Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Google redirect, rootkit/0access & sirefef


  • This topic is locked This topic is locked
18 replies to this topic

#1 jibberjive

jibberjive

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:10:38 AM

Posted 08 April 2013 - 12:13 AM

So, I had been receiving help from a different site, when the help fell through before everything was complete and verified clean.  So I'll post the info from what I've already done, as well as the advice from the previous help.  Just today I tried to run DDS again, and it stays stuck at the "this scan should take no more than 3 minutes" screen and never completes.  The previous steps, logs and info posted below:

 

----

 

 

"The machine is running Windows XP SP3.

Symptoms are google search redirects to random other ad pages when links are clicked. When I checked the web history, I was shocked to see that it was also uploading my latest accessed .doc files. I checked the computer for an anti-virus program (it's my parent's, not mine), and there was none on there, and the firewall was disabled as well.

Before I stumbled on this site and the "5-step viruses/spyware/malware preliminary removal instructions" I had already ran MBAM a couple of times and the ESET online scan.

So I'll post the logs that I took in chronological order:

-MBAM (shows rootkit/0access that I tried to have it quarantine unsuccessfully a couple of times. it would show right back up)
-ESET (Quarantined trojans)
Then I followed the "5-step preliminary" and did the following
-Installed Avast AV
-MBAM again (now showing clean after the ESET quarantine)
-GMER
-Tried unsuccessfully to run DDS (it froze system every time, tried disabling AV and internet, tried letting it run all night etc, no dice)

Help would be greatly appreciated!


LOGS:

Malwarebytes Anti-Malware 1.65.1.1000
www.malwarebytes.org

Database version: v2012.10.23.10

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702

10/9/2012 11:49:47 AM
mbam-log-2012-10-09 (12-25-50).txt

Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 307183
Time elapsed: 50 minute(s), 9 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 1
C:\WINDOWS\system32\pdlndldl.dll (RootKit.0Access.H) -> No action taken.

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\WINDOWS\system32\pdlndldl.dll (RootKit.0Access.H) -> No action taken.

(end)
---------------------------------------------------------------------
ESET online scan log
C:\WINDOWS\system32\cqmghost.dllWin32/Sirefef.ER trojancleaned by deleting - quarantined
C:\WINDOWS\system32\USB3Nw32.dlla variant of Win32/Wimpixo.AV trojancleaned by deleting (after the next restart) - quarantined
C:\WINDOWS\system32\drivers\meiudf.sysWin32/Sirefef.DA trojancleaned by deleting - quarantined
Operating memorymultiple threats
-----------------------------------------------------------------------
Malwarebytes Anti-Malware 1.65.1.1000
www.malwarebytes.org
Database version: v2012.10.25.02
Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
10/25/2012 3:06:57 AM
mbam-log-2012-10-25 (03-06-57).txt
Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 236933
Time elapsed: 27 minute(s), 5 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 0
(No malicious items detected)
(end)
GMER 1.0.15.15641 - http://www.gmer.net
Rootkit quick scan 2012-10-25 03:39:47
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 TOSHIBA_MK1234GSX rev.AH001A
Running: 3y0r6ze6.exe; Driver: C:\DOCUME~1\KITROM~1\LOCALS~1\Temp\uxtdrpog.sys


---- System - GMER 1.0.15 ----
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateKey [0xA9E80CD2]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateValueKey [0xA9E80B3D]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0xA9F04E16]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject
---- Devices - GMER 1.0.15 ----
Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software)
AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
---- EOF - GMER 1.0.15 ----

"

 

 

 

Welcome aboard yahooo.gif


============================================

Download TDSSKiller and save it to your desktop.

  • Extract (unzip) its contents to your desktop.
  • Open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.

==========================================

  • Download RogueKiller on the desktop
  • Close all the running programs
  • Windows Vista/7 users: right click on RogueKiller.exe, click Run as Administrator
  • Otherwise just double-click on RogueKiller.exe
  • Pre-scan will start. Let it finish.
  • Click on SCAN button.
  • Wait until the Status box shows Scan Finished
  • Click on Delete.
  • Wait until the Status box shows Deleting Finished.
  • Click on Report and copy/paste the content of the Notepad into your next reply.
  • RKreport.txt could also be found on your desktop.
  • If more than one log is produced post all logs.
  • If RogueKiller has been blocked, do not hesitate to try a few times more. If really won't run, rename it to winlogon.exe (or winlogon.com) and try again

==========================================

Download aswMBR to your desktop.
Double click the aswMBR.exe to run it.
If you see this question: Would you like to download latest Avast! virus definitions?" say "Yes".
Click the "Scan" button to start scan.
On completion of the scan click "Save log", save it to your desktop and post in your next reply.

NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it

 

 

 

 

 

 

