Request assistance removing Zero Access Trojan/Rootkit


45 replies to this topic

#1 QuasiChameleon

QuasiChameleon

  • Members
  • 26 posts
  • OFFLINE
  • Local time:12:48 AM

Posted 25 March 2013 - 11:49 PM

I have tried many antirootkit programs, including TDSSKiller (Kaspersky), NPE (Symantec), RootkitBuster (TrendMicro), RootkitRemover (McAfee), Malwarebytes Anti-Rootkit Utility.

 

I also tried several antivirus/antimalware programs, such as Malwarebytes, SuperAntiSpyware, Symantec Endpoint Protection, Zone Alarm Antivirus, and Microsoft Security Essentials.

 

Finally, I also tried specific Zero Access removal tools from Norton, TrendMicro, etc., and I still can't get rid of it.

 

Only some of these even detect Zero Access is there, but none can remove it, although some have claimed to.

 

I have NOT YET tried HiJackThis or ComboFix, although I suspect you may instruct me to use them.

 

Your assistance is appreciated.  DDS.txt pasted below and attach.txt attached ...

 

Thanks in advance!

DDS (Ver_2012-11-20.01) - NTFS_x86 
Internet Explorer: 8.0.6001.18702  BrowserJavaVersion: 10.17.2
Run by Kevin at 20:17:28 on 2013-03-25
#Option MBR scan  is disabled.
.
============== Running Processes ================
.
C:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\taskswitch.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Kevin\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
BHO: AutorunsDisabled - <orphaned>
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: ThumbnailsBHO Class: {1BD0BEFE-F697-4eee-B7E1-76B849A5CB84} - c:\program files\xmarks\thumbnails for ie\xmarksthumbnails.dll
BHO: Groove GFS Browser Helper: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - c:\program files\microsoft office\office14\GROOVEEX.DLL
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: ZoneAlarm Security Engine Registrar: {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - c:\program files\google\googletoolbarnotifier\5.7.8313.1002\swg.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - c:\program files\microsoft office\office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: ZoneAlarm Security Engine: {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: ZoneAlarm Security Engine: {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
uRun: [0A0490A6658693B158ABDD8F6D19517D38459327._service_run] "c:\program files\google\chrome\application\chrome.exe" --type=service
uRun: [Xmarks] c:\program files\xmarks\ie extension\xmarkssync.exe -q
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [NVIDIA nTune] "c:\program files\nvidia corporation\ntune\\nTune.exe" clear
mRun: [CoolSwitch] c:\windows\system32\taskswitch.exe
mRun: [ZoneAlarm] "c:\program files\checkpoint\zonealarm\zatray.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [KeyScrambler] c:\program files\keyscrambler\keyscrambler.exe /a
mRun: [ISW] <no file>
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoru~1\amazon~1.lnk - c:\program files\amazon\amazon unbox video\ADVWindowsClientSystemTray.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:323
uPolicies-Explorer: NoDriveAutoRun = dword:67108863
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDrives = dword:0
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:323
mPolicies-Explorer: NoDriveAutoRun = dword:67108863
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\micros~3\office14\ONBttnIE.dll/105
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} - hxxp://www.comcastsupport.com/sdccommon/download/tgctlsr.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1347469957055
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1341511982984
TCP: NameServer = 75.75.76.76 75.75.75.75
TCP: Interfaces\{FF033B28-2370-4FAB-8A3C-E89B1A2090B5} : DHCPNameServer = 75.75.76.76 75.75.75.75
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager - {56F9679E-7826-4C84-81F3-532071A8BCC5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: SABShellExecuteHook Class - {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - c:\program files\superantispyware\SASSEH.DLL
SEH: Groove GFS Stub Execution Hook - {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - c:\program files\microsoft office\office14\GROOVEEX.DLL
mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\25.0.1364.172\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\kevin\application data\mozilla\firefox\profiles\u0heru65.default\
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?q=
FF - plugin: c:\documents and settings\kevin\application data\mozilla\firefox\profiles\u0heru65.default\extensions\devicedetection@logitech.com\plugins\npLogitechDeviceDetection.dll
FF - plugin: c:\documents and settings\kevin\application data\mozilla\firefox\profiles\u0heru65.default\extensions\ietab@ip.cn\plugins\npCoralIETab.dll
FF - plugin: c:\documents and settings\kevin\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\kevin\application data\mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: c:\documents and settings\kevin\local settings\application data\google\update\1.3.21.123\npGoogleUpdate3.dll
FF - plugin: c:\progra~1\micros~3\office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\micros~3\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\adobe\reader 11.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\checkpoint\zaforcefield\trustchecker\bin\npFFApi.dll
FF - plugin: c:\program files\common files\wolfram research\browser\8.0.4.2609412\npmathplugin.dll
FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\update\1.3.21.135\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.20125.0\npctrlui.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_6_602_180.dll
FF - plugin: c:\windows\system32\npdeployJava1.dll
FF - plugin: c:\windows\system32\npptools.dll
FF - ExtSQL: 2013-01-26 10:59; {FFB96CC1-7EB3-449D-B827-DB661701C6BB}; c:\program files\checkpoint\zaforcefield\TrustChecker
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true);user_pref(extensions.zonealarm.rvrtMsg, Click Yes to keep current home page and default search settings, Click No to restore original settings
FF - user.js: extensions.zonealarm.autoRvrt - true
FF - user.js: extensions.zonealarm_i.newTab - false
FF - user.js: extensions.zonealarm.tlbrSrchUrl - hxxp://search.zonealarm.com/search?Source=ToolBar&oemCode=ZLN20419448777083-1001&toolbarId=base&affiliateId=1025&Lan={dfltLng}&utid=90e3ecec0000000000000015f250cbba&q=
FF - user.js: extensions.zonealarm.id - 90e3ecec0000000000000015f250cbba
FF - user.js: extensions.zonealarm.instlDay - 15500
FF - user.js: extensions.zonealarm.vrsn - 1.5.23.8
FF - user.js: extensions.zonealarm.vrsni - 1.5.23.8
FF - user.js: extensions.zonealarm_i.vrsnTs - 1.5.23.821:05:44
FF - user.js: extensions.zonealarm.prtnrId - checkpoint
FF - user.js: extensions.zonealarm.prdct - zonealarm
FF - user.js: extensions.zonealarm.aflt - 1025
FF - user.js: extensions.zonealarm_i.smplGrp - none
FF - user.js: extensions.zonealarm.tlbrId - base
FF - user.js: extensions.zonealarm.instlRef - ZLN20419448777083-1001
FF - user.js: extensions.zonealarm.dfltLng - en
FF - user.js: extensions.zonealarm.excTlbr - true
FF - user.js: extensions.zonealarm.admin - false
user_pref('extensions.autoDisableScopes', 0);user_pref('security.csp.enable', false);user_pref('security.OCSP.enabled', 0);
.
============= SERVICES / DRIVERS ===============
.
.
=============== Created Last 30 ================
.
2013-03-25 20:00:25 -------- d-----w- c:\program files\glassfish-3.1.2.2
2013-03-25 19:42:32 -------- d-----w- c:\program files\NetBeans 7.3
2013-03-25 19:16:34 -------- d-----w- C:\opencv
2013-03-25 18:55:46 20 ----a-w- c:\windows\system32\drivers\SMR322.dat
2013-03-25 18:55:26 98392 ----a-w- c:\windows\system32\drivers\SMR322.SYS
2013-03-25 17:21:55 31424 ----a-w- c:\windows\system32\drivers\ERKRmvrDrv.sys
2013-03-25 15:24:18 7108640 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{ca46ba3e-7dc0-4c07-aacd-818bb6c1c15c}\mpengine.dll
2013-03-23 11:43:51 7108640 ------w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2013-03-21 22:31:43 -------- d-----w- c:\documents and settings\kevin\application data\Malwarebytes
2013-03-21 22:31:24 21104 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-03-21 20:18:28 -------- d-----w- c:\documents and settings\all users\application data\SMR322
2013-03-21 17:44:53 -------- d-----w- c:\documents and settings\kevin\local settings\application data\NPE
2013-03-21 17:44:53 -------- d-----w- c:\documents and settings\all users\application data\Norton
2013-03-20 15:11:23 331776 ----a-w- c:\windows\system32\glew32.dll
2013-03-20 15:11:21 245760 ----a-w- c:\windows\system32\glut32.dll
2013-03-20 03:17:25 143872 ----a-w- c:\windows\system32\javacpl.cpl
2013-03-20 03:17:13 94112 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-03-20 03:14:31 21664 ----a-w- c:\windows\system32\drivers\HWiNFO32.SYS
2013-03-20 03:09:29 -------- d-----w- c:\program files\HWiNFO32
2013-03-20 01:36:20 -------- d-----w- c:\documents and settings\all users\application data\VS
2013-03-18 19:11:30 -------- d-----w- c:\program files\Microsoft SQL Server
2013-03-18 19:05:23 112832 ----a-w- c:\documents and settings\all users\application data\microsoft\vcexpress\10.0\1033\ResourceCache.dll
2013-03-18 19:00:38 -------- d-----w- c:\program files\Microsoft Help Viewer
2013-03-18 19:00:38 -------- d-----w- c:\program files\common files\Merge Modules
2013-03-18 19:00:37 -------- d-----w- c:\program files\Microsoft Visual Studio 10.0
2013-03-18 18:07:40 -------- d-----w- c:\documents and settings\all users\application data\Package Cache
2013-03-16 12:33:53 12928 -c----w- c:\windows\system32\dllcache\usb8023x.sys
2013-03-16 12:33:53 12928 -c----w- c:\windows\system32\dllcache\usb8023.sys
2013-03-12 19:24:28 -------- d-----w- c:\program files\Hubb Client Data Manager
2013-03-07 23:42:42 5664768 ----a-w- c:\documents and settings\all users\application data\microsoft\bingdesktop\updater\BingDesktop.msi
.
==================== Find3M  ====================
.
2013-03-21 18:27:21 693976 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-03-21 18:27:19 73432 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-03-20 03:16:46 861088 ----a-w- c:\windows\system32\npdeployJava1.dll
2013-03-20 03:16:46 782240 ----a-w- c:\windows\system32\deployJava1.dll
2013-02-23 01:30:32 1072544 ----a-w- c:\windows\system32\nvdrsdb0.bin
2013-02-23 01:30:32 1 ----a-w- c:\windows\system32\nvdrssel.bin
2013-02-23 01:30:14 1072544 ----a-w- c:\windows\system32\nvdrsdb1.bin
2013-02-17 13:14:26 16400 ----a-w- c:\windows\system32\drivers\LNonPnP.sys
2013-02-12 00:32:23 12928 ----a-w- c:\windows\system32\drivers\usb8023.sys
2013-02-12 00:32:23 12928 ------w- c:\windows\system32\drivers\usb8023x.sys
2013-02-08 11:03:02 19189760 ----a-w- c:\windows\system32\nvoglnt.dll
2013-02-08 11:03:02 1010464 ----a-w- c:\windows\system32\nvdispco32.dll
2013-02-08 11:03:00 4494336 ----a-w- c:\windows\system32\nv4_disp.dll
2013-02-08 11:02:58 7536640 ----a-w- c:\windows\system32\nvcuda.dll
2013-02-08 11:02:58 2581792 ----a-w- c:\windows\system32\nvcuvid.dll
2013-02-08 11:02:56 892704 ----a-w- c:\windows\system32\nvdispgenco32.dll
2013-02-08 11:02:56 2389504 ----a-w- c:\windows\system32\nvapi.dll
2013-02-08 11:02:56 17551360 ----a-w- c:\windows\system32\nvcompiler.dll
2013-02-08 11:02:44 12648960 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2013-02-08 11:02:42 5967872 ----a-w- c:\windows\system32\nvopencl.dll
2013-02-08 11:02:42 1869088 ----a-w- c:\windows\system32\nvcuvenc.dll
2013-02-06 21:27:50 208920 ----a-w- c:\windows\system32\drivers\keyscrambler.sys
2013-02-06 16:08:54 35144 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2013-02-06 15:43:05 256904 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2013-02-05 20:05:47 916480 ----a-w- c:\windows\system32\wininet.dll
2013-02-05 20:05:46 43520 ----a-w- c:\windows\system32\licmgr10.dll
2013-02-05 20:05:46 1469440 ------w- c:\windows\system32\inetcpl.cpl
2013-02-05 05:53:57 385024 ----a-w- c:\windows\system32\html.iec
2013-01-30 10:53:21 232336 ------w- c:\windows\system32\MpSigStub.exe
2013-01-26 03:55:44 552448 ----a-w- c:\windows\system32\oleaut32.dll
2013-01-20 21:59:04 195296 ----a-w- c:\windows\system32\drivers\MpFilter.sys
2013-01-07 01:16:02 2193024 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-01-07 00:36:58 2069760 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-01-04 01:20:00 1867264 ----a-w- c:\windows\system32\win32k.sys
2013-01-02 06:49:10 148992 ----a-w- c:\windows\system32\mpg2splt.ax
2013-01-02 06:49:10 1292288 ----a-w- c:\windows\system32\quartz.dll
.
============= FINISH: 20:19:24.20 ===============
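Added example, not part of the thread and not DDS's or BleepingComputer's own tooling: a small Python triage helper for the "Pseudo HJT Report" section of the DDS log above. It parses the BHO/TB/SEH/SSODL/Notify object lines and the uRun/mRun/dRun run-key lines, pulls out the file each entry loads, and flags dangling entries (`<no file>`, `<orphaned>`) and executables that run from a user profile. The sample input reuses lines from the log above plus one constructed `ExampleUpdater` line; the flags are review hints for whoever reads the log, not detections.

```python
"""Triage helper for the "Pseudo HJT Report" section of a DDS log.

Added example (not the thread's or DDS's own tooling).  It parses the
BHO:/TB:/SEH:/SSODL:/Notify: object lines and the uRun:/mRun:/dRun: run-key
lines, extracts the file each entry loads, and attaches review flags:
  dangling      - entry points at <no file> / <orphaned> (stale, or a target
                  the scanner could not see)
  user-profile  - executable lives under a user profile or a temp directory
                  rather than Program Files / Windows
  no-path       - no recognisable file path in the entry
Flags are hints for whoever reads the log, not verdicts.
"""
import re
from dataclasses import dataclass, field

RUN_RE = re.compile(r'^(?P<kind>[umd]Run):\s*\[(?P<name>[^\]]*)\]\s*(?P<target>.*)$')
OBJ_RE = re.compile(r'^(?P<kind>BHO|TB|SEH|SSODL|Notify):\s*(?P<rest>.*)$')
# Trailing ": {CLSID}" or " - {CLSID}" that DDS appends to object names.
CLSID_RE = re.compile(r'\s*[:\-]?\s*\{[0-9a-f-]{36}\}\s*$', re.I)
# First drive- or %var%-rooted path ending in a loadable extension.  Lazy so
# that "c:\program files\x\y.exe -q" stops at the extension, not at the arg.
FILE_RE = re.compile(r'(?i)((?:[a-z]:|%\w+%)\\.+?\.(?:exe|dll|sys|cpl|ocx))')
USER_PROFILE_ROOTS = ('c:\\documents and settings\\', 'c:\\users\\')


@dataclass
class Entry:
    kind: str
    name: str
    target: str
    flags: list = field(default_factory=list)


def parse_entry(line):
    """Return an Entry for a recognised DDS autorun line, else None."""
    m = RUN_RE.match(line)
    if m:
        return Entry(m['kind'], m['name'], m['target'].strip())
    m = OBJ_RE.match(line)
    if m:
        # The file is whatever follows the last " - "; everything before is the name.
        head, sep, target = m['rest'].rpartition(' - ')
        if not sep:                      # no separator: nothing to load
            head, target = m['rest'], ''
        return Entry(m['kind'], CLSID_RE.sub('', head), target.strip())
    return None


def classify(entry):
    """Review flags for one entry (empty list means nothing stood out)."""
    t = entry.target.lower()
    if not t or '<no file>' in t or '<orphaned>' in t:
        return ['dangling']
    m = FILE_RE.search(entry.target)
    if not m:
        return ['no-path']
    path = m.group(1).lower()
    if path.startswith(USER_PROFILE_ROOTS) or '\\temp\\' in path:
        return ['user-profile']
    return []


def triage(dds_text):
    """Parse every recognised line in a DDS log and attach flags."""
    entries = []
    for line in dds_text.splitlines():
        entry = parse_entry(line.strip())
        if entry is not None:
            entry.flags = classify(entry)
            entries.append(entry)
    return entries


def flagged(dds_text):
    """name -> flags, only for entries that earned at least one flag."""
    return {e.name: e.flags for e in triage(dds_text) if e.flags}


# Sample input: lines copied from the DDS log in this thread, plus one
# CONSTRUCTED line (ExampleUpdater) showing a run key under a user profile.
SAMPLE_DDS = r"""
BHO: AutorunsDisabled - <orphaned>
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [Xmarks] c:\program files\xmarks\ie extension\xmarkssync.exe -q
mRun: [NVIDIA nTune] "c:\program files\nvidia corporation\ntune\\nTune.exe" clear
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [ISW] <no file>
SEH: SABShellExecuteHook Class - {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - c:\program files\superantispyware\SASSEH.DLL
uRun: [ExampleUpdater] c:\documents and settings\kevin\local settings\application data\exampleupd\upd.exe /silent
"""

if __name__ == '__main__':
    for e in triage(SAMPLE_DDS):
        print(f"{e.kind:7} {e.name:30} {','.join(e.flags) or '-':14} {e.target}")
```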

#2 jeffce

jeffce

    Bleepin' Super Saiyan


  • Malware Response Team
  • 3,442 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:12:48 AM

Posted 27 March 2013 - 07:31 PM

Hi and Welcome!!

My name is Jeff. I would be more than happy to take a look at your malware results logs and help you with solving any malware problems you might have. Logs can take a while to research, so please be patient and know that I am working hard to get you a clean and functional system back in your hands. I'd be grateful if you would note the following:
  • The fixes are specific to your problem and should only be used for the issues on this machine.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.
  • If you happen to have a flash drive/thumb drive please have that ready in the event that we need to use it.
  • Please be sure to subscribe to this topic so that you can see when there are new responses.
  • IMPORTANT NOTE : Please do not delete, download or install anything unless instructed to do so.
    DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision. Doing so could make your system inoperable and could require a full reinstall of your operating system and losing all your programs and data.


    Having said that.... Let's get going!!


    Could you post the logs that were made by TDSSKiller and Malwarebytes please?
    ---------

  • Please download aswMBR to your desktop.
  • Double click the aswMBR icon to run it.
  • Click the Scan button to start scan.
  • If you are asked to update the Avast Virus database please allow it to do so.
  • When it finishes, press the save log button, save the logfile to your desktop and attach its contents in your next reply.


#3 QuasiChameleon

QuasiChameleon
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  • Local time:12:48 AM

Posted 28 March 2013 - 05:53 AM

It took a while for these to scan, which I ran in this sequence: TDSSKiller (log pasted), Malwarebytes Anti-Malware (log pasted), and aswMBR (log attached).
 
Note that Malwarebytes Anti-Malware found and removed Trojan.Downloader.
 
 
Fresh log of TDSSKiller ...
 
20:04:47.0359 0480  TDSS rootkit removing tool 2.8.16.0 Feb 11 2013 18:50:42
20:04:47.0796 0480  ============================================================
20:04:47.0796 0480  Current date / time: 2013/03/27 20:04:47.0796
20:04:47.0796 0480  SystemInfo:
20:04:47.0796 0480
20:04:47.0796 0480  OS Version: 5.1.2600 ServicePack: 3.0
20:04:47.0796 0480  Product type: Workstation
20:04:47.0796 0480  ComputerName: HOMER
20:04:47.0796 0480  UserName: Kevin
20:04:47.0796 0480  Windows directory: C:\WINDOWS
20:04:47.0796 0480  System windows directory: C:\WINDOWS
20:04:47.0796 0480  Processor architecture: Intel x86
20:04:47.0796 0480  Number of processors: 1
20:04:47.0796 0480  Page size: 0x1000
20:04:47.0796 0480  Boot type: Normal boot
20:04:47.0796 0480  ============================================================
20:04:50.0968 0480  Drive \Device\Harddisk0\DR0 - Size: 0xE8E0DB6000 (931.51 Gb), SectorSize: 0x200, Cylinders: 0x1DB01, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000050
20:04:51.0046 0480  Drive \Device\Harddisk6\DR30 - Size: 0x2F7B000000 (189.92 Gb), SectorSize: 0x200, Cylinders: 0x60D8, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'W'
20:04:58.0500 0480  ============================================================
20:04:58.0500 0480  \Device\Harddisk0\DR0:
20:04:58.0515 0480  MBR partitions:
20:04:58.0515 0480  \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0xC8007C1
20:04:58.0515 0480  \Device\Harddisk0\DR0\Partition2: MBR, Type 0x7, StartLBA 0xC800800, BlocksNum 0x4B000000
20:04:58.0515 0480  \Device\Harddisk0\DR0\Partition3: MBR, Type 0x7, StartLBA 0x57800800, BlocksNum 0x1CF06000
20:04:58.0515 0480  \Device\Harddisk6\DR30:
20:04:58.0515 0480  MBR partitions:
20:04:58.0515 0480  \Device\Harddisk6\DR30\Partition1: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x17BD13D8
20:04:58.0515 0480  ============================================================
20:04:58.0546 0480  C: <-> \Device\Harddisk0\DR0\Partition1
20:04:58.0562 0480  D: <-> \Device\Harddisk0\DR0\Partition2
20:04:58.0593 0480  E: <-> \Device\Harddisk0\DR0\Partition3
20:04:58.0625 0480  L: <-> \Device\Harddisk6\DR30\Partition1
20:04:58.0625 0480  ============================================================
20:04:58.0625 0480  Initialize success
20:04:58.0625 0480  ============================================================
20:06:03.0031 4620  ============================================================
20:06:03.0031 4620  Scan started
20:06:03.0031 4620  Mode: Manual; 
20:06:03.0031 4620  ============================================================
20:06:04.0203 4620  ================ Scan system memory ========================
20:06:07.0609 4620  System memory - ok
20:06:07.0609 4620  ================ Scan services =============================
20:06:07.0656 4620  [ 01E81C84AD1D0ACC61CF3CFD06632210 ] !SASCORE        C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
20:06:07.0656 4620  !SASCORE - ok
20:06:07.0906 4620  Abiosdsk - ok
20:06:07.0921 4620  abp480n5 - ok
20:06:07.0953 4620  [ 8FD99680A539792A30E97944FDAECF17 ] ACPI            C:\WINDOWS\system32\DRIVERS\ACPI.sys
20:06:07.0953 4620  ACPI - ok
20:06:07.0984 4620  [ 9859C0F6936E723E4892D7141B1327D5 ] ACPIEC          C:\WINDOWS\system32\drivers\ACPIEC.sys
20:06:07.0984 4620  ACPIEC - ok
20:06:08.0031 4620  [ EA856F4A46320389D1899B2CAA7BF40F ] AdobeFlashPlayerUpdateSvc C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
20:06:08.0703 4620  AdobeFlashPlayerUpdateSvc - ok
20:06:08.0703 4620  adpu160m - ok
20:06:08.0734 4620  [ 8BED39E3C35D6A489438B8141717A557 ] aec             C:\WINDOWS\system32\drivers\aec.sys
20:06:08.0734 4620  aec - ok
20:06:08.0765 4620  [ 1E44BC1E83D8FD2305F8D452DB109CF9 ] AFD             C:\WINDOWS\System32\drivers\afd.sys
20:06:08.0765 4620  AFD - ok
20:06:08.0781 4620  Aha154x - ok
20:06:08.0781 4620  aic78u2 - ok
20:06:08.0796 4620  aic78xx - ok
20:06:08.0859 4620  [ 95AA37BEC6C72C277C2CAEAEE736DD2D ] ALCXWDM         C:\WINDOWS\system32\drivers\ALCXWDM.SYS
20:06:08.0875 4620  ALCXWDM - ok
20:06:08.0906 4620  [ A9A3DAA780CA6C9671A19D52456705B4 ] Alerter         C:\WINDOWS\system32\alrsvc.dll
20:06:08.0906 4620  Alerter - ok
20:06:08.0921 4620  [ 8C515081584A38AA007909CD02020B3D ] ALG             C:\WINDOWS\System32\alg.exe
20:06:08.0921 4620  ALG - ok
20:06:08.0937 4620  AliIde - ok
20:06:08.0953 4620  [ 59301936898AE62245A6F09C0ABA9475 ] AmdK8           C:\WINDOWS\system32\DRIVERS\AmdK8.sys
20:06:08.0953 4620  AmdK8 - ok
20:06:08.0984 4620  [ E7314D43CD2BE981D8BC4826B50EAF05 ] AmdLLD          C:\WINDOWS\system32\DRIVERS\AmdLLD.sys
20:06:08.0984 4620  AmdLLD - ok
20:06:09.0000 4620  amsint - ok
20:06:09.0031 4620  [ B5B8A80875C1DEDEDA8B02765642C32F ] Arp1394         C:\WINDOWS\system32\DRIVERS\arp1394.sys
20:06:09.0031 4620  Arp1394 - ok
20:06:09.0031 4620  asc - ok
20:06:09.0046 4620  asc3350p - ok
20:06:09.0062 4620  asc3550 - ok
20:06:09.0125 4620  [ 776ACEFA0CA9DF0FAA51A5FB2F435705 ] aspnet_state    C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe
20:06:09.0156 4620  aspnet_state - ok
20:06:09.0171 4620  [ B153AFFAC761E7F5FCFA822B9C4E97BC ] AsyncMac        C:\WINDOWS\system32\DRIVERS\asyncmac.sys
20:06:09.0171 4620  AsyncMac - ok
20:06:09.0203 4620  [ 9F3A2F5AA6875C72BF062C712CFA2674 ] atapi           C:\WINDOWS\system32\DRIVERS\atapi.sys
20:06:09.0203 4620  atapi - ok
20:06:09.0218 4620  Atdisk - ok
20:06:09.0234 4620  [ 9916C1225104BA14794209CFA8012159 ] Atmarpc         C:\WINDOWS\system32\DRIVERS\atmarpc.sys
20:06:09.0250 4620  Atmarpc - ok
20:06:09.0265 4620  [ DEF7A7882BEC100FE0B2CE2549188F9D ] AudioSrv        C:\WINDOWS\System32\audiosrv.dll
20:06:09.0265 4620  AudioSrv - ok
20:06:09.0296 4620  [ D9F724AA26C010A217C97606B160ED68 ] audstub         C:\WINDOWS\system32\DRIVERS\audstub.sys
20:06:09.0296 4620  audstub - ok
20:06:09.0328 4620  [ DA1F27D85E0D1525F6621372E7B685E9 ] Beep            C:\WINDOWS\system32\drivers\Beep.sys
20:06:09.0328 4620  Beep - ok
20:06:09.0390 4620  [ 8DC837789BBF0E1BEF252A8F7C101F7B ] BingDesktopUpdate C:\Program Files\Microsoft\BingDesktop\BingDesktopUpdater.exe
20:06:09.0812 4620  BingDesktopUpdate - ok
20:06:09.0875 4620  [ 574738F61FCA2935F5265DC4E5691314 ] BITS            C:\WINDOWS\system32\qmgr.dll
20:06:09.0953 4620  BITS - ok
20:06:09.0968 4620  [ CFD4E51402DA9838B5A04AE680AF54A0 ] Browser         C:\WINDOWS\System32\browser.dll
20:06:09.0968 4620  Browser - ok
20:06:10.0062 4620  catchme - ok
20:06:10.0109 4620  [ 90A673FC8E12A79AFBED2576F6A7AAF9 ] cbidf2k         C:\WINDOWS\system32\drivers\cbidf2k.sys
20:06:10.0109 4620  cbidf2k - ok
20:06:10.0125 4620  [ 0BE5AEF125BE881C4F854C554F2B025C ] CCDECODE        C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
20:06:10.0125 4620  CCDECODE - ok
20:06:10.0187 4620  [ 260A069F403DA226D18C058AD14FD3A3 ] ccEvtMgr        C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
20:06:10.0187 4620  ccEvtMgr - ok
20:06:10.0187 4620  [ 260A069F403DA226D18C058AD14FD3A3 ] ccSetMgr        C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
20:06:10.0203 4620  ccSetMgr - ok
20:06:10.0203 4620  cd20xrnt - ok
20:06:10.0234 4620  [ C1B486A7658353D33A10CC15211A873B ] Cdaudio         C:\WINDOWS\system32\drivers\Cdaudio.sys
20:06:10.0234 4620  Cdaudio - ok
20:06:10.0250 4620  [ C885B02847F5D2FD45A24E219ED93B32 ] Cdfs            C:\WINDOWS\system32\drivers\Cdfs.sys
20:06:10.0250 4620  Cdfs - ok
20:06:10.0281 4620  [ 1F4260CC5B42272D71F79E570A27A4FE ] Cdrom           C:\WINDOWS\system32\DRIVERS\cdrom.sys
20:06:10.0281 4620  Cdrom - ok
20:06:10.0312 4620  [ 1CFE720EB8D93A7158A4EBC3AB178BDE ] CiSvc           C:\WINDOWS\system32\cisvc.exe
20:06:10.0312 4620  CiSvc - ok
20:06:10.0328 4620  [ 34CBE729F38138217F9C80212A2A0C82 ] ClipSrv         C:\WINDOWS\system32\clipsrv.exe
20:06:10.0328 4620  ClipSrv - ok
20:06:10.0406 4620  [ D87ACAED61E417BBA546CED5E7E36D9C ] clr_optimization_v2.0.50727_32 c:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
20:06:10.0406 4620  clr_optimization_v2.0.50727_32 - ok
20:06:10.0437 4620  [ C5A75EB48E2344ABDC162BDA79E16841 ] clr_optimization_v4.0.30319_32 C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
20:06:10.0890 4620  clr_optimization_v4.0.30319_32 - ok
20:06:10.0906 4620  CmdIde - ok
20:06:10.0953 4620  [ DE88A385898F6D13026F94F749FBAED2 ] COH_Mon         C:\WINDOWS\system32\Drivers\COH_Mon.sys
20:06:10.0968 4620  COH_Mon - ok
20:06:10.0984 4620  COMSysApp - ok
20:06:11.0000 4620  Cpqarray - ok
20:06:11.0031 4620  [ 3D4E199942E29207970E04315D02AD3B ] CryptSvc        C:\WINDOWS\System32\cryptsvc.dll
20:06:11.0031 4620  CryptSvc - ok
20:06:11.0031 4620  dac2w2k - ok
20:06:11.0046 4620  dac960nt - ok
20:06:11.0078 4620  [ 6B27A5C03DFB94B4245739065431322C ] DcomLaunch      C:\WINDOWS\system32\rpcss.dll
20:06:11.0109 4620  DcomLaunch - ok
20:06:11.0125 4620  [ 5E38D7684A49CACFB752B046357E0589 ] Dhcp            C:\WINDOWS\System32\dhcpcsvc.dll
20:06:11.0140 4620  Dhcp - ok
20:06:11.0140 4620  [ 044452051F3E02E7963599FC8F4F3E25 ] Disk            C:\WINDOWS\system32\DRIVERS\disk.sys
20:06:11.0156 4620  Disk - ok
20:06:11.0156 4620  dmadmin - ok
20:06:11.0187 4620  [ D992FE1274BDE0F84AD826ACAE022A41 ] dmboot          C:\WINDOWS\system32\drivers\dmboot.sys
20:06:11.0203 4620  dmboot - ok
20:06:11.0203 4620  [ 7C824CF7BBDE77D95C08005717A95F6F ] dmio            C:\WINDOWS\system32\drivers\dmio.sys
20:06:11.0218 4620  dmio - ok
20:06:11.0234 4620  [ E9317282A63CA4D188C0DF5E09C6AC5F ] dmload          C:\WINDOWS\system32\drivers\dmload.sys
20:06:11.0234 4620  dmload - ok
20:06:11.0265 4620  [ 57EDEC2E5F59F0335E92F35184BC8631 ] dmserver        C:\WINDOWS\System32\dmserver.dll
20:06:11.0265 4620  dmserver - ok
20:06:11.0281 4620  [ 8A208DFCF89792A484E76C40E5F50B45 ] DMusic          C:\WINDOWS\system32\drivers\DMusic.sys
20:06:11.0281 4620  DMusic - ok
20:06:11.0296 4620  [ 5F7E24FA9EAB896051FFB87F840730D2 ] Dnscache        C:\WINDOWS\System32\dnsrslvr.dll
20:06:11.0296 4620  Dnscache - ok
20:06:11.0328 4620  [ 0F0F6E687E5E15579EF4DA8DD6945814 ] Dot3svc         C:\WINDOWS\System32\dot3svc.dll
20:06:11.0328 4620  Dot3svc - ok
20:06:11.0343 4620  dpti2o - ok
20:06:11.0375 4620  [ 8F5FCFF8E8848AFAC920905FBD9D33C8 ] drmkaud         C:\WINDOWS\system32\drivers\drmkaud.sys
20:06:11.0375 4620  drmkaud - ok
20:06:11.0406 4620  [ 2187855A7703ADEF0CEF9EE4285182CC ] EapHost         C:\WINDOWS\System32\eapsvc.dll
20:06:11.0406 4620  EapHost - ok
20:06:11.0453 4620  [ 85B8B4032A895A746D46A288A9B30DED ] eeCtrl          C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
20:06:11.0609 4620  eeCtrl - ok
20:06:11.0640 4620  [ B5A8A04A6E5B4E86B95B1553AA918F5F ] EraserUtilRebootDrv C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
20:06:11.0937 4620  EraserUtilRebootDrv - ok
20:06:11.0984 4620  [ B504C8B1C25C543539077D2082770F3D ] ERmvrDrv        C:\WINDOWS\system32\drivers\ERKRmvrDrv.sys
20:06:11.0984 4620  ERmvrDrv - ok
20:06:12.0000 4620  [ BC93B4A066477954555966D77FEC9ECB ] ERSvc           C:\WINDOWS\System32\ersvc.dll
20:06:12.0000 4620  ERSvc - ok
20:06:12.0031 4620  [ 65DF52F5B8B6E9BBD183505225C37315 ] Eventlog        C:\WINDOWS\system32\services.exe
20:06:12.0031 4620  Eventlog - ok
20:06:12.0062 4620  [ D4991D98F2DB73C60D042F1AEF79EFAE ] EventSystem     C:\WINDOWS\system32\es.dll
20:06:12.0078 4620  EventSystem - ok
20:06:12.0093 4620  [ 38D332A6D56AF32635675F132548343E ] Fastfat         C:\WINDOWS\system32\drivers\Fastfat.sys
20:06:12.0109 4620  Fastfat - ok
20:06:12.0140 4620  [ 99BC0B50F511924348BE19C7C7313BBF ] FastUserSwitchingCompatibility C:\WINDOWS\System32\shsvcs.dll
20:06:12.0140 4620  FastUserSwitchingCompatibility - ok
20:06:12.0156 4620  [ 92CDD60B6730B9F50F6A1A0C1F8CDC81 ] Fdc             C:\WINDOWS\system32\DRIVERS\fdc.sys
20:06:12.0156 4620  Fdc - ok
20:06:12.0171 4620  [ D45926117EB9FA946A6AF572FBE1CAA3 ] Fips            C:\WINDOWS\system32\drivers\Fips.sys
20:06:12.0171 4620  Fips - ok
20:06:12.0187 4620  [ 9D27E7B80BFCDF1CDD9B555862D5E7F0 ] Flpydisk        C:\WINDOWS\system32\DRIVERS\flpydisk.sys
20:06:12.0203 4620  Flpydisk - ok
20:06:12.0203 4620  [ B2CF4B0786F8212CB92ED2B50C6DB6B0 ] FltMgr          C:\WINDOWS\system32\drivers\fltmgr.sys
20:06:12.0203 4620  FltMgr - ok
20:06:12.0250 4620  [ 8BA7C024070F2B7FDD98ED8A4BA41789 ] FontCache3.0.0.0 c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
20:06:12.0718 4620  FontCache3.0.0.0 - ok
20:06:12.0718 4620  [ 3E1E2BD4F39B0E2B7DC4F4D2BCC2779A ] Fs_Rec          C:\WINDOWS\system32\drivers\Fs_Rec.sys
20:06:12.0718 4620  Fs_Rec - ok
20:06:12.0750 4620  [ 6AC26732762483366C3969C9E4D2259D ] Ftdisk          C:\WINDOWS\system32\DRIVERS\ftdisk.sys
20:06:12.0750 4620  Ftdisk - ok
20:06:12.0765 4620  [ 065639773D8B03F33577F6CDAEA21063 ] gameenum        C:\WINDOWS\system32\DRIVERS\gameenum.sys
20:06:12.0765 4620  gameenum - ok
20:06:12.0796 4620  [ 185ADA973B5020655CEE342059A86CBB ] GEARAspiWDM     C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
20:06:13.0140 4620  GEARAspiWDM - ok
20:06:13.0156 4620  [ 0A02C63C8B144BD8C86B103DEE7C86A2 ] Gpc             C:\WINDOWS\system32\DRIVERS\msgpc.sys
20:06:13.0156 4620  Gpc - ok
20:06:13.0218 4620  [ F02A533F517EB38333CB12A9E8963773 ] gupdate         C:\Program Files\Google\Update\GoogleUpdate.exe
20:06:14.0062 4620  gupdate - ok
20:06:14.0078 4620  [ F02A533F517EB38333CB12A9E8963773 ] gupdatem        C:\Program Files\Google\Update\GoogleUpdate.exe
20:06:14.0078 4620  gupdatem - ok
20:06:14.0125 4620  [ 5D4BC124FAAE6730AC002CDB67BF1A1C ] gusvc           C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
20:06:14.0468 4620  gusvc - ok
20:06:14.0515 4620  [ 4FCCA060DFE0C51A09DD5C3843888BCD ] helpsvc         C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll
20:06:14.0515 4620  helpsvc - ok
20:06:14.0546 4620  [ DEB04DA35CC871B6D309B77E1443C796 ] HidServ         C:\WINDOWS\System32\hidserv.dll
20:06:14.0546 4620  HidServ - ok
20:06:14.0562 4620  [ CCF82C5EC8A7326C3066DE870C06DAF1 ] hidusb          C:\WINDOWS\system32\DRIVERS\hidusb.sys
20:06:14.0562 4620  hidusb - ok
20:06:14.0578 4620  [ 8878BD685E490239777BFE51320B88E9 ] hkmsvc          C:\WINDOWS\System32\kmsvc.dll
20:06:14.0578 4620  hkmsvc - ok
20:06:14.0593 4620  hpn - ok
20:06:14.0625 4620  [ F80A415EF82CD06FFAF0D971528EAD38 ] HTTP            C:\WINDOWS\system32\Drivers\HTTP.sys
20:06:14.0625 4620  HTTP - ok
20:06:14.0656 4620  [ 6100A808600F44D999CEBDEF8841C7A3 ] HTTPFilter      C:\WINDOWS\System32\w3ssl.dll
20:06:14.0656 4620  HTTPFilter - ok
20:06:14.0687 4620  [ 070E133F9D46BF83E2D36BFD208DE513 ] HWiNFO32        C:\WINDOWS\system32\drivers\HWiNFO32.SYS
20:06:14.0687 4620  HWiNFO32 - ok
20:06:14.0703 4620  i2omp - ok
20:06:14.0734 4620  [ 4A0B06AA8943C1E332520F7440C0AA30 ] i8042prt        C:\WINDOWS\system32\DRIVERS\i8042prt.sys
20:06:14.0734 4620  i8042prt - ok
20:06:14.0796 4620  [ C01AC32DC5C03076CFB852CB5DA5229C ] idsvc           c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
20:06:14.0812 4620  idsvc - ok
20:06:14.0828 4620  [ 083A052659F5310DD8B6A6CB05EDCF8E ] Imapi           C:\WINDOWS\system32\DRIVERS\imapi.sys
20:06:14.0828 4620  Imapi - ok
20:06:14.0859 4620  [ 30DEAF54A9755BB8546168CFE8A6B5E1 ] ImapiService    C:\WINDOWS\system32\imapi.exe
20:06:14.0859 4620  ImapiService - ok
20:06:14.0875 4620  ini910u - ok
20:06:14.0890 4620  IntelIde - ok
20:06:14.0953 4620  [ D9DA7B3117BF5EFF921C0CDED4D58050 ] IntuitUpdateServiceV4 C:\Program Files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
20:06:15.0156 4620  IntuitUpdateServiceV4 - ok
20:06:15.0187 4620  [ 3BB22519A194418D5FEC05D800A19AD0 ] Ip6Fw           C:\WINDOWS\system32\drivers\ip6fw.sys
20:06:15.0187 4620  Ip6Fw - ok
20:06:15.0203 4620  [ 731F22BA402EE4B62748ADAF6363C182 ] IpFilterDriver  C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
20:06:15.0218 4620  IpFilterDriver - ok
20:06:15.0218 4620  [ B87AB476DCF76E72010632B5550955F5 ] IpInIp          C:\WINDOWS\system32\DRIVERS\ipinip.sys
20:06:15.0218 4620  IpInIp - ok
20:06:15.0250 4620  [ CC748EA12C6EFFDE940EE98098BF96BB ] IpNat           C:\WINDOWS\system32\DRIVERS\ipnat.sys
20:06:15.0250 4620  IpNat - ok
20:06:15.0296 4620  [ BC0EA61246F8D940FBC5F652D337D6BD ] iPod Service    C:\Program Files\iPod\bin\iPodService.exe
20:06:15.0781 4620  iPod Service - ok
20:06:15.0796 4620  [ 23C74D75E36E7158768DD63D92789A91 ] IPSec           C:\WINDOWS\system32\DRIVERS\ipsec.sys
20:06:15.0796 4620  IPSec - ok
20:06:15.0812 4620  [ C93C9FF7B04D772627A3646D89F7BF89 ] IRENUM          C:\WINDOWS\system32\DRIVERS\irenum.sys
20:06:15.0812 4620  IRENUM - ok
20:06:15.0828 4620  [ 05A299EC56E52649B1CF2FC52D20F2D7 ] isapnp          C:\WINDOWS\system32\DRIVERS\isapnp.sys
20:06:15.0843 4620  isapnp - ok
20:06:15.0890 4620  [ 33112D12B95BD1DE18AF409D865DF10C ] ISWKL           C:\Program Files\CheckPoint\ZAForceField\ISWKL.sys
20:06:16.0109 4620  ISWKL - ok
20:06:16.0156 4620  [ CFF1CD2C1CC8F5271967AA268982E878 ] IswSvc          C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe
20:06:16.0156 4620  IswSvc - ok
20:06:16.0234 4620  [ 999DB5F88C8E145CCA9D471E33227143 ] JavaQuickStarterService C:\Program Files\Java\jre7\bin\jqs.exe
20:06:16.0734 4620  JavaQuickStarterService - ok
20:06:16.0765 4620  [ 463C1EC80CD17420A542B7F36A36F128 ] Kbdclass        C:\WINDOWS\system32\DRIVERS\kbdclass.sys
20:06:16.0765 4620  Kbdclass - ok
20:06:16.0796 4620  [ 9EF487A186DEA361AA06913A75B3FA99 ] kbdhid          C:\WINDOWS\system32\DRIVERS\kbdhid.sys
20:06:16.0796 4620  kbdhid - ok
20:06:16.0828 4620  [ 60EE3594D819DF944CD88BC60715C8F6 ] KeyScrambler    C:\WINDOWS\system32\drivers\keyscrambler.sys
20:06:16.0828 4620  KeyScrambler - ok
20:06:16.0859 4620  [ 186B54479D98E48AEE0E9ADA4B3C4D31 ] KL1             C:\WINDOWS\system32\DRIVERS\kl1.sys
20:06:16.0859 4620  KL1 - ok
20:06:16.0875 4620  [ BF485BFBA13C0AB116701FD9C55324D0 ] kl2             C:\WINDOWS\system32\DRIVERS\kl2.sys
20:06:16.0875 4620  kl2 - ok
20:06:16.0906 4620  [ D42359C8A1404EFCB9432DC4CDCCBEA1 ] KLIF            C:\WINDOWS\system32\DRIVERS\klif.sys
20:06:16.0906 4620  KLIF - ok
20:06:16.0921 4620  [ 692BCF44383D056AED41B045A323D378 ] kmixer          C:\WINDOWS\system32\drivers\kmixer.sys
20:06:16.0937 4620  kmixer - ok
20:06:16.0953 4620  [ B467646C54CC746128904E1654C750C1 ] KSecDD          C:\WINDOWS\system32\drivers\KSecDD.sys
20:06:16.0953 4620  KSecDD - ok
20:06:16.0968 4620  [ 3A7C3CBE5D96B8AE96CE81F0B22FB527 ] lanmanserver    C:\WINDOWS\System32\srvsvc.dll
20:06:16.0968 4620  lanmanserver - ok
20:06:16.0984 4620  [ A8888A5327621856C0CEC4E385F69309 ] lanmanworkstation C:\WINDOWS\System32\wkssvc.dll
20:06:17.0000 4620  lanmanworkstation - ok
20:06:17.0015 4620  [ BE2DC24D403643A2D1D98F33C7087B38 ] LBeepKE         C:\WINDOWS\system32\Drivers\LBeepKE.sys
20:06:17.0015 4620  LBeepKE - ok
20:06:17.0078 4620  [ 910344E2A984010435AE84783B25E5EB ] LBTServ         C:\Program Files\Common Files\LogiShrd\Bluetooth\lbtserv.exe
20:06:17.0234 4620  LBTServ - ok
20:06:17.0265 4620  [ 717E6714BCA808F2A372E636AFF3D15A ] LEqdUsb         C:\WINDOWS\system32\Drivers\LEqdUsb.Sys
20:06:17.0265 4620  LEqdUsb - ok
20:06:17.0281 4620  [ 2786F7B4003ADFF88CE28BC1800B5407 ] LHidEqd         C:\WINDOWS\system32\Drivers\LHidEqd.Sys
20:06:17.0281 4620  LHidEqd - ok
20:06:17.0296 4620  [ 01CC7FB6E790EF044B411377F3A1FF41 ] LHidFilt        C:\WINDOWS\system32\DRIVERS\LHidFilt.Sys
20:06:17.0296 4620  LHidFilt - ok
20:06:17.0390 4620  [ 6105B28F5D03C4AFFA7197B228768849 ] LiveUpdate      C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
20:06:17.0734 4620  LiveUpdate - ok
20:06:17.0765 4620  [ A7DB739AE99A796D91580147E919CC59 ] LmHosts         C:\WINDOWS\System32\lmhsvc.dll
20:06:17.0765 4620  LmHosts - ok
20:06:17.0796 4620  [ A2E7EAE8898D7B4B8C302B8F4E836BB5 ] LMouFilt        C:\WINDOWS\system32\DRIVERS\LMouFilt.Sys
20:06:17.0812 4620  LMouFilt - ok
20:06:17.0828 4620  [ 81642F134929946AB4B9572C4C17298C ] LUsbFilt        C:\WINDOWS\system32\Drivers\LUsbFilt.Sys
20:06:18.0000 4620  LUsbFilt - ok
20:06:18.0046 4620  [ 4A5FFDF0FE830C448830BD4B02B02B4B ] mbamchameleon   C:\WINDOWS\system32\drivers\mbamchameleon.sys
20:06:18.0312 4620  mbamchameleon - ok
20:06:18.0343 4620  [ 986B1FF5814366D71E0AC5755C88F2D3 ] Messenger       C:\WINDOWS\System32\msgsvc.dll
20:06:18.0343 4620  Messenger - ok
20:06:18.0343 4620  MFE_RR - ok
20:06:18.0390 4620  Microsoft SharePoint Workspace Audit Service - ok
20:06:18.0406 4620  [ 4AE068242760A1FB6E1A44BF4E16AFA6 ] mnmdd           C:\WINDOWS\system32\drivers\mnmdd.sys
20:06:18.0406 4620  mnmdd - ok
20:06:18.0437 4620  [ D18F1F0C101D06A1C1ADF26EED16FCDD ] mnmsrvc         C:\WINDOWS\system32\mnmsrvc.exe
20:06:18.0453 4620  mnmsrvc - ok
20:06:18.0468 4620  [ DFCBAD3CEC1C5F964962AE10E0BCC8E1 ] Modem           C:\WINDOWS\system32\drivers\Modem.sys
20:06:18.0468 4620  Modem - ok
20:06:18.0500 4620  [ 35C9E97194C8CFB8430125F8DBC34D04 ] Mouclass        C:\WINDOWS\system32\DRIVERS\mouclass.sys
20:06:18.0500 4620  Mouclass - ok
20:06:18.0515 4620  [ B1C303E17FB9D46E87A98E4BA6769685 ] mouhid          C:\WINDOWS\system32\DRIVERS\mouhid.sys
20:06:18.0515 4620  mouhid - ok
20:06:18.0546 4620  [ A80B9A0BAD1B73637DBCBBA7DF72D3FD ] MountMgr        C:\WINDOWS\system32\drivers\MountMgr.sys
20:06:18.0546 4620  MountMgr - ok
20:06:18.0562 4620  [ CF105EE42E3F71E648CEBB3F666E1CF0 ] MpFilter        C:\WINDOWS\system32\DRIVERS\MpFilter.sys
20:06:18.0562 4620  MpFilter - ok
20:06:18.0578 4620  mraid35x - ok
20:06:18.0593 4620  [ 11D42BB6206F33FBB3BA0288D3EF81BD ] MRxDAV          C:\WINDOWS\system32\DRIVERS\mrxdav.sys
20:06:18.0718 4620  MRxDAV - ok
20:06:18.0750 4620  [ 7D304A5EB4344EBEEAB53A2FE3FFB9F0 ] MRxSmb          C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
20:06:18.0750 4620  MRxSmb - ok
20:06:18.0781 4620  [ A137F1470499A205ABBB9AAFB3B6F2B1 ] MSDTC           C:\WINDOWS\system32\msdtc.exe
20:06:18.0781 4620  MSDTC - ok
20:06:18.0812 4620  [ C941EA2454BA8350021D774DAF0F1027 ] Msfs            C:\WINDOWS\system32\drivers\Msfs.sys
20:06:18.0812 4620  Msfs - ok
20:06:18.0812 4620  MSIServer - ok
20:06:18.0843 4620  [ D1575E71568F4D9E14CA56B7B0453BF1 ] MSKSSRV         C:\WINDOWS\system32\drivers\MSKSSRV.sys
20:06:18.0843 4620  MSKSSRV - ok
20:06:18.0906 4620  [ C1F19D2BACBEE9AB64D9AE69E9859AC0 ] MsMpSvc         C:\Program Files\Microsoft Security Client\MsMpEng.exe
20:06:18.0906 4620  MsMpSvc - ok
20:06:18.0906 4620  [ 325BB26842FC7CCC1FCCE2C457317F3E ] MSPCLOCK        C:\WINDOWS\system32\drivers\MSPCLOCK.sys
20:06:18.0906 4620  MSPCLOCK - ok
20:06:18.0921 4620  [ BAD59648BA099DA4A17680B39730CB3D ] MSPQM           C:\WINDOWS\system32\drivers\MSPQM.sys
20:06:18.0921 4620  MSPQM - ok
20:06:18.0953 4620  [ AF5F4F3F14A8EA2C26DE30F7A1E17136 ] mssmbios        C:\WINDOWS\system32\DRIVERS\mssmbios.sys
20:06:18.0953 4620  mssmbios - ok
20:06:18.0984 4620  [ E53736A9E30C45FA9E7B5EAC55056D1D ] MSTEE           C:\WINDOWS\system32\drivers\MSTEE.sys
20:06:19.0000 4620  MSTEE - ok
20:06:19.0015 4620  [ CA3E22598F411199ADC2DFEE76CD0AE0 ] ms_mpu401       C:\WINDOWS\system32\drivers\msmpu401.sys
20:06:19.0015 4620  ms_mpu401 - ok
20:06:19.0046 4620  [ D48659BB24C48345D926ECB45C1EBDF5 ] MTsensor        C:\WINDOWS\system32\DRIVERS\ASACPI.sys
20:06:19.0046 4620  MTsensor - ok
20:06:19.0078 4620  [ DE6A75F5C270E756C5508D94B6CF68F5 ] Mup             C:\WINDOWS\system32\drivers\Mup.sys
20:06:19.0078 4620  Mup - ok
20:06:19.0125 4620  [ 5B50F1B2A2ED47D560577B221DA734DB ] NABTSFEC        C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
20:06:19.0125 4620  NABTSFEC - ok
20:06:19.0156 4620  [ 0102140028FAD045756796E1C685D695 ] napagent        C:\WINDOWS\System32\qagentrt.dll
20:06:19.0156 4620  napagent - ok
20:06:19.0218 4620  [ 7D7A3BC6640C1A0D1442816B30856928 ] NAVENG          C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20130326.017\NAVENG.SYS
20:06:19.0218 4620  NAVENG - ok
20:06:19.0265 4620  [ 28494C43D62AA7584BDCA2FADFBC4D11 ] NAVEX15         C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20130326.017\NAVEX15.SYS
20:06:19.0296 4620  NAVEX15 - ok
20:06:19.0312 4620  [ 1DF7F42665C94B825322FAE71721130D ] NDIS            C:\WINDOWS\system32\drivers\NDIS.sys
20:06:19.0312 4620  NDIS - ok
20:06:19.0328 4620  [ 7FF1F1FD8609C149AA432F95A8163D97 ] NdisIP          C:\WINDOWS\system32\DRIVERS\NdisIP.sys
20:06:19.0343 4620  NdisIP - ok
20:06:19.0359 4620  [ 0109C4F3850DFBAB279542515386AE22 ] NdisTapi        C:\WINDOWS\system32\DRIVERS\ndistapi.sys
20:06:19.0359 4620  NdisTapi - ok
20:06:19.0390 4620  [ F927A4434C5028758A842943EF1A3849 ] Ndisuio         C:\WINDOWS\system32\DRIVERS\ndisuio.sys
20:06:19.0390 4620  Ndisuio - ok
20:06:19.0406 4620  [ EDC1531A49C80614B2CFDA43CA8659AB ] NdisWan         C:\WINDOWS\system32\DRIVERS\ndiswan.sys
20:06:19.0406 4620  NdisWan - ok
20:06:19.0421 4620  [ 9282BD12DFB069D3889EB3FCC1000A9B ] NDProxy         C:\WINDOWS\system32\drivers\NDProxy.sys
20:06:19.0421 4620  NDProxy - ok
20:06:19.0453 4620  [ 5D81CF9A2F1A3A756B66CF684911CDF0 ] NetBIOS         C:\WINDOWS\system32\DRIVERS\netbios.sys
20:06:19.0453 4620  NetBIOS - ok
20:06:19.0468 4620  [ 74B2B2F5BEA5E9A3DC021D685551BD3D ] NetBT           C:\WINDOWS\system32\DRIVERS\netbt.sys
20:06:19.0468 4620  NetBT - ok
20:06:19.0500 4620  [ B857BA82860D7FF85AE29B095645563B ] NetDDE          C:\WINDOWS\system32\netdde.exe
20:06:19.0500 4620  NetDDE - ok
20:06:19.0515 4620  [ B857BA82860D7FF85AE29B095645563B ] NetDDEdsdm      C:\WINDOWS\system32\netdde.exe
20:06:19.0515 4620  NetDDEdsdm - ok
20:06:19.0546 4620  [ BF2466B3E18E970D8A976FB95FC1CA85 ] Netlogon        C:\WINDOWS\system32\lsass.exe
20:06:19.0546 4620  Netlogon - ok
20:06:19.0562 4620  [ 13E67B55B3ABD7BF3FE7AAE5A0F9A9DE ] Netman          C:\WINDOWS\System32\netman.dll
20:06:19.0562 4620  Netman - ok
20:06:19.0593 4620  [ D22CD77D4F0D63D1169BB35911BFF12D ] NetTcpPortSharing C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe
20:06:19.0875 4620  NetTcpPortSharing - ok
20:06:19.0890 4620  [ E9E47CFB2D461FA0FC75B7A74C6383EA ] NIC1394         C:\WINDOWS\system32\DRIVERS\nic1394.sys
20:06:19.0890 4620  NIC1394 - ok
20:06:19.0921 4620  [ 943337D786A56729263071623BBB9DE5 ] Nla             C:\WINDOWS\System32\mswsock.dll
20:06:19.0921 4620  Nla - ok
20:06:19.0953 4620  [ 3182D64AE053D6FB034F44B6DEF8034A ] Npfs            C:\WINDOWS\system32\drivers\Npfs.sys
20:06:19.0953 4620  Npfs - ok
20:06:19.0968 4620  [ 78A08DD6A8D65E697C18E1DB01C5CDCA ] Ntfs            C:\WINDOWS\system32\drivers\Ntfs.sys
20:06:19.0984 4620  Ntfs - ok
20:06:20.0000 4620  [ BF2466B3E18E970D8A976FB95FC1CA85 ] NtLmSsp         C:\WINDOWS\system32\lsass.exe
20:06:20.0000 4620  NtLmSsp - ok
20:06:20.0046 4620  [ 156F64A3345BD23C600655FB4D10BC08 ] NtmsSvc         C:\WINDOWS\system32\ntmssvc.dll
20:06:20.0062 4620  NtmsSvc - ok
20:06:20.0078 4620  [ 73C1E1F395918BC2C6DD67AF7591A3AD ] Null            C:\WINDOWS\system32\drivers\Null.sys
20:06:20.0078 4620  Null - ok
20:06:20.0281 4620  [ 7C56F3FD65B2BDB315CA3605A5392D7B ] nv              C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
20:06:20.0421 4620  nv - ok
20:06:20.0468 4620  [ DCE353985C988BFB7E84FD942068151F ] nvata           C:\WINDOWS\system32\DRIVERS\nvata.sys
20:06:20.0484 4620  nvata - ok
20:06:20.0515 4620  [ 7D275ECDA4628318912F6C945D5CF963 ] NVENETFD        C:\WINDOWS\system32\DRIVERS\NVENETFD.sys
20:06:20.0515 4620  NVENETFD - ok
20:06:20.0546 4620  [ B64AACEFAD2BE5BFF5353FE681253C67 ] nvnetbus        C:\WINDOWS\system32\DRIVERS\nvnetbus.sys
20:06:20.0546 4620  nvnetbus - ok
20:06:20.0578 4620  [ 32F7DEC3729B3BAE66EEBCAB7B03B18F ] NVSvc           C:\WINDOWS\system32\nvsvc32.exe
20:06:20.0578 4620  NVSvc - ok
20:06:20.0671 4620  [ 2CC4E45B0EB4C48392CEC9C83B5B8E3B ] nvUpdatusService C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
20:06:21.0109 4620  nvUpdatusService - ok
20:06:21.0140 4620  [ B305F3FAD35083837EF46A0BBCE2FC57 ] NwlnkFlt        C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
20:06:21.0140 4620  NwlnkFlt - ok
20:06:21.0156 4620  [ C99B3415198D1AAB7227F2C88FD664B9 ] NwlnkFwd        C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
20:06:21.0156 4620  NwlnkFwd - ok
20:06:21.0171 4620  [ 8B8B1BE2DBA4025DA6786C645F77F123 ] NwlnkIpx        C:\WINDOWS\system32\DRIVERS\nwlnkipx.sys
20:06:21.0171 4620  NwlnkIpx - ok
20:06:21.0187 4620  [ 56D34A67C05E94E16377C60609741FF8 ] NwlnkNb         C:\WINDOWS\system32\DRIVERS\nwlnknb.sys
20:06:21.0187 4620  NwlnkNb - ok
20:06:21.0203 4620  [ C0BB7D1615E1ACBDC99757F6CEAF8CF0 ] NwlnkSpx        C:\WINDOWS\system32\DRIVERS\nwlnkspx.sys
20:06:21.0203 4620  NwlnkSpx - ok
20:06:21.0234 4620  [ 4B83FCBBE72AF5F99D109798653E8B78 ] NwSapAgent      C:\WINDOWS\System32\ipxsap.dll
20:06:21.0250 4620  NwSapAgent - ok
20:06:21.0265 4620  [ CA33832DF41AFB202EE7AEB05145922F ] ohci1394        C:\WINDOWS\system32\DRIVERS\ohci1394.sys
20:06:21.0265 4620  ohci1394 - ok
20:06:21.0296 4620  [ 9D10F99A6712E28F8ACD5641E3A7EA6B ] ose             C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
20:06:21.0296 4620  ose - ok
20:06:21.0421 4620  [ 358A9CCA612C68EB2F07DDAD4CE1D8D7 ] osppsvc         C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
20:06:21.0468 4620  osppsvc - ok
20:06:21.0500 4620  [ 68CB569EDE9CFB3B0BF17966428DF025 ] P0630VID        C:\WINDOWS\system32\DRIVERS\P0630Vid.sys
20:06:21.0515 4620  P0630VID - ok
20:06:21.0546 4620  [ 5575FAF8F97CE5E713D108C2A58D7C7C ] Parport         C:\WINDOWS\system32\DRIVERS\parport.sys
20:06:21.0562 4620  Parport - ok
20:06:21.0578 4620  [ BEB3BA25197665D82EC7065B724171C6 ] PartMgr         C:\WINDOWS\system32\drivers\PartMgr.sys
20:06:21.0578 4620  PartMgr - ok
20:06:21.0593 4620  [ 70E98B3FD8E963A6A46A2E6247E0BEA1 ] ParVdm          C:\WINDOWS\system32\drivers\ParVdm.sys
20:06:21.0593 4620  ParVdm - ok
20:06:21.0609 4620  [ A219903CCF74233761D92BEF471A07B1 ] PCI             C:\WINDOWS\system32\DRIVERS\pci.sys
20:06:21.0609 4620  PCI - ok
20:06:21.0625 4620  PCIDump - ok
20:06:21.0640 4620  [ CCF5F451BB1A5A2A522A76E670000FF0 ] PCIIde          C:\WINDOWS\system32\DRIVERS\pciide.sys
20:06:21.0640 4620  PCIIde - ok
20:06:21.0671 4620  [ 9E89EF60E9EE05E3F2EEF2DA7397F1C1 ] Pcmcia          C:\WINDOWS\system32\drivers\Pcmcia.sys
20:06:21.0671 4620  Pcmcia - ok
20:06:21.0687 4620  perc2 - ok
20:06:21.0687 4620  perc2hib - ok
20:06:21.0734 4620  [ 65DF52F5B8B6E9BBD183505225C37315 ] PlugPlay        C:\WINDOWS\system32\services.exe
20:06:21.0734 4620  PlugPlay - ok
20:06:21.0734 4620  [ BF2466B3E18E970D8A976FB95FC1CA85 ] PolicyAgent     C:\WINDOWS\system32\lsass.exe
20:06:21.0750 4620  PolicyAgent - ok
20:06:21.0765 4620  [ EFEEC01B1D3CF84F16DDD24D9D9D8F99 ] PptpMiniport    C:\WINDOWS\system32\DRIVERS\raspptp.sys
20:06:21.0765 4620  PptpMiniport - ok
20:06:21.0781 4620  [ A32BEBAF723557681BFC6BD93E98BD26 ] Processor       C:\WINDOWS\system32\DRIVERS\processr.sys
20:06:21.0781 4620  Processor - ok
20:06:21.0796 4620  [ BF2466B3E18E970D8A976FB95FC1CA85 ] ProtectedStorage C:\WINDOWS\system32\lsass.exe
20:06:21.0796 4620  ProtectedStorage - ok
20:06:21.0828 4620  [ 09298EC810B07E5D582CB3A3F9255424 ] PSched          C:\WINDOWS\system32\DRIVERS\psched.sys
20:06:21.0828 4620  PSched - ok
20:06:21.0843 4620  [ 80D317BD1C3DBC5D4FE7B1678C60CADD ] Ptilink         C:\WINDOWS\system32\DRIVERS\ptilink.sys
20:06:21.0843 4620  Ptilink - ok
20:06:21.0859 4620  [ E42E3433DBB4CFFE8FDD91EAB29AEA8E ] PxHelp20        C:\WINDOWS\system32\Drivers\PxHelp20.sys
20:06:21.0859 4620  PxHelp20 - ok
20:06:21.0875 4620  ql1080 - ok
20:06:21.0890 4620  Ql10wnt - ok
20:06:21.0890 4620  ql12160 - ok
20:06:21.0906 4620  ql1240 - ok
20:06:21.0906 4620  ql1280 - ok
20:06:21.0921 4620  [ FE0D99D6F31E4FAD8159F690D68DED9C ] RasAcd          C:\WINDOWS\system32\DRIVERS\rasacd.sys
20:06:21.0921 4620  RasAcd - ok
20:06:21.0953 4620  [ AD188BE7BDF94E8DF4CA0A55C00A5073 ] RasAuto         C:\WINDOWS\System32\rasauto.dll
20:06:21.0953 4620  RasAuto - ok
20:06:21.0953 4620  [ 11B4A627BC9614B885C4969BFA5FF8A6 ] Rasl2tp         C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
20:06:21.0953 4620  Rasl2tp - ok
20:06:21.0968 4620  [ 76A9A3CBEADD68CC57CDA5E1D7448235 ] RasMan          C:\WINDOWS\System32\rasmans.dll
20:06:21.0984 4620  RasMan - ok
20:06:21.0984 4620  [ 5BC962F2654137C9909C3D4603587DEE ] RasPppoe        C:\WINDOWS\system32\DRIVERS\raspppoe.sys
20:06:21.0984 4620  RasPppoe - ok
20:06:22.0000 4620  [ FDBB1D60066FCFBB7452FD8F9829B242 ] Raspti          C:\WINDOWS\system32\DRIVERS\raspti.sys
20:06:22.0000 4620  Raspti - ok
20:06:22.0031 4620  [ 7AD224AD1A1437FE28D89CF22B17780A ] Rdbss           C:\WINDOWS\system32\DRIVERS\rdbss.sys
20:06:22.0031 4620  Rdbss - ok
20:06:22.0046 4620  [ 4912D5B403614CE99C28420F75353332 ] RDPCDD          C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
20:06:22.0046 4620  RDPCDD - ok
20:06:22.0078 4620  [ 43AF5212BD8FB5BA6EED9754358BD8F7 ] RDPWD           C:\WINDOWS\system32\drivers\RDPWD.sys
20:06:22.0078 4620  RDPWD - ok
20:06:22.0109 4620  [ 3C37BF86641BDA977C3BF8A840F3B7FA ] RDSessMgr       C:\WINDOWS\system32\sessmgr.exe
20:06:22.0109 4620  RDSessMgr - ok
20:06:22.0125 4620  [ F828DD7E1419B6653894A8F97A0094C5 ] redbook         C:\WINDOWS\system32\DRIVERS\redbook.sys
20:06:22.0125 4620  redbook - ok
20:06:22.0156 4620  [ 7E699FF5F59B5D9DE5390E3C34C67CF5 ] RemoteAccess    C:\WINDOWS\System32\mprdim.dll
20:06:22.0156 4620  RemoteAccess - ok
20:06:22.0171 4620  [ AAED593F84AFA419BBAE8572AF87CF6A ] RpcLocator      C:\WINDOWS\system32\locator.exe
20:06:22.0171 4620  RpcLocator - ok
20:06:22.0203 4620  [ 6B27A5C03DFB94B4245739065431322C ] RpcSs           C:\WINDOWS\System32\rpcss.dll
20:06:22.0203 4620  RpcSs - ok
20:06:22.0234 4620  [ 471B3F9741D762ABE75E9DEEA4787E47 ] RSVP            C:\WINDOWS\system32\rsvp.exe
20:06:22.0234 4620  RSVP - ok
20:06:22.0250 4620  [ BF2466B3E18E970D8A976FB95FC1CA85 ] SamSs           C:\WINDOWS\system32\lsass.exe
20:06:22.0250 4620  SamSs - ok
20:06:22.0281 4620  [ 39763504067962108505BFF25F024345 ] SASDIFSV        C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
20:06:22.0281 4620  SASDIFSV - ok
20:06:22.0281 4620  [ 77B9FC20084B48408AD3E87570EB4A85 ] SASKUTIL        C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
20:06:22.0281 4620  SASKUTIL - ok
20:06:22.0312 4620  [ 86D007E7A654B9A71D1D7D856B104353 ] SCardSvr        C:\WINDOWS\System32\SCardSvr.exe
20:06:22.0328 4620  SCardSvr - ok
20:06:22.0359 4620  [ 0A9A7365A1CA4319AA7C1D6CD8E4EAFA ] Schedule        C:\WINDOWS\system32\schedsvc.dll
20:06:22.0359 4620  Schedule - ok
20:06:22.0390 4620  [ 90A3935D05B494A5A39D37E71F09A677 ] Secdrv          C:\WINDOWS\system32\DRIVERS\secdrv.sys
20:06:22.0390 4620  Secdrv - ok
20:06:22.0421 4620  [ CBE612E2BB6A10E3563336191EDA1250 ] seclogon        C:\WINDOWS\System32\seclogon.dll
20:06:22.0421 4620  seclogon - ok
20:06:22.0437 4620  [ 7FDD5D0684ECA8C1F68B4D99D124DCD0 ] SENS            C:\WINDOWS\system32\sens.dll
20:06:22.0437 4620  SENS - ok
20:06:22.0453 4620  [ 0F29512CCD6BEAD730039FB4BD2C85CE ] serenum         C:\WINDOWS\system32\DRIVERS\serenum.sys
20:06:22.0453 4620  serenum - ok
20:06:22.0468 4620  [ CCA207A8896D4C6A0C9CE29A4AE411A7 ] Serial          C:\WINDOWS\system32\DRIVERS\serial.sys
20:06:22.0468 4620  Serial - ok
20:06:22.0500 4620  [ 8E6B8C671615D126FDC553D1E2DE5562 ] Sfloppy         C:\WINDOWS\system32\drivers\Sfloppy.sys
20:06:22.0515 4620  Sfloppy - ok
20:06:22.0546 4620  [ 83F41D0D89645D7235C051AB1D9523AC ] SharedAccess    C:\WINDOWS\System32\ipnathlp.dll
20:06:22.0546 4620  SharedAccess - ok
20:06:22.0578 4620  [ 99BC0B50F511924348BE19C7C7313BBF ] ShellHWDetection C:\WINDOWS\System32\shsvcs.dll
20:06:22.0578 4620  ShellHWDetection - ok
20:06:22.0625 4620  [ 09889D435EDC82435B18C7C311FE5721 ] Si3114r5        C:\WINDOWS\system32\DRIVERS\Si3114r5.sys
20:06:22.0625 4620  Si3114r5 - ok
20:06:22.0625 4620  [ 46B92189FE4DB53A09E3A0099AA3084C ] SiFilter        C:\WINDOWS\system32\DRIVERS\SiWinAcc.sys
20:06:22.0625 4620  SiFilter - ok
20:06:22.0640 4620  Simbad - ok
20:06:22.0656 4620  [ B688378D258D1ECCE4768CDB55D48D92 ] SiRemFil        C:\WINDOWS\system32\DRIVERS\SiRemFil.sys
20:06:22.0656 4620  SiRemFil - ok
20:06:22.0671 4620  [ 866D538EBE33709A5C9F5C62B73B7D14 ] SLIP            C:\WINDOWS\system32\DRIVERS\SLIP.sys
20:06:22.0671 4620  SLIP - ok
20:06:22.0734 4620  [ 0DC94380BE7D36AE241029C72807692E ] SmcService      C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
20:06:22.0765 4620  SmcService - ok
20:06:22.0765 4620  [ 0A07295A3A4BBEA54D9DFCEAEDFDA331 ] SMR322          C:\WINDOWS\system32\drivers\SMR322.SYS
20:06:22.0765 4620  SMR322 - ok
20:06:22.0812 4620  [ 65E1EBF379856B677979802C8D5BCD87 ] SNAC            C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
20:06:23.0078 4620  SNAC - ok
20:06:23.0093 4620  Sparrow - ok
20:06:23.0156 4620  [ E87CF104F12C92401C4D33C50A3D5DC8 ] SPBBCDrv        C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys
20:06:23.0656 4620  SPBBCDrv - ok
20:06:23.0671 4620  speccy - ok
20:06:23.0703 4620  [ AB8B92451ECB048A4D1DE7C3FFCB4A9F ] splitter        C:\WINDOWS\system32\drivers\splitter.sys
20:06:23.0703 4620  splitter - ok
20:06:23.0734 4620  [ 60784F891563FB1B767F70117FC2428F ] Spooler         C:\WINDOWS\system32\spoolsv.exe
20:06:23.0734 4620  Spooler - ok
20:06:23.0765 4620  [ 76BB022C2FB6902FD5BDD4F78FC13A5D ] sr              C:\WINDOWS\system32\DRIVERS\sr.sys
20:06:23.0765 4620  sr - ok
20:06:23.0796 4620  [ 3805DF0AC4296A34BA4BF93B346CC378 ] srservice       C:\WINDOWS\system32\srsvc.dll
20:06:23.0796 4620  srservice - ok
20:06:23.0828 4620  [ 5A293729E1F9FCE3A2106D1F5DC5E98A ] SRTSP           C:\WINDOWS\system32\Drivers\SRTSP.SYS
20:06:23.0828 4620  SRTSP - ok
20:06:23.0843 4620  [ 0DDB7FBA32BE09D8057063C0CEE24137 ] SRTSPL          C:\WINDOWS\system32\Drivers\SRTSPL.SYS
20:06:23.0859 4620  SRTSPL - ok
20:06:23.0875 4620  [ A99719DFB61B61AA5026341BBB733C0A ] SRTSPX          C:\WINDOWS\system32\Drivers\SRTSPX.SYS
20:06:23.0875 4620  SRTSPX - ok
20:06:23.0890 4620  [ 47DDFC2F003F7F9F0592C6874962A2E7 ] Srv             C:\WINDOWS\system32\DRIVERS\srv.sys
20:06:23.0906 4620  Srv - ok
20:06:23.0921 4620  [ 0A5679B3714EDAB99E357057EE88FCA6 ] SSDPSRV         C:\WINDOWS\System32\ssdpsrv.dll
20:06:23.0921 4620  SSDPSRV - ok
20:06:23.0953 4620  [ 8BAD69CBAC032D4BBACFCE0306174C30 ] stisvc          C:\WINDOWS\system32\wiaservc.dll
20:06:23.0968 4620  stisvc - ok
20:06:23.0984 4620  [ 77813007BA6265C4B6098187E6ED79D2 ] streamip        C:\WINDOWS\system32\DRIVERS\StreamIP.sys
20:06:24.0000 4620  streamip - ok
20:06:24.0015 4620  [ 3941D127AEF12E93ADDF6FE6EE027E0F ] swenum          C:\WINDOWS\system32\DRIVERS\swenum.sys
20:06:24.0015 4620  swenum - ok
20:06:24.0031 4620  [ 8CE882BCC6CF8A62F2B2323D95CB3D01 ] swmidi          C:\WINDOWS\system32\drivers\swmidi.sys
20:06:24.0046 4620  swmidi - ok
20:06:24.0046 4620  SwPrv - ok
20:06:24.0125 4620  [ F3A4EAD0B3946E439F0397F7A4D09952 ] Symantec AntiVirus C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
20:06:24.0140 4620  Symantec AntiVirus - ok
20:06:24.0156 4620  symc810 - ok
20:06:24.0156 4620  symc8xx - ok
20:06:24.0171 4620  [ A54FF04BD6E75DC4D8CB6F3E352635E0 ] SymEvent        C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
20:06:24.0171 4620  SymEvent - ok
20:06:24.0203 4620  [ 394B2368212114D538316812AF60FDDD ] SYMREDRV        C:\WINDOWS\System32\Drivers\SYMREDRV.SYS
20:06:24.0203 4620  SYMREDRV - ok
20:06:24.0218 4620  [ D46676BB414C7531BDFFE637A33F5033 ] SYMTDI          C:\WINDOWS\System32\Drivers\SYMTDI.SYS
20:06:24.0218 4620  SYMTDI - ok
20:06:24.0234 4620  sym_hi - ok
20:06:24.0234 4620  sym_u3 - ok
20:06:24.0250 4620  [ 8B83F3ED0F1688B4958F77CD6D2BF290 ] sysaudio        C:\WINDOWS\system32\drivers\sysaudio.sys
20:06:24.0250 4620  sysaudio - ok
20:06:24.0296 4620  [ C7ABBC59B43274B1109DF6B24D617051 ] SysmonLog       C:\WINDOWS\system32\smlogsvc.exe
20:06:24.0296 4620  SysmonLog - ok
20:06:24.0343 4620  [ 3CB78C17BB664637787C9A1C98F79C38 ] TapiSrv         C:\WINDOWS\System32\tapisrv.dll
20:06:24.0343 4620  TapiSrv - ok
20:06:24.0390 4620  [ 9AEFA14BD6B182D61E3119FA5F436D3D ] Tcpip           C:\WINDOWS\system32\DRIVERS\tcpip.sys
20:06:24.0390 4620  Tcpip - ok
20:06:24.0406 4620  [ 6471A66807F5E104E4885F5B67349397 ] TDPIPE          C:\WINDOWS\system32\drivers\TDPIPE.sys
20:06:24.0593 4620  TDPIPE - ok
20:06:24.0609 4620  [ C56B6D0402371CF3700EB322EF3AAF61 ] TDTCP           C:\WINDOWS\system32\drivers\TDTCP.sys
20:06:24.0718 4620  TDTCP - ok
20:06:24.0734 4620  [ 88155247177638048422893737429D9E ] TermDD          C:\WINDOWS\system32\DRIVERS\termdd.sys
20:06:24.0734 4620  TermDD - ok
20:06:24.0765 4620  [ FF3477C03BE7201C294C35F684B3479F ] TermService     C:\WINDOWS\System32\termsrv.dll
20:06:24.0765 4620  TermService - ok
20:06:24.0796 4620  [ 99BC0B50F511924348BE19C7C7313BBF ] Themes          C:\WINDOWS\System32\shsvcs.dll
20:06:24.0796 4620  Themes - ok
20:06:24.0812 4620  TosIde - ok
20:06:24.0828 4620  [ 55BCA12F7F523D35CA3CB833C725F54E ] TrkWks          C:\WINDOWS\system32\trkwks.dll
20:06:24.0828 4620  TrkWks - ok
20:06:26.0093 4620  ================ Scan global ===============================
20:06:26.0125 4620  [ 42F1F4C0AFB08410E5F02D4B13EBB623 ] C:\WINDOWS\system32\basesrv.dll
20:06:26.0140 4620  [ 8C7DCA4B158BF16894120786A7A5F366 ] C:\WINDOWS\system32\winsrv.dll
20:06:26.0156 4620  [ 8C7DCA4B158BF16894120786A7A5F366 ] C:\WINDOWS\system32\winsrv.dll
20:06:26.0171 4620  [ 65DF52F5B8B6E9BBD183505225C37315 ] C:\WINDOWS\system32\services.exe
20:06:26.0187 4620  [Global] - ok
20:06:26.0187 4620  ================ Scan MBR ==================================
20:06:26.0203 4620  [ 8F558EB6672622401DA993E1E865C861 ] \Device\Harddisk0\DR0
20:06:26.0312 4620  \Device\Harddisk0\DR0 - ok
20:06:26.0312 4620  [ 671B81004FDD1588FA9ED1331C9CECA9 ] \Device\Harddisk6\DR30
20:06:26.0328 4620  \Device\Harddisk6\DR30 - ok
20:06:26.0328 4620  ================ Scan VBR ==================================
20:06:26.0328 4620  [ 009A8DC1C70784FB19185DEAC65CE917 ] \Device\Harddisk0\DR0\Partition1
20:06:26.0328 4620  \Device\Harddisk0\DR0\Partition1 - ok
20:06:26.0343 4620  [ 534F9A154D891C3DC3558BB2BE740294 ] \Device\Harddisk0\DR0\Partition2
20:06:26.0343 4620  \Device\Harddisk0\DR0\Partition2 - ok
20:06:26.0375 4620  [ 4BC14CF180FEEBD57F21DD023612BE1C ] \Device\Harddisk0\DR0\Partition3
20:06:26.0375 4620  \Device\Harddisk0\DR0\Partition3 - ok
20:06:26.0375 4620  [ FA4C2AFE846478FFCAA92AA3710F479B ] \Device\Harddisk6\DR30\Partition1
20:06:26.0375 4620  \Device\Harddisk6\DR30\Partition1 - ok
20:06:26.0375 4620  ============================================================
20:06:26.0375 4620  Scan finished
20:06:26.0375 4620  ============================================================
20:06:26.0390 0292  Detected object count: 0
20:06:26.0390 0292  Actual detected object count: 0
 
 
Fresh log of Malwarebytes Anti-Malware with latest updates ...
 
 Malwarebytes Anti-Malware 1.70.0.1100
www.malwarebytes.org
 
Database version: v2013.03.28.01
 
Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Kevin :: HOMER [administrator]
 
3/27/2013 8:12:10 PM
mbam-log-2013-03-27 (20-12-10).txt
 
Scan type: Full scan (C:\|D:\|E:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 854223
Time elapsed: 4 hour(s), 38 minute(s), 25 second(s)
 
Memory Processes Detected: 0
(No malicious items detected)
 
Memory Modules Detected: 0
(No malicious items detected)
 
Registry Keys Detected: 0
(No malicious items detected)
 
Registry Values Detected: 0
(No malicious items detected)
 
Registry Data Items Detected: 0
(No malicious items detected)
 
Folders Detected: 0
(No malicious items detected)
 
Files Detected: 1
E:\System Volume Information\_restore{F9A2887D-7BC0-4591-8C52-6F9790424E73}\RP2\A0000096.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
 
(end)


#4 jeffce

jeffce

    Bleepin' Super Saiyan


  • Malware Response Team
  • 3,442 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:12:48 AM

Posted 28 March 2013 - 06:56 AM

Good job...thanks.   :)
 
 
 
ComboFix
 
Please read through these instructions to familiarize yourself with what to expect when this tool runs.
 
Download ComboFix from one of these locations:
 
Link 1
Link 2
 
* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.  Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : How to Disable your Security Programs
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.  It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
     

    RCUpdate1.png

     
    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
     
    RC2-1.png
     
    Click on Yes, to continue scanning for malware.
     
    When finished, it shall produce a log for you.  Please include the C:\ComboFix.txt in your next reply.
     
    Notes:
     
    1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    3. CF disconnects your machine from the internet.  The connection is automatically restored before CF completes its run.  If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    4. If you get a message saying "Illegal operation attempted on a registry key that has been marked for deletion", please restart your computer.
    ----------

WFxJwA4.png
 
mvp_horizontal_fullcolor-(copy2).jpeg
 


#5 QuasiChameleon

QuasiChameleon
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  • Local time:12:48 AM

Posted 28 March 2013 - 10:45 AM

Attached is ComboFix.txt.

 

Note that I ran ComboFix twice.  I couldn't find the log the first time as I was looking in the wrong directory, so I rebooted and ran ComboFix a second time.


#6 jeffce

jeffce

    Bleepin' Super Saiyan


  • Malware Response Team
  • 3,442 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:12:48 AM

Posted 28 March 2013 - 12:53 PM

Please go to: VirusTotal
On the page you'll find a "Choose File" button.
Click on the Choose File button.
In the Choose File to Upload window which opens, copy and paste this into the File Name box.

c:\docume~1\Kevin\LOCALS~1\Temp\dea7ac42-1780-4bf7-9778-e70be1f6aa54

Next, click the Open button.
Then click the "Scan It!" button just below.
This will scan the file. Please be patient.
If you get a message saying File has already been analyzed: click Reanalyze file now
Once scanned, copy and paste the link to the results page in your next reply.
----------



#7 QuasiChameleon

QuasiChameleon
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  • Local time:12:48 AM

Posted 28 March 2013 - 01:00 PM

I cannot find the file at c:\docume~1\Kevin\LOCALS~1\Temp\dea7ac42-1780-4bf7-9778-e70be1f6aa54



#8 jeffce

jeffce

    Bleepin' Super Saiyan


  • Malware Response Team
  • 3,442 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:12:48 AM

Posted 28 March 2013 - 03:22 PM

You can't find it or it's just not there?  :)




#9 QuasiChameleon

QuasiChameleon
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  • Local time:12:48 AM

Posted 28 March 2013 - 03:36 PM

It's not there.



#10 jeffce

jeffce

    Bleepin' Super Saiyan


  • Malware Response Team
  • 3,442 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:12:48 AM

Posted 28 March 2013 - 08:36 PM

Ok thanks for letting me know. :)

ComboFix
  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the box below:
ClearJavaCache::
 
File::
c:\docume~1\Kevin\LOCALS~1\Temp\mfe_rr.sys
c:\docume~1\Kevin\LOCALS~1\Temp\dea7ac42-1780-4bf7-9778-e70be1f6aa54
 
Driver::
MFE_RR
speccy
  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.
CFScriptB-4.gif
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix may request an update; please allow it.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Post the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


Post the new Combofix log and let me know how your system is running now. :)



#11 QuasiChameleon

QuasiChameleon
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  • Local time:12:48 AM

Posted 28 March 2013 - 09:44 PM

I would have to verify that Zero Access is gone by scanning with Trend Micro's RootkitBuster, which informed me in the first place.  With your permission, I will scan with RootkitBuster.
 
 
Here's the log ...
 
 
ComboFix 13-03-28.01 - Kevin 03/28/2013  21:11:16.7.1 - x86
Running from: d:\documents and settings\Kevin\Desktop\ComboFix.exe
Command switches used :: d:\documents and settings\Kevin\Desktop\CFScript.txt
 * Created a new restore point
.
FILE ::
"c:\docume~1\Kevin\LOCALS~1\Temp\dea7ac42-1780-4bf7-9778-e70be1f6aa54"
"c:\docume~1\Kevin\LOCALS~1\Temp\mfe_rr.sys"
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_MFE_RR
-------\Service_MFE_RR
-------\Service_speccy
.
.
(((((((((((((((((((((((((   Files Created from 2013-02-28 to 2013-03-29  )))))))))))))))))))))))))))))))
.
.
2013-03-28 01:09 . 2013-03-28 01:10 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2013-03-27 19:02 . 2013-03-15 07:21 7108640 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{EE147C29-FC7B-4081-BC4A-AC5222C46F80}\mpengine.dll
2013-03-26 19:02 . 2013-03-15 07:21 7108640 ------w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2013-03-25 20:00 . 2013-03-25 20:03 -------- d-----w- c:\program files\glassfish-3.1.2.2
2013-03-25 19:42 . 2013-03-25 20:05 -------- d-----w- c:\program files\NetBeans 7.3
2013-03-25 19:16 . 2012-11-02 20:51 -------- d-----w- C:\opencv
2013-03-25 17:21 . 2013-03-25 17:21 31424 ----a-w- c:\windows\system32\drivers\ERKRmvrDrv.sys
2013-03-21 22:31 . 2013-03-21 22:31 -------- d-----w- c:\documents and settings\Kevin\Application Data\Malwarebytes
2013-03-21 22:31 . 2012-12-14 21:49 21104 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-03-21 20:18 . 2013-03-21 20:18 -------- d-----w- c:\documents and settings\All Users\Application Data\SMR322
2013-03-21 17:44 . 2013-03-25 18:56 -------- d-----w- c:\documents and settings\Kevin\Local Settings\Application Data\NPE
2013-03-21 17:44 . 2013-03-21 17:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2013-03-20 15:11 . 2011-08-27 13:19 331776 ----a-w- c:\windows\system32\glew32.dll
2013-03-20 15:11 . 2010-01-25 00:44 245760 ----a-w- c:\windows\system32\glut32.dll
2013-03-20 03:17 . 2013-03-20 03:16 143872 ----a-w- c:\windows\system32\javacpl.cpl
2013-03-20 03:17 . 2013-03-20 03:16 94112 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-03-20 03:14 . 2013-03-20 03:14 21664 ----a-w- c:\windows\system32\drivers\HWiNFO32.SYS
2013-03-20 03:09 . 2013-03-20 03:09 -------- d-----w- c:\program files\HWiNFO32
2013-03-20 01:36 . 2013-03-20 01:36 -------- d-----w- c:\documents and settings\All Users\Application Data\VS
2013-03-18 19:11 . 2013-03-18 19:11 -------- d-----w- c:\program files\Microsoft SQL Server
2013-03-18 19:05 . 2013-03-20 15:17 112832 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\VCExpress\10.0\1033\ResourceCache.dll
2013-03-18 19:00 . 2013-03-18 19:00 -------- d-----w- c:\windows\symbols
2013-03-18 19:00 . 2013-03-18 19:00 -------- d-----w- c:\program files\Microsoft Help Viewer
2013-03-18 19:00 . 2013-03-18 19:00 -------- d-----w- c:\program files\Common Files\Merge Modules
2013-03-18 19:00 . 2013-03-18 19:02 -------- d-----w- c:\program files\Microsoft Visual Studio 10.0
2013-03-18 19:00 . 2013-03-18 19:00 -------- d-----w- c:\program files\Microsoft SDKs
2013-03-18 18:07 . 2013-03-20 19:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Package Cache
2013-03-18 17:27 . 2013-03-18 17:27 -------- d-sh--w- c:\documents and settings\Default User\IETldCache
2013-03-18 17:16 . 2013-03-18 17:16 -------- d-sh--w- c:\documents and settings\Default User\PrivacIE
2013-03-16 12:33 . 2013-02-12 00:32 12928 -c----w- c:\windows\system32\dllcache\usb8023x.sys
2013-03-16 12:33 . 2013-02-12 00:32 12928 -c----w- c:\windows\system32\dllcache\usb8023.sys
2013-03-12 19:24 . 2013-03-12 19:24 -------- d-----w- c:\program files\Hubb Client Data Manager
2013-03-07 23:42 . 2013-03-07 23:42 5664768 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\BingDesktop\Updater\BingDesktop.msi
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-03-21 18:27 . 2012-04-03 03:45 693976 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-03-21 18:27 . 2012-03-10 03:37 73432 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-03-20 03:16 . 2012-04-17 23:04 861088 ----a-w- c:\windows\system32\npdeployJava1.dll
2013-03-20 03:16 . 2011-01-16 15:40 782240 ----a-w- c:\windows\system32\deployJava1.dll
2013-02-17 13:14 . 2011-01-18 01:28 16400 ----a-w- c:\windows\system32\drivers\LNonPnP.sys
2013-02-12 00:32 . 2011-01-16 00:12 12928 ------w- c:\windows\system32\drivers\usb8023x.sys
2013-02-12 00:32 . 2004-08-04 12:00 12928 ----a-w- c:\windows\system32\drivers\usb8023.sys
2013-02-08 11:03 . 2012-02-10 03:40 1010464 ----a-w- c:\windows\system32\nvdispco32.dll
2013-02-08 11:03 . 2005-07-21 04:07 19189760 ----a-w- c:\windows\system32\nvoglnt.dll
2013-02-08 11:03 . 2005-07-21 04:07 4494336 ----a-w- c:\windows\system32\nv4_disp.dll
2013-02-08 11:02 . 2010-07-10 11:38 7536640 ----a-w- c:\windows\system32\nvcuda.dll
2013-02-08 11:02 . 2010-07-10 11:38 2581792 ----a-w- c:\windows\system32\nvcuvid.dll
2013-02-08 11:02 . 2013-02-08 11:02 892704 ----a-w- c:\windows\system32\nvdispgenco32.dll
2013-02-08 11:02 . 2010-07-10 11:38 2389504 ----a-w- c:\windows\system32\nvapi.dll
2013-02-08 11:02 . 2010-07-10 11:38 17551360 ----a-w- c:\windows\system32\nvcompiler.dll
2013-02-08 11:02 . 2005-07-21 04:07 12648960 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2013-02-08 11:02 . 2013-02-08 11:02 5967872 ----a-w- c:\windows\system32\nvopencl.dll
2013-02-08 11:02 . 2010-07-10 11:38 1869088 ----a-w- c:\windows\system32\nvcuvenc.dll
2013-02-06 21:27 . 2012-09-30 21:07 208920 ----a-w- c:\windows\system32\drivers\keyscrambler.sys
2013-02-06 16:08 . 2013-02-06 16:08 35144 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2013-02-06 15:43 . 2013-02-06 15:43 256904 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2013-02-05 20:05 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2013-02-05 20:05 . 2004-08-04 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2013-02-05 20:05 . 2004-08-04 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2013-02-05 05:53 . 2004-08-04 12:00 385024 ----a-w- c:\windows\system32\html.iec
2013-01-30 10:53 . 2012-01-31 03:40 232336 ------w- c:\windows\system32\MpSigStub.exe
2013-01-26 03:55 . 2004-08-04 12:00 552448 ----a-w- c:\windows\system32\oleaut32.dll
2013-01-20 21:59 . 2011-04-18 18:18 195296 ----a-w- c:\windows\system32\drivers\MpFilter.sys
2013-01-14 14:48 . 2013-01-14 14:48 10 ----a-w- c:\windows\Fonts\wfonts.key
2013-01-07 01:16 . 2004-08-04 12:00 2193024 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-01-07 00:36 . 2004-08-03 22:59 2069760 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-01-04 01:20 . 2004-08-04 12:00 1867264 ----a-w- c:\windows\system32\win32k.sys
2013-01-02 06:49 . 2004-08-04 12:00 148992 ----a-w- c:\windows\system32\mpg2splt.ax
2013-01-02 06:49 . 2004-08-04 12:00 1292288 ----a-w- c:\windows\system32\quartz.dll
2012-08-19 01:16 . 2012-02-20 17:25 136672 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-13 23:32 129272 ----a-w- c:\documents and settings\Kevin\Application Data\Dropbox\bin\DropboxExt.17.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-13 23:32 129272 ----a-w- c:\documents and settings\Kevin\Application Data\Dropbox\bin\DropboxExt.17.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-13 23:32 129272 ----a-w- c:\documents and settings\Kevin\Application Data\Dropbox\bin\DropboxExt.17.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2012-11-13 23:32 129272 ----a-w- c:\documents and settings\Kevin\Application Data\Dropbox\bin\DropboxExt.17.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveBlacklistedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}]
2013-03-07 21:31 576976 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D44}]
2013-03-07 21:31 576976 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}]
2013-03-07 21:31 576976 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncingOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}]
2013-03-07 21:31 576976 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"0A0490A6658693B158ABDD8F6D19517D38459327._service_run"="c:\program files\Google\Chrome\Application\chrome.exe" [2013-03-11 1274320]
"Xmarks"="c:\program files\Xmarks\IE Extension\xmarkssync.exe" [2012-03-07 1122848]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2010-09-29 115560]
"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\\nTune.exe" [2004-12-06 532480]
"CoolSwitch"="c:\windows\system32\taskswitch.exe" [2002-03-19 45632]
"ZoneAlarm"="c:\program files\CheckPoint\ZoneAlarm\zatray.exe" [2012-11-20 73392]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2013-01-27 947152]
"KeyScrambler"="c:\program files\KeyScrambler\keyscrambler.exe" [2013-02-10 534160]
"ISW"="" [BU]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled
Amazon Unbox.lnk - c:\program files\Amazon\Amazon Unbox Video\ADVWindowsClientSystemTray.exe [2010-9-13 97384]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2010-10-28 10:13 64592 ----a-w- c:\program files\Common Files\LogiShrd\Bluetooth\LBTWLgn.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MSIServer]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^Kevin^Start Menu^Programs^Startup^Dropbox.lnk]
backup=c:\windows\pss\Dropbox.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-12-03 07:35 946352 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2012-10-12 02:56 59280 ----a-w- c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCSSync]
2010-03-13 20:54 91520 ----a-w- c:\program files\Microsoft Office\Office14\BCSSync.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BingDesktop]
2012-11-22 16:50 2127896 ----a-w- c:\program files\Microsoft\BingDesktop\BingDesktop.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccleaner]
2013-02-25 17:48 3288856 ----a-w- c:\program files\CCleaner\CCleaner.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2011-07-28 23:08 1259376 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2011-05-10 07:41 49208 ----a-w- c:\program files\HP\HP Software Update\hpwuschd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2012-09-10 04:30 421776 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2012-10-25 08:12 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2012-07-03 14:04 252848 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2011-01-16 15:14 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=
"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Documents and Settings\\Kevin\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Microsoft Office\\Office14\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office14\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE"=
"c:\\Program Files\\NVIDIA Corporation\\NVIDIA Updatus\\daemonu.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Documents and Settings\\Kevin\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management 
.
R3 COH_Mon;COH_Mon;c:\windows\system32\Drivers\COH_Mon.sys [x]
R3 ERmvrDrv;ESET standalone malware removal tool kernel-mode driver;c:\windows\system32\drivers\ERKRmvrDrv.sys [x]
R3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys [x]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [x]
R3 P0630VID;Creative WebCam Live!;c:\windows\system32\DRIVERS\P0630Vid.sys [x]
S1 HWiNFO32;HWiNFO32/64 Kernel Driver;c:\windows\system32\drivers\HWiNFO32.SYS [x]
S1 kl2;kl2;c:\windows\system32\DRIVERS\kl2.sys [x]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [x]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [x]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [x]
S2 BingDesktopUpdate;Bing Desktop Update service;c:\program files\Microsoft\BingDesktop\BingDesktopUpdater.exe [x]
S2 IntuitUpdateServiceV4;Intuit Update Service v4;c:\program files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe [x]
S2 ISWKL;ZoneAlarm LTD Toolbar ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [x]
S2 IswSvc;ZoneAlarm LTD Toolbar IswSvc;c:\program files\CheckPoint\ZAForceField\IswSvc.exe [x]
S2 LBeepKE;Logitech Beep Suppression Driver;c:\windows\system32\Drivers\LBeepKE.sys [x]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [x]
S3 KeyScrambler;KeyScrambler;c:\windows\system32\drivers\keyscrambler.sys [x]
S3 LEqdUsb;Logitech SetPoint Unifying KMDF USB Filter;c:\windows\system32\Drivers\LEqdUsb.Sys [x]
S3 LHidEqd;Logitech SetPoint Unifying KMDF HID Filter;c:\windows\system32\Drivers\LHidEqd.Sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-03-18 16:53 1629648 ----a-w- c:\program files\Google\Chrome\Application\25.0.1364.172\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-03-21 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-03 18:27]
.
2012-10-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 22:57]
.
2013-02-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-01-16 15:14]
.
2013-02-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-01-16 15:14]
.
2012-09-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-796845957-1659004503-725345543-1004Core.job
- c:\documents and settings\Kevin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-01-18 03:22]
.
2012-09-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-796845957-1659004503-725345543-1004UA.job
- c:\documents and settings\Kevin\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-01-18 03:22]
.
2012-06-25 c:\windows\Tasks\HP Photo Creations Communicator.job
- c:\documents and settings\All Users\Application Data\HP Photo Creations\MessageCheck.exe [2012-02-21 01:50]
.
2013-03-28 c:\windows\Tasks\Microsoft Antimalware Scheduled Scan.job
- c:\program files\Microsoft Security Client\MpCmdRun.exe [2013-01-27 17:11]
.
2013-03-28 c:\windows\Tasks\User_Feed_Synchronization-{CEFD98F5-6C22-4C64-B588-3F80828D6060}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 10:31]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~3\Office14\ONBttnIE.dll/105
TCP: DhcpNameServer = 75.75.76.76 75.75.75.75
FF - ProfilePath - c:\documents and settings\Kevin\Application Data\Mozilla\Firefox\Profiles\u0heru65.default\
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?q=
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true);user_pref(extensions.zonealarm.rvrtMsg, Click Yes to keep current home page and default search settings, Click No to restore original settings
FF - user.js: extensions.zonealarm.autoRvrt - true
FF - user.js: extensions.zonealarm_i.newTab - false
FF - user.js: extensions.zonealarm.tlbrSrchUrl - hxxp://search.zonealarm.com/search?Source=ToolBar&oemCode=ZLN20419448777083-1001&toolbarId=base&affiliateId=1025&Lan={dfltLng}&utid=90e3ecec0000000000000015f250cbba&q=
FF - user.js: extensions.zonealarm.id - 90e3ecec0000000000000015f250cbba
FF - user.js: extensions.zonealarm.instlDay - 15500
FF - user.js: extensions.zonealarm.vrsn - 1.5.23.8
FF - user.js: extensions.zonealarm.vrsni - 1.5.23.8
FF - user.js: extensions.zonealarm_i.vrsnTs - 1.5.23.821:05
FF - user.js: extensions.zonealarm.prtnrId - checkpoint
FF - user.js: extensions.zonealarm.prdct - zonealarm
FF - user.js: extensions.zonealarm.aflt - 1025
FF - user.js: extensions.zonealarm_i.smplGrp - none
FF - user.js: extensions.zonealarm.tlbrId - base
FF - user.js: extensions.zonealarm.instlRef - ZLN20419448777083-1001
FF - user.js: extensions.zonealarm.dfltLng - en
FF - user.js: extensions.zonealarm.excTlbr - true
FF - user.js: extensions.zonealarm.admin - false
user_pref('extensions.autoDisableScopes', 0);user_pref('security.csp.enable', false);user_pref('security.OCSP.enabled', 0);
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{81017EA9-9AA8-4A6A-9734-7AF40E7D593F} - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-03-28 21:33
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ... 
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,58,b2,a1,64,14,70,b5,41,be,98,2b,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,58,b2,a1,64,14,70,b5,41,be,98,2b,\
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{C8618CE4-B0B4-4D1D-8336-866A8B88B639}]
@Denied: (A 2 3) (Everyone)
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{C8618CE4-B0B4-4D1D-8336-866A8B88B639}\InProcServer32]
@="\\Explorer.exe"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{C8618CE4-B0B4-4D1D-8336-866A8B88B639}\ProgID]
@="DAO.Client"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{C8618CE4-B0B4-4D1D-8336-866A8B88B639}\TypeLib]
@="{C8618CE4-0572-1026-8336-6A6C6D6E7139}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(756)
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
.
- - - - - - - > 'lsass.exe'(812)
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
.
- - - - - - - > 'explorer.exe'(2020)
c:\windows\system32\WININET.dll
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\documents and settings\Kevin\Application Data\Dropbox\bin\DropboxExt.17.dll
c:\program files\Google\Drive\googledrivesync32.dll
c:\progra~1\COMMON~1\MICROS~1\OFFICE14\Cultures\office.odf
c:\progra~1\MICROS~3\Office14\1033\GrooveIntlResource.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Client\MsMpEng.exe
c:\program files\Symantec\Symantec Endpoint Protection\Smc.exe
c:\program files\Common Files\Symantec Shared\ccSvcHst.exe
c:\program files\Google\Update\1.3.21.135\GoogleCrashHandler.exe
c:\program files\Java\jre7\bin\jqs.exe
c:\program files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
c:\program files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
c:\windows\system32\wscntfy.exe
c:\program files\Symantec\Symantec Endpoint Protection\SmcGui.exe
.
**************************************************************************
.
Completion time: 2013-03-28  21:39:00 - machine was rebooted
ComboFix-quarantined-files.txt  2013-03-29 02:38
ComboFix2.txt  2013-03-28 14:58
ComboFix3.txt  2013-03-21 20:51
ComboFix4.txt  2013-03-21 19:56
.
Pre-Run: 56,263,606,272 bytes free
Post-Run: 56,112,955,392 bytes free
.
- - End Of File - - 7960B5BE65BD7768674C5E1DFDE72465


#12 jeffce

jeffce

    Bleepin' Super Saiyan


  • Malware Response Team
  • 3,442 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:12:48 AM

Posted 29 March 2013 - 06:39 AM

With your permission, I will scan with RootkitBuster.

Feel free to do so.  :)  Let me know the results.




#13 QuasiChameleon

QuasiChameleon
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  • Local time:12:48 AM

Posted 29 March 2013 - 11:39 AM

I still have Zero Access.  Logs below ...
+----------------------------------------------------
| Trend Micro RootkitBuster
| Module version: 5.0.0.1129
| Computer Name: HOMER
| OS version: 5.1-2600
| User Name: Kevin
+----------------------------------------------------
 
 
--== Dump Hidden MBR, Hidden Files and Alternate Data Streams on C:\ ==--
[FILE_STREAM]:
FullPath      : C:\Documents and Settings\Administrator\My Documents\Downloads\kss12.0.1.117EN_RU_DE_FR_2926.exe:Zone.Identifier:$DATA
FullPathLength: 96
DesiredAccess : 0x0
Options       : 0x0
Attributes    : 0x20
ShareAccess   : 0x0
Type          : 0x0
[FILE_STREAM]:
FullPath      : C:\Documents and Settings\Administrator\My Documents\Downloads\RootkitRevealer.zip:Zone.Identifier:$DATA
FullPathLength: 82
DesiredAccess : 0x0
Options       : 0x0
Attributes    : 0x20
ShareAccess   : 0x0
Type          : 0x0
[FILE_STREAM]:
FullPath      : C:\Documents and Settings\Default User\Favorites\Links\Suggested Sites.url:favicon:$DATA
FullPathLength: 74
DesiredAccess : 0x0
Options       : 0x0
Attributes    : 0x20
ShareAccess   : 0x0
Type          : 0x0
[FILE_STREAM]:
FullPath      : C:\Documents and Settings\Kevin\Local Settings\Application Data\Xmarks\Backup\Links\Suggested Sites.url:favicon:$DATA
FullPathLength: 103
DesiredAccess : 0x0
Options       : 0x0
Attributes    : 0x20
ShareAccess   : 0x0
Type          : 0x0
[FILE_STREAM]:
FullPath      : C:\Program Files\ConTEXT\Backup\IntegerArray.txt.bak:Zone.Identifier:$DATA
FullPathLength: 52
DesiredAccess : 0x0
Options       : 0x0
Attributes    : 0x21
ShareAccess   : 0x0
Type          : 0x0
[FILE_STREAM]:
FullPath      : C:\Program Files\ConTEXT\Highlighters\Batch.chl:Zone.Identifier:$DATA
FullPathLength: 47
DesiredAccess : 0x0
Options       : 0x0
Attributes    : 0x20
ShareAccess   : 0x0
Type          : 0x0
[FILE_STREAM]:
FullPath      : C:\Program Files\ConTEXT\Highlighters\commonlisp.chl:Zone.Identifier:$DATA
FullPathLength: 52
DesiredAccess : 0x0
Options       : 0x0
Attributes    : 0x20
ShareAccess   : 0x0
Type          : 0x0
[FILE_STREAM]:
FullPath      : C:\Program Files\ConTEXT\Highlighters\Highlighter.chl:Zone.Identifier:$DATA
FullPathLength: 53
DesiredAccess : 0x0
Options       : 0x0
Attributes    : 0x20
ShareAccess   : 0x0
Type          : 0x0
[FILE_STREAM]:
FullPath      : C:\Program Files\ConTEXT\Highlighters\Latex.chl:Zone.Identifier:$DATA
FullPathLength: 47
DesiredAccess : 0x0
Options       : 0x0
Attributes    : 0x20
ShareAccess   : 0x0
Type          : 0x0
[FILE_STREAM]:
FullPath      : C:\Program Files\ConTEXT\Highlighters\Matlab6.chl:Zone.Identifier:$DATA
FullPathLength: 49
DesiredAccess : 0x0
Options       : 0x0
Attributes    : 0x20
ShareAccess   : 0x0
Type          : 0x0
[FILE_STREAM]:
FullPath      : C:\Program Files\ConTEXT\Highlighters\MatlabTLC.chl:Zone.Identifier:$DATA
FullPathLength: 51
DesiredAccess : 0x0
Options       : 0x0
Attributes    : 0x20
ShareAccess   : 0x0
Type          : 0x0
[FILE_STREAM]:
FullPath      : C:\Program Files\ConTEXT\Highlighters\rscript.chl:Zone.Identifier:$DATA
FullPathLength: 49
DesiredAccess : 0x0
Options       : 0x0
Attributes    : 0x20
ShareAccess   : 0x0
Type          : 0x0
[FILE_STREAM]:
FullPath      : C:\Program Files\ConTEXT\Highlighters\vbScript.chl:Zone.Identifier:$DATA
FullPathLength: 50
DesiredAccess : 0x0
Options       : 0x0
Attributes    : 0x20
ShareAccess   : 0x0
Type          : 0x0
 13 hidden files found.
 
--== Dump Hidden Registry Value on HKLM ==--
No hidden registry entries found.
 
 
--== Dump Hidden Process ==--
No hidden processes found.
 
--== Dump Hidden Driver ==--
No hidden drivers found.
 
--== Service Win32 API Hook List ==--
[HOOKED_SERVICE_API]:
Service API     : ZwAdjustPrivilegesToken
Image Path      : C:\WINDOWS\system32\DRIVERS\klif.sys
OriginalHandler : 0x805e27c2
CurrentHandler  : 0xf13d0414
ServiceNumber   : 0xb
ModuleName      : klif.sys
SDTType         : 0x0
[HOOKED_SERVICE_API]:
Service API     : ZwAlertResumeThread
Image Path      : 
OriginalHandler : 0x805cb024
CurrentHandler  : 0x86e6fa50
ServiceNumber   : 0xc
ModuleName      : 
SDTType         : 0x0
[HOOKED_SERVICE_API]:
Service API     : ZwAlertThread
Image Path      : 
OriginalHandler : 0x805cafd4
CurrentHandler  : 0x85bb53e0
ServiceNumber   : 0xd
ModuleName      : 
SDTType         : 0x0
[HOOKED_SERVICE_API]:
Service API     : ZwAllocateVirtualMemory
Image Path      : 
OriginalHandler : 0x8059df54
CurrentHandler  : 0x85d29588
ServiceNumber   : 0x11
ModuleName      : 
SDTType         : 0x0
[HOOKED_SERVICE_API]:
Service API     : ZwClose
Image Path      : C:\WINDOWS\system32\DRIVERS\klif.sys
OriginalHandler : 0x805b1df8
CurrentHandler  : 0xf136c8a6
ServiceNumber   : 0x19
ModuleName      : klif.sys
SDTType         : 0x0
[HOOKED_SERVICE_API]:
Service API     : ZwConnectPort
Image Path      : C:\WINDOWS\System32\vsdatant.sys
OriginalHandler : 0x80599a7e
CurrentHandler  : 0xf11b1346
ServiceNumber   : 0x1f
ModuleName      : vsdatant.sys
SDTType         : 0x0
[HOOKED_SERVICE_API]:
Service API     : ZwCreateEvent
Image Path      : C:\WINDOWS\system32\DRIVERS\klif.sys
OriginalHandler : 0x80605ca4
CurrentHandler  : 0xf136ce1e
ServiceNumber   : 0x23
ModuleName      : klif.sys
SDTType         : 0x0
[HOOKED_SERVICE_API]:
Service API     : ZwCreateFile
Image Path      : C:\WINDOWS\System32\vsdatant.sys
OriginalHandler : 0x8056e3ee
CurrentHandler  : 0xf11ab5e4
ServiceNumber   : 0x25
ModuleName      : vsdatant.sys
SDTType         : 0x0
[HOOKED_SERVICE_API]:
Service API     : ZwCreateKey
Image Path      : C:\WINDOWS\System32\vsdatant.sys
OriginalHandler : 0x8061ae02
CurrentHandler  : 0xf11ca846
ServiceNumber   : 0x29
ModuleName      : vsdatant.sys
SDTType         : 0x0
[HOOKED_SERVICE_API]:
Service API     : ZwCreateMutant
Image Path      : 
OriginalHandler : 0x8060e330
CurrentHandler  : 0x8676f700
ServiceNumber   : 0x2b
ModuleName      : 
SDTType         : 0x0
[HOOKED_SERVICE_API]:
Service API     : ZwCreatePort
Image Path      : C:\WINDOWS\System32\vsdatant.sys
OriginalHandler : 0x8059a59a
CurrentHandler  : 0xf11b1ad2
ServiceNumber   : 0x2e
ModuleName      : vsdatant.sys
SDTType         : 0x0
[HOOKED_SERVICE_API]:
Service API     : ZwCreateProcess
Image Path      : C:\WINDOWS\system32\DRIVERS\klif.sys
OriginalHandler : 0x805c75f6
CurrentHandler  : 0xf13d238e
ServiceNumber   : 0x2f
ModuleName      : klif.sys
SDTType         : 0x0
[HOOKED_SERVICE_API]:
Service API     : ZwCreateProcessEx
Image Path      : C:\WINDOWS\system32\DRIVERS\klif.sys
OriginalHandler : 0x805c7540
CurrentHandler  : 0xf13d25aa
ServiceNumber   : 0x30
ModuleName      : klif.sys
SDTType         : 0x0
[HOOKED_SERVICE_API]:
Service API     : ZwCreateSection
Image Path      : C:\WINDOWS\system32\DRIVERS\klif.sys
OriginalHandler : 0x805a0880
CurrentHandler  : 0xf13d346a
ServiceNumber   : 0x32
ModuleName      : klif.sys
SDTType         : 0x0
[HOOKED_SERVICE_API]:
Service API     : ZwCreateSemaphore
Image Path      : C:\WINDOWS\system32\DRIVERS\klif.sys
OriginalHandler : 0x8060bcda
CurrentHandler  : 0xf136cf3e
ServiceNumber   : 0x33
ModuleName      : klif.sys
SDTType         : 0x0
[HOOKED_SERVICE_API]:
Service API     : ZwCreateThread
Image Path      : 
OriginalHandler : 0x805c73de
CurrentHandler  : 0x85d1d560
ServiceNumber   : 0x35
ModuleName      : 
SDTType         : 0x0
[HOOKED_SERVICE_API]:
Service API     : ZwCreateWaitablePort
Image Path      : C:\WINDOWS\System32\vsdatant.sys
OriginalHandler : 0x8059a5be
CurrentHandler  : 0xf11b1c08
ServiceNumber   : 0x38
ModuleName      : vsdatant.sys
SDTType         : 0x0
[HOOKED_SERVICE_API]:
Service API     : ZwDebugActiveProcess
Image Path      : C:\WINDOWS\system32\DRIVERS\klif.sys
OriginalHandler : 0x8063a87c
CurrentHandler  : 0xf13d2234
ServiceNumber   : 0x39
ModuleName      : klif.sys
SDTType         : 0x0
[HOOKED_SERVICE_API]:
Service API     : ZwDeleteFile
Image Path      : C:\WINDOWS\System32\vsdatant.sys
OriginalHandler : 0x8056bf8e
CurrentHandler  : 0xf11ac1fa
ServiceNumber   : 0x3e
ModuleName      : vsdatant.sys
SDTType         : 0x0
[HOOKED_SERVICE_API]:
Service API     : ZwDeleteKey
Image Path      : C:\WINDOWS\System32\vsdatant.sys
OriginalHandler : 0x8061b29e
CurrentHandler  : 0xf11cc18c
ServiceNumber   : 0x3f
ModuleName      : vsdatant.sys
SDTType         : 0x0
[HOOKED_SERVICE_API]:
Service API     : ZwDeleteValueKey
Image Path      : C:\WINDOWS\System32\vsdatant.sys
OriginalHandler : 0x8061b46e
CurrentHandler  : 0xf11cbaa6
ServiceNumber   : 0x41
ModuleName      : vsdatant.sys
SDTType         : 0x0
[HOOKED_SERVICE_API]:
Service API     : ZwDeviceIoControlFile
Image Path      : C:\WINDOWS\system32\DRIVERS\klif.sys
OriginalHandler : 0x8056e5b4
CurrentHandler  : 0xf136c8ea
ServiceNumber   : 0x42
ModuleName      : klif.sys
SDTType         : 0x0
[HOOKED_SERVICE_API]:
Service API     : ZwDuplicateObject
Image Path      : C:\WINDOWS\system32\DRIVERS\klif.sys
OriginalHandler : 0x805b3a0c
CurrentHandler  : 0xf13d0556
ServiceNumber   : 0x44
ModuleName      : klif.sys
SDTType         : 0x0
[HOOKED_SERVICE_API]:
Service API     : ZwEnumerateKey
Image Path      : C:\WINDOWS\system32\DRIVERS\klif.sys
OriginalHandler : 0x8061b64e
CurrentHandler  : 0xf137e6d0
ServiceNumber   : 0x47
ModuleName      : klif.sys
SDTType         : 0x0
[HOOKED_SERVICE_API]:
Service API     : ZwEnumerateValueKey
Image Path      : C:\WINDOWS\system32\DRIVERS\klif.sys
OriginalHandler : 0x8061b8b8
CurrentHandler  : 0xf137f064
ServiceNumber   : 0x49
ModuleName      : klif.sys
SDTType         : 0x0
[HOOKED_SERVICE_API]:
Service API     : ZwFreeVirtualMemory
Image Path      : 
OriginalHandler : 0x805a85ae
CurrentHandler  : 0x86da2de8
ServiceNumber   : 0x53
ModuleName      : 
SDTType         : 0x0
[HOOKED_SERVICE_API]:
Service API     : ZwImpersonateAnonymousToken
Image Path      : 
OriginalHandler : 0x805ef70c
CurrentHandler  : 0x85d173e0
ServiceNumber   : 0x59
ModuleName      : 
SDTType         : 0x0
[HOOKED_SERVICE_API]:
Service API     : ZwImpersonateThread
Image Path      : 
OriginalHandler : 0x805cdc9a
CurrentHandler  : 0x85bbdba8
ServiceNumber   : 0x5b
ModuleName      : 
SDTType         : 0x0
[HOOKED_SERVICE_API]:
Service API     : ZwLoadDriver
Image Path      : C:\WINDOWS\system32\DRIVERS\klif.sys
OriginalHandler : 0x80579714
CurrentHandler  : 0xf13d01be
ServiceNumber   : 0x61
ModuleName      : klif.sys
SDTType         : 0x0
[HOOKED_SERVICE_API]:
Service API     : ZwLoadKey
Image Path      : C:\WINDOWS\System32\vsdatant.sys
OriginalHandler : 0x8061d026
CurrentHandler  : 0xf11ccb96
ServiceNumber   : 0x62
ModuleName      : vsdatant.sys
SDTType         : 0x0
[HOOKED_SERVICE_API]:
Service API     : ZwLoadKey2
Image Path      : C:\WINDOWS\System32\vsdatant.sys
OriginalHandler : 0x8061cc32
CurrentHandler  : 0xf11ccd9e
ServiceNumber   : 0x63
ModuleName      : vsdatant.sys
SDTType         : 0x0
[HOOKED_SERVICE_API]:
Service API     : ZwMapViewOfSection
Image Path      : C:\WINDOWS\System32\vsdatant.sys
OriginalHandler : 0x805a762e
CurrentHandler  : 0xf11cee8e
ServiceNumber   : 0x6c
ModuleName      : vsdatant.sys
SDTType         : 0x0
[HOOKED_SERVICE_API]:
Service API     : ZwNotifyChangeKey
Image Path      : C:\WINDOWS\system32\DRIVERS\klif.sys
OriginalHandler : 0x8061cff0
CurrentHandler  : 0xf1381e20
ServiceNumber   : 0x6f
ModuleName      : klif.sys
SDTType         : 0x0
[HOOKED_SERVICE_API]:
Service API     : ZwOpenEvent
Image Path      : 
OriginalHandler : 0x80605da4
CurrentHandler  : 0x85dde838
ServiceNumber   : 0x72
ModuleName      : 
SDTType         : 0x0
[HOOKED_SERVICE_API]:
Service API     : ZwOpenFile
Image Path      : C:\WINDOWS\System32\vsdatant.sys
OriginalHandler : 0x8056f50c
CurrentHandler  : 0xf11abe0c
ServiceNumber   : 0x74
ModuleName      : vsdatant.sys
SDTType         : 0x0
[HOOKED_SERVICE_API]:
Service API     : ZwOpenMutant
Image Path      : C:\WINDOWS\system32\DRIVERS\klif.sys
OriginalHandler : 0x8060e408
CurrentHandler  : 0xf136cd94
ServiceNumber   : 0x78
ModuleName      : klif.sys
SDTType         : 0x0
[HOOKED_SERVICE_API]:
Service API     : ZwOpenProcess
Image Path      : C:\WINDOWS\system32\DRIVERS\klif.sys
OriginalHandler : 0x805c1462
CurrentHandler  : 0xf13d1ddc
ServiceNumber   : 0x7a
ModuleName      : klif.sys
SDTType         : 0x0
[HOOKED_SERVICE_API]:
Service API     : ZwOpenProcessToken
Image Path      : 
OriginalHandler : 0x805e43b2
CurrentHandler  : 0x86e69b40
ServiceNumber   : 0x7b
ModuleName      : 
SDTType         : 0x0
[HOOKED_SERVICE_API]:
Service API     : ZwOpenSection
Image Path      : C:\WINDOWS\system32\DRIVERS\klif.sys
OriginalHandler : 0x8059f8b6
CurrentHandler  : 0xf13d3716
ServiceNumber   : 0x7d
ModuleName      : klif.sys
SDTType         : 0x0
[HOOKED_SERVICE_API]:
Service API     : ZwOpenSemaphore
Image Path      : C:\WINDOWS\system32\DRIVERS\klif.sys
OriginalHandler : 0x8060bdd4
CurrentHandler  : 0xf136cfd4
ServiceNumber   : 0x7e
ModuleName      : klif.sys
SDTType         : 0x0
[HOOKED_SERVICE_API]:
Service API     : ZwOpenThread
Image Path      : C:\WINDOWS\system32\DRIVERS\klif.sys
OriginalHandler : 0x805c16ee
CurrentHandler  : 0xf13d27ca
ServiceNumber   : 0x80
ModuleName      : klif.sys
SDTType         : 0x0
[HOOKED_SERVICE_API]:
Service API     : ZwOpenThreadToken
Image Path      : 
OriginalHandler : 0x805e43d0
CurrentHandler  : 0x86e071c0
ServiceNumber   : 0x81
ModuleName      : 
SDTType         : 0x0
[HOOKED_SERVICE_API]:
Service API     : ZwQueryKey
Image Path      : C:\WINDOWS\system32\DRIVERS\klif.sys
OriginalHandler : 0x8061c522
CurrentHandler  : 0xf137d510
ServiceNumber   : 0xa0
ModuleName      : klif.sys
SDTType         : 0x0
[HOOKED_SERVICE_API]:
Service API     : ZwQueryMultipleValueKey
Image Path      : C:\WINDOWS\system32\DRIVERS\klif.sys
OriginalHandler : 0x80619f50
CurrentHandler  : 0xf137ecd2
ServiceNumber   : 0xa1
ModuleName      : klif.sys
SDTType         : 0x0
[HOOKED_SERVICE_API]:
Service API     : ZwQueryObject
Image Path      : C:\WINDOWS\system32\DRIVERS\klif.sys
OriginalHandler : 0x805bb20a
CurrentHandler  : 0xf138202c
ServiceNumber   : 0xa3
ModuleName      : klif.sys
SDTType         : 0x0
[HOOKED_SERVICE_API]:
Service API     : ZwQueryValueKey
Image Path      : C:\WINDOWS\system32\DRIVERS\klif.sys
OriginalHandler : 0x80619026
CurrentHandler  : 0xf137eac6
ServiceNumber   : 0xb1
ModuleName      : klif.sys
SDTType         : 0x0
[HOOKED_SERVICE_API]:
Service API     : ZwQueueApcThread
Image Path      : C:\WINDOWS\system32\DRIVERS\klif.sys
OriginalHandler : 0x805c8b72
CurrentHandler  : 0xf13d3118
ServiceNumber   : 0xb4
ModuleName      : klif.sys
SDTType         : 0x0
[HOOKED_SERVICE_API]:
Service API     : ZwRenameKey
Image Path      : C:\WINDOWS\System32\vsdatant.sys
OriginalHandler : 0x8061a824
CurrentHandler  : 0xf11cdb2c
ServiceNumber   : 0xc0
ModuleName      : vsdatant.sys
SDTType         : 0x0
[HOOKED_SERVICE_API]:
Service API     : ZwReplaceKey
Image Path      : C:\WINDOWS\System32\vsdatant.sys
OriginalHandler : 0x8061ced6
CurrentHandler  : 0xf11cd462
ServiceNumber   : 0xc1
ModuleName      : vsdatant.sys
SDTType         : 0x0
[HOOKED_SERVICE_API]:
Service API     : ZwReplyPort
Image Path      : C:\WINDOWS\system32\DRIVERS\klif.sys
OriginalHandler : 0x8059a99a
CurrentHandler  : 0xf1383c90
ServiceNumber   : 0xc2
ModuleName      : klif.sys
SDTType         : 0x0
[HOOKED_SERVICE_API]:
Service API     : ZwReplyWaitReceivePort
Image Path      : C:\WINDOWS\system32\DRIVERS\klif.sys
OriginalHandler : 0x8059b962
CurrentHandler  : 0xf1383b1e
ServiceNumber   : 0xc3
ModuleName      : klif.sys
SDTType         : 0x0
[HOOKED_SERVICE_API]:
Service API     : ZwReplyWaitReceivePortEx
Image Path      : C:\WINDOWS\system32\DRIVERS\klif.sys
OriginalHandler : 0x8059b36a
CurrentHandler  : 0xf1383bd4
ServiceNumber   : 0xc4
ModuleName      : klif.sys
SDTType         : 0x0
[HOOKED_SERVICE_API]:
Service API     : ZwRequestWaitReplyPort
Image Path      : C:\WINDOWS\System32\vsdatant.sys
OriginalHandler : 0x80598224
CurrentHandler  : 0xf11b0f14
ServiceNumber   : 0xc8
ModuleName      : vsdatant.sys
SDTType         : 0x0
[HOOKED_SERVICE_API]:
Service API     : ZwRestoreKey
Image Path      : C:\WINDOWS\System32\vsdatant.sys
OriginalHandler : 0x8061c7e2
CurrentHandler  : 0xf11ce4fe
ServiceNumber   : 0xcc
ModuleName      : vsdatant.sys
SDTType         : 0x0
[HOOKED_SERVICE_API]:
Service API     : ZwResumeThread
Image Path      : 
OriginalHandler : 0x805cae60
CurrentHandler  : 0x8729b228
ServiceNumber   : 0xce
ModuleName      : 
SDTType         : 0x0
[HOOKED_SERVICE_API]:
Service API     : ZwSaveKey
Image Path      : C:\WINDOWS\system32\DRIVERS\klif.sys
OriginalHandler : 0x8061c8de
CurrentHandler  : 0xf137d994
ServiceNumber   : 0xcf
ModuleName      : klif.sys
SDTType         : 0x0
[HOOKED_SERVICE_API]:
Service API     : ZwSaveKeyEx
Image Path      : C:\WINDOWS\system32\DRIVERS\klif.sys
OriginalHandler : 0x8061c9c4
CurrentHandler  : 0xf137db2a
ServiceNumber   : 0xd0
ModuleName      : klif.sys
SDTType         : 0x0
[HOOKED_SERVICE_API]:
Service API     : ZwSaveMergedKeys
Image Path      : C:\WINDOWS\system32\DRIVERS\klif.sys
OriginalHandler : 0x8061caec
CurrentHandler  : 0xf137dcc6
ServiceNumber   : 0xd1
ModuleName      : klif.sys
SDTType         : 0x0
[HOOKED_SERVICE_API]:
Service API     : ZwSecureConnectPort
Image Path      : C:\WINDOWS\system32\DRIVERS\klif.sys
OriginalHandler : 0x80599212
CurrentHandler  : 0xf13837ea
ServiceNumber   : 0xd2
ModuleName      : klif.sys
SDTType         : 0x0
[HOOKED_SERVICE_API]:
Service API     : ZwSetContextThread
Image Path      : 
OriginalHandler : 0x805c9036
CurrentHandler  : 0x85bc6ba8
ServiceNumber   : 0xd5
ModuleName      : 
SDTType         : 0x0
[HOOKED_SERVICE_API]:
Service API     : ZwSetInformationFile
Image Path      : C:\WINDOWS\System32\vsdatant.sys
OriginalHandler : 0x805703f6
CurrentHandler  : 0xf11ac5be
ServiceNumber   : 0xe0
ModuleName      : vsdatant.sys
SDTType         : 0x0
[HOOKED_SERVICE_API]:
Service API     : ZwSetInformationProcess
Image Path      : 
OriginalHandler : 0x805c3f20
CurrentHandler  : 0x86ddb2e8
ServiceNumber   : 0xe4
ModuleName      : 
SDTType         : 0x0
[HOOKED_SERVICE_API]:
Service API     : ZwSetInformationThread
Image Path      : 
OriginalHandler : 0x805c1ee0
CurrentHandler  : 0x86db30b0
ServiceNumber   : 0xe5
ModuleName      : 
SDTType         : 0x0
[HOOKED_SERVICE_API]:
Service API     : ZwSetInformationToken
Image Path      : C:\WINDOWS\system32\DRIVERS\klif.sys
OriginalHandler : 0x805f0b3a
CurrentHandler  : 0xf136d05e
ServiceNumber   : 0xe6
ModuleName      : klif.sys
SDTType         : 0x0
[HOOKED_SERVICE_API]:
Service API     : ZwSetSecurityObject
Image Path      : C:\WINDOWS\System32\vsdatant.sys
OriginalHandler : 0x805b617e
CurrentHandler  : 0xf11ce06c
ServiceNumber   : 0xed
ModuleName      : vsdatant.sys
SDTType         : 0x0
[HOOKED_SERVICE_API]:
Service API     : ZwSetSystemInformation
Image Path      : C:\WINDOWS\system32\DRIVERS\klif.sys
OriginalHandler : 0x806069f6
CurrentHandler  : 0xf13d02c8
ServiceNumber   : 0xf0
ModuleName      : klif.sys
SDTType         : 0x0
[HOOKED_SERVICE_API]:
Service API     : ZwSetValueKey
Image Path      : C:\WINDOWS\System32\vsdatant.sys
OriginalHandler : 0x80619374
CurrentHandler  : 0xf11cb22e
ServiceNumber   : 0xf7
ModuleName      : vsdatant.sys
SDTType         : 0x0
[HOOKED_SERVICE_API]:
Service API     : ZwSuspendProcess
Image Path      : 
OriginalHandler : 0x805caf28
CurrentHandler  : 0x85d20a20
ServiceNumber   : 0xfd
ModuleName      : 
SDTType         : 0x0
[HOOKED_SERVICE_API]:
Service API     : ZwSuspendThread
Image Path      : 
OriginalHandler : 0x805cad9a
CurrentHandler  : 0x86eee560
ServiceNumber   : 0xfe
ModuleName      : 
SDTType         : 0x0
[HOOKED_SERVICE_API]:
Service API     : ZwSystemDebugControl
Image Path      : C:\WINDOWS\system32\DRIVERS\klif.sys
OriginalHandler : 0x8060ed4c
CurrentHandler  : 0xf136d070
ServiceNumber   : 0xff
ModuleName      : klif.sys
SDTType         : 0x0
[HOOKED_SERVICE_API]:
Service API     : ZwTerminateProcess
Image Path      : 
OriginalHandler : 0x805c86ea
CurrentHandler  : 0x86f01228
ServiceNumber   : 0x101
ModuleName      : 
SDTType         : 0x0
[HOOKED_SERVICE_API]:
Service API     : ZwTerminateThread
Image Path      : 
OriginalHandler : 0x805c88e4
CurrentHandler  : 0x85baf508
ServiceNumber   : 0x102
ModuleName      : 
SDTType         : 0x0
[HOOKED_SERVICE_API]:
Service API     : ZwUnmapViewOfSection
Image Path      : 
OriginalHandler : 0x805a8444
CurrentHandler  : 0x85bc7ba8
ServiceNumber   : 0x10b
ModuleName      : 
SDTType         : 0x0
[HOOKED_SERVICE_API]:
Service API     : ZwWriteVirtualMemory
Image Path      : 
OriginalHandler : 0x805a99ce
CurrentHandler  : 0x86db0aa0
ServiceNumber   : 0x115
ModuleName      : 
SDTType         : 0x0
No hidden operating system service hooks found.
 
--== Dump Hidden Port ==--
No hidden ports found.
 
--== Dump Kernel Code Patching ==--
No kernel code patching detected.
 
--== Dump Hidden Services ==--
No hidden services found.


#14 jeffce

jeffce

    Bleepin' Super Saiyan


  • Malware Response Team
  • 3,442 posts
  • OFFLINE
  • Gender:Male
  • Location:USA
  • Local time:12:48 AM

Posted 29 March 2013 - 11:43 AM

Where do you see that you have ZeroAccess infection??




#15 QuasiChameleon

QuasiChameleon
  • Topic Starter

  • Members
  • 26 posts
  • OFFLINE
  • Local time:12:48 AM

Posted 29 March 2013 - 11:47 AM

Everything that has a Zw* in front of it.  A Google search reveals they are associated with the Zero Access trojan.

Also, McAfee RootkitRemover keeps reporting the following ...

[TimeStamp: 20130328214607]
 
 
Rootkit Remover v0.8.9.160 [Dec  4 2012 - 17:44:01]
 
McAfee Labs.
 
 
 
Windows build 5.1.2600 x86 Service Pack 3
 
Checking for updates ...
 
 
 
Now Scanning...
 
    Malware Found --> ZeroAccess trojan detected!!!
 
    --> Registry key: HKEY_CLASSES_ROOT\CLSID\{f3130cdb-aa52-4c3a-ab32-85ffc23af9c1}\InprocServer32 ( fixed )
 
    --> Registry key: HKEY_CLASSES_ROOT\CLSID\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InprocServer32 ( fixed )
 
    ZeroAccess trojan was cleaned successfully! 
 
 
 
Scan Finished
 
 
 
PLEASE REBOOT IMMEDIATELY TO COMPLETE CLEANING.
 
 
 
Other recommendations:
 
   1. Perform full scan with McAfee VirusScan product after reboot.
 
 
 
 
 
Press any key to exit.
