Botnet Activity detected by Time Warner


18 replies to this topic

#1 hakuri

  • Members
  • 11 posts

Posted 31 March 2016 - 08:53 AM

I've uploaded the scan logs of my client's computer, from the Farbar recovery tool.

The client contacted me regarding an email sent to him by Time Warner stating that botnet activity was detected on the network. The message looked like spam with a typical scam phishing layout ("click here to download our tool"), so I told him to hold on, I'll make an emergency visit. My wife works at Time Warner, so the feeling on the email was shoddy; that, and the client made sure to have Vipre Internet Security, which had been blacklisted at the last convention.

Turns out the email was legit, so I ran 6 different scanning tools including rootkit scanners, most from BleepingComputer. Found nothing; aswmbr.exe found unknown code in the MBR, and another MBR checking tool found that code as illegitimate with more detail.

I used the command prompt in recovery mode to rewrite the MBR. A recheck with aswmbr found no more bad code. Used CCleaner to clear all temp cache.

The client is still getting notifications that botnet activity is being detected. I have no traces with scanning; this is the first time I've posted for help on an infection. This is the only unit attached to the network; the client has no wireless network. The desktop unit is a Lenovo ThinkCentre.

Attached Files





#2 hakuri (Topic Starter)

  • Members
  • 11 posts

Posted 02 April 2016 - 01:54 AM

Nothing on this yet? Should I be looking to use some other infection specialist website to resolve my client's issue?



#3 shelf life

  • Malware Response Team
  • 2,679 posts

Posted 02 April 2016 - 11:57 AM

Maybe the user has pulled a previously blacklisted IP that's being flagged? Might try an ipconfig /release, then shut down the machine, router and modem overnight, then reboot everything back up. Worth a try anyway.


How Can I Reduce My Risk to Malware?


#4 hakuri (Topic Starter)

  • Members
  • 11 posts

Posted 02 April 2016 - 02:22 PM

Maybe the user has pulled a previously blacklisted IP that's being flagged? Might try an ipconfig /release, then shut down the machine, router and modem overnight, then reboot everything back up. Worth a try anyway.

I had him pull the power on his modem for 30 seconds because he has a standard dynamic IP setup. I looked at the logs I posted; there is something there that isn't being picked up by the scanners I used. If I had to venture a guess, something is using Google Chrome in an illicit manner.

Can I get an actual fix for this that involves the deletion of related registry keys, since the infection is clearly using the registry to manipulate Chrome? The fact that I had to rewrite the MBR shows this isn't a normal infection, and botnet activity is still being detected on his network.



#5 shelf life

  • Malware Response Team
  • 2,679 posts

Posted 03 April 2016 - 08:56 AM

I have a dynamic IP also, but it could actually be months before I am assigned a new one; it varies from one ISP to another. It could easily be checked whether they are actually pulling a new IP on every modem reset or are assigned the same one.

I don't see anything in the logs that looks out of place or needs "fixing." You said you already ran 6 different scanning tools?

There are online scanners you could try also, like ESET or others. Kaspersky can check an IP for a certain botnet's activity:

 

https://blog.kaspersky.com/simda-botnet-check/8304/

 




#6 hakuri (Topic Starter)

  • Members
  • 11 posts

Posted 03 April 2016 - 03:44 PM

"You said you already ran 6 different scanning tools?" yes a majority of them were from bleeping computer's DB. If the logs are clean, why does the search for hxxp://www.google.com immediately pop with dozens of results for virus removal for google redirect virus? Why is there a registry entry restricting chrome? I also worked for an ISP for 3 years, setting up networks, climbing cell towers to mount rocket dishes and mimo stations, maintain the web, dns, and mail servers, I don't recall a blacklisted IP address being able to leave the blacklist and be reassigned while still carrying a flag. Don't forget that I already had to rewrite the MBR to remove an MBR infection. The kaspersky site you linked revealed his IP was not part of the SIMDA botnet, One botnet type does not invalidate Time Warners botnet detection servers, that occasionally scan and ping the user network with a notification that botnet activity was detected, before going on its merry was across Time Warners IP address range. They do not monitor the pinged network, they come back to it through rotation, scan, then ping the user again if the activity is detected.



#7 shelf life

  • Malware Response Team
  • 2,679 posts

Posted 03 April 2016 - 05:08 PM

Copy/paste what's below into Notepad.

Save it as fixlist.txt in the same location that you have FRST. Start FRST like before, except this time click on the Fix button once and wait. The machine may reboot to finish the process. Upon reboot it will display a fixlog.txt, which you can copy/paste in your reply. The reg entry could have been put in place by the computer admin.

SearchScopes: HKU\S-1-5-21-175890325-3461059449-2437460600-1001 -> DefaultScope {035E279F-7422-4CC8-A626-125636AE55D6} URL =
SearchScopes: HKU\S-1-5-21-175890325-3461059449-2437460600-1001 -> {035E279F-7422-4CC8-A626-125636AE55D6} URL =
CHR HKLM\SOFTWARE\Policies\Google: Restriction <======= ATTENTION

Using Explorer, navigate to: C:\WINDOWS\system32\Drivers\6FD7266A.sys

then navigate to

https://virusscan.jotti.org/

Using the Browse button, locate the file again on the machine and upload it to the website to get it checked out. Once it's done scanning the file you can copy/paste the URL in your reply.

If you don't see the driver folder you may have to change the option to show all files/folders:

http://www.tenforums.com/tutorials/9168-hidden-files-folders-drives-show-windows-10-a.html




#8 hakuri (Topic Starter)

  • Members
  • 11 posts

Posted 04 April 2016 - 02:27 PM

"The reg entry could have been put in place by the computer admin" - I am his admin.... At around 6:30 EST he should be home so I can run the FRST remotely and post our results then. He got another message from time warner this morning about the activity being detected.


*edit

He only gets notifications when his unit is on. I had him keep the unit off for the past 3 days and he received nothing from time warner during those days when he checked his emails at work. Last night I had him turn on his unit and leave it on. In the morning he received the ping from time warner.


Edited by hakuri, 04 April 2016 - 02:51 PM.


#9 shelf life

  • Malware Response Team
  • 2,679 posts

Posted 04 April 2016 - 04:41 PM

OK. Interested to see results on that .sys process. Did you run RogueKiller? If not, you can download it and run it, or rerun it.

http://www.bleepingcomputer.com/download/roguekiller/

    Close all windows and browsers
    Right-click the program and select 'Run as Administrator'
    A prescan will start automatically. When the prescan is done, press the Scan button.
    When the scan is done, press the Report button.
    Please copy and paste the results in your next reply.

    Don't fix anything yet; not everything it flags is malware.

    File > Quit to exit RogueKiller

Also, in the W10 Start search field you can type msconfig to bring up Windows System Configuration. Under the Startup tab, look and see if anything out of the ordinary is listed there under Startup Item and Command. Just a quick way to check; may be useful, may not.
 




#10 hakuri (Topic Starter)

  • Members
  • 11 posts

Posted 04 April 2016 - 06:59 PM

Alright, I ran the fixlist; the log is attached.

The virus scan results on the file are below:
https://virusscan.jotti.org/en-US/filescanjob/17uufjfchz

CCleaner and msconfig don't have anything in startup or scheduled tasks that isn't recognized.

Ran RogueKiller as requested; log is attached. It reports unknown code in the physical disk drive MBR. Reinfected? aswmbr.exe and mbrcheck.exe both report normal MBR code...
 

Attached Files



#11 shelf life

  • Malware Response Team
  • 2,679 posts

Posted 04 April 2016 - 08:09 PM

Looks like the .sys turned out to be nothing. I've seen unknown MBR in RogueKiller logs a lot. I would go with aswmbr results. Have you run MBAM Anti-Rootkit? Won't be back online for 16 hrs or so.

Download Malwarebytes Anti-Rootkit (BETA) to your desktop.

http://www.malwarebytes.org/antirootkit/

    Double-click the icon to start the tool.
    It will ask you where to extract it, then it will start.
    Warning! Malwarebytes Anti-Rootkit needs to be run from an account with administrator rights.
    Click in the introduction screen "next" to continue.
    Click in the following screen "Update" to obtain the latest malware definitions.
    Once the update is complete select "Next" and click "Scan".
    When the scan is finished and no malware has been found select "Exit".
    If malware was detected, make sure to check all the items and click "Cleanup". Reboot your computer.
    Open the MBAR folder and paste the content of the following files in your next reply:

    "mbar-log-{date} (xx-xx-xx).txt"
    "system-log.txt"




#12 shelf life

  • Malware Response Team
  • 2,679 posts

Posted 05 April 2016 - 08:17 PM

You can run these two also, TDSSKiller and GMER, for general rootkit activity:

Please download TDSSKiller and save it to your Desktop.

    http://media.kaspersky.com/utilities/VirusUtilities/EN/tdsskiller.exe

    Right click on tdsskiller.exe and select Run as admin.
    Accept the EULA and the KSN Statement.
    Click on the Change parameters link.
    Make sure everything under Objects to scan is checked (except "Loaded modules") and everything under Additional Options is checked.
    Click OK, then click on Start scan.
    If any threats are found, don't delete them but choose the Skip option for all of them.
    Click on Report to open the log file. (It is also saved at C:\TDSSKiller.<version_date_time>_log.txt).
    Copy and paste its contents in your next reply.

-----------------------------------------------------------------------------------

Please download GMER and save it to your desktop:

The GMER file is a randomly named .exe:

http://www2.gmer.net/download.php

Disconnect from the Internet and close all running programs
Temporarily disable any real-time active protection that might be running.
Please do not use your computer while GMER is running
Right click on the randomly named exe and select "run as admin"
GMER will open to the Rootkit/Malware tab and perform an automatic quick scan of memory only.
If you receive a warning about rootkit activity and are asked to fully scan your system click NO

Please uncheck the following boxes

    IAT/EAT
    Drives/Partitions other than the System drive (typically C:\)
    Show All <<<<(Important!)

Click Scan
If you see a rootkit warning window click OK
When the scan is finished, Click Save and save the results to your desktop as gmer.log
Copy/paste in the gmer.log results in your reply.
Exit GMER and be sure to re-enable your Antivirus, Firewall and any other security programs you had disabled
 




#13 hakuri (Topic Starter)

  • Members
  • 11 posts

Posted 06 April 2016 - 07:29 PM

I had run the malwarebytes anti-rootkit beta while the MBR infection was present, but not after I rewrote the MBR. It didn't detect anything while the MBR infection was there, like the other tools I had run.

I'll run the list you've given me and post the logs during an onsite I've set for 4/7/2016.



#14 hakuri (Topic Starter)

  • Members
  • 11 posts

Posted 07 April 2016 - 08:54 AM

Re-ran MBAR, no malware detected. Logs attached.

TDSSKiller found nothing with the settings you requested. Log pasted (getting an error when uploading: "Upload Skipped (No file was selected for upload)").

 

09:43:25.0339 0x0d54  TDSS rootkit removing tool 3.1.0.9 Dec 11 2015 22:49:12
09:43:25.0339 0x0d54  UEFI system
09:43:35.0513 0x0d54  ============================================================
09:43:35.0513 0x0d54  Current date / time: 2016/04/07 09:43:35.0513
09:43:35.0513 0x0d54  SystemInfo:
09:43:35.0516 0x0d54  
09:43:35.0516 0x0d54  OS Version: 10.0.10586 ServicePack: 0.0
09:43:35.0516 0x0d54  Product type: Workstation
09:43:35.0516 0x0d54  ComputerName: DESKTOP-FVCNHC4
09:43:35.0516 0x0d54  UserName: loffa
09:43:35.0516 0x0d54  Windows directory: C:\WINDOWS
09:43:35.0516 0x0d54  System windows directory: C:\WINDOWS
09:43:35.0516 0x0d54  Running under WOW64
09:43:35.0516 0x0d54  Processor architecture: Intel x64
09:43:35.0516 0x0d54  Number of processors: 4
09:43:35.0516 0x0d54  Page size: 0x1000
09:43:35.0516 0x0d54  Boot type: Normal boot
09:43:35.0516 0x0d54  ============================================================
09:43:35.0581 0x0d54  KLMD registered as C:\WINDOWS\system32\drivers\54797740.sys
09:43:35.0635 0x0d54  System UUID: {D65B1CD7-8500-588C-CB93-0D4F7D655E78}
09:43:35.0856 0x0d54  Drive \Device\Harddisk0\DR0 - Size: 0x1BF2976000 ( 111.79 Gb ), SectorSize: 0x200, Cylinders: 0x3901, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000040
09:43:35.0919 0x0d54  ============================================================
09:43:35.0919 0x0d54  \Device\Harddisk0\DR0:
09:43:35.0919 0x0d54  GPT partitions:
09:43:35.0919 0x0d54  \Device\Harddisk0\DR0\Partition1: GPT, TypeGUID: {C12A7328-F81F-11D2-BA4B-00A0C93EC93B}, UniqueGUID: {A47C0B47-3C1D-4698-AE14-FADC49DD5665}, Name: EFI system partition, StartLBA 0x800, BlocksNum 0x82000
09:43:35.0919 0x0d54  \Device\Harddisk0\DR0\Partition2: GPT, TypeGUID: {E3C9E316-0B5C-4DB8-817D-F92DF00215AE}, UniqueGUID: {BF12FF89-C63B-4EF6-ACFB-ACA9694FD8AB}, Name: Microsoft reserved partition, StartLBA 0x82800, BlocksNum 0x8000
09:43:35.0919 0x0d54  \Device\Harddisk0\DR0\Partition3: GPT, TypeGUID: {EBD0A0A2-B9E5-4433-87C0-68B6B72699C7}, UniqueGUID: {C9A9383D-F194-4FA9-AF31-D32B32066EA7}, Name: Basic data partition, StartLBA 0x8A800, BlocksNum 0xDD16000
09:43:35.0919 0x0d54  \Device\Harddisk0\DR0\Partition4: GPT, TypeGUID: {DE94BBA4-06D1-4D40-A16A-BFD50179D6AC}, UniqueGUID: {D99BCCA6-A2E4-4EB0-9DBD-57853415B743}, Name: Basic data partition, StartLBA 0xDDA0800, BlocksNum 0x1F4000
09:43:35.0919 0x0d54  MBR partitions:
09:43:35.0919 0x0d54  ============================================================
09:43:35.0935 0x0d54  C: <-> \Device\Harddisk0\DR0\Partition3
09:43:35.0935 0x0d54  ============================================================
09:43:35.0935 0x0d54  Initialize success
09:43:35.0935 0x0d54  ============================================================
09:44:08.0810 0x1a30  ============================================================
09:44:08.0810 0x1a30  Scan started
09:44:08.0810 0x1a30  Mode: Manual; SigCheck; TDLFS; 
09:44:08.0810 0x1a30  ============================================================
09:44:08.0810 0x1a30  KSN ping started
09:44:11.0182 0x1a30  KSN ping finished: true
09:44:11.0516 0x1a30  ================ Scan system memory ========================
09:44:11.0516 0x1a30  System memory - ok
09:44:20.0563 0x1a30  pciide - ok
09:44:20.0563 0x1a30  pcmcia - ok
09:44:20.0563 0x1a30  pcw - ok
09:44:20.0578 0x1a30  pdc - ok
09:44:20.0578 0x1a30  PEAUTH - ok
09:44:20.0578 0x1a30  PeerDistSvc - ok
09:44:20.0578 0x1a30  percsas2i - ok
09:44:20.0578 0x1a30  percsas3i - ok
09:44:20.0616 0x1a30  PerfHost - ok
09:44:20.0616 0x1a30  PhoneSvc - ok
09:44:20.0616 0x1a30  PimIndexMaintenanceSvc - ok
09:44:20.0631 0x1a30  pla - ok
09:44:20.0631 0x1a30  PlugPlay - ok
09:44:20.0631 0x1a30  PNRPAutoReg - ok
09:44:20.0631 0x1a30  PNRPsvc - ok
09:44:20.0631 0x1a30  PolicyAgent - ok
09:44:20.0631 0x1a30  Power - ok
09:44:20.0647 0x1a30  PptpMiniport - ok
09:44:20.0716 0x1a30  [ 959F94AD1255BC749884EDDD14EC29C4, 2CD6DA9778EA36FA0B4080F6DB1C634712238E014E47546403CD3CDB35A1DCA8 ] PrintNotify     C:\WINDOWS\system32\spool\drivers\x64\3\PrintConfig.dll
09:44:20.0816 0x1a30  PrintNotify - ok
09:44:20.0816 0x1a30  Processor - ok
09:44:20.0832 0x1a30  ProfSvc - ok
09:44:20.0832 0x1a30  Psched - ok
09:44:20.0832 0x1a30  QWAVE - ok
09:44:20.0832 0x1a30  QWAVEdrv - ok
09:44:20.0832 0x1a30  RasAcd - ok
09:44:20.0832 0x1a30  RasAgileVpn - ok
09:44:20.0832 0x1a30  RasAuto - ok
09:44:20.0847 0x1a30  Rasl2tp - ok
09:44:20.0847 0x1a30  RasMan - ok
09:44:20.0847 0x1a30  RasPppoe - ok
09:44:20.0847 0x1a30  RasSstp - ok
09:44:20.0847 0x1a30  rdbss - ok
09:44:20.0847 0x1a30  rdpbus - ok
09:44:20.0863 0x1a30  RDPDR - ok
09:44:20.0863 0x1a30  RdpVideoMiniport - ok
09:44:20.0863 0x1a30  rdyboost - ok
09:44:20.0863 0x1a30  ReFSv1 - ok
09:44:20.0863 0x1a30  RemoteAccess - ok
09:44:20.0878 0x1a30  RemoteRegistry - ok
09:44:20.0878 0x1a30  RetailDemo - ok
09:44:20.0878 0x1a30  RpcEptMapper - ok
09:44:20.0878 0x1a30  RpcLocator - ok
09:44:20.0878 0x1a30  RpcSs - ok
09:44:20.0878 0x1a30  rspndr - ok
09:44:20.0901 0x1a30  [ FA00B16D06217288AFD700223DA131BA, 90688C3A8403FEF2A90550781CBA932A522125B47D71F3F0AF73E21E43BC5564 ] rt640x64        C:\WINDOWS\System32\drivers\rt640x64.sys
09:44:20.0916 0x1a30  rt640x64 - ok
09:44:20.0932 0x1a30  s3cap - ok
09:44:20.0932 0x1a30  SamSs - ok
09:44:21.0001 0x1a30  [ CB852CB9C17F20D3EDDFBF5873F6AC8B, 31FE2A24E1D62B2A46A9DAFF843CAD2EE119E76CF170C834414D9AB09DCBE123 ] SBAMSvc         C:\Program Files (x86)\VIPRE\SBAMSvc.exe
09:44:21.0063 0x1a30  SBAMSvc - ok
09:44:21.0079 0x1a30  [ 5DC482A70471C6C36BB515736EFD8300, 8E2250A7061BF40257CB97984DEBC1897E23CAB6A6F1908ACBE712817228E264 ] sbapifs         C:\WINDOWS\system32\DRIVERS\sbapifs.sys
09:44:21.0097 0x1a30  sbapifs - ok
09:44:21.0101 0x1a30  [ CDB7E06B43189D5904314889416189FB, E40415C803EE535D72957366144ADF8B084365A596C9E3AD699B737D786C49F7 ] sbhips          C:\WINDOWS\system32\drivers\sbhips.sys
09:44:21.0101 0x1a30  sbhips - ok
09:44:21.0101 0x1a30  sbp2port - ok
09:44:21.0101 0x1a30  [ C7448AE3E05B4F552ED094AFBF6FC719, 10DBF1A646625ADB711392303E15ACEE82974D0B46BD875381978D5355F421A4 ] SBPIMSvc        C:\Program Files (x86)\VIPRE\SBPIMSvc.exe
09:44:21.0116 0x1a30  SBPIMSvc - ok
09:44:21.0116 0x1a30  [ 44EF30530BF3BFF60C134D189E372FCA, 9A9648332976C17DE7F9F369530094968E0C71A806260B04A7E0406DBF21A381 ] sbwfw           C:\WINDOWS\system32\DRIVERS\sbwfw.sys
09:44:21.0132 0x1a30  sbwfw - ok
09:44:21.0132 0x1a30  [ 62BD702DA5C16A71E992FF75EC981A3C, 594ABFCF48868C6814D76754EC7EFE6A57976A65E5027FEABCE03F4E6EC9535F ] sbwtis          C:\WINDOWS\system32\DRIVERS\sbwtis.sys
09:44:21.0148 0x1a30  sbwtis - ok
09:44:21.0148 0x1a30  SCardSvr - ok
09:44:21.0148 0x1a30  ScDeviceEnum - ok
09:44:21.0148 0x1a30  scfilter - ok
09:44:21.0163 0x1a30  Schedule - ok
09:44:21.0163 0x1a30  SCPolicySvc - ok
09:44:21.0163 0x1a30  sdbus - ok
09:44:21.0163 0x1a30  SDRSVC - ok
09:44:21.0163 0x1a30  sdstor - ok
09:44:21.0163 0x1a30  seclogon - ok
09:44:21.0163 0x1a30  SENS - ok
09:44:21.0179 0x1a30  SensorDataService - ok
09:44:21.0179 0x1a30  SensorService - ok
09:44:21.0179 0x1a30  SensrSvc - ok
09:44:21.0179 0x1a30  SerCx - ok
09:44:21.0179 0x1a30  SerCx2 - ok
09:44:21.0179 0x1a30  Serenum - ok
09:44:21.0196 0x1a30  Serial - ok
09:44:21.0198 0x1a30  sermouse - ok
09:44:21.0201 0x1a30  SessionEnv - ok
09:44:21.0201 0x1a30  sfloppy - ok
09:44:21.0201 0x1a30  SharedAccess - ok
09:44:21.0201 0x1a30  ShellHWDetection - ok
09:44:21.0201 0x1a30  SiSRaid2 - ok
09:44:21.0201 0x1a30  SiSRaid4 - ok
09:44:21.0217 0x1a30  smphost - ok
09:44:21.0217 0x1a30  SmsRouter - ok
09:44:21.0217 0x1a30  SNMPTRAP - ok
09:44:21.0217 0x1a30  spaceport - ok
09:44:21.0217 0x1a30  SpbCx - ok
09:44:21.0232 0x1a30  Spooler - ok
09:44:21.0232 0x1a30  sppsvc - ok
09:44:21.0232 0x1a30  srv - ok
09:44:21.0232 0x1a30  srv2 - ok
09:44:21.0232 0x1a30  srvnet - ok
09:44:21.0232 0x1a30  SSDPSRV - ok
09:44:21.0232 0x1a30  SstpSvc - ok
09:44:21.0248 0x1a30  StateRepository - ok
09:44:21.0248 0x1a30  stexstor - ok
09:44:21.0248 0x1a30  stisvc - ok
09:44:21.0248 0x1a30  storahci - ok
09:44:21.0248 0x1a30  storflt - ok
09:44:21.0248 0x1a30  stornvme - ok
09:44:21.0264 0x1a30  storqosflt - ok
09:44:21.0264 0x1a30  StorSvc - ok
09:44:21.0264 0x1a30  storufs - ok
09:44:21.0264 0x1a30  storvsc - ok
09:44:21.0264 0x1a30  svsvc - ok
09:44:21.0264 0x1a30  swenum - ok
09:44:21.0279 0x1a30  swprv - ok
09:44:21.0279 0x1a30  Synth3dVsc - ok
09:44:21.0279 0x1a30  SysMain - ok
09:44:21.0279 0x1a30  SystemEventsBroker - ok
09:44:21.0279 0x1a30  TabletInputService - ok
09:44:21.0279 0x1a30  TapiSrv - ok
09:44:21.0279 0x1a30  Tcpip - ok
09:44:21.0297 0x1a30  Tcpip6 - ok
09:44:21.0301 0x1a30  tcpipreg - ok
09:44:21.0301 0x1a30  tdx - ok
09:44:21.0401 0x1a30  [ 2AA61246A5B813C1B12BCCFAA6F23DD8, 74EE3DB839A0F4BC781294803281DB2248D013B8808FF05F2EE9597C14C6FEED ] TeamViewer      C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe
09:44:21.0480 0x1a30  TeamViewer - ok
09:44:21.0501 0x1a30  terminpt - ok
09:44:21.0501 0x1a30  TermService - ok
09:44:21.0501 0x1a30  Themes - ok
09:44:21.0501 0x1a30  TieringEngineService - ok
09:44:21.0501 0x1a30  tiledatamodelsvc - ok
09:44:21.0501 0x1a30  TimeBroker - ok
09:44:21.0517 0x1a30  TPM - ok
09:44:21.0517 0x1a30  TrkWks - ok
09:44:21.0517 0x1a30  [ 0C997B061E3C66BD9E927C1288EB1CC7, 3807E9A1BC159B9E8FC0C7CAAD10D7213FF8ED8AD1CEA9EA552B093C81BF624B ] TrueSight       C:\Windows\System32\drivers\TrueSight.sys
09:44:21.0517 0x1a30  TrueSight - ok
09:44:21.0533 0x1a30  TrustedInstaller - ok
09:44:21.0533 0x1a30  tsusbflt - ok
09:44:21.0533 0x1a30  TsUsbGD - ok
09:44:21.0533 0x1a30  tunnel - ok
09:44:21.0533 0x1a30  tzautoupdate - ok
09:44:21.0533 0x1a30  uagp35 - ok
09:44:21.0533 0x1a30  UASPStor - ok
09:44:21.0549 0x1a30  UcmCx0101 - ok
09:44:21.0549 0x1a30  UcmUcsi - ok
09:44:21.0549 0x1a30  Ucx01000 - ok
09:44:21.0549 0x1a30  UdeCx - ok
09:44:21.0549 0x1a30  udfs - ok
09:44:21.0549 0x1a30  UEFI - ok
09:44:21.0564 0x1a30  Ufx01000 - ok
09:44:21.0564 0x1a30  UfxChipidea - ok
09:44:21.0564 0x1a30  ufxsynopsys - ok
09:44:21.0564 0x1a30  UI0Detect - ok
09:44:21.0564 0x1a30  uliagpkx - ok
09:44:21.0564 0x1a30  umbus - ok
09:44:21.0580 0x1a30  UmPass - ok
09:44:21.0580 0x1a30  UmRdpService - ok
09:44:21.0580 0x1a30  UnistoreSvc - ok
09:44:21.0580 0x1a30  upnphost - ok
09:44:21.0595 0x1a30  UrsChipidea - ok
09:44:21.0598 0x1a30  UrsCx01000 - ok
09:44:21.0601 0x1a30  UrsSynopsys - ok
09:44:21.0602 0x1a30  [ F957092C63CD71D85903CA0D8370F473, 4DEC2FC20329F248135DA24CB6694FD972DCCE8B1BBEA8D872FDE41939E96AAF ] USBAAPL64       C:\WINDOWS\System32\Drivers\usbaapl64.sys
09:44:21.0602 0x1a30  USBAAPL64 - detected UnsignedFile.Multi.Generic ( 1 )
09:44:22.0694 0x2a2c  Object send P2P result: true
09:44:22.0694 0x2a2c  Object required for P2P: [ A1F58FFF448E4099297D6EE0641D4D0E ] dbupdatem
09:44:24.0026 0x1a30  Detect skipped due to KSN trusted
09:44:24.0026 0x1a30  USBAAPL64 - ok
09:44:24.0026 0x1a30  usbccgp - ok
09:44:24.0026 0x1a30  usbcir - ok
09:44:24.0041 0x1a30  usbehci - ok
09:44:24.0041 0x1a30  usbhub - ok
09:44:24.0041 0x1a30  USBHUB3 - ok
09:44:24.0041 0x1a30  usbohci - ok
09:44:24.0041 0x1a30  usbprint - ok
09:44:24.0041 0x1a30  [ D67B6A4A6FB99D29444C2DBA2B636799, 62BC778D60593B2AB0DA13C4DB3EA5971895AE09DA06E8AB2D03973C940C890C ] usbscan         C:\WINDOWS\system32\DRIVERS\usbscan.sys
09:44:24.0057 0x1a30  usbscan - ok
09:44:24.0057 0x1a30  usbser - ok
09:44:24.0074 0x1a30  USBSTOR - ok
09:44:24.0076 0x1a30  usbuhci - ok
09:44:24.0079 0x1a30  USBXHCI - ok
09:44:24.0079 0x1a30  UserDataSvc - ok
09:44:24.0079 0x1a30  UserManager - ok
09:44:24.0079 0x1a30  UsoSvc - ok
09:44:24.0079 0x1a30  VaultSvc - ok
09:44:24.0094 0x1a30  vdrvroot - ok
09:44:24.0094 0x1a30  vds - ok
09:44:24.0094 0x1a30  VerifierExt - ok
09:44:24.0094 0x1a30  vhdmp - ok
09:44:24.0094 0x1a30  vhf - ok
09:44:24.0094 0x1a30  vmbus - ok
09:44:24.0094 0x1a30  VMBusHID - ok
09:44:24.0110 0x1a30  vmicguestinterface - ok
09:44:24.0110 0x1a30  vmicheartbeat - ok
09:44:24.0110 0x1a30  vmickvpexchange - ok
09:44:24.0110 0x1a30  vmicrdv - ok
09:44:24.0110 0x1a30  vmicshutdown - ok
09:44:24.0110 0x1a30  vmictimesync - ok
09:44:24.0126 0x1a30  vmicvmsession - ok
09:44:24.0126 0x1a30  vmicvss - ok
09:44:24.0126 0x1a30  volmgr - ok
09:44:24.0126 0x1a30  volmgrx - ok
09:44:24.0126 0x1a30  volsnap - ok
09:44:24.0126 0x1a30  vpci - ok
09:44:24.0126 0x1a30  vsmraid - ok
09:44:24.0141 0x1a30  VSS - ok
09:44:24.0141 0x1a30  VSTXRAID - ok
09:44:24.0141 0x1a30  vwifibus - ok
09:44:24.0141 0x1a30  vwififlt - ok
09:44:24.0141 0x1a30  W32Time - ok
09:44:24.0141 0x1a30  WacomPen - ok
09:44:24.0157 0x1a30  WalletService - ok
09:44:24.0157 0x1a30  wanarp - ok
09:44:24.0157 0x1a30  wanarpv6 - ok
09:44:24.0157 0x1a30  wbengine - ok
09:44:24.0157 0x1a30  WbioSrvc - ok
09:44:24.0157 0x1a30  Wcmsvc - ok
09:44:24.0173 0x1a30  wcncsvc - ok
09:44:24.0177 0x1a30  WcsPlugInService - ok
09:44:24.0179 0x1a30  WdBoot - ok
09:44:24.0179 0x1a30  Wdf01000 - ok
09:44:24.0179 0x1a30  WdFilter - ok
09:44:24.0179 0x1a30  WdiServiceHost - ok
09:44:24.0179 0x1a30  WdiSystemHost - ok
09:44:24.0179 0x1a30  wdiwifi - ok
09:44:24.0179 0x1a30  WdNisDrv - ok
09:44:24.0195 0x1a30  WdNisSvc - ok
09:44:24.0195 0x1a30  WebClient - ok
09:44:24.0195 0x1a30  [ 4474B941D14BB63622A44BDE4491C0C9, 489B210C8CFCF89A5AD030C0F282CD6B3905A0C82E9EB3208090C01C0A5B07E7 ] WebExaminer     C:\Windows\system32\Drivers\WebExaminer64.sys
09:44:24.0195 0x1a30  WebExaminer - ok
09:44:24.0295 0x1a30  [ 1088ACE9862139C9F8F8499E1D43A256, E46523CB9EE1D254EF7ABC117189806FC042FD2ED2E56083D92B18CF5CEF9A28 ] WebProxy        C:\Program Files (x86)\VIPRE\WebProxy.exe
09:44:24.0407 0x1a30  WebProxy - ok
09:44:24.0419 0x1a30  Wecsvc - ok
09:44:24.0422 0x1a30  WEPHOSTSVC - ok
09:44:24.0424 0x1a30  wercplsupport - ok
09:44:24.0427 0x1a30  WerSvc - ok
09:44:24.0429 0x1a30  WFPLWFS - ok
09:44:24.0430 0x1a30  WiaRpc - ok
09:44:24.0430 0x1a30  WIMMount - ok
09:44:24.0430 0x1a30  WinDefend - ok
09:44:24.0430 0x1a30  WindowsTrustedRT - ok
09:44:24.0430 0x1a30  WindowsTrustedRTProxy - ok
09:44:24.0445 0x1a30  WinHttpAutoProxySvc - ok
09:44:24.0445 0x1a30  WinMad - ok
09:44:24.0445 0x1a30  Winmgmt - ok
09:44:24.0445 0x1a30  WinRM - ok
09:44:24.0461 0x1a30  WINUSB - ok
09:44:24.0461 0x1a30  WinVerbs - ok
09:44:24.0461 0x1a30  WlanSvc - ok
09:44:24.0461 0x1a30  wlidsvc - ok
09:44:24.0461 0x1a30  WmiAcpi - ok
09:44:24.0477 0x1a30  wmiApSrv - ok
09:44:24.0477 0x1a30  WMPNetworkSvc - ok
09:44:24.0477 0x1a30  [ 2A9650FCC696DB28E45EA8B33B99B8E6, FBEBC6C05D50F578C6EEE0A7285EBE1DEADB08DD21FA3232630FD8D5A68FC3FB ] Wof             C:\WINDOWS\system32\drivers\Wof.sys
09:44:24.0492 0x1a30  Wof - ok
09:44:24.0492 0x1a30  workfolderssvc - ok
09:44:24.0492 0x1a30  wpcfltr - ok
09:44:24.0492 0x1a30  WPDBusEnum - ok
09:44:24.0508 0x1a30  WpdUpFltr - ok
09:44:24.0508 0x1a30  WpnService - ok
09:44:24.0508 0x1a30  ws2ifsl - ok
09:44:24.0508 0x1a30  wscsvc - ok
09:44:24.0508 0x1a30  WSearch - ok
09:44:24.0508 0x1a30  WSService - ok
09:44:24.0525 0x1a30  wuauserv - ok
09:44:24.0528 0x1a30  WudfPf - ok
09:44:24.0530 0x1a30  WUDFRd - ok
09:44:24.0530 0x1a30  wudfsvc - ok
09:44:24.0530 0x1a30  WUDFWpdFs - ok
09:44:24.0530 0x1a30  WwanSvc - ok
09:44:24.0530 0x1a30  XblAuthManager - ok
09:44:24.0530 0x1a30  XblGameSave - ok
09:44:24.0546 0x1a30  xboxgip - ok
09:44:24.0546 0x1a30  XboxNetApiSvc - ok
09:44:24.0546 0x1a30  xinputhid - ok
09:44:24.0546 0x1a30  ================ Scan global ===============================
09:44:24.0561 0x1a30  [ Global ] - ok
09:44:24.0561 0x1a30  ================ Scan MBR ==================================
09:44:24.0561 0x1a30  [ A36C5E4F47E84449FF07ED3517B43A31 ] \Device\Harddisk0\DR0
09:44:24.0592 0x1a30  \Device\Harddisk0\DR0 - ok
09:44:24.0592 0x1a30  ================ Scan VBR ==================================
09:44:24.0592 0x1a30  [ 8D6B7E1C5E97B7EB0B9C828A8B70A476 ] \Device\Harddisk0\DR0\Partition1
09:44:24.0592 0x1a30  \Device\Harddisk0\DR0\Partition1 - ok
09:44:24.0592 0x1a30  [ E7112CB6EF165433FE31CD428D60A852 ] \Device\Harddisk0\DR0\Partition2
09:44:24.0592 0x1a30  \Device\Harddisk0\DR0\Partition2 - ok
09:44:24.0592 0x1a30  [ 8C97862EC9E3CF699472D6DD1F19B9C2 ] \Device\Harddisk0\DR0\Partition3
09:44:24.0592 0x1a30  \Device\Harddisk0\DR0\Partition3 - ok
09:44:24.0592 0x1a30  [ 868736F641EAFEC30B0E5DBDD8DF54FE ] \Device\Harddisk0\DR0\Partition4
09:44:24.0592 0x1a30  \Device\Harddisk0\DR0\Partition4 - ok
09:44:24.0592 0x1a30  ================ Scan generic autorun ======================
09:44:24.0661 0x1a30  [ 5CA53785B469303CC02CDB44E7410F12, 2302D64E1ECB3592DD83C3E74425F273A2628589C1FD1B0269DC319256D75E76 ] C:\Program Files\Lenovo\USB Enhanced Performance Keyboard\SKDaemon.exe
09:44:24.0777 0x1a30  Enhanced Performance Keyboard - detected UnsignedFile.Multi.Generic ( 1 )
09:44:25.0366 0x2a2c  Object send P2P result: true
09:44:27.0206 0x1a30  Detect skipped due to KSN trusted
09:44:27.0206 0x1a30  Enhanced Performance Keyboard - ok
09:44:27.0206 0x1a30  [ BAEDADCD6509201F82CE5B404AB14814, 8C39C18CE00DB254F370D9C4AA80E88BF67C457240F3D30A58E39DBF9B96F44B ] C:\Program Files\Intel\Intel® Rapid Storage Technology\IAStorIconLaunch.exe
09:44:27.0206 0x1a30  IAStorIcon - detected UnsignedFile.Multi.Generic ( 1 )
09:44:29.0647 0x1a30  Detect skipped due to KSN trusted
09:44:29.0647 0x1a30  IAStorIcon - ok
09:44:29.0663 0x1a30  [ C7F017C9B163E7DAB864649E8241F683, F007F107FCA0E3A12D7E900101EBF02C2453D4AA56BE18769E86B592C88C5106 ] C:\Program Files\iTunes\iTunesHelper.exe
09:44:29.0669 0x1a30  iTunesHelper - ok
09:44:29.0669 0x1a30  [ FCEC6F664FA7E5FE323165FBC9314470, 4E5AB1E6C3D2881D95E74F2F28649A7DBC4919CA249829A0E4CD9804E401A025 ] C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
09:44:29.0685 0x1a30  SunJavaUpdateSched - ok
09:44:29.0747 0x1a30  [ 8A64661F5380C9D685DC717DDDE3F6E1, 4A12384D139571E3F6F19FA65562CC440BC8A30C9A8D57D738639F6D736205F2 ] C:\Program Files (x86)\VIPRE\SBAMTray.exe
09:44:29.0800 0x1a30  SBAMTray - ok
09:44:29.0800 0x1a30  [ 0E34B7BB1FCF22BCC1E394D16F9E992B, 382CA8E6BAC301E2F277F8EDA03D263FF71272796A8EED582C36294EEE9191F9 ] C:\Program Files (x86)\Microsoft Office\Office12\GrooveMonitor.exe
09:44:29.0816 0x1a30  GrooveMonitor - ok
09:44:29.0816 0x1a30  Dropbox - ok
09:44:29.0847 0x1a30  OneDriveSetup - ok
09:44:29.0847 0x1a30  OneDriveSetup - ok
09:44:29.0847 0x1a30  [ C2D2FFD27F46815951C9562F0A2EC864, 892A5DC5C3D797E3FD36230710BA9AF43ADA5CDFD19A03268D20D5A9DA3CCB3A ] C:\Users\loffa\AppData\Local\Microsoft\OneDrive\OneDrive.exe
09:44:29.0869 0x1a30  OneDrive - ok
09:44:29.0869 0x1a30  Waiting for KSN requests completion. In queue: 9
09:44:30.0889 0x1a30  Waiting for KSN requests completion. In queue: 5
09:44:31.0893 0x1a30  Waiting for KSN requests completion. In queue: 5
09:44:32.0924 0x1a30  AV detected via SS2: ThreatTrack Security VIPRE, C:\Program Files (x86)\VIPRE\SBAMWSC.EXE ( 9.0.1.4 ), 0x41000 ( enabled : updated )
09:44:32.0924 0x1a30  AV detected via SS2: Windows Defender, C:\Program Files\Windows Defender\MSASCui.exe ( 4.9.10586.0 ), 0x60100 ( disabled : updated )
09:44:32.0924 0x1a30  FW detected via SS2: ThreatTrack Security VIPRE, C:\Program Files (x86)\VIPRE\SBAMWSC.EXE ( 9.0.1.4 ), 0x41010 ( enabled )
09:44:35.0446 0x1a30  ============================================================
09:44:35.0446 0x1a30  Scan finished
09:44:35.0446 0x1a30  ============================================================
09:44:35.0446 0x10b0  Detected object count: 0
09:44:35.0446 0x10b0  Actual detected object count: 0
09:45:06.0053 0x213c  Deinitialize success



I also tried renaming it, still got the error. It isn't a read-only file and has permissions set for the user profile.

Running gmer after posting this reply, will post the log once gmer is done.

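Reading a TDSSKiller log like the one above by eye is error-prone: two objects (USBAAPL64 and the Lenovo keyboard daemon) were flagged as UnsignedFile.Multi.Generic and were reported "ok" only because the KSN cloud-reputation check vouched for them, and the MBR/VBR hashes are the values to compare against a rescan after a boot-sector rewrite. The following Python script is an added example, not part of the original post and not TDSSKiller's own code; its line patterns are inferred from the lines visible on this page, and the sample log is constructed from those lines plus one synthetic, uncleared detection (CONSTRUCTED_EXAMPLE, with the counts adjusted to match) and a placeholder rescan fragment whose MBR hash differs.

```python
"""Summarise a TDSSKiller log: which objects were flagged, whether the KSN
cloud-reputation check cleared them, and the boot-sector hashes to compare
against a later rescan.  Line patterns are inferred from the log above."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

LINE_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}\.\d{4})\s+(0x[0-9a-f]+)\s+(.*)$")
HASHED_RE = re.compile(r"^\[ ([0-9A-F]{32})(?:, ([0-9A-F]{64}))? \] (.+)$")
DETECT_RE = re.compile(r"^(.+?) - detected (\S+) \( \d+ \)$")
OK_RE = re.compile(r"^(.+?) - ok$")
COUNT_RE = re.compile(r"^Actual detected object count: (\d+)$")
KSN_CLEARED = "Detect skipped due to KSN trusted"

@dataclass
class Flagged:
    name: str
    verdict: str
    cleared_by_ksn: bool = False

@dataclass
class Summary:
    flagged: List[Flagged] = field(default_factory=list)
    boot_hashes: Dict[str, str] = field(default_factory=dict)  # device path -> MD5
    final_count: Optional[int] = None

def parse_tdsskiller_log(text: str) -> Summary:
    summary = Summary()
    section: Optional[str] = None
    pending: Optional[Flagged] = None  # last detection not yet resolved
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # blank lines or banners without a timestamp
        msg = m.group(3).strip()
        if msg.startswith("================ Scan "):
            section = msg.strip("= ")[len("Scan "):]  # e.g. "MBR", "VBR"
            continue
        hashed = HASHED_RE.match(msg)
        if hashed and section in ("MBR", "VBR"):
            summary.boot_hashes[hashed.group(3).strip()] = hashed.group(1)
            continue
        detect = DETECT_RE.match(msg)
        if detect:
            pending = Flagged(name=detect.group(1), verdict=detect.group(2))
            summary.flagged.append(pending)
            continue
        if msg == KSN_CLEARED and pending is not None:
            pending.cleared_by_ksn = True  # cloud reputation overrode the verdict
            continue
        if OK_RE.match(msg):
            pending = None  # the next "- ok" line closes the pending object
            continue
        count = COUNT_RE.match(msg)
        if count:
            summary.final_count = int(count.group(1))
    return summary

def items_needing_review(summary: Summary) -> List[str]:
    """Flagged objects that the cloud check did not clear."""
    return [f.name for f in summary.flagged if not f.cleared_by_ksn]

def changed_boot_hashes(before: Summary, after: Summary) -> List[str]:
    """Device paths whose MBR/VBR hash differs between two scans."""
    return sorted(p for p in before.boot_hashes
                  if after.boot_hashes.get(p) != before.boot_hashes[p])

# Constructed sample: lines copied from the log above, plus one synthetic,
# uncleared detection (CONSTRUCTED_EXAMPLE) with the count adjusted to match.
SAMPLE_LOG = r"""
09:44:21.0602 0x1a30  [ F957092C63CD71D85903CA0D8370F473, 4DEC2FC20329F248135DA24CB6694FD972DCCE8B1BBEA8D872FDE41939E96AAF ] USBAAPL64       C:\WINDOWS\System32\Drivers\usbaapl64.sys
09:44:21.0602 0x1a30  USBAAPL64 - detected UnsignedFile.Multi.Generic ( 1 )
09:44:22.0694 0x2a2c  Object send P2P result: true
09:44:24.0026 0x1a30  Detect skipped due to KSN trusted
09:44:24.0026 0x1a30  USBAAPL64 - ok
09:44:24.0561 0x1a30  ================ Scan MBR ==================================
09:44:24.0561 0x1a30  [ A36C5E4F47E84449FF07ED3517B43A31 ] \Device\Harddisk0\DR0
09:44:24.0592 0x1a30  \Device\Harddisk0\DR0 - ok
09:44:24.0592 0x1a30  ================ Scan VBR ==================================
09:44:24.0592 0x1a30  [ 8D6B7E1C5E97B7EB0B9C828A8B70A476 ] \Device\Harddisk0\DR0\Partition1
09:44:24.0592 0x1a30  \Device\Harddisk0\DR0\Partition1 - ok
09:44:24.0592 0x1a30  ================ Scan generic autorun ======================
09:44:24.0777 0x1a30  Enhanced Performance Keyboard - detected UnsignedFile.Multi.Generic ( 1 )
09:44:27.0206 0x1a30  Detect skipped due to KSN trusted
09:44:27.0206 0x1a30  Enhanced Performance Keyboard - ok
09:44:29.0900 0x1a30  CONSTRUCTED_EXAMPLE - detected Constructed.Example.Verdict ( 1 )
09:44:35.0446 0x10b0  Actual detected object count: 1
"""

# Constructed rescan fragment: same disk, MBR hash replaced by a placeholder.
SAMPLE_RESCAN = r"""
09:50:00.0000 0x1a30  ================ Scan MBR ==================================
09:50:00.0000 0x1a30  [ 00000000000000000000000000000000 ] \Device\Harddisk0\DR0
09:50:00.0000 0x1a30  ================ Scan VBR ==================================
09:50:00.0000 0x1a30  [ 8D6B7E1C5E97B7EB0B9C828A8B70A476 ] \Device\Harddisk0\DR0\Partition1
"""

if __name__ == "__main__":
    first = parse_tdsskiller_log(SAMPLE_LOG)
    for f in first.flagged:
        print(f"{f.name}: {f.verdict} (cleared by KSN: {f.cleared_by_ksn})")
    print("needs review:", items_needing_review(first))
    print("boot hashes changed on rescan:",
          changed_boot_hashes(first, parse_tdsskiller_log(SAMPLE_RESCAN)))
```

The point of separating "flagged" from "cleared by KSN" is that a final "Detected object count: 0" hides how many verdicts were overridden by cloud reputation; keeping that list, together with the MBR/VBR hashes from each run, gives a concrete before/after record when a boot sector has been rewritten and rescanned.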



#15 hakuri

  • Topic Starter
  • Members
  • 11 posts

Posted 07 April 2016 - 09:15 AM

Disabled the ethernet port through the network and sharing center access route. Shut down Vipre internet security. Ran GMER with admin rights, was prompted by Windows 10 if I really wanted to run the executable because the Windows security screen could not be reached because the computer could not access the internet. Clicked run anyway, its startup scan found rootkits. Set the settings as requested, ran the scan, saved the log, closed GMER, went through network and sharing center route to enable the ethernet port and the action crashed?

It sat there enabling the ethernet port with no activity, spinning wheel. Activity LED on the unit showed a constant and stable blink pattern, indicating a crash.

Tried to use the start menu to restart the unit, the unit stayed stuck on "restarting" with the same LED blink pattern. Had to hard power off the unit to restart it, the ethernet port is functioning again.

Thought it would be pertinent to report this.

GMER log attached.