 11:25:33.0125 2184 TDSS rootkit removing tool 2.8.13.0 Oct 12 2012 17:26:47
11:25:33.0500 2184 ============================================================
11:25:33.0500 2184 Current date / time: 2012/10/26 11:25:33.0500
11:25:33.0500 2184 SystemInfo:
11:25:33.0500 2184
11:25:33.0500 2184 OS Version: 5.1.2600 ServicePack: 3.0
11:25:33.0500 2184 Product type: Workstation
11:25:33.0500 2184 ComputerName: ROMCOM
11:25:33.0500 2184 UserName: Kit Romney
11:25:33.0500 2184 Windows directory: C:\WINDOWS
11:25:33.0500 2184 System windows directory: C:\WINDOWS
11:25:33.0500 2184 Processor architecture: Intel x86
11:25:33.0500 2184 Number of processors: 2
11:25:33.0500 2184 Page size: 0x1000
11:25:33.0500 2184 Boot type: Normal boot
11:25:33.0500 2184 ============================================================
11:25:35.0281 2184 Drive \Device\Harddisk0\DR0 - Size: 0x1BE6AB5200 (111.60 Gb), SectorSize: 0x200, Cylinders: 0x38E9, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
11:25:35.0281 2184 ============================================================
11:25:35.0281 2184 \Device\Harddisk0\DR0:
11:25:35.0281 2184 MBR partitions:
11:25:35.0281 2184 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0xDF3556A
11:25:35.0281 2184 ============================================================
11:25:35.0328 2184 C: <-> \Device\Harddisk0\DR0\Partition1
11:25:35.0328 2184 ============================================================
11:25:35.0328 2184 Initialize success
11:25:35.0328 2184 ============================================================
11:25:46.0171 3988 ============================================================
11:25:46.0171 3988 Scan started
11:25:46.0171 3988 Mode: Manual;
11:25:46.0171 3988 ============================================================
11:25:47.0703 3988 ================ Scan system memory ========================
11:25:47.0703 3988 System memory - ok
11:25:47.0703 3988 ================ Scan services =============================
11:25:48.0187 3988 [ 68885EFEBC326F7FC9D0A35625D47BEA ] Aavmker4 C:\WINDOWS\system32\drivers\Aavmker4.sys
11:25:48.0203 3988 Aavmker4 - ok
11:25:48.0203 3988 Abiosdsk - ok
11:25:48.0203 3988 abp480n5 - ok
11:25:48.0250 3988 [ 8FD99680A539792A30E97944FDAECF17 ] ACPI C:\WINDOWS\system32\DRIVERS\ACPI.sys
11:25:48.0250 3988 ACPI - ok
11:25:48.0265 3988 [ 9859C0F6936E723E4892D7141B1327D5 ] ACPIEC C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
11:25:48.0265 3988 ACPIEC - ok
11:25:48.0265 3988 adpu160m - ok
11:25:48.0296 3988 [ 8BED39E3C35D6A489438B8141717A557 ] aec C:\WINDOWS\system32\drivers\aec.sys
11:25:48.0296 3988 aec - ok
11:25:48.0343 3988 [ 12DAFD934641DCF61E446313BC261EC2 ] AegisP C:\WINDOWS\system32\DRIVERS\AegisP.sys
11:25:48.0343 3988 AegisP - ok
11:25:48.0390 3988 [ 355556D9E580915118CD7EF736653A89 ] AFD C:\WINDOWS\System32\drivers\afd.sys
11:25:48.0406 3988 AFD - ok
11:25:48.0468 3988 [ B3192376C7A3814B5341EFC2202022F8 ] AgereSoftModem C:\WINDOWS\system32\DRIVERS\AGRSM.sys
11:25:48.0484 3988 AgereSoftModem - ok
11:25:48.0484 3988 Aha154x - ok
11:25:48.0500 3988 aic78u2 - ok
11:25:48.0500 3988 aic78xx - ok
11:25:48.0531 3988 [ A9A3DAA780CA6C9671A19D52456705B4 ] Alerter C:\WINDOWS\system32\alrsvc.dll
11:25:48.0531 3988 Alerter - ok
11:25:48.0546 3988 [ 8C515081584A38AA007909CD02020B3D ] ALG C:\WINDOWS\System32\alg.exe
11:25:48.0562 3988 ALG - ok
11:25:48.0562 3988 AliIde - ok
11:25:48.0562 3988 amsint - ok
11:25:48.0609 3988 [ 87EC3FDCAF6C5052E2E72B861DEDD3D3 ] ApfiltrService C:\WINDOWS\system32\DRIVERS\Apfiltr.sys
11:25:48.0609 3988 ApfiltrService - ok
11:25:48.0656 3988 [ D8849F77C0B66226335A59D26CB4EDC6 ] AppMgmt C:\WINDOWS\System32\appmgmts.dll
11:25:48.0656 3988 AppMgmt - ok
11:25:48.0671 3988 [ B5B8A80875C1DEDEDA8B02765642C32F ] Arp1394 C:\WINDOWS\system32\DRIVERS\arp1394.sys
11:25:48.0671 3988 Arp1394 - ok
11:25:48.0687 3988 asc - ok
11:25:48.0687 3988 asc3350p - ok
11:25:48.0687 3988 asc3550 - ok
11:25:48.0718 3988 [ D880831279ED91F9A4190A2DB9539EA9 ] ASCTRM C:\WINDOWS\system32\drivers\ASCTRM.sys
11:25:48.0718 3988 ASCTRM - ok
11:25:48.0812 3988 [ E1A1206A4FB19B675E947B29CCD25FBA ] aspnet_state C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe
11:25:48.0828 3988 aspnet_state - ok
11:25:48.0875 3988 [ 598DAF89E7B2AD88FF6511CB9C4BA61A ] aswFsBlk C:\WINDOWS\system32\drivers\aswFsBlk.sys
11:25:48.0875 3988 aswFsBlk - ok
11:25:48.0921 3988 [ 8E69710F6A1016D47CCDDA6393F97D32 ] aswMon2 C:\WINDOWS\system32\drivers\aswMon2.sys
11:25:48.0921 3988 aswMon2 - ok
11:25:48.0968 3988 [ 816C6DCD6BF930C8FD8F68137E1BDDC4 ] AswRdr C:\WINDOWS\system32\drivers\AswRdr.sys
11:25:48.0968 3988 AswRdr - ok
11:25:49.0046 3988 [ 6C8B09E245795E98B6BCC983D0AA4D26 ] aswSnx C:\WINDOWS\system32\drivers\aswSnx.sys
11:25:49.0062 3988 aswSnx - ok
11:25:49.0125 3988 [ 437E3F4B4529AA616D4979A2B74CF8C5 ] aswSP C:\WINDOWS\system32\drivers\aswSP.sys
11:25:49.0125 3988 aswSP - ok
11:25:49.0156 3988 [ BD07C8162C7FAD38FE4AAAE18E835216 ] aswTdi C:\WINDOWS\system32\drivers\aswTdi.sys
11:25:49.0171 3988 aswTdi - ok
11:25:49.0187 3988 [ B153AFFAC761E7F5FCFA822B9C4E97BC ] AsyncMac C:\WINDOWS\system32\DRIVERS\asyncmac.sys
11:25:49.0203 3988 AsyncMac - ok
11:25:49.0218 3988 [ 9F3A2F5AA6875C72BF062C712CFA2674 ] atapi C:\WINDOWS\system32\DRIVERS\atapi.sys
11:25:49.0218 3988 atapi - ok
11:25:49.0218 3988 Atdisk - ok
11:25:49.0250 3988 [ 9916C1225104BA14794209CFA8012159 ] Atmarpc C:\WINDOWS\system32\DRIVERS\atmarpc.sys
11:25:49.0250 3988 Atmarpc - ok
11:25:49.0296 3988 [ DEF7A7882BEC100FE0B2CE2549188F9D ] AudioSrv C:\WINDOWS\System32\audiosrv.dll
11:25:49.0296 3988 AudioSrv - ok
11:25:49.0343 3988 [ D9F724AA26C010A217C97606B160ED68 ] audstub C:\WINDOWS\system32\DRIVERS\audstub.sys
11:25:49.0343 3988 audstub - ok
11:25:49.0484 3988 [ FB05FF189FC5F57DE636315B1F5E56DB ] avast! Antivirus C:\Program Files\AVAST Software\Avast\AvastSvc.exe
11:25:49.0484 3988 avast! Antivirus - ok
11:25:49.0500 3988 [ DA1F27D85E0D1525F6621372E7B685E9 ] Beep C:\WINDOWS\system32\drivers\Beep.sys
11:25:49.0500 3988 Beep - ok
11:25:49.0531 3988 [ 574738F61FCA2935F5265DC4E5691314 ] BITS C:\WINDOWS\system32\qmgr.dll
11:25:49.0578 3988 BITS - ok
11:25:49.0609 3988 [ A06CE3399D16DB864F55FAEB1F1927A9 ] Browser C:\WINDOWS\System32\browser.dll
11:25:49.0609 3988 Browser - ok
11:25:49.0640 3988 [ 90A673FC8E12A79AFBED2576F6A7AAF9 ] cbidf2k C:\WINDOWS\system32\drivers\cbidf2k.sys
11:25:49.0640 3988 cbidf2k - ok
11:25:49.0640 3988 cd20xrnt - ok
11:25:49.0656 3988 [ C1B486A7658353D33A10CC15211A873B ] Cdaudio C:\WINDOWS\system32\drivers\Cdaudio.sys
11:25:49.0656 3988 Cdaudio - ok
11:25:49.0703 3988 [ C885B02847F5D2FD45A24E219ED93B32 ] Cdfs C:\WINDOWS\system32\drivers\Cdfs.sys
11:25:49.0703 3988 Cdfs - ok
11:25:49.0718 3988 [ 1F4260CC5B42272D71F79E570A27A4FE ] Cdrom C:\WINDOWS\system32\DRIVERS\cdrom.sys
11:25:49.0718 3988 Cdrom - ok
11:25:49.0812 3988 [ 3CB0CC8879956C187E87E18634EE5164 ] CFSvcs C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
11:25:49.0812 3988 CFSvcs - ok
11:25:49.0828 3988 Changer - ok
11:25:49.0859 3988 [ 1CFE720EB8D93A7158A4EBC3AB178BDE ] CiSvc C:\WINDOWS\system32\cisvc.exe
11:25:49.0859 3988 CiSvc - ok
11:25:49.0875 3988 [ 34CBE729F38138217F9C80212A2A0C82 ] ClipSrv C:\WINDOWS\system32\clipsrv.exe
11:25:49.0875 3988 ClipSrv - ok
11:25:49.0906 3988 [ 0F6C187D38D98F8DF904589A5F94D411 ] CmBatt C:\WINDOWS\system32\DRIVERS\CmBatt.sys
11:25:49.0906 3988 CmBatt - ok
11:25:49.0906 3988 CmdIde - ok
11:25:49.0921 3988 [ 6E4C9F21F0FAE8940661144F41B13203 ] Compbatt C:\WINDOWS\system32\DRIVERS\compbatt.sys
11:25:49.0921 3988 Compbatt - ok
11:25:49.0921 3988 COMSysApp - ok
11:25:49.0953 3988 Cpqarray - ok
11:25:49.0984 3988 [ 3D4E199942E29207970E04315D02AD3B ] CryptSvc C:\WINDOWS\System32\cryptsvc.dll
11:25:49.0984 3988 CryptSvc - ok
11:25:49.0984 3988 dac2w2k - ok
11:25:49.0984 3988 dac960nt - ok
11:25:50.0046 3988 [ 6B27A5C03DFB94B4245739065431322C ] DcomLaunch C:\WINDOWS\system32\rpcss.dll
11:25:50.0062 3988 DcomLaunch - ok
11:25:50.0125 3988 [ 770471DE2550820FEEB7E5D24BF2E273 ] DgiVecp C:\WINDOWS\system32\Drivers\DgiVecp.sys
11:25:50.0125 3988 DgiVecp - ok
11:25:50.0171 3988 [ 5E38D7684A49CACFB752B046357E0589 ] Dhcp C:\WINDOWS\System32\dhcpcsvc.dll
11:25:50.0171 3988 Dhcp - ok
11:25:50.0187 3988 [ 044452051F3E02E7963599FC8F4F3E25 ] Disk C:\WINDOWS\system32\DRIVERS\disk.sys
11:25:50.0187 3988 Disk - ok
11:25:50.0250 3988 [ EE4325BECEF51B8C32B4329097E4F301 ] DLABOIOM C:\WINDOWS\system32\DLA\DLABOIOM.SYS
11:25:50.0250 3988 DLABOIOM - ok
11:25:50.0265 3988 [ D979BEBCF7EDCC9C9EE1857D1A68C67B ] DLACDBHM C:\WINDOWS\system32\Drivers\DLACDBHM.SYS
11:25:50.0265 3988 DLACDBHM - ok
11:25:50.0296 3988 [ 1E6C6597833A04C2157BE7B39EA92CE1 ] DLADResN C:\WINDOWS\system32\DLA\DLADResN.SYS
11:25:50.0296 3988 DLADResN - ok
11:25:50.0328 3988 [ 752376E109A090970BFA9722F0F40B03 ] DLAIFS_M C:\WINDOWS\system32\DLA\DLAIFS_M.SYS
11:25:50.0328 3988 DLAIFS_M - ok
11:25:50.0328 3988 [ 62EE7902E74B90BF1CCC4643FC6C07A7 ] DLAOPIOM C:\WINDOWS\system32\DLA\DLAOPIOM.SYS
11:25:50.0328 3988 DLAOPIOM - ok
11:25:50.0328 3988 [ 5C220124C5AFEAEE84A9BB89D685C17B ] DLAPoolM C:\WINDOWS\system32\DLA\DLAPoolM.SYS
11:25:50.0343 3988 DLAPoolM - ok
11:25:50.0343 3988 [ 7EE0852AE8907689DF25049DCD2342E8 ] DLARTL_N C:\WINDOWS\system32\Drivers\DLARTL_N.SYS
11:25:50.0343 3988 DLARTL_N - ok
11:25:50.0343 3988 [ 4EBB78D9BBF072119363B35B9B3E518F ] DLAUDFAM C:\WINDOWS\system32\DLA\DLAUDFAM.SYS
11:25:50.0359 3988 DLAUDFAM - ok
11:25:50.0359 3988 [ 333B770E52D2CEA7BD86391120466E43 ] DLAUDF_M C:\WINDOWS\system32\DLA\DLAUDF_M.SYS
11:25:50.0359 3988 DLAUDF_M - ok
11:25:50.0375 3988 dmadmin - ok
11:25:50.0437 3988 [ D992FE1274BDE0F84AD826ACAE022A41 ] dmboot C:\WINDOWS\system32\drivers\dmboot.sys
11:25:50.0453 3988 dmboot - ok
11:25:50.0484 3988 [ 7C824CF7BBDE77D95C08005717A95F6F ] dmio C:\WINDOWS\system32\drivers\dmio.sys
11:25:50.0484 3988 dmio - ok
11:25:50.0484 3988 [ E9317282A63CA4D188C0DF5E09C6AC5F ] dmload C:\WINDOWS\system32\drivers\dmload.sys
11:25:50.0484 3988 dmload - ok
11:25:50.0546 3988 [ 57EDEC2E5F59F0335E92F35184BC8631 ] dmserver C:\WINDOWS\System32\dmserver.dll
11:25:50.0546 3988 dmserver - ok
11:25:50.0562 3988 [ 8A208DFCF89792A484E76C40E5F50B45 ] DMusic C:\WINDOWS\system32\drivers\DMusic.sys
11:25:50.0562 3988 DMusic - ok
11:25:50.0593 3988 [ 5F7E24FA9EAB896051FFB87F840730D2 ] Dnscache C:\WINDOWS\System32\dnsrslvr.dll
11:25:50.0609 3988 Dnscache - ok
11:25:50.0640 3988 [ 0F0F6E687E5E15579EF4DA8DD6945814 ] Dot3svc C:\WINDOWS\System32\dot3svc.dll
11:25:50.0640 3988 Dot3svc - ok
11:25:50.0656 3988 dpti2o - ok
11:25:50.0671 3988 [ 8F5FCFF8E8848AFAC920905FBD9D33C8 ] drmkaud C:\WINDOWS\system32\drivers\drmkaud.sys
11:25:50.0671 3988 drmkaud - ok
11:25:50.0687 3988 [ FD0F95981FEF9073659D8EC58E40AA3C ] DRVMCDB C:\WINDOWS\system32\Drivers\DRVMCDB.SYS
11:25:50.0703 3988 DRVMCDB - ok
11:25:50.0703 3988 [ B4869D320428CDC5EC4D7F5E808E99B5 ] DRVNDDM C:\WINDOWS\system32\Drivers\DRVNDDM.SYS
11:25:50.0703 3988 DRVNDDM - ok
11:25:50.0734 3988 [ C9FFBD6B8EDC46CD3D13E3C6DB914FB7 ] DVD-RAM_Service C:\WINDOWS\system32\DVDRAMSV.exe
11:25:50.0750 3988 DVD-RAM_Service - ok
11:25:50.0796 3988 [ E1FA10ED8F9F700C1BE1EAE05A80EF57 ] e1express C:\WINDOWS\system32\DRIVERS\e1e5132.sys
11:25:50.0796 3988 e1express - ok
11:25:50.0859 3988 [ 2187855A7703ADEF0CEF9EE4285182CC ] EapHost C:\WINDOWS\System32\eapsvc.dll
11:25:50.0875 3988 EapHost - ok
11:25:50.0968 3988 [ 8301243BDE5B6CD316D79C0191D50D9A ] ehRecvr C:\WINDOWS\eHome\ehRecvr.exe
11:25:50.0984 3988 ehRecvr - ok
11:25:51.0046 3988 [ A53243709439AC2A4C216B817F8D7411 ] ehSched C:\WINDOWS\eHome\ehSched.exe
11:25:51.0046 3988 ehSched - ok
11:25:51.0078 3988 [ BC93B4A066477954555966D77FEC9ECB ] ERSvc C:\WINDOWS\System32\ersvc.dll
11:25:51.0078 3988 ERSvc - ok
11:25:51.0109 3988 [ 65DF52F5B8B6E9BBD183505225C37315 ] Eventlog C:\WINDOWS\system32\services.exe
11:25:51.0109 3988 Eventlog - ok
11:25:51.0156 3988 [ D4991D98F2DB73C60D042F1AEF79EFAE ] EventSystem C:\WINDOWS\system32\Es.dll
11:25:51.0171 3988 EventSystem - ok
11:25:51.0234 3988 [ 56DED3ADE453272E6A0AD582D945D1A4 ] EvtEng C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
11:25:51.0234 3988 EvtEng - ok
11:25:51.0250 3988 [ 38D332A6D56AF32635675F132548343E ] Fastfat C:\WINDOWS\system32\drivers\Fastfat.sys
11:25:51.0265 3988 Fastfat - ok
11:25:51.0312 3988 [ 99BC0B50F511924348BE19C7C7313BBF ] FastUserSwitchingCompatibility C:\WINDOWS\System32\shsvcs.dll
11:25:51.0312 3988 FastUserSwitchingCompatibility - ok
11:25:51.0343 3988 [ E97D6A8684466DF94FF3BC24FB787A07 ] Fax C:\WINDOWS\system32\fxssvc.exe
11:25:51.0343 3988 Fax - ok
11:25:51.0390 3988 [ 92CDD60B6730B9F50F6A1A0C1F8CDC81 ] Fdc C:\WINDOWS\system32\drivers\Fdc.sys
11:25:51.0390 3988 Fdc - ok
11:25:51.0484 3988 [ 5A8F83707C4CF1395312B23E6AF4DDD7 ] FdRedir C:\Program Files\Common Files\Protector Suite QL\Drivers\FdRedir.sys
11:25:51.0484 3988 FdRedir - ok
11:25:51.0500 3988 [ D7BEFE501CC041C76E3FA976CFD04127 ] FileDisk2 C:\Program Files\Common Files\Protector Suite QL\Drivers\filedisk.sys
11:25:51.0500 3988 FileDisk2 - ok
11:25:51.0515 3988 [ D45926117EB9FA946A6AF572FBE1CAA3 ] Fips C:\WINDOWS\system32\drivers\Fips.sys
11:25:51.0515 3988 Fips - ok
11:25:51.0515 3988 [ 9D27E7B80BFCDF1CDD9B555862D5E7F0 ] Flpydisk C:\WINDOWS\system32\drivers\Flpydisk.sys
11:25:51.0515 3988 Flpydisk - ok
11:25:51.0562 3988 [ B2CF4B0786F8212CB92ED2B50C6DB6B0 ] FltMgr C:\WINDOWS\system32\drivers\fltmgr.sys
11:25:51.0578 3988 FltMgr - ok
11:25:51.0593 3988 [ 3E1E2BD4F39B0E2B7DC4F4D2BCC2779A ] Fs_Rec C:\WINDOWS\system32\drivers\Fs_Rec.sys
11:25:51.0593 3988 Fs_Rec - ok
11:25:51.0625 3988 [ 6AC26732762483366C3969C9E4D2259D ] Ftdisk C:\WINDOWS\system32\DRIVERS\ftdisk.sys
11:25:51.0625 3988 Ftdisk - ok
11:25:51.0640 3988 [ 0A02C63C8B144BD8C86B103DEE7C86A2 ] Gpc C:\WINDOWS\system32\DRIVERS\msgpc.sys
11:25:51.0640 3988 Gpc - ok
11:25:51.0718 3988 [ 8F0DE4FEF8201E306F9938B0905AC96A ] gupdate C:\Program Files\Google\Update\GoogleUpdate.exe
11:25:51.0718 3988 gupdate - ok
11:25:51.0734 3988 [ 8F0DE4FEF8201E306F9938B0905AC96A ] gupdatem C:\Program Files\Google\Update\GoogleUpdate.exe
11:25:51.0734 3988 gupdatem - ok
11:25:51.0812 3988 [ 5D4BC124FAAE6730AC002CDB67BF1A1C ] gusvc C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
11:25:51.0828 3988 gusvc - ok
11:25:51.0890 3988 [ 573C7D0A32852B48F3058CFD8026F511 ] HDAudBus C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
11:25:51.0890 3988 HDAudBus - ok
11:25:51.0984 3988 [ 4FCCA060DFE0C51A09DD5C3843888BCD ] helpsvc C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll
11:25:51.0984 3988 helpsvc - ok
11:25:52.0031 3988 [ DEB04DA35CC871B6D309B77E1443C796 ] HidServ C:\WINDOWS\System32\hidserv.dll
11:25:52.0031 3988 HidServ - ok
11:25:52.0078 3988 [ CCF82C5EC8A7326C3066DE870C06DAF1 ] HidUsb C:\WINDOWS\system32\DRIVERS\hidusb.sys
11:25:52.0078 3988 HidUsb - ok
11:25:52.0109 3988 [ 8878BD685E490239777BFE51320B88E9 ] hkmsvc C:\WINDOWS\System32\kmsvc.dll
11:25:52.0125 3988 hkmsvc - ok
11:25:52.0125 3988 hpn - ok
11:25:52.0140 3988 [ 30CA91E657CEDE2F95359D6EF186F650 ] HPZid412 C:\WINDOWS\system32\DRIVERS\HPZid412.sys
11:25:52.0140 3988 HPZid412 - ok
11:25:52.0156 3988 [ EFD31AFA752AA7C7BBB57BCBE2B01C78 ] HPZipr12 C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
11:25:52.0187 3988 HPZipr12 - ok
