PDA

View Full Version : in need of help with malware removal


mla34
2012-04-12, 21:30
I am trying to fix my husband's laptop and I have been lucky enough to have benefitted from wonderful help here in the past for another computer in the house so I am looking forward to delving into another "adventure"!
I have run Microsoft Security Essentials, Spybot, and Malwarebytes AntiMalware scans and have deleted what I could but I am sure there is something lurking in the deep here so I turn to the experts! I ran ERUNT and am including the DDS log here but I'm not sure if I zipped the "attach.txt" file correctly. Please let me know if I need to fix it. Many thanks in advance for your expertise. Any help would be much appreciated!

DDS txt
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Home at 14:58:43 on 2012-04-12
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.73 [GMT -4:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.comcast.net/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.7227.1100\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\home\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_70C5B381380DB17F.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://www.shockwave.com/content/insaniquarium/sis/popcaploader_v10.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{6F3861E7-6528-4210-A9A9-EE79613318EF} : DhcpNameServer = 192.168.1.1
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL
LSA: Notification Packages = scecli scecli
Hosts: 127.0.0.1 www.spywareinfo.com
.
============= SERVICES / DRIVERS ===============
.
.
=============== Created Last 30 ================
.
2012-04-11 23:55:48 56200 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{38e91212-b480-4e13-9ae4-f7ed7becc7c4}\offreg.dll
2012-04-11 23:55:47 29904 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{38e91212-b480-4e13-9ae4-f7ed7becc7c4}\MpKsl1d15e7b3.sys
2012-04-11 21:37:23 6582328 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{38e91212-b480-4e13-9ae4-f7ed7becc7c4}\mpengine.dll
2012-04-10 18:41:25 -------- d-----w- c:\documents and settings\home\application data\Malwarebytes
2012-04-10 18:38:38 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2012-04-10 18:38:34 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-04-10 18:38:33 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-04-09 21:44:02 -------- d-----w- c:\program files\Spybot - Search & Destroy
2012-04-09 21:44:02 -------- d-----w- c:\documents and settings\all users\application data\Spybot - Search & Destroy
2012-04-09 21:36:19 -------- d-----w- c:\documents and settings\all users\application data\NortonInstaller
.
==================== Find3M ====================
.
2012-02-03 09:22:18 1860096 ----a-w- c:\windows\system32\win32k.sys
2012-01-31 12:44:05 237072 ------w- c:\windows\system32\MpSigStub.exe
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST94813AS rev.8.04 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8699549F]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8699c740]; MOV EAX, [0x8699c8b4]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x86D7AAB8]
3 CLASSPNP[0xF757EFD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\00000074[0x86CEC3B8]
5 ACPI[0xF7415620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x86CEB940]
\Driver\atapi[0x86BAC518] -> IRP_MJ_CREATE -> 0x8699549F
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x869952C6
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 15:00:59.31 ===============
oldman960
2012-04-13, 12:24
Hi mla34, welcome to the forum.

To make cleaning this machine easier
Please do not uninstall/install any programs unless asked to
It is more difficult when files/programs are appearing in/disappearing from the logs.
Please do not run any scans other than those requested
Please follow all instructions in the order posted
All logs/reports, etc.. must be posted in Notepad. Please ensure that word wrap is unchecked. In notepad click format, uncheck word wrap if it is checked.
Do not attach any logs/reports, etc.. unless specifically requested to do so.
If you have problems with or do not understand the instructions, Please ask before continuing.
Please stay with this thread until given the All Clear. A absence of symptoms does not mean a clean machine.





Download the latest version of TDSSKiller from here (http://support.kaspersky.com/downloads/utils/tdsskiller.exe) and save it to your Desktop.



Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.

http://i466.photobucket.com/albums/rr21/JSntgRvr/tdss_1.jpg

Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.

http://i466.photobucket.com/albums/rr21/JSntgRvr/tdss_2.jpg

Click the Start Scan button.

http://i466.photobucket.com/albums/rr21/JSntgRvr/tdss_3.jpg

If a suspicious object is detected, the default action will be Skip, click on Continue.

http://i466.photobucket.com/albums/rr21/JSntgRvr/tdss_4.jpg

If malicious objects are found, they will show in the Scan results and offer three (3) options.
Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

http://i466.photobucket.com/albums/rr21/JSntgRvr/tdss_5.jpg

Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.


A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents on your next reply.
mla34
2012-04-13, 15:10
Thanks so much for your help. Here is the log from the scan. Want to also mention that after the scan was completed, Microsoft Security Essentials popped up with finding 6 threats, all of which were trojans and wanted to clean. I did not do that since I want to check with you first to see what I should do next. Please let me know if I should ignore the request to clean for now. Thanks again. Maureen

