0 - ok
15:55:04.0452 2996  [ 3E1E2BD4F39B0E2B7DC4F4D2BCC2779A ] Fs_Rec          C:\WINDOWS\system32\drivers\Fs_Rec.sys
15:55:04.0452 2996  Fs_Rec - ok
15:55:04.0468 2996  [ 6AC26732762483366C3969C9E4D2259D ] Ftdisk          C:\WINDOWS\system32\DRIVERS\ftdisk.sys
15:55:04.0468 2996  Ftdisk - ok
15:55:04.0484 2996  [ 22399D3CE5840C6082844679CCA5D2FC ] ftsata2         C:\WINDOWS\system32\DRIVERS\ftsata2.sys
15:55:04.0484 2996  ftsata2 - ok
15:55:04.0515 2996  [ 8182FF89C65E4D38B2DE4BB0FB18564E ] GEARAspiWDM     C:\WINDOWS\system32\Drivers\GEARAspiWDM.sys
15:55:04.0515 2996  GEARAspiWDM - ok
15:55:04.0546 2996  [ 0A02C63C8B144BD8C86B103DEE7C86A2 ] Gpc             C:\WINDOWS\system32\DRIVERS\msgpc.sys
15:55:04.0546 2996  Gpc - ok
15:55:04.0609 2996  [ 506708142BC63DABA64F2D3AD1DCD5BF ] gupdate         C:\Program Files\Google\Update\GoogleUpdate.exe
15:55:04.0609 2996  gupdate - ok
15:55:04.0624 2996  [ 506708142BC63DABA64F2D3AD1DCD5BF ] gupdatem        C:\Program Files\Google\Update\GoogleUpdate.exe
15:55:04.0624 2996  gupdatem - ok
15:55:04.0671 2996  [ 5D4BC124FAAE6730AC002CDB67BF1A1C ] gusvc           C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
15:55:04.0671 2996  gusvc - ok
15:55:04.0718 2996  [ 833051C6C6C42117191935F734CFBD97 ] hamachi         C:\WINDOWS\system32\DRIVERS\hamachi.sys
15:55:04.0718 2996  hamachi - ok
15:55:04.0781 2996  [ 616399E27A55C97AE859230EB13984D8 ] Hamachi2Svc     C:\Program Files\LogMeIn Hamachi\hamachi-2.exe
15:55:04.0781 2996  Hamachi2Svc - ok
15:55:04.0812 2996  [ 55E4DA7C8CBBA1F2D71720FCA7A5C086 ] hcwPP2          C:\WINDOWS\system32\DRIVERS\hcwPP2.sys
15:55:04.0812 2996  hcwPP2 - ok
15:55:04.0827 2996  [ 573C7D0A32852B48F3058CFD8026F511 ] HDAudBus        C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
15:55:04.0827 2996  HDAudBus - ok
15:55:04.0874 2996  [ 4FCCA060DFE0C51A09DD5C3843888BCD ] helpsvc         C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll
15:55:04.0874 2996  helpsvc - ok
15:55:04.0890 2996  [ 748031FF4FE45CCC47546294905FEAB8 ] HidBatt         C:\WINDOWS\system32\DRIVERS\HidBatt.sys
15:55:04.0890 2996  HidBatt - ok
15:55:04.0906 2996  [ DEB04DA35CC871B6D309B77E1443C796 ] HidServ         C:\WINDOWS\System32\hidserv.dll
15:55:04.0906 2996  HidServ - ok
15:55:04.0937 2996  [ CCF82C5EC8A7326C3066DE870C06DAF1 ] HidUsb          C:\WINDOWS\system32\DRIVERS\hidusb.sys
15:55:04.0937 2996  HidUsb - ok
15:55:04.0999 2996  [ 8878BD685E490239777BFE51320B88E9 ] hkmsvc          C:\WINDOWS\System32\kmsvc.dll
15:55:04.0999 2996  hkmsvc - ok
15:55:04.0999 2996  hpn - ok
15:55:05.0046 2996  [ 30CA91E657CEDE2F95359D6EF186F650 ] HPZid412        C:\WINDOWS\system32\DRIVERS\HPZid412.sys
15:55:05.0046 2996  HPZid412 - ok
15:55:05.0077 2996  [ EFD31AFA752AA7C7BBB57BCBE2B01C78 ] HPZipr12        C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
15:55:05.0077 2996  HPZipr12 - ok
15:55:05.0093 2996  [ 7AC43C38CA8FD7ED0B0A4466F753E06E ] HPZius12        C:\WINDOWS\system32\DRIVERS\HPZius12.sys
15:55:05.0093 2996  HPZius12 - ok
15:55:05.0124 2996  [ 1F5C64B0C6B2E2F48735A77AE714CCB8 ] HSXHWBS2        C:\WINDOWS\system32\DRIVERS\HSXHWBS2.sys
15:55:05.0124 2996  HSXHWBS2 - ok
15:55:05.0156 2996  [ A7F8C9228898A1E871D2AE7082F50AC3 ] HSX_DP          C:\WINDOWS\system32\DRIVERS\HSX_DP.sys
15:55:05.0156 2996  HSX_DP - ok
15:55:05.0187 2996  [ F80A415EF82CD06FFAF0D971528EAD38 ] HTTP            C:\WINDOWS\system32\Drivers\HTTP.sys
15:55:05.0187 2996  HTTP - ok
15:55:05.0218 2996  [ 6100A808600F44D999CEBDEF8841C7A3 ] HTTPFilter      C:\WINDOWS\System32\w3ssl.dll
15:55:05.0234 2996  HTTPFilter - ok
15:55:05.0234 2996  i2omgmt - ok
15:55:05.0249 2996  i2omp - ok
15:55:05.0281 2996  [ 4A0B06AA8943C1E332520F7440C0AA30 ] i8042prt        C:\WINDOWS\system32\DRIVERS\i8042prt.sys
15:55:05.0281 2996  i8042prt - ok
15:55:05.0437 2996  [ 6F95324909B502E2651442C1548AB12F ] IDriverT        C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
15:55:05.0437 2996  IDriverT - ok
15:55:05.0577 2996  [ C01AC32DC5C03076CFB852CB5DA5229C ] idsvc           c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
15:55:05.0577 2996  idsvc - ok
15:55:05.0624 2996  [ 083A052659F5310DD8B6A6CB05EDCF8E ] Imapi           C:\WINDOWS\system32\DRIVERS\imapi.sys
15:55:05.0624 2996  Imapi - ok
15:55:05.0656 2996  [ 30DEAF54A9755BB8546168CFE8A6B5E1 ] ImapiService    C:\WINDOWS\system32\imapi.exe
15:55:05.0656 2996  ImapiService - ok
15:55:05.0671 2996  ini910u - ok
15:55:05.0765 2996  [ AB2FE0FAA519880BD16E4A0792D633D2 ] IntcAzAudAddService C:\WINDOWS\system32\drivers\RtkHDAud.sys
15:55:05.0796 2996  IntcAzAudAddService - ok
15:55:05.0843 2996  [ B5466A9250342A7AA0CD1FBA13420678 ] IntelIde        C:\WINDOWS\system32\DRIVERS\intelide.sys
15:55:05.0843 2996  IntelIde - ok
15:55:05.0874 2996  [ 8C953733D8F36EB2133F5BB58808B66B ] intelppm        C:\WINDOWS\system32\DRIVERS\intelppm.sys
15:55:05.0874 2996  intelppm - ok
15:55:05.0890 2996  [ 3BB22519A194418D5FEC05D800A19AD0 ] Ip6Fw           C:\WINDOWS\system32\drivers\ip6fw.sys
15:55:05.0890 2996  Ip6Fw - ok
15:55:05.0937 2996  [ 731F22BA402EE4B62748ADAF6363C182 ] IpFilterDriver  C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
15:55:05.0937 2996  IpFilterDriver - ok
15:55:05.0968 2996  [ B87AB476DCF76E72010632B5550955F5 ] IpInIp          C:\WINDOWS\system32\DRIVERS\ipinip.sys
15:55:05.0968 2996  IpInIp - ok
15:55:05.0984 2996  [ CC748EA12C6EFFDE940EE98098BF96BB ] IpNat           C:\WINDOWS\system32\DRIVERS\ipnat.sys
15:55:05.0984 2996  IpNat - ok
15:55:06.0031 2996  [ 6351B24DC3CB7DFFDE917D1276EE166C ] iPod Service    C:\Program Files\iPod\bin\iPodService.exe
15:55:06.0031 2996  iPod Service - ok
15:55:06.0046 2996  [ 23C74D75E36E7158768DD63D92789A91 ] IPSec           C:\WINDOWS\system32\DRIVERS\ipsec.sys
15:55:06.0046 2996  IPSec - ok
15:55:06.0077 2996  [ C93C9FF7B04D772627A3646D89F7BF89 ] IRENUM          C:\WINDOWS\system32\DRIVERS\irenum.sys
15:55:06.0077 2996  IRENUM - ok
15:55:06.0109 2996  [ 05A299EC56E52649B1CF2FC52D20F2D7 ] isapnp          C:\WINDOWS\system32\DRIVERS\isapnp.sys
15:55:06.0109 2996  isapnp - ok
15:55:06.0109 2996  [ 463C1EC80CD17420A542B7F36A36F128 ] Kbdclass        C:\WINDOWS\system32\DRIVERS\kbdclass.sys
15:55:06.0124 2996  Kbdclass - ok
15:55:06.0124 2996  [ 9EF487A186DEA361AA06913A75B3FA99 ] kbdhid          C:\WINDOWS\system32\DRIVERS\kbdhid.sys
15:55:06.0124 2996  kbdhid - ok
15:55:06.0140 2996  [ 692BCF44383D056AED41B045A323D378 ] kmixer          C:\WINDOWS\system32\drivers\kmixer.sys
15:55:06.0140 2996  kmixer - ok
15:55:06.0171 2996  [ B467646C54CC746128904E1654C750C1 ] KSecDD          C:\WINDOWS\system32\drivers\KSecDD.sys
15:55:06.0171 2996  KSecDD - ok
15:55:06.0187 2996  [ 3A7C3CBE5D96B8AE96CE81F0B22FB527 ] lanmanserver    C:\WINDOWS\System32\srvsvc.dll
15:55:06.0202 2996  lanmanserver - ok
15:55:06.0234 2996  [ A8888A5327621856C0CEC4E385F69309 ] lanmanworkstation C:\WINDOWS\System32\wkssvc.dll
15:55:06.0249 2996  lanmanworkstation - ok
15:55:06.0249 2996  lbrtfdc - ok
15:55:06.0296 2996  [ 4C52DC5C6481D13275653CCEB59BF53A ] LightScribeService C:\Program Files\Common Files\LightScribe\LSSrvc.exe
15:55:06.0296 2996  LightScribeService - ok
15:55:06.0327 2996  [ 975B6CF65F44E95883F3855BAE8CECAF ] lirsgt          C:\WINDOWS\system32\DRIVERS\lirsgt.sys
15:55:06.0327 2996  lirsgt - ok
15:55:06.0343 2996  [ A7DB739AE99A796D91580147E919CC59 ] LmHosts         C:\WINDOWS\System32\lmhsvc.dll
15:55:06.0359 2996  LmHosts - ok
15:55:06.0452 2996  [ BFD4CE736798DB8229E30D543CFC9B73 ] LMIGuardianSvc  C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
15:55:06.0468 2996  LMIGuardianSvc - ok
15:55:06.0499 2996  [ 4F69FAAABB7DB0D43E327C0B6AAB40FC ] LMIInfo         C:\Program Files\LogMeIn\x86\RaInfo.sys
15:55:06.0499 2996  LMIInfo - ok
15:55:06.0531 2996  [ CDC85188F76BA17B4181419450E77DE5 ] LMIMaint        C:\Program Files\LogMeIn\x86\RaMaint.exe
15:55:06.0531 2996  LMIMaint - ok
15:55:06.0562 2996  [ 4477689E2D8AE6B78BA34C9AF4CC1ED1 ] lmimirr         C:\WINDOWS\system32\DRIVERS\lmimirr.sys
15:55:06.0562 2996  lmimirr - ok
15:55:06.0562 2996  LMIRfsClientNP - ok
15:55:06.0577 2996  [ 3FAA563DDF853320F90259D455A01D79 ] LMIRfsDriver    C:\WINDOWS\system32\drivers\LMIRfsDriver.sys
15:55:06.0577 2996  LMIRfsDriver - ok
15:55:06.0640 2996  [ 432618FA75B61059D2C57D6A7E55147A ] LogMeIn         C:\Program Files\LogMeIn\x86\LogMeIn.exe
15:55:06.0640 2996  LogMeIn - ok
15:55:06.0671 2996  [ A2AE666CEE860BABE7FA6F1662B71737 ] MASPINT         C:\WINDOWS\system32\drivers\MASPINT.sys
15:55:06.0671 2996  MASPINT - ok
15:55:06.0687 2996  [ 629CABB0421668C9D3D402A3C3D77E14 ] MBAMProtector   C:\WINDOWS\system32\drivers\mbam.sys
15:55:06.0687 2996  MBAMProtector - ok
15:55:06.0718 2996  [ 1ACAA67676E9E7BDA5E0C41B6E0DECAF ] MBAMScheduler   C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
15:55:06.0718 2996  MBAMScheduler - ok
15:55:06.0749 2996  [ 916B8954AC3E06DC9E898AFFB41F3FB6 ] MBAMService     C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
15:55:06.0749 2996  MBAMService - ok
15:55:06.0796 2996  [ DF0A511F38F16016BF658FCA0090CB87 ] McrdSvc         C:\WINDOWS\ehome\mcrdsvc.exe
15:55:06.0812 2996  McrdSvc - ok
15:55:06.0812 2996  [ E246A32C445056996074A397DA56E815 ] mdmxsdk         C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
15:55:06.0812 2996  mdmxsdk - ok
15:55:06.0843 2996  [ 986B1FF5814366D71E0AC5755C88F2D3 ] Messenger       C:\WINDOWS\System32\msgsvc.dll
15:55:06.0843 2996  Messenger - ok
15:55:06.0890 2996  [ B7521F69C0A9B29D356157229376FB21 ] MHN             C:\WINDOWS\System32\mhn.dll
15:55:06.0890 2996  MHN - ok
15:55:06.0952 2996  [ 7F2F1D2815A6449D346FCCCBC569FBD6 ] MHNDRV          C:\WINDOWS\system32\DRIVERS\mhndrv.sys
15:55:06.0952 2996  MHNDRV - ok
15:55:06.0968 2996  [ 4AE068242760A1FB6E1A44BF4E16AFA6 ] mnmdd           C:\WINDOWS\system32\drivers\mnmdd.sys
15:55:06.0968 2996  mnmdd - ok
15:55:07.0015 2996  [ D18F1F0C101D06A1C1ADF26EED16FCDD ] mnmsrvc         C:\WINDOWS\system32\mnmsrvc.exe
15:55:07.0015 2996  mnmsrvc - ok
15:55:07.0046 2996  [ DFCBAD3CEC1C5F964962AE10E0BCC8E1 ] Modem           C:\WINDOWS\system32\drivers\Modem.sys
15:55:07.0046 2996  Modem - ok
15:55:07.0062 2996  [ 35C9E97194C8CFB8430125F8DBC34D04 ] Mouclass        C:\WINDOWS\system32\DRIVERS\mouclass.sys
15:55:07.0062 2996  Mouclass - ok
15:55:07.0109 2996  [ B1C303E17FB9D46E87A98E4BA6769685 ] mouhid          C:\WINDOWS\system32\DRIVERS\mouhid.sys
15:55:07.0109 2996  mouhid - ok
15:55:07.0140 2996  [ A80B9A0BAD1B73637DBCBBA7DF72D3FD ] MountMgr        C:\WINDOWS\system32\drivers\MountMgr.sys
15:55:07.0140 2996  MountMgr - ok
15:55:07.0140 2996  mraid35x - ok
15:55:07.0156 2996  [ 11D42BB6206F33FBB3BA0288D3EF81BD ] MRxDAV          C:\WINDOWS\system32\DRIVERS\mrxdav.sys
15:55:07.0156 2996  MRxDAV - ok
15:55:07.0202 2996  [ 7D304A5EB4344EBEEAB53A2FE3FFB9F0 ] MRxSmb          C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
15:55:07.0202 2996  MRxSmb - ok
15:55:07.0234 2996  msav - ok
15:55:07.0234 2996  [ C941EA2454BA8350021D774DAF0F1027 ] Msfs            C:\WINDOWS\system32\drivers\Msfs.sys
15:55:07.0234 2996  Msfs - ok
15:55:07.0249 2996  MSIServer - ok
15:55:07.0281 2996  [ D1575E71568F4D9E14CA56B7B0453BF1 ] MSKSSRV         C:\WINDOWS\system32\drivers\MSKSSRV.sys
15:55:07.0281 2996  MSKSSRV - ok
15:55:07.0312 2996  [ 325BB26842FC7CCC1FCCE2C457317F3E ] MSPCLOCK        C:\WINDOWS\system32\drivers\MSPCLOCK.sys
15:55:07.0312 2996  MSPCLOCK - ok
15:55:07.0343 2996  [ BAD59648BA099DA4A17680B39730CB3D ] MSPQM           C:\WINDOWS\system32\drivers\MSPQM.sys
15:55:07.0343 2996  MSPQM - ok
15:55:07.0374 2996  [ AF5F4F3F14A8EA2C26DE30F7A1E17136 ] mssmbios        C:\WINDOWS\system32\DRIVERS\mssmbios.sys
15:55:07.0390 2996  mssmbios - ok
15:55:07.0390 2996  [ E53736A9E30C45FA9E7B5EAC55056D1D ] MSTEE           C:\WINDOWS\system32\drivers\MSTEE.sys
15:55:07.0390 2996  MSTEE - ok
15:55:07.0406 2996  [ DE6A75F5C270E756C5508D94B6CF68F5 ] Mup             C:\WINDOWS\system32\drivers\Mup.sys
15:55:07.0421 2996  Mup - ok
15:55:07.0452 2996  [ 5B50F1B2A2ED47D560577B221DA734DB ] NABTSFEC        C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
15:55:07.0452 2996  NABTSFEC - ok
15:55:07.0499 2996  [ 0102140028FAD045756796E1C685D695 ] napagent        C:\WINDOWS\System32\qagentrt.dll
15:55:07.0515 2996  napagent - ok
15:55:07.0562 2996  NAVENG - ok
15:55:07.0577 2996  NAVEX15 - ok
15:55:07.0609 2996  [ 1DF7F42665C94B825322FAE71721130D ] NDIS            C:\WINDOWS\system32\drivers\NDIS.sys
15:55:07.0609 2996  NDIS - ok
15:55:07.0640 2996  [ 7FF1F1FD8609C149AA432F95A8163D97 ] NdisIP          C:\WINDOWS\system32\DRIVERS\NdisIP.sys
15:55:07.0640 2996  NdisIP - ok
15:55:07.0671 2996  [ 0109C4F3850DFBAB279542515386AE22 ] NdisTapi        C:\WINDOWS\system32\DRIVERS\ndistapi.sys
15:55:07.0671 2996  NdisTapi - ok
15:55:07.0702 2996  [ F927A4434C5028758A842943EF1A3849 ] Ndisuio         C:\WINDOWS\system32\DRIVERS\ndisuio.sys
15:55:07.0702 2996  Ndisuio - ok
15:55:07.0702 2996  [ EDC1531A49C80614B2CFDA43CA8659AB ] NdisWan         C:\WINDOWS\system32\DRIVERS\ndiswan.sys
15:55:07.0702 2996  NdisWan - ok
15:55:07.0734 2996  [ 9282BD12DFB069D3889EB3FCC1000A9B ] NDProxy         C:\WINDOWS\system32\drivers\NDProxy.sys
15:55:07.0749 2996  NDProxy - ok
15:55:07.0749 2996  [ 5D81CF9A2F1A3A756B66CF684911CDF0 ] NetBIOS         C:\WINDOWS\system32\DRIVERS\netbios.sys
15:55:07.0765 2996  NetBIOS - ok
15:55:07.0796 2996  [ 74B2B2F5BEA5E9A3DC021D685551BD3D ] NetBT           C:\WINDOWS\system32\DRIVERS\netbt.sys
15:55:07.0796 2996  NetBT - ok
15:55:07.0859 2996  [ B857BA82860D7FF85AE29B095645563B ] NetDDE          C:\WINDOWS\system32\netdde.exe
15:55:07.0874 2996  NetDDE - ok
15:55:07.0874 2996  [ B857BA82860D7FF85AE29B095645563B ] NetDDEdsdm      C:\WINDOWS\system32\netdde.exe
15:55:07.0874 2996  NetDDEdsdm - ok
15:55:07.0921 2996  [ BF2466B3E18E970D8A976FB95FC1CA85 ] Netlogon        C:\WINDOWS\system32\lsass.exe
15:55:07.0937 2996  Netlogon - ok
15:55:07.0952 2996  [ 13E67B55B3ABD7BF3FE7AAE5A0F9A9DE ] Netman          C:\WINDOWS\System32\netman.dll
15:55:07.0952 2996  Netman - ok
15:55:07.0984 2996  [ D22CD77D4F0D63D1169BB35911BFF12D ] NetTcpPortSharing c:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe
15:55:07.0984 2996  NetTcpPortSharing - ok
15:55:08.0015 2996  [ E9E47CFB2D461FA0FC75B7A74C6383EA ] NIC1394         C:\WINDOWS\system32\DRIVERS\nic1394.sys
15:55:08.0015 2996  NIC1394 - ok
15:55:08.0046 2996  [ 943337D786A56729263071623BBB9DE5 ] Nla             C:\WINDOWS\System32\mswsock.dll
15:55:08.0046 2996  Nla - ok
15:55:08.0062 2996  [ 3182D64AE053D6FB034F44B6DEF8034A ] Npfs            C:\WINDOWS\system32\drivers\Npfs.sys
15:55:08.0062 2996  Npfs - ok
15:55:08.0093 2996  [ 78A08DD6A8D65E697C18E1DB01C5CDCA ] Ntfs            C:\WINDOWS\system32\drivers\Ntfs.sys
15:55:08.0109 2996  Ntfs - ok
15:55:08.0124 2996  [ BF2466B3E18E970D8A976FB95FC1CA85 ] NtLmSsp         C:\WINDOWS\system32\lsass.exe
15:55:08.0124 2996  NtLmSsp - ok
15:55:08.0187 2996  [ 156F64A3345BD23C600655FB4D10BC08 ] NtmsSvc         C:\WINDOWS\system32\ntmssvc.dll
15:55:08.0202 2996  NtmsSvc - ok
15:55:08.0249 2996  [ 73C1E1F395918BC2C6DD67AF7591A3AD ] Null            C:\WINDOWS\system32\drivers\Null.sys
15:55:08.0249 2996  Null - ok
15:55:08.0343 2996  [ 642A87877F83313EB5302749CD479024 ] nv              C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
15:55:08.0359 2996  nv - ok
15:55:08.0390 2996  [ 22EEDB34C4D7613A25B10C347C6C4C21 ] NVENETFD        C:\WINDOWS\system32\DRIVERS\NVENETFD.sys
15:55:08.0390 2996  NVENETFD - ok
15:55:08.0406 2996  [ 5E3F6AD5CAD0F12D3CCCD06FD964087A ] nvnetbus        C:\WINDOWS\system32\DRIVERS\nvnetbus.sys
15:55:08.0406 2996  nvnetbus - ok
15:55:08.0437 2996  [ B0903C021BFCD6055C053A569EF98AEF ] NVSvc           C:\WINDOWS\system32\nvsvc32.exe
15:55:08.0437 2996  NVSvc - ok
15:55:08.0468 2996  [ B305F3FAD35083837EF46A0BBCE2FC57 ] NwlnkFlt        C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
15:55:08.0468 2996  NwlnkFlt - ok
15:55:08.0468 2996  [ C99B3415198D1AAB7227F2C88FD664B9 ] NwlnkFwd        C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
15:55:08.0468 2996  NwlnkFwd - ok
15:55:08.0546 2996  [ 785F487A64950F3CB8E9F16253BA3B7B ] odserv          C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE
15:55:08.0546 2996  odserv - ok
15:55:08.0577 2996  [ CA33832DF41AFB202EE7AEB05145922F ] ohci1394        C:\WINDOWS\system32\DRIVERS\ohci1394.sys
15:55:08.0577 2996  ohci1394 - ok
15:55:08.0624 2996  [ B90ED00CA338EC1943CF167605AD8746 ] OlyUsbCam       C:\WINDOWS\system32\DRIVERS\OlyUsbCam.sys
15:55:08.0624 2996  OlyUsbCam - ok
15:55:08.0671 2996  [ 5A432A042DAE460ABE7199B758E8606C ] ose             C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
15:55:08.0671 2996  ose - ok
15:55:08.0734 2996  [ 5575FAF8F97CE5E713D108C2A58D7C7C ] Parport         C:\WINDOWS\system32\DRIVERS\parport.sys
15:55:08.0734 2996  Parport - ok
15:55:08.0749 2996  [ BEB3BA25197665D82EC7065B724171C6 ] PartMgr         C:\WINDOWS\system32\drivers\PartMgr.sys
15:55:08.0749 2996  PartMgr - ok
15:55:08.0781 2996  [ 70E98B3FD8E963A6A46A2E6247E0BEA1 ] ParVdm          C:\WINDOWS\system32\drivers\ParVdm.sys
15:55:08.0781 2996  ParVdm - ok
15:55:08.0796 2996  [ A219903CCF74233761D92BEF471A07B1 ] PCI             C:\WINDOWS\system32\DRIVERS\pci.sys
15:55:08.0796 2996  PCI - ok
15:55:08.0812 2996  PCIDump - ok
15:55:08.0812 2996  [ CCF5F451BB1A5A2A522A76E670000FF0 ] PCIIde          C:\WINDOWS\system32\DRIVERS\pciide.sys
15:55:08.0827 2996  PCIIde - ok
15:55:08.0843 2996  [ 9E89EF60E9EE05E3F2EEF2DA7397F1C1 ] Pcmcia          C:\WINDOWS\system32\drivers\Pcmcia.sys
15:55:08.0843 2996  Pcmcia - ok
15:55:08.0843 2996  PDCOMP - ok
15:55:08.0859 2996  PDFRAME - ok
15:55:08.0859 2996  PDRELI - ok
15:55:08.0859 2996  PDRFRAME - ok
15:55:08.0874 2996  perc2 - ok
15:55:08.0874 2996  perc2hib - ok
15:55:08.0906 2996  [ 65DF52F5B8B6E9BBD183505225C37315 ] PlugPlay        C:\WINDOWS\system32\services.exe
15:55:08.0906 2996  PlugPlay - ok
15:55:08.0921 2996  [ 45E333C6B7197ED61C70736472F3703B ] Pml Driver HPZ12 C:\WINDOWS\system32\HPZipm12.exe
15:55:08.0937 2996  Pml Driver HPZ12 - ok
15:55:08.0937 2996  [ BF2466B3E18E970D8A976FB95FC1CA85 ] PolicyAgent     C:\WINDOWS\system32\lsass.exe
15:55:08.0952 2996  PolicyAgent - ok
15:55:08.0984 2996  [ EFEEC01B1D3CF84F16DDD24D9D9D8F99 ] PptpMiniport    C:\WINDOWS\system32\DRIVERS\raspptp.sys
15:55:08.0984 2996  PptpMiniport - ok
15:55:08.0984 2996  ================ Scan global ===============================
15:55:09.0015 2996  [ 42F1F4C0AFB08410E5F02D4B13EBB623 ] C:\WINDOWS\system32\basesrv.dll
15:55:09.0031 2996  [ 8C7DCA4B158BF16894120786A7A5F366 ] C:\WINDOWS\system32\winsrv.dll
15:55:09.0046 2996  [ 8C7DCA4B158BF16894120786A7A5F366 ] C:\WINDOWS\system32\winsrv.dll
15:55:09.0062 2996  [ 65DF52F5B8B6E9BBD183505225C37315 ] C:\WINDOWS\system32\services.exe
15:55:09.0062 2996  [Global] - ok
15:55:09.0062 2996  ================ Scan MBR ==================================
15:55:09.0077 2996  [ ED18B096BC416BFB306882A7C2EBA877 ] \Device\Harddisk0\DR0
15:55:09.0234 2996  \Device\Harddisk0\DR0 - ok
15:55:09.0249 2996  [ 5E9AEF0915A3B50BF575ED81BFB0085F ] \Device\Harddisk5\DR15
15:55:09.0421 2996  \Device\Harddisk5\DR15 ( Rootkit.Win32.BackBoot.gen ) - warning
15:55:09.0421 2996  \Device\Harddisk5\DR15 - detected Rootkit.Win32.BackBoot.gen (1)
15:55:09.0421 2996  ================ Scan VBR ==================================
15:55:09.0437 2996  [ 9951F0E1872463AA162DE050D4A0B91D ] \Device\Harddisk0\DR0\Partition1
15:55:09.0437 2996  \Device\Harddisk0\DR0\Partition1 - ok
15:55:09.0437 2996  [ 330DE2B1791D4EB826CB6E9E5A0FC02F ] \Device\Harddisk0\DR0\Partition2
15:55:09.0437 2996  \Device\Harddisk0\DR0\Partition2 - ok
15:55:09.0437 2996  [ 67347747B954C112A76947C7F9470762 ] \Device\Harddisk5\DR15\Partition1
15:55:09.0437 2996  \Device\Harddisk5\DR15\Partition1 - ok
15:55:09.0437 2996  ============================================================
15:55:09.0437 2996  Scan finished
15:55:09.0437 2996  ============================================================
15:55:09.0452 1600  Detected object count: 1
15:55:09.0452 1600  Actual detected object count: 1
15:55:19.0843 1600  \Device\Harddisk5\DR15\# - copied to quarantine
15:55:19.0843 1600  \Device\Harddisk5\DR15 - copied to quarantine
15:55:19.0843 1600  \Device\Harddisk5\DR15 ( Rootkit.Win32.BackBoot.gen ) - User select action: Quarantine
15:55:22.0562 1968  Deinitialize success
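A small triage script for the TDSSKiller log format posted above, added here as an example (it is not from the thread, from BleepingComputer or from the tool's vendor): it pulls out each object the scan flagged, the MD5 the log recorded for it, and whether the user-selected action was actually applied, so a helper reading the log can see at a glance which findings are still open. The line patterns are inferred from the visible log lines (an assumption about the format), and the sample input is an excerpt of the log above.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Excerpt of the TDSSKiller log posted above (real lines from the thread,
# trimmed to the MBR scan and the quarantine step that follows it).
SAMPLE_LOG = r"""
15:55:08.0984 2996  [ EFEEC01B1D3CF84F16DDD24D9D9D8F99 ] PptpMiniport    C:\WINDOWS\system32\DRIVERS\raspptp.sys
15:55:08.0984 2996  PptpMiniport - ok
15:55:09.0077 2996  [ ED18B096BC416BFB306882A7C2EBA877 ] \Device\Harddisk0\DR0
15:55:09.0234 2996  \Device\Harddisk0\DR0 - ok
15:55:09.0249 2996  [ 5E9AEF0915A3B50BF575ED81BFB0085F ] \Device\Harddisk5\DR15
15:55:09.0421 2996  \Device\Harddisk5\DR15 ( Rootkit.Win32.BackBoot.gen ) - warning
15:55:09.0421 2996  \Device\Harddisk5\DR15 - detected Rootkit.Win32.BackBoot.gen (1)
15:55:09.0452 1600  Detected object count: 1
15:55:19.0843 1600  \Device\Harddisk5\DR15\# - copied to quarantine
15:55:19.0843 1600  \Device\Harddisk5\DR15 - copied to quarantine
15:55:19.0843 1600  \Device\Harddisk5\DR15 ( Rootkit.Win32.BackBoot.gen ) - User select action: Quarantine
"""

# Line shapes inferred from the posted log (assumption: the engine keeps them).
LINE_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}\.\d+)\s+(\d+)\s+(.*)$")
HASH_RE = re.compile(r"^\[ ([0-9A-Fa-f]{32}) \] (.+)$")     # [ MD5 ] name path
NAME_PATH_RE = re.compile(r"^(.+?)\s+([A-Za-z]:\\.*)$")    # name  C:\path
WARN_RE = re.compile(r"^(.+?) \( (.+?) \) - warning$")
DETECT_RE = re.compile(r"^(.+?) - detected (\S+) \((\d+)\)$")
ACTION_RE = re.compile(r"^(.+?) \( (.+?) \) - User select action: (\w+)$")
QUAR_RE = re.compile(r"^(.+?) - copied to quarantine$")
COUNT_RE = re.compile(r"^Detected object count: (\d+)$")


@dataclass
class Finding:
    obj: str                      # device or file the engine flagged
    verdict: str                  # detection name, e.g. Rootkit.Win32.BackBoot.gen
    md5: Optional[str] = None     # hash logged for the object before the verdict
    action: Optional[str] = None  # user-selected action (Quarantine, Skip, ...)
    quarantined: bool = False     # a "copied to quarantine" line was seen

    def resolved(self) -> bool:
        """Handled only if Quarantine was chosen and the copy actually happened."""
        return self.action == "Quarantine" and self.quarantined


@dataclass
class Triage:
    findings: List[Finding]
    declared_count: Optional[int]   # the engine's own "Detected object count"
    hashes: Dict[str, str]          # object -> MD5 for every hashed entry

    def unresolved(self) -> List[Finding]:
        return [f for f in self.findings if not f.resolved()]

    def consistent(self) -> bool:
        """The engine's count should equal the number of detections parsed."""
        return self.declared_count == len(self.findings)


def triage(log_text: str) -> Triage:
    hashes: Dict[str, str] = {}
    findings: Dict[str, Finding] = {}
    declared: Optional[int] = None
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue                      # blank or non-log line
        msg = m.group(3).strip()
        if h := HASH_RE.match(msg):
            # Service names may contain spaces ("avast! Antivirus"), so split on
            # the whitespace before the drive letter; device entries have no path.
            np = NAME_PATH_RE.match(h.group(2).strip())
            hashes[np.group(1) if np else h.group(2).strip()] = h.group(1)
        elif c := COUNT_RE.match(msg):
            declared = int(c.group(1))
        elif v := (WARN_RE.match(msg) or DETECT_RE.match(msg)):
            obj, verdict = v.group(1), v.group(2)
            findings.setdefault(obj, Finding(obj, verdict, hashes.get(obj)))
        elif (a := ACTION_RE.match(msg)) and a.group(1) in findings:
            findings[a.group(1)].action = a.group(3)
        elif (q := QUAR_RE.match(msg)) and q.group(1) in findings:
            findings[q.group(1)].quarantined = True
    return Triage(list(findings.values()), declared, hashes)


if __name__ == "__main__":
    t = triage(SAMPLE_LOG)
    print(f"{len(t.findings)} detection(s), engine count {t.declared_count}")
    for f in t.findings:
        print(f"{f.obj}: {f.verdict} md5={f.md5} -> {'resolved' if f.resolved() else 'OPEN'}")
```

A run where the detection was left at the default Skip has no quarantine lines, so the finding stays in unresolved() and the helper knows the scan must be rerun.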
 



#8 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 61,441 posts
  • Gender:Female
  • Location:Romania

Posted 21 February 2013 - 05:11 PM

You can now rerun the scan and delete the detected TDLFS file system (it will by default be set to Skip).

We need to run a scan with Combofix:
  • Please go to the download page for ComboFix by sUBs.
  • Click the Download Now button pictured below and save the file to your desktop:

    download.png
  • Disable any anti-virus and/or firewall software you have installed.
    Instructions can be found here if needed.
  • Close all open windows, including your web browser.
    As mentioned in the first post, you may want to print out all instructions before starting.
  • Double-click on the ComboFix icon on your desktop. cf-icon.jpg
  • Read the Disclaimer and click I Agree if you want to run the software, then you should see a window like the one below:

    cf-preparing.jpg
  • DO NOT use your computer while ComboFix is running. There are a lot of things going on behind the scenes and a single mouse click can cause the program to stall.

    However, if you see the prompt below, please click Yes to download the Microsoft Windows Recovery Console.

    recovery-console-prompt.jpg

    If an Internet connection is not available or you choose not to install the recovery console, ComboFix will run in Reduced Functionality mode.
  • Allow ComboFix to reboot the computer if necessary; it will run again after you log back in.
  • When complete, a log file will be displayed, please copy and paste the contents of this file into your next post.

    cf-log.jpg
  • More information about downloading and using ComboFix can be found here if needed.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


 

Malware analyst @ Emsisoft

 



#9 Rickvv
  • Topic Starter
  • Members
  • 70 posts

Posted 21 February 2013 - 05:55 PM

ComboFix 13-02-21.02 - Angela 02/21/2013  16:21:21.3.2 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1982.1131 [GMT -6:00]
Running from: c:\documents and settings\Angela\Desktop\Combo-Fix.exe
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\HP_Administrator\Application Data\Toolbar4
c:\documents and settings\HP_Administrator\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\cache\e0274c4eebf32d7d1bf0e38726e4ea71
c:\documents and settings\HP_Administrator\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\cache\e676561c84d9a41ec2ac1b9379b89748
c:\documents and settings\HP_Administrator\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\cache\ec6799973f1db7f39bff366162a4850e
c:\documents and settings\HP_Administrator\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\cache\fdcfc40763b6755ae687e945adb4dba4
c:\documents and settings\HP_Administrator\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\cache\fe98d58b0232c74e3b47d141e87aaa18
c:\documents and settings\HP_Administrator\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\cache\merchant_notification
c:\documents and settings\HP_Administrator\Application Data\Toolbar4\{8660E5B3-6C41-44DE-8503-98D99BBECD41}\include_files\879ecc39d0be00e1ba71e4872c078138
.
Infected copy of c:\windows\system32\userinit.exe was found and disinfected
Restored copy from - c:\windows\ERDNT\cache\userinit.exe
.
.
(((((((((((((((((((((((((   Files Created from 2013-01-21 to 2013-02-21  )))))))))))))))))))))))))))))))
.
.
2013-02-21 21:53 . 2013-02-21 22:13 -------- d-----w- C:\TDSSKiller_Quarantine
2013-02-21 20:58 . 2013-02-21 20:58 -------- d-----w- C:\gmer
2013-02-20 21:52 . 2013-02-20 21:52 -------- d-----w- c:\program files\Defraggler
2013-02-20 16:06 . 2013-02-20 16:06 -------- d-sh--w- c:\documents and settings\Rhianna\IECompatCache
2013-02-20 01:38 . 2013-02-20 01:38 -------- d-----w- c:\program files\CCleaner
2013-02-19 20:19 . 2012-10-30 23:51 361032 ----a-w- c:\windows\system32\drivers\aswSP.sys
2013-02-19 20:19 . 2012-10-30 23:51 21256 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2013-02-19 20:19 . 2012-10-30 23:51 35928 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2013-02-19 20:19 . 2012-10-30 23:51 738504 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2013-02-19 20:19 . 2012-10-30 23:51 54232 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2013-02-19 20:19 . 2012-10-30 23:51 97608 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2013-02-19 20:19 . 2012-10-30 23:51 89752 ----a-w- c:\windows\system32\drivers\aswmon.sys
2013-02-19 20:19 . 2012-10-30 23:51 25256 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2013-02-19 20:18 . 2012-10-30 23:51 41224 ----a-w- c:\windows\avastSS.scr
2013-02-19 20:18 . 2012-10-30 23:50 227648 ----a-w- c:\windows\system32\aswBoot.exe
2013-02-19 19:49 . 2013-02-19 19:49 -------- d-----w- c:\windows\system32\winrm
2013-02-19 19:49 . 2013-02-19 19:49 -------- dc-h--w- c:\windows\$968930Uinstall_KB968930$
2013-02-09 16:52 . 2013-02-19 20:18 -------- d-----w- c:\program files\AVAST Software
2013-02-09 16:52 . 2013-02-19 20:18 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-02-20 21:43 . 2013-01-03 03:37 691568 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-02-20 21:43 . 2011-12-23 01:50 71024 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-01-26 03:55 . 2004-08-09 21:00 552448 ----a-w- c:\windows\system32\oleaut32.dll
2013-01-07 01:19 . 2004-08-10 04:00 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-01-07 00:37 . 2004-08-10 04:00 2027520 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-01-04 01:20 . 2004-08-09 21:00 1867264 ----a-w- c:\windows\system32\win32k.sys
2013-01-02 06:49 . 2004-08-09 21:00 1292288 ------w- c:\windows\system32\quartz.dll
2012-12-26 20:16 . 2004-08-09 21:00 916480 ----a-w- c:\windows\system32\wininet.dll
2012-12-26 20:16 . 2004-08-09 21:00 43520 ------w- c:\windows\system32\licmgr10.dll
2012-12-26 20:16 . 2004-08-09 21:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-12-24 06:40 . 2004-08-09 21:00 385024 ----a-w- c:\windows\system32\html.iec
2012-12-16 12:23 . 2004-08-09 21:00 290560 ----a-w- c:\windows\system32\atmfd.dll
2012-11-29 17:56 . 2012-11-29 17:56 25248 ----a-w- c:\windows\system32\lmimirr.dll
2012-11-29 17:56 . 2012-11-29 17:56 11552 ----a-w- c:\windows\system32\lmimirr2.dll
2012-11-29 17:56 . 2012-11-29 17:56 10144 ----a-w- c:\windows\system32\drivers\lmimirr.sys
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-10-30 23:50 121528 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveBlacklistedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}]
2012-12-18 01:50 556648 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}]
2012-12-18 01:50 556648 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}]
2012-12-18 01:50 556648 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncingOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}]
2012-12-18 01:50 556648 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2013-02-09 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ftutil2"="ftutil2.dll" [2004-06-07 106496]
"RTHDCPL"="RTHDCPL.EXE" [2006-06-13 16239616]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-05-09 7311360]
"nwiz"="nwiz.exe" [2006-05-09 1519616]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-22 237568]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-11-11 421160]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-09-08 421888]
"LogMeIn Hamachi Ui"="c:\program files\LogMeIn Hamachi\hamachi-2-ui.exe" [2012-12-10 2254768]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-10-30 4297136]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-18 946352]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2012-11-29 63048]
.
c:\documents and settings\Jack\Start Menu\Programs\Startup\
PinMcLnk.lnk - c:\hp\bin\cloaker.exe [2006-11-16 27136]
.
c:\documents and settings\LogMeInRemoteUser\Start Menu\Programs\Startup\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2006-11-16 27136]
PinMcLnk.lnk - c:\hp\bin\cloaker.exe [2006-11-16 27136]
.
c:\documents and settings\Angela\Start Menu\Programs\Startup\
PinMcLnk.lnk - c:\hp\bin\cloaker.exe [2006-11-16 27136]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
APC UPS Status.lnk - c:\program files\APC\APC PowerChute Personal Edition\Display.exe [2006-12-15 221295]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
.
c:\documents and settings\Default User\Start Menu\Programs\Startup\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2006-11-16 27136]
PinMcLnk.lnk - c:\hp\bin\cloaker.exe [2006-11-16 27136]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2013-01-25 22:37 92520 ----a-w- c:\windows\system32\LMIinit.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2005-09-29 22:01 67584 ----a-w- c:\windows\ehome\ehtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2006-02-19 08:41 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPBootOp]
2006-02-15 23:34 249856 ----a-w- c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-11-11 06:40 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 10:42 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-09-08 16:17 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
2010-06-01 15:17 5252408 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"gusvc"=3 (0x3)
"CLTNetCnService"=2 (0x2)
"ccSetMgr"=2 (0x2)
"ccEvtMgr"=2 (0x2)
"Automatic LiveUpdate Scheduler"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\DISC\\DISCover.exe"=
"c:\\Program Files\\DISC\\DiscStreamHub.exe"=
"c:\\Program Files\\DISC\\myFTP.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
.
R0 sonypvl2;sonypvl2;c:\windows\system32\drivers\sonypvl2.sys [12/31/2006 10:39 AM 19478]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2/19/2013 2:19 PM 738504]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2/19/2013 2:19 PM 361032]
R1 sonypvf2;sonypvf2;c:\windows\system32\drivers\sonypvf2.sys [12/31/2006 10:39 AM 635017]
R1 sonypvt2;sonypvt2;c:\windows\system32\drivers\sonypvt2.sys [12/31/2006 10:39 AM 431236]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2/19/2013 2:19 PM 21256]
R2 Hamachi2Svc;LogMeIn Hamachi Tunneling Engine;c:\program files\LogMeIn Hamachi\hamachi-2.exe [12/10/2012 5:29 PM 1435568]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [1/25/2013 4:37 PM 375144]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [11/29/2012 11:56 AM 12856]
R2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [2/21/2013 8:05 AM 398184]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2/21/2013 8:05 AM 682344]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2/21/2013 8:05 AM 21104]
S1 SASDIFSV;SASDIFSV; [x]
S1 SASKUTIL;SASKUTIL; [x]
S1 sonypvd2;sonypvd2;c:\windows\system32\drivers\sonypvd2.sys [12/31/2006 10:39 AM 64093]
S2 msav;Moon Secure Antivirus Core;c:\program files\Moon Secure Antivirus\msavcore.exe --> c:\program files\Moon Secure Antivirus\msavcore.exe [?]
S2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [7/13/2012 12:28 PM 160944]
S3 CXFALCON;Conexant Falcon II NTSC Video Capture;c:\windows\system32\drivers\cxfalcon.sys [11/16/2006 2:09 PM 82048]
S3 dsiarhwprog;dsiarhwprog;c:\windows\system32\drivers\dsiarhwprog.sys [3/26/2010 7:42 PM 29184]
S3 OlyUsbCam;OLYMPUS USB Camera;c:\windows\system32\drivers\OlyUsbCam.sys [10/19/2008 1:36 PM 21952]
S3 SASENUM;SASENUM; [x]
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-02-01 23:23 1607120 ----a-w- c:\program files\Google\Chrome\Application\24.0.1312.57\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-02-21 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2013-01-03 21:43]
.
2013-02-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 18:34]
.
2013-02-21 c:\windows\Tasks\avast! Emergency Update.job
- c:\program files\AVAST Software\Avast\AvastEmUpdate.exe [2013-02-19 23:50]
.
2012-01-11 c:\windows\Tasks\DMATask 0 {D2B22905-47C9-4b82-8E74-47AA9D2DE378} 0~0.job
- c:\program files\HP DigitalMedia Archive\DMAScheduler.exe [2006-04-13 10:05]
.
2013-02-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-01-04 00:18]
.
2013-02-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-01-04 00:18]
.
2013-02-21 c:\windows\Tasks\SDMsgUpdate (TE).job
- c:\progra~1\SMARTD~1\Messages\SDNotify.exe [2010-01-31 16:21]
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyServer = http=127.0.0.1:1059
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
TCP: DhcpNameServer = 204.130.255.3 209.63.0.6
TCP: Interfaces\{16E4634F-55C6-45B6-B74A-4B30797151D8}: NameServer = 204.130.255.3,64.122.32.71
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-02-21 16:48
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-3403347833-366765913-3541161794-1008\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_6_602_168_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_6_602_168_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(960)
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll
.
- - - - - - - > 'explorer.exe'(3652)
c:\windows\system32\WININET.dll
c:\program files\Google\Drive\googledrivesync32.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVAST Software\Avast\AvastSvc.exe
c:\program files\APC\APC PowerChute Personal Edition\mainserv.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\windows\arservice.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\LogMeIn\x86\RaMaint.exe
c:\program files\LogMeIn\x86\LogMeIn.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\SearchIndexer.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe
c:\windows\RTHDCPL.EXE
c:\program files\APC\APC PowerChute Personal Edition\apcsystray.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
.
**************************************************************************
.
Completion time: 2013-02-21  16:52:29 - machine was rebooted
ComboFix-quarantined-files.txt  2013-02-21 22:52
ComboFix2.txt  2013-02-20 13:49
.
Pre-Run: 208,650,952,704 bytes free
Post-Run: 208,600,031,232 bytes free
.
- - End Of File - - 0E2A8390951BAFBEE87908F09AC2920E
 



#10 Elise (Bleepin' Blonde)

  • Malware Study Hall Admin
  • 61,441 posts
  • Gender:Female
  • Location:Romania

Posted 22 February 2013 - 03:22 AM

That didn't catch the rootkit, so let's use the following tool.


Please download PragmaFix from the link below:

http://noahdfear.net/downloads/PragmaFix.exe

Run PragmaFix by double-clicking the file (you need an internet connection).
When done, a log will open (it is saved to c:\PragmaFix.log). Please post me its contents.


We need to execute a CF-script.

  • Close any open browsers.
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Click Start > Run and in the box that opens type notepad and press enter. Copy/paste the text in the codebox below into it:

    DDS::
    uInternet Settings,ProxyServer = http=127.0.0.1:1059

  • Save this as CFScript.txt, in the same location as ComboFix.exe

    (image: CFScriptB-4.gif)

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft

 

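
The ComboFix log in this thread carries three things a responder looks for before writing a script like the one above: a patched copy of userinit.exe (a Winlogon-launched binary, restored from the ERDNT cache), services whose binaries are missing or unresolved (`[x]`, `-->`, `[?]`), and a browser proxy pointed at 127.0.0.1:1059, which routes every browser request through a process on the same machine and is exactly the DDS line the CF-script's `DDS::` section removes. As an added example, not code from this thread, from ComboFix or from DDS, here is a small Python triage script that pulls those indicators out of ComboFix-style log lines and emits the matching `DDS::` block. The sample lines are constructed from values quoted in the log above (not the whole log), and the severity labels are this example's own assumption, not a ComboFix rating.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: a few lines in the shape of the ComboFix log quoted in this
# thread (values copied from that log; this is not the complete log).
SAMPLE_LOG = r"""
Infected copy of c:\windows\system32\userinit.exe was found and disinfected
Restored copy from - c:\windows\ERDNT\cache\userinit.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2/19/2013 2:19 PM 361032]
S1 SASDIFSV;SASDIFSV; [x]
S2 msav;Moon Secure Antivirus Core;c:\program files\Moon Secure Antivirus\msavcore.exe --> c:\program files\Moon Secure Antivirus\msavcore.exe [?]
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyServer = http=127.0.0.1:1059
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
"""

# Line shapes taken from the log format above.
PROXY_RE = re.compile(r"^uInternet Settings,ProxyServer\s*=\s*(?P<value>.+)$")
INFECTED_RE = re.compile(r"^Infected copy of (?P<path>.+?) was found and disinfected$")
SERVICE_RE = re.compile(r"^(?P<start>[RS][0-4])\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$")
DISABLE_MON_RE = re.compile(r'^"DisableMonitoring"=dword:00000001$')

# Severity labels are this example's own assumption, not a ComboFix rating.
SEVERITY = {
    "infected_system_file": "high",          # a Winlogon-launched binary was patched
    "loopback_proxy": "high",                # all browser traffic goes through a local process
    "service_unresolved_path": "medium",     # service registered, binary not where it says
    "service_missing_binary": "low",         # often a leftover of an uninstalled tool
    "security_center_monitoring_disabled": "low",  # AV suites set this legitimately
}


@dataclass
class Finding:
    kind: str
    detail: str
    severity: str
    line: str       # the original log line, kept so a script block can quote it verbatim


def proxy_targets(value):
    """Split 'http=127.0.0.1:1059;https=host:port' or a bare 'host:port' into (scheme, host:port)."""
    targets = []
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        scheme, sep, hostport = part.partition("=")
        if not sep:
            scheme, hostport = "*", part
        targets.append((scheme, hostport))
    return targets


def is_loopback_proxy(hostport):
    """True when the proxy host is the machine itself (127.x.x.x or localhost)."""
    host = hostport.rsplit(":", 1)[0].strip().lower()
    return host.startswith("127.") or host == "localhost"


def _add(findings, kind, detail, line):
    findings.append(Finding(kind, detail, SEVERITY[kind], line))


def triage(log_text):
    """Walk ComboFix-style log lines and collect the indicators worth a second look."""
    findings = []
    current_key = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]          # registry key header for the values that follow
            continue
        m = PROXY_RE.match(line)
        if m:
            for scheme, hostport in proxy_targets(m.group("value")):
                if is_loopback_proxy(hostport):
                    _add(findings, "loopback_proxy", f"{scheme}={hostport}", line)
            continue
        m = INFECTED_RE.match(line)
        if m:
            _add(findings, "infected_system_file", m.group("path"), line)
            continue
        m = SERVICE_RE.match(line)
        if m:
            rest = m.group("rest").strip()
            if rest == "[x]":
                _add(findings, "service_missing_binary", m.group("name"), line)
            elif "-->" in rest or rest.endswith("[?]"):
                _add(findings, "service_unresolved_path", m.group("name"), line)
            continue
        if DISABLE_MON_RE.match(line) and current_key and "security center" in current_key.lower():
            _add(findings, "security_center_monitoring_disabled", current_key, line)
    return findings


def summary(findings):
    """Count findings per severity, e.g. {'high': 2, 'medium': 1, 'low': 2}."""
    return dict(Counter(f.severity for f in findings))


def build_cfscript(findings):
    """Emit the DDS:: block used in this thread's CF-script: each DDS line listed under it
    is a setting ComboFix should remove. Only loopback-proxy findings are included here."""
    lines = list(dict.fromkeys(f.line for f in findings if f.kind == "loopback_proxy"))
    if not lines:
        return ""
    return "DDS::\n" + "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"[{f.severity:6}] {f.kind}: {f.detail}")
    print(summary(found))
    print(build_cfscript(found), end="")
```

Run against the sample it reports the disinfected userinit.exe and the loopback proxy as high, the unresolved msav service as medium, and the `[x]` SuperAntiSpyware driver entries plus the Security Center `DisableMonitoring` values as low (the latter are routinely set by Symantec-style suites, so they only confirm what other lines already say). The script block it emits for the proxy line is the same `DDS::` section as the CF-script above.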


#11 Rickvv (Topic Starter)

  • Members
  • 70 posts

Posted 22 February 2013 - 07:07 AM

Thanks for all your help, so far!

When I run PragmaFix, it doesn't see an active internet connection, even though we have one on this PC.

What do you think?



#12 Elise (Bleepin' Blonde)

  • Malware Study Hall Admin
  • 61,441 posts
  • Gender:Female
  • Location:Romania

Posted 22 February 2013 - 09:12 AM

Please restart your computer once and try it again.

If it doesn't work, try it from Safe Mode with Networking.


regards, Elise




#13 Rickvv (Topic Starter)

  • Members
  • 70 posts

Posted 22 February 2013 - 09:57 AM

Hi Elise,

I tried it both ways. Restarted and tried PragmaFix with Avast on and Avast 'off'. No connection.

Then I did safe-mode with networking, and still got "no connection" error.

 

I have not done the CF-script.

PC is still in safe mode.

What do you think... Time to wipe it out?

Thank you,

rickvv



#14 Elise (Bleepin' Blonde)

  • Malware Study Hall Admin
  • 61,441 posts
  • Gender:Female
  • Location:Romania

Posted 22 February 2013 - 10:54 AM

Then let's download it manually. :)

Please download this tool: http://download.sysinternals.com/files/Regdelnull.zip

Unzip the file and make sure it is located in c:\ (so you should have c:\regdelnull.exe). Then try to run PragmaFix again; this should skip the download part.


regards, Elise




#15 Rickvv (Topic Starter)

  • Members
  • 70 posts

Posted 22 February 2013 - 12:58 PM

All in Safe Mode, the standalone Sysinternals thing ran (never said it was finished, though). After a few moments, I ran the CFScript.

And got this result:

 

ComboFix 13-02-22.01 - Angela 02/22/2013  11:34:19.4.2 - x86 NETWORK
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1982.1503 [GMT -6:00]
Running from: c:\documents and settings\Angela\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Angela\Desktop\CFscript.txt
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
(((((((((((((((((((((((((   Files Created from 2013-01-22 to 2013-02-22  )))))))))))))))))))))))))))))))
.
.
2013-02-22 17:26 . 2006-11-01 19:06 162616 ------w- C:\RegDelNull.exe
2013-02-21 21:53 . 2013-02-21 22:13 -------- d-----w- C:\TDSSKiller_Quarantine
2013-02-21 20:58 . 2013-02-21 20:58 -------- d-----w- C:\gmer
2013-02-20 21:52 . 2013-02-20 21:52 -------- d-----w- c:\program files\Defraggler
2013-02-20 16:06 . 2013-02-20 16:06 -------- d-sh--w- c:\documents and settings\Rhianna\IECompatCache
2013-02-20 01:38 . 2013-02-20 01:38 -------- d-----w- c:\program files\CCleaner
2013-02-19 20:19 . 2012-10-30 23:51 361032 ----a-w- c:\windows\system32\drivers\aswSP.sys
2013-02-19 20:19 . 2012-10-30 23:51 21256 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2013-02-19 20:19 . 2012-10-30 23:51 35928 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2013-02-19 20:19 . 2012-10-30 23:51 738504 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2013-02-19 20:19 . 2012-10-30 23:51 54232 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2013-02-19 20:19 . 2012-10-30 23:51 97608 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2013-02-19 20:19 . 2012-10-30 23:51 89752 ----a-w- c:\windows\system32\drivers\aswmon.sys
2013-02-19 20:19 . 2012-10-30 23:51 25256 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2013-02-19 20:18 . 2012-10-30 23:51 41224 ----a-w- c:\windows\avastSS.scr
2013-02-19 20:18 . 2012-10-30 23:50 227648 ----a-w- c:\windows\system32\aswBoot.exe
2013-02-19 19:49 . 2013-02-19 19:49 -------- d-----w- c:\windows\system32\winrm
2013-02-19 19:49 . 2013-02-19 19:49 -------- dc-h--w- c:\windows\$968930Uinstall_KB968930$
2013-02-09 16:52 . 2013-02-19 20:18 -------- d-----w- c:\program files\AVAST Software
2013-02-09 16:52 . 2013-02-19 20:18 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-02-20 21:43 . 2013-01-03 03:37 691568 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-02-20 21:43 . 2011-12-23 01:50 71024 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-01-26 03:55 . 2004-08-09 21:00 552448 ----a-w- c:\windows\system32\oleaut32.dll
2013-01-07 01:19 . 2004-08-10 04:00 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-01-07 00:37 . 2004-08-10 04:00 2027520 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-01-04 01:20 . 2004-08-09 21:00 1867264 ----a-w- c:\windows\system32\win32k.sys
2013-01-02 06:49 . 2004-08-09 21:00 1292288 ------w- c:\windows\system32\quartz.dll
2012-12-26 20:16 . 2004-08-09 21:00 916480 ----a-w- c:\windows\system32\wininet.dll
2012-12-26 20:16 . 2004-08-09 21:00 43520 ------w- c:\windows\system32\licmgr10.dll
2012-12-26 20:16 . 2004-08-09 21:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-12-24 06:40 . 2004-08-09 21:00 385024 ----a-w- c:\windows\system32\html.iec
2012-12-16 12:23 . 2004-08-09 21:00 290560 ----a-w- c:\windows\system32\atmfd.dll
2012-11-29 17:56 . 2012-11-29 17:56 25248 ----a-w- c:\windows\system32\lmimirr.dll
2012-11-29 17:56 . 2012-11-29 17:56 11552 ----a-w- c:\windows\system32\lmimirr2.dll
2012-11-29 17:56 . 2012-11-29 17:56 10144 ----a-w- c:\windows\system32\drivers\lmimirr.sys
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-10-30 23:50 121528 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveBlacklistedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}]
2012-12-18 01:50 556648 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}]
2012-12-18 01:50 556648 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}]
2012-12-18 01:50 556648 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncingOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}]
2012-12-18 01:50 556648 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2013-02-09 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ftutil2"="ftutil2.dll" [2004-06-07 106496]
"RTHDCPL"="RTHDCPL.EXE" [2006-06-13 16239616]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-05-09 7311360]
"nwiz"="nwiz.exe" [2006-05-09 1519616]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-22 237568]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-11-11 421160]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-09-08 421888]
"LogMeIn Hamachi Ui"="c:\program files\LogMeIn Hamachi\hamachi-2-ui.exe" [2012-12-10 2254768]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-10-30 4297136]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-12-18 946352]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2012-11-29 63048]
.
c:\documents and settings\Jack\Start Menu\Programs\Startup\
PinMcLnk.lnk - c:\hp\bin\cloaker.exe [2006-11-16 27136]
.
c:\documents and settings\LogMeInRemoteUser\Start Menu\Programs\Startup\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2006-11-16 27136]
PinMcLnk.lnk - c:\hp\bin\cloaker.exe [2006-11-16 27136]
.
c:\documents and settings\Angela\Start Menu\Programs\Startup\
PinMcLnk.lnk - c:\hp\bin\cloaker.exe [2006-11-16 27136]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
APC UPS Status.lnk - c:\program files\APC\APC PowerChute Personal Edition\Display.exe [2006-12-15 221295]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2006-2-19 288472]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
.
c:\documents and settings\Default User\Start Menu\Programs\Startup\
Pin.lnk - c:\hp\bin\CLOAKER.EXE [2006-11-16 27136]
PinMcLnk.lnk - c:\hp\bin\cloaker.exe [2006-11-16 27136]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2013-01-25 22:37 92520 ----a-w- c:\windows\system32\LMIinit.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2005-09-29 22:01 67584 ----a-w- c:\windows\ehome\ehtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2006-02-19 08:41 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPBootOp]
2006-02-15 23:34 249856 ----a-w- c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-11-11 06:40 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 10:42 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-09-08 16:17 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
2010-06-01 15:17 5252408 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"gusvc"=3 (0x3)
"CLTNetCnService"=2 (0x2)
"ccSetMgr"=2 (0x2)
"ccEvtMgr"=2 (0x2)
"Automatic LiveUpdate Scheduler"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\DISC\\DISCover.exe"=
"c:\\Program Files\\DISC\\DiscStreamHub.exe"=
"c:\\Program Files\\DISC\\myFTP.exe"=
"c:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
.
R0 sonypvl2;sonypvl2;c:\windows\system32\drivers\sonypvl2.sys [12/31/2006 10:39 AM 19478]
R1 sonypvf2;sonypvf2;c:\windows\system32\drivers\sonypvf2.sys [12/31/2006 10:39 AM 635017]
R1 sonypvt2;sonypvt2;c:\windows\system32\drivers\sonypvt2.sys [12/31/2006 10:39 AM 431236]
R2 Hamachi2Svc;LogMeIn Hamachi Tunneling Engine;c:\program files\LogMeIn Hamachi\hamachi-2.exe [12/10/2012 5:29 PM 1435568]
S1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2/19/2013 2:19 PM 738504]
S1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2/19/2013 2:19 PM 361032]
S1 SASDIFSV;SASDIFSV; [x]
S1 SASKUTIL;SASKUTIL; [x]
S1 sonypvd2;sonypvd2;c:\windows\system32\drivers\sonypvd2.sys [12/31/2006 10:39 AM 64093]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2/19/2013 2:19 PM 21256]
S2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [1/25/2013 4:37 PM 375144]
S2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [11/29/2012 11:56 AM 12856]
S2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [2/21/2013 8:05 AM 398184]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2/21/2013 8:05 AM 682344]
S2 msav;Moon Secure Antivirus Core;c:\program files\Moon Secure Antivirus\msavcore.exe --> c:\program files\Moon Secure Antivirus\msavcore.exe [?]
S2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [7/13/2012 12:28 PM 160944]
S3 CXFALCON;Conexant Falcon II NTSC Video Capture;c:\windows\system32\drivers\cxfalcon.sys [11/16/2006 2:09 PM 82048]
S3 dsiarhwprog;dsiarhwprog;c:\windows\system32\drivers\dsiarhwprog.sys [3/26/2010 7:42 PM 29184]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2/21/2013 8:05 AM 21104]
S3 OlyUsbCam;OLYMPUS USB Camera;c:\windows\system32\drivers\OlyUsbCam.sys [10/19/2008 1:36 PM 21952]
S3 SASENUM;SASENUM; [x]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MDMXSDK
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-02-01 23:23 1607120 ----a-w- c:\program files\Google\Chrome\Application\24.0.1312.57\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-02-22 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2013-01-03 21:43]
.
2013-02-16 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 18:34]
.
2013-02-22 c:\windows\Tasks\avast! Emergency Update.job
- c:\program files\AVAST Software\Avast\AvastEmUpdate.exe [2013-02-19 23:50]
.
2012-01-11 c:\windows\Tasks\DMATask 0 {D2B22905-47C9-4b82-8E74-47AA9D2DE378} 0~0.job
- c:\program files\HP DigitalMedia Archive\DMAScheduler.exe [2006-04-13 10:05]
.
2013-02-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-01-04 00:18]
.
2013-02-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2013-01-04 00:18]
.
2013-02-22 c:\windows\Tasks\SDMsgUpdate (TE).job
- c:\progra~1\SMARTD~1\Messages\SDNotify.exe [2010-01-31 16:21]
.
.
------- Supplementary Scan -------
.
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
TCP: DhcpNameServer = 204.130.255.3 209.63.0.6
TCP: Interfaces\{16E4634F-55C6-45B6-B74A-4B30797151D8}: NameServer = 204.130.255.3,64.122.32.71
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-02-22 11:42
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-3403347833-366765913-3541161794-1008\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_6_602_168_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_6_602_168_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(732)
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll
.
- - - - - - - > 'explorer.exe'(688)
c:\windows\system32\WININET.dll
c:\program files\Google\Drive\googledrivesync32.dll
c:\windows\system32\ieframe.dll
.
Completion time: 2013-02-22  11:43:14
ComboFix-quarantined-files.txt  2013-02-22 17:43
ComboFix2.txt  2013-02-21 22:52
ComboFix3.txt  2013-02-20 13:49
.
Pre-Run: 208,595,570,688 bytes free
Post-Run: 208,589,348,864 bytes free
.
- - End Of File - - 767ED5D13A0F7D85DD295AFE19E720A9