11:25:52.0203 3988 [ 7AC43C38CA8FD7ED0B0A4466F753E06E ] HPZius12 C:\WINDOWS\system32\DRIVERS\HPZius12.sys
11:25:52.0203 3988 HPZius12 - ok
11:25:52.0234 3988 [ F80A415EF82CD06FFAF0D971528EAD38 ] HTTP C:\WINDOWS\system32\Drivers\HTTP.sys
11:25:52.0250 3988 HTTP - ok
11:25:52.0296 3988 [ 6100A808600F44D999CEBDEF8841C7A3 ] HTTPFilter C:\WINDOWS\System32\w3ssl.dll
11:25:52.0328 3988 HTTPFilter - ok
11:25:52.0328 3988 i2omgmt - ok
11:25:52.0328 3988 i2omp - ok
11:25:52.0359 3988 [ 4A0B06AA8943C1E332520F7440C0AA30 ] i8042prt C:\WINDOWS\system32\DRIVERS\i8042prt.sys
11:25:52.0359 3988 i8042prt - ok
11:25:52.0468 3988 [ BC1F1FF8D5800398937966CDB0A97FDC ] ialm C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
11:25:52.0500 3988 ialm - ok
11:25:52.0500 3988 Ias - ok
11:25:52.0515 3988 [ 083A052659F5310DD8B6A6CB05EDCF8E ] Imapi C:\WINDOWS\system32\DRIVERS\imapi.sys
11:25:52.0515 3988 Imapi - ok
11:25:52.0562 3988 [ 30DEAF54A9755BB8546168CFE8A6B5E1 ] ImapiService C:\WINDOWS\system32\imapi.exe
11:25:52.0562 3988 ImapiService - ok
11:25:52.0578 3988 ini910u - ok
11:25:52.0765 3988 [ B12A9FC49CD2765A43829D834F518AED ] IntcAzAudAddService C:\WINDOWS\system32\drivers\RtkHDAud.sys
11:25:52.0953 3988 IntcAzAudAddService - ok
11:25:52.0953 3988 IntelIde - ok
11:25:52.0984 3988 [ 8C953733D8F36EB2133F5BB58808B66B ] intelppm C:\WINDOWS\system32\DRIVERS\intelppm.sys
11:25:53.0000 3988 intelppm - ok
11:25:53.0031 3988 [ 3BB22519A194418D5FEC05D800A19AD0 ] Ip6Fw C:\WINDOWS\system32\drivers\ip6fw.sys
11:25:53.0031 3988 Ip6Fw - ok
11:25:53.0078 3988 [ 731F22BA402EE4B62748ADAF6363C182 ] IpFilterDriver C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
11:25:53.0093 3988 IpFilterDriver - ok
11:25:53.0140 3988 [ B87AB476DCF76E72010632B5550955F5 ] IpInIp C:\WINDOWS\system32\DRIVERS\ipinip.sys
11:25:53.0140 3988 IpInIp - ok
11:25:53.0171 3988 [ CC748EA12C6EFFDE940EE98098BF96BB ] IpNat C:\WINDOWS\system32\DRIVERS\ipnat.sys
11:25:53.0187 3988 IpNat - ok
11:25:53.0187 3988 [ 23C74D75E36E7158768DD63D92789A91 ] IPSec C:\WINDOWS\system32\DRIVERS\ipsec.sys
11:25:53.0203 3988 IPSec - ok
11:25:53.0218 3988 [ C93C9FF7B04D772627A3646D89F7BF89 ] IRENUM C:\WINDOWS\system32\DRIVERS\irenum.sys
11:25:53.0234 3988 IRENUM - ok
11:25:53.0250 3988 [ 05A299EC56E52649B1CF2FC52D20F2D7 ] isapnp C:\WINDOWS\system32\DRIVERS\isapnp.sys
11:25:53.0265 3988 isapnp - ok
11:25:53.0265 3988 [ F59C3569A2F2C464BB78CB1BDCDCA55E ] Iviaspi C:\WINDOWS\system32\drivers\iviaspi.sys
11:25:53.0265 3988 Iviaspi - ok
11:25:53.0359 3988 [ 4F2143570D2250CA4C4A4C98553C82CD ] JavaQuickStarterService C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe
11:25:53.0359 3988 JavaQuickStarterService - ok
11:25:53.0390 3988 [ 463C1EC80CD17420A542B7F36A36F128 ] Kbdclass C:\WINDOWS\system32\DRIVERS\kbdclass.sys
11:25:53.0390 3988 Kbdclass - ok
11:25:53.0406 3988 [ 9EF487A186DEA361AA06913A75B3FA99 ] kbdhid C:\WINDOWS\system32\DRIVERS\kbdhid.sys
11:25:53.0406 3988 kbdhid - ok
11:25:53.0421 3988 [ 692BCF44383D056AED41B045A323D378 ] kmixer C:\WINDOWS\system32\drivers\kmixer.sys
11:25:53.0437 3988 kmixer - ok
11:25:53.0453 3988 [ B467646C54CC746128904E1654C750C1 ] KSecDD C:\WINDOWS\system32\drivers\KSecDD.sys
11:25:53.0453 3988 KSecDD - ok
11:25:53.0500 3988 [ 3A7C3CBE5D96B8AE96CE81F0B22FB527 ] lanmanserver C:\WINDOWS\System32\srvsvc.dll
11:25:53.0515 3988 lanmanserver - ok
11:25:53.0562 3988 [ A8888A5327621856C0CEC4E385F69309 ] lanmanworkstation C:\WINDOWS\System32\wkssvc.dll
11:25:53.0578 3988 lanmanworkstation - ok
11:25:53.0578 3988 lbrtfdc - ok
11:25:53.0640 3988 [ 5E3498F3D0146C0E275272B94369E3D2 ] LexBceS C:\WINDOWS\system32\LEXBCES.EXE
11:25:53.0656 3988 LexBceS - ok
11:25:53.0703 3988 [ A7DB739AE99A796D91580147E919CC59 ] LmHosts C:\WINDOWS\System32\lmhsvc.dll
11:25:53.0703 3988 LmHosts - ok
11:25:53.0765 3988 [ DF0A511F38F16016BF658FCA0090CB87 ] McrdSvc C:\WINDOWS\ehome\mcrdsvc.exe
11:25:53.0765 3988 McrdSvc - ok
11:25:53.0765 3988 mdmxsdk - ok
11:25:53.0781 3988 meiudf - ok
11:25:53.0796 3988 [ 986B1FF5814366D71E0AC5755C88F2D3 ] Messenger C:\WINDOWS\System32\msgsvc.dll
11:25:53.0812 3988 Messenger - ok
11:25:53.0843 3988 [ B7521F69C0A9B29D356157229376FB21 ] MHN C:\WINDOWS\System32\mhn.dll
11:25:53.0859 3988 MHN - ok
11:25:53.0890 3988 [ 7F2F1D2815A6449D346FCCCBC569FBD6 ] MHNDRV C:\WINDOWS\system32\DRIVERS\mhndrv.sys
11:25:53.0906 3988 MHNDRV - ok
11:25:53.0921 3988 [ 4AE068242760A1FB6E1A44BF4E16AFA6 ] mnmdd C:\WINDOWS\system32\drivers\mnmdd.sys
11:25:53.0921 3988 mnmdd - ok
11:25:53.0953 3988 [ D18F1F0C101D06A1C1ADF26EED16FCDD ] mnmsrvc C:\WINDOWS\system32\mnmsrvc.exe
11:25:53.0968 3988 mnmsrvc - ok
11:25:54.0000 3988 [ DFCBAD3CEC1C5F964962AE10E0BCC8E1 ] Modem C:\WINDOWS\system32\drivers\Modem.sys
11:25:54.0000 3988 Modem - ok
11:25:54.0015 3988 [ 35C9E97194C8CFB8430125F8DBC34D04 ] Mouclass C:\WINDOWS\system32\DRIVERS\mouclass.sys
11:25:54.0015 3988 Mouclass - ok
11:25:54.0046 3988 [ B1C303E17FB9D46E87A98E4BA6769685 ] mouhid C:\WINDOWS\system32\DRIVERS\mouhid.sys
11:25:54.0062 3988 mouhid - ok
11:25:54.0078 3988 [ A80B9A0BAD1B73637DBCBBA7DF72D3FD ] MountMgr C:\WINDOWS\system32\drivers\MountMgr.sys
11:25:54.0078 3988 MountMgr - ok
11:25:54.0078 3988 mraid35x - ok
11:25:54.0093 3988 [ 11D42BB6206F33FBB3BA0288D3EF81BD ] MRxDAV C:\WINDOWS\system32\DRIVERS\mrxdav.sys
11:25:54.0093 3988 MRxDAV - ok
11:25:54.0156 3988 [ 7D304A5EB4344EBEEAB53A2FE3FFB9F0 ] MRxSmb C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
11:25:54.0156 3988 MRxSmb - ok
11:25:54.0187 3988 [ A137F1470499A205ABBB9AAFB3B6F2B1 ] MSDTC C:\WINDOWS\system32\msdtc.exe
11:25:54.0187 3988 MSDTC - ok
11:25:54.0203 3988 [ C941EA2454BA8350021D774DAF0F1027 ] Msfs C:\WINDOWS\system32\drivers\Msfs.sys
11:25:54.0203 3988 Msfs - ok
11:25:54.0203 3988 MSIServer - ok
11:25:54.0218 3988 [ 325BB26842FC7CCC1FCCE2C457317F3E ] MSPCLOCK C:\WINDOWS\system32\drivers\MSPCLOCK.sys
11:25:54.0234 3988 MSPCLOCK - ok
11:25:54.0250 3988 [ BAD59648BA099DA4A17680B39730CB3D ] MSPQM C:\WINDOWS\system32\drivers\MSPQM.sys
11:25:54.0250 3988 MSPQM - ok
11:25:54.0281 3988 [ AF5F4F3F14A8EA2C26DE30F7A1E17136 ] mssmbios C:\WINDOWS\system32\DRIVERS\mssmbios.sys
11:25:54.0281 3988 mssmbios - ok
11:25:54.0328 3988 [ DE6A75F5C270E756C5508D94B6CF68F5 ] Mup C:\WINDOWS\system32\drivers\Mup.sys
11:25:54.0328 3988 Mup - ok
11:25:54.0375 3988 [ 0102140028FAD045756796E1C685D695 ] napagent C:\WINDOWS\System32\qagentrt.dll
11:25:54.0375 3988 napagent - ok
11:25:54.0437 3988 [ 1DF7F42665C94B825322FAE71721130D ] NDIS C:\WINDOWS\system32\drivers\NDIS.sys
11:25:54.0437 3988 NDIS - ok
11:25:54.0468 3988 [ 0109C4F3850DFBAB279542515386AE22 ] NdisTapi C:\WINDOWS\system32\DRIVERS\ndistapi.sys
11:25:54.0484 3988 NdisTapi - ok
11:25:54.0484 3988 [ F927A4434C5028758A842943EF1A3849 ] Ndisuio C:\WINDOWS\system32\DRIVERS\ndisuio.sys
11:25:54.0484 3988 Ndisuio - ok
11:25:54.0500 3988 [ EDC1531A49C80614B2CFDA43CA8659AB ] NdisWan C:\WINDOWS\system32\DRIVERS\ndiswan.sys
11:25:54.0500 3988 NdisWan - ok
11:25:54.0515 3988 [ 9282BD12DFB069D3889EB3FCC1000A9B ] NDProxy C:\WINDOWS\system32\drivers\NDProxy.sys
11:25:54.0531 3988 NDProxy - ok
11:25:54.0531 3988 NecUsb - ok
11:25:54.0578 3988 [ 51C6D8BFBD4EA5B62A1BA7F4469250D3 ] Net Driver HPZ12 C:\WINDOWS\system32\HPZinw12.dll
11:25:54.0578 3988 Net Driver HPZ12 - ok
11:25:54.0578 3988 [ 5D81CF9A2F1A3A756B66CF684911CDF0 ] NetBIOS C:\WINDOWS\system32\DRIVERS\netbios.sys
11:25:54.0578 3988 NetBIOS - ok
11:25:54.0609 3988 [ 74B2B2F5BEA5E9A3DC021D685551BD3D ] NetBT C:\WINDOWS\system32\DRIVERS\netbt.sys
11:25:54.0609 3988 NetBT - ok
11:25:54.0656 3988 [ B857BA82860D7FF85AE29B095645563B ] NetDDE C:\WINDOWS\system32\netdde.exe
11:25:54.0656 3988 NetDDE - ok
11:25:54.0671 3988 [ B857BA82860D7FF85AE29B095645563B ] NetDDEdsdm C:\WINDOWS\system32\netdde.exe
11:25:54.0671 3988 NetDDEdsdm - ok
11:25:54.0687 3988 [ 1265EB253ED4EBE4ACB3BD5F548FF796 ] Netdevio C:\WINDOWS\system32\DRIVERS\netdevio.sys
11:25:54.0703 3988 Netdevio - ok
11:25:54.0734 3988 [ BF2466B3E18E970D8A976FB95FC1CA85 ] Netlogon C:\WINDOWS\system32\lsass.exe
11:25:54.0734 3988 Netlogon - ok
11:25:54.0765 3988 [ 13E67B55B3ABD7BF3FE7AAE5A0F9A9DE ] Netman C:\WINDOWS\System32\netman.dll
11:25:54.0765 3988 Netman - ok
11:25:54.0781 3988 [ E9E47CFB2D461FA0FC75B7A74C6383EA ] NIC1394 C:\WINDOWS\system32\DRIVERS\nic1394.sys
11:25:54.0781 3988 NIC1394 - ok
11:25:54.0828 3988 [ 943337D786A56729263071623BBB9DE5 ] Nla C:\WINDOWS\System32\mswsock.dll
11:25:54.0843 3988 Nla - ok
11:25:54.0875 3988 [ 3182D64AE053D6FB034F44B6DEF8034A ] Npfs C:\WINDOWS\system32\drivers\Npfs.sys
11:25:54.0875 3988 Npfs - ok
11:25:54.0937 3988 [ 78A08DD6A8D65E697C18E1DB01C5CDCA ] Ntfs C:\WINDOWS\system32\drivers\Ntfs.sys
11:25:54.0953 3988 Ntfs - ok
11:25:54.0953 3988 [ BF2466B3E18E970D8A976FB95FC1CA85 ] NtLmSsp C:\WINDOWS\system32\lsass.exe
11:25:54.0968 3988 NtLmSsp - ok
11:25:55.0000 3988 [ 156F64A3345BD23C600655FB4D10BC08 ] NtmsSvc C:\WINDOWS\system32\ntmssvc.dll
11:25:55.0031 3988 NtmsSvc - ok
11:25:55.0078 3988 [ 73C1E1F395918BC2C6DD67AF7591A3AD ] Null C:\WINDOWS\system32\drivers\Null.sys
11:25:55.0078 3988 Null - ok
11:25:55.0109 3988 [ 2C2FD0E6B0180F94C260DD26706AA5F4 ] NWCWorkstation C:\WINDOWS\System32\nwwks.dll
11:25:55.0125 3988 NWCWorkstation - ok
11:25:55.0140 3988 [ B305F3FAD35083837EF46A0BBCE2FC57 ] NwlnkFlt C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
11:25:55.0140 3988 NwlnkFlt - ok
11:25:55.0171 3988 [ C99B3415198D1AAB7227F2C88FD664B9 ] NwlnkFwd C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
11:25:55.0171 3988 NwlnkFwd - ok
11:25:55.0171 3988 [ 8B8B1BE2DBA4025DA6786C645F77F123 ] NwlnkIpx C:\WINDOWS\system32\DRIVERS\nwlnkipx.sys
11:25:55.0171 3988 NwlnkIpx - ok
11:25:55.0203 3988 [ 56D34A67C05E94E16377C60609741FF8 ] NwlnkNb C:\WINDOWS\system32\DRIVERS\nwlnknb.sys
11:25:55.0203 3988 NwlnkNb - ok
11:25:55.0218 3988 [ C0BB7D1615E1ACBDC99757F6CEAF8CF0 ] NwlnkSpx C:\WINDOWS\system32\DRIVERS\nwlnkspx.sys
11:25:55.0218 3988 NwlnkSpx - ok
11:25:55.0234 3988 [ 36B9B950E3D2E100970A48D8BAD86740 ] NWRDR C:\WINDOWS\system32\DRIVERS\nwrdr.sys
11:25:55.0234 3988 NWRDR - ok
11:25:55.0406 3988 [ 1F0E05DFF4F5A833168E49BE1256F002 ] odserv C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE
11:25:55.0421 3988 odserv - ok
11:25:55.0437 3988 [ CA33832DF41AFB202EE7AEB05145922F ] ohci1394 C:\WINDOWS\system32\DRIVERS\ohci1394.sys
11:25:55.0437 3988 ohci1394 - ok
11:25:55.0500 3988 [ 5A432A042DAE460ABE7199B758E8606C ] ose C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
11:25:55.0500 3988 ose - ok
11:25:55.0546 3988 [ 5575FAF8F97CE5E713D108C2A58D7C7C ] Parport C:\WINDOWS\system32\drivers\Parport.sys
11:25:55.0546 3988 Parport - ok
11:25:55.0546 3988 [ BEB3BA25197665D82EC7065B724171C6 ] PartMgr C:\WINDOWS\system32\drivers\PartMgr.sys
11:25:55.0546 3988 PartMgr - ok
11:25:55.0578 3988 [ 70E98B3FD8E963A6A46A2E6247E0BEA1 ] ParVdm C:\WINDOWS\system32\drivers\ParVdm.sys
11:25:55.0578 3988 ParVdm - ok
11:25:55.0578 3988 [ A219903CCF74233761D92BEF471A07B1 ] PCI C:\WINDOWS\system32\DRIVERS\pci.sys
11:25:55.0593 3988 PCI - ok
11:25:55.0593 3988 PCIDump - ok
11:25:55.0593 3988 [ CCF5F451BB1A5A2A522A76E670000FF0 ] PCIIde C:\WINDOWS\system32\DRIVERS\pciide.sys
11:25:55.0593 3988 PCIIde - ok
11:25:55.0625 3988 [ 9E89EF60E9EE05E3F2EEF2DA7397F1C1 ] Pcmcia C:\WINDOWS\system32\DRIVERS\pcmcia.sys
11:25:55.0625 3988 Pcmcia - ok
11:25:55.0625 3988 PDCOMP - ok
11:25:55.0640 3988 PDFRAME - ok
11:25:55.0640 3988 PDRELI - ok
11:25:55.0640 3988 PDRFRAME - ok
11:25:55.0656 3988 perc2 - ok
11:25:55.0656 3988 perc2hib - ok
11:25:55.0671 3988 [ 444F122E68DB44C0589227781F3C8B3F ] Pfc C:\WINDOWS\system32\drivers\pfc.sys
11:25:55.0671 3988 Pfc - ok
11:25:55.0687 3988 [ 65DF52F5B8B6E9BBD183505225C37315 ] PlugPlay C:\WINDOWS\system32\services.exe
11:25:55.0703 3988 PlugPlay - ok
11:25:55.0718 3988 [ 79834AA2FBF9FE81EEBB229024F6F7FC ] Pml Driver HPZ12 C:\WINDOWS\system32\HPZipm12.dll
11:25:55.0734 3988 Pml Driver HPZ12 - ok
11:25:55.0765 3988 [ CF7C1868B90C90A265FC3F60CE46265B ] Point32 C:\WINDOWS\system32\DRIVERS\point32.sys
11:25:55.0765 3988 Point32 - ok
11:25:55.0765 3988 [ BF2466B3E18E970D8A976FB95FC1CA85 ] PolicyAgent C:\WINDOWS\system32\lsass.exe
11:25:55.0781 3988 PolicyAgent - ok
11:25:55.0781 3988 pop3d32 - ok
11:25:55.0796 3988 [ EFEEC01B1D3CF84F16DDD24D9D9D8F99 ] PptpMiniport C:\WINDOWS\system32\DRIVERS\raspptp.sys
11:25:55.0812 3988 PptpMiniport - ok
11:25:55.0812 3988 [ BF2466B3E18E970D8A976FB95FC1CA85 ] ProtectedStorage C:\WINDOWS\system32\lsass.exe
11:25:55.0812 3988 ProtectedStorage - ok
11:25:55.0828 3988 [ 09298EC810B07E5D582CB3A3F9255424 ] PSched C:\WINDOWS\system32\DRIVERS\psched.sys
11:25:55.0828 3988 PSched - ok
11:25:55.0828 3988 PTDCBus - ok
11:25:55.0843 3988 PTDCMdm - ok
11:25:55.0843 3988 PTDCVsp - ok
11:25:55.0843 3988 [ 80D317BD1C3DBC5D4FE7B1678C60CADD ] Ptilink C:\WINDOWS\system32\DRIVERS\ptilink.sys
11:25:55.0843 3988 Ptilink - ok
11:25:55.0859 3988 [ 86724469CD077901706854974CD13C3E ] PxHelp20 C:\WINDOWS\system32\Drivers\PxHelp20.sys
11:25:55.0859 3988 PxHelp20 - ok
11:25:55.0859 3988 ql1080 - ok
11:25:55.0859 3988 Ql10wnt - ok
11:25:55.0875 3988 ql12160 - ok
11:25:55.0875 3988 ql1240 - ok
11:25:55.0875 3988 ql1280 - ok
11:25:55.0906 3988 [ FE0D99D6F31E4FAD8159F690D68DED9C ] RasAcd C:\WINDOWS\system32\DRIVERS\rasacd.sys
11:25:55.0906 3988 RasAcd - ok
11:25:55.0953 3988 [ AD188BE7BDF94E8DF4CA0A55C00A5073 ] RasAuto C:\WINDOWS\System32\rasauto.dll
11:25:55.0953 3988 RasAuto - ok
11:25:55.0984 3988 [ 11B4A627BC9614B885C4969BFA5FF8A6 ] Rasl2tp C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
11:25:55.0984 3988 Rasl2tp - ok
11:25:56.0046 3988 [ 76A9A3CBEADD68CC57CDA5E1D7448235 ] RasMan C:\WINDOWS\System32\rasmans.dll
11:25:56.0046 3988 RasMan - ok
11:25:56.0062 3988 [ 5BC962F2654137C9909C3D4603587DEE ] RasPppoe C:\WINDOWS\system32\DRIVERS\raspppoe.sys
11:25:56.0062 3988 RasPppoe - ok
11:25:56.0062 3988 [ FDBB1D60066FCFBB7452FD8F9829B242 ] Raspti C:\WINDOWS\system32\DRIVERS\raspti.sys
11:25:56.0062 3988 Raspti - ok
11:25:56.0093 3988 [ 7AD224AD1A1437FE28D89CF22B17780A ] Rdbss C:\WINDOWS\system32\DRIVERS\rdbss.sys
11:25:56.0109 3988 Rdbss - ok
11:25:56.0156 3988 [ 4912D5B403614CE99C28420F75353332 ] RDPCDD C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
11:25:56.0156 3988 RDPCDD - ok
11:25:56.0203 3988 [ 15CABD0F7C00C47C70124907916AF3F1 ] rdpdr C:\WINDOWS\system32\DRIVERS\rdpdr.sys
11:25:56.0218 3988 rdpdr - ok
11:25:56.0250 3988 [ FC105DD312ED64EB66BFF111E8EC6EAC ] RDPWD C:\WINDOWS\system32\drivers\RDPWD.sys
11:25:56.0265 3988 RDPWD - ok
11:25:56.0281 3988 [ 3C37BF86641BDA977C3BF8A840F3B7FA ] RDSessMgr C:\WINDOWS\system32\sessmgr.exe
11:25:56.0312 3988 RDSessMgr - ok
11:25:56.0328 3988 [ F828DD7E1419B6653894A8F97A0094C5 ] redbook C:\WINDOWS\system32\DRIVERS\redbook.sys
11:25:56.0328 3988 redbook - ok
11:25:56.0359 3988 [ 1B2857EF12D79A9F9ADBA14B0637CBF8 ] RegSrvc C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
11:25:56.0359 3988 RegSrvc - ok
11:25:56.0406 3988 [ 7E699FF5F59B5D9DE5390E3C34C67CF5 ] RemoteAccess C:\WINDOWS\System32\mprdim.dll
11:25:56.0406 3988 RemoteAccess - ok
11:25:56.0453 3988 [ 5B19B557B0C188210A56A6B699D90B8F ] RemoteRegistry C:\WINDOWS\system32\regsvc.dll
11:25:56.0468 3988 RemoteRegistry - ok
11:25:56.0468 3988 rootmodem - ok