07:57:34.0453 0860 TDSS rootkit removing tool 2.7.28.0 Apr 10 2012 16:54:05
07:57:44.0812 0860 ============================================================
07:57:44.0812 0860 Current date / time: 2012/04/13 07:57:44.0812
07:57:44.0812 0860 SystemInfo:
07:57:44.0812 0860
07:57:44.0812 0860 OS Version: 5.1.2600 ServicePack: 3.0
07:57:44.0812 0860 Product type: Workstation
07:57:44.0906 0860 ComputerName: 8G77SC1
07:57:44.0968 0860 UserName: Home
07:57:44.0968 0860 Windows directory: C:\WINDOWS
07:57:44.0968 0860 System windows directory: C:\WINDOWS
07:57:44.0968 0860 Processor architecture: Intel x86
07:57:44.0968 0860 Number of processors: 2
07:57:44.0968 0860 Page size: 0x1000
07:57:44.0968 0860 Boot type: Normal boot
07:57:44.0968 0860 ============================================================
07:58:59.0375 0860 Drive \Device\Harddisk0\DR0 - Size: 0x950A60000 (37.26 Gb), SectorSize: 0x200, Cylinders: 0x1300, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
07:58:59.0828 0860 \Device\Harddisk0\DR0:
07:59:00.0078 0860 MBR used
07:59:00.0078 0860 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x4A852C1
07:59:00.0671 0860 Initialize success
07:59:00.0671 0860 ============================================================
08:00:59.0843 1624 ============================================================
08:00:59.0968 1624 Scan started
08:00:59.0968 1624 Mode: Manual; SigCheck; TDLFS;
08:00:59.0968 1624 ============================================================
08:01:22.0843 1624 Abiosdsk - ok
08:01:23.0375 1624 abp480n5 - ok
08:01:23.0687 1624 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
08:03:32.0890 1624 ACPI - ok
08:03:34.0343 1624 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
08:05:33.0015 1624 ACPIEC - ok
08:05:37.0203 1624 adpu160m - ok
08:05:37.0828 1624 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
08:06:38.0203 1624 aec - ok
08:06:41.0781 1624 AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys
08:06:52.0984 1624 AFD - ok
08:06:56.0718 1624 Aha154x - ok
08:07:00.0234 1624 aic78u2 - ok
08:07:01.0765 1624 aic78xx - ok
08:07:04.0750 1624 Alerter (a9a3daa780ca6c9671a19d52456705b4) C:\WINDOWS\system32\alrsvc.dll
08:07:37.0968 1624 Alerter - ok
08:07:38.0968 1624 ALG (8c515081584a38aa007909cd02020b3d) C:\WINDOWS\System32\alg.exe
08:08:06.0015 1624 ALG - ok
08:08:06.0640 1624 AliIde - ok
08:08:07.0031 1624 amsint - ok
08:08:07.0421 1624 Apple Mobile Device (20f6f19fe9e753f2780dc2fa083ad597) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
08:08:14.0390 1624 Apple Mobile Device - ok
08:08:17.0000 1624 AppMgmt (d8849f77c0b66226335a59d26cb4edc6) C:\WINDOWS\System32\appmgmts.dll
08:08:19.0484 1624 AppMgmt - ok
08:08:19.0875 1624 asc - ok
08:08:20.0078 1624 asc3350p - ok
08:08:21.0093 1624 asc3550 - ok
08:08:21.0890 1624 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
08:08:23.0078 1624 AsyncMac - ok
08:08:24.0156 1624 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
08:08:25.0343 1624 atapi - ok
08:08:26.0093 1624 Atdisk - ok
08:08:26.0406 1624 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
08:08:26.0828 1624 Atmarpc - ok
08:08:27.0421 1624 AudioSrv (def7a7882bec100fe0b2ce2549188f9d) C:\WINDOWS\System32\audiosrv.dll
08:08:28.0734 1624 AudioSrv - ok
08:08:29.0406 1624 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
08:08:29.0625 1624 audstub - ok
08:08:31.0265 1624 b57w2k (c0acd392ece55784884cc208aafa06ce) C:\WINDOWS\system32\DRIVERS\b57xp32.sys
08:08:33.0234 1624 b57w2k - ok
08:08:35.0109 1624 BCM43XX (30d20fc98bcfd52e1da778cf19b223d4) C:\WINDOWS\system32\DRIVERS\bcmwl5.sys
08:08:37.0468 1624 BCM43XX - ok
08:08:39.0671 1624 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
08:08:40.0421 1624 Beep - ok
08:08:40.0890 1624 BITS (574738f61fca2935f5265dc4e5691314) C:\WINDOWS\system32\qmgr.dll
08:08:43.0906 1624 BITS - ok
08:08:46.0890 1624 Bonjour Service (1c87705ccb2f60172b0fc86b5d82f00d) C:\Program Files\Bonjour\mDNSResponder.exe
08:08:54.0343 1624 Bonjour Service - ok
08:08:54.0796 1624 Browser (a06ce3399d16db864f55faeb1f1927a9) C:\WINDOWS\System32\browser.dll
08:08:56.0187 1624 Browser - ok
08:08:57.0328 1624 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
08:08:57.0671 1624 cbidf2k - ok
08:08:58.0921 1624 cd20xrnt - ok
08:08:59.0046 1624 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
08:08:59.0312 1624 Cdaudio - ok
08:08:59.0421 1624 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
08:09:00.0000 1624 Cdfs - ok
08:09:00.0187 1624 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
08:09:00.0453 1624 Cdrom - ok
08:09:01.0281 1624 cercsr6 (84853b3fd012251690570e9e7e43343f) C:\WINDOWS\system32\drivers\cercsr6.sys
08:09:01.0406 1624 cercsr6 ( UnsignedFile.Multi.Generic ) - warning
08:09:01.0468 1624 cercsr6 - detected UnsignedFile.Multi.Generic (1)
08:09:02.0156 1624 Changer - ok
08:09:02.0984 1624 CiSvc (1cfe720eb8d93a7158a4ebc3ab178bde) C:\WINDOWS\system32\cisvc.exe
08:09:21.0046 1624 CiSvc - ok
08:09:22.0234 1624 ClipSrv (34cbe729f38138217f9c80212a2a0c82) C:\WINDOWS\system32\clipsrv.exe
08:13:42.0937 1624 ClipSrv - ok
08:14:41.0890 1624 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
08:14:54.0421 1624 CmBatt - ok
08:14:56.0281 1624 CmdIde - ok
08:14:58.0531 1624 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
08:14:59.0078 1624 Compbatt - ok
08:15:01.0843 1624 COMSysApp - ok
08:15:02.0109 1624 Cpqarray - ok
08:15:02.0437 1624 CryptSvc (3d4e199942e29207970e04315d02ad3b) C:\WINDOWS\System32\cryptsvc.dll
08:15:04.0656 1624 CryptSvc - ok
08:15:04.0812 1624 dac2w2k - ok
08:15:04.0984 1624 dac960nt - ok
08:15:05.0375 1624 DcomLaunch (6b27a5c03dfb94b4245739065431322c) C:\WINDOWS\system32\rpcss.dll
08:15:07.0312 1624 DcomLaunch - ok
08:15:07.0968 1624 Dhcp (5e38d7684a49cacfb752b046357e0589) C:\WINDOWS\System32\dhcpcsvc.dll
08:15:08.0937 1624 Dhcp - ok
08:15:09.0500 1624 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
08:15:09.0843 1624 Disk - ok
08:15:10.0031 1624 dmadmin - ok
08:15:34.0343 1624 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
08:18:09.0953 1624 dmboot - ok
08:18:29.0750 1624 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
08:20:54.0031 1624 dmio - ok
08:21:03.0921 1624 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
08:21:27.0828 1624 dmload - ok
08:21:33.0093 1624 dmserver (57edec2e5f59f0335e92f35184bc8631) C:\WINDOWS\System32\dmserver.dll
08:21:35.0203 1624 dmserver - ok
08:21:59.0437 1624 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
08:21:59.0750 1624 DMusic - ok
08:22:00.0531 1624 Dnscache (5f7e24fa9eab896051ffb87f840730d2) C:\WINDOWS\System32\dnsrslvr.dll
08:22:02.0546 1624 Dnscache - ok
08:22:03.0171 1624 Dot3svc (0f0f6e687e5e15579ef4da8dd6945814) C:\WINDOWS\System32\dot3svc.dll
08:22:05.0265 1624 Dot3svc - ok
08:22:05.0843 1624 dpti2o - ok
08:22:06.0171 1624 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
08:22:06.0468 1624 drmkaud - ok
08:22:06.0890 1624 EapHost (2187855a7703adef0cef9ee4285182cc) C:\WINDOWS\System32\eapsvc.dll
08:22:07.0890 1624 EapHost - ok
08:22:08.0765 1624 ERSvc (bc93b4a066477954555966d77fec9ecb) C:\WINDOWS\System32\ersvc.dll
08:22:09.0187 1624 ERSvc - ok
08:22:10.0984 1624 Eventlog (65df52f5b8b6e9bbd183505225c37315) C:\WINDOWS\system32\services.exe
08:22:12.0656 1624 Eventlog - ok
08:22:12.0984 1624 EventSystem (d4991d98f2db73c60d042f1aef79efae) C:\WINDOWS\system32\es.dll
08:22:14.0234 1624 EventSystem - ok
08:22:16.0218 1624 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
08:22:16.0609 1624 Fastfat - ok
08:22:17.0093 1624 FastUserSwitchingCompatibility (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll
08:22:17.0562 1624 FastUserSwitchingCompatibility - ok
08:22:18.0218 1624 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
08:22:18.0687 1624 Fdc - ok
08:22:20.0031 1624 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
08:22:20.0296 1624 Fips - ok
08:22:20.0984 1624 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
08:22:21.0343 1624 Flpydisk - ok
08:22:22.0656 1624 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
08:22:22.0937 1624 FltMgr - ok
08:22:23.0812 1624 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
08:22:24.0031 1624 Fs_Rec - ok
08:22:24.0984 1624 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
08:22:25.0421 1624 Ftdisk - ok
08:22:26.0328 1624 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
08:22:26.0656 1624 GEARAspiWDM - ok
08:22:27.0156 1624 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
08:22:27.0671 1624 Gpc - ok
08:22:28.0453 1624 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
08:22:28.0796 1624 HDAudBus - ok
08:22:29.0203 1624 helpsvc (4fcca060dfe0c51a09dd5c3843888bcd) C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll
08:22:29.0609 1624 helpsvc - ok
08:22:29.0984 1624 HidServ (deb04da35cc871b6d309b77e1443c796) C:\WINDOWS\System32\hidserv.dll
08:22:30.0296 1624 HidServ - ok
08:22:30.0953 1624 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
08:22:31.0218 1624 HidUsb - ok
08:22:33.0578 1624 hkmsvc (8878bd685e490239777bfe51320b88e9) C:\WINDOWS\System32\kmsvc.dll
08:22:34.0125 1624 hkmsvc - ok
08:22:35.0781 1624 hpn - ok
08:22:36.0750 1624 HSF_DPV (e8ec1767ea315a39a0dd8989952ca0e9) C:\WINDOWS\system32\DRIVERS\HSX_DPV.sys
08:22:38.0171 1624 HSF_DPV - ok
08:22:39.0531 1624 HSXHWAZL (61478fa42ee04562e7f11f4dca87e9c8) C:\WINDOWS\system32\DRIVERS\HSXHWAZL.sys
08:22:40.0062 1624 HSXHWAZL - ok
08:22:42.0046 1624 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
08:22:42.0750 1624 HTTP - ok
08:22:43.0734 1624 HTTPFilter (6100a808600f44d999cebdef8841c7a3) C:\WINDOWS\System32\w3ssl.dll
08:22:44.0015 1624 HTTPFilter - ok
08:22:44.0750 1624 i2omgmt - ok
08:22:45.0781 1624 i2omp - ok
08:22:46.0171 1624 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
08:22:46.0671 1624 i8042prt - ok
08:22:48.0171 1624 ialm (cc449157474d5e43daea7e20f52c635a) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
08:22:50.0015 1624 ialm - ok
08:22:51.0906 1624 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
08:22:52.0125 1624 Imapi - ok
08:22:52.0812 1624 ImapiService (30deaf54a9755bb8546168cfe8a6b5e1) C:\WINDOWS\system32\imapi.exe
08:22:53.0421 1624 ImapiService - ok
08:22:54.0203 1624 ini910u - ok
08:22:54.0984 1624 IntelIde - ok
08:22:56.0515 1624 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
08:22:56.0750 1624 intelppm - ok
08:22:58.0328 1624 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
08:22:58.0578 1624 Ip6Fw - ok
08:22:59.0125 1624 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
08:22:59.0484 1624 IpFilterDriver - ok
08:23:00.0500 1624 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
08:23:00.0843 1624 IpInIp - ok
08:23:01.0156 1624 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
08:23:01.0328 1624 IpNat - ok
08:23:02.0781 1624 iPod Service (f62c69376a95795fe7cdb1c778edaca4) C:\Program Files\iPod\bin\iPodService.exe
08:23:06.0000 1624 iPod Service - ok
08:23:06.0734 1624 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
08:23:07.0140 1624 IPSec - ok
08:23:08.0890 1624 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
08:23:09.0093 1624 IRENUM - ok
08:23:10.0578 1624 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
08:23:10.0921 1624 isapnp - ok
08:23:17.0640 1624 JavaQuickStarterService (9aa67569d5257462e230767510b0c815) C:\Program Files\Java\jre6\bin\jqs.exe
08:23:20.0359 1624 JavaQuickStarterService - ok
08:23:21.0281 1624 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
08:23:21.0484 1624 Kbdclass - ok
08:23:25.0484 1624 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
08:23:25.0953 1624 kmixer - ok
08:23:33.0625 1624 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
08:23:34.0093 1624 KSecDD - ok
08:23:35.0343 1624 lanmanserver (3a7c3cbe5d96b8ae96ce81f0b22fb527) C:\WINDOWS\System32\srvsvc.dll
08:23:35.0765 1624 lanmanserver - ok
08:23:37.0250 1624 lanmanworkstation (a8888a5327621856c0cec4e385f69309) C:\WINDOWS\System32\wkssvc.dll
08:23:37.0656 1624 lanmanworkstation - ok
08:23:38.0703 1624 lbrtfdc - ok
08:23:40.0484 1624 LmHosts (a7db739ae99a796d91580147e919cc59) C:\WINDOWS\System32\lmhsvc.dll
08:23:54.0187 1624 LmHosts - ok
08:23:55.0671 1624 mdmxsdk (e246a32c445056996074a397da56e815) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
08:23:55.0843 1624 mdmxsdk - ok
08:23:55.0937 1624 Messenger (986b1ff5814366d71e0ac5755c88f2d3) C:\WINDOWS\System32\msgsvc.dll
08:23:56.0125 1624 Messenger - ok
08:23:56.0171 1624 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
08:23:56.0390 1624 mnmdd - ok
08:23:56.0437 1624 mnmsrvc (d18f1f0c101d06a1c1adf26eed16fcdd) C:\WINDOWS\system32\mnmsrvc.exe
08:23:57.0078 1624 mnmsrvc - ok
08:23:57.0203 1624 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
08:23:57.0453 1624 Modem - ok
08:23:57.0515 1624 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
08:23:57.0718 1624 Mouclass - ok
08:23:58.0000 1624 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
08:23:58.0171 1624 mouhid - ok
08:23:58.0296 1624 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
08:23:58.0468 1624 MountMgr - ok
08:23:58.0593 1624 MpFilter (fee0baded54222e9f1dae9541212aab1) C:\WINDOWS\system32\DRIVERS\MpFilter.sys
08:23:58.0875 1624 MpFilter - ok
08:23:59.0109 1624 MpKslfe37dca4 (a69630d039c38018689190234f866d77) c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{563D876A-1A9B-458C-8DC3-1C982277ED9D}\MpKslfe37dca4.sys
08:23:59.0406 1624 MpKslfe37dca4 - ok
08:23:59.0500 1624 mraid35x - ok
08:23:59.0640 1624 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
08:23:59.0828 1624 MRxDAV - ok
08:24:00.0015 1624 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
08:24:00.0359 1624 MRxSmb - ok
08:24:00.0718 1624 MSDTC (a137f1470499a205abbb9aafb3b6f2b1) C:\WINDOWS\system32\msdtc.exe
08:24:01.0812 1624 MSDTC - ok
08:24:02.0890 1624 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
08:24:03.0062 1624 Msfs - ok
08:24:03.0625 1624 MSIServer - ok
08:24:04.0062 1624 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
08:24:04.0328 1624 MSKSSRV - ok
08:24:05.0250 1624 MsMpSvc (cfce43b70ca0cc4dcc8adb62b792b173) c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
08:24:05.0500 1624 MsMpSvc - ok
08:24:06.0687 1624 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
08:24:07.0265 1624 MSPCLOCK - ok
08:24:09.0375 1624 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
08:24:09.0687 1624 MSPQM - ok
08:24:10.0500 1624 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
08:24:10.0687 1624 mssmbios - ok
08:24:10.0968 1624 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
08:24:11.0390 1624 Mup - ok
08:24:12.0046 1624 napagent (0102140028fad045756796e1c685d695) C:\WINDOWS\System32\qagentrt.dll
08:24:13.0796 1624 napagent - ok
08:24:14.0187 1624 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
08:24:15.0390 1624 NDIS - ok
08:24:17.0187 1624 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
08:24:17.0343 1624 NdisTapi - ok
08:24:18.0984 1624 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
08:24:29.0187 1624 Ndisuio - ok
08:24:30.0593 1624 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
08:24:36.0390 1624 NdisWan - ok
08:24:40.0250 1624 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
08:24:44.0328 1624 NDProxy - ok
08:24:53.0734 1624 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
08:25:11.0265 1624 NetBIOS - ok
08:25:14.0265 1624 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
08:25:15.0984 1624 NetBT - ok
08:25:16.0218 1624 NetDDE (b857ba82860d7ff85ae29b095645563b) C:\WINDOWS\system32\netdde.exe
08:25:23.0546 1624 NetDDE - ok
08:25:23.0609 1624 NetDDEdsdm (b857ba82860d7ff85ae29b095645563b) C:\WINDOWS\system32\netdde.exe
08:25:23.0843 1624 NetDDEdsdm - ok
08:25:23.0937 1624 Netlogon (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
08:25:24.0140 1624 Netlogon - ok
08:25:24.0250 1624 Netman (13e67b55b3abd7bf3fe7aae5a0f9a9de) C:\WINDOWS\System32\netman.dll
08:25:25.0046 1624 Netman - ok
08:25:25.0171 1624 Nla (943337d786a56729263071623bbb9de5) C:\WINDOWS\System32\mswsock.dll
08:25:25.0578 1624 Nla - ok
08:25:25.0781 1624 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
08:25:25.0984 1624 Npfs - ok
08:25:26.0171 1624 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
08:25:26.0406 1624 Ntfs - ok
08:25:26.0515 1624 NtLmSsp (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
08:25:26.0656 1624 NtLmSsp - ok
08:25:26.0890 1624 NtmsSvc (156f64a3345bd23c600655fb4d10bc08) C:\WINDOWS\system32\ntmssvc.dll
08:25:27.0796 1624 NtmsSvc - ok
08:25:27.0906 1624 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
08:25:28.0140 1624 Null - ok
08:25:28.0250 1624 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
08:25:28.0453 1624 NwlnkFlt - ok
08:25:28.0531 1624 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
08:25:28.0781 1624 NwlnkFwd - ok
08:25:28.0968 1624 odserv (785f487a64950f3cb8e9f16253ba3b7b) C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE
08:25:29.0609 1624 odserv - ok
08:25:29.0796 1624 OMCI (cec7e2c6c1fa00c7ab2f5434f848ae51) C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS
08:25:29.0921 1624 OMCI ( UnsignedFile.Multi.Generic ) - warning
08:25:29.0968 1624 OMCI - detected UnsignedFile.Multi.Generic (1)
08:25:30.0109 1624 ose (5a432a042dae460abe7199b758e8606c) C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
08:25:30.0453 1624 ose - ok
08:25:30.0578 1624 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
08:25:30.0828 1624 Parport - ok
08:25:30.0859 1624 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
08:25:31.0015 1624 PartMgr - ok
08:25:31.0156 1624 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
08:25:31.0312 1624 ParVdm - ok
08:25:31.0359 1624 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
08:25:31.0546 1624 PCI - ok
08:25:31.0562 1624 PCIDump - ok
08:25:31.0593 1624 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
08:25:31.0765 1624 PCIIde - ok
08:25:31.0921 1624 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\DRIVERS\pcmcia.sys
08:25:32.0156 1624 Pcmcia - ok
08:25:32.0218 1624 PDCOMP - ok
08:25:32.0234 1624 PDFRAME - ok
08:25:32.0250 1624 PDRELI - ok
08:25:32.0265 1624 PDRFRAME - ok
08:25:32.0281 1624 perc2 - ok
08:25:32.0296 1624 perc2hib - ok
08:25:32.0359 1624 PlugPlay (65df52f5b8b6e9bbd183505225c37315) C:\WINDOWS\system32\services.exe
08:25:32.0656 1624 PlugPlay - ok
08:25:32.0750 1624 PolicyAgent (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
08:25:32.0968 1624 PolicyAgent - ok
08:25:33.0078 1624 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
08:25:33.0218 1624 PptpMiniport - ok
08:25:33.0421 1624 ProtectedStorage (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
08:25:33.0546 1624 ProtectedStorage - ok
08:25:33.0750 1624 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
08:25:34.0000 1624 PSched - ok
08:25:34.0140 1624 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
08:25:34.0343 1624 Ptilink - ok
08:25:34.0375 1624 ql1080 - ok
08:25:34.0437 1624 Ql10wnt - ok
08:25:34.0453 1624 ql12160 - ok
08:25:34.0515 1624 ql1240 - ok
08:25:34.0531 1624 ql1280 - ok
08:25:34.0578 1624 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
08:25:34.0859 1624 RasAcd - ok
08:25:34.0921 1624 RasAuto (ad188be7bdf94e8df4ca0a55c00a5073) C:\WINDOWS\System32\rasauto.dll
08:25:35.0750 1624 RasAuto - ok
08:25:36.0265 1624 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
08:25:36.0546 1624 Rasl2tp - ok
08:25:37.0093 1624 RasMan (76a9a3cbeadd68cc57cda5e1d7448235) C:\WINDOWS\System32\rasmans.dll
08:25:37.0515 1624 RasMan - ok
08:25:37.0640 1624 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
08:25:37.0921 1624 RasPppoe - ok
08:25:39.0312 1624 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
08:25:39.0500 1624 Raspti - ok
08:25:40.0203 1624 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
08:25:40.0906 1624 Rdbss - ok
08:25:41.0687 1624 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
08:25:41.0859 1624 RDPCDD - ok
08:25:41.0953 1624 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
08:25:42.0156 1624 rdpdr - ok
08:25:42.0218 1624 RDPWD (5b3055daa788bd688594d2f5981f2a83) C:\WINDOWS\system32\drivers\RDPWD.sys
08:25:42.0390 1624 RDPWD - ok
08:25:42.0640 1624 RDSessMgr (3c37bf86641bda977c3bf8a840f3b7fa) C:\WINDOWS\system32\sessmgr.exe
08:25:43.0531 1624 RDSessMgr - ok
08:25:43.0953 1624 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
08:25:44.0218 1624 redbook - ok
08:25:44.0296 1624 RemoteAccess (7e699ff5f59b5d9de5390e3c34c67cf5) C:\WINDOWS\System32\mprdim.dll
08:25:44.0515 1624 RemoteAccess - ok
08:25:44.0640 1624 RemoteRegistry (5b19b557b0c188210a56a6b699d90b8f) C:\WINDOWS\system32\regsvc.dll
08:25:44.0812 1624 RemoteRegistry - ok
08:25:44.0843 1624 RpcLocator (aaed593f84afa419bbae8572af87cf6a) C:\WINDOWS\system32\locator.exe
08:25:45.0109 1624 RpcLocator - ok
08:25:45.0265 1624 RpcSs (6b27a5c03dfb94b4245739065431322c) C:\WINDOWS\system32\rpcss.dll
08:25:45.0421 1624 RpcSs - ok
08:25:45.0484 1624 RSVP (471b3f9741d762abe75e9deea4787e47) C:\WINDOWS\system32\rsvp.exe
08:25:45.0734 1624 RSVP - ok
08:25:45.0765 1624 SamSs (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
08:25:45.0906 1624 SamSs - ok
08:25:46.0093 1624 SCardSvr (86d007e7a654b9a71d1d7d856b104353) C:\WINDOWS\System32\SCardSvr.exe
08:25:46.0343 1624 SCardSvr - ok
08:25:46.0453 1624 Schedule (0a9a7365a1ca4319aa7c1d6cd8e4eafa) C:\WINDOWS\system32\schedsvc.dll
08:25:46.0718 1624 Schedule - ok
08:25:46.0843 1624 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
08:25:47.0015 1624 Secdrv - ok
08:25:47.0406 1624 seclogon (cbe612e2bb6a10e3563336191eda1250) C:\WINDOWS\System32\seclogon.dll
08:25:48.0265 1624 seclogon - ok
08:25:48.0453 1624 SENS (7fdd5d0684eca8c1f68b4d99d124dcd0) C:\WINDOWS\system32\sens.dll
08:25:48.0640 1624 SENS - ok
08:25:48.0796 1624 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
08:25:48.0937 1624 serenum - ok
08:25:49.0390 1624 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
08:25:49.0593 1624 Serial - ok
08:25:49.0718 1624 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
08:25:49.0921 1624 Sfloppy - ok
08:25:50.0328 1624 SharedAccess (83f41d0d89645d7235c051ab1d9523ac) C:\WINDOWS\System32\ipnathlp.dll
08:25:52.0125 1624 SharedAccess - ok
08:25:52.0953 1624 ShellHWDetection (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll
08:25:53.0156 1624 ShellHWDetection - ok
08:25:55.0156 1624 Simbad - ok
08:25:56.0296 1624 Sparrow - ok
08:25:57.0687 1624 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
08:25:57.0937 1624 splitter - ok
08:25:58.0250 1624 Spooler (60784f891563fb1b767f70117fc2428f) C:\WINDOWS\system32\spoolsv.exe
08:25:58.0453 1624 Spooler - ok
08:25:59.0140 1624 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
08:25:59.0500 1624 sr - ok
08:26:00.0093 1624 srservice (3805df0ac4296a34ba4bf93b346cc378) C:\WINDOWS\system32\srsvc.dll
08:26:00.0656 1624 srservice - ok
08:26:01.0218 1624 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
08:26:01.0968 1624 Srv - ok
08:26:02.0171 1624 SSDPSRV (0a5679b3714edab99e357057ee88fca6) C:\WINDOWS\System32\ssdpsrv.dll
08:26:02.0562 1624 SSDPSRV - ok
08:26:03.0093 1624 STHDA (3ad78e22210d3fbd9f76de84a8df19b5) C:\WINDOWS\system32\drivers\sthda.sys
08:26:03.0390 1624 STHDA - ok
08:26:03.0875 1624 stisvc (8bad69cbac032d4bbacfce0306174c30) C:\WINDOWS\system32\wiaservc.dll
08:26:04.0593 1624 stisvc - ok
08:26:04.0718 1624 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
08:26:05.0687 1624 swenum - ok
08:26:06.0156 1624 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
08:26:06.0328 1624 swmidi - ok
08:26:06.0546 1624 SwPrv - ok
08:26:06.0718 1624 symc810 - ok
08:26:06.0765 1624 symc8xx - ok
08:26:06.0781 1624 sym_hi - ok
08:26:06.0906 1624 sym_u3 - ok
08:26:07.0031 1624 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
08:26:07.0250 1624 sysaudio - ok
08:26:07.0281 1624 SysmonLog (c7abbc59b43274b1109df6b24d617051) C:\WINDOWS\system32\smlogsvc.exe
08:26:07.0671 1624 SysmonLog - ok
08:26:07.0859 1624 TapiSrv (3cb78c17bb664637787c9a1c98f79c38) C:\WINDOWS\System32\tapisrv.dll
08:26:08.0156 1624 TapiSrv - ok
08:26:08.0625 1624 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
08:26:08.0859 1624 Tcpip - ok
08:26:08.0953 1624 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
08:26:09.0125 1624 TDPIPE - ok
08:26:09.0203 1624 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
08:26:09.0437 1624 TDTCP - ok
08:26:09.0515 1624 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
08:26:09.0687 1624 TermDD - ok
08:26:09.0796 1624 TermService (ff3477c03be7201c294c35f684b3479f) C:\WINDOWS\System32\termsrv.dll
08:26:10.0046 1624 TermService - ok
08:26:10.0140 1624 Themes (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll
08:26:10.0234 1624 Themes - ok
08:26:10.0281 1624 TlntSvr (db7205804759ff62c34e3efd8a4cc76a) C:\WINDOWS\system32\tlntsvr.exe
08:26:10.0609 1624 TlntSvr - ok
08:26:10.0625 1624 TosIde - ok
08:26:10.0703 1624 TrkWks (55bca12f7f523d35ca3cb833c725f54e) C:\WINDOWS\system32\trkwks.dll
08:26:10.0843 1624 TrkWks - ok
08:26:10.0890 1624 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
08:26:11.0093 1624 Udfs - ok
08:26:11.0125 1624 UIUSys - ok
08:26:11.0140 1624 ultra - ok
08:26:11.0218 1624 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
08:26:11.0421 1624 Update - ok
08:26:11.0531 1624 upnphost (1ebafeb9a3fbdc41b8d9c7f0f687ad91) C:\WINDOWS\System32\upnphost.dll
08:26:11.0750 1624 upnphost - ok
08:26:11.0843 1624 UPS (05365fb38fca1e98f7a566aaaf5d1815) C:\WINDOWS\System32\ups.exe
08:26:12.0093 1624 UPS - ok
08:26:12.0250 1624 USBAAPL (83cafcb53201bbac04d822f32438e244) C:\WINDOWS\system32\Drivers\usbaapl.sys
08:26:12.0375 1624 USBAAPL - ok
08:26:12.0453 1624 USBCCID (6b5e4d5e6e5ecd6acd14aed59768ce5c) C:\WINDOWS\system32\DRIVERS\usbccid.sys
08:26:12.0546 1624 USBCCID - ok
08:26:12.0593 1624 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
08:26:12.0765 1624 usbehci - ok
08:26:12.0812 1624 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
08:26:13.0000 1624 usbhub - ok
08:26:13.0078 1624 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
08:26:13.0234 1624 usbscan - ok
08:26:13.0296 1624 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
08:26:13.0453 1624 USBSTOR - ok
08:26:13.0546 1624 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
08:26:13.0718 1624 usbuhci - ok
08:26:14.0468 1624 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
08:26:14.0640 1624 VgaSave - ok
08:26:14.0703 1624 ViaIde - ok
08:26:14.0781 1624 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
08:26:15.0062 1624 VolSnap - ok
08:26:15.0265 1624 VSS (7a9db3a67c333bf0bd42e42b8596854b) C:\WINDOWS\System32\vssvc.exe
08:26:16.0468 1624 VSS - ok
08:26:17.0031 1624 W32Time (54af4b1d5459500ef0937f6d33b1914f) C:\WINDOWS\system32\w32time.dll
08:26:17.0375 1624 W32Time - ok
08:26:20.0484 1624 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
08:26:20.0687 1624 Wanarp - ok
08:26:21.0140 1624 WDICA - ok
08:26:21.0390 1624 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
08:26:21.0640 1624 wdmaud - ok
08:26:21.0828 1624 WebClient (77a354e28153ad2d5e120a5a8687bc06) C:\WINDOWS\System32\webclnt.dll
08:26:22.0093 1624 WebClient - ok
08:26:22.0671 1624 winachsf (ba6b6fb242a6ba4068c8b763063beb63) C:\WINDOWS\system32\DRIVERS\HSX_CNXT.sys
08:26:22.0843 1624 winachsf - ok
08:26:23.0000 1624 winmgmt (2d0e4ed081963804ccc196a0929275b5) C:\WINDOWS\system32\wbem\WMIsvc.dll
08:26:23.0296 1624 winmgmt - ok
08:26:23.0406 1624 wltrysvc - ok
08:26:23.0468 1624 WmdmPmSN (c7e39ea41233e9f5b86c8da3a9f1e4a8) C:\WINDOWS\system32\mspmsnsv.dll
08:26:23.0671 1624 WmdmPmSN - ok
08:26:23.0765 1624 Wmi (e76f8807070ed04e7408a86d6d3a6137) C:\WINDOWS\System32\advapi32.dll
08:26:24.0234 1624 Wmi - ok
08:26:24.0359 1624 WmiAcpi (c42584fd66ce9e17403aebca199f7bdb) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
08:26:24.0500 1624 WmiAcpi - ok
08:26:24.0609 1624 WmiApSrv (e0673f1106e62a68d2257e376079f821) C:\WINDOWS\system32\wbem\wmiapsrv.exe
08:26:24.0906 1624 WmiApSrv - ok
08:26:25.0031 1624 wscsvc (7c278e6408d1dce642230c0585a854d5) C:\WINDOWS\system32\wscsvc.dll
08:26:25.0281 1624 wscsvc - ok
08:26:25.0343 1624 wuauserv (35321fb577cdc98ce3eb3a3eb9e4610a) C:\WINDOWS\system32\wuauserv.dll
08:26:25.0500 1624 wuauserv - ok
08:26:25.0593 1624 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
08:26:25.0796 1624 WudfPf - ok
08:26:25.0875 1624 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
08:26:26.0000 1624 WudfRd - ok
08:26:26.0078 1624 WudfSvc (05231c04253c5bc30b26cbaae680ed89) C:\WINDOWS\System32\WUDFSvc.dll
08:26:26.0218 1624 WudfSvc - ok
08:26:26.0296 1624 WZCSVC (81dc3f549f44b1c1fff022dec9ecf30b) C:\WINDOWS\System32\wzcsvc.dll
08:26:26.0656 1624 WZCSVC - ok
08:26:26.0984 1624 xmlprov (295d21f14c335b53cb8154e5b1f892b9) C:\WINDOWS\System32\xmlprov.dll
08:26:27.0156 1624 xmlprov - ok
08:26:27.0218 1624 MBR (0x1B8) (faee7e40dfb0440ad2cfc39befa1f4c2) \Device\Harddisk0\DR0
08:26:27.0265 1624 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - infected
08:26:27.0281 1624 \Device\Harddisk0\DR0 - detected Rootkit.Boot.Pihar.b (0)
08:26:27.0375 1624 \Device\Harddisk0\DR0 ( TDSS File System ) - warning
08:26:27.0375 1624 \Device\Harddisk0\DR0 - detected TDSS File System (1)
08:26:27.0375 1624 Boot (0x1200) (c54b50610ab89d8fbf934a77ccb25f96) \Device\Harddisk0\DR0\Partition0
08:26:27.0390 1624 \Device\Harddisk0\DR0\Partition0 - ok
08:26:27.0390 1624 ============================================================
08:26:27.0390 1624 Scan finished
08:26:27.0390 1624 ============================================================
08:26:28.0953 3044 Detected object count: 4
08:26:28.0968 3044 Actual detected object count: 4
08:35:06.0890 3044 cercsr6 ( UnsignedFile.Multi.Generic ) - skipped by user
08:35:07.0062 3044 cercsr6 ( UnsignedFile.Multi.Generic ) - User select action: Skip
08:35:07.0062 3044 OMCI ( UnsignedFile.Multi.Generic ) - skipped by user
08:35:07.0062 3044 OMCI ( UnsignedFile.Multi.Generic ) - User select action: Skip
08:35:35.0296 3044 \Device\Harddisk0\DR0\# - copied to quarantine
08:35:41.0234 3044 \Device\Harddisk0\DR0 - copied to quarantine
08:36:06.0015 3044 \Device\Harddisk0\DR0\TDLFS\phm - copied to quarantine
08:36:07.0140 3044 \Device\Harddisk0\DR0\TDLFS\ph.dll - copied to quarantine
08:36:24.0750 3044 \Device\Harddisk0\DR0\TDLFS\phx.dll - copied to quarantine
08:36:26.0937 3044 \Device\Harddisk0\DR0\TDLFS\sub.dll - copied to quarantine
08:36:27.0250 3044 \Device\Harddisk0\DR0\TDLFS\subx.dll - copied to quarantine
08:36:28.0234 3044 \Device\Harddisk0\DR0\TDLFS\phd - copied to quarantine
08:36:31.0484 3044 \Device\Harddisk0\DR0\TDLFS\phdx - copied to quarantine
08:36:32.0109 3044 \Device\Harddisk0\DR0\TDLFS\phs - copied to quarantine
08:36:32.0187 3044 \Device\Harddisk0\DR0\TDLFS\phdata - copied to quarantine
08:36:32.0218 3044 \Device\Harddisk0\DR0\TDLFS\phld - copied to quarantine
08:36:32.0593 3044 \Device\Harddisk0\DR0\TDLFS\phln - copied to quarantine
08:36:33.0156 3044 \Device\Harddisk0\DR0\TDLFS\phlx - copied to quarantine
08:36:33.0406 3044 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - will be cured on reboot
08:36:33.0406 3044 \Device\Harddisk0\DR0 - ok
08:36:33.0515 3044 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - User select action: Cure
08:36:33.0515 3044 \Device\Harddisk0\DR0 ( TDSS File System ) - skipped by user
08:36:33.0515 3044 \Device\Harddisk0\DR0 ( TDSS File System ) - User select action: Skip
08:40:21.0843 3212 Deinitialize success
oldman960
2012-04-13, 17:19
Hi mla34,


