Strange looking Winlogon.exe and Csrss.exe Processes...Malware?


  • This topic is locked
14 replies to this topic

#1 mred27

mred27

  • Members
  • 56 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:09 PM

Posted 25 August 2013 - 08:37 AM

Hello,

 

In Glarysoft 3 Process Manager I noticed these two processes running as high priority with an odd looking executable path. I could not delete them. In Windows Task Manager, they are critical system files that cannot be deleted either.

 

winlogon.exe          \\??\E:\WINDOWS\system32\winlogon.exe

csrss.exe                \\??\E:\WINDOWS\system32\csrss.exe

 

I realize these are normally critical system processes but winlogon.exe only runs for a minute or less at startup not continuously. A trojan that disguises itself as this file has been around for years so I was wondering if these might be it.

 

Quick Background: I attempted to restore my registry a few weeks ago with a Glarysoft backup which nuked my Windows boot up into a continuous loop. I then reinstalled XP Pro on my E partition. It used to be on the C partition. I just ran a MBAM Pro with latest updates, full scan and it was clean.

 

"Mr.C" in your MBAM sister forum was helping me and had me run the following which all were clean. He didn't see anything but those processes are still running so I would like to know if they are the trojans or not?

dds 

RogueKiller

Malwarebytes Anti-Rootkit

Combofix

 

I tried to attach screen shots of the Process screens but they would not attach because a 641 kb file was too large which seems odd. I ran the dds.com and attached those two requested files.

 

Thanks!

Attached Files
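The `\??\` prefix on the two paths quoted above is the NT object-manager namespace form of an ordinary drive path. It is how the kernel records a process's image path, and a process viewer that reads that field raw (as Glary's does here) will show it for every process, so the prefix by itself says nothing about legitimacy. winlogon.exe is also resident for the whole logon session rather than only at startup. What a defender actually checks is whether the image lives in the expected system32 directory and whether the name is an exact match rather than a lookalike. The Python below is an added example, not part of this thread nor of Glary, Malwarebytes or any other tool discussed in it: it strips the namespace prefix, canonicalises the path, and classifies the process against the E:\WINDOWS system root seen in the logs. The set of "core" process names is an assumption made for the example, and the sample lines marked constructed are not from the thread. A path check like this complements, but does not replace, an Authenticode signature check of the file itself.

```python
"""Classify process image paths reported in NT-native (\\??\\) form.

Added example; not code from the BleepingComputer thread or from any tool
discussed in it.  Runs offline on the constructed sample below.
"""
import ntpath
import re

# Core Windows processes that legitimately live only in %SystemRoot%\system32.
# The names are real Windows binaries; the membership of this set is an
# assumption made for the example.
CRITICAL_PROCESSES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe"}

# \??\  : NT object-manager namespace (how the kernel reports image paths)
# \\?\  : Win32 extended-length prefix
# \\.\  : Win32 device namespace
# Some viewers print the first form with a doubled leading backslash, as the
# post does, so one or two leading backslashes are accepted.
_PREFIX_RE = re.compile(r"^\\{1,2}(?:\?\?|\?|\.)\\")


def normalize_nt_path(path):
    """Strip an NT/Win32 namespace prefix and canonicalise the drive path.

    Case is folded because NTFS paths are case-insensitive, and ntpath.normpath
    resolves '.' and '..' so a path routed through a parent directory cannot
    pass as system32.
    """
    stripped = _PREFIX_RE.sub("", path.strip(), count=1)
    return ntpath.normpath(stripped).lower()


def _edit_distance(a, b):
    """Plain Levenshtein distance, used to spot lookalike process names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_process(name, image_path, system_root):
    """Return one of: 'expected', 'wrong-location', 'lookalike', 'unlisted'.

    'expected'       name is a core process and its image is in system32
    'wrong-location' name is a core process but the image lives elsewhere
    'lookalike'      name is one edit away from a core process name
    'unlisted'       not a core process; the path alone says nothing
    """
    name = name.lower()
    system32 = normalize_nt_path(ntpath.join(system_root, "system32"))
    normalized = normalize_nt_path(image_path)
    in_system32 = (ntpath.dirname(normalized) == system32
                   and ntpath.basename(normalized) == name)
    if name in CRITICAL_PROCESSES:
        return "expected" if in_system32 else "wrong-location"
    if any(_edit_distance(name, core) == 1 for core in CRITICAL_PROCESSES):
        return "lookalike"
    return "unlisted"


def audit_process_list(lines, system_root):
    """Parse 'name <whitespace> image path' lines, the layout quoted in the
    post, and return a list of (name, image_path, verdict) tuples."""
    results = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        name, image_path = line.split(None, 1)  # path may itself contain spaces
        results.append((name, image_path, classify_process(name, image_path, system_root)))
    return results


# Constructed sample: the two lines quoted in the post, plus two hypothetical
# entries (not from the thread) that exercise the negative verdicts.
SAMPLE_PROCESS_LINES = [
    r"winlogon.exe          \\??\E:\WINDOWS\system32\winlogon.exe",
    r"csrss.exe                \\??\E:\WINDOWS\system32\csrss.exe",
    r"csrss.exe                \??\E:\Documents and Settings\Justin\csrss.exe",  # constructed
    r"winlogin.exe          E:\WINDOWS\system32\..\Temp\winlogin.exe",            # constructed
]
SYSTEM_ROOT = r"E:\WINDOWS"  # the install location shown in the ComboFix logs

if __name__ == "__main__":
    for name, path, verdict in audit_process_list(SAMPLE_PROCESS_LINES, SYSTEM_ROOT):
        print(f"{verdict:15} {name:14} {path}")
```

Run as-is, the two quoted lines come back `expected`, the constructed csrss.exe under a user profile comes back `wrong-location`, and the misspelled name comes back `lookalike` even though it was placed under system32, which is why the name check runs independently of the path check.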





#2 HelpBot

HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,703 posts
  • OFFLINE
  • Gender:Male
  • Local time:05:09 PM

Posted 30 August 2013 - 08:40 AM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/505551 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from the following link if you no longer have it available and save it to your desktop.

    DDS.com Download Link
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control can be found HERE.

As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 nasdaq

nasdaq

  • Malware Response Team
  • 39,578 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:05:09 PM

Posted 01 September 2013 - 09:18 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===
Search and delete the AdWare, PUP (Potentially Unwanted Program) installed on your computer.

Please download AdwCleaner by Xplode onto your Desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Click the Report button and the report will open in Notepad.
IMPORTANT
  • If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, close the AdwCleaner windows.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool.
  • Click the Scan button and wait for the process to complete.
  • Check off the element(s) you wish to keep.
  • Click on the Clean button and follow the prompts.
  • A log file will automatically open after the scan has finished.
  • Please post the content of that log file with your next answer.
  • You can find the log file at C:\AdwCleaner[Sn].txt (n is a number).
===

Please download Junkware Removal Tool to your Desktop.
  • Please close your security software to avoid potential conflicts.
  • Run the tool by double-clicking it. If you are using Windows Vista or 7, right-mouse click it and select Run as administrator.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete, depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your Desktop and will automatically open.
  • Please post the contents of JRT.txt into your reply.
===

Please download ComboFix from one of these locations:
Link 1
Link 2
IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your Anti-Virus and Anti-Spyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Some rootkit infections may damage your boot sector. The Windows Recovery Console may be needed to restore it. Do not bypass this installation. You may regret it.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Note: If you have difficulty properly disabling your protection programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html

Do not mouse click ComboFix's window while it's running. That may cause it to stall.

Note: If after running ComboFix you get this error message "Illegal operation attempted on a registry key that has been marked for deletion." when attempting to run a program all you need to do is restart the computer to reset the registry.
===

Please paste the logs in your next reply, DO NOT ATTACH THEM
Let me know what problem persists.

#4 mred27

mred27
  • Topic Starter

  • Members
  • 56 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:09 PM

Posted 01 September 2013 - 09:43 PM

Thanks....

=======================

# AdwCleaner v3.002 - Report created 01/09/2013 at 21:35:35
# Updated 01/09/2013 by Xplode
# Operating System : Microsoft Windows XP Service Pack 3 (32 bits)
# Username : Justin - NA
# Running from : E:\Documents and Settings\Justin\Desktop\adwcleaner.exe
# Option : Scan

***** [ Services ] *****


***** [ Files / Folders ] *****

Folder Found E:\Documents and Settings\Justin\Application Data\Mozilla\Firefox\Profiles\s9exjmvz.default-1376154624703\jetpack
Folder Found E:\Documents and Settings\Justin\IECompatCache

***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Found : HKLM\SOFTWARE\Classes\CLSID\{2CE4D4CF-B278-4126-AD1E-B622DA2E8339}

***** [ Browsers ] *****

-\\ Internet Explorer v8.0.6001.18702


-\\ Mozilla Firefox v23.0.1 (en-US)

[ File : E:\Documents and Settings\Justin\Application Data\Mozilla\Firefox\Profiles\s9exjmvz.default-1376154624703\prefs.js ]


-\\ Google Chrome v

[ File : E:\Documents and Settings\Justin\Local Settings\Application Data\Google\Chrome\User Data\Default\preferences ]


*************************

AdwCleaner[R0].txt - [1095 octets] - [01/09/2013 21:35:35]

########## EOF - E:\AdwCleaner\AdwCleaner[R0].txt - [1155 octets] ##########
 

=========================================================

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 5.5.7 (09.01.2013:1)
OS: Microsoft Windows XP x86
Ran by Justin on Sun 09/01/2013 at 21:53:47.46
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services

Failed to stop: [Service] hshld
Successfully stopped: [Service] hsstrayservice
Successfully deleted: [Service] hsstrayservice
Failed to stop: [Service] hsswd



~~~ Registry Values

Successfully repaired: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_USERS\S-1-5-19\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_USERS\S-1-5-20\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_USERS\S-1-5-21-448539723-1454471165-1644491937-1004\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\DisplayName
Successfully repaired: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\URL
Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\DisplayName
Successfully repaired: [Registry Value] HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\\URL



~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\anchorfree
Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\hotspotshield
Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\hotspotshield



~~~ Files



~~~ Folders

Successfully deleted: [Folder] "E:\Documents and Settings\All Users\application data\hotspot shield"
Successfully deleted: [Folder] "E:\Documents and Settings\Justin\Application Data\hotspot shield"
Successfully deleted: [Folder] "E:\Program Files\hotspot shield"



~~~ FireFox

Successfully deleted: [Folder] E:\Documents and Settings\Justin\Application Data\mozilla\firefox\profiles\s9exjmvz.default-1376154624703\extensions\staged





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Sun 09/01/2013 at 22:07:17.40
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 

==================================================

 

ComboFix 13-09-01.02 - Justin 09/01/2013  22:11:36.2.1 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1024.569 [GMT -4:00]
Running from: E:\Documents and Settings\Justin\Desktop\ComboFix.exe
AV: Kaspersky Internet Security *Disabled/Updated* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *Disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}


(((((((((((((((((((((((((   Files Created from 2013-08-02 to 2013-09-02  )))))))))))))))))))))))))))))))


2013-09-02 01:35:11 . 2013-09-02 01:37:24    --------    d-----w-    E:\AdwCleaner
2013-08-31 02:06:04 . 2013-08-31 02:06:04    --------    d-----w-    E:\Samsung Camera Backup 8-12-12
2013-08-29 22:57:09 . 2013-08-29 05:41:41    23802760    ----a-w-    E:\ML-2160_Series_PD.exe
2013-08-05 18:23:20 . 2013-08-05 18:23:24    --------    d-----w-    E:\Google
.


((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))

2013-08-03 18:18:38 . 2006-10-19 01:47:22    1543680    ------w-    E:\WINDOWS\system32\wmvdecod.dll
2013-07-26 02:47:17 . 2008-04-14 10:42:10    920064    ----a-w-    E:\WINDOWS\system32\wininet.dll
2013-07-26 02:47:13 . 2008-04-14 10:41:58    43520    ------w-    E:\WINDOWS\system32\licmgr10.dll
2013-07-26 02:47:12 . 2008-04-14 10:42:42    1469440    ------w-    E:\WINDOWS\system32\inetcpl.cpl
2013-07-25 15:52:59 . 2008-04-14 05:07:10    385024    ------w-    E:\WINDOWS\system32\html.iec
2013-07-24 02:10:56 . 2013-06-21 01:05:38    44744    ----a-w-    E:\WINDOWS\system32\drivers\hssdrv.sys
2013-07-10 10:37:53 . 2008-04-14 10:42:10    406016    ----a-w-    E:\WINDOWS\system32\usp10.dll
2013-07-04 02:59:11 . 2008-04-14 05:57:54    2193536    ----a-w-    E:\WINDOWS\system32\ntoskrnl.exe
2013-07-04 02:08:30 . 2008-04-14 00:01:22    2070144    ----a-w-    E:\WINDOWS\system32\ntkrnlpa.exe
2013-06-21 00:19:10 . 2013-06-21 00:19:10    33512    ----a-w-    E:\WINDOWS\system32\drivers\taphss.sys
2013-06-17 16:35:16 . 2013-06-17 16:35:16    200384    ----a-w-    E:\WINDOWS\system32\klogon.dll
2013-06-06 21:38:20 . 2013-06-06 21:38:20    145120    ----a-w-    E:\WINDOWS\system32\drivers\kneps.sys
2013-06-04 07:23:02 . 2008-04-14 10:42:04    562688    ----a-w-    E:\WINDOWS\system32\qedit.dll


------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.

[-] 2011-12-26 22:58:49 . 362BC5AF8EAF712832C58CC13AE05750 . 1614848 . . [5.1.2600.5512 (xpsp.080413-2111)] . . E:\WINDOWS\system32\sfcfiles.dll

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MalwareBytes Pro 8-23-13"="E:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" [2013-04-04 18:50:32 887432]
"RoboForm"="E:\Program Files\Roboform 8-5-13\RoboTaskBarIcon.exe" [2013-08-05 14:22:35 144448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="NvQTwk" [X]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "E:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 02:41:34 304128]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute    REG_MULTI_SZ       autocheck autochk * \0BootDefrag.exe

[HKLM\~\startupfolder\E:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=E:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=E:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2013-05-11 10:37:26    958576    ----a-w-    E:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2013-03-12 11:32:50    253816    ----a-w-    E:\Program Files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"E:\\WINDOWS\\system32\\sessmgr.exe"=
"E:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"E:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"E:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"E:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"E:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"E:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"E:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"E:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"E:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"E:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"E:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"E:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"E:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

R0 BootDefragDriver;BootDefragDriver;E:\WINDOWS\system32\drivers\BootDefragDriver.sys [8/25/2013 3:54:44 PM 13056]
R1 klpd;klpd;E:\WINDOWS\system32\drivers\klpd.sys [4/12/2013 3:34:48 PM 14432]
R1 kltdi;kltdi;E:\WINDOWS\system32\drivers\kltdi.sys [5/14/2013 5:34:44 PM 45024]
R1 kneps;kneps;E:\WINDOWS\system32\drivers\kneps.sys [6/6/2013 5:38:20 PM 145120]
R2 SonyFKC;FAN and Keyboard Control Service;E:\WINDOWS\system32\drivers\SonyFKC.sys [12/6/2001 9:49:44 AM 12032]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;E:\WINDOWS\system32\drivers\klim5.sys [3/10/2011 6:34:46 PM 36448]
R3 klkbdflt;Kaspersky Lab KLKBDFLT;E:\WINDOWS\system32\drivers\klkbdflt.sys [5/5/2013 10:42:10 PM 24160]
R3 klmouflt;Kaspersky Lab KLMOUFLT;E:\WINDOWS\system32\drivers\klmouflt.sys [11/2/2009 8:27:24 PM 24672]
R3 MBAMProtector;MBAMProtector;E:\WINDOWS\system32\drivers\mbam.sys [8/5/2013 3:06:20 PM 22856]
S2 hshld;Hotspot Shield Service;E:\Program Files\Hotspot Shield\bin\cmw_srv.exe --> E:\Program Files\Hotspot Shield\bin\cmw_srv.exe [?]
S2 HssWd;Hotspot Shield Monitoring Service;E:\Program Files\Hotspot Shield\bin\hsswd.exe --> E:\Program Files\Hotspot Shield\bin\hsswd.exe [?]

Contents of the 'Scheduled Tasks' folder

2013-08-30 E:\WINDOWS\Tasks\Adobe Flash Player Updater.job
- E:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2013-08-05 15:43:33 . 2013-08-23 04:49:38]

2013-08-30 E:\WINDOWS\Tasks\GlaryInitialize 3.job
- E:\Program Files\Glary Utilities 3\Initialize.exe [2013-08-20 09:02:34 . 2013-08-20 09:02:34]


------- Supplementary Scan -------

uStart Page = hxxp://www.google.com
IE: Add to Anti-Banner - E:\Program Files\Kaspersky Lab\Kaspersky Internet Security 14.0.0\ie_banner_deny.htm
IE: Customize Menu - file://E:\Program Files\Roboform 8-5-13\RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - E:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
IE: Fill Forms - file://E:\Program Files\Roboform 8-5-13\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://E:\Program Files\Roboform 8-5-13\RoboFormComShowToolbar.html
IE: Save Forms - file://E:\Program Files\Roboform 8-5-13\RoboFormComSavePass.html
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - E:\Documents and Settings\Justin\Application Data\Mozilla\Firefox\Profiles\s9exjmvz.default-1376154624703\
FF - prefs.js: network.proxy.type - 4
FF - ExtSQL: 2013-08-06 17:12; {20a82645-c095-46ed-80e3-08825760534b}; E:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - ExtSQL: 2013-08-11 04:01; clearConsole@penzil.com; E:\Documents and Settings\Justin\Application Data\Mozilla\Firefox\Profiles\s9exjmvz.default-1376154624703\extensions\clearConsole@penzil.com.xpi
FF - ExtSQL: 2013-08-11 05:31; {0b457cAA-602d-484a-8fe7-c1d894a011ba}; E:\Documents and Settings\Justin\Application Data\Mozilla\Firefox\Profiles\s9exjmvz.default-1376154624703\extensions\{0b457cAA-602d-484a-8fe7-c1d894a011ba}
FF - ExtSQL: 2013-08-11 05:47; yesscript@userstyles.org; E:\Documents and Settings\Justin\Application Data\Mozilla\Firefox\Profiles\s9exjmvz.default-1376154624703\extensions\yesscript@userstyles.org.xpi
FF - ExtSQL: 2013-08-13 10:09; idme@abine.com; E:\Documents and Settings\Justin\Application Data\Mozilla\Firefox\Profiles\s9exjmvz.default-1376154624703\extensions\idme@abine.com
FF - ExtSQL: 2013-08-13 10:38; donottrackplus@abine.com; E:\Documents and Settings\Justin\Application Data\Mozilla\Firefox\Profiles\s9exjmvz.default-1376154624703\extensions\donottrackplus@abine.com
FF - ExtSQL: 2013-08-20 03:56; {81BF1D23-5F17-408D-AC6B-BD6DF7CAF670}; E:\Documents and Settings\Justin\Application Data\Mozilla\Firefox\Profiles\s9exjmvz.default-1376154624703\extensions\{81BF1D23-5F17-408D-AC6B-BD6DF7CAF670}
FF - ExtSQL: 2013-08-28 13:54; anti_banner@kaspersky.com; E:\Program Files\Kaspersky Lab\Kaspersky Internet Security 14.0.0\FFExt\anti_banner@kaspersky.com
FF - ExtSQL: 2013-08-28 13:54; content_blocker@kaspersky.com; E:\Program Files\Kaspersky Lab\Kaspersky Internet Security 14.0.0\FFExt\content_blocker@kaspersky.com
FF - ExtSQL: 2013-08-28 13:54; online_banking@kaspersky.com; E:\Program Files\Kaspersky Lab\Kaspersky Internet Security 14.0.0\FFExt\online_banking@kaspersky.com
FF - ExtSQL: 2013-08-28 13:55; url_advisor@kaspersky.com; E:\Program Files\Kaspersky Lab\Kaspersky Internet Security 14.0.0\FFExt\url_advisor@kaspersky.com
FF - ExtSQL: 2013-08-28 13:55; virtual_keyboard@kaspersky.com; E:\Program Files\Kaspersky Lab\Kaspersky Internet Security 14.0.0\FFExt\virtual_keyboard@kaspersky.com
FF - ExtSQL: 2013-08-29 05:15; {fe272bd1-5f76-4ea4-8501-a05d35d823fc}; E:\Documents and Settings\Justin\Application Data\Mozilla\Firefox\Profiles\s9exjmvz.default-1376154624703\extensions\{fe272bd1-5f76-4ea4-8501-a05d35d823fc}.xpi
FF - ExtSQL: 2013-08-31 06:05; https-everywhere@eff.org; E:\Documents and Settings\Justin\Application Data\Mozilla\Firefox\Profiles\s9exjmvz.default-1376154624703\extensions\https-everywhere@eff.org

- - - - ORPHANS REMOVED - - - -

AddRemove-HotspotShield - E:\Program Files\Hotspot Shield\Uninstall.exe

 



#5 nasdaq

nasdaq

  • Malware Response Team
  • 39,578 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:05:09 PM

Posted 02 September 2013 - 07:53 AM



Open notepad and copy/paste the text in the quote box below into it:


Driver::
hshld
HssWd

ClearJavaCache::

Save this as CFScript.txt on your desktop.


Referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.

Let me know what issues you are having with this computer.
===

Third party programs if not up to date can be an open door for an infection.

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===
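The two names in the `Driver::` section above come straight from the logs in the previous post: JRT reported "Failed to stop" for hshld and hsswd, and the ComboFix service list shows both as S2 (stopped) entries whose image path is printed twice with a trailing `[?]`, ComboFix's way of saying the file no longer exists. A service entry that points at a missing binary is a leftover registration that should be removed rather than left in place. The Python below, an added example that is not part of the thread and not ComboFix's or JRT's own code, parses both log formats, correlates them case-insensitively (JRT prints `hsswd`, ComboFix prints `HssWd`), and renders the resulting `Driver::` block. The regular expressions are assumptions about the log layout inferred from the lines quoted in this thread; the sample lines are copied from the logs above.

```python
"""Correlate ComboFix service entries with JRT 'Failed to stop' lines.

Added example; not code from the thread, ComboFix or JRT.  The line formats
below are inferred from the logs posted in the thread.
"""
import re

# ComboFix 'Drivers/Services' line: R/S (running/stopped), a load-order digit,
# then  name;display name;image path [timestamp size]  or, when the file is
# missing,  path --> path [?].  Format is an assumption from the posted log.
_SERVICE_RE = re.compile(r"^([RS])(\d)\s+([^;]+);([^;]*);(.*)$")

# JRT reports services it could not stop as  Failed to stop: [Service] <name>
_JRT_FAILED_RE = re.compile(r"^Failed to stop: \[Service\] (\S+)$")


def parse_service_line(line):
    """Return a dict for one ComboFix service line, or None if it is not one."""
    m = _SERVICE_RE.match(line.strip())
    if not m:
        return None
    state, order, name, display, rest = m.groups()
    image_missing = rest.rstrip().endswith("[?]")
    # Drop the ' --> path [?]' echo and the bracketed timestamp/size suffix.
    # (A path containing ' [' would be truncated; none in the logs do.)
    image_path = rest.split(" --> ")[0].split(" [")[0].strip()
    return {
        "name": name,
        "display": display,
        "state": "running" if state == "R" else "stopped",
        "order": int(order),
        "image_path": image_path,
        "image_missing": image_missing,
    }


def orphaned_services(combofix_lines):
    """Service entries whose image file ComboFix could not find."""
    return [e for e in map(parse_service_line, combofix_lines) if e and e["image_missing"]]


def jrt_failed_to_stop(jrt_lines):
    """Service names JRT reported it could not stop, in log order."""
    names = []
    for line in jrt_lines:
        m = _JRT_FAILED_RE.match(line.strip())
        if m:
            names.append(m.group(1))
    return names


def correlate(combofix_lines, jrt_lines):
    """Names (ComboFix spelling) of orphaned services that JRT also failed to stop.
    Service names are case-insensitive on Windows, so compare lower-cased."""
    failed = {n.lower() for n in jrt_failed_to_stop(jrt_lines)}
    return [e["name"] for e in orphaned_services(combofix_lines) if e["name"].lower() in failed]


def cfscript_driver_block(names):
    """Render a CFScript 'Driver::' section listing the given service names."""
    return "Driver::\n" + "\n".join(names) + "\n"


# Sample lines copied from the ComboFix and JRT logs posted in the thread.
COMBOFIX_SERVICE_LINES = [
    r"R0 BootDefragDriver;BootDefragDriver;E:\WINDOWS\system32\drivers\BootDefragDriver.sys [8/25/2013 3:54:44 PM 13056]",
    r"R1 klpd;klpd;E:\WINDOWS\system32\drivers\klpd.sys [4/12/2013 3:34:48 PM 14432]",
    r"R3 MBAMProtector;MBAMProtector;E:\WINDOWS\system32\drivers\mbam.sys [8/5/2013 3:06:20 PM 22856]",
    r"S2 hshld;Hotspot Shield Service;E:\Program Files\Hotspot Shield\bin\cmw_srv.exe --> E:\Program Files\Hotspot Shield\bin\cmw_srv.exe [?]",
    r"S2 HssWd;Hotspot Shield Monitoring Service;E:\Program Files\Hotspot Shield\bin\hsswd.exe --> E:\Program Files\Hotspot Shield\bin\hsswd.exe [?]",
]
JRT_SERVICE_LINES = [
    "Failed to stop: [Service] hshld",
    "Successfully stopped: [Service] hsstrayservice",
    "Successfully deleted: [Service] hsstrayservice",
    "Failed to stop: [Service] hsswd",
]

if __name__ == "__main__":
    print(cfscript_driver_block(correlate(COMBOFIX_SERVICE_LINES, JRT_SERVICE_LINES)), end="")
```

Run against the posted logs it prints exactly the `Driver::` block used above. The correlation step is the useful part: a stopped service with a missing image is a cleanup candidate, and one that a removal tool could not stop is worth handling through the ComboFix script rather than the Services console.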

#6 mred27

mred27
  • Topic Starter

  • Members
  • 56 posts
  • OFFLINE
  • Gender:Male
  • Local time:04:09 PM

Posted 02 September 2013 - 07:39 PM

Done. Also ran a full Malware Bytes Professional scan overnight which was clean. Logs below. BTW.... the initial post issue still remains:

 

In Glarysoft 3 Process Manager I noticed these two processes running as high priority with an odd looking executable path. I could not delete them. In Windows Task Manager, they are critical system files that cannot be deleted either.

 

winlogon.exe          \\??\E:\WINDOWS\system32\winlogon.exe

csrss.exe                \\??\E:\WINDOWS\system32\csrss.exe

 

 

 

==============

 

ComboFix 13-09-02.02 - Justin 09/02/2013  19:41:05.3.1 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1024.493 [GMT -4:00]
Running from: e:\documents and settings\Justin\Desktop\ComboFix.exe
Command switches used :: e:\documents and settings\Justin\Desktop\CFScript.txt
AV: Kaspersky Internet Security *Disabled/Updated* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
FW: Kaspersky Internet Security *Disabled* {2C4D4BC6-0793-4956-A9F9-E252435469C0}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_HSHLD
-------\Legacy_HSSWD
.
.
(((((((((((((((((((((((((   Files Created from 2013-08-02 to 2013-09-02  )))))))))))))))))))))))))))))))
.
.
2013-09-02 01:35 . 2013-09-02 01:37    --------    d-----w-    E:\AdwCleaner
2013-08-31 02:06 . 2013-08-31 02:06    --------    d-----w-    E:\Samsung Camera Backup 8-12-12
2013-08-29 22:57 . 2013-08-29 05:41    23802760    ----a-w-    E:\ML-2160_Series_PD.exe
2013-08-05 18:23 . 2013-08-05 18:23    --------    d-----w-    E:\Google
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-08-03 18:18 . 2006-10-19 01:47    1543680    ------w-    e:\windows\system32\wmvdecod.dll
2013-07-26 02:47 . 2008-04-14 10:42    920064    ----a-w-    e:\windows\system32\wininet.dll
2013-07-26 02:47 . 2008-04-14 10:41    43520    ------w-    e:\windows\system32\licmgr10.dll
2013-07-26 02:47 . 2008-04-14 10:42    1469440    ------w-    e:\windows\system32\inetcpl.cpl
2013-07-25 15:52 . 2008-04-14 05:07    385024    ------w-    e:\windows\system32\html.iec
2013-07-24 02:10 . 2013-06-21 01:05    44744    ----a-w-    e:\windows\system32\drivers\hssdrv.sys
2013-07-10 10:37 . 2008-04-14 10:42    406016    ----a-w-    e:\windows\system32\usp10.dll
2013-07-04 02:59 . 2008-04-14 05:57    2193536    ----a-w-    e:\windows\system32\ntoskrnl.exe
2013-07-04 02:08 . 2008-04-14 00:01    2070144    ----a-w-    e:\windows\system32\ntkrnlpa.exe
2013-06-21 00:19 . 2013-06-21 00:19    33512    ----a-w-    e:\windows\system32\drivers\taphss.sys
2013-06-17 16:35 . 2013-06-17 16:35    200384    ----a-w-    e:\windows\system32\klogon.dll
2013-06-06 21:38 . 2013-06-06 21:38    145120    ----a-w-    e:\windows\system32\drivers\kneps.sys
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2011-12-26 . 362BC5AF8EAF712832C58CC13AE05750 . 1614848 . . [5.1.2600.5512] . . e:\windows\system32\sfcfiles.dll
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MalwareBytes Pro 8-23-13"="e:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2013-04-04 887432]
"RoboForm"="e:\program files\Roboform 8-5-13\RoboTaskBarIcon.exe" [2013-08-05 144448]
"ctfmon.exe"="e:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="NvQTwk" [X]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "e:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute    REG_MULTI_SZ       autocheck autochk * \0BootDefrag.exe
.
[HKLM\~\startupfolder\E:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=e:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=e:\windows\pss\Microsoft Office.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2013-05-11 10:37    958576    ----a-w-    e:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2013-03-12 11:32    253816    ----a-w-    e:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"e:\\WINDOWS\\system32\\sessmgr.exe"=
"e:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"e:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"e:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"e:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"e:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"e:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"e:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"e:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"e:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"e:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"e:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"e:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"e:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
.
R0 BootDefragDriver;BootDefragDriver;e:\windows\system32\drivers\BootDefragDriver.sys [8/25/2013 3:54 PM 13056]
R1 klpd;klpd;e:\windows\system32\drivers\klpd.sys [4/12/2013 3:34 PM 14432]
R1 kltdi;kltdi;e:\windows\system32\drivers\kltdi.sys [5/14/2013 5:34 PM 45024]
R1 kneps;kneps;e:\windows\system32\drivers\kneps.sys [6/6/2013 5:38 PM 145120]
R2 SonyFKC;FAN and Keyboard Control Service;e:\windows\system32\drivers\SonyFKC.sys [12/6/2001 9:49 AM 12032]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;e:\windows\system32\drivers\klim5.sys [3/10/2011 6:34 PM 36448]
R3 klkbdflt;Kaspersky Lab KLKBDFLT;e:\windows\system32\drivers\klkbdflt.sys [5/5/2013 10:42 PM 24160]
R3 klmouflt;Kaspersky Lab KLMOUFLT;e:\windows\system32\drivers\klmouflt.sys [11/2/2009 8:27 PM 24672]
S3 MBAMProtector;MBAMProtector;e:\windows\system32\drivers\mbam.sys [8/5/2013 3:06 PM 22856]
.
Contents of the 'Scheduled Tasks' folder
.
2013-08-30 e:\windows\Tasks\Adobe Flash Player Updater.job
- e:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2013-08-05 04:49]
.
2013-09-02 e:\windows\Tasks\GlaryInitialize 3.job
- e:\program files\Glary Utilities 3\Initialize.exe [2013-08-20 09:02]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
IE: Add to Anti-Banner - e:\program files\Kaspersky Lab\Kaspersky Internet Security 14.0.0\ie_banner_deny.htm
IE: Customize Menu - file://e:\program files\Roboform 8-5-13\RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - e:\progra~1\MICROS~3\Office10\EXCEL.EXE/3000
IE: Fill Forms - file://e:\program files\Roboform 8-5-13\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://e:\program files\Roboform 8-5-13\RoboFormComShowToolbar.html
IE: Save Forms - file://e:\program files\Roboform 8-5-13\RoboFormComSavePass.html
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - e:\documents and settings\Justin\Application Data\Mozilla\Firefox\Profiles\s9exjmvz.default-1376154624703\
FF - prefs.js: network.proxy.type - 4
FF - ExtSQL: 2013-08-06 17:12; {20a82645-c095-46ed-80e3-08825760534b}; e:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - ExtSQL: 2013-08-11 04:01; clearConsole@penzil.com; e:\documents and settings\Justin\Application Data\Mozilla\Firefox\Profiles\s9exjmvz.default-1376154624703\extensions\clearConsole@penzil.com.xpi
FF - ExtSQL: 2013-08-11 05:31; {0b457cAA-602d-484a-8fe7-c1d894a011ba}; e:\documents and settings\Justin\Application Data\Mozilla\Firefox\Profiles\s9exjmvz.default-1376154624703\extensions\{0b457cAA-602d-484a-8fe7-c1d894a011ba}
FF - ExtSQL: 2013-08-11 05:47; yesscript@userstyles.org; e:\documents and settings\Justin\Application Data\Mozilla\Firefox\Profiles\s9exjmvz.default-1376154624703\extensions\yesscript@userstyles.org.xpi
FF - ExtSQL: 2013-08-13 10:09; idme@abine.com; e:\documents and settings\Justin\Application Data\Mozilla\Firefox\Profiles\s9exjmvz.default-1376154624703\extensions\idme@abine.com
FF - ExtSQL: 2013-08-13 10:38; donottrackplus@abine.com; e:\documents and settings\Justin\Application Data\Mozilla\Firefox\Profiles\s9exjmvz.default-1376154624703\extensions\donottrackplus@abine.com
FF - ExtSQL: 2013-08-20 03:56; {81BF1D23-5F17-408D-AC6B-BD6DF7CAF670}; e:\documents and settings\Justin\Application Data\Mozilla\Firefox\Profiles\s9exjmvz.default-1376154624703\extensions\{81BF1D23-5F17-408D-AC6B-BD6DF7CAF670}
FF - ExtSQL: 2013-08-28 13:54; anti_banner@kaspersky.com; e:\program files\Kaspersky Lab\Kaspersky Internet Security 14.0.0\FFExt\anti_banner@kaspersky.com
FF - ExtSQL: 2013-08-28 13:54; content_blocker@kaspersky.com; e:\program files\Kaspersky Lab\Kaspersky Internet Security 14.0.0\FFExt\content_blocker@kaspersky.com
FF - ExtSQL: 2013-08-28 13:54; online_banking@kaspersky.com; e:\program files\Kaspersky Lab\Kaspersky Internet Security 14.0.0\FFExt\online_banking@kaspersky.com
FF - ExtSQL: 2013-08-28 13:55; url_advisor@kaspersky.com; e:\program files\Kaspersky Lab\Kaspersky Internet Security 14.0.0\FFExt\url_advisor@kaspersky.com
FF - ExtSQL: 2013-08-28 13:55; virtual_keyboard@kaspersky.com; e:\program files\Kaspersky Lab\Kaspersky Internet Security 14.0.0\FFExt\virtual_keyboard@kaspersky.com
FF - ExtSQL: 2013-08-29 05:15; {fe272bd1-5f76-4ea4-8501-a05d35d823fc}; e:\documents and settings\Justin\Application Data\Mozilla\Firefox\Profiles\s9exjmvz.default-1376154624703\extensions\{fe272bd1-5f76-4ea4-8501-a05d35d823fc}.xpi
FF - ExtSQL: 2013-08-31 06:05; https-everywhere@eff.org; e:\documents and settings\Justin\Application Data\Mozilla\Firefox\Profiles\s9exjmvz.default-1376154624703\extensions\https-everywhere@eff.org
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-09-02 19:54
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ...
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@e:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_8_800_94_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="e:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_8_800_94_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(4928)
e:\windows\system32\WININET.dll
e:\windows\system32\ieframe.dll
e:\windows\system32\webcheck.dll
e:\windows\system32\WPDShServiceObj.dll
e:\windows\system32\PortableDeviceTypes.dll
e:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
e:\program files\Kaspersky Lab\Kaspersky Internet Security 14.0.0\avp.exe
e:\program files\Java\jre7\bin\jqs.exe
e:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
e:\windows\system32\nvsvc32.exe
e:\windows\system32\HPZipm12.exe
e:\windows\system32\dllhost.exe
e:\windows\system32\SearchIndexer.exe
e:\windows\system32\wscntfy.exe
e:\program files\Kaspersky Lab\Kaspersky Internet Security 14.0.0\avpui.exe
e:\windows\system32\dllhost.exe
e:\windows\system32\msdtc.exe
e:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe
.
**************************************************************************
.
Completion time: 2013-09-02  20:00:08 - machine was rebooted
ComboFix-quarantined-files.txt  2013-09-03 00:00
.
Pre-Run: 4,545,445,888 bytes free
Post-Run: 4,450,226,176 bytes free
.
- - End Of File - - 9D7210D7C183ED15D05FC7D0D11AA5F3
8F558EB6672622401DA993E1E865C861

=======================================

 Results of screen317's Security Check version 0.99.73  
 Windows XP Service Pack 3 x86   
 Internet Explorer 8  
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled!  
Kaspersky Internet Security   
 Antivirus up to date!  
`````````Anti-malware/Other Utilities Check:`````````
 Malwarebytes Anti-Malware version 1.75.0.1300  
 CCleaner     
 Java 7 Update 25  
 Adobe Flash Player     11.8.800.94  
 Adobe Reader XI  
 Mozilla Firefox (23.0.1)
````````Process Check: objlist.exe by Laurent````````  
 Kaspersky Lab Kaspersky Internet Security 14.0.0 avp.exe  
 Kaspersky Lab Kaspersky Internet Security 14.0.0 avpui.exe  
`````````````````System Health check`````````````````
 Total Fragmentation on Drive E::  
````````````````````End of Log``````````````````````

===================================

Malwarebytes Anti-Malware (PRO) 1.75.0.1300
www.malwarebytes.org

Database version: v2013.09.02.03

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Justin :: NA [administrator]

Protection: Disabled

9/2/2013 8:18:00 AM
mbam-log-2013-09-02 (08-18-00).txt

Scan type: Full scan (C:\|D:\|E:\|F:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 494947
Time elapsed: 5 hour(s), 18 minute(s), 26 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
#7 nasdaq

  • Malware Response Team
  • 39,578 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 03 September 2013 - 08:15 AM


Read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application.
    tdss1.png
  • Click Change parameters
    settings20121003115955.png
  • Check the boxes next to Verify Driver Digital Signature and Detect TDLFS file system, then click OK
    tdss3.png
  • Click on the Start Scan button to begin the scan and wait for it to finish.
    NOTE: Do not use the computer during the scan!
  • During the scan it will look similar to the image below:
    tdss4.jpg
  • When it finishes, you will either see a report that no threats were found like below:
    tdss5.jpg
    If no threats are found at this point, just click the Report selection on the top right of the form to generate a log. A log file report will pop up, which you can just close since the report file is already saved.
  • If any infection or suspected items are found, you will see a window similar to below:
    tdss7.jpg
    • If you have files that are shown to fail signature check do not take any action on these. Make sure you select Skip. I will tell you what to do with these later. They may not be issues at all.
    • If Suspicious objects are detected, the default action will be Skip. Leave the default set to Skip.
    • If Malicious objects are detected, they will show in the Scan results. TDSSKiller automatically selects an action (Cure or Delete) for malicious objects.
    • Make sure that Cure is selected. Important! - If Cure is not available, please choose Skip instead. Do not choose Delete unless instructed to do so.
  • Click Continue to apply selected actions.
  • A reboot may be required to complete disinfection. A window like the below will appear:
    tdss6.jpg
    Reboot immediately if TDSSKiller states that one is needed.
  • Whether an infection is found or not, a log file should have already been created on your C: drive (or whatever drive you boot from) in the root folder named something like TDSSKiller.2.1.1_27.12.2009_14.17.04_log.txt which is based on the program version # and date and time run.
  • Paste the log to your next reply, DO NOT ATTACH IT.
===

Download http://public.avast.com/~gmerek/aswMBR.exe (aswMBR.exe) to your desktop. Double click the aswMBR.exe to run it.
  • Click the "Scan" button to start scan.
  • Upon completion of the scan, click Save log, and save it to your desktop. (Note - do not select any Fix at this time) <- IMPORTANT
  • Please paste the contents of that log in your next reply.
There shall also be a file on your desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) folder. Please attach that zipped file in your next reply.
===
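What the helper will be looking for in the TDSSKiller log those steps produce, as an added example that is not part of the thread: a parser for the log format TDSSKiller writes (the `Mode:`, `[ MD5 ] Name path`, `Name ( Verdict ) - warning`, `Name - detected` and `Name - ok` lines as they appear in the log posted later in this thread), which confirms the signature check was on, lists every entry that did not come back ok, and maps each to the Skip/Cure choice the instructions above describe. The sample log is constructed from lines in that format; any verdict wording beyond what appears in this thread is an assumption.

```python
"""Parse a TDSSKiller log and pull out what a malware-removal helper asks about.

Line shapes (as seen in the TDSSKiller log posted in this thread):
  <time> <pid>  Mode: Manual; SigCheck; TDLFS;
  <time> <pid>  [ <MD5> ] <Name>    <path>
  <time> <pid>  <Name> ( <Verdict> ) - warning
  <time> <pid>  <Name> - detected <Verdict> (<count>)
  <time> <pid>  <Name> - ok
"""
import re
from dataclasses import dataclass

_PREFIX = r"^\d{2}:\d{2}:\d{2}\.\d{4}\s+\d+\s+"
_HASH = re.compile(_PREFIX + r"\[ (?P<md5>[0-9A-Fa-f]{32}) \] (?P<name>\S+)\s+(?P<path>.+?)\s*$")
_VERDICT = re.compile(_PREFIX + r"(?P<name>\S+) \( (?P<verdict>[^)]+?) \) - (?P<level>\S+)\s*$")
_DETECTED = re.compile(_PREFIX + r"(?P<name>\S+) - detected (?P<verdict>\S+) \((?P<count>\d+)\)\s*$")
_OK = re.compile(_PREFIX + r"(?P<name>\S+) - ok\s*$")
_MODE = re.compile(_PREFIX + r"Mode: (?P<mode>.+?)\s*$")


@dataclass
class Entry:
    name: str
    md5: str = ""
    path: str = ""
    verdict: str = ""
    level: str = ""   # "ok", "warning", or whatever follows " - " on a verdict line
    count: int = 0


def parse_tdsskiller(text: str) -> dict[str, Entry]:
    """Return one Entry per service/driver name, in first-seen order."""
    entries: dict[str, Entry] = {}

    def get(name: str) -> Entry:
        return entries.setdefault(name, Entry(name))

    for line in text.splitlines():
        if m := _HASH.match(line):
            e = get(m["name"])
            e.md5, e.path = m["md5"].upper(), m["path"]
        elif m := _VERDICT.match(line):
            e = get(m["name"])
            e.verdict, e.level = m["verdict"], m["level"]
        elif m := _DETECTED.match(line):
            e = get(m["name"])
            e.verdict, e.count = m["verdict"], int(m["count"])
            e.level = e.level or "detected"
        elif m := _OK.match(line):
            get(m["name"]).level = "ok"
    return entries


def signature_check_enabled(text: str) -> bool:
    """True when the scan ran with 'Verify Driver Digital Signature' (SigCheck in the Mode line)."""
    for line in text.splitlines():
        if m := _MODE.match(line):
            return "SigCheck" in m["mode"]
    return False


def flagged(entries: dict[str, Entry]) -> list[Entry]:
    """Every entry that did not come back '- ok' (hash and path kept for lookup)."""
    return [e for e in entries.values() if e.level != "ok"]


def triage(entry: Entry) -> str:
    """Map a flagged entry to the action the instructions in this thread call for."""
    if entry.level == "ok":
        return "ok"
    if entry.verdict.startswith("UnsignedFile."):   # failed signature check: report, no action
        return "Skip (failed signature check; report it, take no action)"
    if entry.level == "warning":                     # suspicious object: leave the default
        return "Skip (suspicious object; leave the default)"
    return "Cure if offered, otherwise Skip (malicious object)"   # assumption: other levels are malicious


def report(text: str) -> list[str]:
    """One summary line for the scan mode, then one per flagged entry."""
    entries = parse_tdsskiller(text)
    out = ["signature check: " + ("on" if signature_check_enabled(text)
                                  else "OFF - rerun with Verify Driver Digital Signature")]
    for e in flagged(entries):
        out.append(f"{e.name}  {e.md5}  {e.path}  {e.verdict or '-'}  -> {triage(e)}")
    return out


# Constructed sample, modelled on the TDSSKiller log posted in this thread.
SAMPLE_LOG = r"""
19:06:37.0687 3272  Scan started
19:06:37.0703 3272  Mode: Manual; SigCheck; TDLFS;
19:07:14.0390 3272  [ 044452051F3E02E7963599FC8F4F3E25 ] Disk            E:\WINDOWS\system32\DRIVERS\disk.sys
19:07:14.0703 3272  Disk - ok
19:07:15.0250 3272  [ 3D108B07786A7707F8EC47561247C2C0 ] DMICall         E:\WINDOWS\system32\DRIVERS\DMICall.sys
19:07:15.0296 3272  DMICall ( UnsignedFile.Multi.Generic ) - warning
19:07:15.0296 3272  DMICall - detected UnsignedFile.Multi.Generic (1)
19:07:15.0328 3272  [ 7C824CF7BBDE77D95C08005717A95F6F ] dmio            E:\WINDOWS\system32\drivers\dmio.sys
19:07:15.0640 3272  dmio - ok
"""

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```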

#8 mred27
  • Topic Starter

  • Members
  • 56 posts
  • Gender:Male

Posted 03 September 2013 - 07:38 PM

17:41:50.0421 5592  TDSS rootkit removing tool 2.8.16.0 Feb 11 2013 18:50:42
17:41:52.0015 5592  ============================================================
17:41:52.0015 5592  Current date / time: 2013/09/03 17:41:52.0015
17:41:52.0015 5592  SystemInfo:
17:41:52.0015 5592  
17:41:52.0015 5592  OS Version: 5.1.2600 ServicePack: 3.0
17:41:52.0015 5592  Product type: Workstation
17:41:52.0015 5592  ComputerName: NA
17:41:52.0031 5592  UserName: Justin
17:41:52.0031 5592  Windows directory: E:\WINDOWS
17:41:52.0031 5592  System windows directory: E:\WINDOWS
17:41:52.0031 5592  Processor architecture: Intel x86
17:41:52.0031 5592  Number of processors: 1
17:41:52.0031 5592  Page size: 0x1000
17:41:52.0031 5592  Boot type: Normal boot
17:41:52.0031 5592  ============================================================
17:41:56.0078 5592  Drive \Device\Harddisk0\DR0 - Size: 0x12A1F16000 (74.53 Gb), SectorSize: 0x200, Cylinders: 0x2601, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
17:41:56.0125 5592  Drive \Device\Harddisk1\DR1 - Size: 0x3A38B2E000 (232.89 Gb), SectorSize: 0x200, Cylinders: 0x76C1, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
17:41:56.0125 5592  ============================================================
17:41:56.0125 5592  \Device\Harddisk0\DR0:
17:41:56.0265 5592  MBR partitions:
17:41:56.0265 5592  \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x4E1EDEC
17:41:56.0343 5592  \Device\Harddisk0\DR0\Partition2: MBR, Type 0x7, StartLBA 0x4E1EE6A, BlocksNum 0x46EB796
17:41:56.0343 5592  \Device\Harddisk1\DR1:
17:41:56.0375 5592  MBR partitions:
17:41:56.0375 5592  \Device\Harddisk1\DR1\Partition1: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x105B98BC
17:41:56.0375 5592  \Device\Harddisk1\DR1\Partition2: MBR, Type 0x7, StartLBA 0x105B993A, BlocksNum 0xCC06D86
17:41:56.0375 5592  ============================================================
17:41:56.0421 5592  C: <-> \Device\Harddisk0\DR0\Partition1
17:41:56.0437 5592  D: <-> \Device\Harddisk1\DR1\Partition1
17:41:56.0484 5592  E: <-> \Device\Harddisk0\DR0\Partition2
17:41:56.0531 5592  F: <-> \Device\Harddisk1\DR1\Partition2
17:41:56.0531 5592  ============================================================
17:41:56.0531 5592  Initialize success
17:41:56.0531 5592  ============================================================
19:06:37.0687 3272  ============================================================
19:06:37.0687 3272  Scan started
19:06:37.0703 3272  Mode: Manual; SigCheck; TDLFS;
19:06:37.0703 3272  ============================================================
19:06:40.0500 3272  ================ Scan system memory ========================
19:06:40.0703 3272  System memory - ok
19:06:40.0718 3272  ================ Scan services =============================
19:06:40.0984 3272  Abiosdsk - ok
19:06:41.0000 3272  abp480n5 - ok
19:06:41.0093 3272  [ 8FD99680A539792A30E97944FDAECF17 ] ACPI            E:\WINDOWS\system32\DRIVERS\ACPI.sys
19:06:44.0125 3272  ACPI - ok
19:06:44.0187 3272  [ 9859C0F6936E723E4892D7141B1327D5 ] ACPIEC          E:\WINDOWS\system32\drivers\ACPIEC.sys
19:06:44.0515 3272  ACPIEC - ok
19:06:44.0734 3272  [ 476BB014F3F68C0C15EDDD5B444DA8FF ] AdobeFlashPlayerUpdateSvc E:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
19:06:44.0859 3272  AdobeFlashPlayerUpdateSvc - ok
19:06:44.0875 3272  adpu160m - ok
19:06:44.0921 3272  [ 8BED39E3C35D6A489438B8141717A557 ] aec             E:\WINDOWS\system32\drivers\aec.sys
19:06:45.0250 3272  aec - ok
19:06:45.0312 3272  [ 1E44BC1E83D8FD2305F8D452DB109CF9 ] AFD             E:\WINDOWS\System32\drivers\afd.sys
19:06:45.0484 3272  AFD - ok
19:06:45.0515 3272  [ 08FD04AA961BDC77FB983F328334E3D7 ] agp440          E:\WINDOWS\system32\DRIVERS\agp440.sys
19:06:45.0812 3272  agp440 - ok
19:06:45.0812 3272  Aha154x - ok
19:06:45.0828 3272  aic78u2 - ok
19:06:45.0843 3272  aic78xx - ok
19:06:45.0906 3272  [ A9A3DAA780CA6C9671A19D52456705B4 ] Alerter         E:\WINDOWS\system32\alrsvc.dll
19:06:46.0187 3272  Alerter - ok
19:06:46.0203 3272  [ 8C515081584A38AA007909CD02020B3D ] ALG             E:\WINDOWS\System32\alg.exe
19:06:46.0343 3272  ALG - ok
19:06:46.0375 3272  AliIde - ok
19:06:46.0390 3272  amsint - ok
19:06:46.0437 3272  [ D8849F77C0B66226335A59D26CB4EDC6 ] AppMgmt         E:\WINDOWS\System32\appmgmts.dll
19:06:46.0593 3272  AppMgmt - ok
19:06:46.0609 3272  [ B5B8A80875C1DEDEDA8B02765642C32F ] Arp1394         E:\WINDOWS\system32\DRIVERS\arp1394.sys
19:06:46.0890 3272  Arp1394 - ok
19:06:46.0921 3272  asc - ok
19:06:46.0937 3272  asc3350p - ok
19:06:46.0953 3272  asc3550 - ok
19:06:47.0281 3272  [ 0E5E4957549056E2BF2C49F4F6B601AD ] aspnet_state    E:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
19:07:03.0734 3272  aspnet_state - ok
19:07:03.0781 3272  [ B153AFFAC761E7F5FCFA822B9C4E97BC ] AsyncMac        E:\WINDOWS\system32\DRIVERS\asyncmac.sys
19:07:04.0062 3272  AsyncMac - ok
19:07:04.0109 3272  [ 9F3A2F5AA6875C72BF062C712CFA2674 ] atapi           E:\WINDOWS\system32\DRIVERS\atapi.sys
19:07:04.0406 3272  atapi - ok
19:07:04.0406 3272  Atdisk - ok
19:07:04.0437 3272  [ 9916C1225104BA14794209CFA8012159 ] Atmarpc         E:\WINDOWS\system32\DRIVERS\atmarpc.sys
19:07:04.0718 3272  Atmarpc - ok
19:07:04.0734 3272  [ DEF7A7882BEC100FE0B2CE2549188F9D ] AudioSrv        E:\WINDOWS\System32\audiosrv.dll
19:07:05.0015 3272  AudioSrv - ok
19:07:05.0062 3272  [ D9F724AA26C010A217C97606B160ED68 ] audstub         E:\WINDOWS\system32\DRIVERS\audstub.sys
19:07:05.0343 3272  audstub - ok
19:07:05.0625 3272  [ E26D04CECD6C7C71CFBB3F335875BC31 ] AVP             E:\Program Files\Kaspersky Lab\Kaspersky Internet Security 14.0.0\avp.exe
19:07:06.0312 3272  AVP - ok
19:07:06.0359 3272  [ DA1F27D85E0D1525F6621372E7B685E9 ] Beep            E:\WINDOWS\system32\drivers\Beep.sys
19:07:06.0656 3272  Beep - ok
19:07:06.0734 3272  [ 574738F61FCA2935F5265DC4E5691314 ] BITS            E:\WINDOWS\system32\qmgr.dll
19:07:07.0140 3272  BITS - ok
19:07:07.0203 3272  [ 396670CCEA999A0598E80D390C3E8BD0 ] BootDefragDriver E:\WINDOWS\system32\drivers\BootDefragDriver.sys
19:07:07.0250 3272  BootDefragDriver - ok
19:07:07.0296 3272  [ CFD4E51402DA9838B5A04AE680AF54A0 ] Browser         E:\WINDOWS\System32\browser.dll
19:07:07.0421 3272  Browser - ok
19:07:07.0468 3272  [ 90A673FC8E12A79AFBED2576F6A7AAF9 ] cbidf2k         E:\WINDOWS\system32\drivers\cbidf2k.sys
19:07:07.0781 3272  cbidf2k - ok
19:07:07.0781 3272  cd20xrnt - ok
19:07:07.0812 3272  [ C1B486A7658353D33A10CC15211A873B ] Cdaudio         E:\WINDOWS\system32\drivers\Cdaudio.sys
19:07:08.0093 3272  Cdaudio - ok
19:07:08.0140 3272  [ C885B02847F5D2FD45A24E219ED93B32 ] Cdfs            E:\WINDOWS\system32\drivers\Cdfs.sys
19:07:08.0484 3272  Cdfs - ok
19:07:08.0578 3272  [ 1F4260CC5B42272D71F79E570A27A4FE ] Cdrom           E:\WINDOWS\system32\DRIVERS\cdrom.sys
19:07:08.0890 3272  Cdrom - ok
19:07:08.0906 3272  Changer - ok
19:07:08.0953 3272  [ 1CFE720EB8D93A7158A4EBC3AB178BDE ] CiSvc           E:\WINDOWS\system32\cisvc.exe
19:07:09.0234 3272  CiSvc - ok
19:07:09.0265 3272  [ 34CBE729F38138217F9C80212A2A0C82 ] ClipSrv         E:\WINDOWS\system32\clipsrv.exe
19:07:09.0562 3272  ClipSrv - ok
19:07:09.0625 3272  [ D87ACAED61E417BBA546CED5E7E36D9C ] clr_optimization_v2.0.50727_32 E:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
19:07:13.0140 3272  clr_optimization_v2.0.50727_32 - ok
19:07:13.0234 3272  [ C5A75EB48E2344ABDC162BDA79E16841 ] clr_optimization_v4.0.30319_32 E:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
19:07:13.0296 3272  clr_optimization_v4.0.30319_32 - ok
19:07:13.0312 3272  CmdIde - ok
19:07:13.0343 3272  COMSysApp - ok
19:07:13.0375 3272  Cpqarray - ok
19:07:13.0437 3272  [ 3D4E199942E29207970E04315D02AD3B ] CryptSvc        E:\WINDOWS\System32\cryptsvc.dll
19:07:13.0750 3272  CryptSvc - ok
19:07:13.0765 3272  dac2w2k - ok
19:07:13.0781 3272  dac960nt - ok
19:07:13.0859 3272  [ 6B27A5C03DFB94B4245739065431322C ] DcomLaunch      E:\WINDOWS\system32\rpcss.dll
19:07:14.0000 3272  DcomLaunch - ok
19:07:14.0062 3272  [ 5E38D7684A49CACFB752B046357E0589 ] Dhcp            E:\WINDOWS\System32\dhcpcsvc.dll
19:07:14.0328 3272  Dhcp - ok
19:07:14.0390 3272  [ 044452051F3E02E7963599FC8F4F3E25 ] Disk            E:\WINDOWS\system32\DRIVERS\disk.sys
19:07:14.0703 3272  Disk - ok
19:07:14.0703 3272  dmadmin - ok
19:07:14.0765 3272  [ D992FE1274BDE0F84AD826ACAE022A41 ] dmboot          E:\WINDOWS\system32\drivers\dmboot.sys
19:07:15.0171 3272  dmboot - ok
19:07:15.0250 3272  [ 3D108B07786A7707F8EC47561247C2C0 ] DMICall         E:\WINDOWS\system32\DRIVERS\DMICall.sys
19:07:15.0296 3272  DMICall ( UnsignedFile.Multi.Generic ) - warning
19:07:15.0296 3272  DMICall - detected UnsignedFile.Multi.Generic (1)
19:07:15.0328 3272  [ 7C824CF7BBDE77D95C08005717A95F6F ] dmio            E:\WINDOWS\system32\drivers\dmio.sys
19:07:15.0640 3272  dmio - ok
19:07:15.0703 3272  [ E9317282A63CA4D188C0DF5E09C6AC5F ] dmload          E:\WINDOWS\system32\drivers\dmload.sys
19:07:16.0000 3272  dmload - ok
19:07:16.0031 3272  [ 57EDEC2E5F59F0335E92F35184BC8631 ] dmserver        E:\WINDOWS\System32\dmserver.dll
19:07:16.0343 3272  dmserver - ok
19:07:16.0375 3272  [ 8A208DFCF89792A484E76C40E5F50B45 ] DMusic          E:\WINDOWS\system32\drivers\DMusic.sys
19:07:16.0796 3272  DMusic - ok
19:07:16.0843 3272  [ 5F7E24FA9EAB896051FFB87F840730D2 ] Dnscache        E:\WINDOWS\System32\dnsrslvr.dll
19:07:16.0937 3272  Dnscache - ok
19:07:16.0984 3272  [ 0F0F6E687E5E15579EF4DA8DD6945814 ] Dot3svc         E:\WINDOWS\System32\dot3svc.dll
19:07:17.0281 3272  Dot3svc - ok
19:07:17.0296 3272  dpti2o - ok
19:07:17.0343 3272  [ 8F5FCFF8E8848AFAC920905FBD9D33C8 ] drmkaud         E:\WINDOWS\system32\drivers\drmkaud.sys
19:07:17.0656 3272  drmkaud - ok
19:07:17.0703 3272  [ 2187855A7703ADEF0CEF9EE4285182CC ] EapHost         E:\WINDOWS\System32\eapsvc.dll
19:07:18.0046 3272  EapHost - ok
19:07:18.0093 3272  [ BC93B4A066477954555966D77FEC9ECB ] ERSvc           E:\WINDOWS\System32\ersvc.dll
19:07:18.0390 3272  ERSvc - ok
19:07:18.0421 3272  [ 65DF52F5B8B6E9BBD183505225C37315 ] Eventlog        E:\WINDOWS\system32\services.exe
19:07:18.0468 3272  Eventlog - ok
19:07:18.0531 3272  [ D4991D98F2DB73C60D042F1AEF79EFAE ] EventSystem     E:\WINDOWS\system32\es.dll
19:07:18.0640 3272  EventSystem - ok
19:07:18.0671 3272  [ 38D332A6D56AF32635675F132548343E ] Fastfat         E:\WINDOWS\system32\drivers\Fastfat.sys
19:07:18.0968 3272  Fastfat - ok
19:07:19.0031 3272  [ 99BC0B50F511924348BE19C7C7313BBF ] FastUserSwitchingCompatibility E:\WINDOWS\System32\shsvcs.dll
19:07:19.0125 3272  FastUserSwitchingCompatibility - ok
19:07:19.0171 3272  [ 92CDD60B6730B9F50F6A1A0C1F8CDC81 ] Fdc             E:\WINDOWS\system32\DRIVERS\fdc.sys
19:07:19.0468 3272  Fdc - ok
19:07:19.0515 3272  [ D45926117EB9FA946A6AF572FBE1CAA3 ] Fips            E:\WINDOWS\system32\drivers\Fips.sys
19:07:19.0812 3272  Fips - ok
19:07:19.0875 3272  [ 9D27E7B80BFCDF1CDD9B555862D5E7F0 ] Flpydisk        E:\WINDOWS\system32\DRIVERS\flpydisk.sys
19:07:20.0187 3272  Flpydisk - ok
19:07:20.0250 3272  [ B2CF4B0786F8212CB92ED2B50C6DB6B0 ] FltMgr          E:\WINDOWS\system32\DRIVERS\fltMgr.sys
19:07:20.0546 3272  FltMgr - ok
19:07:20.0640 3272  [ 8BA7C024070F2B7FDD98ED8A4BA41789 ] FontCache3.0.0.0 E:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
19:07:22.0656 3272  FontCache3.0.0.0 - ok
19:07:22.0687 3272  [ 3E1E2BD4F39B0E2B7DC4F4D2BCC2779A ] Fs_Rec          E:\WINDOWS\system32\drivers\Fs_Rec.sys
19:07:23.0000 3272  Fs_Rec - ok
19:07:23.0062 3272  [ 6AC26732762483366C3969C9E4D2259D ] Ftdisk          E:\WINDOWS\system32\DRIVERS\ftdisk.sys
19:07:23.0359 3272  Ftdisk - ok
19:07:23.0390 3272  [ 0A02C63C8B144BD8C86B103DEE7C86A2 ] Gpc             E:\WINDOWS\system32\DRIVERS\msgpc.sys
19:07:23.0734 3272  Gpc - ok
19:07:23.0812 3272  [ 4FCCA060DFE0C51A09DD5C3843888BCD ] helpsvc         E:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll
19:07:24.0109 3272  helpsvc - ok
19:07:24.0156 3272  [ DEB04DA35CC871B6D309B77E1443C796 ] HidServ         E:\WINDOWS\System32\hidserv.dll
19:07:24.0453 3272  HidServ - ok
19:07:24.0484 3272  [ CCF82C5EC8A7326C3066DE870C06DAF1 ] hidusb          E:\WINDOWS\system32\DRIVERS\hidusb.sys
19:07:24.0796 3272  hidusb - ok
19:07:24.0828 3272  [ 8878BD685E490239777BFE51320B88E9 ] hkmsvc          E:\WINDOWS\System32\kmsvc.dll
19:07:25.0281 3272  hkmsvc - ok
19:07:25.0296 3272  hpn - ok
19:07:25.0359 3272  [ 9F1D80908658EB7F1BF70809E0B51470 ] HPZid412        E:\WINDOWS\system32\DRIVERS\HPZid412.sys
19:07:25.0515 3272  HPZid412 - ok
19:07:25.0531 3272  [ F7E3E9D50F9CD3DE28085A8FDAA0A1C3 ] HPZipr12        E:\WINDOWS\system32\DRIVERS\HPZipr12.sys
19:07:25.0671 3272  HPZipr12 - ok
19:07:25.0703 3272  [ CF1B7951B4EC8D13F3C93B74BB2B461B ] HPZius12        E:\WINDOWS\system32\DRIVERS\HPZius12.sys
19:07:25.0906 3272  HPZius12 - ok
19:07:25.0953 3272  [ F1E4B23C0CCF4FC310FB873811DC0EE8 ] HssDrv          E:\WINDOWS\system32\DRIVERS\HssDrv.sys
19:07:26.0000 3272  HssDrv - ok
19:07:26.0078 3272  [ F80A415EF82CD06FFAF0D971528EAD38 ] HTTP            E:\WINDOWS\system32\Drivers\HTTP.sys
19:07:26.0203 3272  HTTP - ok
19:07:26.0250 3272  [ 6100A808600F44D999CEBDEF8841C7A3 ] HTTPFilter      E:\WINDOWS\System32\w3ssl.dll
19:07:26.0578 3272  HTTPFilter - ok
19:07:26.0593 3272  i2omgmt - ok
19:07:26.0609 3272  i2omp - ok
19:07:26.0656 3272  [ 4A0B06AA8943C1E332520F7440C0AA30 ] i8042prt        E:\WINDOWS\system32\DRIVERS\i8042prt.sys
19:07:26.0953 3272  i8042prt - ok
19:07:27.0218 3272  [ C01AC32DC5C03076CFB852CB5DA5229C ] idsvc           E:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
19:07:28.0515 3272  idsvc - ok
19:07:28.0531 3272  [ 083A052659F5310DD8B6A6CB05EDCF8E ] Imapi           E:\WINDOWS\system32\DRIVERS\imapi.sys
19:07:28.0812 3272  Imapi - ok
19:07:28.0843 3272  [ 30DEAF54A9755BB8546168CFE8A6B5E1 ] ImapiService    E:\WINDOWS\system32\imapi.exe
19:07:29.0171 3272  ImapiService - ok
19:07:29.0187 3272  ini910u - ok
19:07:29.0250 3272  [ B5466A9250342A7AA0CD1FBA13420678 ] IntelIde        E:\WINDOWS\system32\DRIVERS\intelide.sys
19:07:29.0546 3272  IntelIde - ok
19:07:29.0609 3272  [ 3BB22519A194418D5FEC05D800A19AD0 ] Ip6Fw           E:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
19:07:29.0937 3272  Ip6Fw - ok
19:07:29.0984 3272  [ 731F22BA402EE4B62748ADAF6363C182 ] IpFilterDriver  E:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
19:07:30.0281 3272  IpFilterDriver - ok
19:07:30.0312 3272  [ B87AB476DCF76E72010632B5550955F5 ] IpInIp          E:\WINDOWS\system32\DRIVERS\ipinip.sys
19:07:30.0609 3272  IpInIp - ok
19:07:30.0703 3272  [ CC748EA12C6EFFDE940EE98098BF96BB ] IpNat           E:\WINDOWS\system32\DRIVERS\ipnat.sys
19:07:31.0015 3272  IpNat - ok
19:07:31.0062 3272  [ 23C74D75E36E7158768DD63D92789A91 ] IPSec           E:\WINDOWS\system32\DRIVERS\ipsec.sys
19:07:31.0343 3272  IPSec - ok
19:07:31.0390 3272  [ C93C9FF7B04D772627A3646D89F7BF89 ] IRENUM          E:\WINDOWS\system32\DRIVERS\irenum.sys
19:07:31.0515 3272  IRENUM - ok
19:07:31.0546 3272  [ 05A299EC56E52649B1CF2FC52D20F2D7 ] isapnp          E:\WINDOWS\system32\DRIVERS\isapnp.sys
19:07:31.0843 3272  isapnp - ok
19:07:31.0937 3272  [ 9ECF00E19736054E019C532AED8228FC ] JavaQuickStarterService E:\Program Files\Java\jre7\bin\jqs.exe
19:07:31.0984 3272  JavaQuickStarterService - ok
19:07:32.0031 3272  [ 463C1EC80CD17420A542B7F36A36F128 ] Kbdclass        E:\WINDOWS\system32\DRIVERS\kbdclass.sys
19:07:32.0343 3272  Kbdclass - ok
19:07:32.0390 3272  [ 9EF487A186DEA361AA06913A75B3FA99 ] kbdhid          E:\WINDOWS\system32\DRIVERS\kbdhid.sys
19:07:32.0671 3272  kbdhid - ok
19:07:32.0718 3272  [ 6392454F9C30A027F38CC1D71D87B7BC ] KL1             E:\WINDOWS\system32\DRIVERS\kl1.sys
19:07:32.0781 3272  KL1 - ok
19:07:32.0906 3272  [ 6F54450C6FBCEF611356716269F88C4D ] KLIF            E:\WINDOWS\system32\DRIVERS\klif.sys
19:07:33.0171 3272  KLIF - ok
19:07:33.0265 3272  [ 2C85E9963B1F71E3B631B61F00790512 ] klim5           E:\WINDOWS\system32\DRIVERS\klim5.sys
19:07:33.0296 3272  klim5 - ok
19:07:33.0328 3272  [ 627ADEC66AF6B7E43740BDB5342F433F ] klkbdflt        E:\WINDOWS\system32\DRIVERS\klkbdflt.sys
19:07:33.0359 3272  klkbdflt - ok
19:07:33.0406 3272  [ ED2CEBA0D5C61133DE63CA1122DF62E6 ] klmouflt        E:\WINDOWS\system32\DRIVERS\klmouflt.sys
19:07:33.0437 3272  klmouflt - ok
19:07:33.0500 3272  [ EB0D72D2844C57F5F146D7A15B04FBF9 ] klpd            E:\WINDOWS\system32\DRIVERS\klpd.sys
19:07:33.0546 3272  klpd - ok
19:07:33.0578 3272  [ 040A3BC4AF5A0430A1D9A758F076465E ] kltdi           E:\WINDOWS\system32\DRIVERS\kltdi.sys
19:07:33.0609 3272  kltdi - ok
19:07:33.0656 3272  [ 692BCF44383D056AED41B045A323D378 ] kmixer          E:\WINDOWS\system32\drivers\kmixer.sys
19:07:33.0921 3272  kmixer - ok
19:07:33.0984 3272  [ AE46F121AAB18E1C98126D3C79DE8395 ] kneps           E:\WINDOWS\system32\DRIVERS\kneps.sys
19:07:34.0031 3272  kneps - ok
19:07:34.0078 3272  [ B467646C54CC746128904E1654C750C1 ] KSecDD          E:\WINDOWS\system32\drivers\KSecDD.sys
19:07:34.0203 3272  KSecDD - ok
19:07:34.0265 3272  [ 3A7C3CBE5D96B8AE96CE81F0B22FB527 ] LanmanServer    E:\WINDOWS\System32\srvsvc.dll
19:07:34.0406 3272  LanmanServer - ok
19:07:34.0468 3272  [ A8888A5327621856C0CEC4E385F69309 ] lanmanworkstation E:\WINDOWS\System32\wkssvc.dll
19:07:34.0562 3272  lanmanworkstation - ok
19:07:34.0593 3272  lbrtfdc - ok
19:07:34.0656 3272  [ A7DB739AE99A796D91580147E919CC59 ] LmHosts         E:\WINDOWS\System32\lmhsvc.dll
19:07:34.0953 3272  LmHosts - ok
19:07:35.0015 3272  [ 9EE18A5A45552673A67532EA37370377 ] ltmodem5        E:\WINDOWS\system32\DRIVERS\ltmdmnt.sys
19:07:35.0375 3272  ltmodem5 - ok
19:07:35.0437 3272  [ 4470E3C1E0C3378E4CAB137893C12C3A ] MBAMProtector   E:\WINDOWS\system32\drivers\mbam.sys
19:07:35.0500 3272  MBAMProtector - ok
19:07:35.0718 3272  [ E0D7732F2D2E24B2DB3F67B6750295B8 ] MBAMService     E:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
19:07:35.0812 3272  MBAMService - ok
19:07:36.0000 3272  [ 11F714F85530A2BD134074DC30E99FCA ] MDM             E:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
19:07:36.0062 3272  MDM - ok
19:07:36.0078 3272  [ 986B1FF5814366D71E0AC5755C88F2D3 ] Messenger       E:\WINDOWS\System32\msgsvc.dll
19:07:36.0390 3272  Messenger - ok
19:07:36.0437 3272  [ 4AE068242760A1FB6E1A44BF4E16AFA6 ] mnmdd           E:\WINDOWS\system32\drivers\mnmdd.sys
19:07:36.0718 3272  mnmdd - ok
19:07:36.0765 3272  [ D18F1F0C101D06A1C1ADF26EED16FCDD ] mnmsrvc         E:\WINDOWS\system32\mnmsrvc.exe
19:07:37.0046 3272  mnmsrvc - ok
19:07:37.0093 3272  [ DFCBAD3CEC1C5F964962AE10E0BCC8E1 ] Modem           E:\WINDOWS\system32\drivers\Modem.sys
19:07:37.0375 3272  Modem - ok
19:07:37.0437 3272  [ 35C9E97194C8CFB8430125F8DBC34D04 ] Mouclass        E:\WINDOWS\system32\DRIVERS\mouclass.sys
19:07:37.0718 3272  Mouclass - ok
19:07:37.0765 3272  [ B1C303E17FB9D46E87A98E4BA6769685 ] mouhid          E:\WINDOWS\system32\DRIVERS\mouhid.sys
19:07:38.0046 3272  mouhid - ok
19:07:38.0078 3272  [ A80B9A0BAD1B73637DBCBBA7DF72D3FD ] MountMgr        E:\WINDOWS\system32\drivers\MountMgr.sys
19:07:38.0359 3272  MountMgr - ok
19:07:38.0375 3272  mraid35x - ok
19:07:38.0421 3272  [ 11D42BB6206F33FBB3BA0288D3EF81BD ] MRxDAV          E:\WINDOWS\system32\DRIVERS\mrxdav.sys
19:07:38.0703 3272  MRxDAV - ok
19:07:38.0765 3272  [ 7D304A5EB4344EBEEAB53A2FE3FFB9F0 ] MRxSmb          E:\WINDOWS\system32\DRIVERS\mrxsmb.sys
19:07:38.0875 3272  MRxSmb - ok
19:07:38.0921 3272  [ A137F1470499A205ABBB9AAFB3B6F2B1 ] MSDTC           E:\WINDOWS\system32\msdtc.exe
19:07:39.0203 3272  MSDTC - ok
19:07:39.0281 3272  [ C941EA2454BA8350021D774DAF0F1027 ] Msfs            E:\WINDOWS\system32\drivers\Msfs.sys
19:07:39.0578 3272  Msfs - ok
19:07:39.0593 3272  MSIServer - ok
19:07:39.0625 3272  [ D1575E71568F4D9E14CA56B7B0453BF1 ] MSKSSRV         E:\WINDOWS\system32\drivers\MSKSSRV.sys
19:07:39.0906 3272  MSKSSRV - ok
19:07:39.0921 3272  [ 325BB26842FC7CCC1FCCE2C457317F3E ] MSPCLOCK        E:\WINDOWS\system32\drivers\MSPCLOCK.sys
19:07:40.0203 3272  MSPCLOCK - ok
19:07:40.0218 3272  [ BAD59648BA099DA4A17680B39730CB3D ] MSPQM           E:\WINDOWS\system32\drivers\MSPQM.sys
19:07:40.0531 3272  MSPQM - ok
19:07:40.0578 3272  [ AF5F4F3F14A8EA2C26DE30F7A1E17136 ] mssmbios        E:\WINDOWS\system32\DRIVERS\mssmbios.sys
19:07:40.0843 3272  mssmbios - ok
19:07:40.0890 3272  [ DE6A75F5C270E756C5508D94B6CF68F5 ] Mup             E:\WINDOWS\system32\drivers\Mup.sys
19:07:40.0984 3272  Mup - ok
19:07:41.0031 3272  [ 0102140028FAD045756796E1C685D695 ] napagent        E:\WINDOWS\System32\qagentrt.dll
19:07:41.0328 3272  napagent - ok
19:07:41.0390 3272  [ 1DF7F42665C94B825322FAE71721130D ] NDIS            E:\WINDOWS\system32\drivers\NDIS.sys
19:07:41.0687 3272  NDIS - ok
19:07:41.0734 3272  [ 0109C4F3850DFBAB279542515386AE22 ] NdisTapi        E:\WINDOWS\system32\DRIVERS\ndistapi.sys
19:07:41.0812 3272  NdisTapi - ok
19:07:41.0828 3272  [ F927A4434C5028758A842943EF1A3849 ] Ndisuio         E:\WINDOWS\system32\DRIVERS\ndisuio.sys
19:07:42.0125 3272  Ndisuio - ok
19:07:42.0156 3272  [ EDC1531A49C80614B2CFDA43CA8659AB ] NdisWan         E:\WINDOWS\system32\DRIVERS\ndiswan.sys
19:07:42.0421 3272  NdisWan - ok
19:07:42.0484 3272  [ 9282BD12DFB069D3889EB3FCC1000A9B ] NDProxy         E:\WINDOWS\system32\drivers\NDProxy.sys
19:07:42.0562 3272  NDProxy - ok
19:07:42.0593 3272  [ 5D81CF9A2F1A3A756B66CF684911CDF0 ] NetBIOS         E:\WINDOWS\system32\DRIVERS\netbios.sys
19:07:42.0906 3272  NetBIOS - ok
19:07:42.0953 3272  [ 74B2B2F5BEA5E9A3DC021D685551BD3D ] NetBT           E:\WINDOWS\system32\DRIVERS\netbt.sys
19:07:43.0218 3272  NetBT - ok
19:07:43.0250 3272  [ B857BA82860D7FF85AE29B095645563B ] NetDDE          E:\WINDOWS\system32\netdde.exe
19:07:43.0531 3272  NetDDE - ok
19:07:43.0531 3272  [ B857BA82860D7FF85AE29B095645563B ] NetDDEdsdm      E:\WINDOWS\system32\netdde.exe
19:07:43.0812 3272  NetDDEdsdm - ok
19:07:43.0859 3272  [ BF2466B3E18E970D8A976FB95FC1CA85 ] Netlogon        E:\WINDOWS\system32\lsass.exe
19:07:44.0125 3272  Netlogon - ok
19:07:44.0171 3272  [ 13E67B55B3ABD7BF3FE7AAE5A0F9A9DE ] Netman          E:\WINDOWS\System32\netman.dll
19:07:44.0468 3272  Netman - ok
19:07:44.0515 3272  [ D34612C5D02D026535B3095D620626AE ] NetTcpPortSharing E:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
19:07:45.0687 3272  NetTcpPortSharing - ok
19:07:45.0718 3272  [ E9E47CFB2D461FA0FC75B7A74C6383EA ] NIC1394         E:\WINDOWS\system32\DRIVERS\nic1394.sys
19:07:46.0000 3272  NIC1394 - ok
19:07:46.0125 3272  [ D10C1F16AAA5EBE1616C9DB7EEF022BA ] NitroDriverReadSpool8 E:\Program Files\Nitro\Pro 8\NitroPDFDriverService8.exe
19:07:47.0234 3272  NitroDriverReadSpool8 - ok
19:07:47.0375 3272  [ C09C9E59DB51BB2921C8C38799359A80 ] NitroReaderDriverReadSpool3 E:\Program Files\Nitro\Reader 3\NitroPDFReaderDriverService3.exe
19:07:48.0093 3272  NitroReaderDriverReadSpool3 - ok
19:07:48.0140 3272  [ 943337D786A56729263071623BBB9DE5 ] Nla             E:\WINDOWS\System32\mswsock.dll
19:07:48.0203 3272  Nla - ok
19:07:48.0234 3272  [ 43436B5756A45EA11D274B3983204095 ] nlsX86cc        E:\WINDOWS\system32\NLSSRV32.EXE
19:07:48.0812 3272  nlsX86cc - ok
19:07:48.0843 3272  [ 3182D64AE053D6FB034F44B6DEF8034A ] Npfs            E:\WINDOWS\system32\drivers\Npfs.sys
19:07:49.0140 3272  Npfs - ok
19:07:49.0187 3272  [ 78A08DD6A8D65E697C18E1DB01C5CDCA ] Ntfs            E:\WINDOWS\system32\drivers\Ntfs.sys
19:07:49.0515 3272  Ntfs - ok
19:07:49.0562 3272  [ BF2466B3E18E970D8A976FB95FC1CA85 ] NtLmSsp         E:\WINDOWS\system32\lsass.exe
19:07:49.0828 3272  NtLmSsp - ok
19:07:49.0875 3272  [ 156F64A3345BD23C600655FB4D10BC08 ] NtmsSvc         E:\WINDOWS\system32\ntmssvc.dll
19:07:50.0171 3272  NtmsSvc - ok
19:07:50.0218 3272  [ 73C1E1F395918BC2C6DD67AF7591A3AD ] Null            E:\WINDOWS\system32\drivers\Null.sys
19:07:50.0515 3272  Null - ok
19:07:50.0593 3272  [ 93BC57E29035AA43BC536D581C317751 ] nv              E:\WINDOWS\system32\DRIVERS\nv4_mini.sys
19:07:50.0750 3272  nv - ok
19:07:50.0796 3272  [ 62E68BEBE5547E0084B2933298108F21 ] NVSvc           E:\WINDOWS\system32\nvsvc32.exe
19:07:50.0859 3272  NVSvc - ok
19:07:50.0906 3272  [ B305F3FAD35083837EF46A0BBCE2FC57 ] NwlnkFlt        E:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
19:07:51.0171 3272  NwlnkFlt - ok
19:07:51.0218 3272  [ C99B3415198D1AAB7227F2C88FD664B9 ] NwlnkFwd        E:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
19:07:51.0546 3272  NwlnkFwd - ok
19:07:51.0593 3272  [ CA33832DF41AFB202EE7AEB05145922F ] ohci1394        E:\WINDOWS\system32\DRIVERS\ohci1394.sys
19:07:51.0859 3272  ohci1394 - ok
19:07:51.0890 3272  [ 5575FAF8F97CE5E713D108C2A58D7C7C ] Parport         E:\WINDOWS\system32\DRIVERS\parport.sys
19:07:52.0187 3272  Parport - ok
19:07:52.0234 3272  [ BEB3BA25197665D82EC7065B724171C6 ] PartMgr         E:\WINDOWS\system32\drivers\PartMgr.sys
19:07:52.0546 3272  PartMgr - ok
19:07:52.0609 3272  [ 70E98B3FD8E963A6A46A2E6247E0BEA1 ] ParVdm          E:\WINDOWS\system32\drivers\ParVdm.sys
19:07:52.0906 3272  ParVdm - ok
19:07:52.0937 3272  [ A219903CCF74233761D92BEF471A07B1 ] PCI             E:\WINDOWS\system32\DRIVERS\pci.sys
19:07:53.0203 3272  PCI - ok
19:07:53.0250 3272  PCIDump - ok
19:07:53.0265 3272  PCIIde - ok
19:07:53.0312 3272  [ 9E89EF60E9EE05E3F2EEF2DA7397F1C1 ] Pcmcia          E:\WINDOWS\system32\drivers\Pcmcia.sys
19:07:53.0578 3272  Pcmcia - ok
19:07:53.0593 3272  PDCOMP - ok
19:07:53.0609 3272  PDFRAME - ok
19:07:53.0625 3272  PDRELI - ok
19:07:53.0640 3272  PDRFRAME - ok
19:07:53.0656 3272  perc2 - ok
19:07:53.0687 3272  perc2hib - ok
19:07:53.0765 3272  [ 65DF52F5B8B6E9BBD183505225C37315 ] PlugPlay        E:\WINDOWS\system32\services.exe
19:07:53.0812 3272  PlugPlay - ok
19:07:53.0875 3272  [ 9D84376931440F3679BEEF2A414FA493 ] Pml Driver HPZ12 E:\WINDOWS\system32\HPZipm12.exe
19:07:53.0906 3272  Pml Driver HPZ12 ( UnsignedFile.Multi.Generic ) - warning
19:07:53.0906 3272  Pml Driver HPZ12 - detected UnsignedFile.Multi.Generic (1)
19:07:53.0953 3272  [ BF2466B3E18E970D8A976FB95FC1CA85 ] PolicyAgent     E:\WINDOWS\system32\lsass.exe
19:07:54.0218 3272  PolicyAgent - ok
19:07:54.0281 3272  [ EFEEC01B1D3CF84F16DDD24D9D9D8F99 ] PptpMiniport    E:\WINDOWS\system32\DRIVERS\raspptp.sys
19:07:54.0593 3272  PptpMiniport - ok
19:07:54.0625 3272  [ A32BEBAF723557681BFC6BD93E98BD26 ] Processor       E:\WINDOWS\system32\DRIVERS\processr.sys
19:07:54.0906 3272  Processor - ok
19:07:55.0093 3272  [ 3D98831E9274076F7520304DF99DA022 ] ProcObsrv       D:\Program Files\Glary Utilities Pro 2.41\Glary Utilities 3\ProcObsrv.sys
19:07:55.0250 3272  ProcObsrv - ok
19:07:55.0281 3272  [ BF2466B3E18E970D8A976FB95FC1CA85 ] ProtectedStorage E:\WINDOWS\system32\lsass.exe
19:07:55.0546 3272  ProtectedStorage - ok
19:07:55.0578 3272  [ 09298EC810B07E5D582CB3A3F9255424 ] PSched          E:\WINDOWS\system32\DRIVERS\psched.sys
19:07:55.0843 3272  PSched - ok
19:07:55.0906 3272  [ 80D317BD1C3DBC5D4FE7B1678C60CADD ] Ptilink         E:\WINDOWS\system32\DRIVERS\ptilink.sys
19:07:56.0187 3272  Ptilink - ok
19:07:56.0203 3272  ql1080 - ok
19:07:56.0218 3272  Ql10wnt - ok
19:07:56.0234 3272  ql12160 - ok
19:07:56.0265 3272  ql1240 - ok
19:07:56.0281 3272  ql1280 - ok
19:07:56.0312 3272  [ FE0D99D6F31E4FAD8159F690D68DED9C ] RasAcd          E:\WINDOWS\system32\DRIVERS\rasacd.sys
19:07:56.0578 3272  RasAcd - ok
19:07:56.0609 3272  [ AD188BE7BDF94E8DF4CA0A55C00A5073 ] RasAuto         E:\WINDOWS\System32\rasauto.dll
19:07:56.0875 3272  RasAuto - ok
19:07:56.0921 3272  [ 11B4A627BC9614B885C4969BFA5FF8A6 ] Rasl2tp         E:\WINDOWS\system32\DRIVERS\rasl2tp.sys
19:07:57.0187 3272  Rasl2tp - ok
19:07:57.0218 3272  [ 76A9A3CBEADD68CC57CDA5E1D7448235 ] RasMan          E:\WINDOWS\System32\rasmans.dll
19:07:57.0515 3272  RasMan - ok
19:07:57.0546 3272  [ 5BC962F2654137C9909C3D4603587DEE ] RasPppoe        E:\WINDOWS\system32\DRIVERS\raspppoe.sys
19:07:57.0828 3272  RasPppoe - ok
19:07:57.0859 3272  [ FDBB1D60066FCFBB7452FD8F9829B242 ] Raspti          E:\WINDOWS\system32\DRIVERS\raspti.sys
19:07:58.0125 3272  Raspti - ok
19:07:58.0140 3272  [ 7AD224AD1A1437FE28D89CF22B17780A ] Rdbss           E:\WINDOWS\system32\DRIVERS\rdbss.sys
19:07:58.0437 3272  Rdbss - ok
19:07:58.0468 3272  [ 4912D5B403614CE99C28420F75353332 ] RDPCDD          E:\WINDOWS\system32\DRIVERS\RDPCDD.sys
19:07:58.0734 3272  RDPCDD - ok
19:07:58.0781 3272  [ 15CABD0F7C00C47C70124907916AF3F1 ] rdpdr           E:\WINDOWS\system32\DRIVERS\rdpdr.sys
19:07:59.0062 3272  rdpdr - ok
19:07:59.0125 3272  [ 43AF5212BD8FB5BA6EED9754358BD8F7 ] RDPWD           E:\WINDOWS\system32\drivers\RDPWD.sys
19:07:59.0250 3272  RDPWD - ok
19:07:59.0296 3272  [ 3C37BF86641BDA977C3BF8A840F3B7FA ] RDSessMgr       E:\WINDOWS\system32\sessmgr.exe
19:07:59.0578 3272  RDSessMgr - ok
19:07:59.0609 3272  [ F828DD7E1419B6653894A8F97A0094C5 ] redbook         E:\WINDOWS\system32\DRIVERS\redbook.sys
19:07:59.0921 3272  redbook - ok
19:07:59.0953 3272  [ 7E699FF5F59B5D9DE5390E3C34C67CF5 ] RemoteAccess    E:\WINDOWS\System32\mprdim.dll
19:08:00.0250 3272  RemoteAccess - ok
19:08:00.0281 3272  [ 5B19B557B0C188210A56A6B699D90B8F ] RemoteRegistry  E:\WINDOWS\system32\regsvc.dll
19:08:00.0578 3272  RemoteRegistry - ok
19:08:00.0625 3272  [ AAED593F84AFA419BBAE8572AF87CF6A ] RpcLocator      E:\WINDOWS\system32\locator.exe
19:08:00.0890 3272  RpcLocator - ok
19:08:00.0937 3272  [ 6B27A5C03DFB94B4245739065431322C ] RpcSs           E:\WINDOWS\System32\rpcss.dll
19:08:01.0000 3272  RpcSs - ok
19:08:01.0031 3272  [ 471B3F9741D762ABE75E9DEEA4787E47 ] RSVP            E:\WINDOWS\system32\rsvp.exe
19:08:01.0296 3272  RSVP - ok
19:08:01.0343 3272  [ D507C1400284176573224903819FFDA3 ] rtl8139         E:\WINDOWS\system32\DRIVERS\RTL8139.SYS
19:08:01.0625 3272  rtl8139 - ok
19:08:01.0656 3272  [ BF2466B3E18E970D8A976FB95FC1CA85 ] SamSs           E:\WINDOWS\system32\lsass.exe
19:08:01.0921 3272  SamSs - ok
19:08:01.0937 3272  [ 86D007E7A654B9A71D1D7D856B104353 ] SCardSvr        E:\WINDOWS\System32\SCardSvr.exe
19:08:02.0234 3272  SCardSvr - ok
19:08:02.0328 3272  [ 0A9A7365A1CA4319AA7C1D6CD8E4EAFA ] Schedule        E:\WINDOWS\system32\schedsvc.dll
19:08:02.0625 3272  Schedule - ok
19:08:02.0671 3272  [ 90A3935D05B494A5A39D37E71F09A677 ] Secdrv          E:\WINDOWS\system32\DRIVERS\secdrv.sys
19:08:02.0796 3272  Secdrv - ok
19:08:02.0828 3272  [ CBE612E2BB6A10E3563336191EDA1250 ] seclogon        E:\WINDOWS\System32\seclogon.dll
19:08:03.0093 3272  seclogon - ok
19:08:03.0125 3272  [ 7FDD5D0684ECA8C1F68B4D99D124DCD0 ] SENS            E:\WINDOWS\system32\sens.dll
19:08:03.0406 3272  SENS - ok
19:08:03.0437 3272  [ 0F29512CCD6BEAD730039FB4BD2C85CE ] serenum         E:\WINDOWS\system32\DRIVERS\serenum.sys
19:08:03.0718 3272  serenum - ok
19:08:03.0734 3272  [ CCA207A8896D4C6A0C9CE29A4AE411A7 ] Serial          E:\WINDOWS\system32\DRIVERS\serial.sys
19:08:04.0000 3272  Serial - ok
19:08:04.0109 3272  [ 8E6B8C671615D126FDC553D1E2DE5562 ] Sfloppy         E:\WINDOWS\system32\drivers\Sfloppy.sys
19:08:04.0406 3272  Sfloppy - ok
19:08:04.0515 3272  [ 83F41D0D89645D7235C051AB1D9523AC ] SharedAccess    E:\WINDOWS\System32\ipnathlp.dll
19:08:04.0875 3272  SharedAccess - ok
19:08:04.0906 3272  [ 99BC0B50F511924348BE19C7C7313BBF ] ShellHWDetection E:\WINDOWS\System32\shsvcs.dll
19:08:04.0937 3272  ShellHWDetection - ok
19:08:04.0953 3272  Simbad - ok
19:08:05.0031 3272  [ C1EB9C15EE63888F257CED669B9D36D4 ] smwdm           E:\WINDOWS\system32\drivers\smwdm.sys
19:08:05.0125 3272  smwdm - ok
19:08:05.0187 3272  [ 630CA955DDED41E309F5D0AD15A7A5D4 ] SonyFKC         E:\WINDOWS\system32\Drivers\SonyFKC.sys
19:08:05.0218 3272  SonyFKC ( UnsignedFile.Multi.Generic ) - warning
19:08:05.0218 3272  SonyFKC - detected UnsignedFile.Multi.Generic (1)
19:08:05.0250 3272  [ 073457B2D8B919FA7BDCF3FD9226E30C ] SONYWBMS        E:\WINDOWS\system32\DRIVERS\SonyWBMS.SYS
19:08:05.0265 3272  SONYWBMS ( UnsignedFile.Multi.Generic ) - warning
19:08:05.0265 3272  SONYWBMS - detected UnsignedFile.Multi.Generic (1)
19:08:05.0281 3272  Sparrow - ok
19:08:05.0328 3272  [ AB8B92451ECB048A4D1DE7C3FFCB4A9F ] splitter        E:\WINDOWS\system32\drivers\splitter.sys
19:08:05.0609 3272  splitter - ok
19:08:05.0640 3272  [ 60784F891563FB1B767F70117FC2428F ] Spooler         E:\WINDOWS\system32\spoolsv.exe
19:08:05.0734 3272  Spooler - ok
19:08:05.0781 3272  [ 76BB022C2FB6902FD5BDD4F78FC13A5D ] sr              E:\WINDOWS\system32\DRIVERS\sr.sys
19:08:05.0906 3272  sr - ok
19:08:05.0937 3272  [ 3805DF0AC4296A34BA4BF93B346CC378 ] srservice       E:\WINDOWS\system32\srsvc.dll
19:08:06.0078 3272  srservice - ok
19:08:06.0140 3272  [ 47DDFC2F003F7F9F0592C6874962A2E7 ] Srv             E:\WINDOWS\system32\DRIVERS\srv.sys
19:08:06.0281 3272  Srv - ok
19:08:06.0328 3272  [ 0A5679B3714EDAB99E357057EE88FCA6 ] SSDPSRV         E:\WINDOWS\System32\ssdpsrv.dll
19:08:06.0484 3272  SSDPSRV - ok
19:08:06.0531 3272  [ 8BAD69CBAC032D4BBACFCE0306174C30 ] stisvc          E:\WINDOWS\system32\wiaservc.dll
19:08:06.0875 3272  stisvc - ok
19:08:06.0921 3272  [ 3941D127AEF12E93ADDF6FE6EE027E0F ] swenum          E:\WINDOWS\system32\DRIVERS\swenum.sys
19:08:07.0218 3272  swenum - ok
19:08:07.0250 3272  [ 8CE882BCC6CF8A62F2B2323D95CB3D01 ] swmidi          E:\WINDOWS\system32\drivers\swmidi.sys
19:08:07.0531 3272  swmidi - ok
19:08:07.0531 3272  SwPrv - ok
19:08:07.0562 3272  symc810 - ok
19:08:07.0578 3272  symc8xx - ok
19:08:07.0593 3272  sym_hi - ok
19:08:07.0625 3272  sym_u3 - ok
19:08:07.0656 3272  [ 8B83F3ED0F1688B4958F77CD6D2BF290 ] sysaudio        E:\WINDOWS\system32\drivers\sysaudio.sys
19:08:07.0921 3272  sysaudio - ok
19:08:07.0968 3272  [ C7ABBC59B43274B1109DF6B24D617051 ] SysmonLog       E:\WINDOWS\system32\smlogsvc.exe
19:08:08.0265 3272  SysmonLog - ok
19:08:08.0312 3272  [ FD90A16CEB10D4FDAA00AAF39B8FF58F ] taphss          E:\WINDOWS\system32\DRIVERS\taphss.sys
19:08:08.0359 3272  taphss - ok
19:08:08.0421 3272  [ 3CB78C17BB664637787C9A1C98F79C38 ] TapiSrv         E:\WINDOWS\System32\tapisrv.dll
19:08:08.0687 3272  TapiSrv - ok
19:08:08.0781 3272  [ 9AEFA14BD6B182D61E3119FA5F436D3D ] Tcpip           E:\WINDOWS\system32\DRIVERS\tcpip.sys
19:08:08.0843 3272  Tcpip - ok
19:08:08.0890 3272  [ 6471A66807F5E104E4885F5B67349397 ] TDPIPE          E:\WINDOWS\system32\drivers\TDPIPE.sys
19:08:09.0187 3272  TDPIPE - ok
19:08:09.0218 3272  [ C56B6D0402371CF3700EB322EF3AAF61 ] TDTCP           E:\WINDOWS\system32\drivers\TDTCP.sys
19:08:09.0500 3272  TDTCP - ok
19:08:09.0546 3272  [ 88155247177638048422893737429D9E ] TermDD          E:\WINDOWS\system32\DRIVERS\termdd.sys
19:08:09.0828 3272  TermDD - ok
19:08:09.0890 3272  [ FF3477C03BE7201C294C35F684B3479F ] TermService     E:\WINDOWS\System32\termsrv.dll
19:08:10.0171 3272  TermService - ok
19:08:10.0234 3272  [ 99BC0B50F511924348BE19C7C7313BBF ] Themes          E:\WINDOWS\System32\shsvcs.dll
19:08:10.0265 3272  Themes - ok
19:08:10.0312 3272  [ DB7205804759FF62C34E3EFD8A4CC76A ] TlntSvr         E:\WINDOWS\system32\tlntsvr.exe
19:08:10.0437 3272  TlntSvr - ok
19:08:10.0468 3272  TosIde - ok
19:08:10.0500 3272  [ 55BCA12F7F523D35CA3CB833C725F54E ] TrkWks          E:\WINDOWS\system32\trkwks.dll
19:08:10.0781 3272  TrkWks - ok
19:08:10.0828 3272  [ 5787B80C2E3C5E2F56C2A233D91FA2C9 ] Udfs            E:\WINDOWS\system32\drivers\Udfs.sys
19:08:11.0093 3272  Udfs - ok
19:08:11.0156 3272  ultra - ok
19:08:11.0218 3272  [ 402DDC88356B1BAC0EE3DD1580C76A31 ] Update          E:\WINDOWS\system32\DRIVERS\update.sys
19:08:11.0500 3272  Update - ok
19:08:11.0531 3272  [ 1EBAFEB9A3FBDC41B8D9C7F0F687AD91 ] upnphost        E:\WINDOWS\System32\upnphost.dll
19:08:11.0687 3272  upnphost - ok
19:08:11.0718 3272  [ 05365FB38FCA1E98F7A566AAAF5D1815 ] UPS             E:\WINDOWS\System32\ups.exe
19:08:12.0015 3272  UPS - ok
19:08:12.0078 3272  [ 173F317CE0DB8E21322E71B7E60A27E8 ] usbccgp         E:\WINDOWS\system32\DRIVERS\usbccgp.sys
19:08:12.0390 3272  usbccgp - ok
19:08:12.0421 3272  [ 65DCF09D0E37D4C6B11B5B0B76D470A7 ] usbehci         E:\WINDOWS\system32\DRIVERS\usbehci.sys
19:08:12.0703 3272  usbehci - ok
19:08:12.0765 3272  [ 1AB3CDDE553B6E064D2E754EFE20285C ] usbhub          E:\WINDOWS\system32\DRIVERS\usbhub.sys
19:08:13.0046 3272  usbhub - ok
19:08:13.0062 3272  [ 0DAECCE65366EA32B162F85F07C6753B ] usbohci         E:\WINDOWS\system32\DRIVERS\usbohci.sys
19:08:13.0312 3272  usbohci - ok
19:08:13.0390 3272  [ A717C8721046828520C9EDF31288FC00 ] usbprint        E:\WINDOWS\system32\DRIVERS\usbprint.sys
19:08:13.0687 3272  usbprint - ok
19:08:13.0718 3272  [ A0B8CF9DEB1184FBDD20784A58FA75D4 ] usbscan         E:\WINDOWS\system32\DRIVERS\usbscan.sys
19:08:14.0015 3272  usbscan - ok
19:08:14.0062 3272  [ A32426D9B14A089EAA1D922E0C5801A9 ] USBSTOR         E:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
19:08:14.0359 3272  USBSTOR - ok
19:08:14.0375 3272  [ 26496F9DEE2D787FC3E61AD54821FFE6 ] usbuhci         E:\WINDOWS\system32\DRIVERS\usbuhci.sys
19:08:14.0656 3272  usbuhci - ok
19:08:14.0703 3272  [ 0D3A8FAFCEACD8B7625CD549757A7DF1 ] VgaSave         E:\WINDOWS\System32\drivers\vga.sys
19:08:14.0968 3272  VgaSave - ok
19:08:15.0000 3272  ViaIde - ok
19:08:15.0031 3272  [ 4C8FCB5CC53AAB716D810740FE59D025 ] VolSnap         E:\WINDOWS\system32\drivers\VolSnap.sys
19:08:15.0328 3272  VolSnap - ok
19:08:15.0375 3272  [ 7A9DB3A67C333BF0BD42E42B8596854B ] VSS             E:\WINDOWS\System32\vssvc.exe
19:08:15.0531 3272  VSS - ok
19:08:15.0562 3272  [ 54AF4B1D5459500EF0937F6D33B1914F ] W32Time         E:\WINDOWS\system32\w32time.dll
19:08:15.0843 3272  W32Time - ok
19:08:15.0875 3272  [ E20B95BAEDB550F32DD489265C1DA1F6 ] Wanarp          E:\WINDOWS\system32\DRIVERS\wanarp.sys
19:08:16.0156 3272  Wanarp - ok
19:08:16.0171 3272  WDICA - ok
19:08:16.0203 3272  [ 6768ACF64B18196494413695F0C3A00F ] wdmaud          E:\WINDOWS\system32\drivers\wdmaud.sys
19:08:16.0484 3272  wdmaud - ok
19:08:16.0500 3272  [ 77A354E28153AD2D5E120A5A8687BC06 ] WebClient       E:\WINDOWS\System32\webclnt.dll
19:08:16.0781 3272  WebClient - ok
19:08:17.0015 3272  [ 2D0E4ED081963804CCC196A0929275B5 ] winmgmt         E:\WINDOWS\system32\wbem\WMIsvc.dll
19:08:17.0359 3272  winmgmt - ok
19:08:17.0437 3272  [ C51B4A5C05A5475708E3C81C7765B71D ] WmdmPmSN        E:\WINDOWS\system32\MsPMSNSv.dll
19:08:17.0625 3272  WmdmPmSN - ok
19:08:17.0671 3272  [ E76F8807070ED04E7408A86D6D3A6137 ] Wmi             E:\WINDOWS\System32\advapi32.dll
19:08:17.0781 3272  Wmi - ok
19:08:17.0843 3272  [ E0673F1106E62A68D2257E376079F821 ] WmiApSrv        E:\WINDOWS\system32\wbem\wmiapsrv.exe
19:08:18.0125 3272  WmiApSrv - ok
19:08:18.0187 3272  [ F74E3D9A7FA9556C3BBB14D4E5E63D3B ] WMPNetworkSvc   E:\Program Files\Windows Media Player\WMPNetwk.exe
19:08:20.0281 3272  WMPNetworkSvc - ok
19:08:20.0406 3272  [ B800EEC15851597405784126C407188C ] WPFFontCache_v0400 E:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe
19:08:20.0531 3272  WPFFontCache_v0400 - ok
19:08:20.0562 3272  [ 6ABE6E225ADB5A751622A9CC3BC19CE8 ] WS2IFSL         E:\WINDOWS\System32\drivers\ws2ifsl.sys
19:08:20.0890 3272  WS2IFSL - ok
19:08:20.0921 3272  [ 7C278E6408D1DCE642230C0585A854D5 ] wscsvc          E:\WINDOWS\system32\wscsvc.dll
19:08:21.0187 3272  wscsvc - ok
19:08:21.0203 3272  WSearch - ok
19:08:21.0265 3272  [ 35321FB577CDC98CE3EB3A3EB9E4610A ] wuauserv        E:\WINDOWS\system32\wuauserv.dll
19:08:21.0546 3272  wuauserv - ok
19:08:21.0593 3272  [ F15FEAFFFBB3644CCC80C5DA584E6311 ] WudfPf          E:\WINDOWS\system32\DRIVERS\WudfPf.sys
19:08:21.0656 3272  WudfPf - ok
19:08:21.0671 3272  [ 28B524262BCE6DE1F7EF9F510BA3985B ] WudfRd          E:\WINDOWS\system32\DRIVERS\wudfrd.sys
19:08:21.0734 3272  WudfRd - ok
19:08:21.0765 3272  [ 05231C04253C5BC30B26CBAAE680ED89 ] WudfSvc         E:\WINDOWS\System32\WUDFSvc.dll
19:08:21.0812 3272  WudfSvc - ok
19:08:21.0859 3272  [ 81DC3F549F44B1C1FFF022DEC9ECF30B ] WZCSVC          E:\WINDOWS\System32\wzcsvc.dll
19:08:22.0187 3272  WZCSVC - ok
19:08:22.0218 3272  [ 295D21F14C335B53CB8154E5B1F892B9 ] xmlprov         E:\WINDOWS\System32\xmlprov.dll
19:08:22.0531 3272  xmlprov - ok
19:08:22.0546 3272  ================ Scan global ===============================
19:08:22.0671 3272  [ 42F1F4C0AFB08410E5F02D4B13EBB623 ] E:\WINDOWS\system32\basesrv.dll
19:08:22.0796 3272  [ 69AE2B2E6968C316536E5B10B9702E63 ] E:\WINDOWS\system32\winsrv.dll
19:08:22.0875 3272  [ 69AE2B2E6968C316536E5B10B9702E63 ] E:\WINDOWS\system32\winsrv.dll
19:08:22.0906 3272  [ 65DF52F5B8B6E9BBD183505225C37315 ] E:\WINDOWS\system32\services.exe
19:08:22.0921 3272  [Global] - ok
19:08:22.0921 3272  ================ Scan MBR ==================================
19:08:22.0953 3272  [ 8F558EB6672622401DA993E1E865C861 ] \Device\Harddisk0\DR0
19:08:23.0562 3272  \Device\Harddisk0\DR0 - ok
19:08:23.0578 3272  [ 8F558EB6672622401DA993E1E865C861 ] \Device\Harddisk1\DR1
19:08:23.0640 3272  \Device\Harddisk1\DR1 - ok
19:08:23.0656 3272  ================ Scan VBR ==================================
19:08:23.0656 3272  [ 8F7AA306E566BD40AEC179F694B98C8C ] \Device\Harddisk0\DR0\Partition1
19:08:23.0687 3272  \Device\Harddisk0\DR0\Partition1 - ok
19:08:23.0718 3272  [ A806BDDD5DF1EF85FF712F3B0A5C82CB ] \Device\Harddisk0\DR0\Partition2
19:08:23.0718 3272  \Device\Harddisk0\DR0\Partition2 - ok
19:08:23.0734 3272  [ 060E2DA7283840BE672CF3D0E8D0B1F7 ] \Device\Harddisk1\DR1\Partition1
19:08:23.0734 3272  \Device\Harddisk1\DR1\Partition1 - ok
19:08:23.0765 3272  [ 94E560E42CDD7AE8467485BAF1F36A9E ] \Device\Harddisk1\DR1\Partition2
19:08:23.0765 3272  \Device\Harddisk1\DR1\Partition2 - ok
19:08:23.0781 3272  ============================================================
19:08:23.0781 3272  Scan finished
19:08:23.0781 3272  ============================================================
19:08:23.0937 5120  Detected object count: 4
19:08:23.0937 5120  Actual detected object count: 4
20:00:49.0515 5120  DMICall ( UnsignedFile.Multi.Generic ) - skipped by user
20:00:49.0515 5120  DMICall ( UnsignedFile.Multi.Generic ) - User select action: Skip
20:00:49.0515 5120  Pml Driver HPZ12 ( UnsignedFile.Multi.Generic ) - skipped by user
20:00:49.0515 5120  Pml Driver HPZ12 ( UnsignedFile.Multi.Generic ) - User select action: Skip
20:00:49.0515 5120  SonyFKC ( UnsignedFile.Multi.Generic ) - skipped by user
20:00:49.0515 5120  SonyFKC ( UnsignedFile.Multi.Generic ) - User select action: Skip
20:00:49.0515 5120  SONYWBMS ( UnsignedFile.Multi.Generic ) - skipped by user
20:00:49.0515 5120  SONYWBMS ( UnsignedFile.Multi.Generic ) - User select action: Skip
20:00:56.0890 4804  Deinitialize success

=================================

aswMBR version 0.9.9.1771 Copyright© 2011 AVAST Software
Run date: 2013-09-03 20:18:16
-----------------------------
20:18:16.593    OS Version: Windows 5.1.2600 Service Pack 3
20:18:16.593    Number of processors: 1 586 0x102
20:18:16.593    ComputerName: NA  UserName:
20:18:23.203    Initialize success
20:18:53.265    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4
20:18:53.265    Disk 0 Vendor: ST380013A 3.54 Size: 76319MB BusType: 3
20:18:53.281    Disk 1  \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP0T1L0-c
20:18:53.281    Disk 1 Vendor: WDC_WD2500JB-00GVC0 08.02D08 Size: 238475MB BusType: 3
20:18:53.281    Disk 2  \Device\Harddisk2\DR6 -> \Device\00000072
20:18:53.281    Disk 2 Vendor: Sony 0000 Size: 238475MB BusType: 0
20:18:53.500    Disk 0 MBR read successfully
20:18:53.500    Disk 0 MBR scan
20:18:53.500    Disk 0 Windows XP default MBR code
20:18:53.500    Disk 0 Partition 1 80 (A) 07    HPFS/NTFS NTFS        39997 MB offset 63
20:18:53.500    Disk 0 Partition - 00     0F Extended LBA             36310 MB offset 81915435
20:18:53.515    Disk 0 Partition 2 00     07    HPFS/NTFS NTFS        36310 MB offset 81915498
20:18:53.515    Disk 0 scanning sectors +156280320
20:18:53.578    Disk 0 scanning E:\WINDOWS\system32\drivers
20:19:00.125    Service scanning
20:19:04.562    Service KL1 E:\WINDOWS\system32\DRIVERS\kl1.sys **LOCKED** 5
20:19:04.718    Service klim5 E:\WINDOWS\system32\DRIVERS\klim5.sys **LOCKED** 5
20:19:04.765    Service klkbdflt E:\WINDOWS\system32\DRIVERS\klkbdflt.sys **LOCKED** 5
20:19:04.796    Service klmouflt E:\WINDOWS\system32\DRIVERS\klmouflt.sys **LOCKED** 5
20:19:04.828    Service klpd E:\WINDOWS\system32\DRIVERS\klpd.sys **LOCKED** 5
20:19:04.859    Service kltdi E:\WINDOWS\system32\DRIVERS\kltdi.sys **LOCKED** 5
20:19:04.937    Service kneps E:\WINDOWS\system32\DRIVERS\kneps.sys **LOCKED** 5
20:19:12.046    Modules scanning
20:19:18.781    Disk 0 trace - called modules:
20:19:18.812    ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys intelide.sys PCIIDEX.SYS
20:19:18.812    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86f66ab8]
20:19:18.812    3 CLASSPNP.SYS[f776cfd7] -> nt!IofCallDriver -> \Device\00000066[0x86fcced0]
20:19:18.812    5 ACPI.sys[f76c3620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-4[0x86fdb940]
20:19:18.812    Scan finished successfully
20:19:55.390    Disk 0 MBR has been saved successfully to "E:\Documents and Settings\Justin\Desktop\MBR.dat"
20:19:55.390    The log file has been saved successfully to "E:\Documents and Settings\Justin\Desktop\aswMBR.txt"

Attached file: MBR.zip (511 bytes)


#9 nasdaq

nasdaq

  • Malware Response Team
  • 39,578 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 04 September 2013 - 09:45 AM


Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2


If your operating system is 64 bit download this tool:
SystemLook_x64.exe
  • Double-click SystemLook.exe to run it.
  • Copy and paste the content of the following bold text into the main text field:
    :filefind
    winlogon.exe
    csrss.exe
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop, entitled SystemLook.txt

Do another scan with this script.

    :regfind
    winlogon.exe
    csrss.exe

Post the logs for my review.
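The :filefind and :regfind scans above gather the facts needed to decide whether the running winlogon.exe and csrss.exe are the copies Windows installed: where the process image actually lives, what other files of the same name exist, and whether their hashes agree. The script below carries out that same check directly. It is an added example for readers of this thread, not nasdaq's instructions or SystemLook's code; it assumes Windows PowerShell 3.0 or later in an elevated prompt, and the Get-Sha256Hex helper and the $names list are constructed here.

```powershell
# Added example (not from this thread or from SystemLook): check whether the
# running winlogon.exe and csrss.exe are the copies Windows shipped.
# Assumptions: Windows PowerShell 3.0+ from an elevated prompt; the process
# names and the system32 location are the Windows defaults.

$names = 'winlogon', 'csrss'

# SHA-256 via .NET so the helper also works where Get-FileHash is absent.
function Get-Sha256Hex {
    param([string]$Path)
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try     { ($sha.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $stream.Close() }
}

# 1. Image path of each running instance. The "\??\E:\..." form seen in the
#    original post is the NT object-manager spelling of a drive path and is
#    not by itself suspicious; the directory after it is what to compare.
$running = foreach ($n in $names) {
    Get-Process -Name $n -ErrorAction SilentlyContinue | ForEach-Object {
        $img = $null
        try { $img = $_.Path } catch { }
        if (-not $img) {
            # Protected processes hide MainModule; WMI usually still reports the path.
            $img = (Get-CimInstance Win32_Process -Filter "ProcessId = $($_.Id)").ExecutablePath
        }
        $expected = Join-Path $env:SystemRoot "system32\$n.exe"
        [pscustomobject]@{
            Process    = "$n.exe"
            PID        = $_.Id
            ImagePath  = $img
            InSystem32 = [bool]($img -and ($img -ieq $expected))
        }
    }
}
$running | Format-Table -AutoSize

# 2. Every copy on the system drive with size, timestamp, hash and
#    Authenticode status: what :filefind reports, plus the signer.
$copies = foreach ($n in $names) {
    Get-ChildItem -Path "$env:SystemDrive\" -Filter "$n.exe" -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                File      = $_.FullName
                Size      = $_.Length
                Modified  = $_.LastWriteTime
                SHA256    = Get-Sha256Hex $_.FullName
                SigStatus = $sig.Status      # Valid, NotSigned, HashMismatch, NotTrusted ...
                Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            }
        }
}
$copies | Format-Table -AutoSize

# 3. Flag copies whose hash differs from the system32 copy. A difference is a
#    prompt to look, not a verdict: a vendor may legitimately ship its own
#    file under the same name (the filefind log in this thread shows one in
#    Malwarebytes' Chameleon folder), and servicing leaves older versions around.
foreach ($n in $names) {
    $refPath = Join-Path $env:SystemRoot "system32\$n.exe"
    $ref = $copies | Where-Object { $_.File -ieq $refPath }
    if (-not $ref) { "No $n.exe found in system32"; continue }
    $copies | Where-Object { $_.File -like "*\$n.exe" -and $_.SHA256 -ne $ref.SHA256 } |
        ForEach-Object { "DIFFERS from $refPath : $($_.File)" }
}
```

Two caveats when reading the output. On hosts older than Windows 10 / PowerShell 5.1, Get-AuthenticodeSignature does not consult the system catalog, so catalog-signed Windows binaries such as winlogon.exe report NotSigned; there the hash agreement between the system32 copy and the dllcache or WinSxS copy is the useful signal, and on Vista and later sfc /verifyonly performs the same comparison against Microsoft's reference hashes. And an InSystem32 value of False, or an ImagePath pointing anywhere other than the Windows directory, is the finding that would justify further investigation, which is exactly what the SystemLook logs are meant to settle.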


#10 mred27

mred27
  • Topic Starter

  • Members
  • 56 posts
  • Gender:Male

Posted 04 September 2013 - 11:13 PM

SystemLook 30.07.11 by jpshortstuff
Log created at 00:07 on 05/09/2013 by Justin
Administrator - Elevation successful

========== regfind ==========

Searching for "winlogon.exe"
[HKEY_CURRENT_USER\Software\GlarySoft\Glary Utilities 3\TasksManager\Blocked]
"winlogon.exe"="1"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\MUILanguages\RCV2\winlogon.exe]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Eventlog\Application\Autochk]
"EventMessageFile"="%SystemRoot%\System32\winlogon.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Eventlog\Application\Winlogon]
"EventMessageFile"="%SystemRoot%\System32\winlogon.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Nls\MUILanguages\RCV2\winlogon.exe]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Eventlog\Application\Autochk]
"EventMessageFile"="%SystemRoot%\System32\winlogon.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Eventlog\Application\Winlogon]
"EventMessageFile"="%SystemRoot%\System32\winlogon.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Eventlog\Application\Autochk]
"EventMessageFile"="%SystemRoot%\System32\winlogon.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Eventlog\Application\Winlogon]
"EventMessageFile"="%SystemRoot%\System32\winlogon.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\MUILanguages\RCV2\winlogon.exe]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\Autochk]
"EventMessageFile"="%SystemRoot%\System32\winlogon.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\Winlogon]
"EventMessageFile"="%SystemRoot%\System32\winlogon.exe"
[HKEY_USERS\S-1-5-21-448539723-1454471165-1644491937-1004\Software\GlarySoft\Glary Utilities 3\TasksManager\Blocked]
"winlogon.exe"="1"

Searching for "csrss.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\SubSystems]
"Windows"="%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Session Manager\SubSystems]
"Windows"="%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems]
"Windows"="%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16"

-= EOF =-

SystemLook 30.07.11 by jpshortstuff
Log created at 00:07 on 05/09/2013 by Justin
Administrator - Elevation successful

========== regfind ==========

Searching for "winlogon.exe"
[HKEY_CURRENT_USER\Software\GlarySoft\Glary Utilities 3\TasksManager\Blocked]
"winlogon.exe"="1"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Nls\MUILanguages\RCV2\winlogon.exe]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Eventlog\Application\Autochk]
"EventMessageFile"="%SystemRoot%\System32\winlogon.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Eventlog\Application\Winlogon]
"EventMessageFile"="%SystemRoot%\System32\winlogon.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Nls\MUILanguages\RCV2\winlogon.exe]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Eventlog\Application\Autochk]
"EventMessageFile"="%SystemRoot%\System32\winlogon.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Eventlog\Application\Winlogon]
"EventMessageFile"="%SystemRoot%\System32\winlogon.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Eventlog\Application\Autochk]
"EventMessageFile"="%SystemRoot%\System32\winlogon.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Eventlog\Application\Winlogon]
"EventMessageFile"="%SystemRoot%\System32\winlogon.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\MUILanguages\RCV2\winlogon.exe]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\Autochk]
"EventMessageFile"="%SystemRoot%\System32\winlogon.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\Winlogon]
"EventMessageFile"="%SystemRoot%\System32\winlogon.exe"
[HKEY_USERS\S-1-5-21-448539723-1454471165-1644491937-1004\Software\GlarySoft\Glary Utilities 3\TasksManager\Blocked]
"winlogon.exe"="1"

Searching for "csrss.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\SubSystems]
"Windows"="%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Session Manager\SubSystems]
"Windows"="%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems]
"Windows"="%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16"

-= EOF =-



#11 nasdaq

nasdaq

  • Malware Response Team
  • 39,578 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:05:09 PM

Posted 05 September 2013 - 07:55 AM

You posted the Regfind log twice.

Please post the FindFile log.

#12 mred27

mred27
  • Topic Starter

  • Members
  • 56 posts
  • Gender:Male
  • Local time:04:09 PM

Posted 05 September 2013 - 05:27 PM

> You posted the Regfind log twice.
>
> Please post the FindFile log.

My apologies....here you go...Thanks!

 

SystemLook 30.07.11 by jpshortstuff
Log created at 18:23 on 05/09/2013 by Justin
Administrator - Elevation successful

========== filefind ==========

Searching for "winlogon.exe"
E:\Program Files\Malwarebytes' Anti-Malware\Chameleon\winlogon.exe    --a---- 218184 bytes    [19:06 05/08/2013]    [18:50 04/04/2013] B4C6E3889BB310CA7E974A04EC6E46AC
E:\WINDOWS\erdnt\cache\winlogon.exe    --a---- 507904 bytes    [20:30 24/08/2013]    [10:42 14/04/2008] ED0EF0A136DEC83DF69F04118870003E
E:\WINDOWS\system32\winlogon.exe    --a---- 507904 bytes    [10:42 14/04/2008]    [10:42 14/04/2008] ED0EF0A136DEC83DF69F04118870003E
E:\WINDOWS\system32\dllcache\winlogon.exe    --a--c- 507904 bytes    [10:42 14/04/2008]    [10:42 14/04/2008] ED0EF0A136DEC83DF69F04118870003E

Searching for "csrss.exe"
E:\WINDOWS\system32\csrss.exe    --a---- 6144 bytes    [10:42 14/04/2008]    [10:42 14/04/2008] 44F275C64738EA2056E3D9580C23B60F
E:\WINDOWS\system32\dllcache\csrss.exe    --a--c- 6144 bytes    [10:42 14/04/2008]    [10:42 14/04/2008] 44F275C64738EA2056E3D9580C23B60F

-= EOF =-



#13 nasdaq

nasdaq

  • Malware Response Team
  • 39,578 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:05:09 PM

Posted 06 September 2013 - 08:16 AM

From what I can see your registry settings and files are good.

I wish I could check further with an XP computer the settings but I do not have access to an XP computer.

I suggest you start a new topic in the Windows XP forum
http://www.bleepingcomputer.com/forums/forum56.html

See if someone can check the settings against a trouble-free computer.

Keep me posted.

p.s.
I will keep this topic open for 6 days. If you need to return please do.
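
The judgement in the post above rests on the FindFile log: the live copy in system32 carries the same MD5 and size as the Windows File Protection copy in system32\dllcache for both winlogon.exe and csrss.exe, and the only copy with a different hash is the one Malwarebytes ships under its Chameleon folder. The script below is an added example, not code from the thread or from SystemLook, that reads the posted filefind output and performs that comparison automatically: it parses each entry, pairs the system32 copy with its dllcache copy, and lists every other copy whose hash differs from the live file. The sample log is the one posted above, embedded so the script runs offline; the column order "created, modified" for the two timestamps is an assumption inferred from the copied erdnt\cache entry, and the system root `E:\WINDOWS` is taken from the log.

```python
import re

# Constructed sample input: the filefind section of the SystemLook log posted
# above, copied as-is and embedded so the script runs without the log file.
SAMPLE_LOG = r"""========== filefind ==========

Searching for "winlogon.exe"
E:\Program Files\Malwarebytes' Anti-Malware\Chameleon\winlogon.exe    --a---- 218184 bytes    [19:06 05/08/2013]    [18:50 04/04/2013] B4C6E3889BB310CA7E974A04EC6E46AC
E:\WINDOWS\erdnt\cache\winlogon.exe    --a---- 507904 bytes    [20:30 24/08/2013]    [10:42 14/04/2008] ED0EF0A136DEC83DF69F04118870003E
E:\WINDOWS\system32\winlogon.exe    --a---- 507904 bytes    [10:42 14/04/2008]    [10:42 14/04/2008] ED0EF0A136DEC83DF69F04118870003E
E:\WINDOWS\system32\dllcache\winlogon.exe    --a--c- 507904 bytes    [10:42 14/04/2008]    [10:42 14/04/2008] ED0EF0A136DEC83DF69F04118870003E

Searching for "csrss.exe"
E:\WINDOWS\system32\csrss.exe    --a---- 6144 bytes    [10:42 14/04/2008]    [10:42 14/04/2008] 44F275C64738EA2056E3D9580C23B60F
E:\WINDOWS\system32\dllcache\csrss.exe    --a--c- 6144 bytes    [10:42 14/04/2008]    [10:42 14/04/2008] 44F275C64738EA2056E3D9580C23B60F

-= EOF =-
"""

# One filefind entry: path, 7-char attribute flags, size, two bracketed
# timestamps (assumed to be created then modified) and an MD5.
ENTRY_RE = re.compile(
    r'^(?P<path>\S.*?)\s+(?P<attrs>[-a-z]{7})\s+(?P<size>\d+) bytes\s+'
    r'\[(?P<created>[^\]]+)\]\s+\[(?P<modified>[^\]]+)\]\s+(?P<md5>[0-9A-Fa-f]{32})\s*$'
)
SEARCH_RE = re.compile(r'^Searching for "(?P<name>[^"]+)"\s*$')


def parse_filefind(text):
    """Group filefind entries by the searched file name: {name: [entry, ...]}."""
    results, current = {}, None
    for line in text.splitlines():
        m = SEARCH_RE.match(line)
        if m:
            current = m.group("name").lower()
            results[current] = []
            continue
        m = ENTRY_RE.match(line)
        if m and current is not None:
            entry = m.groupdict()
            entry["size"] = int(entry["size"])
            entry["md5"] = entry["md5"].upper()
            results[current].append(entry)
    return results


def assess(name, entries, systemroot=r"E:\WINDOWS"):
    """Compare the live system32 copy with the WFP dllcache copy and collect
    every other copy whose hash differs from the live file."""
    root = systemroot.lower().rstrip("\\")
    live_path = f"{root}\\system32\\{name}"
    cache_path = f"{root}\\system32\\dllcache\\{name}"
    by_path = {e["path"].lower(): e for e in entries}
    live, cache = by_path.get(live_path), by_path.get(cache_path)
    verdict = {
        "live_md5": live["md5"] if live else None,
        "cache_md5": cache["md5"] if cache else None,
        "live_matches_cache": bool(live and cache and live["md5"] == cache["md5"]),
        "differing_copies": [],
    }
    for path, e in by_path.items():
        if path in (live_path, cache_path):
            continue
        if live is None or e["md5"] != live["md5"]:
            verdict["differing_copies"].append((e["path"], e["md5"], e["size"]))
    return verdict


def check_log(text, systemroot=r"E:\WINDOWS"):
    """Run the system32-vs-dllcache comparison for every searched name."""
    return {name: assess(name, entries, systemroot)
            for name, entries in parse_filefind(text).items()}


if __name__ == "__main__":
    for name, v in check_log(SAMPLE_LOG).items():
        status = "OK" if v["live_matches_cache"] else "REVIEW"
        print(f"{name}: system32={v['live_md5']} dllcache={v['cache_md5']} [{status}]")
        for path, md5, size in v["differing_copies"]:
            print(f"  other copy with a different hash: {path} ({size} bytes, {md5})")
```

Two caveats apply to this check. A match between system32 and dllcache only shows the two copies are consistent with each other; it does not prove either is genuine, so on a machine that is actually suspect the authoritative test is the file's catalog signature (for example with Sysinternals sigcheck) or a hash comparison against the copy on the install media. And the `\??\` prefix that prompted the thread is the NT object manager's DOS-device namespace: csrss.exe and winlogon.exe are started by smss.exe with native NT paths, so a tool that reads the image path from the process block shows them that way, and the prefix by itself is not an indicator of anything.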

#14 mred27

mred27
  • Topic Starter

  • Members
  • 56 posts
  • Gender:Male
  • Local time:04:09 PM

Posted 06 September 2013 - 10:16 AM

> From what I can see your registry settings and files are good.

Thanks for the help.

> I wish I could check further with an XP computer the settings but I do not have access to an XP computer.
>
> I suggest you start a new topic in the Windows XP forum
> http://www.bleepingcomputer.com/forums/forum56.html
>
> See if someone can check the settings against a trouble-free computer.

Yes, I know that XP is a dinosaur...lol.

> p.s.
> I will keep this topic open for 6 days. If you need to return please do.

You can close out this thread. Thanks for all your help!



#15 nasdaq

nasdaq

  • Malware Response Team
  • 39,578 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:05:09 PM

Posted 12 September 2013 - 09:05 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.