11:25:56.0468 3988 [ AAED593F84AFA419BBAE8572AF87CF6A ] RpcLocator C:\WINDOWS\system32\locator.exe
11:25:56.0484 3988 RpcLocator - ok
11:25:56.0500 3988 [ 6B27A5C03DFB94B4245739065431322C ] RpcSs C:\WINDOWS\system32\rpcss.dll
11:25:56.0515 3988 RpcSs - ok
11:25:56.0578 3988 [ 471B3F9741D762ABE75E9DEEA4787E47 ] RSVP C:\WINDOWS\system32\rsvp.exe
11:25:56.0578 3988 RSVP - ok
11:25:56.0656 3988 [ 6C5155CC0E805C7BE6028BFF7AC14524 ] S24EventMonitor C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
11:25:56.0656 3988 S24EventMonitor - ok
11:25:56.0671 3988 [ 1CC074E0D48383D4E9BFFC6A26C2A58A ] s24trans C:\WINDOWS\system32\DRIVERS\s24trans.sys
11:25:56.0671 3988 s24trans - ok
11:25:56.0703 3988 [ BF2466B3E18E970D8A976FB95FC1CA85 ] SamSs C:\WINDOWS\system32\lsass.exe
11:25:56.0703 3988 SamSs - ok
11:25:56.0750 3988 [ 86D007E7A654B9A71D1D7D856B104353 ] SCardSvr C:\WINDOWS\System32\SCardSvr.exe
11:25:56.0765 3988 SCardSvr - ok
11:25:56.0781 3988 [ 0A9A7365A1CA4319AA7C1D6CD8E4EAFA ] Schedule C:\WINDOWS\system32\schedsvc.dll
11:25:56.0796 3988 Schedule - ok
11:25:56.0843 3988 [ 8D04819A3CE51B9EB47E5689B44D43C4 ] sdbus C:\WINDOWS\system32\DRIVERS\sdbus.sys
11:25:56.0843 3988 sdbus - ok
11:25:56.0890 3988 [ 90A3935D05B494A5A39D37E71F09A677 ] Secdrv C:\WINDOWS\system32\DRIVERS\secdrv.sys
11:25:56.0890 3988 Secdrv - ok
11:25:56.0953 3988 [ CBE612E2BB6A10E3563336191EDA1250 ] seclogon C:\WINDOWS\System32\seclogon.dll
11:25:56.0968 3988 seclogon - ok
11:25:56.0968 3988 [ 7FDD5D0684ECA8C1F68B4D99D124DCD0 ] SENS C:\WINDOWS\system32\sens.dll
11:25:56.0984 3988 SENS - ok
11:25:57.0015 3988 [ CCA207A8896D4C6A0C9CE29A4AE411A7 ] Serial C:\WINDOWS\system32\drivers\Serial.sys
11:25:57.0031 3988 Serial - ok
11:25:57.0046 3988 [ 0FA803C64DF0914B41F807EA276BF2A6 ] sffdisk C:\WINDOWS\system32\DRIVERS\sffdisk.sys
11:25:57.0062 3988 sffdisk - ok
11:25:57.0078 3988 [ C17C331E435ED8737525C86A7557B3AC ] sffp_sd C:\WINDOWS\system32\DRIVERS\sffp_sd.sys
11:25:57.0078 3988 sffp_sd - ok
11:25:57.0109 3988 [ 8E6B8C671615D126FDC553D1E2DE5562 ] Sfloppy C:\WINDOWS\system32\drivers\Sfloppy.sys
11:25:57.0109 3988 Sfloppy - ok
11:25:57.0156 3988 [ 83F41D0D89645D7235C051AB1D9523AC ] SharedAccess C:\WINDOWS\System32\ipnathlp.dll
11:25:57.0171 3988 SharedAccess - ok
11:25:57.0203 3988 [ 99BC0B50F511924348BE19C7C7313BBF ] ShellHWDetection C:\WINDOWS\System32\shsvcs.dll
11:25:57.0203 3988 ShellHWDetection - ok
11:25:57.0218 3988 Simbad - ok
11:25:57.0265 3988 [ B9DE57348D93B28739C70B04EEE9D133 ] smihlp C:\Program Files\Protector Suite QL\smihlp.sys
11:25:57.0265 3988 smihlp - ok
11:25:57.0265 3988 Sparrow - ok
11:25:57.0281 3988 [ AB8B92451ECB048A4D1DE7C3FFCB4A9F ] splitter C:\WINDOWS\system32\drivers\splitter.sys
11:25:57.0296 3988 splitter - ok
11:25:57.0328 3988 [ 60784F891563FB1B767F70117FC2428F ] Spooler C:\WINDOWS\system32\spoolsv.exe
11:25:57.0343 3988 Spooler - ok
11:25:57.0359 3988 [ 76BB022C2FB6902FD5BDD4F78FC13A5D ] sr C:\WINDOWS\system32\DRIVERS\sr.sys
11:25:57.0359 3988 sr - ok
11:25:57.0406 3988 [ 3805DF0AC4296A34BA4BF93B346CC378 ] srservice C:\WINDOWS\system32\srsvc.dll
11:25:57.0421 3988 srservice - ok
11:25:57.0468 3988 [ 47DDFC2F003F7F9F0592C6874962A2E7 ] Srv C:\WINDOWS\system32\DRIVERS\srv.sys
11:25:57.0484 3988 Srv - ok
11:25:57.0484 3988 [ 0A5679B3714EDAB99E357057EE88FCA6 ] SSDPSRV C:\WINDOWS\System32\ssdpsrv.dll
11:25:57.0500 3988 SSDPSRV - ok
11:25:57.0500 3988 SSPORT - ok
11:25:57.0562 3988 [ 8BAD69CBAC032D4BBACFCE0306174C30 ] stisvc C:\WINDOWS\system32\wiaservc.dll
11:25:57.0578 3988 stisvc - ok
11:25:57.0625 3988 [ 3941D127AEF12E93ADDF6FE6EE027E0F ] swenum C:\WINDOWS\system32\DRIVERS\swenum.sys
11:25:57.0625 3988 swenum - ok
11:25:57.0656 3988 [ 8CE882BCC6CF8A62F2B2323D95CB3D01 ] swmidi C:\WINDOWS\system32\drivers\swmidi.sys
11:25:57.0671 3988 swmidi - ok
11:25:57.0671 3988 SwPrv - ok
11:25:57.0718 3988 [ 486A64AABD88E4E174681E89E9736BC9 ] Swupdtmr c:\Toshiba\IVP\swupdate\swupdtmr.exe
11:25:57.0718 3988 Swupdtmr - ok
11:25:57.0734 3988 symc810 - ok
11:25:57.0734 3988 symc8xx - ok
11:25:57.0750 3988 sym_hi - ok
11:25:57.0750 3988 sym_u3 - ok
11:25:57.0796 3988 [ 8B83F3ED0F1688B4958F77CD6D2BF290 ] sysaudio C:\WINDOWS\system32\drivers\sysaudio.sys
11:25:57.0796 3988 sysaudio - ok
11:25:57.0828 3988 [ C7ABBC59B43274B1109DF6B24D617051 ] SysmonLog C:\WINDOWS\system32\smlogsvc.exe
11:25:57.0843 3988 SysmonLog - ok
11:25:57.0875 3988 [ 3CB78C17BB664637787C9A1C98F79C38 ] TapiSrv C:\WINDOWS\System32\tapisrv.dll
11:25:57.0890 3988 TapiSrv - ok
11:25:57.0937 3988 [ 7147B0575BCC93A6AB7D5C90F47C0B9F ] tbiosdrv C:\WINDOWS\system32\DRIVERS\tbiosdrv.sys
11:25:57.0937 3988 tbiosdrv - ok
11:25:58.0000 3988 [ 9AEFA14BD6B182D61E3119FA5F436D3D ] Tcpip C:\WINDOWS\system32\DRIVERS\tcpip.sys
11:25:58.0015 3988 Tcpip - ok
11:25:58.0031 3988 [ FC6FE02F400308606A911640E72326B5 ] TcUsb C:\WINDOWS\system32\Drivers\tcusb.sys
11:25:58.0031 3988 TcUsb - ok
11:25:58.0062 3988 [ 6471A66807F5E104E4885F5B67349397 ] TDPIPE C:\WINDOWS\system32\drivers\TDPIPE.sys
11:25:58.0062 3988 TDPIPE - ok
11:25:58.0078 3988 [ C56B6D0402371CF3700EB322EF3AAF61 ] TDTCP C:\WINDOWS\system32\drivers\TDTCP.sys
11:25:58.0078 3988 TDTCP - ok
11:25:58.0109 3988 [ 88155247177638048422893737429D9E ] TermDD C:\WINDOWS\system32\DRIVERS\termdd.sys
11:25:58.0109 3988 TermDD - ok
11:25:58.0156 3988 [ FF3477C03BE7201C294C35F684B3479F ] TermService C:\WINDOWS\System32\termsrv.dll
11:25:58.0171 3988 TermService - ok
11:25:58.0203 3988 [ 99BC0B50F511924348BE19C7C7313BBF ] Themes C:\WINDOWS\System32\shsvcs.dll
11:25:58.0203 3988 Themes - ok
11:25:58.0234 3988 [ 244CFBFFDEFB77F3DF571A8CD108FC06 ] tifm21 C:\WINDOWS\system32\drivers\tifm21.sys
11:25:58.0234 3988 tifm21 - ok
11:25:58.0281 3988 [ DB7205804759FF62C34E3EFD8A4CC76A ] TlntSvr C:\WINDOWS\system32\tlntsvr.exe
11:25:58.0281 3988 TlntSvr - ok
11:25:58.0296 3988 TosIde - ok
11:25:58.0312 3988 [ 9FFFFB4C5B06C7B75E8159F1106006AC ] TPwSav C:\WINDOWS\system32\Drivers\TPwSav.sys
11:25:58.0312 3988 TPwSav - ok
11:25:58.0359 3988 [ 55BCA12F7F523D35CA3CB833C725F54E ] TrkWks C:\WINDOWS\system32\trkwks.dll
11:25:58.0359 3988 TrkWks - ok
11:25:58.0421 3988 [ CC6763889198EF975B143D49789BCFA9 ] Tvs C:\WINDOWS\system32\DRIVERS\Tvs.sys
11:25:58.0421 3988 Tvs - ok
11:25:58.0453 3988 [ 5787B80C2E3C5E2F56C2A233D91FA2C9 ] Udfs C:\WINDOWS\system32\drivers\Udfs.sys
11:25:58.0453 3988 Udfs - ok
11:25:58.0468 3988 ultra - ok
11:25:58.0500 3988 [ 9651E5D850B6F6BD7C77C70AA06F02BF ] UMWdf C:\WINDOWS\system32\wdfmgr.exe
11:25:58.0515 3988 UMWdf - ok
11:25:58.0578 3988 [ 402DDC88356B1BAC0EE3DD1580C76A31 ] Update C:\WINDOWS\system32\DRIVERS\update.sys
11:25:58.0593 3988 Update - ok
11:25:58.0625 3988 [ 1EBAFEB9A3FBDC41B8D9C7F0F687AD91 ] upnphost C:\WINDOWS\System32\upnphost.dll
11:25:58.0640 3988 upnphost - ok
11:25:58.0640 3988 [ 05365FB38FCA1E98F7A566AAAF5D1815 ] UPS C:\WINDOWS\System32\ups.exe
11:25:58.0656 3988 UPS - ok
11:25:58.0656 3988 upsmonservice - ok
11:25:58.0687 3988 [ 173F317CE0DB8E21322E71B7E60A27E8 ] usbccgp C:\WINDOWS\system32\DRIVERS\usbccgp.sys
11:25:58.0687 3988 usbccgp - ok
11:25:58.0703 3988 [ 65DCF09D0E37D4C6B11B5B0B76D470A7 ] usbehci C:\WINDOWS\system32\DRIVERS\usbehci.sys
11:25:58.0703 3988 usbehci - ok
11:25:58.0718 3988 [ 1AB3CDDE553B6E064D2E754EFE20285C ] usbhub C:\WINDOWS\system32\DRIVERS\usbhub.sys
11:25:58.0734 3988 usbhub - ok
11:25:58.0765 3988 [ 0DAECCE65366EA32B162F85F07C6753B ] usbohci C:\WINDOWS\system32\DRIVERS\usbohci.sys
11:25:58.0765 3988 usbohci - ok
11:25:58.0765 3988 [ A717C8721046828520C9EDF31288FC00 ] usbprint C:\WINDOWS\system32\DRIVERS\usbprint.sys
11:25:58.0765 3988 usbprint - ok
11:25:58.0796 3988 [ A0B8CF9DEB1184FBDD20784A58FA75D4 ] usbscan C:\WINDOWS\system32\DRIVERS\usbscan.sys
11:25:58.0796 3988 usbscan - ok
11:25:58.0843 3988 [ A32426D9B14A089EAA1D922E0C5801A9 ] USBSTOR C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
11:25:58.0843 3988 USBSTOR - ok
11:25:58.0906 3988 [ 26496F9DEE2D787FC3E61AD54821FFE6 ] usbuhci C:\WINDOWS\system32\DRIVERS\usbuhci.sys
11:25:58.0906 3988 usbuhci - ok
11:25:58.0921 3988 [ 0D3A8FAFCEACD8B7625CD549757A7DF1 ] VgaSave C:\WINDOWS\System32\drivers\vga.sys
11:25:58.0921 3988 VgaSave - ok
11:25:58.0921 3988 ViaIde - ok
11:25:58.0953 3988 [ 4C8FCB5CC53AAB716D810740FE59D025 ] VolSnap C:\WINDOWS\system32\drivers\VolSnap.sys
11:25:58.0953 3988 VolSnap - ok
11:25:59.0000 3988 [ 7A9DB3A67C333BF0BD42E42B8596854B ] VSS C:\WINDOWS\System32\vssvc.exe
11:25:59.0000 3988 VSS - ok
11:25:59.0031 3988 [ 54AF4B1D5459500EF0937F6D33B1914F ] W32Time C:\WINDOWS\system32\w32time.dll
11:25:59.0046 3988 W32Time - ok
11:25:59.0156 3988 [ B1F126E7E28877106D60E6FF3998D033 ] w39n51 C:\WINDOWS\system32\DRIVERS\w39n51.sys
11:25:59.0171 3988 w39n51 - ok
11:25:59.0218 3988 [ E20B95BAEDB550F32DD489265C1DA1F6 ] Wanarp C:\WINDOWS\system32\DRIVERS\wanarp.sys
11:25:59.0218 3988 Wanarp - ok
11:25:59.0281 3988 [ 0A716C08CB13C3A8F4F51E882DBF7416 ] wanatw C:\WINDOWS\system32\DRIVERS\wanatw4.sys
11:25:59.0281 3988 wanatw - ok
11:25:59.0281 3988 WDICA - ok
11:25:59.0328 3988 [ 6768ACF64B18196494413695F0C3A00F ] wdmaud C:\WINDOWS\system32\drivers\wdmaud.sys
11:25:59.0328 3988 wdmaud - ok
11:25:59.0375 3988 [ 77A354E28153AD2D5E120A5A8687BC06 ] WebClient C:\WINDOWS\System32\webclnt.dll
11:25:59.0390 3988 WebClient - ok
11:25:59.0453 3988 [ 2D0E4ED081963804CCC196A0929275B5 ] winmgmt C:\WINDOWS\system32\wbem\WMIsvc.dll
11:25:59.0468 3988 winmgmt - ok
11:25:59.0515 3988 [ B9715B9C18BC6C8F4B66733D208CC9F7 ] WmdmPmSN C:\WINDOWS\system32\MsPMSNSv.dll
11:25:59.0515 3988 WmdmPmSN - ok
11:25:59.0578 3988 [ E76F8807070ED04E7408A86D6D3A6137 ] Wmi C:\WINDOWS\System32\advapi32.dll
11:25:59.0593 3988 Wmi - ok
11:25:59.0625 3988 [ E0673F1106E62A68D2257E376079F821 ] WmiApSrv C:\WINDOWS\system32\wbem\wmiapsrv.exe
11:25:59.0625 3988 WmiApSrv - ok
11:25:59.0671 3988 [ BBAEACA1FFA3C86361CF0998474F6C3A ] WpdUsb C:\WINDOWS\system32\Drivers\wpdusb.sys
11:25:59.0671 3988 WpdUsb - ok
11:25:59.0671 3988 WSearch - ok
11:25:59.0718 3988 [ 81DC3F549F44B1C1FFF022DEC9ECF30B ] WZCSVC C:\WINDOWS\System32\wzcsvc.dll
11:25:59.0750 3988 WZCSVC - ok
11:25:59.0781 3988 [ 295D21F14C335B53CB8154E5B1F892B9 ] xmlprov C:\WINDOWS\System32\xmlprov.dll
11:25:59.0796 3988 xmlprov - ok
11:25:59.0812 3988 zpnodecollector - ok
11:25:59.0812 3988 ================ Scan global ===============================
11:25:59.0859 3988 [ 42F1F4C0AFB08410E5F02D4B13EBB623 ] C:\WINDOWS\system32\basesrv.dll
11:25:59.0906 3988 [ 95CF3446911A6E25EE4086DF8A45B2AA ] C:\WINDOWS\system32\winsrv.dll
11:25:59.0921 3988 [ 95CF3446911A6E25EE4086DF8A45B2AA ] C:\WINDOWS\system32\winsrv.dll
11:25:59.0968 3988 [ 65DF52F5B8B6E9BBD183505225C37315 ] C:\WINDOWS\system32\services.exe
11:25:59.0968 3988 [Global] - ok
11:25:59.0968 3988 ================ Scan MBR ==================================
11:26:00.0000 3988 [ 671B81004FDD1588FA9ED1331C9CECA9 ] \Device\Harddisk0\DR0
11:26:00.0156 3988 \Device\Harddisk0\DR0 - ok
11:26:00.0156 3988 ================ Scan VBR ==================================
11:26:00.0171 3988 [ E8C7F0E5E3F12D1FD71DA7AE008A2D8B ] \Device\Harddisk0\DR0\Partition1
11:26:00.0171 3988 \Device\Harddisk0\DR0\Partition1 - ok
11:26:00.0171 3988 ============================================================
11:26:00.0171 3988 Scan finished
11:26:00.0171 3988 ============================================================
11:26:00.0187 3112 Detected object count: 0
11:26:00.0187 3112 Actual detected object count: 0
11:27:30.0109 4044 Deinitialize success
RogueKiller V8.2.1 [10/29/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website: http://tigzy.geekstogo.com/roguekiller.php
Blog: http://tigzyrk.blogspot.com
Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : Kit Romney [Admin rights]
Mode : Scan -- Date : 10/26/2012 11:29:32
¤¤¤ Bad processes : 0 ¤¤¤
¤¤¤ Registry Entries : 3 ¤¤¤
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyPics (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyMusic (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
¤¤¤ Particular Files / Folders: ¤¤¤
¤¤¤ Driver : [LOADED] ¤¤¤
¤¤¤ HOSTS File: ¤¤¤
--> C:\WINDOWS\system32\drivers\etc\hosts
¤¤¤ MBR Check: ¤¤¤
+++++ PhysicalDrive0: TOSHIBA MK1234GSX +++++
--- User ---
[MBR] 02bc6b37f47a09f182f144f9037007a3
[BSP] 5e47b50246e58b794bca04f29dd90dd8 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 114282 Mo
User = LL1 ... OK!
User = LL2 ... OK!
Finished : << RKreport[1].txt >>
RKreport[1].txt
RogueKiller V8.2.1 [10/29/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website: http://tigzy.geekstogo.com/roguekiller.php
Blog: http://tigzyrk.blogspot.com
Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : Kit Romney [Admin rights]
Mode : Remove -- Date : 10/26/2012 11:29:45
¤¤¤ Bad processes : 0 ¤¤¤
¤¤¤ Registry Entries : 3 ¤¤¤
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyPics (0) -> REPLACED (1)
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyMusic (0) -> REPLACED (1)
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> REPLACED (0)
¤¤¤ Particular Files / Folders: ¤¤¤
¤¤¤ Driver : [LOADED] ¤¤¤
¤¤¤ HOSTS File: ¤¤¤
--> C:\WINDOWS\system32\drivers\etc\hosts
¤¤¤ MBR Check: ¤¤¤
+++++ PhysicalDrive0: TOSHIBA MK1234GSX +++++
--- User ---
[MBR] 02bc6b37f47a09f182f144f9037007a3
[BSP] 5e47b50246e58b794bca04f29dd90dd8 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 114282 Mo
User = LL1 ... OK!
User = LL2 ... OK!
Finished : << RKreport[2].txt >>
RKreport[1].txt ; RKreport[2].txt
aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-10-29 19:24:12
-----------------------------
19:24:12.359 OS Version: Windows 5.1.2600 Service Pack 3
19:24:12.359 Number of processors: 2 586 0xE08
19:24:12.359 ComputerName: ROMCOM UserName:
19:24:12.937 Initialize success
19:24:13.046 AVAST engine defs: 12102901
19:24:38.140 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
19:24:38.140 Disk 0 Vendor: TOSHIBA_MK1234GSX AH001A Size: 114282MB BusType: 3
19:24:38.171 Disk 0 MBR read successfully
19:24:38.171 Disk 0 MBR scan
19:24:38.171 Disk 0 unknown MBR code
19:24:38.171 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 114282 MB offset 63
19:24:38.187 Disk 0 scanning sectors +234050985
19:24:38.250 Disk 0 scanning C:\WINDOWS\system32\drivers
19:24:47.421 Service scanning
19:25:03.890 Modules scanning
19:25:09.187 Module: C:\WINDOWS\System32\DLA\DLADResN.SYS **SUSPICIOUS**
19:25:11.015 Disk 0 trace - called modules:
19:25:11.046 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
19:25:11.046 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86b25ab8]
19:25:11.046 3 CLASSPNP.SYS[f76acfd7] -> nt!IofCallDriver -> \Device\00000082[0x86b7c9e8]
19:25:11.046 5 ACPI.sys[f7603620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x86b28940]
19:25:11.546 AVAST engine scan C:\WINDOWS
19:25:17.984 AVAST engine scan C:\WINDOWS\system32
19:27:02.312 AVAST engine scan C:\WINDOWS\system32\drivers
19:27:18.562 AVAST engine scan C:\Documents and Settings\Kit Romney
19:25:04.968 AVAST engine scan C:\Documents and Settings\All Users
19:25:28.593 Scan finished successfully
19:26:53.984 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Kit Romney\My Documents\Compromised\MBR.dat"
19:26:54.000 The log file has been saved successfully to "C:\Documents and Settings\Kit Romney\My Documents\Compromised\aswMBR.txt"