AVs are notorious for detecting things after the fact. :banghead:

Please rerun TDSKiller. This time when presented with these lines


08:26:27.0375 1624 \Device\Harddisk0\DR0 ( TDSS File System ) - warning
08:26:27.0375 1624 \Device\Harddisk0\DR0 - detected TDSS File System (1)
use the dropdown menu and select delete.

MSE still detecting anything?


Next


Download aswMBR.exe (http://public.avast.com/~gmerek/aswMBR.exe) to your desktop.

Double click the aswMBR.exe to run it. If asked to download Avast's database please do so.

Click the "Scan" button to start scan
http://public.avast.com/~gmerek/aswMBR1.png

On completion of the scan click save log, save it to your desktop and post in your next reply
http://public.avast.com/~gmerek/aswMBR2.png

There shall also be a file on your desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) folder. Please attach that zipped file in your next reply.


Please post back with
TDSK log
aswMBR log
MBR.zip (attached)
How's the computer?
mla34
2012-04-13, 18:23
Should I change the parameters this time, like I did the last time, before I run the scan?
oldman960
2012-04-13, 23:54
Hi mla34,

Yes set it up like you did before.
mla34
2012-04-14, 13:54
Sorry for nit-picking here but I want to be sure I do things correctly. The scan says there are 3 threats detected, all of which have medium risk. Two "unassigned files" (Service:cercsr6 and Service:OMCI) and "TDSS File System"(Physical Drive: \Device\Harddisk0\DR0). If I am understanding you correctly, I am to delete this last threat but what do I do with the first two?
Thanks for your patience!
oldman960
2012-04-14, 16:21
Hi mla34,

Just delete the "TDSS File System"(Physical Drive: \Device\Harddisk0\DR0). line. Use skip on the other 2.
mla34
2012-04-14, 17:41
Ok, see results of scans below. MSE popped up with 5 potential threats and has "suspended" them. I just closed it and then while I was downloading aswMBR MSE popped up and said the computer has been cleaned. I did not prompt it to do anything....not sure if that is due to the infection or if the automatic cleaning is set in preferences. I didn't even think to check that and I hope it is not a problem. I am also attaching the MBR file zipped.
Anyway, I will close up and spend a bit of time on the computer and see how it is and let you know. In the meantime if there is something else you want me to do, let me know. Thanks so much!

