Malware Causing 100% CPU from Various Svchost.exe Services


  • This topic is locked
18 replies to this topic

#1 A_Late_Fall

  • Members
  • 20 posts

Posted 28 May 2013 - 03:00 PM

Hi folks, I've enjoyed reading through some of your blogs and threads over the years, as they have helped me sort through a few issues, and are a great resource!

Unfortunately I have a pesky problem that seems somewhat unique (but maybe only to me) and slightly beyond my abilities this time.  I wonder if someone could help me track it down?

The other day my elderly father said he was having trouble with the Google Chrome Browser download. It was hung and eventually he shut down before it finished (I found it only partially installed). I uninstalled it and tried again but he was having very sluggish behaviour when connected wirelessly to the internet--otherwise the Dell Dimension 2400 running XP Pro 2002, SP 3 was working fine. The download worked the second time, but a Java update failed as did a Firefox one and upgrading Chrome to current. On the other hand Windows Updates did work. I noticed in Task Manager that a service host was pegging the 2.4 GHz CPU at 100% and using half of the 2 Gigs of RAM whenever we had the Wireless adapter turned on. The computer was painfully slow when connected to the network, and even with no browser open.

I downloaded Ccleaner which I normally use, and found a huge number of temp files (my dad never deleted them), Registry cleaning (Ccleaner) found some things, but nothing very unusual, and Norton Security Suite (v. 5.2.2.3) showed nothing in a full scan, though it took forever and showed a lot of mysterious files and folders.  I scandisked the hard drive for errors and found none.  The 75 Gb hard drive was also showing nearly full when I tried to defrag. Using a program called WinDirStat I found  huge chunks taken up by Norton backups, leftover Windows installers (.msp files), and various files left from when the computer belonged to my nieces.  I downloaded MalwareBytes, but a scan only found three suspicious files, which I quarantined.  I also tried ATF Cleaner, and Housecall from Trend Micro, but the problems persisted, and nothing was found in scans.  A Hijack This scan was not conclusive either. 

In freeing up space and trying to delete the bug I deleted Norton's stored files and turned off Backup, left the .msp files alone and took administrative control of my nieces files (they had offloaded everything they wanted previously) and deleted them along with lots of cookies and Temp files that Ccleaner had missed, I guess because it only scans for the current user account. Their account logons had been deleted but somehow the files were still there. Defragmenting then sped up the computer when it was offline, but a svchost still pegged the CPU when connected with or without a browser open.

Norton still showed nothing on scans, but there were occasional intrusion attempts identified as Blackhole Toolkit Website 33, TrueType Font CVE: 2011-34, Exploit Toolkit Website 44, Malicious Toolkit Website 5, and Malicious Java Download [Website?] 13, etc., when connected.

I downloaded Sysinternals' Process Explorer and determined that the svchost.exe causing the CPU overload contained THIRTY services! Following some people's recommendations I tried turning each service off one by one using services.msc to see if it affected CPU. Nothing really seemed to happen except the ones controlling internet access stopped the CPU overrun along with the internet. A few couldn't be turned off at all.

Rooting around online on a separate computer on the network (which is fine), I found how to separate out the services into their own service hosts at startup using the SC configuration tool in a Command prompt. This worked! The offending service was Themes! I turned off Themes service and the CPU usage dropped to normal after a minute or two. "Great!" I thought, "I will overwrite Themes with a new, uninfected version and see if that fixes it."

Unfortunately, by the time I came back to the computer, Task Scheduler was pegging the CPU.  When I turned that off, Wireless Zero Configuration started using all the power.  Turning this off turned off the internet, but on reboot, Shell Hardware Detection was the offending service. Since then the activity has moved back to Themes.

Also, I found that files were being downloaded (again, without any browsers open) to random folders located in C:\Documents and Settings\NETWORKSERVICE\Temporary Internet Files\Content.IE5

By using Folder Options I exposed hidden files and folders and WINDOWS operating files and extensions.  I could delete Content.IE5 files, which appear to be random website browsing cache files, but they just pop up again, and last time I tried there were embedded files that caused an error saying "Files are in use by another program, please close the program and try again" even if the wireless adapter was unplugged.

Anyone want to help me tackle this? I am not confident or knowledgeable enough to try to find every registry entry and repair it by myself.

I feel frustrated and violated, but mostly upset that someone would take advantage of my old man.

Sorry for the epic post--been working on this one for awhile.

Thanks, sincerely, A_Late_Fall

PS  While I was running DDS scanner, a message from Firefox  appeared, telling me to apply critical updates, but since the last update failed, I ignored it and switched to Internet Explorer.

Also, I have a saved file from Process Explorer for the Themes service when it was using 100% CPU while connected to the internet.  I could attach that as well.  Pls let me know.

 

Here is the DDS log:

 

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702
Run by Main Account at 15:25:10 on 2013-05-28
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.2047.937 [GMT -4:00]
.
AV: Norton Security Suite *Enabled/Outdated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Security Suite *Enabled*
.
============== Running Processes ================
.
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Norton Security Suite\Engine\5.2.2.3\ccSvcHst.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Norton Security Suite\Engine\5.2.2.3\ccSvcHst.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\SMSC\SetIcon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\lg_fwupdate\fwupdate.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k netsvcs
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.comcast.net/
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Symantec NCO BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - c:\program files\norton security suite\engine\5.2.2.3\coieplg.dll
BHO: Symantec Intrusion Prevention: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - c:\program files\norton security suite\engine\5.2.2.3\ips\ipsbho.dll
TB: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - c:\program files\norton security suite\engine\5.2.2.3\coieplg.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [AdaptecDirectCD] "c:\program files\roxio\easy cd creator 5\directcd\DirectCD.exe"
mRun: [BCMSMMSG] BCMSMMSG.exe
mRun: [iTunesHelper] c:\program files\itunes\iTunesHelper.exe
mRun: [Microsoft Works Update Detection] c:\program files\common files\microsoft shared\works shared\WkUFind.exe
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe
mRun: [SetIcon] \Program Files\SMSC\SetIcon.exe
mRun: [UserFaultCheck] c:\windows\system32\dumprep 0 -u
mRun: [REGSHAVE] c:\program files\regshave\REGSHAVE.EXE /AUTORUN
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [UpdateLBPShortCut] "c:\program files\cyberlink\labelprint\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\labelprint" updatewithcreateonce "software\cyberlink\labelprint\2.5"
mRun: [CLMLServer] "c:\program files\cyberlink\power2go\CLMLSvc.exe"
mRun: [UpdateP2GoShortCut] "c:\program files\cyberlink\power2go\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\power2go" updatewithcreateonce "software\cyberlink\power2go\6.0"
mRun: [UCam_Menu] "c:\program files\cyberlink\youcam\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\youcam" updatewithcreateonce "software\cyberlink\youcam\2.0"
mRun: [LGODDFU] "c:\program files\lg_fwupdate\fwupdate.exe" blrun
mRun: [UpdatePSTShortCut] "c:\program files\cyberlink\media suite\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\media suite" updatewithcreateonce "software\cyberlink\PowerStarter"
dRun: [ALUAlert] c:\program files\symantec\liveupdate\ALUNotify.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0008-ABCDEFFEDCBC} - <orphaned>
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
.
INFO: HKCU has more than 50 listed domains.
If you wish to scan all of them, select the 'Force scan all domains' option.
.
.
INFO: HKLM has more than 50 listed domains.
   If you wish to scan all of them, select the 'Force scan all domains' option.
.
DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} - hxxp://www.comcastsupport.com/OneClickFix/tgctlsr.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1368416839718
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1341238729031
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_21-windows-i586.cab
DPF: {CAFEEFAC-0017-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_21-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: NameServer = 75.75.75.75 75.75.76.76 192.168.1.1
TCP: Interfaces\{35E6AF9C-AEF1-4CD1-92BB-14545832701A} : DHCPNameServer = 75.75.75.75 75.75.76.76 192.168.1.1
TCP: Interfaces\{E80D32D2-F746-4D3B-9299-9693035865FE} : DHCPNameServer = 75.75.75.75 75.75.76.76 192.168.1.1
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager - {56F9679E-7826-4C84-81F3-532071A8BCC5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\main account\application data\mozilla\firefox\profiles\e31xsve9.default\
FF - prefs.js: network.proxy.type - 0
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.0.0.125\ipsffplgn\components\IPSFFPl.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_3_300_262.dll
FF - plugin: c:\windows\system32\npdeployJava1.dll
FF - plugin: c:\windows\system32\npptools.dll
FF - plugin: c:\windows\system32\npwmsdrm.dll
FF - ExtSQL: 2013-05-13 01:51; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
.
============= SERVICES / DRIVERS ===============
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\n360\0502020.003\symds.sys [2012-7-16 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0502020.003\symefa.sys [2012-7-16 744568]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.0.0.125\definitions\bashdefs\20130515.001\BHDrvx86.sys [2013-5-22 1000024]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\n360\0502020.003\ironx86.sys [2012-7-16 136312]
R2 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\adobe\photoshop elements 3.0\PhotoshopElementsFileAgent.exe [2004-10-4 98304]
R2 N360;Norton Security Suite;c:\program files\norton security suite\engine\5.2.2.3\ccsvchst.exe [2012-7-16 130008]
R2 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;c:\program files\adobe\photoshop elements 3.0\PhotoshopElementsDeviceConnect.exe [2004-10-4 118784]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2013-5-10 106656]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.0.0.125\definitions\ipsdefs\20130522.001\IDSXpx86.sys [2013-5-22 373728]
R3 Linksys_adapter_H;Linksys Adapter Network Driver;c:\windows\system32\drivers\AE2500xp.sys [2012-3-22 1034240]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.0.0.125\definitions\virusdefs\20130522.016\NAVENG.SYS [2013-5-22 93272]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\n360_5.0.0.125\definitions\virusdefs\20130522.016\NAVEX15.SYS [2013-5-22 1611992]
S3 arusb(Atheros);D-Link Wireless Network Adapter Service;c:\windows\system32\drivers\dwarusb.sys [2010-9-11 457728]
S3 ssmirrdr;ssmirrdr;c:\windows\system32\drivers\ssmirrdr.sys [2011-6-11 10112]
.
=============== Created Last 30 ================
.
2013-05-23 08:47:25 -------- d-----w- c:\documents and settings\main account\local settings\application data\Power2Go
2013-05-22 23:52:02 59904 ----a-w- c:\windows\system32\wbemdisp.tlb
2013-05-22 23:52:02 16384 ----a-w- c:\windows\system32\lgfwunis.exe
2013-05-22 23:52:02 115016 ----a-w- c:\windows\system32\MSINET.OCX
2013-05-22 23:52:02 102912 ----a-w- c:\windows\system32\Vb6stkit.dll
2013-05-22 23:52:02 102160 ----a-w- c:\windows\system32\VB6KO.DLL
2013-05-22 23:52:01 -------- d-----w- c:\program files\lg_fwupdate
2013-05-20 09:39:37 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-05-20 09:39:37 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2013-05-17 06:37:39 -------- d-----w- c:\program files\ACW
2013-05-17 04:40:49 74136 ----a-w- c:\program files\mozilla firefox\breakpadinjector.dll
2013-05-17 04:40:42 96664 ----a-w- c:\program files\mozilla firefox\webapprt-stub.exe
2013-05-17 04:40:42 26520 ----a-w- c:\program files\mozilla firefox\plugin-hang-ui.exe
2013-05-17 04:40:42 170232 ----a-w- c:\program files\mozilla firefox\webapp-uninstaller.exe
2013-05-15 08:19:41 257928 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2013-05-14 05:02:21 -------- d-----w- c:\documents and settings\main account\application data\Windows Search
2013-05-13 09:53:23 -------- d-----w- c:\documents and settings\main account\application data\ElevatedDiagnostics
2013-05-13 09:50:07 -------- d-----w- c:\program files\Microsoft ATS
2013-05-13 05:35:27 -------- d-----w- c:\windows\system32\XPSViewer
2013-05-13 05:30:15 89088 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
2013-05-13 05:25:48 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2013-05-13 05:25:48 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2013-05-13 05:25:48 597504 ------w- c:\windows\system32\spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2013-05-13 05:25:48 117760 ------w- c:\windows\system32\prntvpt.dll
2013-05-13 05:25:47 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2013-05-13 05:25:47 575488 ------w- c:\windows\system32\xpsshhdr.dll
2013-05-13 05:25:47 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2013-05-13 05:25:47 1676288 ------w- c:\windows\system32\xpssvcs.dll
2013-05-13 05:25:45 -------- d-----w- C:\5fcc5aeb41332ec0193c7601819fc7c6
2013-05-13 04:43:22 -------- d-----w- c:\documents and settings\main account\application data\Windows Desktop Search
2013-05-13 04:38:14 -------- d-----w- c:\program files\Windows Desktop Search
2013-05-13 04:09:27 29696 -c----w- c:\windows\system32\dllcache\mimefilt.dll
2013-05-13 04:09:26 98304 -c----w- c:\windows\system32\dllcache\nlhtml.dll
2013-05-13 04:09:24 192000 -c----w- c:\windows\system32\dllcache\offfilt.dll
2013-05-11 15:46:44 -------- d-----w- c:\documents and settings\main account\application data\Malwarebytes
2013-05-11 15:45:11 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2013-05-10 21:54:47 -------- d-----w- c:\program files\WinDirStat
2013-04-29 17:31:52 4126720 ----a-w- c:\program files\GUT6.tmp
2013-04-29 17:31:52 -------- d-----w- c:\program files\GUM5.tmp
.
==================== Find3M  ====================
.
2013-04-27 02:53:25 4126720 ----a-w- c:\program files\GUT5D.tmp
2013-04-27 02:52:59 4126720 ----a-w- c:\program files\GUT63.tmp
2013-04-16 22:17:15 920064 ----a-w- c:\windows\system32\wininet.dll
2013-04-16 22:17:14 43520 ----a-w- c:\windows\system32\licmgr10.dll
2013-04-16 22:17:14 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2013-04-12 23:28:55 385024 ----a-w- c:\windows\system32\html.iec
2013-04-10 01:31:19 1876352 ----a-w- c:\windows\system32\win32k.sys
2013-04-04 09:36:01 866720 ----a-w- c:\windows\system32\npdeployJava1.dll
2013-04-04 09:35:52 788896 ----a-w- c:\windows\system32\deployJava1.dll
2013-03-08 08:36:22 293376 ----a-w- c:\windows\system32\winsrv.dll
2013-03-07 01:28:24 2193408 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-03-07 00:50:28 2070016 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-06-08 20:00:18 55088 -c--a-w- c:\program files\MFInstall.exe
.
============= FINISH: 15:42:00.79 ===============
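As an added illustration of the diagnostic the poster describes (splitting services out of the shared svchost so the busy one can be identified, then reading the result off a process listing), here is a small Python parser for the "Running Processes" section of a DDS log like the one above. It is example code written for this page, not part of DDS, the thread, or any tool mentioned in it. It counts svchost.exe instances per `-k` group, reports groups that appear more than once (on XP each group normally runs in a single shared host, so repeats mean services have been given their own host), and flags any svchost.exe whose image is not in System32. The sample input is constructed: most lines are copied from the DDS log above, and the last svchost line (`C:\WINDOWS\svchost.exe`) is a made-up entry added only so the out-of-place check has something to flag.

```python
"""Summarise svchost.exe hosts from the 'Running Processes' section of a DDS log.

Example code added for this page; not part of DDS or any tool in the thread.
"""
import re
from collections import Counter

# Constructed sample input. All lines except the last svchost entry are copied
# from the DDS log posted in the thread; "C:\WINDOWS\svchost.exe" is a made-up
# line included only to exercise the out-of-System32 check.
SAMPLE_DDS = r"""
============== Running Processes ================
.
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton Security Suite\Engine\5.2.2.3\ccSvcHst.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\svchost.exe -k netsvcs
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.comcast.net/
"""

# DDS section headers look like "============== Running Processes ================".
SECTION_RE = re.compile(r"^=+\s*(.*?)\s*=+$")
# Image path ending in svchost.exe, followed by its arguments (e.g. "-k netsvcs").
SVCHOST_RE = re.compile(r"^(?P<dir>.*)\\svchost\.exe\s*(?P<args>.*)$", re.IGNORECASE)
# Where the genuine Windows XP service host lives (compared case-insensitively).
EXPECTED_DIR = r"c:\windows\system32"


def running_processes(dds_text):
    """Return the command lines listed under the 'Running Processes' header."""
    entries, inside = [], False
    for raw in dds_text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            inside = header.group(1).lower() == "running processes"
            continue
        if inside and line and line != ".":  # DDS pads sections with "." lines
            entries.append(line)
    return entries


def analyse_svchost(dds_text):
    """Count svchost instances per -k group and flag any not running from System32."""
    groups, flagged = Counter(), []
    for cmd in running_processes(dds_text):
        m = SVCHOST_RE.match(cmd)
        if not m:
            continue
        k = re.search(r"-k\s+(\S+)", m.group("args"), re.IGNORECASE)
        groups[k.group(1).lower() if k else "<no -k group>"] += 1
        if m.group("dir").lower() != EXPECTED_DIR:
            flagged.append(cmd)
    return {"groups": dict(groups), "flagged": flagged}


def split_out_groups(groups):
    """Groups seen more than once: on XP each -k group normally runs in one
    shared host, so repeats mean services were moved into their own host
    (the 'sc config <service> type= own' step the poster describes)."""
    return sorted(g for g, n in groups.items() if n > 1)


if __name__ == "__main__":
    report = analyse_svchost(SAMPLE_DDS)
    for group, count in sorted(report["groups"].items()):
        print(f"{group:<18} {count} host(s)")
    print("split out of shared host:", split_out_groups(report["groups"]))
    print("svchost.exe outside System32:", report["flagged"])
```

The per-service split the poster refers to is done with `sc config <ServiceName> type= own` (sc.exe requires the space after `type=`) and reversed with `type= share`. Once the busy service has been identified, returning the others to shared hosts keeps the process list readable, because a long run of `-k netsvcs` lines like the one in the log above is otherwise an unusual sight on XP and would itself deserve a second look.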
 

 


#2 nasdaq

  • Malware Response Team
  • 39,955 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 31 May 2013 - 12:57 PM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===
Search and delete the AdWare, PUP (Potentially Unwanted Program) installed on your computer.

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Delete tab follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Rn].txt (n is a number).
Please download ComboFix from one of these locations:
Link 1
Link 2
IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your Anti-Virus and Anti-Spyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Some Rootkit infections may damage your boot sector. The Windows Recovery Console may be needed to restore it. Do not bypass this installation. You may regret it.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
[image: RcAuto1.gif]
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
[image: whatnext.png]
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Note: If you have difficulty properly disabling your protection programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html

Do not mouse click ComboFix's window while it's running. That may cause it to stall.

Note: If after running ComboFix you get this error message "Illegal operation attempted on a registry key that has been marked for deletion." when attempting to run a program all you need to do is restart the computer to reset the registry.
===

Third party programs, if not up to date, can be the cause of infiltration and infection.

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

Please paste the logs in your next reply, DO NOT ATTACH THEM
Let me know what problem persists.

#3 A_Late_Fall

  • Topic Starter
  • Members
  • 20 posts

Posted 31 May 2013 - 06:45 PM

Hello,  I had a problem with my reply, please excuse me if this is a double post.

 

Hi! 

Thank you for helping me with this challenging problem.

I have run the scans you asked me to with no issues. Included here are the log files. The further issues I am having are that there is continued activity in the Themes service, with CPU usage indicated for that service (in Process Explorer) jumping from 0% to 95, 96, 97% rather than remaining pegged at 100%. In addition, there are still folders in C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5 that I can't delete because individual files within them are indicated as "in use (an error message pops up) by another program" even when no browsers are open. Some of them appear to be .eot files. I expect I can figure out how to delete them, but as I was trying to do that more randomly named (eight letters or digits) folders were being created within Content.IE5. These were hidden folders which I deleted. More popped up and I deleted those, more popped up and I deleted them. Currently (7:15pm) they have stopped being created and activity is low, though still spiking to near 100% occasionally.

Again, I appreciate the help.

A_Late_Fall

 

 

This is the AdWare log:

# AdwCleaner v2.301 - Logfile created 05/31/2013 at 17:17:50
# Updated 16/05/2013 by Xplode
# Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
# User : Main Account - OWNER-510F5D3C7
# Boot Mode : Normal
# Running from : C:\Documents and Settings\Main Account\Desktop\adwcleaner.exe
# Option [Delete]

***** [Services] *****

***** [Files / Folders] *****

Folder Deleted : C:\Documents and Settings\All Users\Application Data\Viewpoint
Folder Deleted : C:\Program Files\Trymedia

***** [Registry] *****

Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D4027C7F-154A-4066-A1AD-4243D8127440}
Key Deleted : HKCU\Software\Viewpoint
Key Deleted : HKCU\Software\YahooPartnerToolbar
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{9DBB28C1-1925-11D3-A498-00104B6EB52E}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{03F998B2-0E00-11D3-A498-00104B6EB52E}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{1B00725B-C455-4DE6-BFB6-AD540AD427CD}
Key Deleted : HKLM\Software\Viewpoint
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{D4027C7F-154A-4066-A1AD-4243D8127440}]

***** [Internet Browsers] *****

-\\ Internet Explorer v8.0.6001.18702

[OK] Registry is clean.

-\\ Mozilla Firefox v20.0.1 (en-US)

File : C:\Documents and Settings\Main Account\Application Data\Mozilla\Firefox\Profiles\e31xsve9.default\prefs.js

[OK] File is clean.

-\\ Google Chrome v [Unable to get version]

File : C:\Documents and Settings\Main Account\Local Settings\Application Data\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[S1].txt - [354 octets] - [31/05/2013 17:16:22]
AdwCleaner[S2].txt - [1784 octets] - [31/05/2013 17:17:50]

########## EOF - C:\AdwCleaner[S2].txt - [1844 octets] ##########

 

This is the ComboFix log:

ComboFix 13-05-31.02 - Main Account 05/31/2013  18:17:07.1.1 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.2047.1077 [GMT -4:00]
Running from: c:\documents and settings\Main Account\Desktop\ComboFix.exe
AV: Norton Security Suite *Disabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Security Suite *Enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\DirectCDUserNameE.txt
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\All Users\Application Data\TEMP\{01FB4998-33C4-4431-85ED-079E3EEFE75D}\PostBuild.exe
c:\documents and settings\All Users\Application Data\TEMP\{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}\PostBuild.exe
c:\documents and settings\All Users\Application Data\TEMP\{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}\Setup.exe
c:\documents and settings\All Users\Application Data\TEMP\{40BF1E83-20EB-11D8-97C5-0009C5020658}\PostBuild.exe
c:\documents and settings\All Users\Application Data\TEMP\{40BF1E83-20EB-11D8-97C5-0009C5020658}\Setup.exe
c:\documents and settings\All Users\Application Data\TEMP\{5DB1DF0C-AABC-4362-8A6D-CEFDFB036E41}\PostBuild.exe
c:\documents and settings\All Users\Application Data\TEMP\{C59C179C-668D-49A9-B6EA-0121CCFC1243}\PostBuild.exe
c:\documents and settings\All Users\Application Data\TEMP\{C59C179C-668D-49A9-B6EA-0121CCFC1243}\Setup.exe
c:\windows\system32\Packet.dll
c:\windows\system32\pthreadVC.dll
c:\windows\system32\setb0.tmp
c:\windows\system32\URTTemp
c:\windows\system32\URTTemp\fusion.dll
c:\windows\system32\URTTemp\mscoree.dll
c:\windows\system32\URTTemp\mscoree.dll.local
c:\windows\system32\URTTemp\mscorsn.dll
c:\windows\system32\URTTemp\mscorwks.dll
c:\windows\system32\URTTemp\msvcr71.dll
c:\windows\system32\URTTemp\regtlib.exe
c:\windows\system32\WanPacket.dll
c:\windows\system32\wpcap.dll
.
.
(((((((((((((((((((((((((   Files Created from 2013-04-28 to 2013-05-31  )))))))))))))))))))))))))))))))
.
.
2013-05-23 08:47 . 2013-05-23 08:47 -------- d-----w- c:\documents and settings\Main Account\Local Settings\Application Data\Power2Go
2013-05-22 23:52 . 2006-02-17 18:19 16384 ----a-w- c:\windows\system32\lgfwunis.exe
2013-05-22 23:52 . 2001-08-30 01:00 59904 ----a-w- c:\windows\system32\wbemdisp.tlb
2013-05-22 23:52 . 1998-07-22 04:00 102912 ----a-w- c:\windows\system32\Vb6stkit.dll
2013-05-22 23:52 . 1998-07-22 04:00 102160 ----a-w- c:\windows\system32\VB6KO.DLL
2013-05-22 23:52 . 1998-06-24 04:00 115016 ----a-w- c:\windows\system32\MSINET.OCX
2013-05-22 23:52 . 2013-05-31 21:22 -------- d-----w- c:\program files\lg_fwupdate
2013-05-22 23:50 . 2013-05-23 00:34 -------- d-----w- c:\documents and settings\Main Account\Application Data\CyberLink
2013-05-22 23:45 . 2013-05-22 23:54 -------- d-----w- c:\documents and settings\All Users\Application Data\CyberLink
2013-05-20 09:39 . 2013-05-20 09:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2013-05-20 09:39 . 2013-04-04 18:50 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-05-17 15:10 . 2013-05-17 15:10 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Apple
2013-05-17 06:37 . 2013-05-17 06:37 -------- d-----w- c:\program files\ACW
2013-05-17 04:40 . 2013-05-17 04:40 74136 ----a-w- c:\program files\Mozilla Firefox\breakpadinjector.dll
2013-05-17 04:40 . 2013-05-17 04:40 96664 ----a-w- c:\program files\Mozilla Firefox\webapprt-stub.exe
2013-05-17 04:40 . 2013-05-17 04:40 26520 ----a-w- c:\program files\Mozilla Firefox\plugin-hang-ui.exe
2013-05-17 04:40 . 2013-05-17 04:40 170232 ----a-w- c:\program files\Mozilla Firefox\webapp-uninstaller.exe
2013-05-15 08:19 . 2012-07-27 02:02 257928 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2013-05-15 07:56 . 2013-05-15 07:56 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2013-05-15 07:56 . 2013-05-15 07:56 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Temp
2013-05-14 06:30 . 2013-05-14 06:30 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2013-05-14 05:25 . 2013-05-14 05:25 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2013-05-14 05:02 . 2013-05-14 05:02 -------- d-----w- c:\documents and settings\Main Account\Application Data\Windows Search
2013-05-13 09:53 . 2013-05-13 09:53 -------- d-----w- c:\documents and settings\Main Account\Application Data\ElevatedDiagnostics
2013-05-13 09:50 . 2013-05-13 09:50 -------- d-----w- c:\program files\Microsoft ATS
2013-05-13 08:43 . 2013-05-13 08:43 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2013-05-13 05:35 . 2013-05-15 01:07 -------- d-----w- c:\windows\system32\XPSViewer
2013-05-13 05:34 . 2013-05-13 05:34 -------- d-----w- c:\program files\MSBuild
2013-05-13 05:33 . 2013-05-13 05:33 -------- d-----w- c:\program files\Reference Assemblies
2013-05-13 05:30 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
2013-05-13 05:25 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2013-05-13 05:25 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2013-05-13 05:25 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2013-05-13 05:25 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2013-05-13 05:25 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2013-05-13 05:25 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2013-05-13 05:25 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2013-05-13 05:25 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2013-05-13 05:25 . 2013-05-13 05:30 -------- d-----w- C:\5fcc5aeb41332ec0193c7601819fc7c6
2013-05-13 04:38 . 2013-05-30 08:56 -------- d-----w- c:\program files\Windows Desktop Search
2013-05-13 04:09 . 2008-03-07 17:02 29696 -c----w- c:\windows\system32\dllcache\mimefilt.dll
2013-05-13 04:09 . 2008-03-07 17:02 98304 -c----w- c:\windows\system32\dllcache\nlhtml.dll
2013-05-13 04:09 . 2008-03-07 17:02 192000 -c----w- c:\windows\system32\dllcache\offfilt.dll
2013-05-11 15:46 . 2013-05-11 15:46 -------- d-----w- c:\documents and settings\Main Account\Application Data\Malwarebytes
2013-05-11 15:45 . 2013-05-11 15:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2013-05-10 21:54 . 2013-05-10 21:54 -------- d-----w- c:\program files\WinDirStat
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-04-29 20:07 . 2013-04-29 17:31 4126720 ----a-w- c:\program files\GUT6.tmp
2013-04-27 02:53 . 2013-04-26 22:18 4126720 ----a-w- c:\program files\GUT5D.tmp
2013-04-27 02:52 . 2013-04-27 00:43 4126720 ----a-w- c:\program files\GUT63.tmp
2013-04-16 22:17 . 2004-08-12 13:33 920064 ----a-w- c:\windows\system32\wininet.dll
2013-04-16 22:17 . 2004-08-12 13:21 43520 ----a-w- c:\windows\system32\licmgr10.dll
2013-04-16 22:17 . 2004-08-12 13:20 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2013-04-12 23:28 . 2004-08-12 13:19 385024 ----a-w- c:\windows\system32\html.iec
2013-04-10 01:31 . 2004-08-12 13:33 1876352 ----a-w- c:\windows\system32\win32k.sys
2013-04-04 09:36 . 2012-07-01 03:59 866720 ----a-w- c:\windows\system32\npdeployJava1.dll
2013-04-04 09:35 . 2010-06-28 04:33 788896 ----a-w- c:\windows\system32\deployJava1.dll
2013-03-08 08:36 . 2004-08-12 13:33 293376 ----a-w- c:\windows\system32\winsrv.dll
2013-03-07 01:28 . 2004-08-12 13:25 2193408 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-03-07 00:50 . 2004-08-03 22:59 2070016 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-06-08 20:00 . 2010-06-08 20:00 55088 -c--a-w- c:\program files\MFInstall.exe
2013-05-17 04:40 . 2012-07-01 02:16 263064 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-11 53248]
"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-12-17 684032]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 122880]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2004-10-13 278528]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2002-07-17 28672]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2005-07-23 172032]
"SetIcon"="\Program Files\SMSC\SetIcon.exe" [2004-04-28 42496]
"REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-05 53248]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-10-24 421888]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-04-04 843712]
"UpdateLBPShortCut"="c:\program files\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" [2009-05-20 222504]
"CLMLServer"="c:\program files\CyberLink\Power2Go\CLMLSvc.exe" [2009-12-15 103720]
"UpdateP2GoShortCut"="c:\program files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2009-05-20 222504]
"UCam_Menu"="c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2009-05-20 222504]
"LGODDFU"="c:\program files\lg_fwupdate\fwupdate.exe" [2008-10-01 548864]
"UpdatePSTShortCut"="c:\program files\CyberLink\Media Suite\MUITransfer\MUIStartMenu.exe" [2011-12-15 222504]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-10-4 113664]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Last.fm\\LastFM.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360\0502020.003\symds.sys [7/16/2012 3:52 PM 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0502020.003\symefa.sys [7/16/2012 3:52 PM 744568]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\BASHDefs\20130515.001\BHDrvx86.sys [5/22/2013 12:46 AM 1000024]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360\0502020.003\ironx86.sys [7/16/2012 3:52 PM 136312]
R2 N360;Norton Security Suite;c:\program files\Norton Security Suite\Engine\5.2.2.3\ccsvchst.exe [7/16/2012 3:52 PM 130008]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [5/10/2013 8:25 AM 106656]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\IPSDefs\20130530.001\IDSXpx86.sys [5/31/2013 5:44 PM 373728]
R3 Linksys_adapter_H;Linksys Adapter Network Driver;c:\windows\system32\drivers\AE2500xp.sys [3/22/2012 7:22 PM 1034240]
S2 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe [10/4/2004 4:47 AM 98304]
S2 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe [10/4/2004 3:40 AM 118784]
S3 arusb(Atheros);D-Link Wireless Network Adapter Service;c:\windows\system32\drivers\dwarusb.sys [9/11/2010 10:39 AM 457728]
S3 ssmirrdr;ssmirrdr;c:\windows\system32\drivers\ssmirrdr.sys [6/11/2011 2:52 AM 10112]
.
Contents of the 'Scheduled Tasks' folder
.
2013-05-31 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.comcast.net/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
Trusted Zone: internet
Trusted Zone: mcafee.com
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76 192.168.1.1
FF - ProfilePath - c:\documents and settings\Main Account\Application Data\Mozilla\Firefox\Profiles\e31xsve9.default\
FF - prefs.js: network.proxy.type - 0
FF - ExtSQL: 2013-05-13 01:51; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
.
- - - - ORPHANS REMOVED - - - -
.
HKU-Default-Run-ALUAlert - c:\program files\Symantec\LiveUpdate\ALUNotify.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-05-31 18:36
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton Security Suite\Engine\5.2.2.3\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton Security Suite\Engine\5.2.2.3\diMaster.dll\" /prefetch:1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(716)
c:\windows\system32\WININET.dll
.
- - - - - - - > 'lsass.exe'(776)
c:\windows\system32\WININET.dll
.
Completion time: 2013-05-31  18:44:57
ComboFix-quarantined-files.txt  2013-05-31 22:44
.
Pre-Run: 51,239,964,672 bytes free
Post-Run: 52,196,564,992 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - E4841B31F99E935A7FAC85D86F849D29


This is the Security Check log:

 Results of screen317's Security Check version 0.99.64 
 Windows XP Service Pack 3 x86  
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Disabled! 
Norton Security Suite  
 Antivirus up to date! 
`````````Anti-malware/Other Utilities Check:`````````
 Windows Defender Signatures  
 Malwarebytes Anti-Malware version 1.75.0.1300 
 CCleaner    
 Adobe Flash Player  11.3.300.262 
 Adobe Reader 10.1.3 Adobe Reader out of Date! 
 Mozilla Firefox 20.0.1 Firefox out of Date! 
 Google Chrome 26.0.1410.64 
````````Process Check: objlist.exe by Laurent```````` 
 Norton ccSvcHst.exe
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C:: 1%
````````````````````End of Log``````````````````````



#4 nasdaq

  • Malware Response Team
  • 39,955 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 01 June 2013 - 08:03 AM

Please scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the esetonlinebtn.png button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer.
      Save it to your Desktop.
    • Double click on the esetsmartinstaller_enu.exe icon on your Desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.


#5 A_Late_Fall

  • Topic Starter
  • Members
  • 20 posts

Posted 01 June 2013 - 02:33 PM

Hi nasdaq,

I performed the ESET scan (about 4 hrs. with competition for CPU) which found a few suspicious items and quarantined them.  The ESET scan didn't give an option to download to the desktop, although there is a free trial available.  However, running the tool from the online setup worked as you described.

It doesn't look like anything was affected as far as the main problem, i.e. still high CPU usage from Themes and new hidden folders created in Content.IE5.

Here are the results of the scan:

C:\Attic\FELIX2.EXE Win32/Joke.ScreenMate application cleaned by deleting - quarantined
C:\Family History\Documents\BAKER\iLividSetupV1.exe Win32/Toolbar.SearchSuite application cleaned by deleting - quarantined
C:\System Volume Information\_restore{0DF83B8F-B4D9-4896-B959-3ED786FCF9F1}\RP17\A0006485.exe a variant of Win32/Toolbar.MyWebSearch.O application cleaned by deleting - quarantined



#6 nasdaq

  • Malware Response Team
  • 39,955 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 02 June 2013 - 07:33 AM

oblem, i.e. still high CPU usage from Themes and new hidden folders created in Content.IE5

If you disable Themes, does the problem persist?

Delete all the files in the Temporary Internet Files folders, NOT THE folders. Are new folders being spawned?
If the folders are deleted, the operating system will create new ones with random names.

I think CCleaner can help you remove the files.

#7 A_Late_Fall

  • Topic Starter
  • Members
  • 20 posts

Posted 02 June 2013 - 03:34 PM

Hi nasdaq,

Thanks for taking the time to help me.
I turned off the Themes service using services.msc in the command (Run) box after disabling the wireless adapter in Control Panel > Wireless Connections. All activity in the Themes svchost.exe stopped. Also, having done that, I was able to go back and delete files in Content.IE5 that had previously said they were in use. As you instructed, I left the newest hidden folders in place, but deleted the contents inside. CCleaner did not delete these files even after Themes had been stopped. It looks like it is cleaning files from other TEMP folders, but not these. I will try to write down which ones it is cleaning next time.

When I restarted the wireless adapter, and without opening any internet programs, activity immediately started up in Shell Hardware Detection service in a different svchost.exe (remember I have them all split into their own svchost.exes).  And more files were created in the hidden file folders that I had emptied.  These include desktop.ini files and other files of an unknown type that just say they are "files" under properties, for example one is called background_gradient[1] and one called navcancl[1].  Another hidden folder contains bullet[1], errorPageStrings[1], info_48[2].

The Process Explorer info saves from these processes are interesting in that in the "mutant" portion they show contact between files that I recognise in the Temporary Internet Files folders and websites that I have never visited. I am attaching these .txt files retrieved from each of the services, Themes and Shell Hardware Detection. I don't know if you will be able to derive any information, but I don't understand the way in which these services are controlling internet access.

This time when I tried to disable the wireless adapter I got an error message saying:

Error Disabling Connection
It is not possible to disable the connection at this time. This connection may be using one or more protocols that do not support plug and play or it may have been initiated by another user on the system account.

Physically unplugging the adapter stopped all activity in Shell Hardware Detection.

I am sure I attached something before, but now I don't see how to.  Please let me know if you would like to see the Process Explorer logs for each service as it is running since I believe they contain pertinent information as to how this malware is operating.


Thanks again,

A_Late_Fall



#8 nasdaq

  • Malware Response Team
  • 39,955 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 03 June 2013 - 07:14 AM

What version of Internet Explorer is installed on this computer?

===


If the problem exists in Firefox and/or Chrome, I suggest you remove them one by one using the Add/Remove Programs applet, restart the computer after each un-installation and then re-install each application.

In IE it's not that simple; we should try to reset it to its original settings. I need to know what version is installed.

#9 A_Late_Fall

  • Topic Starter
  • Members
  • 20 posts

Posted 03 June 2013 - 03:58 PM

Hi nasdaq,
Because I was reading about all of the security holes in Java and Adobe Flash, I tried again to update them to the newest configuration.  This was successful, but did not affect the problem.  I now have Java SE version 7 Update 21 installed, as well as Adobe Flash 11.7.700.202, and also Adobe Reader XI version 11.0.03.  As I was installing the Adobe programs, Google Chrome and Google Toolbar for Internet Explorer were also automatically downloaded/updated.  Not too happy about them not offering a choice about that, but at least Chrome now showed up in Control Panel>Add and Remove Programs, because before yesterday it didn't.  I went ahead and uninstalled Google Toolbar (twice), AND uninstalled Chrome, AND uninstalled Firefox.

Unfortunately all of my symptoms remain, including that new hidden folders are created in Content.IE5 with random web content and various services use all of the CPU and a lot of memory when connected to the internet.  Disconnecting from the internet and stopping whatever service is using resources allows me to delete the folders (the original three that I left empty stayed empty and new hidden folders were created alongside them in Content.IE5) and the computer then operates normally, but without internet access of course.

In addition, my father requested I run the Norton Power Eraser tool, which I did.  I made sure it didn't delete ComboFix or Security Check, but other than that all it found was an unspecified startup item called "run".  Perhaps that was part of something else we have tried, I'm not sure, but deleting it causes no change in function so far.

Whatever this is seems to be a rootkit and series of commands that looks mostly like the normal operating system only it is being run remotely after some signal from this machine.  Very frustrating.

The version of Internet Explorer installed on this computer (it is a Dell Dimension 4600, not 2400 as I thought earlier) is

Internet Explorer 8  version 8.0.6001.18702

Let me know what steps I need to take to restore it to defaults and then how to proceed from there, as well as if we need to do any of the scans again.

One other thing is that my homepage is reset to Google today, but I don't know if that happened when I uninstalled Chrome, because they also wanted me to fill out a survey which popped up in IE8.  Google is far overstepping the bounds of friendly usage these days IMHO.

Thanks, sincerely
A_Late_Fall



#10 nasdaq

  • Malware Response Team
  • 39,955 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 04 June 2013 - 07:13 AM

Try the automatic setting on this page.

Reset Internet Explorer 8 settings
http://windows.microsoft.com/en-ca/windows-vista/reset-internet-explorer-8-settings

#11 A_Late_Fall

  • Topic Starter
  • Members
  • 20 posts

Posted 04 June 2013 - 01:28 PM

I reset Internet explorer.  No change was noticeable, that is, Themes was still accessing the internet.
I rebooted Windows and turned off Themes, then reset Internet Explorer again.  I got a message soon after from Windows Update saying there were two new Security patches for Internet Explorer, so I installed those (KB2829530 and KB2847204).  I went to Content.IE5 and deleted all the hidden files.  There were twelve files plus a .DAT file and a desktop.ini.
Everything seemed fine for awhile, but while I was trying to figure out why the ability to open other windows as tabs has disappeared in Internet Explorer, the malware switched activity to the DHCP Client service and resumed accessing the internet.  This is the pattern of behaviour it has always followed when one service is stopped.  As long as the adapter is active and internet is available it will create a link and use the computer's resources regardless of what else is going on.

A_Late_Fall



#12 nasdaq

  • Malware Response Team
  • 39,955 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 05 June 2013 - 07:25 AM


Let's check deeper.

Read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application.
    tdss1.png
  • Click Change parameters
    settings20121003115955.png
  • Check the boxes next to Verify Driver Digital Signature and Detect TDLFS file system, then click OK
    tdss3.png
  • Click on the Start Scan button to begin the scan and wait for it to finish.
    NOTE: Do not use the computer during the scan!
  • During the scan it will look similar to the image below:
    tdss4.jpg
  • When it finishes, you will either see a report that no threats were found like below:
    tdss5.jpg
    If no threats are found at this point, just click the Report selection on the top right of the form to generate a log. A log file report will pop which you can just close since the report file is already saved.
  • If any infection or suspected items are found, you will see a window similar to below:
    tdss7.jpg
    • If you have files that are shown to fail signature check do not take any action on these. Make sure you select Skip. I will tell you what to do with these later. They may not be issues at all.
    • If Suspicious objects are detected, the default action will be Skip. Leave the default set to Skip.
    • If Malicious objects are detected, they will show in the Scan results. TDSSKiller automatically selects an action (Cure or Delete) for malicious objects
    • Make sure that Cure is selected. Important! - If Cure is not available, please choose Skip instead. Do not choose Delete unless instructed to do so.
  • Click Continue to apply selected actions.
  • A reboot may be required to complete disinfection. A window like the below will appear:
    tdss6.jpg
    Reboot immediately if TDSSKiller states that one is needed.
  • Whether an infection is found or not, a log file should have already been created on your C: drive (or whatever drive you boot from) in the root folder named something like TDSSKiller.2.1.1_27.12.2009_14.17.04_log.txt which is based on the program version # and date and time run.
  • Paste the log to your next reply, DO NOT ATTACH IT.
===

Download http://public.avast.com/~gmerek/aswMBR.exe (aswMBR.exe) to your desktop. Double click the aswMBR.exe to run it.
  • Click the "Scan" button to start scan.
  • Upon completion of the scan, click Save log, and save it to your desktop. (Note - do not select any Fix at this time) <- IMPORTANT
  • Please paste the contents of that log in your next reply.
There shall also be a file on your desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) folder. Please attach that zipped file in your next reply.
===
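A small triage script for the TDSSKiller log that the steps above ask for, added here as an example (it is not part of the thread and not Kaspersky's tool): it pulls out every object the scanner did not mark "- ok", pairs it with the MD5 and path from the preceding "[ md5 ]" line, and buckets it the way the instructions above do (unsigned and suspicious objects stay on Skip, malicious ones get Cure). The sample log is constructed: most lines follow the format of the log posted later in this thread, and the two \Device\Harddisk0\DR0 lines are an assumption about how a boot-record detection is reported, reusing the verdict name the poster mentions.

```python
"""Triage a Kaspersky TDSSKiller log: list every object that was not marked '- ok'.

Added example for this thread; not part of TDSSKiller or of the original posts.
"""
import re
from collections import namedtuple

# Every log line starts with a timestamp and the scanner's PID: "HH:MM:SS.mmmm PID  message"
LINE_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}\.\d+)\s+(\d+)\s+(.*)$")
# File lines carry the MD5 and path of the object being checked: "[ MD5 ] Name   Path"
FILE_RE = re.compile(r"^\[ ([0-9A-Fa-f]{32}) \] (\S+)\s+(.+)$")
# Verdict lines: "Name ( Verdict ) - warning" (or "- infected" / "- suspicious")
VERDICT_RE = re.compile(r"^(.+?) \( (\S+) \) - (warning|infected|suspicious)$")

Finding = namedtuple("Finding", "time object verdict severity md5 path")

# Constructed sample log. The service lines copy the format of the log posted in this
# thread; the DR0 lines are an ASSUMPTION about how a boot-record hit is printed.
SAMPLE_LOG = r"""
15:35:36.0578 1348  Scan started
15:35:36.0578 1348  Mode: Manual; SigCheck; TDLFS;
15:37:50.0140 1348  ACPI - ok
15:37:53.0031 1348  [ E42F7B36B4D8866184E8DF9776CA4226 ] AdobeActiveFileMonitor C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
15:37:53.0703 1348  AdobeActiveFileMonitor ( UnsignedFile.Multi.Generic ) - warning
15:37:53.0703 1348  AdobeActiveFileMonitor - detected UnsignedFile.Multi.Generic (1)
15:39:18.0125 1348  [ 3D4B69962452A1770386A7D5EBB2AB52 ] arusb(Atheros)  C:\WINDOWS\system32\DRIVERS\dwarusb.sys
15:39:18.0531 1348  arusb(Atheros) ( UnsignedFile.Multi.Generic ) - warning
15:39:18.0531 1348  arusb(Atheros) - detected UnsignedFile.Multi.Generic (1)
15:45:01.0000 1348  \Device\Harddisk0\DR0 ( Rootkit.Boot.Harbinger.a ) - infected
15:45:01.0000 1348  \Device\Harddisk0\DR0 - detected Rootkit.Boot.Harbinger.a (0)
"""


def parse_tdsskiller(text):
    """Return one Finding per verdict line, enriched from the preceding '[ md5 ]' line."""
    last_file = {}  # object name -> (md5, path) from its most recent file line
    findings = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        time, _pid, msg = m.groups()
        fm = FILE_RE.match(msg)
        if fm:
            md5, name, path = fm.groups()
            last_file[name] = (md5.upper(), path.rstrip())
            continue
        vm = VERDICT_RE.match(msg)
        if vm:
            obj, verdict, severity = vm.groups()
            md5, path = last_file.get(obj, (None, None))  # boot records have no file line
            findings.append(Finding(time, obj, verdict, severity, md5, path))
        # "- ok" and "- detected ..." lines repeat the verdict and are ignored
    return findings


def classify(finding):
    """Bucket a finding the way the instructions in this thread treat TDSSKiller results."""
    if finding.severity == "infected":
        return "malicious"  # the scanner offers Cure/Delete for these
    if finding.verdict.startswith("UnsignedFile."):
        return "unsigned"  # failed signature check only: leave on Skip, verify with the vendor
    return "suspicious"  # default action is Skip


def recommended_action(finding):
    """Cure for malicious objects; everything else stays on Skip, as advised above."""
    return "Cure" if classify(finding) == "malicious" else "Skip"


def triage(text):
    """Parse a log and group its findings into malicious / unsigned / suspicious."""
    buckets = {"malicious": [], "unsigned": [], "suspicious": []}
    for finding in parse_tdsskiller(text):
        buckets[classify(finding)].append(finding)
    return buckets


if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_LOG).items():
        print("%s (%d)" % (bucket, len(items)))
        for f in items:
            print("  %-5s %s  %s  %s" % (recommended_action(f), f.object, f.verdict, f.path or ""))
```

Run it against the real log by reading the TDSSKiller.*_log.txt file from the root of the boot drive into triage().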

#13 A_Late_Fall

  • Topic Starter
  • Members
  • 20 posts

Posted 05 June 2013 - 05:41 PM

Hi nasdaq,

Thanks again for your help.  It is very much appreciated.

I ran Kaspersky TDSSKiller with the "process modules" box unchecked (since it wasn't mentioned) and under "Change parameters" checked the boxes for "Verify Driver Digital Signature" and "Detect TDLFS file system". Beforehand I checked to see what service was drawing resources.  This time it was Workstation service [lanmanworkstation] trying to use 100% of the CPU.  I thought about rebooting to reset the malware back to its more standard Themes service, but then I thought that the less time TDSSKiller was on my system before I ran it, the better it might be.
Several suspicious items were detected in the scan, some of which may be some unsigned drivers that I think may be associated with a new LG external DVD burner that I had just installed before talking with you in order to back up files.  I don't know if that's what they are for certain, but I thought I recognized a few that I had already looked up.  I haven't had a chance to check for newer drivers for that device and its associated programs yet. Hopefully they will think to sign their work.  I left those suspicious files set to "skip".
So, the good/bad news, depending on point of view, is that the scan also turned up a Malicious Object, which was Rootkit.Boot.Harbinger.a.  I am unfamiliar with it, but I think this is at least part of our problems!  I left the entry set to "Cure" and clicked "Continue", after which TDSSKiller asked for a reboot.  I clicked "Reboot" within the program and a very long shutdown happened during which the computer finally hung on the Windows XP "logging off" portion.  After about ten minutes near the end of which I tried Ctrl+Alt+Delete a few times, I finally forced a shutdown with the power button.
Upon restart TDSSKiller popped up and asked if I wanted to run the program.  I wasn't sure so I clicked run, but it just took me back to the beginning of a scan.  I exited and downloaded Avast! aswMBR.
At this point there were no services using resources and nothing accessing the internet but me.  A ray of hope!
On the first run aswMBR crashed while scanning the TDSSKiller files and closed itself after I declined the Microsoft Error Reporting tool's request to send Microsoft a crash report.  On running the program again it finished successfully.
Another reboot is showing no further malicious activity so far.
I am happy to finally critically disturb this thing's operation.  Is it that the rootkit was hiding in a partition?
Thanks again, and please let me know how to proceed from here.

A_Late_Fall


Here is the log for Kaspersky TDSSKiller:

15:34:36.0656 3664  TDSS rootkit removing tool 2.8.16.0 Feb 11 2013 18:50:42
15:34:38.0656 3664  ============================================================
15:34:38.0656 3664  Current date / time: 2013/06/05 15:34:38.0656
15:34:38.0656 3664  SystemInfo:
15:34:38.0656 3664 
15:34:38.0656 3664  OS Version: 5.1.2600 ServicePack: 3.0
15:34:38.0656 3664  Product type: Workstation
15:34:38.0656 3664  ComputerName: OWNER-510F5D3C7
15:34:38.0656 3664  UserName: Main Account
15:34:38.0656 3664  Windows directory: C:\WINDOWS
15:34:38.0656 3664  System windows directory: C:\WINDOWS
15:34:38.0656 3664  Processor architecture: Intel x86
15:34:38.0656 3664  Number of processors: 1
15:34:38.0656 3664  Page size: 0x1000
15:34:38.0656 3664  Boot type: Normal boot
15:34:38.0656 3664  ============================================================
15:34:43.0671 3664  Drive \Device\Harddisk0\DR0 - Size: 0x12A05F2000 (74.51 Gb), SectorSize: 0x200, Cylinders: 0x25FE, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
15:34:43.0703 3664  ============================================================
15:34:43.0703 3664  \Device\Harddisk0\DR0:
15:34:43.0703 3664  MBR partitions:
15:34:43.0703 3664  \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0xFB04, BlocksNum 0x94EEEB9
15:34:43.0703 3664  ============================================================
15:41:50.0515 1348  TermDD - ok
15:41:50.0578 1348  [ FF3477C03BE7201C294C35F684B3479F ] TermService     C:\WINDOWS\System32\termsrv.dll
15:41:50.0843 1348  TermService - ok
15:41:50.0875 1348  [ 99BC0B50F511924348BE19C7C7313BBF ] Themes          C:\WINDOWS\System32\shsvcs.dll
15:41:50.0890 1348  Themes - ok
15:41:50.0921 1348  [ DB7205804759FF62C34E3EFD8A4CC76A ] TlntSvr         C:\WINDOWS\system32\tlntsvr.exe
15:41:51.0031 1348  TlntSvr - ok
15:41:51.0046 1348  TosIde - ok
15:41:51.0078 1348  [ 55BCA12F7F523D35CA3CB833C725F54E ] TrkWks          C:\WINDOWS\system32\trkwks.dll
15:41:51.0296 1348  TrkWks - ok
15:41:51.0328 1348  [ 4E75005B74BE901C30F2636DF40B0C15 ] UdfReadr_xp     C:\WINDOWS\system32\drivers\UdfReadr_xp.sys
15:41:51.0359 1348  UdfReadr_xp ( UnsignedFile.Multi.Generic ) - warning
15:41:51.0359 1348  UdfReadr_xp - detected UnsignedFile.Multi.Generic (1)
15:41:51.0390 1348  [ 5787B80C2E3C5E2F56C2A233D91FA2C9 ] Udfs            C:\WINDOWS\system32\drivers\Udfs.sys
15:41:51.0593 1348  Udfs - ok
15:41:51.0609 1348  ultra - ok
15:41:51.0671 1348  [ 402DDC88356B1BAC0EE3DD1580C76A31 ] Update          C:\WINDOWS\system32\DRIVERS\update.sys
15:41:51.0953 1348  Update - ok
15:41:51.0984 1348  [ 1EBAFEB9A3FBDC41B8D9C7F0F687AD91 ] upnphost        C:\WINDOWS\System32\upnphost.dll
15:41:52.0078 1348  upnphost - ok
15:41:52.0109 1348  [ 05365FB38FCA1E98F7A566AAAF5D1815 ] UPS             C:\WINDOWS\System32\ups.exe
15:41:52.0375 1348  UPS - ok
15:41:52.0406 1348  [ 173F317CE0DB8E21322E71B7E60A27E8 ] usbccgp         C:\WINDOWS\system32\DRIVERS\usbccgp.sys
15:41:52.0593 1348  usbccgp - ok
15:41:52.0640 1348  [ 65DCF09D0E37D4C6B11B5B0B76D470A7 ] usbehci         C:\WINDOWS\system32\DRIVERS\usbehci.sys
15:41:52.0906 1348  usbehci - ok
15:41:52.0937 1348  [ 1AB3CDDE553B6E064D2E754EFE20285C ] usbhub          C:\WINDOWS\system32\DRIVERS\usbhub.sys
15:41:53.0125 1348  usbhub - ok
15:41:53.0140 1348  [ A717C8721046828520C9EDF31288FC00 ] usbprint        C:\WINDOWS\system32\DRIVERS\usbprint.sys
15:41:53.0359 1348  usbprint - ok
15:41:53.0375 1348  [ A0B8CF9DEB1184FBDD20784A58FA75D4 ] usbscan         C:\WINDOWS\system32\DRIVERS\usbscan.sys
15:41:53.0609 1348  usbscan - ok
15:41:53.0640 1348  [ 1C888B000C2F9492F4B15B5B6B84873E ] usbser          C:\WINDOWS\system32\DRIVERS\usbser.sys
15:41:53.0843 1348  usbser - ok
15:41:53.0859 1348  [ A32426D9B14A089EAA1D922E0C5801A9 ] USBSTOR         C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
15:41:54.0109 1348  USBSTOR - ok
15:41:54.0140 1348  [ 26496F9DEE2D787FC3E61AD54821FFE6 ] usbuhci         C:\WINDOWS\system32\DRIVERS\usbuhci.sys
15:41:54.0312 1348  usbuhci - ok
15:41:54.0375 1348  [ 0D3A8FAFCEACD8B7625CD549757A7DF1 ] VgaSave         C:\WINDOWS\System32\drivers\vga.sys
15:41:54.0765 1348  VgaSave - ok
15:41:54.0781 1348  ViaIde - ok
15:41:54.0796 1348  [ 4C8FCB5CC53AAB716D810740FE59D025 ] VolSnap         C:\WINDOWS\system32\drivers\VolSnap.sys
15:41:55.0187 1348  VolSnap - ok
15:41:55.0234 1348  [ 7A9DB3A67C333BF0BD42E42B8596854B ] VSS             C:\WINDOWS\System32\vssvc.exe
15:41:55.0359 1348  VSS - ok
15:41:55.0390 1348  [ 54AF4B1D5459500EF0937F6D33B1914F ] W32Time         C:\WINDOWS\system32\w32time.dll
15:41:55.0640 1348  W32Time - ok
15:41:55.0671 1348  [ E20B95BAEDB550F32DD489265C1DA1F6 ] Wanarp          C:\WINDOWS\system32\DRIVERS\wanarp.sys
15:41:55.0890 1348  Wanarp - ok
15:41:55.0890 1348  WDICA - ok
15:41:55.0937 1348  [ 6768ACF64B18196494413695F0C3A00F ] wdmaud          C:\WINDOWS\system32\drivers\wdmaud.sys
15:41:56.0234 1348  wdmaud - ok
15:41:56.0265 1348  [ 77A354E28153AD2D5E120A5A8687BC06 ] WebClient       C:\WINDOWS\System32\webclnt.dll
15:41:56.0468 1348  WebClient - ok
15:41:56.0531 1348  [ 2D0E4ED081963804CCC196A0929275B5 ] winmgmt         C:\WINDOWS\system32\wbem\WMIsvc.dll
15:41:56.0718 1348  winmgmt - ok
15:41:56.0765 1348  [ C51B4A5C05A5475708E3C81C7765B71D ] WmdmPmSN        C:\WINDOWS\system32\MsPMSNSv.dll
15:41:56.0875 1348  WmdmPmSN - ok
15:41:56.0921 1348  [ E76F8807070ED04E7408A86D6D3A6137 ] Wmi             C:\WINDOWS\System32\advapi32.dll
15:41:57.0015 1348  Wmi - ok
15:41:57.0062 1348  [ E0673F1106E62A68D2257E376079F821 ] WmiApSrv        C:\WINDOWS\system32\wbem\wmiapsrv.exe
15:41:57.0265 1348  WmiApSrv - ok
15:41:57.0359 1348  [ F74E3D9A7FA9556C3BBB14D4E5E63D3B ] WMPNetworkSvc   C:\Program Files\Windows Media Player\WMPNetwk.exe
15:41:57.0437 1348  WMPNetworkSvc - ok
15:41:57.0468 1348  [ 6ABE6E225ADB5A751622A9CC3BC19CE8 ] WS2IFSL         C:\WINDOWS\System32\drivers\ws2ifsl.sys
15:41:57.0671 1348  WS2IFSL - ok
15:41:57.0718 1348  [ 7C278E6408D1DCE642230C0585A854D5 ] wscsvc          C:\WINDOWS\system32\wscsvc.dll
15:41:57.0937 1348  wscsvc - ok
15:41:57.0968 1348  [ 35321FB577CDC98CE3EB3A3EB9E4610A ] wuauserv        C:\WINDOWS\system32\wuauserv.dll
15:41:58.0171 1348  wuauserv - ok
15:41:58.0203 1348  [ F15FEAFFFBB3644CCC80C5DA584E6311 ] WudfPf          C:\WINDOWS\system32\DRIVERS\WudfPf.sys
15:41:58.0281 1348  WudfPf - ok
15:41:58.0296 1348  [ 28B524262BCE6DE1F7EF9F510BA3985B ] WudfRd          C:\WINDOWS\system32\DRIVERS\wudfrd.sys
15:41:58.0328 1348  WudfRd - ok
15:41:58.0343 1348  [ 05231C04253C5BC30B26CBAAE680ED89 ] WudfSvc         C:\WINDOWS\System32\WUDFSvc.dll
15:41:58.0406 1348  WudfSvc - ok
15:41:58.0468 1348  [ 81DC3F549F44B1C1FFF022DEC9ECF30B ] WZCSVC          C:\WINDOWS\System32\wzcsvc.dll
15:41:58.0703 1348  WZCSVC - ok
15:41:58.0734 1348  [ 295D21F14C335B53CB8154E5B1F892B9 ] xmlprov         C:\WINDOWS\System32\xmlprov.dll
15:41:58.0937 1348  xmlprov - ok
15:41:58.0968 1348  ================ Scan global ===============================
15:41:59.0015 1348  [ 42F1F4C0AFB08410E5F02D4B13EBB623 ] C:\WINDOWS\system32\basesrv.dll
15:41:59.0046 1348  [ 69AE2B2E6968C316536E5B10B9702E63 ] C:\WINDOWS\system32\winsrv.dll
15:41:59.0078 1348  [ 69AE2B2E6968C316536E5B10B9702E63 ] C:\WINDOWS\system32\winsrv.dll
15:41:59.0109 1348  [ 65DF52F5B8B6E9BBD183505225C37315 ] C:\WINDOWS\system32\services.exe
15:41:59.0109 1348  [Global] - ok
15:41:59.0109 1348  ================ Scan MBR ==================================
15:41:59.0140 1348  [ B8219E126CCFCA2511CA3F82E8C3CEDF ] \Device\Harddisk0\DR0
15:41:59.0140 1348  Suspicious mbr (Forged): \Device\Harddisk0\DR0
15:41:59.0203 1348  \Device\Harddisk0\DR0 ( Rootkit.Boot.Harbinger.a ) - infected
15:41:59.0203 1348  \Device\Harddisk0\DR0 - detected Rootkit.Boot.Harbinger.a (0)
15:41:59.0281 1348  ================ Scan VBR ==================================
15:41:59.0281 1348  [ E4E5CDF68AF66572B16C5A37AC54DC49 ] \Device\Harddisk0\DR0\Partition1
15:41:59.0281 1348  \Device\Harddisk0\DR0\Partition1 - ok
15:41:59.0296 1348  ============================================================
15:41:59.0296 1348  Scan finished
15:41:59.0296 1348  ============================================================
15:41:59.0421 2792  Detected object count: 20
15:41:59.0421 2792  Actual detected object count: 20
15:44:58.0156 2792  AdobeActiveFileMonitor ( UnsignedFile.Multi.Generic ) - skipped by user
15:44:58.0156 2792  AdobeActiveFileMonitor ( UnsignedFile.Multi.Generic ) - User select action: Skip
15:44:58.0156 2792  arusb(Atheros) ( UnsignedFile.Multi.Generic ) - skipped by user
15:44:58.0156 2792  arusb(Atheros) ( UnsignedFile.Multi.Generic ) - User select action: Skip
15:44:58.0171 2792  BCM42RLY ( UnsignedFile.Multi.Generic ) - skipped by user
15:44:58.0171 2792  BCM42RLY ( UnsignedFile.Multi.Generic ) - User select action: Skip
15:44:58.0281 2792  CCALib8 ( UnsignedFile.Multi.Generic ) - skipped by user
15:44:58.0281 2792  CCALib8 ( UnsignedFile.Multi.Generic ) - User select action: Skip
15:44:58.0281 2792  Cdr4_xp ( UnsignedFile.Multi.Generic ) - skipped by user
15:44:58.0281 2792  Cdr4_xp ( UnsignedFile.Multi.Generic ) - User select action: Skip
15:44:58.0281 2792  Cdralw2k ( UnsignedFile.Multi.Generic ) - skipped by user
15:44:58.0281 2792  Cdralw2k ( UnsignedFile.Multi.Generic ) - User select action: Skip
15:44:58.0296 2792  cdudf_xp ( UnsignedFile.Multi.Generic ) - skipped by user
15:44:58.0296 2792  cdudf_xp ( UnsignedFile.Multi.Generic ) - User select action: Skip
15:44:58.0296 2792  dvd_2K ( UnsignedFile.Multi.Generic ) - skipped by user
15:44:58.0296 2792  dvd_2K ( UnsignedFile.Multi.Generic ) - User select action: Skip
15:44:58.0296 2792  GTNDIS5 ( UnsignedFile.Multi.Generic ) - skipped by user
15:44:58.0296 2792  GTNDIS5 ( UnsignedFile.Multi.Generic ) - User select action: Skip
15:44:58.0390 2792  IDriverT ( UnsignedFile.Multi.Generic ) - skipped by user
15:44:58.0390 2792  IDriverT ( UnsignedFile.Multi.Generic ) - User select action: Skip
15:44:58.0406 2792  iPodService ( UnsignedFile.Multi.Generic ) - skipped by user
15:44:58.0406 2792  iPodService ( UnsignedFile.Multi.Generic ) - User select action: Skip
15:44:58.0406 2792  MCSTRM ( UnsignedFile.Multi.Generic ) - skipped by user
15:44:58.0406 2792  MCSTRM ( UnsignedFile.Multi.Generic ) - User select action: Skip
15:44:58.0406 2792  mmc_2K ( UnsignedFile.Multi.Generic ) - skipped by user
15:44:58.0406 2792  mmc_2K ( UnsignedFile.Multi.Generic ) - User select action: Skip
15:44:58.0406 2792  OMCI ( UnsignedFile.Multi.Generic ) - skipped by user
15:44:58.0406 2792  OMCI ( UnsignedFile.Multi.Generic ) - User select action: Skip
15:44:58.0406 2792  PhotoshopElementsDeviceConnect ( UnsignedFile.Multi.Generic ) - skipped by user
15:44:58.0406 2792  PhotoshopElementsDeviceConnect ( UnsignedFile.Multi.Generic ) - User select action: Skip
15:44:58.0500 2792  Pml Driver HPZ12 ( UnsignedFile.Multi.Generic ) - skipped by user
15:44:58.0500 2792  Pml Driver HPZ12 ( UnsignedFile.Multi.Generic ) - User select action: Skip
15:44:58.0500 2792  pwd_2k ( UnsignedFile.Multi.Generic ) - skipped by user
15:44:58.0500 2792  pwd_2k ( UnsignedFile.Multi.Generic ) - User select action: Skip
15:44:58.0500 2792  PxHelp20 ( UnsignedFile.Multi.Generic ) - skipped by user
15:44:58.0500 2792  PxHelp20 ( UnsignedFile.Multi.Generic ) - User select action: Skip
15:44:58.0515 2792  UdfReadr_xp ( UnsignedFile.Multi.Generic ) - skipped by user
15:44:58.0515 2792  UdfReadr_xp ( UnsignedFile.Multi.Generic ) - User select action: Skip
15:45:08.0781 2792  \Device\Harddisk0\DR0\# - copied to quarantine
15:45:08.0937 2792  \Device\Harddisk0\DR0 - copied to quarantine
15:45:10.0437 2792  \Device\Harddisk0\DR0 ( Rootkit.Boot.Harbinger.a ) - will be cured on reboot
15:45:10.0546 2792  \Device\Harddisk0\DR0 - ok
15:45:17.0468 2792  \Device\Harddisk0\DR0 ( Rootkit.Boot.Harbinger.a ) - User select action: Cure
15:45:40.0078 2836  Deinitialize success
Here is the log for Avast! aswMBR:

aswMBR version 0.9.9.1771 Copyright© 2011 AVAST Software
Run date: 2013-06-05 16:25:41
-----------------------------
16:25:41.562    OS Version: Windows 5.1.2600 Service Pack 3
16:25:41.562    Number of processors: 1 586 0x209
16:25:41.562    ComputerName: OWNER-510F5D3C7  UserName: Main Account
16:25:42.015    Initialize success
16:26:17.406    AVAST engine defs: 13060501
16:26:35.656    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
16:26:35.656    Disk 0 Vendor: WDC_WD800BB-75CAA0 16.06V16 Size: 76293MB BusType: 3
16:26:35.750    Disk 0 MBR read successfully
16:26:35.750    Disk 0 MBR scan
16:26:35.781    Disk 0 Windows XP default MBR code
16:26:35.781    Disk 0 Partition 1 00     DE Dell Utility Dell 4.1       31 MB offset 63
16:26:35.828    Disk 0 Partition 2 80 (A) 07    HPFS/NTFS NTFS        76253 MB offset 64260
16:26:35.828    Disk 0 scanning sectors +156232125
16:26:36.046    Disk 0 scanning C:\WINDOWS\system32\drivers
16:26:50.734    Service scanning
16:27:09.218    Modules scanning
16:27:20.750    Disk 0 trace - called modules:
16:27:20.765    ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll intelide.sys PCIIDEX.SYS
16:27:21.265    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a608ab8]
16:27:21.265    3 CLASSPNP.SYS[f7637fd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x8a653b00]
16:27:21.828    AVAST engine scan C:\WINDOWS
16:27:32.609    AVAST engine scan C:\WINDOWS\system32
16:31:11.062    AVAST engine scan C:\WINDOWS\system32\drivers
16:31:37.859    AVAST engine scan C:\Documents and Settings\Main Account
16:36:53.203    AVAST engine scan C:\Documents and Settings\All Users
16:39:31.375    Scan finished successfully
16:39:49.906    Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Main Account\Desktop\MBR.dat"
16:39:49.906    The log file has been saved successfully to "C:\Documents and Settings\Main Account\Desktop\aswMBR.txt"

And attached please find the compressed aswMBR.DAT file


Attached File: MBR.zip (513 bytes)

#14 nasdaq

  • Malware Response Team

Posted 06 June 2013 - 08:39 AM

Is it that the rootkit was hiding in a partition?

Yes.
===

Can you please run ComboFix again and post a fresh log for my review?

===

Get the latest version of the Adobe Reader.
http://get.adobe.com/reader/
Before you download, I suggest you uncheck the box on the top right, "Yes, install McAfee Security Scan Plus - optional"; this is not required if you are not a McAfee subscriber. While the installation is in progress you can also deny the installation of any other programs that may be suggested.

When it is installed, remove your old version of the Reader using the Add/Remove Programs applet if present.

Let me know what problem persists.

#15 A_Late_Fall

  • Topic Starter
  • Members

Posted 06 June 2013 - 02:25 PM

Here are the results of the 2nd ComboFix scan:

ComboFix 13-06-06.03 - Main Account 06/06/2013  12:58:56.2.1 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.2047.1451 [GMT -4:00]
Running from: c:\documents and settings\Main Account\Desktop\ComboFix.exe
AV: Norton Security Suite *Disabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Security Suite *Enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.
.
(((((((((((((((((((((((((   Files Created from 2013-05-06 to 2013-06-06  )))))))))))))))))))))))))))))))
.
.
2013-06-05 19:44 . 2013-06-05 19:44 -------- d-----w- C:\TDSSKiller_Quarantine
2013-06-03 19:46 . 2013-06-03 20:24 -------- d-----w- c:\documents and settings\Main Account\Local Settings\Application Data\NPE
2013-06-03 02:32 . 2013-06-03 02:32 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2013-06-03 02:20 . 2013-06-03 02:20 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-06-03 02:20 . 2013-06-03 02:20 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-06-03 02:15 . 2013-06-03 02:15 -------- d-----w- c:\program files\Common Files\Java
2013-06-03 02:15 . 2013-06-03 02:15 144896 ----a-w- c:\windows\system32\javacpl.cpl
2013-06-03 02:15 . 2013-06-03 02:15 94112 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-06-03 02:14 . 2013-06-03 02:14 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2013-06-01 14:45 . 2013-06-01 14:45 -------- d-----w- c:\program files\ESET
2013-05-23 08:47 . 2013-05-23 08:47 -------- d-----w- c:\documents and settings\Main Account\Local Settings\Application Data\Power2Go
2013-05-22 23:52 . 2006-02-17 18:19 16384 ----a-w- c:\windows\system32\lgfwunis.exe
2013-05-22 23:52 . 2001-08-30 01:00 59904 ----a-w- c:\windows\system32\wbemdisp.tlb
2013-05-22 23:52 . 1998-07-22 04:00 102912 ----a-w- c:\windows\system32\Vb6stkit.dll
2013-05-22 23:52 . 1998-07-22 04:00 102160 ----a-w- c:\windows\system32\VB6KO.DLL
2013-05-22 23:52 . 1998-06-24 04:00 115016 ----a-w- c:\windows\system32\MSINET.OCX
2013-05-22 23:52 . 2013-06-06 10:38 -------- d-----w- c:\program files\lg_fwupdate
2013-05-22 23:50 . 2013-05-23 00:34 -------- d-----w- c:\documents and settings\Main Account\Application Data\CyberLink
2013-05-22 23:45 . 2013-05-22 23:54 -------- d-----w- c:\documents and settings\All Users\Application Data\CyberLink
2013-05-20 09:39 . 2013-05-20 09:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2013-05-20 09:39 . 2013-04-04 18:50 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-05-17 15:10 . 2013-05-17 15:10 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Apple
2013-05-17 06:37 . 2013-05-17 06:37 -------- d-----w- c:\program files\ACW
2013-05-15 08:19 . 2012-07-27 02:02 257928 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2013-05-15 07:56 . 2013-05-15 07:56 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2013-05-15 07:56 . 2013-05-15 07:56 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Temp
2013-05-14 06:30 . 2013-05-14 06:30 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2013-05-14 05:25 . 2013-05-14 05:25 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2013-05-14 05:02 . 2013-05-14 05:02 -------- d-----w- c:\documents and settings\Main Account\Application Data\Windows Search
2013-05-13 09:53 . 2013-05-13 09:53 -------- d-----w- c:\documents and settings\Main Account\Application Data\ElevatedDiagnostics
2013-05-13 09:50 . 2013-05-13 09:50 -------- d-----w- c:\program files\Microsoft ATS
2013-05-13 08:43 . 2013-05-13 08:43 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2013-05-13 05:35 . 2013-05-15 01:07 -------- d-----w- c:\windows\system32\XPSViewer
2013-05-13 05:34 . 2013-05-13 05:34 -------- d-----w- c:\program files\MSBuild
2013-05-13 05:33 . 2013-05-13 05:33 -------- d-----w- c:\program files\Reference Assemblies
2013-05-13 05:30 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
2013-05-13 05:25 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2013-05-13 05:25 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2013-05-13 05:25 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2013-05-13 05:25 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2013-05-13 05:25 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2013-05-13 05:25 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2013-05-13 05:25 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2013-05-13 05:25 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2013-05-13 05:25 . 2013-05-13 05:30 -------- d-----w- C:\5fcc5aeb41332ec0193c7601819fc7c6
2013-05-13 04:38 . 2013-05-30 08:56 -------- d-----w- c:\program files\Windows Desktop Search
2013-05-13 04:09 . 2008-03-07 17:02 29696 -c----w- c:\windows\system32\dllcache\mimefilt.dll
2013-05-13 04:09 . 2008-03-07 17:02 98304 -c----w- c:\windows\system32\dllcache\nlhtml.dll
2013-05-13 04:09 . 2008-03-07 17:02 192000 -c----w- c:\windows\system32\dllcache\offfilt.dll
2013-05-11 15:46 . 2013-05-11 15:46 -------- d-----w- c:\documents and settings\Main Account\Application Data\Malwarebytes
2013-05-11 15:45 . 2013-05-11 15:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2013-05-11 10:37 . 2013-05-11 10:37 209472 ----a-w- c:\program files\Mozilla Firefox\plugins\nppdf32.dll
2013-05-11 10:37 . 2013-05-11 10:37 209472 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
2013-05-10 21:54 . 2013-05-10 21:54 -------- d-----w- c:\program files\WinDirStat
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-06-03 02:15 . 2012-07-01 03:59 866720 ----a-w- c:\windows\system32\npdeployJava1.dll
2013-06-03 02:15 . 2010-06-28 04:33 788896 ----a-w- c:\windows\system32\deployJava1.dll
2013-04-29 20:07 . 2013-04-29 17:31 4126720 ----a-w- c:\program files\GUT6.tmp
2013-04-27 02:53 . 2013-04-26 22:18 4126720 ----a-w- c:\program files\GUT5D.tmp
2013-04-27 02:52 . 2013-04-27 00:43 4126720 ----a-w- c:\program files\GUT63.tmp
2013-04-16 22:17 . 2004-08-12 13:33 920064 ----a-w- c:\windows\system32\wininet.dll
2013-04-16 22:17 . 2004-08-12 13:21 43520 ----a-w- c:\windows\system32\licmgr10.dll
2013-04-16 22:17 . 2004-08-12 13:20 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2013-04-12 23:28 . 2004-08-12 13:19 385024 ----a-w- c:\windows\system32\html.iec
2013-04-10 01:31 . 2004-08-12 13:33 1876352 ----a-w- c:\windows\system32\win32k.sys
2010-06-08 20:00 . 2010-06-08 20:00 55088 -c--a-w- c:\program files\MFInstall.exe
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-11 53248]
"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-12-17 684032]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 122880]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2004-10-13 278528]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2002-07-17 28672]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2005-07-23 172032]
"REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-05 53248]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-10-24 421888]
"UpdateLBPShortCut"="c:\program files\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" [2009-05-20 222504]
"CLMLServer"="c:\program files\CyberLink\Power2Go\CLMLSvc.exe" [2009-12-15 103720]
"UpdateP2GoShortCut"="c:\program files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2009-05-20 222504]
"UCam_Menu"="c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2009-05-20 222504]
"LGODDFU"="c:\program files\lg_fwupdate\fwupdate.exe" [2008-10-01 548864]
"UpdatePSTShortCut"="c:\program files\CyberLink\Media Suite\MUITransfer\MUIStartMenu.exe" [2011-12-15 222504]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2013-03-12 253816]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-05-11 958576]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2004-10-4 113664]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Last.fm\\LastFM.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\N360\0502020.003\symds.sys [7/16/2012 3:52 PM 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0502020.003\symefa.sys [7/16/2012 3:52 PM 744568]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\BASHDefs\20130531.001\BHDrvx86.sys [5/31/2013 12:58 PM 1002072]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\N360\0502020.003\ironx86.sys [7/16/2012 3:52 PM 136312]
R2 N360;Norton Security Suite;c:\program files\Norton Security Suite\Engine\5.2.2.3\ccsvchst.exe [7/16/2012 3:52 PM 130008]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [5/10/2013 8:25 AM 106656]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\N360_5.0.0.125\Definitions\IPSDefs\20130605.001\IDSXpx86.sys [6/6/2013 6:50 AM 373728]
R3 Linksys_adapter_H;Linksys Adapter Network Driver;c:\windows\system32\drivers\AE2500xp.sys [3/22/2012 7:22 PM 1034240]
S2 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe [10/4/2004 4:47 AM 98304]
S2 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe [10/4/2004 3:40 AM 118784]
S3 arusb(Atheros);D-Link Wireless Network Adapter Service;c:\windows\system32\drivers\dwarusb.sys [9/11/2010 10:39 AM 457728]
S3 ssmirrdr;ssmirrdr;c:\windows\system32\drivers\ssmirrdr.sys [6/11/2011 2:52 AM 10112]
.
Contents of the 'Scheduled Tasks' folder
.
2013-06-06 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2013-06-03 02:20]
.
2013-05-31 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
.
.
------- Supplementary Scan -------
.
Trusted Zone: internet
Trusted Zone: mcafee.com
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76 192.168.1.1
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
SafeBoot-23868836.sys
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-06-06 13:10
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ... 
.
scanning hidden autostart entries ...
.
scanning hidden files ... 
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton Security Suite\Engine\5.2.2.3\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton Security Suite\Engine\5.2.2.3\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_202_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_7_700_202_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3508)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2013-06-06  13:13:58
ComboFix-quarantined-files.txt  2013-06-06 17:13
ComboFix2.txt  2013-05-31 22:45
.
Pre-Run: 50,826,604,544 bytes free
Post-Run: 51,523,538,944 bytes free
.
- - End Of File - - 8564E4D541F2F70E6204C371D98EE927
8F558EB6672622401DA993E1E865C861

I will reinstall Adobe Reader again.

A_Late_Fall