 

 

 

-----

 

PLease re-run MBAM one more time and post new log.

Then...

Create new restore point before proceeding with the next step....
How to:
- Windows 7: http://www.howtogeek.com/howto/3195/create-a-system-restore-point-in-windows-7/
- Vista: http://www.howtogeek.com/howto/wind...tore-point-for-windows-vistas-system-restore/
- XP: http://support.microsoft.com/kb/948247

====================================

Please download ComboFix from Here, Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

  • Never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    If the connection is not there use restore point you created prior to running Combofix.
  • Double click on combofix.exe & follow the prompts.

  • NOTE1. If Combofix asks you to install Recovery Console, please allow it.
    NOTE 2. If Combofix asks you to update the program, always do so.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt"

**Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
**Note 2 for AVG and CA Internet Security (Total Defense Internet Security) users: ComboFix will not run until AVG/CA Internet Security is uninstalled as a protective measure against the anti-virus. This is because AVG/CA Internet Security "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG/CA Internet Security cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG/CA Internet Security first.
Use AppRemover to uninstall it: http://www.appremover.com/
We can reinstall it when we're done with CF.
**Note 3: If you receive an error "Illegal operation attempted on a registery key that has been marked for deletion", restart computer to fix the issue.
**Note 4: Some infections may take some significant time to be cured. As long as your computer clock is running Combofix is still working. Be patient.


Make sure, you re-enable your security programs, when you're done with Combofix.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NOTE.
If, for some reason, Combofix refuses to run, try the following...

Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
Do NOT run it yet.
Download Rkill (courtesy of BleepingComputer.com) to your desktop.
There are 2 different versions. If one of them won't run then download and try to run the other one.
You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

rKill.exe: http://www.bleepingcomputer.com/download/rkill/dl/10/
iExplore.exe (renamed rKill.exe): http://www.bleepingcomputer.com/download/rkill/dl/11/

Restart computer in safe mode
 

  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • Do not reboot until instructed.
  • If the tool does not run from any of the links provided, please let me know.


When the scan is done Notepad will open with rKill.txt log.
NOTE. rKill.txt log will also be present on your desktop.

Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

IF you had to run rKill post BOTH logs, rKill.txt and Combofix.txt.

 

 

 

 

MBAM log

Malwarebytes Anti-Malware 1.65.1.1000
www.malwarebytes.org

Database version: v2012.10.25.02

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Kit Romney :: ROMCOM [administrator]

10/29/2012 8:11:07 PM
mbam-log-2012-10-29 (20-11-07).txt

Scan type: Full scan (C:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 306403
Time elapsed: 1 hour(s), 8 minute(s), 47 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

 

 

-------

 

 

I tried to run ComboFix, but it was unsuccessful. I disabled AV beforehand, ran ComboFix, installed Recovery Console, it said it found a rootkit, was scanning I believe, and I let it run overnight with no change in screen. I had to reset the comptuer. I'll go back to the recovery point I set beforehand and try it again, but it will be a couple of days because the computer is not with me here.