07:36:57.0609 1700 TDSS rootkit removing tool 2.7.28.0 Apr 10 2012 16:54:05
07:36:57.0906 1700 ============================================================
07:36:57.0906 1700 Current date / time: 2012/04/14 07:36:57.0906
07:36:57.0906 1700 SystemInfo:
07:36:57.0906 1700
07:36:57.0906 1700 OS Version: 5.1.2600 ServicePack: 3.0
07:36:57.0906 1700 Product type: Workstation
07:36:57.0906 1700 ComputerName: 8G77SC1
07:36:57.0906 1700 UserName: Home
07:36:57.0906 1700 Windows directory: C:\WINDOWS
07:36:57.0906 1700 System windows directory: C:\WINDOWS
07:36:57.0906 1700 Processor architecture: Intel x86
07:36:57.0906 1700 Number of processors: 2
07:36:57.0906 1700 Page size: 0x1000
07:36:57.0906 1700 Boot type: Normal boot
07:36:57.0906 1700 ============================================================
07:37:01.0093 1700 Drive \Device\Harddisk0\DR0 - Size: 0x950A60000 (37.26 Gb), SectorSize: 0x200, Cylinders: 0x1300, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
07:37:01.0093 1700 \Device\Harddisk0\DR0:
07:37:01.0093 1700 MBR used
07:37:01.0093 1700 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x4A852C1
07:37:01.0140 1700 Initialize success
07:37:01.0140 1700 ============================================================
07:37:08.0921 3132 ============================================================
07:37:08.0921 3132 Scan started
07:37:08.0921 3132 Mode: Manual; SigCheck; TDLFS;
07:37:08.0921 3132 ============================================================
07:37:09.0328 3132 Abiosdsk - ok
07:37:09.0343 3132 abp480n5 - ok
07:37:09.0421 3132 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
07:37:10.0578 3132 ACPI - ok
07:37:10.0750 3132 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
07:37:10.0890 3132 ACPIEC - ok
07:37:10.0953 3132 adpu160m - ok
07:37:11.0015 3132 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
07:37:11.0218 3132 aec - ok
07:37:11.0296 3132 AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys
07:37:11.0468 3132 AFD - ok
07:37:11.0468 3132 Aha154x - ok
07:37:11.0484 3132 aic78u2 - ok
07:37:11.0500 3132 aic78xx - ok
07:37:11.0531 3132 Alerter (a9a3daa780ca6c9671a19d52456705b4) C:\WINDOWS\system32\alrsvc.dll
07:37:11.0750 3132 Alerter - ok
07:37:11.0859 3132 ALG (8c515081584a38aa007909cd02020b3d) C:\WINDOWS\System32\alg.exe
07:37:12.0078 3132 ALG - ok
07:37:12.0156 3132 AliIde - ok
07:37:12.0187 3132 amsint - ok
07:37:12.0328 3132 Apple Mobile Device (20f6f19fe9e753f2780dc2fa083ad597) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
07:37:12.0578 3132 Apple Mobile Device - ok
07:37:12.0703 3132 AppMgmt (d8849f77c0b66226335a59d26cb4edc6) C:\WINDOWS\System32\appmgmts.dll
07:37:12.0984 3132 AppMgmt - ok
07:37:13.0015 3132 asc - ok
07:37:13.0046 3132 asc3350p - ok
07:37:13.0062 3132 asc3550 - ok
07:37:13.0140 3132 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
07:37:13.0296 3132 AsyncMac - ok
07:37:13.0343 3132 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
07:37:13.0562 3132 atapi - ok
07:37:13.0625 3132 Atdisk - ok
07:37:13.0656 3132 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
07:37:13.0859 3132 Atmarpc - ok
07:37:14.0078 3132 AudioSrv (def7a7882bec100fe0b2ce2549188f9d) C:\WINDOWS\System32\audiosrv.dll
07:37:14.0250 3132 AudioSrv - ok
07:37:14.0328 3132 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
07:37:14.0468 3132 audstub - ok
07:37:14.0578 3132 b57w2k (c0acd392ece55784884cc208aafa06ce) C:\WINDOWS\system32\DRIVERS\b57xp32.sys
07:37:14.0687 3132 b57w2k - ok
07:37:14.0796 3132 BCM43XX (30d20fc98bcfd52e1da778cf19b223d4) C:\WINDOWS\system32\DRIVERS\bcmwl5.sys
07:37:14.0890 3132 BCM43XX - ok
07:37:15.0046 3132 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
07:37:15.0218 3132 Beep - ok
07:37:15.0281 3132 BITS (574738f61fca2935f5265dc4e5691314) C:\WINDOWS\system32\qmgr.dll
07:37:15.0515 3132 BITS - ok
07:37:15.0656 3132 Bonjour Service (1c87705ccb2f60172b0fc86b5d82f00d) C:\Program Files\Bonjour\mDNSResponder.exe
07:37:15.0734 3132 Bonjour Service - ok
07:37:15.0890 3132 Browser (a06ce3399d16db864f55faeb1f1927a9) C:\WINDOWS\System32\browser.dll
07:37:16.0031 3132 Browser - ok
07:37:16.0125 3132 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
07:37:16.0265 3132 cbidf2k - ok
07:37:16.0328 3132 cd20xrnt - ok
07:37:16.0390 3132 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
07:37:16.0562 3132 Cdaudio - ok
07:37:16.0609 3132 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
07:37:16.0765 3132 Cdfs - ok
07:37:16.0828 3132 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
07:37:16.0984 3132 Cdrom - ok
07:37:17.0031 3132 cercsr6 (84853b3fd012251690570e9e7e43343f) C:\WINDOWS\system32\drivers\cercsr6.sys
07:37:17.0093 3132 cercsr6 ( UnsignedFile.Multi.Generic ) - warning
07:37:17.0093 3132 cercsr6 - detected UnsignedFile.Multi.Generic (1)
07:37:17.0109 3132 Changer - ok
07:37:17.0140 3132 CiSvc (1cfe720eb8d93a7158a4ebc3ab178bde) C:\WINDOWS\system32\cisvc.exe
07:37:17.0390 3132 CiSvc - ok
07:37:17.0421 3132 ClipSrv (34cbe729f38138217f9c80212a2a0c82) C:\WINDOWS\system32\clipsrv.exe
07:37:17.0609 3132 ClipSrv - ok
07:37:17.0656 3132 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
07:37:17.0796 3132 CmBatt - ok
07:37:17.0796 3132 CmdIde - ok
07:37:17.0828 3132 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
07:37:17.0968 3132 Compbatt - ok
07:37:17.0984 3132 COMSysApp - ok
07:37:18.0000 3132 Cpqarray - ok
07:37:18.0031 3132 CryptSvc (3d4e199942e29207970e04315d02ad3b) C:\WINDOWS\System32\cryptsvc.dll
07:37:18.0203 3132 CryptSvc - ok
07:37:18.0218 3132 dac2w2k - ok
07:37:18.0218 3132 dac960nt - ok
07:37:18.0281 3132 DcomLaunch (6b27a5c03dfb94b4245739065431322c) C:\WINDOWS\system32\rpcss.dll
07:37:18.0468 3132 DcomLaunch - ok
07:37:18.0531 3132 Dhcp (5e38d7684a49cacfb752b046357e0589) C:\WINDOWS\System32\dhcpcsvc.dll
07:37:18.0687 3132 Dhcp - ok
07:37:18.0750 3132 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
07:37:18.0890 3132 Disk - ok
07:37:18.0890 3132 dmadmin - ok
07:37:18.0953 3132 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
07:37:19.0156 3132 dmboot - ok
07:37:19.0203 3132 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
07:37:19.0359 3132 dmio - ok
07:37:19.0406 3132 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
07:37:19.0531 3132 dmload - ok
07:37:19.0562 3132 dmserver (57edec2e5f59f0335e92f35184bc8631) C:\WINDOWS\System32\dmserver.dll
07:37:19.0703 3132 dmserver - ok
07:37:19.0750 3132 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
07:37:19.0906 3132 DMusic - ok
07:37:19.0953 3132 Dnscache (5f7e24fa9eab896051ffb87f840730d2) C:\WINDOWS\System32\dnsrslvr.dll
07:37:20.0078 3132 Dnscache - ok
07:37:20.0171 3132 Dot3svc (0f0f6e687e5e15579ef4da8dd6945814) C:\WINDOWS\System32\dot3svc.dll
07:37:20.0375 3132 Dot3svc - ok
07:37:20.0406 3132 dpti2o - ok
07:37:20.0671 3132 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
07:37:20.0812 3132 drmkaud - ok
07:37:21.0234 3132 EapHost (2187855a7703adef0cef9ee4285182cc) C:\WINDOWS\System32\eapsvc.dll
07:37:21.0375 3132 EapHost - ok
07:37:21.0515 3132 ERSvc (bc93b4a066477954555966d77fec9ecb) C:\WINDOWS\System32\ersvc.dll
07:37:21.0671 3132 ERSvc - ok
07:37:21.0781 3132 Eventlog (65df52f5b8b6e9bbd183505225c37315) C:\WINDOWS\system32\services.exe
07:37:21.0890 3132 Eventlog - ok
07:37:22.0312 3132 EventSystem (d4991d98f2db73c60d042f1aef79efae) C:\WINDOWS\system32\es.dll
07:37:22.0562 3132 EventSystem - ok
07:37:23.0187 3132 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
07:37:23.0796 3132 Fastfat - ok
07:37:23.0921 3132 FastUserSwitchingCompatibility (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll
07:37:24.0031 3132 FastUserSwitchingCompatibility - ok
07:37:24.0109 3132 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
07:37:24.0312 3132 Fdc - ok
07:37:24.0468 3132 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
07:37:24.0609 3132 Fips - ok
07:37:24.0625 3132 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
07:37:24.0765 3132 Flpydisk - ok
07:37:24.0812 3132 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
07:37:24.0984 3132 FltMgr - ok
07:37:25.0046 3132 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
07:37:25.0187 3132 Fs_Rec - ok
07:37:25.0187 3132 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
07:37:25.0390 3132 Ftdisk - ok
07:37:25.0437 3132 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
07:37:25.0500 3132 GEARAspiWDM - ok
07:37:25.0531 3132 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
07:37:25.0656 3132 Gpc - ok
07:37:25.0703 3132 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
07:37:25.0859 3132 HDAudBus - ok
07:37:25.0937 3132 helpsvc (4fcca060dfe0c51a09dd5c3843888bcd) C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll
07:37:26.0109 3132 helpsvc - ok
07:37:26.0250 3132 HidServ (deb04da35cc871b6d309b77e1443c796) C:\WINDOWS\System32\hidserv.dll
07:37:26.0515 3132 HidServ - ok
07:37:26.0609 3132 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
07:37:26.0812 3132 HidUsb - ok
07:37:26.0890 3132 hkmsvc (8878bd685e490239777bfe51320b88e9) C:\WINDOWS\System32\kmsvc.dll
07:37:27.0062 3132 hkmsvc - ok
07:37:27.0093 3132 hpn - ok
07:37:27.0234 3132 HSF_DPV (e8ec1767ea315a39a0dd8989952ca0e9) C:\WINDOWS\system32\DRIVERS\HSX_DPV.sys
07:37:27.0390 3132 HSF_DPV - ok
07:37:27.0468 3132 HSXHWAZL (61478fa42ee04562e7f11f4dca87e9c8) C:\WINDOWS\system32\DRIVERS\HSXHWAZL.sys
07:37:27.0531 3132 HSXHWAZL - ok
07:37:27.0640 3132 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
07:37:27.0734 3132 HTTP - ok
07:37:27.0812 3132 HTTPFilter (6100a808600f44d999cebdef8841c7a3) C:\WINDOWS\System32\w3ssl.dll
07:37:28.0000 3132 HTTPFilter - ok
07:37:28.0093 3132 i2omgmt - ok
07:37:28.0125 3132 i2omp - ok
07:37:28.0218 3132 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
07:37:28.0375 3132 i8042prt - ok
07:37:28.0531 3132 ialm (cc449157474d5e43daea7e20f52c635a) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
07:37:28.0968 3132 ialm - ok
07:37:29.0078 3132 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
07:37:29.0281 3132 Imapi - ok
07:37:29.0421 3132 ImapiService (30deaf54a9755bb8546168cfe8a6b5e1) C:\WINDOWS\system32\imapi.exe
07:37:29.0609 3132 ImapiService - ok
07:37:29.0656 3132 ini910u - ok
07:37:29.0703 3132 IntelIde - ok
07:37:29.0765 3132 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
07:37:29.0968 3132 intelppm - ok
07:37:30.0046 3132 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
07:37:30.0203 3132 Ip6Fw - ok
07:37:30.0250 3132 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
07:37:30.0390 3132 IpFilterDriver - ok
07:37:30.0484 3132 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
07:37:30.0656 3132 IpInIp - ok
07:37:30.0687 3132 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
07:37:30.0828 3132 IpNat - ok
07:37:30.0984 3132 iPod Service (f62c69376a95795fe7cdb1c778edaca4) C:\Program Files\iPod\bin\iPodService.exe
07:37:31.0140 3132 iPod Service - ok
07:37:31.0281 3132 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
07:37:31.0468 3132 IPSec - ok
07:37:31.0562 3132 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
07:37:31.0734 3132 IRENUM - ok
07:37:31.0859 3132 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
07:37:32.0062 3132 isapnp - ok
07:37:32.0234 3132 JavaQuickStarterService (9aa67569d5257462e230767510b0c815) C:\Program Files\Java\jre6\bin\jqs.exe
07:37:32.0390 3132 JavaQuickStarterService - ok
07:37:32.0500 3132 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
07:37:32.0656 3132 Kbdclass - ok
07:37:32.0765 3132 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
07:37:33.0015 3132 kmixer - ok
07:37:33.0093 3132 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
07:37:33.0250 3132 KSecDD - ok
07:37:33.0312 3132 lanmanserver (3a7c3cbe5d96b8ae96ce81f0b22fb527) C:\WINDOWS\System32\srvsvc.dll
07:37:33.0390 3132 lanmanserver - ok
07:37:33.0437 3132 lanmanworkstation (a8888a5327621856c0cec4e385f69309) C:\WINDOWS\System32\wkssvc.dll
07:37:33.0562 3132 lanmanworkstation - ok
07:37:33.0562 3132 lbrtfdc - ok
07:37:33.0609 3132 LmHosts (a7db739ae99a796d91580147e919cc59) C:\WINDOWS\System32\lmhsvc.dll
07:37:33.0812 3132 LmHosts - ok
07:37:33.0843 3132 mdmxsdk (e246a32c445056996074a397da56e815) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
07:37:33.0890 3132 mdmxsdk - ok
07:37:33.0906 3132 Messenger (986b1ff5814366d71e0ac5755c88f2d3) C:\WINDOWS\System32\msgsvc.dll
07:37:34.0062 3132 Messenger - ok
07:37:34.0093 3132 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
07:37:34.0234 3132 mnmdd - ok
07:37:34.0312 3132 mnmsrvc (d18f1f0c101d06a1c1adf26eed16fcdd) C:\WINDOWS\system32\mnmsrvc.exe
07:37:34.0468 3132 mnmsrvc - ok
07:37:34.0593 3132 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
07:37:34.0750 3132 Modem - ok
07:37:34.0843 3132 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
07:37:34.0968 3132 Mouclass - ok
07:37:35.0046 3132 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
07:37:35.0218 3132 mouhid - ok
07:37:35.0312 3132 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
07:37:35.0484 3132 MountMgr - ok
07:37:35.0531 3132 MpFilter (fee0baded54222e9f1dae9541212aab1) C:\WINDOWS\system32\DRIVERS\MpFilter.sys
07:37:35.0609 3132 MpFilter - ok
07:37:35.0625 3132 mraid35x - ok
07:37:35.0656 3132 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
07:37:35.0843 3132 MRxDAV - ok
07:37:35.0890 3132 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
07:37:36.0031 3132 MRxSmb - ok
07:37:36.0171 3132 MSDTC (a137f1470499a205abbb9aafb3b6f2b1) C:\WINDOWS\system32\msdtc.exe
07:37:36.0312 3132 MSDTC - ok
07:37:36.0390 3132 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
07:37:36.0515 3132 Msfs - ok
07:37:36.0562 3132 MSIServer - ok
07:37:36.0640 3132 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
07:37:36.0765 3132 MSKSSRV - ok
07:37:36.0890 3132 MsMpSvc (cfce43b70ca0cc4dcc8adb62b792b173) c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
07:37:36.0937 3132 MsMpSvc - ok
07:37:36.0937 3132 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
07:37:37.0078 3132 MSPCLOCK - ok
07:37:37.0078 3132 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
07:37:37.0203 3132 MSPQM - ok
07:37:37.0250 3132 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
07:37:37.0390 3132 mssmbios - ok
07:37:37.0437 3132 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
07:37:37.0515 3132 Mup - ok
07:37:37.0593 3132 napagent (0102140028fad045756796e1c685d695) C:\WINDOWS\System32\qagentrt.dll
07:37:37.0765 3132 napagent - ok
07:37:37.0875 3132 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
07:37:38.0140 3132 NDIS - ok
07:37:38.0187 3132 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
07:37:38.0296 3132 NdisTapi - ok
07:37:38.0343 3132 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
07:37:38.0546 3132 Ndisuio - ok
07:37:38.0640 3132 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
07:37:38.0796 3132 NdisWan - ok
07:37:38.0890 3132 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
07:37:38.0984 3132 NDProxy - ok
07:37:39.0062 3132 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
07:37:39.0265 3132 NetBIOS - ok
07:37:39.0312 3132 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
07:37:39.0484 3132 NetBT - ok
07:37:39.0515 3132 NetDDE (b857ba82860d7ff85ae29b095645563b) C:\WINDOWS\system32\netdde.exe
07:37:39.0750 3132 NetDDE - ok
07:37:39.0750 3132 NetDDEdsdm (b857ba82860d7ff85ae29b095645563b) C:\WINDOWS\system32\netdde.exe
07:37:39.0921 3132 NetDDEdsdm - ok
07:37:40.0109 3132 Netlogon (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
07:37:40.0250 3132 Netlogon - ok
07:37:40.0328 3132 Netman (13e67b55b3abd7bf3fe7aae5a0f9a9de) C:\WINDOWS\System32\netman.dll
07:37:40.0562 3132 Netman - ok
07:37:40.0656 3132 Nla (943337d786a56729263071623bbb9de5) C:\WINDOWS\System32\mswsock.dll
07:37:40.0781 3132 Nla - ok
07:37:40.0859 3132 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
07:37:41.0031 3132 Npfs - ok
07:37:41.0171 3132 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
07:37:41.0375 3132 Ntfs - ok
07:37:41.0421 3132 NtLmSsp (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
07:37:41.0531 3132 NtLmSsp - ok
07:37:41.0578 3132 NtmsSvc (156f64a3345bd23c600655fb4d10bc08) C:\WINDOWS\system32\ntmssvc.dll
07:37:41.0812 3132 NtmsSvc - ok
07:37:41.0921 3132 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
07:37:42.0078 3132 Null - ok
07:37:42.0171 3132 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
07:37:42.0375 3132 NwlnkFlt - ok
07:37:42.0453 3132 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
07:37:42.0578 3132 NwlnkFwd - ok
07:37:42.0781 3132 odserv (785f487a64950f3cb8e9f16253ba3b7b) C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE
07:37:42.0875 3132 odserv - ok
07:37:43.0000 3132 OMCI (cec7e2c6c1fa00c7ab2f5434f848ae51) C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS
07:37:43.0062 3132 OMCI ( UnsignedFile.Multi.Generic ) - warning
07:37:43.0062 3132 OMCI - detected UnsignedFile.Multi.Generic (1)
07:37:43.0171 3132 ose (5a432a042dae460abe7199b758e8606c) C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
07:37:43.0281 3132 ose - ok
07:37:43.0328 3132 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
07:37:43.0546 3132 Parport - ok
07:37:43.0562 3132 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
07:37:43.0687 3132 PartMgr - ok
07:37:43.0750 3132 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
07:37:43.0890 3132 ParVdm - ok
07:37:43.0921 3132 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
07:37:44.0078 3132 PCI - ok
07:37:44.0109 3132 PCIDump - ok
07:37:44.0140 3132 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
07:37:44.0281 3132 PCIIde - ok
07:37:44.0312 3132 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\DRIVERS\pcmcia.sys
07:37:44.0437 3132 Pcmcia - ok
07:37:44.0453 3132 PDCOMP - ok
07:37:44.0500 3132 PDFRAME - ok
07:37:44.0515 3132 PDRELI - ok
07:37:44.0531 3132 PDRFRAME - ok
07:37:44.0546 3132 perc2 - ok
07:37:44.0546 3132 perc2hib - ok
07:37:44.0609 3132 PlugPlay (65df52f5b8b6e9bbd183505225c37315) C:\WINDOWS\system32\services.exe
07:37:44.0718 3132 PlugPlay - ok
07:37:44.0750 3132 PolicyAgent (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
07:37:44.0859 3132 PolicyAgent - ok
07:37:44.0906 3132 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
07:37:45.0109 3132 PptpMiniport - ok
07:37:45.0125 3132 ProtectedStorage (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
07:37:45.0296 3132 ProtectedStorage - ok
07:37:45.0390 3132 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
07:37:45.0531 3132 PSched - ok
07:37:45.0562 3132 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
07:37:45.0703 3132 Ptilink - ok
07:37:45.0718 3132 ql1080 - ok
07:37:45.0734 3132 Ql10wnt - ok
07:37:45.0750 3132 ql12160 - ok
07:37:45.0765 3132 ql1240 - ok
07:37:45.0781 3132 ql1280 - ok
07:37:45.0796 3132 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
07:37:45.0968 3132 RasAcd - ok
07:37:46.0015 3132 RasAuto (ad188be7bdf94e8df4ca0a55c00a5073) C:\WINDOWS\System32\rasauto.dll
07:37:46.0250 3132 RasAuto - ok
07:37:46.0359 3132 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
07:37:46.0531 3132 Rasl2tp - ok
07:37:46.0593 3132 RasMan (76a9a3cbeadd68cc57cda5e1d7448235) C:\WINDOWS\System32\rasmans.dll
07:37:46.0796 3132 RasMan - ok
07:37:46.0921 3132 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
07:37:47.0109 3132 RasPppoe - ok
07:37:47.0156 3132 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
07:37:47.0312 3132 Raspti - ok
07:37:47.0375 3132 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
07:37:47.0546 3132 Rdbss - ok
07:37:47.0562 3132 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
07:37:47.0703 3132 RDPCDD - ok
07:37:47.0796 3132 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
07:37:48.0000 3132 rdpdr - ok
07:37:48.0093 3132 RDPWD (5b3055daa788bd688594d2f5981f2a83) C:\WINDOWS\system32\drivers\RDPWD.sys
07:37:48.0203 3132 RDPWD - ok
07:37:48.0250 3132 RDSessMgr (3c37bf86641bda977c3bf8a840f3b7fa) C:\WINDOWS\system32\sessmgr.exe
07:37:48.0609 3132 RDSessMgr - ok
07:37:48.0765 3132 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
07:37:48.0921 3132 redbook - ok
07:37:49.0000 3132 RemoteAccess (7e699ff5f59b5d9de5390e3c34c67cf5) C:\WINDOWS\System32\mprdim.dll
07:37:49.0265 3132 RemoteAccess - ok
07:37:49.0375 3132 RemoteRegistry (5b19b557b0c188210a56a6b699d90b8f) C:\WINDOWS\system32\regsvc.dll
07:37:49.0578 3132 RemoteRegistry - ok
07:37:49.0671 3132 RpcLocator (aaed593f84afa419bbae8572af87cf6a) C:\WINDOWS\system32\locator.exe
07:37:49.0828 3132 RpcLocator - ok
07:37:49.0906 3132 RpcSs (6b27a5c03dfb94b4245739065431322c) C:\WINDOWS\system32\rpcss.dll
07:37:49.0984 3132 RpcSs - ok
07:37:50.0031 3132 RSVP (471b3f9741d762abe75e9deea4787e47) C:\WINDOWS\system32\rsvp.exe
07:37:50.0218 3132 RSVP - ok
07:37:50.0343 3132 SamSs (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
07:37:50.0484 3132 SamSs - ok
07:37:50.0546 3132 SCardSvr (86d007e7a654b9a71d1d7d856b104353) C:\WINDOWS\System32\SCardSvr.exe
07:37:50.0750 3132 SCardSvr - ok
07:37:50.0828 3132 Schedule (0a9a7365a1ca4319aa7c1d6cd8e4eafa) C:\WINDOWS\system32\schedsvc.dll
07:37:51.0046 3132 Schedule - ok
07:37:51.0171 3132 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
07:37:51.0296 3132 Secdrv - ok
07:37:51.0375 3132 seclogon (cbe612e2bb6a10e3563336191eda1250) C:\WINDOWS\System32\seclogon.dll
07:37:51.0515 3132 seclogon - ok
07:37:51.0562 3132 SENS (7fdd5d0684eca8c1f68b4d99d124dcd0) C:\WINDOWS\system32\sens.dll
07:37:51.0718 3132 SENS - ok
07:37:51.0812 3132 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
07:37:51.0937 3132 serenum - ok
07:37:52.0046 3132 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
07:37:52.0218 3132 Serial - ok
07:37:52.0312 3132 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
07:37:52.0453 3132 Sfloppy - ok
07:37:52.0531 3132 SharedAccess (83f41d0d89645d7235c051ab1d9523ac) C:\WINDOWS\System32\ipnathlp.dll
07:37:52.0734 3132 SharedAccess - ok
07:37:52.0796 3132 ShellHWDetection (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll
07:37:52.0859 3132 ShellHWDetection - ok
07:37:52.0875 3132 Simbad - ok
07:37:52.0890 3132 Sparrow - ok
07:37:52.0953 3132 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
07:37:53.0109 3132 splitter - ok
07:37:53.0187 3132 Spooler (60784f891563fb1b767f70117fc2428f) C:\WINDOWS\system32\spoolsv.exe
07:37:53.0359 3132 Spooler - ok
07:37:53.0375 3132 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
07:37:53.0625 3132 sr - ok
07:37:53.0750 3132 srservice (3805df0ac4296a34ba4bf93b346cc378) C:\WINDOWS\system32\srsvc.dll
07:37:53.0906 3132 srservice - ok
07:37:54.0046 3132 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
07:37:54.0140 3132 Srv - ok
07:37:54.0171 3132 SSDPSRV (0a5679b3714edab99e357057ee88fca6) C:\WINDOWS\System32\ssdpsrv.dll
07:37:54.0375 3132 SSDPSRV - ok
07:37:54.0531 3132 STHDA (3ad78e22210d3fbd9f76de84a8df19b5) C:\WINDOWS\system32\drivers\sthda.sys
07:37:54.0656 3132 STHDA - ok
07:37:54.0718 3132 stisvc (8bad69cbac032d4bbacfce0306174c30) C:\WINDOWS\system32\wiaservc.dll
07:37:54.0953 3132 stisvc - ok
07:37:55.0000 3132 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
07:37:55.0187 3132 swenum - ok
07:37:55.0265 3132 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
07:37:55.0406 3132 swmidi - ok
07:37:55.0437 3132 SwPrv - ok
07:37:55.0453 3132 symc810 - ok
07:37:55.0468 3132 symc8xx - ok
07:37:55.0484 3132 sym_hi - ok
07:37:55.0484 3132 sym_u3 - ok
07:37:55.0546 3132 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
07:37:55.0703 3132 sysaudio - ok
07:37:55.0765 3132 SysmonLog (c7abbc59b43274b1109df6b24d617051) C:\WINDOWS\system32\smlogsvc.exe
07:37:55.0953 3132 SysmonLog - ok
07:37:56.0062 3132 TapiSrv (3cb78c17bb664637787c9a1c98f79c38) C:\WINDOWS\System32\tapisrv.dll
07:37:56.0234 3132 TapiSrv - ok
07:37:56.0359 3132 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
07:37:56.0468 3132 Tcpip - ok
07:37:56.0515 3132 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
07:37:56.0718 3132 TDPIPE - ok
07:37:56.0796 3132 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
07:37:56.0937 3132 TDTCP - ok
07:37:56.0984 3132 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
07:37:57.0125 3132 TermDD - ok
07:37:57.0218 3132 TermService (ff3477c03be7201c294c35f684b3479f) C:\WINDOWS\System32\termsrv.dll
07:37:57.0390 3132 TermService - ok
07:37:57.0500 3132 Themes (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll
07:37:57.0562 3132 Themes - ok
07:37:57.0609 3132 TlntSvr (db7205804759ff62c34e3efd8a4cc76a) C:\WINDOWS\system32\tlntsvr.exe
07:37:57.0890 3132 TlntSvr - ok
07:37:57.0890 3132 TosIde - ok
07:37:57.0937 3132 TrkWks (55bca12f7f523d35ca3cb833c725f54e) C:\WINDOWS\system32\trkwks.dll
07:37:58.0156 3132 TrkWks - ok
07:37:58.0250 3132 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
07:37:58.0406 3132 Udfs - ok
07:37:58.0484 3132 UIUSys - ok
07:37:58.0500 3132 ultra - ok
07:37:58.0562 3132 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
07:37:58.0734 3132 Update - ok
07:37:58.0781 3132 upnphost (1ebafeb9a3fbdc41b8d9c7f0f687ad91) C:\WINDOWS\System32\upnphost.dll
07:37:58.0953 3132 upnphost - ok
07:37:59.0046 3132 UPS (05365fb38fca1e98f7a566aaaf5d1815) C:\WINDOWS\System32\ups.exe
07:37:59.0250 3132 UPS - ok
07:37:59.0375 3132 USBAAPL (83cafcb53201bbac04d822f32438e244) C:\WINDOWS\system32\Drivers\usbaapl.sys
07:37:59.0484 3132 USBAAPL - ok
07:37:59.0546 3132 USBCCID (6b5e4d5e6e5ecd6acd14aed59768ce5c) C:\WINDOWS\system32\DRIVERS\usbccid.sys
07:37:59.0640 3132 USBCCID - ok
07:37:59.0671 3132 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
07:37:59.0859 3132 usbehci - ok
07:37:59.0968 3132 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
07:38:00.0187 3132 usbhub - ok
07:38:00.0281 3132 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
07:38:00.0421 3132 usbscan - ok
07:38:00.0468 3132 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
07:38:00.0593 3132 USBSTOR - ok
07:38:00.0625 3132 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
07:38:00.0750 3132 usbuhci - ok
07:38:00.0796 3132 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
07:38:00.0937 3132 VgaSave - ok
07:38:00.0937 3132 ViaIde - ok
07:38:00.0984 3132 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
07:38:01.0140 3132 VolSnap - ok
07:38:01.0250 3132 VSS (7a9db3a67c333bf0bd42e42b8596854b) C:\WINDOWS\System32\vssvc.exe
07:38:01.0437 3132 VSS - ok
07:38:01.0484 3132 W32Time (54af4b1d5459500ef0937f6d33b1914f) C:\WINDOWS\system32\w32time.dll
07:38:01.0625 3132 W32Time - ok
07:38:01.0671 3132 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
07:38:01.0859 3132 Wanarp - ok
07:38:01.0859 3132 WDICA - ok
07:38:01.0984 3132 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
07:38:02.0156 3132 wdmaud - ok
07:38:02.0265 3132 WebClient (77a354e28153ad2d5e120a5a8687bc06) C:\WINDOWS\System32\webclnt.dll
07:38:02.0437 3132 WebClient - ok
07:38:02.0578 3132 winachsf (ba6b6fb242a6ba4068c8b763063beb63) C:\WINDOWS\system32\DRIVERS\HSX_CNXT.sys
07:38:02.0703 3132 winachsf - ok
07:38:02.0812 3132 winmgmt (2d0e4ed081963804ccc196a0929275b5) C:\WINDOWS\system32\wbem\WMIsvc.dll
07:38:03.0031 3132 winmgmt - ok
07:38:03.0125 3132 wltrysvc - ok
07:38:03.0203 3132 WmdmPmSN (c7e39ea41233e9f5b86c8da3a9f1e4a8) C:\WINDOWS\system32\mspmsnsv.dll
07:38:03.0359 3132 WmdmPmSN - ok
07:38:03.0500 3132 Wmi (e76f8807070ed04e7408a86d6d3a6137) C:\WINDOWS\System32\advapi32.dll
07:38:03.0765 3132 Wmi - ok
07:38:03.0828 3132 WmiAcpi (c42584fd66ce9e17403aebca199f7bdb) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
07:38:03.0953 3132 WmiAcpi - ok
07:38:04.0062 3132 WmiApSrv (e0673f1106e62a68d2257e376079f821) C:\WINDOWS\system32\wbem\wmiapsrv.exe
07:38:04.0250 3132 WmiApSrv - ok
07:38:04.0343 3132 wscsvc (7c278e6408d1dce642230c0585a854d5) C:\WINDOWS\system32\wscsvc.dll
07:38:04.0578 3132 wscsvc - ok
07:38:04.0609 3132 wuauserv (35321fb577cdc98ce3eb3a3eb9e4610a) C:\WINDOWS\system32\wuauserv.dll
07:38:04.0765 3132 wuauserv - ok
07:38:04.0828 3132 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
07:38:05.0000 3132 WudfPf - ok
07:38:05.0078 3132 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
07:38:05.0218 3132 WudfRd - ok
07:38:05.0265 3132 WudfSvc (05231c04253c5bc30b26cbaae680ed89) C:\WINDOWS\System32\WUDFSvc.dll
07:38:05.0328 3132 WudfSvc - ok
07:38:05.0406 3132 WZCSVC (81dc3f549f44b1c1fff022dec9ecf30b) C:\WINDOWS\System32\wzcsvc.dll
07:38:05.0625 3132 WZCSVC - ok
07:38:05.0656 3132 xmlprov (295d21f14c335b53cb8154e5b1f892b9) C:\WINDOWS\System32\xmlprov.dll
07:38:05.0812 3132 xmlprov - ok
07:38:05.0859 3132 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
07:38:06.0062 3132 \Device\Harddisk0\DR0 ( TDSS File System ) - warning
07:38:06.0062 3132 \Device\Harddisk0\DR0 - detected TDSS File System (1)
07:38:06.0062 3132 Boot (0x1200) (c54b50610ab89d8fbf934a77ccb25f96) \Device\Harddisk0\DR0\Partition0
07:38:06.0062 3132 \Device\Harddisk0\DR0\Partition0 - ok
07:38:06.0062 3132 ============================================================
07:38:06.0062 3132 Scan finished
07:38:06.0062 3132 ============================================================
07:38:06.0171 3124 Detected object count: 3
07:38:06.0171 3124 Actual detected object count: 3
10:53:08.0859 3124 cercsr6 ( UnsignedFile.Multi.Generic ) - skipped by user
10:53:08.0859 3124 cercsr6 ( UnsignedFile.Multi.Generic ) - User select action: Skip
10:53:08.0859 3124 OMCI ( UnsignedFile.Multi.Generic ) - skipped by user
10:53:08.0859 3124 OMCI ( UnsignedFile.Multi.Generic ) - User select action: Skip
10:53:08.0953 3124 \Device\Harddisk0\DR0\TDLFS\phm - copied to quarantine
10:53:08.0984 3124 \Device\Harddisk0\DR0\TDLFS\ph.dll - copied to quarantine
10:53:09.0125 3124 \Device\Harddisk0\DR0\TDLFS\phx.dll - copied to quarantine
10:53:09.0187 3124 \Device\Harddisk0\DR0\TDLFS\sub.dll - copied to quarantine
10:53:09.0265 3124 \Device\Harddisk0\DR0\TDLFS\subx.dll - copied to quarantine
10:53:09.0640 3124 \Device\Harddisk0\DR0\TDLFS\phd - copied to quarantine
10:53:10.0765 3124 \Device\Harddisk0\DR0\TDLFS\phdx - copied to quarantine
10:53:10.0859 3124 \Device\Harddisk0\DR0\TDLFS\phs - copied to quarantine
10:53:10.0859 3124 \Device\Harddisk0\DR0\TDLFS\phdata - copied to quarantine
10:53:10.0859 3124 \Device\Harddisk0\DR0\TDLFS\phld - copied to quarantine
10:53:10.0875 3124 \Device\Harddisk0\DR0\TDLFS\phln - copied to quarantine
10:53:10.0937 3124 \Device\Harddisk0\DR0\TDLFS\phlx - copied to quarantine
10:53:10.0953 3124 \Device\Harddisk0\DR0\TDLFS - deleted
10:53:10.0953 3124 \Device\Harddisk0\DR0 ( TDSS File System ) - User select action: Delete



aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-04-14 11:02:50
-----------------------------
11:02:50.156 OS Version: Windows 5.1.2600 Service Pack 3
11:02:50.156 Number of processors: 2 586 0xF02
11:02:50.156 ComputerName: 8G77SC1 UserName: Home
11:02:51.203 Initialize success
11:09:07.015 AVAST engine defs: 12041400
11:09:38.875 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
11:09:38.875 Disk 0 Vendor: ST94813AS 8.04 Size: 38154MB BusType: 3
11:09:38.875 Disk 0 MBR read successfully
11:09:38.890 Disk 0 MBR scan
11:09:38.937 Disk 0 Windows XP default MBR code
11:09:38.937 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 38154 MB offset 63
11:09:38.953 Disk 0 scanning sectors +78140160
11:09:39.484 Disk 0 scanning C:\WINDOWS\system32\drivers
11:09:58.734 Service scanning
11:10:07.765 Service MpKsl55bf86fb c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{D8048613-029B-4390-895E-4C11811277FD}\MpKsl55bf86fb.sys **LOCKED** 32
11:10:21.796 Modules scanning
11:10:28.156 Disk 0 trace - called modules:
11:10:28.171 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
11:10:28.171 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86d57ab8]
11:10:28.187 3 CLASSPNP.SYS[f757efd7] -> nt!IofCallDriver -> \Device\00000073[0x86d5df18]
11:10:28.187 5 ACPI.sys[f7415620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x86ceb940]
11:10:28.546 AVAST engine scan C:\WINDOWS
11:10:43.859 AVAST engine scan C:\WINDOWS\system32
11:13:41.312 AVAST engine scan C:\WINDOWS\system32\drivers
11:14:02.546 AVAST engine scan C:\Documents and Settings\Home
11:14:26.546 File: C:\Documents and Settings\Home\Application Data\Office Genuine Advantage\Office Genuine Advantage\afxjahc.dll **INFECTED** Win32:Trojan-gen
11:27:30.765 AVAST engine scan C:\Documents and Settings\All Users
11:28:01.281 Scan finished successfully
11:28:46.093 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Home\Desktop\MBR.dat"
11:28:46.156 The log file has been saved successfully to "C:\Documents and Settings\Home\Desktop\aswMBR.txt"
oldman960
2012-04-14, 20:32
Hi mla34,

This looks pretty good. How is the computer?

Please go to Virustotal (www.virustotal.com) Please submit these files for analysis

copy and paste (or use the choose file button to browse to the files)the following into the choose file box (one at a time if more than one file is listed)

C:\Documents and Settings\Home\Application Data\Office Genuine Advantage\Office Genuine Advantage\afxjahc.dll



click the Scan it button. Wait for the results and post them in your next reply.

If it says the file has all ready been analysed click reanalyse.

Please note that sometimes the scans take a few minutes. Please ensure that the scan has completed and the results are complete before submitting the next sample. Also please make sure each result is clearly identified as to which sample they belong to.
mla34
2012-04-14, 22:16
The header reads:


SHA256: f9aeb5cfc9309c05d8500698d707a5c3bafa3b3c923df69a194f423e61a8fab7
SHA1: 25ce04e2f462c2d5ff3c8f63e9c11f9fb4f19551
MD5: bc7db327547d1e7599161e1015f2324f
File size: 343.8 KB ( 352064 bytes )
File name: afxjahc.dll
File type: Win32 DLL
Detection ratio: 4 / 41
Analysis date: 2012-04-14 20:01:36 UTC ( 1 minute ago )

The four detections are as follows:

Avast - Win32:Trojan-gen
AVG - Generic5_c.BPSU
GData - Win32:Trojan-gen
Panda - Suspicious file

Do you want all that is under the Additional Information tab? Don'twant to assume to include it since there is lots of stuff. If you need it I will be happy to send it. There is a list of 3 files at the end of that...not sure what to include here for you. Let me know. Thanks so much!
Maureen
oldman960
2012-04-14, 23:49
Hi mla34,

That's ok I got all the information from VirusTotal. It may be a fase positve.