Thank you for your help BTW!

 

 

-----

 

Do NOT use restore point.

Re-run Combofix from safe mode.

 

 

 

-----

 

 

I re-ran combofix in Safe Mode like you said, and it failed and froze the screen in the same manner.  I can't get combofix to run and complete.



BC AdBot (Login to Remove)

 


#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,773 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:12:38 PM

Posted 08 April 2013 - 01:09 AM


Hello jibberjive

I would like to welcome you to the Malware Removal section of the forum.

Around here they call me Gringo and I will be glad to help you with your malware problems.


I found your other topic and it is pretty old so some of the programs I am going to have you rerun.


Very Important --> Please read this post completely, I have spent my time to put together somethings for you to keep in mind while I am helping you to make things go easier, faster and smoother for both of us!

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the "Follow This Topic" Button, make sure that the "Receive notification" box is checked and that it is set to "Instantly" - This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planed. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.




These are the programs I would like you to run next, if you have any problems with these just skip it and run the next one.

-Security Check-
  • Download Security Check by screen317 from here.
    • Save it to your Desktop.
    • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
-AdwCleaner-
  • Please download AdwCleaner by Xplode onto your desktop.
    • Close all open programs and internet browsers.
    • Double click on AdwCleaner.exe to run the tool.
    • Click on Delete.
    • Confirm each time with Ok.
    • Your computer will be rebooted automatically. A text file will open after the restart.
    • Please post the content of that logfile with your next answer.
    • You can find the logfile at C:\AdwCleaner[S1].txt as well.
--RogueKiller--
  • Download & SAVE to your Desktop RogueKiller for 32bit or Roguekiller for 64bit
    • Quit all programs that you may have started.
    • Please disconnect any USB or external drives from the computer before you run this scan!
    • For Vista or Windows 7, right-click and select "Run as Administrator to start"
    • For Windows XP, double-click to start.
    • Wait until Prescan has finished ...
    • Then Click on "Scan" button
    • Wait until the Status box shows "Scan Finished"
    • click on "delete"
    • Wait until the Status box shows "Deleting Finished"
    • Click on "Report" and copy/paste the content of the Notepad into your next reply.
    • The log should be found in RKreport[1].txt on your Desktop
    • Exit/Close RogueKiller+
  • Gringo




I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#3 jibberjive

jibberjive
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:10:38 AM

Posted 08 April 2013 - 05:58 AM

Here are the requested logs.  Thanks!

 

 

 