How's the computer?
mla34
2012-04-15, 00:10
Ok, so we have been on the computer for awhile now and things seem to be going smoothly. The searches seem to be going through without getting hijacked to other sites and the browsing is not hesitating at all. Are we good?? lol If so, for now anyway, this was not as involved as the last time I had to work on the other computer!
Let me know if there is anything else I should do or look for. Thank you so very much for your time and help. I do appreciate it very much! : )
oldman960
2012-04-15, 01:19
Hi mla34,

We'll do a couple of more scans to see if anything turns up.

Download TFC (http://oldtimer.geekstogo.com/TFC.exe) to your desktop

Close any open windows.
Double click the TFC icon to run the program
TFC will close all open programs itself in order to run,
Click the Start button to begin the process.
Allow TFC to run uninterrupted.
The program should not take long to finish it's job
Once its finished it should automatically reboot your machine,
if it doesn't, manually reboot to ensure a complete clean


You have this program installed, Malwarebytes' Anti-Malware (MBAM). Please update it and run a scan.

Open MBAM

Click the Update tab
Click Check for Updates
If an update is found, it will download and install the latest version.
The program will close to update and reopen.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish,so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

One more,

*Note
It is recommended to disable onboard antivirus program and antispyware programs while performing scans so there are no conflicts and it will speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your antivirus along with your antispyware programs.


Go here to run an online scannner from
ESET (http://www.eset.eu/online-scanner)

(Note: You can use Internet Explorer or FireFox for this scan. If you use FireFox you will be asked to install an additional component. Please allow this.)


Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the activex control to install
Disable your Antivirus software. You can usually do this with its Notfication Tray icon near the clock
Click Start
Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is Checked.
Click Scan.
Wait for the scan to finish.
When the scan completes, click List of found threats
click Export to Text file and save the file to your desktop using a unique name, such as ESETScan.
Include the contents of this report in your next reply

Note - when ESET doesn't find any threats, no report will be created.

Push the back button.
Push Finish
Re-enable your Antivirus software.


After the ESET scan plase rerun DDS and post the DDS.txt along with the logs from MBAM and ESET.
mla34
2012-04-15, 03:27
Hi, "OM",

I ran TFC and am including the scan info from MBAM and ESET here. I tried twice to run DDS but the computer froze both times after only a minute. The cursor in the box just stopped blinking and I also lost the ID tag on my spybot icon on the desktop - weird. I ended up having to hit the "kill" switch in order to reboot the computer both times. Any suggestions?
I am calling it a day as my eyes have had enough! I'm sure you too...lol. Thanks for your help and I'll check back tomorrow. Have a great night!

Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.04.14.08

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Home :: 8G77SC1 [administrator]

4/14/2012 8:14:57 PM
mbam-log-2012-04-14 (20-14-57).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 176653
Time elapsed: 3 minute(s), 9 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Documents and Settings\Home\Favorites\Antivirus scan for at UTC - VirusTotal.url (Rogue.Link) -> Quarantined and deleted successfully.

(end)


C:\TDSSKiller_Quarantine\13.04.2012_07.57.36\mbr0000\tdlfs0000\tsk0002.dta Win64/Olmarik.AD trojan
C:\TDSSKiller_Quarantine\13.04.2012_07.57.36\mbr0000\tdlfs0000\tsk0004.dta Win64/Olmarik.AG trojan
C:\TDSSKiller_Quarantine\13.04.2012_07.57.36\mbr0000\tdlfs0000\tsk0005.dta a variant of Win32/Rootkit.Kryptik.KS trojan
C:\TDSSKiller_Quarantine\14.04.2012_07.36.57\tdlfs0000\tsk0002.dta Win64/Olmarik.AD trojan
C:\TDSSKiller_Quarantine\14.04.2012_07.36.57\tdlfs0000\tsk0004.dta Win64/Olmarik.AG trojan
C:\TDSSKiller_Quarantine\14.04.2012_07.36.57\tdlfs0000\tsk0005.dta a variant of Win32/Rootkit.Kryptik.KS trojan
mla34
2012-04-15, 16:48
Good morning! Thought I'd just let you know that I tried running DDS again today and it just stayed as is...flashing cursor but no progress...left it going about 15 minutes with no results. Tried to close it and then it froze. The mouse continued to work but I could not access my start button to shut things down. Had to hit the kill button again....just thought maybe this was a significant issue? I don't remember it taking so long the last time...should I just leave it for an hour or so?
Thanks!
oldman960
2012-04-15, 17:38
Hi mla34,

Download OTL (http://oldtimer.geekstogo.com/OTL.exe) to your desktop.

Double click on OTL.exe to run it. Make sure all other windows are closed and to let it run uninterrupted.
When the window appears, underneath Output at the top change it to Minimal Output
Check the boxes beside LOP Check and Purity Check.
In the window under Custom Scans/Fixes copy and paste the following


netsvcs
%SYSTEMDRIVE%\*.*
%systemroot%\Fonts\*.com
%systemroot%\Fonts\*.dll
%systemroot%\Fonts\*.ini
%systemroot%\Fonts\*.ini2
%systemroot%\Fonts\*.exe
%systemroot%\system32\spool\prtprocs\w32x86\*.*
%systemroot%\REPAIR\*.bak1
%systemroot%\REPAIR\*.ini
%systemroot%\system32\*.jpg
%systemroot%\*.jpg
%systemroot%\*.png
%systemroot%\*.scr
%systemroot%\*._sy
%APPDATA%\Adobe\Update\*.*
%ALLUSERSPROFILE%\Favorites\*.*
%APPDATA%\Microsoft\*.*
%PROGRAMFILES%\*.*
%APPDATA%\Update\*.*
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\System32\config\*.sav
%PROGRAMFILES%\bak. /s
%systemroot%\system32\bak. /s
%ALLUSERSPROFILE%\Start Menu\*.līk /x
%systemroot%\system32\config\systemprofile\*.dat /x
%systemroot%\*.config
%systemroot%\system32\*.db
%PROGRAMFILES%\Internet Explorer\*.dat
%APPDATA%\Mikzosoft\Internet Explorer\Quick Launch\*.lnk /x
%USERPROFILE%\Desktop\*.exe
%PROGRAMFILES%\Common Files\*.*
%systemroot%\*.src
%systemroot%\install\*.*
%systemroot%\system32\DLL\*.*
%systemroot%\system32\HelpFiles\*.*
%systemroot%\system32\rundll\*.*
%systemroot%\winn32\*.*
%systemroot%\Java\*.*
%systemroot%\system32\test\*.*
%systemroot%\system32\Rundll32\*.*
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
%USERPROFILE%\..|smtmp;true;true;true /FP
%temp%\smtmp\*.* /s >
/md5start
iexplore.*
explorer.*
winlogon.*
dll
zx.dll
hlp.dat
consrv.dll
/md5stop



Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan wont take long.

When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.

Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them all in.
mla34
2012-04-15, 19:00
Here are the results of the scan

OTL logfile created on: 4/15/2012 12:51:58 PM - Run 1
OTL by OldTimer - Version 3.2.39.2 Folder = C:\Documents and Settings\Home\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1014.05 Mb Total Physical Memory | 577.56 Mb Available Physical Memory | 56.96% Memory free
2.38 Gb Paging File | 2.07 Gb Available in Paging File | 86.73% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.26 Gb Total Space | 19.40 Gb Free Space | 52.06% Space Free | Partition Type: NTFS

Computer Name: 8G77SC1 | User Name: Home | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Home\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
PRC - c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe (Microsoft Corporation)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\WINDOWS\stsystra.exe (SigmaTel, Inc.)


========== Modules (No Company Name) ==========

MOD - C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll ()
MOD - C:\WINDOWS\system32\bcm1xsup.dll ()


========== Win32 Services (SafeList) ==========

SRV - (MsMpSvc) -- c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe (Microsoft Corporation)


========== Driver Services (SafeList) ==========

DRV - (WDICA) -- File not found
DRV - (UIUSys) -- system32\DRIVERS\UIUSYS.SYS File not found
DRV - (PDRFRAME) -- File not found
DRV - (PDRELI) -- File not found
DRV - (PDFRAME) -- File not found
DRV - (PDCOMP) -- File not found
DRV - (PCIDump) -- File not found
DRV - (MpKsl55bf86fb) -- c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{D8048613-029B-4390-895E-4C11811277FD}\MpKsl55bf86fb.sys File not found
DRV - (lbrtfdc) -- File not found
DRV - (i2omgmt) -- File not found
DRV - (Changer) -- File not found
DRV - (STHDA) -- C:\WINDOWS\system32\drivers\sthda.sys (SigmaTel, Inc.)
DRV - (BCM43XX) -- C:\WINDOWS\system32\drivers\BCMWL5.SYS (Broadcom Corporation)
DRV - (b57w2k) -- C:\WINDOWS\system32\drivers\b57xp32.sys (Broadcom Corporation)
DRV - (USBCCID) -- C:\WINDOWS\system32\drivers\usbccid.sys (Microsoft Corporation)
DRV - (OMCI) -- C:\WINDOWS\system32\drivers\omci.sys (Dell Computer Corporation)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
IE - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
IE - HKCU\..\SearchScopes,DefaultScope = {87DBF564-C81D-4F5E-B38F-3C0C0D1567C2}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src=IE-SearchBox&Form=IE8SRC
IE - HKCU\..\SearchScopes\{87DBF564-C81D-4F5E-B38F-3C0C0D1567C2}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7&rlz=1I7GGLJ_en
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local


========== FireFox ==========

FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.1.10111.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)



O1 HOSTS File: ([2012/04/10 08:30:26 | 000,442,034 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 127.0.0.1 www.007guard.com
O1 - Hosts: 127.0.0.1 007guard.com
O1 - Hosts: 127.0.0.1 008i.com
O1 - Hosts: 127.0.0.1 www.008k.com
O1 - Hosts: 127.0.0.1 008k.com
O1 - Hosts: 127.0.0.1 www.00hq.com
O1 - Hosts: 127.0.0.1 00hq.com
O1 - Hosts: 127.0.0.1 010402.com
O1 - Hosts: 127.0.0.1 www.032439.com
O1 - Hosts: 127.0.0.1 032439.com
O1 - Hosts: 127.0.0.1 www.0scan.com
O1 - Hosts: 127.0.0.1 0scan.com
O1 - Hosts: 127.0.0.1 www.1000gratisproben.com
O1 - Hosts: 127.0.0.1 1000gratisproben.com
O1 - Hosts: 127.0.0.1 1001namen.com
O1 - Hosts: 127.0.0.1 www.1001namen.com
O1 - Hosts: 127.0.0.1 100888290cs.com
O1 - Hosts: 127.0.0.1 www.100888290cs.com
O1 - Hosts: 127.0.0.1 www.100sexlinks.com
O1 - Hosts: 127.0.0.1 100sexlinks.com
O1 - Hosts: 127.0.0.1 www.10sek.com
O1 - Hosts: 127.0.0.1 10sek.com
O1 - Hosts: 127.0.0.1 www.1-2005-search.com
O1 - Hosts: 127.0.0.1 1-2005-search.com
O1 - Hosts: 15191 more lines...
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O4 - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\WINDOWS\stsystra.exe (SigmaTel, Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_70C5B381380DB17F.dll/cmsidewiki.html File not found
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab (Java Plug-in 1.6.0_30)
O16 - DPF: {CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab (Java Plug-in 1.6.0_30)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_30-windows-i586.cab (Java Plug-in 1.6.0_30)
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} http://www.shockwave.com/content/insaniquarium/sis/popcaploader_v10.cab (PopCapLoader Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{6F3861E7-6528-4210-A9A9-EE79613318EF}: DhcpNameServer = 192.168.1.1
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Home\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Home\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/04/08 15:30:46 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{3f98c47e-9374-11de-a755-00188bc33c34}\Shell\AutoRun\command - "" = E:\WD_Windows_Tools\Setup.exe
O33 - MountPoints2\{8e95e311-2474-11de-b99e-b92f39c325d0}\Shell - "" = AutoRun
O33 - MountPoints2\{8e95e311-2474-11de-b99e-b92f39c325d0}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{8e95e311-2474-11de-b99e-b92f39c325d0}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -a
O33 - MountPoints2\{db9e0f0d-4892-11de-a6a8-00188bc33c34}\Shell - "" = AutoRun
O33 - MountPoints2\{db9e0f0d-4892-11de-a6a8-00188bc33c34}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{db9e0f0d-4892-11de-a6a8-00188bc33c34}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -a
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point

========== Files/Folders - Created Within 30 Days ==========

[2012/04/15 12:48:42 | 000,593,920 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Home\Desktop\OTL.exe
[2012/04/14 20:27:24 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2012/04/14 19:56:33 | 000,446,464 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Home\Desktop\TFC.exe
[2012/04/14 11:02:08 | 004,731,392 | ---- | C] (AVAST Software) -- C:\Documents and Settings\Home\Desktop\aswMBR.exe
[2012/04/13 08:35:07 | 000,000,000 | ---D | C] -- C:\TDSSKiller_Quarantine
[2012/04/13 07:54:44 | 002,071,600 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Home\Desktop\tdsskiller.exe
[2012/04/13 03:12:35 | 000,000,000 | -HSD | C] -- C:\found.000
[2012/04/12 16:14:10 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Home\Application Data\MSNInstaller
[2012/04/12 14:58:44 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Home\My Documents\My Videos
[2012/04/12 14:58:24 | 000,607,260 | R--- | C] (Swearware) -- C:\Documents and Settings\Home\Desktop\dds.com
[2012/04/12 14:56:45 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2012/04/12 14:53:47 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Home\Desktop\ERUNT
[2012/04/10 14:41:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Home\Application Data\Malwarebytes
[2012/04/10 14:38:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2012/04/10 14:38:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2012/04/10 14:38:34 | 000,022,344 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2012/04/10 14:38:33 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2012/04/09 17:44:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Spybot - Search & Destroy
[2012/04/09 17:44:02 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2012/04/09 17:44:02 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2012/04/09 17:36:19 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\NortonInstaller
[2012/04/09 11:40:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Identities
[2012/04/09 11:12:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2012/04/04 14:04:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2012/04/04 14:04:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2012/04/02 12:34:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Microsoft Silverlight
[2012/04/02 12:34:18 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Silverlight

========== Files - Modified Within 30 Days ==========

[2012/04/15 12:48:51 | 000,593,920 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Home\Desktop\OTL.exe
[2012/04/15 10:43:40 | 000,000,424 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2012/04/15 10:39:22 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/04/15 10:38:01 | 000,000,236 | ---- | M] () -- C:\WINDOWS\tasks\OGALogon.job
[2012/04/15 10:37:53 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/04/14 19:57:20 | 000,446,464 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Home\Desktop\TFC.exe
[2012/04/14 11:32:32 | 000,000,499 | ---- | M] () -- C:\Documents and Settings\Home\Desktop\MBR.zip
[2012/04/14 11:28:46 | 000,000,512 | ---- | M] () -- C:\Documents and Settings\Home\Desktop\MBR.dat
[2012/04/14 11:02:17 | 004,731,392 | ---- | M] (AVAST Software) -- C:\Documents and Settings\Home\Desktop\aswMBR.exe
[2012/04/14 08:37:57 | 001,025,334 | ---- | M] () -- C:\Documents and Settings\Home\Desktop\scan results.bmp
[2012/04/14 03:01:37 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2012/04/13 08:27:44 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2012/04/13 07:55:06 | 002,071,600 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Home\Desktop\tdsskiller.exe
[2012/04/12 15:25:56 | 000,003,233 | ---- | M] () -- C:\attach.zip
[2012/04/12 14:58:31 | 000,607,260 | R--- | M] (Swearware) -- C:\Documents and Settings\Home\Desktop\dds.com
[2012/04/10 14:38:44 | 000,000,802 | ---- | M] () -- C:\Documents and Settings\Home\Application Data\Microsoft\Internet Explorer\Quick Launch\Malwarebytes Anti-Malware.lnk
[2012/04/10 14:38:44 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2012/04/10 08:30:26 | 000,442,034 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2012/04/09 17:44:33 | 000,000,951 | ---- | M] () -- C:\Documents and Settings\Home\Application Data\Microsoft\Internet Explorer\Quick Launch\Spybot - Search & Destroy.lnk
[2012/04/09 17:44:33 | 000,000,933 | ---- | M] () -- C:\Documents and Settings\Home\Desktop\Spybot - Search & Destroy.lnk
[2012/04/06 23:33:37 | 000,312,172 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2012/04/06 23:33:37 | 000,040,394 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2012/04/06 14:25:36 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2012/04/04 15:56:40 | 000,022,344 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys

========== Files Created - No Company Name ==========

[2012/04/14 11:32:32 | 000,000,499 | ---- | C] () -- C:\Documents and Settings\Home\Desktop\MBR.zip
[2012/04/14 11:28:46 | 000,000,512 | ---- | C] () -- C:\Documents and Settings\Home\Desktop\MBR.dat
[2012/04/14 08:37:57 | 001,025,334 | ---- | C] () -- C:\Documents and Settings\Home\Desktop\scan results.bmp
[2012/04/12 15:25:01 | 000,003,233 | ---- | C] () -- C:\attach.zip
[2012/04/10 14:38:44 | 000,000,802 | ---- | C] () -- C:\Documents and Settings\Home\Application Data\Microsoft\Internet Explorer\Quick Launch\Malwarebytes Anti-Malware.lnk
[2012/04/10 14:38:44 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2012/04/09 17:44:33 | 000,000,951 | ---- | C] () -- C:\Documents and Settings\Home\Application Data\Microsoft\Internet Explorer\Quick Launch\Spybot - Search & Destroy.lnk
[2012/04/09 17:44:33 | 000,000,933 | ---- | C] () -- C:\Documents and Settings\Home\Desktop\Spybot - Search & Destroy.lnk
[2012/04/04 14:04:39 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2012/02/15 19:43:37 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2011/09/18 03:27:06 | 000,037,256 | -H-- | C] () -- C:\WINDOWS\System32\mlfcache.dat

========== LOP Check ==========

[2009/07/08 17:24:30 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\PopCap
[2011/09/09 16:34:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
[2009/09/23 15:17:09 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Home\Application Data\GetRightToGo
[2012/04/12 16:14:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Home\Application Data\MSNInstaller
[2012/04/15 10:43:40 | 000,000,424 | -H-- | M] () -- C:\WINDOWS\Tasks\MP Scheduled Scan.job
[2012/04/15 10:38:01 | 000,000,236 | ---- | M] () -- C:\WINDOWS\Tasks\OGALogon.job

========== Purity Check ==========



========== Custom Scans ==========

< %SYSTEMDRIVE%\*.* >
[2012/04/12 15:25:56 | 000,003,233 | ---- | M] () -- C:\attach.zip
[2009/04/08 15:30:46 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT
[2009/04/08 15:25:40 | 000,000,211 | -HS- | M] () -- C:\boot.ini
[2009/04/08 15:30:46 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
[2009/04/08 15:30:46 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2009/04/08 15:30:46 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2004/08/04 08:00:00 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
[2010/04/07 07:43:21 | 000,250,048 | ---- | M] () -- C:\ntldr
[2012/04/15 10:37:51 | 1598,029,824 | -HS- | M] () -- C:\pagefile.sys
[2012/04/13 08:40:21 | 000,074,224 | ---- | M] () -- C:\TDSSKiller.2.7.28.0_13.04.2012_07.57.34_log.txt
[2012/04/13 12:22:02 | 000,002,714 | ---- | M] () -- C:\TDSSKiller.2.7.28.0_13.04.2012_12.21.25_log.txt
[2012/04/14 11:01:36 | 000,072,594 | ---- | M] () -- C:\TDSSKiller.2.7.28.0_14.04.2012_07.36.57_log.txt

< %systemroot%\Fonts\*.com >

< %systemroot%\Fonts\*.dll >

< %systemroot%\Fonts\*.ini >
[2009/04/08 15:30:23 | 000,000,067 | -HS- | M] () -- C:\WINDOWS\Fonts\desktop.ini

< %systemroot%\Fonts\*.ini2 >

< %systemroot%\Fonts\*.exe >

< %systemroot%\system32\spool\prtprocs\w32x86\*.* >
[2006/10/26 19:56:12 | 000,033,104 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\spool\prtprocs\w32x86\msonpppr.dll

< %systemroot%\REPAIR\*.bak1 >

< %systemroot%\REPAIR\*.ini >

< %systemroot%\system32\*.jpg >

< %systemroot%\*.jpg >

< %systemroot%\*.png >

< %systemroot%\*.scr >

< %systemroot%\*._sy >

< %APPDATA%\Adobe\Update\*.* >

< %ALLUSERSPROFILE%\Favorites\*.* >

< %APPDATA%\Microsoft\*.* >

< %PROGRAMFILES%\*.* >

< %APPDATA%\Update\*.* >

< %systemroot%\*. /mp /s >

< %systemroot%\System32\config\*.sav >
[2009/04/08 10:32:14 | 000,094,208 | ---- | M] () -- C:\WINDOWS\System32\config\default.sav
[2009/04/08 10:32:14 | 000,659,456 | ---- | M] () -- C:\WINDOWS\System32\config\software.sav
[2009/04/08 10:32:14 | 000,905,216 | ---- | M] () -- C:\WINDOWS\System32\config\system.sav

< %PROGRAMFILES%\bak. /s >

< %systemroot%\system32\bak. /s >

< %ALLUSERSPROFILE%\Start Menu\*.līk /x >
[2010/04/07 07:54:36 | 000,000,272 | -HS- | M] () -- C:\Documents and Settings\All Users\Start Menu\desktop.ini
[2010/04/07 07:54:36 | 000,001,563 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Set Program Access and Defaults.lnk
[2009/04/08 15:30:49 | 000,000,398 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Windows Catalog.lnk
[2010/10/28 21:33:56 | 000,001,507 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Windows Update.lnk

< %systemroot%\system32\config\systemprofile\*.dat /x >

< %systemroot%\*.config >

< %systemroot%\system32\*.db >

< %PROGRAMFILES%\Internet Explorer\*.dat >

< %APPDATA%\Mikzosoft\Internet Explorer\Quick Launch\*.lnk /x >

< %USERPROFILE%\Desktop\*.exe >
[2012/04/14 11:02:17 | 004,731,392 | ---- | M] (AVAST Software) -- C:\Documents and Settings\Home\Desktop\aswMBR.exe
[2012/04/15 12:48:51 | 000,593,920 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Home\Desktop\OTL.exe
[2012/04/13 07:55:06 | 002,071,600 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Home\Desktop\tdsskiller.exe
[2012/04/14 19:57:20 | 000,446,464 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Home\Desktop\TFC.exe

< %PROGRAMFILES%\Common Files\*.* >

< %systemroot%\*.src >

< %systemroot%\install\*.* >

< %systemroot%\system32\DLL\*.* >

< %systemroot%\system32\HelpFiles\*.* >

< %systemroot%\system32\rundll\*.* >

< %systemroot%\winn32\*.* >

< %systemroot%\Java\*.* >

< %systemroot%\system32\test\*.* >

< %systemroot%\system32\Rundll32\*.* >

< HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU >

< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs >
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install\\LastSuccessTime: 2012-04-14 07:02:36

< %USERPROFILE%\..|smtmp;true;true;true /FP >

< %temp%\smtmp\*.* /s > >

< MD5 for: EXPLORER.EXE >
[2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\explorer.exe
[2008/04/13 20:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) MD5=12896823FB95BFB3DC9B46BCAEDC9923 -- C:\WINDOWS\ServicePackFiles\i386\explorer.exe
[2004/08/04 08:00:00 | 001,032,192 | ---- | M] (Microsoft Corporation) MD5=A0732187050030AE399B241436565E64 -- C:\WINDOWS\$NtServicePackUninstall$\explorer.exe

< MD5 for: EXPLORER.SCF >
[2004/08/04 08:00:00 | 000,000,080 | ---- | M] () MD5=A3975A7D2C98B30A2AE010754FFB9392 -- C:\WINDOWS\explorer.scf

< MD5 for: IEXPLORE.CHM >
[2009/02/21 01:21:24 | 000,529,818 | ---- | M] () MD5=1435F4731719DF5F57D17DC38196245D -- C:\WINDOWS\Help\iexplore.chm
[2004/08/04 08:00:00 | 000,204,810 | ---- | M] () MD5=60858526AAD1CC55F5F0055B8E3B66FE -- C:\WINDOWS\ie8\iexplore.chm

< MD5 for: IEXPLORE.EXE >
[2012/04/04 15:56:38 | 000,199,240 | ---- | M] () MD5=097D0E812D7A9A3101CE46CB2BE0474D -- C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\iexplore.exe
[2008/04/13 20:12:22 | 000,093,184 | ---- | M] (Microsoft Corporation) MD5=55794B97A7FAABD2910873C85274F409 -- C:\WINDOWS\ServicePackFiles\i386\iexplore.exe
[2009/03/08 14:09:26 | 000,638,816 | ---- | M] (Microsoft Corporation) MD5=B60DDDD2D63CE41CB8C487FCFBB6419E -- C:\Program Files\Internet Explorer\iexplore.exe
[2009/03/08 14:09:26 | 000,638,816 | ---- | M] (Microsoft Corporation) MD5=B60DDDD2D63CE41CB8C487FCFBB6419E -- C:\WINDOWS\system32\dllcache\iexplore.exe
[2004/08/04 08:00:00 | 000,093,184 | ---- | M] (Microsoft Corporation) MD5=E7484514C0464642BE7B4DC2689354C8 -- C:\WINDOWS\ie8\iexplore.exe

< MD5 for: IEXPLORE.EXE.MUI >
[2009/03/08 14:21:44 | 000,012,288 | ---- | M] (Microsoft Corporation) MD5=943030B55FDB56FB8B8FCC086071E119 -- C:\Program Files\Internet Explorer\en-US\iexplore.exe.mui
[2009/03/08 14:21:44 | 000,012,288 | ---- | M] (Microsoft Corporation) MD5=943030B55FDB56FB8B8FCC086071E119 -- C:\Program Files\Internet Explorer\iexplore.exe.mui

< MD5 for: IEXPLORE.EXE-27122324.PF >
[2012/04/15 12:47:13 | 000,103,924 | ---- | M] () MD5=346AAC5EB2394923FF12C1417A176390 -- C:\WINDOWS\Prefetch\IEXPLORE.EXE-27122324.pf

< MD5 for: IEXPLORE.HLP >
[2004/08/04 08:00:00 | 000,180,335 | ---- | M] () MD5=3F19AF1B745140DAFAC6F78F561A3C62 -- C:\WINDOWS\Help\iexplore.hlp

< MD5 for: WINLOGON.EXE >
[2004/08/04 08:00:00 | 000,502,272 | ---- | M] (Microsoft Corporation) MD5=01C3346C241652F43AED8E2149881BFE -- C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe
[2012/04/04 15:56:38 | 000,199,240 | ---- | M] () MD5=097D0E812D7A9A3101CE46CB2BE0474D -- C:\Program Files\Malwarebytes' Anti-Malware\Chameleon\winlogon.exe
[2008/04/13 20:12:39 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\ServicePackFiles\i386\winlogon.exe
[2008/04/13 20:12:39 | 000,507,904 | ---- | M] (Microsoft Corporation) MD5=ED0EF0A136DEC83DF69F04118870003E -- C:\WINDOWS\system32\winlogon.exe

< >

< End of report >

OTL Extras logfile created on: 4/15/2012 12:51:58 PM - Run 1
OTL by OldTimer - Version 3.2.39.2 Folder = C:\Documents and Settings\Home\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1014.05 Mb Total Physical Memory | 577.56 Mb Available Physical Memory | 56.96% Memory free
2.38 Gb Paging File | 2.07 Gb Available in Paging File | 86.73% Paging File free
Paging file location(s): C:\pagefile.sys 1524 3048 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.26 Gb Total Space | 19.40 Gb Free Space | 52.06% Space Free | Partition Type: NTFS

Computer Name: 8G77SC1 | User Name: Home | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe" = C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:*:Enabled:McAfee Network Agent


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{04410044-9149-45C6-A806-F2BF9CFCE762}" = Microsoft Encarta Encyclopedia Standard 2004
"{05BFB060-4F22-4710-B0A2-2801A1B606C5}" = Microsoft Antimalware
"{26A24AE4-039D-4CA4-87B4-2F83216014FF}" = Java(TM) 6 Update 30
"{33BEE6F3-9987-4F98-A069-97A64EC8321A}" = Microsoft Works Suite Add-in for Microsoft Word
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{54B6DC7D-8C5B-4DFB-BC15-C010A3326B2B}" = Microsoft Security Client
"{6421F085-1FAA-DE13-D02A-CFB412C522A4}" = Acrobat.com
"{69995C7A-062A-4A90-A4DF-8C22895DF522}" = iTunes
"{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}" = Apple Software Update
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel(R) Graphics Media Accelerator Driver
"{90120000-0010-0409-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (English) 12
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_HOMESTUDENTR_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_HOMESTUDENTR_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_HOMESTUDENTR_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_HOMESTUDENTR_{1FF96026-A04A-4C3E-B50A-BB7022654D0F}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_HOMESTUDENTR_{71F055E8-E2C6-4214-BB3D-BFE03561B89E}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_HOMESTUDENTR_{2314F9A1-126F-45CC-8A5E-DFAF866F3FBC}" = Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_HOMESTUDENTR_{98333358-268C-4164-B6D4-C96DF5153727}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_HOMESTUDENTR_{AAA19365-932B-49BD-8138-BE28CEE9C4B4}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_HOMESTUDENTR_{98333358-268C-4164-B6D4-C96DF5153727}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{90140000-2005-0000-0000-0000000FF1CE}" = Microsoft Office File Validation Add-In
"{91120000-002F-0000-0000-0000000FF1CE}" = Microsoft Office Home and Student 2007
"{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{6E107EB7-8B55-48BF-ACCB-199F86A2CD93}" = Microsoft Office 2007 Service Pack 3 (SP3)
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}" = SigmaTel Audio
"{AC76BA86-7AD7-1033-7B44-A95000000001}" = Adobe Reader 9.5.1
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{B3575D00-27EF-49C2-B9E0-14B3D954E992}" = Apple Application Support
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B7F54262-AB66-44B3-88BF-9FC69941B643}" = Broadcom Gigabit Integrated Controller
"{B9966F27-9678-4620-9579-925E3084647E}" = Microsoft Works
"{C23CD6DA-1958-43A5-ADD0-59396572E02E}" = Apple Mobile Device Support
"{C9E14402-3631-4182-B377-6B0DFB1C0339}" = QuickTime
"{D03482C5-9AD8-496D-B388-692AE04C93AF}" = Bonjour
"{D78653C3-A8FF-415F-92E6-D774E634FF2D}" = Dell ResourceCD
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"Broadcom 802.11b Network Adapter" = Dell Wireless WLAN Card
"CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2BFA&SUBSYS_14F100C3" = Conexant HDA D110 MDC V.92 Modem
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"ESET Online Scanner" = ESET Online Scanner v3
"HOMESTUDENTR" = Microsoft Office Home and Student 2007
"ie8" = Windows Internet Explorer 8
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.61.0.1400
"Microsoft Security Client" = Microsoft Security Essentials
"Shockwave" = Shockwave
"Windows XP Service Pack" = Windows XP Service Pack 3
"Works2004Setup" = Microsoft Works 2004 Setup Launcher
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 4/7/2012 5:09:57 PM | Computer Name = 8G77SC1 | Source = EventSystem | ID = 4612
Description = The COM+ Event System ran out of memory during its internal processing,
at line 44 of d:\comxp_sp3\com\com1x\src\events\tier1\eventsystemobj.cp

Error - 4/7/2012 5:09:57 PM | Computer Name = 8G77SC1 | Source = EventSystem | ID = 4612
Description = The COM+ Event System ran out of memory during its internal processing,
at line 44 of d:\comxp_sp3\com\com1x\src\events\tier1\eventsystemobj.cp

Error - 4/10/2012 11:31:42 AM | Computer Name = 8G77SC1 | Source = EventSystem | ID = 4609
Description = The COM+ Event System detected a bad return code during its internal
processing. HRESULT was 800706BB from line 44 of d:\comxp_sp3\com\com1x\src\events\tier1\eventsystemobj.cpp.
Please contact Microsoft Product Support Services to report this erro

Error - 4/10/2012 11:32:08 AM | Computer Name = 8G77SC1 | Source = EventSystem | ID = 4609
Description = The COM+ Event System detected a bad return code during its internal
processing. HRESULT was 800706BB from line 44 of d:\comxp_sp3\com\com1x\src\events\tier1\eventsystemobj.cpp.
Please contact Microsoft Product Support Services to report this erro

Error - 4/11/2012 7:51:33 PM | Computer Name = 8G77SC1 | Source = Application Hang | ID = 1002
Description = Hanging application mbam.exe, version 1.60.0.80, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 4/12/2012 4:55:51 PM | Computer Name = 8G77SC1 | Source = MPSampleSubmission | ID = 5000
Description = EventType mptelemetry, P1 microsoft security essentials (edb4fa23-53b8-4afa-8c5d-99752cca7094),
P2 3.0.8402.0, P3 timeout, P4 1.1.8202.0, P5 fixed, P6 2 _ 1024, P7 5 _ not boot,
P8 NIL, P9 NIL, P10 NIL.

Error - 4/12/2012 5:03:55 PM | Computer Name = 8G77SC1 | Source = MPSampleSubmission | ID = 5000
Description = EventType mptelemetry, P1 microsoft security essentials (edb4fa23-53b8-4afa-8c5d-99752cca7094),
P2 3.0.8402.0, P3 timeout, P4 1.1.8202.0, P5 fixed, P6 2 _ 1024, P7 5 _ not boot,
P8 NIL, P9 NIL, P10 NIL.