 Results of screen317's Security Check version 0.99.62  
 Windows XP Service Pack 3 x86   
 Internet Explorer 8  
``````````````Antivirus/Firewall Check:`````````````` 
 Windows Firewall Enabled!  
Please wait while WMIC compiles updated MOF files.d 
ECHO is off.
ECHO is off.
ECHO is off.
ECHO is off.
 Antivirus up to date!  
`````````Anti-malware/Other Utilities Check:````````` 
 Malwarebytes Anti-Malware version 1.70.0.1100  
 Google Chrome 25.0.1364.172  
 Google Chrome 26.0.1410.43  
````````Process Check: objlist.exe by Laurent````````  
 Microsoft Security Essentials MSMpEng.exe 
 Microsoft Security Essentials msseces.exe 
 Malwarebytes Anti-Malware mbamservice.exe  
 Malwarebytes Anti-Malware mbamgui.exe  
 Malwarebytes' Anti-Malware mbamscheduler.exe   
`````````````````System Health check````````````````` 
 Total Fragmentation on Drive C:: 16% Defragment your hard drive soon! (Do NOT defrag if SSD!)
````````````````````End of Log`````````````````````` 
 
 
 
 

# AdwCleaner v2.200 - Logfile created 04/05/2013 at 13:04:31
# Updated 02/04/2013 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : Kit Romney - ROMCOM
# Boot Mode : Normal
# Running from : C:\Documents and Settings\Kit Romney\Desktop\adwcleaner.exe
# Option [Delete]
 
 
***** [Services] *****
 
 
***** [Files / Folders] *****
 
File Deleted : C:\DOCUME~1\KITROM~1\LOCALS~1\Temp\Uninstall.exe
Folder Deleted : C:\Documents and Settings\NetworkService\Application Data\AVG Secure Search
 
***** [Registry] *****
 
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{95B7759C-8C7F-4BF1-B163-73684A933233}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F25AF245-4A81-40DC-92F9-E9021F207706}
Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl
Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtl.1
Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtlSecondary
Key Deleted : HKLM\SOFTWARE\Classes\AxMetaStream.MetaStreamCtlSecondary.1
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{03F998B2-0E00-11D3-A498-00104B6EB52E}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{9C049BA6-EA47-4AC3-AED6-A66D8DC9E1D8}
Key Deleted : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{03F998B2-0E00-11D3-A498-00104B6EB52E}
Key Deleted : HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\AVG Secure Search
Key Deleted : HKLM\Software\Viewpoint
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}]
 
***** [Internet Browsers] *****
 
-\\ Internet Explorer v8.0.6001.18702
 
Replaced : [HKCU\Software\Microsoft\Internet Explorer\Main - Start Page] = hxxp://isearch.avg.com/?cid={1F7D29C3-16C7-4B64-ACF9-942694919C8E}&mid=daff645c40f647d1926dd15a444fc400-dc8a35e27b159582503f872ea4d88e5f5a20b51b&lang=en&ds=ts025&pr=sa&d=2012-02-03 21:49:27&v=8.0.0.34&sap=hp --> hxxp://www.google.com
 
-\\ Google Chrome v26.0.1410.43
 
File : C:\Documents and Settings\Kit Romney\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences
 
Deleted [l.2004] : homepage = "hxxp://isearch.avg.com/?cid={1F7D29C3-16C7-4B64-ACF9-942694919C8E}&mid=daff645c40f64[...]
 
*************************
 
AdwCleaner[R1].txt - [3038 octets] - [05/04/2013 13:00:30]
AdwCleaner[S1].txt - [2926 octets] - [05/04/2013 13:04:31]
 
########## EOF - C:\AdwCleaner[S1].txt - [2986 octets] ##########
 
 
 
 

RogueKiller V8.5.4 [Mar 18 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
 
Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : Kit Romney [Admin rights]
Mode : Remove -- Date : 04/05/2013 13:09:39
| ARK || FAK || MBR |
 
¤¤¤ Bad processes : 0 ¤¤¤
 
¤¤¤ Registry Entries : 1 ¤¤¤
[HJPOL] HKCU\[...]\System : disableregistrytools (0) -> DELETED
 
¤¤¤ Particular Files / Folders: ¤¤¤
 
¤¤¤ Driver : [LOADED] ¤¤¤
 
¤¤¤ HOSTS File: ¤¤¤
--> C:\WINDOWS\system32\drivers\etc\hosts
 
 
 
¤¤¤ MBR Check: ¤¤¤
 
+++++ PhysicalDrive0: TOSHIBA MK1234GSX +++++
--- User ---
[MBR] 02bc6b37f47a09f182f144f9037007a3
[BSP] 5e47b50246e58b794bca04f29dd90dd8 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 114282 Mo
User = LL1 ... OK!
User = LL2 ... OK!
 
Finished : << RKreport[4]_D_04052013_02d1309.txt >>
RKreport[1].txt ; RKreport[2].txt ; RKreport[3]_S_04052013_02d1255.txt ; RKreport[4]_D_04052013_02d1309.txt
 
 
 


#4 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,773 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:12:38 PM

Posted 08 April 2013 - 07:05 AM


Hello jibberjive

I know this will probably not run but just try it once for me

Please print out or make a copy in notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." Please restart the computer

"information and logs"
  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

  • Gringo




I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#5 jibberjive

jibberjive
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:10:38 AM

Posted 08 April 2013 - 09:21 AM

So, it started out hopeful when it said it had found a zero access root kit in the "TCP/IP" something (if I recall correctly).  It said that this is a particularly tough infection, and that it may take a while.  After about 3 or 4 hours, the cursor stopped blinking, and eventually the machine froze up.  I'm not sure how to proceed from here.



#6 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,773 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:12:38 PM

Posted 08 April 2013 - 12:45 PM


Hello jibberjive

I would like you to try this to see if combofix will run

combofix
ComboFix /nombr
  • push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
  • please copy and past the following into the box
    • click ok
  • copy and paste the report into this topic for me to review

    Gringo



I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#7 jibberjive

jibberjive
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:10:38 AM

Posted 08 April 2013 - 09:38 PM

Success with ComboFix!  Logs as follows:

 

 

ComboFix 13-04-08.02 - Kit Romney 04/08/2013   9:24.1.2 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1014.524 [GMT -6:00]
Running from: c:\documents and settings\Kit Romney\Desktop\ComboFix.exe
Command switches used :: /nombr
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\WINDOWS
c:\documents and settings\All Users\Application Data\fLT0l671.exe.b
c:\documents and settings\Default User\WINDOWS
c:\documents and settings\Kit Romney\WINDOWS
c:\windows\system32\Cache
c:\windows\system32\Cache\272512937d9e61a4.fb
c:\windows\system32\Cache\28bc8f716fd76a47.fb
c:\windows\system32\Cache\590ba23ce359fd0c.fb
c:\windows\system32\Cache\651c5d3cdbfb8bd1.fb
c:\windows\system32\Cache\6c59ac5e7e7a3ad0.fb
c:\windows\system32\Cache\ac47b4c848637eb3.fb
c:\windows\system32\Cache\ad10a52aff5e038d.fb
c:\windows\system32\Cache\b13f7d528776d706.fb
c:\windows\system32\Cache\d201ef9910cd39de.fb
c:\windows\system32\config\systemprofile\WINDOWS
c:\windows\system32\dds_trash_log.cmd
c:\windows\system32\URTTemp
c:\windows\system32\URTTemp\fusion.dll
c:\windows\system32\URTTemp\mscoree.dll
c:\windows\system32\URTTemp\mscoree.dll.local
c:\windows\system32\URTTemp\mscorsn.dll
c:\windows\system32\URTTemp\mscorwks.dll
c:\windows\system32\URTTemp\msvcr71.dll
c:\windows\system32\URTTemp\regtlib.exe
c:\windows\system32\vrlogon.dll
.
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_IAS
-------\Service_Ias
.
.
(((((((((((((((((((((((((   Files Created from 2013-03-08 to 2013-04-08  )))))))))))))))))))))))))))))))
.
.
2013-04-05 19:32 . 2013-03-15 06:21 7108640 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2013-04-05 19:31 . 2013-04-02 10:33 237088 ------w- c:\windows\system32\MpSigStub.exe
2013-04-05 19:27 . 2013-04-05 19:28 -------- d-----w- c:\program files\Microsoft Security Client
2013-04-05 19:25 . 2013-03-15 06:21 7108640 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{EB5D7963-33C2-478E-8005-8ACCEBFE3BE6}\mpengine.dll
2013-04-05 19:18 . 2013-04-05 19:18 -------- d-----w- c:\windows\system32\XPSViewer
2013-04-05 19:18 . 2013-04-05 19:18 -------- d-----w- c:\program files\MSBuild
2013-04-05 19:18 . 2013-04-05 19:18 -------- d-----w- c:\program files\Reference Assemblies
2013-04-05 19:17 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
2013-04-05 19:16 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2013-04-05 19:16 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2013-04-05 19:16 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2013-04-05 19:16 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2013-04-05 19:16 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2013-04-05 19:16 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2013-04-05 19:16 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2013-04-05 19:16 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2013-04-05 19:16 . 2013-04-05 19:17 -------- d-----w- C:\bef121c1d38053a19e3131833acc31
2013-04-05 19:10 . 2008-03-07 17:02 98304 -c----w- c:\windows\system32\dllcache\nlhtml.dll
2013-04-05 19:10 . 2008-03-07 17:02 29696 -c----w- c:\windows\system32\dllcache\mimefilt.dll
2013-04-05 19:10 . 2008-03-07 17:02 192000 -c----w- c:\windows\system32\dllcache\offfilt.dll
2013-04-05 19:09 . 2013-04-05 19:09 -------- d-----w- c:\program files\Windows Media Connect 2
2013-04-05 19:06 . 2013-04-05 19:07 -------- d-----w- c:\windows\system32\drivers\UMDF
2013-04-05 19:05 . 2011-08-16 10:45 6144 -c----w- c:\windows\system32\dllcache\iecompat.dll
2013-04-05 19:05 . 2013-04-05 19:05 -------- d--h--w- c:\windows\system32\GroupPolicy
2013-04-05 18:56 . 2013-04-05 18:56 -------- d-----w- c:\documents and settings\Kit Romney\Local Settings\Application Data\VS Revo Group
2013-04-05 18:56 . 2013-04-05 18:56 -------- d-----w- c:\documents and settings\All Users\Application Data\VS Revo Group
2013-04-05 18:56 . 2009-12-30 16:20 27064 ----a-w- c:\windows\system32\drivers\revoflt.sys
2013-04-05 18:56 . 2013-04-05 18:56 -------- d-----w- c:\program files\VS Revo Group
2013-04-05 18:55 . 2013-04-05 18:45 -------- d-----w- c:\windows\SxsCaPendDel
2013-04-05 18:54 . 2013-04-05 18:54 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2013-04-05 18:54 . 2012-12-14 22:49 21104 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-03-24 13:52 . 2013-02-12 00:32 12928 -c----w- c:\windows\system32\dllcache\usb8023x.sys
2013-03-24 13:52 . 2013-02-12 00:32 12928 -c----w- c:\windows\system32\dllcache\usb8023.sys
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-03-06 22:32 . 2012-10-25 08:37 228600 ----a-w- c:\windows\system32\aswBoot.exe
2013-02-12 00:32 . 2008-10-02 18:44 12928 ------w- c:\windows\system32\drivers\usb8023x.sys
2013-02-12 00:32 . 2006-02-16 20:59 12928 ----a-w- c:\windows\system32\drivers\usb8023.sys
2013-02-05 20:05 . 2006-02-16 20:59 916480 ----a-w- c:\windows\system32\wininet.dll
2013-02-05 20:05 . 2006-02-16 20:59 43520 ----a-w- c:\windows\system32\licmgr10.dll
2013-02-05 20:05 . 2006-02-16 20:59 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2013-02-05 05:53 . 2006-02-16 20:59 385024 ----a-w- c:\windows\system32\html.iec
2013-01-26 03:55 . 2006-02-16 20:59 552448 ----a-w- c:\windows\system32\oleaut32.dll
2013-01-20 21:59 . 2013-01-20 21:59 195296 ----a-w- c:\windows\system32\drivers\MpFilter.sys
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"RTHDCPL"="RTHDCPL.EXE" [2005-12-09 15691264]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2004-03-24 196608]
"TPNF"="c:\program files\TOSHIBA\TouchPad\TPTray.exe" [2005-12-14 53248]
"Whitney2_S2P"="c:\program files\Samsung\Samsung SCX-4725 Series\SPanel\RCP\Scan2pc.exe" [2007-01-26 245760]
"Samsung PanelMgr"="c:\windows\Samsung\PanelMgr\ssmmgr.exe" [2008-03-18 536576]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2008-06-10 1442888]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2008-06-10 1406024]
"Dell AIO Printer A940"="c:\program files\Dell AIO Printer A940\dlbabmgr.exe" [2003-02-17 86102]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2012-11-29 63048]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2013-01-27 947152]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\MRI_DISABLED
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2006-2-20 155648]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoThumbnailCache"= 1 (0x1)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2012-12-18 16:33 92664 ----a-w- c:\windows\system32\LMIinit.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2006-01-14 02:40 40448 ----a-w- c:\windows\system32\psqlpwd.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ   msv1_0 nwprovau
Notification Packages REG_MULTI_SZ   scecli psqlpwd
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Desktop Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Desktop Search.lnk
backup=c:\windows\pss\Windows Desktop Search.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Kristina  Romney^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\Kristina  Romney\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CFSServ.exe]
CFSServ.exe -NoClient [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
2005-10-15 14:29 88203 ----a-w- c:\windows\agrsmmsg.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CeEKEY]
2005-12-01 19:13 671744 ----a-w- c:\program files\TOSHIBA\E-KEY\CeEKey.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLA]
2005-10-06 13:20 122940 ----a-w- c:\windows\system32\DLA\DLACTRLW.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HWSetup]
2004-05-01 21:45 28672 ----a-w- c:\program files\TOSHIBA\TOSHIBA Applet\HWSetup.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
2005-11-28 21:52 77824 ----a-w- c:\windows\system32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
2005-11-28 21:55 118784 ----a-w- c:\windows\system32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
2005-11-28 21:55 98304 ----a-w- c:\windows\system32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelWireless]
2005-11-28 18:41 602182 ----a-w- c:\program files\Intel\Wireless\Bin\iFrmewrk.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelZeroConfig]
2005-12-05 19:37 667718 ----a-w- c:\program files\Intel\Wireless\Bin\ZCfgSvc.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LtMoh]
2004-08-18 11:37 184320 ----a-w- c:\program files\ltmoh\ltmoh.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PadTouch]
2005-07-15 18:52 1077322 ----a-w- c:\program files\TOSHIBA\Touch and Launch\PadExe.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pinger]
2005-03-18 01:37 151552 ----a-w- c:\toshiba\IVP\ISM\pinger.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PSQLLauncher]
2006-01-14 02:28 30208 ----a-w- c:\program files\Protector Suite QL\launcher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmoothView]
2005-04-27 00:13 122880 ----a-w- c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SVPWUTIL]
2004-05-01 21:45 65536 ----a-w- c:\program files\TOSHIBA\Windows Utilities\SVPWUTIL.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TCtryIOHook]
2006-01-04 00:11 28672 ----a-w- c:\windows\system32\TCtrlIOHook.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TDispVol]
2005-12-27 21:22 73728 ----a-w- c:\windows\system32\TDispVol.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPSMain]
2005-06-01 01:16 282624 ----a-w- c:\windows\system32\TPSMain.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tvs]
2005-11-30 20:25 73728 ----a-w- c:\program files\TOSHIBA\Tvs\TvsTray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ZoomingHook]
2005-06-06 17:58 24576 ----a-w- c:\windows\system32\ZoomingHook.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AOL ACS"=2 (0x2)
"AOL TopSpeedMonitor"=2 (0x2)
"CFSvcs"=2 (0x2)
"DVD-RAM_Service"=2 (0x2)
"gusvc"=3 (0x3)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\\TOSHIBA\\IVP\\ISM\\pinger.exe
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\TOSHIBA\\ConfigFree\\CFXFER.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"=
.
R2 FdRedir;FdRedir;c:\program files\Common Files\Protector Suite QL\Drivers\FdRedir.sys [1/13/2006 8:52 PM 13568]
R2 FileDisk2;FileDisk Protector Kernel Driver;c:\program files\Common Files\Protector Suite QL\Drivers\filedisk.sys [1/13/2006 8:52 PM 33024]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [12/18/2012 10:32 AM 375296]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [11/29/2012 12:56 PM 12856]
R2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [4/5/2013 12:54 PM 398184]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [4/5/2013 12:54 PM 682344]
R2 smihlp;SMI helper driver;c:\program files\Protector Suite QL\smihlp.sys [1/13/2006 8:24 PM 3456]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [4/5/2013 12:54 PM 21104]
S1 MpKsl18df13ef;MpKsl18df13ef;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{EB5D7963-33C2-478E-8005-8ACCEBFE3BE6}\MpKsl18df13ef.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{EB5D7963-33C2-478E-8005-8ACCEBFE3BE6}\MpKsl18df13ef.sys [?]
S2 NecUsb;USB Service;c:\windows\System32\svchost.exe -k NecUsbSevice [2/16/2006 2:59 PM 14336]
S2 SSPORT;SSPORT; [x]
S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [4/5/2013 12:56 PM 27064]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ   Pml Driver HPZ12 Net Driver HPZ12
NecUsbSevice REG_MULTI_SZ   NecUsb
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost  - NetSvcs
upsmonservice
pop3d32
rootmodem
mdmxsdk
zpnodecollector
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-04-02 15:50 1642448 ----a-w- c:\program files\Google\Chrome\Application\26.0.1410.43\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-04-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-28 20:12]
.
2013-04-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-28 20:12]
.
2013-04-08 c:\windows\Tasks\Microsoft Antimalware Scheduled Scan.job
- c:\program files\Microsoft Security Client\MpCmdRun.exe [2013-01-27 17:11]
.
2008-11-30 c:\windows\Tasks\Microsoft_Hardware_Launch_IPoint_exe.job
- c:\program files\Microsoft IntelliPoint\ipoint.exe [2008-06-10 19:56]
.
2008-11-30 c:\windows\Tasks\Microsoft_Hardware_Launch_IType_exe.job
- c:\program files\Microsoft IntelliType Pro\itype.exe [2008-06-10 19:56]
.
2006-09-27 c:\windows\Tasks\Registration reminder 3.job
- c:\windows\system32\OOBE\oobebaln.exe [2006-02-16 00:12]
.
2013-04-08 c:\windows\Tasks\User_Feed_Synchronization-{7D76021F-7634-419C-BD33-87124734F52D}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 10:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 75.75.76.76 75.75.75.75
.
- - - - ORPHANS REMOVED - - - -
.
HKU-Default-RunOnce-FlashPlayerUpdate - c:\windows\system32\Macromed\Flash\FlashUtil10i_ActiveX.exe
Notify-NecUsb3Sevice - USB3Nw32.dll
Notify-USB3Nw32 - USB3Nw32.dll
SafeBoot-mcmscsvc
SafeBoot-MCODS
MSConfigStartUp-NDSTray - NDSTray.exe
MSConfigStartUp-Pure Networks Port Magic - c:\progra~1\PURENE~1\PORTMA~1\PortAOL.exe
MSConfigStartUp-TFncKy - TFncKy.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-04-08 09:23
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ... 
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,7c,57,41,90,09,64,23,4c,b4,1c,a3,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,7c,57,41,90,09,64,23,4c,b4,1c,a3,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(880)
c:\windows\system32\LMIinit.dll
c:\windows\system32\psqlpwd.dll
c:\program files\Protector Suite QL\infra.dll
c:\program files\Protector Suite QL\homefus2.dll
c:\windows\system32\biologon.dll
c:\program files\Protector Suite QL\homepass.dll
c:\program files\Protector Suite QL\bio.dll
c:\program files\Protector Suite QL\remote.dll
.
- - - - - - - > 'lsass.exe'(936)
c:\windows\system32\psqlpwd.dll
c:\program files\Protector Suite QL\infra.dll
c:\program files\Protector Suite QL\homefus2.dll
.
- - - - - - - > 'explorer.exe'(3232)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Protector Suite QL\mysafe.dll
c:\program files\Protector Suite QL\infra.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Client\MsMpEng.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\toshiba\IVP\swupdate\swupdtmr.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe
c:\windows\system32\SearchIndexer.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\dllhost.exe
c:\windows\eHome\ehmsas.exe
c:\windows\RTHDCPL.EXE
c:\program files\Apoint2K\Apntex.exe
c:\program files\Dell AIO Printer A940\dlbabmon.exe
.
**************************************************************************
.
Completion time: 2013-04-08  09:29:53 - machine was rebooted
ComboFix-quarantined-files.txt  2013-04-08 15:29
.
Pre-Run: 89,377,329,152 bytes free
Post-Run: 90,138,210,304 bytes free
.
- - End Of File - - FB887502AC094E3B018E5F087A50BFDA


#8 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,773 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:12:38 PM

Posted 08 April 2013 - 10:03 PM

How are things doing now?

gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#9 jibberjive

jibberjive
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:10:38 AM

Posted 08 April 2013 - 11:49 PM

It's running fine, no detectable redirects, though there hasn't been any detectable redirects since before I started this thread in this forum.  Ideally I am looking to confirm that the rootkit is all cleaned out now that combofix successfully ran.  Do you think that took care of everything?



#10 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,773 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:12:38 PM

Posted 09 April 2013 - 12:18 AM


Hello jibberjive

At this time I would like you to run this script for me and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Please start by opening Notepad and copy/paste the text in the box into the window:
ClearJavaCache::

NoMBR::
 
Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
CFScriptB-4.gif
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." Please restart the computer

"information and logs"
  • In your next post I need the following
    • report from Combofix
      • let me know of any problems you may have had
        • How is the computer doing now after running the script?
      Gringo



I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#11 jibberjive

jibberjive
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:10:38 AM

Posted 09 April 2013 - 02:02 AM

So when I ran it again as instructed, it proceeded the same as before, and said that it detected a rootkit in the tcp/ip stack.  So maybe the first time didn't get rid of the rootkit?  Log below:

 

 

 

ComboFix 13-04-08.04 - Kit Romney 04/08/2013   9:23.2.2 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1014.669 [GMT -6:00]
Running from: c:\documents and settings\Kit Romney\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Kit Romney\Desktop\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
(((((((((((((((((((((((((   Files Created from 2013-03-08 to 2013-04-08  )))))))))))))))))))))))))))))))
.
.
2013-04-08 15:43 . 2013-03-15 06:21 7108640 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{D2789291-9425-4802-9425-1EF16CF1B105}\mpengine.dll
2013-04-05 19:32 . 2013-03-15 06:21 7108640 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2013-04-05 19:31 . 2013-04-02 10:33 237088 ------w- c:\windows\system32\MpSigStub.exe
2013-04-05 19:27 . 2013-04-05 19:28 -------- d-----w- c:\program files\Microsoft Security Client
2013-04-05 19:18 . 2013-04-08 16:13 -------- d-----w- c:\windows\system32\XPSViewer