Error - 4/12/2012 5:16:42 PM | Computer Name = 8G77SC1 | Source = MPSampleSubmission | ID = 5000
Description = EventType mptelemetry, P1 microsoft security essentials (edb4fa23-53b8-4afa-8c5d-99752cca7094),
P2 3.0.8402.0, P3 timeout, P4 1.1.8202.0, P5 fixed, P6 2 _ 1024, P7 5 _ not boot,
P8 NIL, P9 NIL, P10 NIL.

Error - 4/13/2012 8:20:39 AM | Computer Name = 8G77SC1 | Source = MPSampleSubmission | ID = 5000
Description = EventType mptelemetry, P1 microsoft security essentials (edb4fa23-53b8-4afa-8c5d-99752cca7094),
P2 3.0.8402.0, P3 timeout, P4 1.1.8202.0, P5 fixed, P6 2 _ 1024, P7 5 _ not boot,
P8 NIL, P9 NIL, P10 NIL.

Error - 4/13/2012 8:41:11 AM | Computer Name = 8G77SC1 | Source = EventSystem | ID = 4613
Description = The COM+ Event System detected an unexpected error from a Win32 API
call at line 819 of d:\comxp_sp3\com\com1x\src\events\tier2\notify.cpp. A call
to CreateThread failed with error code 8: "Not enough storage is available to process
this command. " Please contact Microsoft Product Support Services to report this
erro

[ OSession Events ]
Error - 1/12/2012 3:52:50 PM | Computer Name = 8G77SC1 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.6545.5000, Microsoft Office Version: 12.0.6425.1000. This session lasted 29
seconds with 0 seconds of active time. This session ended with a crash.

Error - 2/3/2012 4:38:19 PM | Computer Name = 8G77SC1 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 1, Application Name: Microsoft Office Excel, Application Version:
12.0.6654.5003, Microsoft Office Version: 12.0.6612.1000. This session lasted 4977
seconds with 0 seconds of active time. This session ended with a crash.

Error - 3/4/2012 8:59:04 PM | Computer Name = 8G77SC1 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.6612.1000, Microsoft Office Version: 12.0.6612.1000. This session lasted 92
seconds with 60 seconds of active time. This session ended with a crash.

Error - 3/4/2012 8:59:33 PM | Computer Name = 8G77SC1 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.6612.1000, Microsoft Office Version: 12.0.6612.1000. This session lasted 9
seconds with 0 seconds of active time. This session ended with a crash.

[ System Events ]
Error - 4/14/2012 7:57:42 PM | Computer Name = 8G77SC1 | Source = Service Control Manager | ID = 7031
Description = The Microsoft Antimalware Service service terminated unexpectedly.
It has done this 1 time(s). The following corrective action will be taken in
15000 milliseconds: Restart the service.

Error - 4/14/2012 7:57:42 PM | Computer Name = 8G77SC1 | Source = Service Control Manager | ID = 7031
Description = The Apple Mobile Device service terminated unexpectedly. It has done
this 1 time(s). The following corrective action will be taken in 60000 milliseconds:
Restart the service.

Error - 4/14/2012 7:57:42 PM | Computer Name = 8G77SC1 | Source = Service Control Manager | ID = 7034
Description = The Bonjour Service service terminated unexpectedly. It has done
this 1 time(s).

Error - 4/14/2012 7:57:42 PM | Computer Name = 8G77SC1 | Source = Service Control Manager | ID = 7034
Description = The Java Quick Starter service terminated unexpectedly. It has done
this 1 time(s).

Error - 4/14/2012 7:57:43 PM | Computer Name = 8G77SC1 | Source = Service Control Manager | ID = 7034
Description = The iPod Service service terminated unexpectedly. It has done this
1 time(s).

Error - 4/14/2012 8:08:55 PM | Computer Name = 8G77SC1 | Source = Service Control Manager | ID = 7000
Description = The Parallel port driver service failed to start due to the following
error: %%1058

Error - 4/14/2012 9:06:53 PM | Computer Name = 8G77SC1 | Source = Service Control Manager | ID = 7000
Description = The Parallel port driver service failed to start due to the following
error: %%1058

Error - 4/14/2012 9:17:56 PM | Computer Name = 8G77SC1 | Source = Service Control Manager | ID = 7000
Description = The Parallel port driver service failed to start due to the following
error: %%1058

Error - 4/15/2012 7:29:40 AM | Computer Name = 8G77SC1 | Source = Service Control Manager | ID = 7000
Description = The Parallel port driver service failed to start due to the following
error: %%1058

Error - 4/15/2012 10:37:58 AM | Computer Name = 8G77SC1 | Source = Service Control Manager | ID = 7000
Description = The Parallel port driver service failed to start due to the following
error: %%1058


< End of report >
oldman960
2012-04-16, 18:06
Hi mla34,

I don't see anything that should cause a problem with DDS. Let's have a look with another tool.

Please read through these instructions to familarize yourself with what to expect when this tool runs

Download ComboFix from one of these locations:

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.infospyware.net/antimalware/combofix/)

* IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : How to Disable your Security Programs (http://forums.whatthetech.com/How_to_Disable_your_Security_Programs_t96260.html)

Double click on ComboFix.exe & follow the prompts.

As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.


http://img.photobucket.com/albums/v706/ried7/RCUpdate1.png

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/RC2-1.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Notes:

1.Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3 CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
mla34
2012-04-16, 22:38
Hi, OM
Downloaded Combofix and followed instructions....ran it and it stalled, the clock stopped working, even though the cursor in the text box was flashing. After 20 minutes I tried to close it and everything froze, couldn't access my start button so had to hit the off switch. Rebooted and tried again, now the same thing. It has been "running" for 20 minutes but there is no progress in the text box, nothing that shows that anything is happening....not sure what to do from here....what do you suggest? Am I not waiting long enough, even though it says the scan usually runs no more than 10 minutes?
Thanks your your input!
oldman960
2012-04-17, 00:27
Hi mla34,

Try running it this way. Make sure combofix is on your desktop.

Click start > run. Copy and paste this into the run box and click ok

combofix /nombr
mla34
2012-04-17, 23:24
Ok, OM...this time it worked...not sure why there was a problem doing it the other way. Here are the results....the only fyi is that I had to reconnect to the internet and got a msg telling me that IE was not the default browser and did I want to make it so....not sure why that would have changed...
Anyway, let me know what you think the next step should be...thanks!

ComboFix 12-04-16.02 - Home 04/17/2012 16:34:32.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.469 [GMT -4:00]
Running from: c:\documents and settings\Home\Desktop\ComboFix.exe
Command switches used :: /nombr
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\Downloaded Program Files\popcaploader.dll
c:\windows\Downloaded Program Files\popcaploader.inf
c:\windows\EventSystem.log
c:\windows\system32\dllcache\dlimport.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-03-17 to 2012-04-17 )))))))))))))))))))))))))))))))
.
.
2012-04-17 20:32 . 2012-04-17 20:32 29904 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{949E2741-E44F-419E-8A8D-798E5612DD0C}\MpKsl942fd50b.sys
2012-04-17 19:45 . 2012-04-17 19:45 56200 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{949E2741-E44F-419E-8A8D-798E5612DD0C}\offreg.dll
2012-04-17 17:00 . 2012-03-14 02:15 6582328 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{949E2741-E44F-419E-8A8D-798E5612DD0C}\mpengine.dll
2012-04-10 18:41 . 2012-04-10 18:41 -------- d-----w- c:\documents and settings\Home\Application Data\Malwarebytes
2012-04-10 18:38 . 2012-04-10 18:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-04-10 18:38 . 2012-04-04 19:56 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-04-10 18:38 . 2012-04-10 18:41 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-04-09 21:44 . 2012-04-10 08:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2012-04-09 21:44 . 2012-04-09 21:47 -------- d-----w- c:\program files\Spybot - Search & Destroy
2012-04-09 21:36 . 2012-04-09 21:36 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2012-04-02 16:34 . 2012-04-02 16:34 -------- d-----w- c:\program files\Microsoft Silverlight
2012-03-26 15:41 . 2012-03-26 15:41 103864 ----a-w- c:\program files\Internet Explorer\PLUGINS\nppdf32.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-12 19:25 . 2012-04-12 19:25 3233 ----a-w- C:\attach.zip
2012-03-14 02:15 . 2011-11-23 14:35 6582328 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-03-01 11:01 . 2004-08-04 12:00 916992 ----a-w- c:\windows\system32\wininet.dll
2012-03-01 11:01 . 2004-08-04 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-03-01 11:01 . 2004-08-04 12:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2012-02-29 14:10 . 2010-04-05 19:57 177664 ----a-w- c:\windows\system32\wintrust.dll
2012-02-29 14:10 . 2010-04-05 19:57 148480 ----a-w- c:\windows\system32\imagehlp.dll
2012-02-29 12:17 . 2004-08-04 12:00 385024 ----a-w- c:\windows\system32\html.iec
2012-02-07 15:02 . 2012-02-07 15:02 1070352 ----a-w- c:\windows\system32\MSCOMCTL.OCX
2012-02-03 09:22 . 2010-04-05 19:57 1860096 ----a-w- c:\windows\system32\win32k.sys
2012-01-31 12:44 . 2010-04-05 21:27 237072 ------w- c:\windows\system32\MpSigStub.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-13 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-13 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-12-13 118784]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2005-12-19 1347584]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 282624]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-07-05 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-08-19 421736]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-03-27 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2011-07-27 434080]
.
c:\documents and settings\Home\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
R1 MpKsl942fd50b;MpKsl942fd50b;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{949E2741-E44F-419E-8A8D-798E5612DD0C}\MpKsl942fd50b.sys [4/17/2012 4:32 PM 29904]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MPKSL942FD50B
.
Contents of the 'Scheduled Tasks' folder
.
2012-04-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 21:57]
.
2012-04-17 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2011-04-27 19:39]
.
2012-04-17 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAEXEC.exe [2009-08-03 19:07]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.comcast.net/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_70C5B381380DB17F.dll/cmsidewiki.html
TCP: DhcpNameServer = 192.168.1.1
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-mcmscsvc
SafeBoot-MCODS
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-04-17 16:41
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(880)
c:\windows\System32\BCMLogon.dll
.
Completion time: 2012-04-17 16:43:54
ComboFix-quarantined-files.txt 2012-04-17 20:43
.
Pre-Run: 20,608,397,312 bytes free
Post-Run: 21,029,093,376 bytes free
.
- - End Of File - - 1DEBB42C02E02C2FC825EEC0BC63AD7E
oldman960
2012-04-18, 03:27
Hi mla34,

When combofix runs it sets a few things back to default so what you saw was normal. Combofix and DDs seem to have had a problem with the MBR. That happens some times.

Let's have another look with aswMBR. Run it like you did last time and post the log along with the mbr.dat that will be produced. The mbr.dat will need to be attached.
mla34
2012-04-18, 16:41
Here you go....
aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-04-18 10:04:43
-----------------------------
10:04:43.984 OS Version: Windows 5.1.2600 Service Pack 3
10:04:43.984 Number of processors: 2 586 0xF02
10:04:43.984 ComputerName: 8G77SC1 UserName: Home
10:04:44.875 Initialize success
10:08:35.062 AVAST engine defs: 12041800
10:10:26.484 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
10:10:26.484 Disk 0 Vendor: ST94813AS 8.04 Size: 38154MB BusType: 3
10:10:26.484 Disk 0 MBR read successfully
10:10:26.484 Disk 0 MBR scan
10:10:26.562 Disk 0 Windows XP default MBR code
10:10:26.578 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 38154 MB offset 63
10:10:26.578 Disk 0 scanning sectors +78140160
10:10:27.093 Disk 0 scanning C:\WINDOWS\system32\drivers
10:10:49.609 Service scanning
10:10:59.453 Service MpKsl9982ab46 c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B4B1E6A6-FAD5-4857-9A60-E4BCF22CA4D5}\MpKsl9982ab46.sys **LOCKED** 32
10:11:11.250 Modules scanning
10:11:17.703 Disk 0 trace - called modules:
10:11:17.734 ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
10:11:17.734 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86d44030]
10:11:17.750 3 CLASSPNP.SYS[f757efd7] -> nt!IofCallDriver -> \Device\00000074[0x86d0b9e8]
10:11:17.750 5 ACPI.sys[f7415620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x86d0bd98]
10:11:18.140 AVAST engine scan C:\WINDOWS
10:11:37.921 AVAST engine scan C:\WINDOWS\system32
10:14:33.500 AVAST engine scan C:\WINDOWS\system32\drivers
10:14:54.937 AVAST engine scan C:\Documents and Settings\Home
10:15:18.890 File: C:\Documents and Settings\Home\Application Data\Office Genuine Advantage\Office Genuine Advantage\afxjahc.dll **INFECTED** Win32:Trojan-gen
10:21:56.375 AVAST engine scan C:\Documents and Settings\All Users
10:22:28.437 Scan finished successfully
10:37:39.968 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Home\Desktop\MBR.dat"
10:37:39.984 The log file has been saved successfully to "C:\Documents and Settings\Home\Desktop\aswMBR2.txt"
oldman960
2012-04-19, 01:03
Hi mla34,

I think we can clean up the tools as your computer appears to be clean.

From your desktop, please delete, if present
any notepads/logs that we created
TDSSKiller
aswMBR.exe
mbr.dat
mbr.zip
DDS.scr
You can also delete this file C:\TDSSKiller.[Version]_[Date]_[Time]_log.txt along with this folder C:\TDSSKiller_Quarantine

Next

Click the Start button, click Run. Copy and paste the following line into the run box and click OK

Combofix /uninstall

Next

Open OTL then click the Clean Up button. You may get prompted by your firewall that OTL wants to contact the internet - allow this. A cleanup.txt will be downloaded, a message dialog will ask you if you want to proceed with the cleanup process, click Yes. This will do some clean up tasks and delete some of the tools you have downloaded plus itself.

You can keep TFC, use it occasionally to clean out the temp files.

I suggest you keep MBAM. Keep it updated and use it regularly.

Updates and upgrades

Your java is out of date. Click your start button, open Control panel.
Locate the Java icon (it looks like a coffee cup)
double click it to open it
click the Update tab
Click update now
Decline the Ask Tool bar when it's offered during the update.

After the java is updated, reboot your computer if not prompted to.

Next, clear the java cache

To clear the Java Plug-in cache: Click Start > Control Panel.
Double-click the Java icon in the control panel.
On the General tab, Click Settings under Temporary Internet Files.
On the Temporary Files Settings screen, Click Delete Files.
check all boxes
Click OK


Adobe Reader

You have an older version of Adobe Reader. You can download the current version HERE (http://www.adobe.com/products/acrobat/readstep2.html)

You may want to consider Foxit Reader (http://www.foxitsoftware.com/downloads/index.php) instead. It may be a bit lighter on resources. If you chose to use FoxIt decline the Foxit Toolbar offered during the install.

Visit their support forum
Foxit Forum (http://www.foxitsoftware.com/bbs/forumdisplay.php?f=3)

In either case you should uninstall Adobe Reader 9.5.0 first. Be sure to move any PDF documents to another folder first though.

Some Recommendations and prevention tips

Basic security consists of 1 antivirus program, 1 resident antispyware program, 1 on demand antispyware program and a firewall. Just add a firewall to what you have.

* If you are behind a router Windows firewall should be fine. Otherwise a 3rd party firewall with outbound monitoring is recommended.

Click FIREWALL (http://www.bleepingcomputer.com/forums/tutorial60.html) for links and tutorials to good, free and paid for firewalls. (Note: Zone Alarm is becoming bloatware)

You should also use Spyware Blaster (http://www.javacoolsoftware.com/spywareblaster.html) to help immunize your computer.

- SpywareBlaster will add a large list of programs and sites into your Internet Explorer
settings that will protect you from running and downloading known malicious programs.

OR

A guide to understanding and using the hosts file.

Learn how your Hosts file can protect you and how you can protect it.
Besides the Hosts file information, there are links to a very good updated hosts file, a host file manager. and some programs that can protect your hosts file.
HOSTS (http://www.mvps.org/winhelp2002/hosts.htm)

Please read the info on disabling the DNS Client before installing a custom hosts file.

-Secure your Internet Explorer

From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.

- Keeping your Windows up-to-date is crucial to your computer's security. Please go to the Windows Update Site (http://www.update.microsoft.com/windowsupdate/v6/default.aspx?ln=en-us)(using Internet Explorer) and download and install all critical updates on a regular basis

- Make sure you have reset Automatic Updates to your chosen option Click your start button > Control Panel > System > Automatic updates tab

- Keep your antivirus program updated, as well as any other security programs you have.

-More tips and programs can be found HERE (http://forums.whatthetech.com/Preventing_Malware_Tools_Practices_Safe_Computing_t98700.html)

Please post back if you have any problems.

Take care
mla34
2012-04-20, 00:40
Hi, OM,
You gave me quite a bit of homework...lol...but it's all done. I can't thank you enough for your professional help and guidance with the issues on this laptop and I certainly could not have done all of this without your help! All seems to be fine now! I will be making another donation to show my appreciation! Thanks again!:thanks:
oldman960
2012-04-20, 01:56
Hi mla34,

You are more than welcome. And Thank You!

Take care, keep safe.
oldman960
2012-04-21, 00:09
Since this issue appears to be resolved ... this Topic has been closed.