2013-04-05 19:18 . 2013-04-05 19:18 -------- d-----w- c:\program files\MSBuild
2013-04-05 19:18 . 2013-04-05 19:18 -------- d-----w- c:\program files\Reference Assemblies
2013-04-05 19:17 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
2013-04-05 19:16 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2013-04-05 19:16 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2013-04-05 19:16 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2013-04-05 19:16 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2013-04-05 19:16 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2013-04-05 19:16 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2013-04-05 19:16 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2013-04-05 19:16 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2013-04-05 19:16 . 2013-04-05 19:17 -------- d-----w- C:\bef121c1d38053a19e3131833acc31
2013-04-05 19:10 . 2008-03-07 17:02 98304 -c----w- c:\windows\system32\dllcache\nlhtml.dll
2013-04-05 19:10 . 2008-03-07 17:02 29696 -c----w- c:\windows\system32\dllcache\mimefilt.dll
2013-04-05 19:10 . 2008-03-07 17:02 192000 -c----w- c:\windows\system32\dllcache\offfilt.dll
2013-04-05 19:09 . 2013-04-05 19:09 -------- d-----w- c:\program files\Windows Media Connect 2
2013-04-05 19:06 . 2013-04-05 19:07 -------- d-----w- c:\windows\system32\drivers\UMDF
2013-04-05 19:05 . 2011-08-16 10:45 6144 -c----w- c:\windows\system32\dllcache\iecompat.dll
2013-04-05 19:05 . 2013-04-05 19:05 -------- d--h--w- c:\windows\system32\GroupPolicy
2013-04-05 18:56 . 2013-04-05 18:56 -------- d-----w- c:\documents and settings\Kit Romney\Local Settings\Application Data\VS Revo Group
2013-04-05 18:56 . 2013-04-05 18:56 -------- d-----w- c:\documents and settings\All Users\Application Data\VS Revo Group
2013-04-05 18:56 . 2009-12-30 16:20 27064 ----a-w- c:\windows\system32\drivers\revoflt.sys
2013-04-05 18:56 . 2013-04-05 18:56 -------- d-----w- c:\program files\VS Revo Group
2013-04-05 18:55 . 2013-04-05 18:45 -------- d-----w- c:\windows\SxsCaPendDel
2013-04-05 18:54 . 2013-04-05 18:54 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2013-04-05 18:54 . 2012-12-14 22:49 21104 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-03-24 13:52 . 2013-02-12 00:32 12928 -c----w- c:\windows\system32\dllcache\usb8023x.sys
2013-03-24 13:52 . 2013-02-12 00:32 12928 -c----w- c:\windows\system32\dllcache\usb8023.sys
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-03-06 22:32 . 2012-10-25 08:37 228600 ----a-w- c:\windows\system32\aswBoot.exe
2013-02-12 00:32 . 2008-10-02 18:44 12928 ------w- c:\windows\system32\drivers\usb8023x.sys
2013-02-12 00:32 . 2006-02-16 20:59 12928 ----a-w- c:\windows\system32\drivers\usb8023.sys
2013-02-05 20:05 . 2006-02-16 20:59 916480 ----a-w- c:\windows\system32\wininet.dll
2013-02-05 20:05 . 2006-02-16 20:59 43520 ----a-w- c:\windows\system32\licmgr10.dll
2013-02-05 20:05 . 2006-02-16 20:59 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2013-02-05 05:53 . 2006-02-16 20:59 385024 ----a-w- c:\windows\system32\html.iec
2013-01-26 03:55 . 2006-02-16 20:59 552448 ----a-w- c:\windows\system32\oleaut32.dll
2013-01-20 21:59 . 2013-01-20 21:59 195296 ----a-w- c:\windows\system32\drivers\MpFilter.sys
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"RTHDCPL"="RTHDCPL.EXE" [2005-12-09 15691264]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2004-03-24 196608]
"TPNF"="c:\program files\TOSHIBA\TouchPad\TPTray.exe" [2005-12-14 53248]
"Whitney2_S2P"="c:\program files\Samsung\Samsung SCX-4725 Series\SPanel\RCP\Scan2pc.exe" [2007-01-26 245760]
"Samsung PanelMgr"="c:\windows\Samsung\PanelMgr\ssmmgr.exe" [2008-03-18 536576]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2008-06-10 1442888]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2008-06-10 1406024]
"Dell AIO Printer A940"="c:\program files\Dell AIO Printer A940\dlbabmgr.exe" [2003-02-17 86102]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2012-11-29 63048]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2013-01-27 947152]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\MRI_DISABLED
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2006-2-20 155648]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoThumbnailCache"= 1 (0x1)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2012-12-18 16:33 92664 ----a-w- c:\windows\system32\LMIinit.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\psfus]
2006-01-14 02:40 40448 ----a-w- c:\windows\system32\psqlpwd.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ    msv1_0 nwprovau
Notification Packages REG_MULTI_SZ    scecli psqlpwd
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Desktop Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Desktop Search.lnk
backup=c:\windows\pss\Windows Desktop Search.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Kristina  Romney^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\Kristina  Romney\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CFSServ.exe]
CFSServ.exe -NoClient [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
2005-10-15 14:29 88203 ----a-w- c:\windows\agrsmmsg.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CeEKEY]
2005-12-01 19:13 671744 ----a-w- c:\program files\TOSHIBA\E-KEY\CeEKey.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLA]
2005-10-06 13:20 122940 ----a-w- c:\windows\system32\DLA\DLACTRLW.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HWSetup]
2004-05-01 21:45 28672 ----a-w- c:\program files\TOSHIBA\TOSHIBA Applet\HWSetup.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
2005-11-28 21:52 77824 ----a-w- c:\windows\system32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
2005-11-28 21:55 118784 ----a-w- c:\windows\system32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
2005-11-28 21:55 98304 ----a-w- c:\windows\system32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelWireless]
2005-11-28 18:41 602182 ----a-w- c:\program files\Intel\Wireless\Bin\iFrmewrk.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelZeroConfig]
2005-12-05 19:37 667718 ----a-w- c:\program files\Intel\Wireless\Bin\ZCfgSvc.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LtMoh]
2004-08-18 11:37 184320 ----a-w- c:\program files\ltmoh\ltmoh.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PadTouch]
2005-07-15 18:52 1077322 ----a-w- c:\program files\TOSHIBA\Touch and Launch\PadExe.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pinger]
2005-03-18 01:37 151552 ----a-w- c:\toshiba\IVP\ISM\pinger.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PSQLLauncher]
2006-01-14 02:28 30208 ----a-w- c:\program files\Protector Suite QL\launcher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmoothView]
2005-04-27 00:13 122880 ----a-w- c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SVPWUTIL]
2004-05-01 21:45 65536 ----a-w- c:\program files\TOSHIBA\Windows Utilities\SVPWUTIL.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TCtryIOHook]
2006-01-04 00:11 28672 ----a-w- c:\windows\system32\TCtrlIOHook.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TDispVol]
2005-12-27 21:22 73728 ----a-w- c:\windows\system32\TDispVol.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPSMain]
2005-06-01 01:16 282624 ----a-w- c:\windows\system32\TPSMain.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tvs]
2005-11-30 20:25 73728 ----a-w- c:\program files\TOSHIBA\Tvs\TvsTray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ZoomingHook]
2005-06-06 17:58 24576 ----a-w- c:\windows\system32\ZoomingHook.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AOL ACS"=2 (0x2)
"AOL TopSpeedMonitor"=2 (0x2)
"CFSvcs"=2 (0x2)
"DVD-RAM_Service"=2 (0x2)
"gusvc"=3 (0x3)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\\TOSHIBA\\IVP\\ISM\\pinger.exe
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\TOSHIBA\\ConfigFree\\CFXFER.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"=
.
R2 FdRedir;FdRedir;c:\program files\Common Files\Protector Suite QL\Drivers\FdRedir.sys [1/13/2006 8:52 PM 13568]
R2 FileDisk2;FileDisk Protector Kernel Driver;c:\program files\Common Files\Protector Suite QL\Drivers\filedisk.sys [1/13/2006 8:52 PM 33024]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [12/18/2012 10:32 AM 375296]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [11/29/2012 12:56 PM 12856]
R2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [4/5/2013 12:54 PM 398184]
R2 smihlp;SMI helper driver;c:\program files\Protector Suite QL\smihlp.sys [1/13/2006 8:24 PM 3456]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [4/5/2013 12:54 PM 21104]
S1 MpKsl18df13ef;MpKsl18df13ef;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{EB5D7963-33C2-478E-8005-8ACCEBFE3BE6}\MpKsl18df13ef.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{EB5D7963-33C2-478E-8005-8ACCEBFE3BE6}\MpKsl18df13ef.sys [?]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [4/5/2013 12:54 PM 682344]
S2 NecUsb;USB Service;c:\windows\System32\svchost.exe -k NecUsbSevice [2/16/2006 2:59 PM 14336]
S2 SSPORT;SSPORT; [x]
S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [4/5/2013 12:56 PM 27064]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ    Pml Driver HPZ12 Net Driver HPZ12
NecUsbSevice REG_MULTI_SZ    NecUsb
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost  - NetSvcs
upsmonservice
pop3d32
rootmodem
mdmxsdk
zpnodecollector
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2013-04-02 15:50 1642448 ----a-w- c:\program files\Google\Chrome\Application\26.0.1410.43\Installer\chrmstp.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-04-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-28 20:12]
.
2013-04-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-28 20:12]
.
2013-04-08 c:\windows\Tasks\Microsoft Antimalware Scheduled Scan.job
- c:\program files\Microsoft Security Client\MpCmdRun.exe [2013-01-27 17:11]
.
2008-11-30 c:\windows\Tasks\Microsoft_Hardware_Launch_IPoint_exe.job
- c:\program files\Microsoft IntelliPoint\ipoint.exe [2008-06-10 19:56]
.
2008-11-30 c:\windows\Tasks\Microsoft_Hardware_Launch_IType_exe.job
- c:\program files\Microsoft IntelliType Pro\itype.exe [2008-06-10 19:56]
.
2006-09-27 c:\windows\Tasks\Registration reminder 3.job
- c:\windows\system32\OOBE\oobebaln.exe [2006-02-16 00:12]
.
2013-04-08 c:\windows\Tasks\User_Feed_Synchronization-{7D76021F-7634-419C-BD33-87124734F52D}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 10:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: DhcpNameServer = 75.75.76.76 75.75.75.75
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-04-08 09:38
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,7c,57,41,90,09,64,23,4c,b4,1c,a3,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,7c,57,41,90,09,64,23,4c,b4,1c,a3,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(876)
c:\windows\system32\LMIinit.dll
c:\windows\system32\psqlpwd.dll
c:\program files\Protector Suite QL\infra.dll
c:\program files\Protector Suite QL\homefus2.dll
c:\windows\system32\biologon.dll
c:\program files\Protector Suite QL\homepass.dll
c:\program files\Protector Suite QL\bio.dll
c:\program files\Protector Suite QL\remote.dll
.
- - - - - - - > 'lsass.exe'(932)
c:\windows\system32\psqlpwd.dll
c:\program files\Protector Suite QL\infra.dll
c:\program files\Protector Suite QL\homefus2.dll
.
Completion time: 2013-04-08  09:40:28
ComboFix-quarantined-files.txt  2013-04-08 15:40
ComboFix2.txt  2013-04-08 15:29
.
Pre-Run: 88,868,200,448 bytes free
Post-Run: 88,906,588,160 bytes free
.
- - End Of File - - D92DDC60BE12B17759F1EDB42762D838
 



#12 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,773 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:12:38 PM

Posted 09 April 2013 - 02:04 AM


Hello jibberjive

I have seen that happen with XP before and it is ok

I would like to see a report that combofix makes.

extra combofix report
C:\Qoobox\Add-Remove Programs.txt
  • push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
  • please copy and past the following into the box
    • click ok
  • copy and paste the report into this topic for me to review

    Gringo



I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#13 jibberjive

jibberjive
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:10:38 AM

Posted 09 April 2013 - 02:13 AM

Requested log:

 

 

32 Bit HP CIO Components Installer
7-Zip 9.20
ALPS Touch Pad Driver
BufferChm
CD/DVD Drive Acoustic Silencer
Dell AIO Printer A940
DVD-RAM Driver
ESET Online Scanner v3
Google Chrome
Google Update Helper
High Definition Audio Driver Package - KB888111
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB2570791)
Hotfix for Windows XP (KB2779562)
Hotfix for Windows XP (KB915800-v4)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
Intel® Graphics Media Accelerator Driver
Intel® PRO Network Connections Drivers
Intel® PROSet/Wireless Software
InterVideo WinDVD Creator 2
InterVideo WinDVD for TOSHIBA
LogMeIn
Malwarebytes Anti-Malware version 1.70.0.1100
mCore
mDrWiFi
mHelp
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2742597)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft Application Error Reporting
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft IntelliPoint 6.3
Microsoft IntelliType Pro 6.3
Microsoft Office 2007 Service Pack 3 (SP3)
Microsoft Office Excel MUI (English) 2007
Microsoft Office File Validation Add-In
Microsoft Office Home and Student 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Security Client
Microsoft Security Essentials
Microsoft Software Update for Web Folders  (English) 12
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
mIWA
mLogView
mMHouse
mPfMgr
mPfWiz
mProSafe
mWlsSafe
mXML
mZConfig
Office 2003 Trial Assistant
Protector Suite 5.4
Readiris Pro 10
Realtek High Definition Audio Driver
Revo Uninstaller Pro 3.0.2
Samsung SCX-4725 Series
SD Secure Module
Security Update for Microsoft Office 2007 suites (KB2596615) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596672) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596744) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596754) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596792) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2596871) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2597969) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2687311) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2687441) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2687499) 32-Bit Edition
Security Update for Microsoft Office 2007 suites (KB2760416) 32-Bit Edition
Security Update for Microsoft Office Excel 2007 (KB2687307) 32-Bit Edition
Security Update for Microsoft Office InfoPath 2007 (KB2687440) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition
Security Update for Microsoft Office Word 2007 (KB2760421) 32-Bit Edition
Security Update for Microsoft Windows (KB2564958)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB2416400)
Security Update for Windows Internet Explorer 8 (KB2482017)
Security Update for Windows Internet Explorer 8 (KB2497640)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2530548)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2559049)
Security Update for Windows Internet Explorer 8 (KB2761465)
Security Update for Windows Internet Explorer 8 (KB2792100)
Security Update for Windows Internet Explorer 8 (KB2797052)
Security Update for Windows Internet Explorer 8 (KB2799329)
Security Update for Windows Internet Explorer 8 (KB2809289)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2491683)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2503665)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276-v2)
Security Update for Windows XP (KB2536276)
Security Update for Windows XP (KB2544893-v2)
Security Update for Windows XP (KB2544893)
Security Update for Windows XP (KB2555917)
Security Update for Windows XP (KB2562937)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2567680)
Security Update for Windows XP (KB2570222)
Security Update for Windows XP (KB2570947)
Security Update for Windows XP (KB2584146)
Security Update for Windows XP (KB2585542)
Security Update for Windows XP (KB2592799)
Security Update for Windows XP (KB2598479)
Security Update for Windows XP (KB2603381)
Security Update for Windows XP (KB2618451)
Security Update for Windows XP (KB2620712)
Security Update for Windows XP (KB2624667)
Security Update for Windows XP (KB2631813)
Security Update for Windows XP (KB2646524)
Security Update for Windows XP (KB2653956)
Security Update for Windows XP (KB2655992)
Security Update for Windows XP (KB2659262)
Security Update for Windows XP (KB2661637)
Security Update for Windows XP (KB2676562)
Security Update for Windows XP (KB2686509)
Security Update for Windows XP (KB2691442)
Security Update for Windows XP (KB2698365)
Security Update for Windows XP (KB2705219-v2)
Security Update for Windows XP (KB2712808)
Security Update for Windows XP (KB2719985)
Security Update for Windows XP (KB2723135-v2)
Security Update for Windows XP (KB2724197)
Security Update for Windows XP (KB2727528)
Security Update for Windows XP (KB2753842-v2)
Security Update for Windows XP (KB2757638)
Security Update for Windows XP (KB2758857)
Security Update for Windows XP (KB2770660)
Security Update for Windows XP (KB2778344)
Security Update for Windows XP (KB2779030)
Security Update for Windows XP (KB2780091)
Security Update for Windows XP (KB2799494)
Security Update for Windows XP (KB2802968)
Security Update for Windows XP (KB2807986)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371-v2)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165-v2)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
SmarThru 4
SmarThru PC Fax
SMSC IrCC V5.1.3600.5 SP2
Sonic DLA
Sonic Encoders
Sonic RecordNow!
Tenant Pro 7
Texas Instruments PCIxx21/x515/xx12 drivers.
TIPCI
Toolbox
TOSHIBA Accessibility
TOSHIBA Assist
TOSHIBA ConfigFree
TOSHIBA Controls
TOSHIBA Fn-esse
TOSHIBA Hardware Setup
TOSHIBA Hotkey Utility
TOSHIBA PC Diagnostic Tool
TOSHIBA Power Saver
TOSHIBA SD Memory Card Format
TOSHIBA Software Modem
TOSHIBA Software Upgrades
TOSHIBA Speech System Applications
TOSHIBA Speech System SR Engine(U.S.) Version1.0
TOSHIBA Speech System TTS Engine(U.S.) Version1.0
TOSHIBA Supervisor Password
TOSHIBA Virtual Sound
TOSHIBA Zooming Utility
Touch and Launch
TouchPad On/Off Utility
UnloadSupport
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft Office 2007 suites (KB2596620) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2596660) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2596848) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2767916) 32-Bit Edition
Update for Windows Internet Explorer 8 (KB2598845)
Update for Windows Internet Explorer 8 (KB2632503)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows Media Player 10 (KB913800)
Update for Windows Media Player 10 (KB926251)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB2492386)
Update for Windows XP (KB2541763)
Update for Windows XP (KB2607712)
Update for Windows XP (KB2661254-v2)
Update for Windows XP (KB2736233)
Update for Windows XP (KB2749655)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update Rollup 2 for Windows XP Media Center Edition 2005
Utility Common Driver
VLC media player 1.1.4
WebFldrs XP
Windows Desktop Search 3.01
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Media Center Edition 2005 KB2502898
Windows XP Media Center Edition 2005 KB2619340
Windows XP Media Center Edition 2005 KB2628259
Windows XP Media Center Edition 2005 KB888316
Windows XP Media Center Edition 2005 KB925766
Windows XP Media Center Edition 2005 KB973768
Windows XP Service Pack 3
 



#14 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,773 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:12:38 PM

Posted 09 April 2013 - 03:11 AM


Hello

These logs are looking allot better. But we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps..

Clean Out Temp Files
  • This small application you may want to keep and use once a week to keep the computer clean.

    Download CCleaner from here http://www.ccleaner.com/
    • Run the installer to install the application.
    • When it gives you the option to install Yahoo toolbar uncheck the box next to it.
    • Run CCleaner. default settings are fine
    • Click Run Cleaner.
    • Close CCleaner.
: Malwarebytes' Anti-Malware :

I see that you have MBAM installed - That is great!! and at this time I would like you to update it and run me a quick scan
  • Double-click mbam icon
  • go to the update tab at the top
  • click on check for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
  • Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
    Click OK to either and let MBAM proceed with the disinfection process.
    If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.



    Download HijackThis
    • Go Here to download HijackThis program
    • Save HijackThis to your desktop.
    • Right Click on Hijackthis and select "Run as Admin" (XP users just need to double click to run)
    • Click on "Do A system scan and save a logfile" (if you do not see "Do A system scan and save a logfile" then click on main menu)
    • copy and paste hijackthis report into the topic
    "information and logs"
    • In your next post I need the following
      • Log From MBAM
        • report from Hijackthis
          • let me know of any problems you may have had
            • How is the computer doing now?
          Gringo




I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#15 jibberjive

jibberjive
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:10:38 AM

Posted 09 April 2013 - 03:42 AM

MBAM and hijack this logs;

 

Malwarebytes Anti-Malware (PRO) 1.70.0.1100
www.malwarebytes.org

Database version: v2013.04.08.03

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Kit Romney :: ROMCOM [administrator]

Protection: Disabled

4/8/2013 10:06:50 AM
mbam-log-2013-04-08 (10-06-50).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 226675
Time elapsed: 5 minute(s), 16 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

 

 

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 9:22:21 AM, on 4/8/2013
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\notepad.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\Kit Romney\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [Whitney2_S2P] C:\Program Files\Samsung\Samsung SCX-4725 Series\SPanel\RCP\Scan2pc.exe
O4 - HKLM\..\Run: [Samsung PanelMgr] C:\WINDOWS\Samsung\PanelMgr\ssmmgr.exe /autorun
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [Dell AIO Printer A940] "C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe"
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: MRI_DISABLED
O4 - Global Startup: MRI_DISABLED
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.toshibadirect.com/dpdstart
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1365187810156
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LMIGuardianSvc - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
O23 - Service: MBAMScheduler - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation  - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Swupdtmr - Unknown owner - c:\Toshiba\IVP\swupdate\swupdtmr.exe

--
End of file - 6073 bytes






0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users