Troj/ZbotMem-B
plooploo
2012-04-29, 06:33
Hello, I am looking for assistance with my parents' computer, which seems to be infected with a virus, Troj/ZbotMem-B. According to Sophos, which detected the virus, only manual removal is possible (no quarantine or other action was performed by Sophos to the best of my knowledge). Scrolling up in the Sophos log, it appears that Troj/EncProc-B was also detected and removed, and Mal/Generic-S was detected once and quarantined. All of these positive findings appear in the logs from 4/22/12; prior to that there were no known issues with this computer.
Symptoms: some random redirects in IE e.g. Happilli, difficulty accessing this forum, difficulty accessing Sophos websites - intermittently
Spybot - no detected issues, Teatimer disabled.
Registry backed up with ERUNT
No known attempt at further removal other than what Sophos tried to do automatically.
Thank you so much for your time and your help!
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_26
Run by Mom and Dad at 22:27:33 on 2012-04-28
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3037.1765 [GMT -5:00]
.
AV: Sophos Anti-Virus *Enabled/Updated* {479CCF92-4960-B3E0-7373-BF453B467D2C}
SP: Sophos Anti-Virus *Enabled/Updated* {FCFD2E76-6F5A-BC6E-49C3-843740C13791}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskhost.exe
C:\Windows\System32\svchost.exe -k NetworkService
C:\Program Files\Realtek\Audio\HDA\AERTSrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Broadcom\BPowMon\BPowMon.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\Program Files\Microsoft Application Virtualization Client\sftvsa.exe
C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\Program Files\Sophos\Remote Management System\RouterNT.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Sophos\Sophos Anti-Virus\Web Intelligence\swi_service.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files\Microsoft Application Virtualization Client\sftlist.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\dell\DBRM\Reminder\DbrmTrayicon.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\Pure Networks\Network Magic\nmapp.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\LifeScan\OneTouchDMSPro\Bin\SnapShot.exe
C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Common Files\Apple\Internet Services\ubd.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Users\Mom and Dad\AppData\Local\dplaysvr.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Program Files\Common Files\Apple\Apple Application Support\distnoted.exe
C:\Windows\system32\conhost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\sppsvc.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\conhost.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: TmIEPlugInBHO Class: {1ca1377b-dc1d-4a52-9585-6e06050fac53} - c:\program files\trend micro\client server security agent\bho\1009\TmIEPlg.dll
BHO: Sophos Web Content Scanner: {39ea7695-b3f2-4c44-a4bc-297ada8fd235} - c:\program files\sophos\sophos anti-virus\SophosBHO.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Windows Live Messenger Companion Helper: {9fdde16b-836f-4806-ab1f-1455cbeff289} - c:\program files\windows live\companion\companioncore.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [Google Update] "c:\users\mom and dad\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [MobileDocuments] c:\program files\common files\apple\internet services\ubd.exe
uRun: [opcfg] rundll32.exe "c:\users\momand~1\appdata\local\temp\opcfg.dll",SaveMeshHierarchyToFileW
uRun: [MFADTSHandler] rundll32.exe "c:\users\mom and dad\appdata\local\mf\MFADTSHandler.dll",wmain
uRun: [Ufzeufpafo] "c:\users\mom and dad\appdata\roaming\buluas\ynas.exe"
uRun: [rtogbs] rundll32.exe "c:\users\momand~1\appdata\local\temp\rtogbs.dll",D3D10ResourceGetMappedPitch
uRun: [dplaysvr] c:\users\mom and dad\appdata\local\dplaysvr.exe
mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe -s
mRun: [DBRMTray] c:\dell\dbrm\reminder\DbrmTrayIcon.exe
mRun: [nmctxth] "c:\program files\common files\pure networks shared\platform\nmctxth.exe"
mRun: [nmapp] "c:\program files\pure networks\network magic\nmapp.exe" -autorun -nosplash
mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
mRun: [Sophos AutoUpdate Monitor] c:\program files\sophos\autoupdate\almon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [LFS-SnapShot] c:\program files\lifescan\onetouchdmspro\bin\SnapShot.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRunOnce: [DBRMTray] c:\dell\dbrm\reminder\TrayApp.exe
StartupFolder: c:\users\momand~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: EnableLinkedConnections = 1 (0x1)
IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - c:\program files\windows live\companion\companioncore.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: c:\programdata\sophos web intelligence\swi_lsp.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://utswra.swmed.edu/dana-cached/sc/JuniperSetupClient.cab
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{214D11F4-7E50-41CD-9503-3907EC4F40AA} : DhcpNameServer = 68.94.156.1 151.164.8.201
TCP: Interfaces\{460FCA68-077C-4CA1-B7FB-A8FDBD8E5A0C} : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{823D521D-5484-41F1-8A1D-DEC6D3DFD6D9} : DhcpNameServer = 68.94.156.1 151.164.8.201
TCP: Interfaces\{9736988B-7442-414B-A74F-E9452DED24CA} : DhcpNameServer = 192.168.1.254
TCP: Interfaces\{9A4C7A79-523F-4C81-94D1-12B9D2B624BE} : DhcpNameServer = 192.168.0.1
TCP: Interfaces\{BF61424D-8977-4C7A-BCB3-81FC26A7ED74} : DhcpNameServer = 192.168.0.1
TCP: Interfaces\{CB7A7CD2-4993-48B4-A06A-3B1A2B4FF34C} : DhcpNameServer = 192.168.1.254
TCP: Interfaces\{D9A85ECF-4E08-49E6-B123-548B11110C6D} : DhcpNameServer = 68.94.156.1 151.164.8.201
TCP: Interfaces\{D9A85ECF-4E08-49E6-B123-548B11110C6D}\97F6378696 : DhcpNameServer = 192.168.2.1 68.94.156.1 151.164.8.201
Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\platform\puresp4.dll
Handler: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} - c:\program files\trend micro\client server security agent\bho\1009\TmIEPlg.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\615\G2AWinLogon.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\progra~1\sophos\sophos~1\SOPHOS~1.DLL
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\mom and dad\appdata\roaming\mozilla\firefox\profiles\7pnbjaan.default\
FF - plugin: c:\progra~1\micros~2\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\users\mom and dad\appdata\local\google\update\1.3.21.57\npGoogleUpdate3.dll
FF - plugin: c:\users\mom and dad\appdata\roaming\mozilla\plugins\npicaN.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
.
============= SERVICES / DRIVERS ===============
.
R1 SAVOnAccess;SAVOnAccess;c:\windows\system32\drivers\savonaccess.sys [2011-7-2 122360]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]
R2 AERTFilters;Andrea RT Filters Service;c:\program files\realtek\audio\hda\AERTSrv.exe [2010-12-14 81920]
R2 BPowMon;Broadcom Power monitoring service;c:\program files\broadcom\bpowmon\BPowMon.exe [2009-8-17 79168]
R2 cvhsvc;Client Virtualization Handler;c:\program files\common files\microsoft shared\virtualization handler\CVHSVC.EXE [2012-1-4 822624]
R2 SAVAdminService;Sophos Anti-Virus status reporter;c:\program files\sophos\sophos anti-virus\SAVAdminService.exe [2011-7-2 163056]
R2 SAVService;Sophos Anti-Virus;c:\program files\sophos\sophos anti-virus\SavService.exe [2011-7-2 97520]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2010-12-22 1153368]
R2 sftlist;Application Virtualization Client;c:\program files\microsoft application virtualization client\sftlist.exe [2011-10-1 508776]
R2 Sophos Agent;Sophos Agent;c:\program files\sophos\remote management system\ManagementAgentNT.exe [2011-7-2 282624]
R2 Sophos AutoUpdate Service;Sophos AutoUpdate Service;c:\program files\sophos\autoupdate\ALsvc.exe [2010-9-30 230640]
R2 Sophos Message Router;Sophos Message Router;c:\program files\sophos\remote management system\RouterNT.exe [2011-7-2 806912]
R2 swi_service;Sophos Web Intelligence Service;c:\program files\sophos\sophos anti-virus\web intelligence\swi_service.exe [2012-4-8 1543704]
R3 k57nd60x;Broadcom NetLink (TM) Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\k57nd60x.sys [2010-12-14 273960]
R3 netr28u;Linksys USB Wireless LAN Card Driver for Vista;c:\windows\system32\drivers\netr28u.sys [2010-1-15 841504]
R3 Sftfs;Sftfs;c:\windows\system32\drivers\Sftfslh.sys [2011-10-1 579944]
R3 Sftplay;Sftplay;c:\windows\system32\drivers\Sftplaylh.sys [2011-10-1 194408]
R3 Sftredir;Sftredir;c:\windows\system32\drivers\Sftredirlh.sys [2011-10-1 21864]
R3 Sftvol;Sftvol;c:\windows\system32\drivers\Sftvollh.sys [2011-10-1 19304]
R3 sftvsa;Application Virtualization Service Agent;c:\program files\microsoft application virtualization client\sftvsa.exe [2011-10-1 219496]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\drivers\vwifimp.sys [2009-7-13 14336]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-8 253088]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
S3 PCDSRVC{E9D79540-57D5953E-06020101}_0;PCDSRVC{E9D79540-57D5953E-06020101}_0 - PCDR Kernel Mode Service Helper Driver;c:\program files\dell support center\pcdsrvc.pkms [2010-7-30 21744]
S3 sdcfilter;sdcfilter;c:\windows\system32\drivers\sdcfilter.sys [2011-7-2 23928]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-3-13 52224]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-12-22 1343400]
S4 SophosBootDriver;SophosBootDriver;c:\windows\system32\drivers\SophosBootDriver.sys [2011-7-2 22536]
S4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\windows live\mesh\wlcrasvc.exe [2010-9-22 51040]
.
=============== Created Last 30 ================
.
2012-04-27 11:48:51 6734704 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{5c4a6faf-053f-4cb5-9a01-a91656a8cdc4}\mpengine.dll
2012-04-22 14:05:45 43616 --sh--w- c:\users\mom and dad\appdata\local\dplayx.dll
2012-04-22 14:05:44 84064 --sh--w- c:\users\mom and dad\appdata\local\dplaysvr.exe
2012-04-22 13:59:15 -------- d-----w- c:\users\mom and dad\appdata\local\{538CACED-8C83-11E1-826D-B8AC6F996F26}
2012-04-22 13:59:15 -------- d-----w- c:\users\mom and dad\appdata\local\{538C6839-8C83-11E1-826D-B8AC6F996F26}
2012-04-22 13:58:30 -------- d-----w- c:\users\mom and dad\appdata\roaming\Fine
2012-04-22 13:58:30 -------- d-----w- c:\users\mom and dad\appdata\roaming\Domii
2012-04-22 13:58:30 -------- d-----w- c:\users\mom and dad\appdata\roaming\Buluas
2012-04-22 13:58:28 -------- d-----w- c:\users\mom and dad\appdata\local\MF
2012-04-12 08:01:30 5120 ----a-w- c:\windows\system32\wmi.dll
2012-04-12 08:01:30 19824 ----a-w- c:\windows\system32\drivers\fs_rec.sys
2012-04-12 08:01:30 172544 ----a-w- c:\windows\system32\wintrust.dll
2012-04-12 08:01:30 159232 ----a-w- c:\windows\system32\imagehlp.dll
2012-04-12 08:00:41 3968368 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-04-12 08:00:41 3913072 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-04-08 23:55:55 418464 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-04-08 23:42:30 -------- d-----w- c:\program files\iPod
2012-04-08 23:42:29 -------- d-----w- c:\program files\iTunes
.
==================== Find3M ====================
.
2012-04-19 13:35:47 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-02-28 01:18:55 1799168 ----a-w- c:\windows\system32\jscript9.dll
2012-02-28 01:11:21 1427456 ----a-w- c:\windows\system32\inetcpl.cpl
2012-02-28 01:11:07 1127424 ----a-w- c:\windows\system32\wininet.dll
2012-02-28 01:03:16 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-02-23 15:18:36 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-02-17 05:34:22 826880 ----a-w- c:\windows\system32\rdpcore.dll
2012-02-17 04:14:08 183808 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-02-17 04:13:22 24576 ----a-w- c:\windows\system32\drivers\tdtcp.sys
2012-02-15 16:01:50 4547944 ----a-w- c:\windows\system32\usbaaplrc.dll
2012-02-15 16:01:50 43520 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2012-02-10 05:38:43 1077248 ----a-w- c:\windows\system32\DWrite.dll
2012-02-03 03:54:27 2343424 ----a-w- c:\windows\system32\win32k.sys
.
============= FINISH: 22:28:51.35 ===============
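A defender reading the Pseudo HJT Report above wants to pick out the autostart entries that run from user-writable locations, which is where the entries Sophos could not clean up sit. The following Python script is an added example (it is not part of the thread and is not a DDS, Sophos or ComboFix tool): it parses uRun/mRun lines of the kind shown in the log, resolves rundll32 entries to the DLL they actually load, and flags payloads that live under Temp or AppData. The six sample lines are copied from the log above; the signal wording and the AutostartEntry structure are my own.

```python
"""Triage helper for DDS 'Pseudo HJT Report' autostart lines (added example)."""
import re
from dataclasses import dataclass, field
from typing import Iterable, List, Optional

# Constructed sample input: six Run entries copied from the DDS log above
# (uRun = HKCU\...\Run, mRun = HKLM\...\Run).
SAMPLE_LINES = r"""
uRun: [Google Update] "c:\users\mom and dad\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [opcfg] rundll32.exe "c:\users\momand~1\appdata\local\temp\opcfg.dll",SaveMeshHierarchyToFileW
uRun: [Ufzeufpafo] "c:\users\mom and dad\appdata\roaming\buluas\ynas.exe"
uRun: [dplaysvr] c:\users\mom and dad\appdata\local\dplaysvr.exe
mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe -s
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
""".strip().splitlines()

RUN_LINE = re.compile(r"^(?P<hive>[um])Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
HIVES = {"u": "HKCU", "m": "HKLM"}


@dataclass
class AutostartEntry:
    hive: str
    name: str
    image: str      # program that Windows launches
    payload: str    # file whose code really runs (the DLL when image is rundll32)
    args: str
    reasons: List[str] = field(default_factory=list)


def split_command(cmd: str):
    """Split a Run value into (program path, arguments).

    DDS prints unquoted paths that contain spaces, so when the command is not
    quoted the program path is taken up to the first '.exe' token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.index('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    m = re.match(r"(.+?\.exe)\b(.*)$", cmd, re.IGNORECASE)
    if m:
        return m.group(1), m.group(2).strip()
    return cmd, ""


def parse_entry(line: str) -> Optional[AutostartEntry]:
    """Parse one uRun/mRun line; return None for lines of other kinds."""
    m = RUN_LINE.match(line.strip())
    if not m:
        return None
    image, args = split_command(m.group("cmd"))
    payload = image
    # rundll32.exe is only a host: the code that runs is the quoted DLL.
    if image.lower().endswith("rundll32.exe"):
        dll = re.match(r'"([^"]+\.dll)"', args, re.IGNORECASE)
        if dll:
            payload = dll.group(1)
    return AutostartEntry(HIVES[m.group("hive")], m.group("name"), image, payload, args)


def assess(entry: AutostartEntry) -> AutostartEntry:
    """Attach suspicion signals based on where the payload lives and how it is loaded."""
    p = entry.payload.lower()
    if entry.payload != entry.image:
        entry.reasons.append("DLL loaded through a rundll32 export")
    if "\\temp\\" in p:
        entry.reasons.append("runs from a Temp directory")
    elif "\\appdata\\" in p:
        entry.reasons.append("runs from the user profile (AppData)")
    return entry


def triage(lines: Iterable[str]) -> List[AutostartEntry]:
    """Return the Run entries that carry at least one suspicion signal."""
    flagged = []
    for line in lines:
        entry = parse_entry(line)
        if entry is not None and assess(entry).reasons:
            flagged.append(entry)
    return flagged


if __name__ == "__main__":
    for e in triage(SAMPLE_LINES):
        print(f"{e.hive} [{e.name}] {e.payload}")
        print("    " + "; ".join(e.reasons))
```

Run on the sample it reports four entries. Three of them (the rundll32 export from Temp, the randomly named exe under Roaming, and the exe dropped directly in AppData\Local) are exactly the files the ComboFix log further down lists under Other Deletions. The fourth, GoogleUpdate.exe, shows why the profile-path signal alone is weak: legitimate per-user updaters live in AppData too, so a hit with only that reason should be checked against the vendor and its file signature rather than removed on sight.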
shelf life
2012-05-02, 23:38
hi,
Based on the log you posted, you do have malware on the machine. Your log is several days old. If you still need help, simply reply back. You shouldn't use the computer until it's clean, and it shouldn't have any network connectivity. If you're not sure how to stop this, then just power it off.
plooploo
2012-05-03, 02:53
Thank you for your reply. Yes, I do need help cleaning the malware from this system. It has been off since I posted the log; I was awaiting my turn. Thanks for any assistance you can provide, I will await further instructions.
shelf life
2012-05-03, 04:26
OK, we can start with ComboFix. There is a guide to read first. Read through the guide, then download ComboFix to the compromised machine and apply the directions from the guide. Post the ComboFix log and we will go from there. I will not be back online for 16-18 hrs.
Guide to using Combofix (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)
plooploo
2012-05-03, 14:51
Thanks for your help. I will not be able to get to this machine until this weekend, will run Combofix and post the log as soon as I can. Thanks for your patience and please do not close this thread, thanks!
shelf life
2012-05-04, 00:39
OK. No problem.
plooploo
2012-05-11, 06:17
I have run ComboFix per instructions, here is the log. Apologies for the delay, I was not able to make it to the machine until now. It has been powered off since my initial post.
Thanks again for all your time and help!
-----------------------
ComboFix 12-05-10.05 - Mom and Dad 05/10/2012 21:57:55.1.2 - x86
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3037.2031 [GMT -5:00]
Running from: c:\users\Mom and Dad\Desktop\ComboFix.exe
AV: Sophos Anti-Virus *Enabled/Outdated* {479CCF92-4960-B3E0-7373-BF453B467D2C}
SP: Sophos Anti-Virus *Enabled/Outdated* {FCFD2E76-6F5A-BC6E-49C3-843740C13791}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Mom and Dad\AppData\Local\dplaysvr.exe
c:\users\Mom and Dad\AppData\Local\MF\MFADTSHandler.dll
c:\users\Mom and Dad\AppData\Roaming\Buluas
c:\users\Mom and Dad\AppData\Roaming\Buluas\ynas.exe
c:\users\MOMAND~1\AppData\Local\Temp\opcfg.dll
c:\users\MOMAND~1\AppData\Local\Temp\rtogbs.dll
c:\windows\security\Database\tmp.edb
.
.
((((((((((((((((((((((((( Files Created from 2012-04-11 to 2012-05-11 )))))))))))))))))))))))))))))))
.
.
2012-05-11 03:08 . 2012-05-11 03:09 -------- d-----w- c:\users\Mom and Dad\AppData\Local\temp
2012-05-11 03:08 . 2012-05-11 03:08 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-05-05 12:10 . 2012-04-13 07:36 6734704 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{3DC24D6F-5CE4-4C5B-8109-555FA67192C7}\mpengine.dll
2012-04-29 02:27 . 2012-04-29 02:27 -------- d-----w- c:\program files\ERUNT
2012-04-22 13:59 . 2012-04-22 13:59 -------- d-----w- c:\users\Mom and Dad\AppData\Local\{538CACED-8C83-11E1-826D-B8AC6F996F26}
2012-04-22 13:59 . 2012-04-22 13:59 -------- d-----w- c:\users\Mom and Dad\AppData\Local\{538C6839-8C83-11E1-826D-B8AC6F996F26}
2012-04-22 13:58 . 2012-05-11 02:38 -------- d-----w- c:\users\Mom and Dad\AppData\Roaming\Domii
2012-04-22 13:58 . 2012-04-22 13:58 -------- d-----w- c:\users\Mom and Dad\AppData\Roaming\Fine
2012-04-22 13:58 . 2012-05-11 03:07 -------- d-----w- c:\users\Mom and Dad\AppData\Local\MF
2012-04-12 08:01 . 2012-03-01 05:46 19824 ----a-w- c:\windows\system32\drivers\fs_rec.sys
2012-04-12 08:01 . 2012-03-01 05:37 172544 ----a-w- c:\windows\system32\wintrust.dll
2012-04-12 08:01 . 2012-03-01 05:33 159232 ----a-w- c:\windows\system32\imagehlp.dll
2012-04-12 08:01 . 2012-03-01 05:29 5120 ----a-w- c:\windows\system32\wmi.dll
2012-04-12 08:00 . 2012-03-06 05:59 3968368 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-04-12 08:00 . 2012-03-06 05:59 3913072 ----a-w- c:\windows\system32\ntoskrnl.exe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-05-05 22:43 . 2012-04-08 23:55 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-05-05 22:43 . 2011-06-17 11:47 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-02-23 15:18 . 2010-12-22 19:37 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-02-17 05:34 . 2012-03-14 12:13 826880 ----a-w- c:\windows\system32\rdpcore.dll
2012-02-17 04:14 . 2012-03-14 12:13 183808 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-02-17 04:13 . 2012-03-14 12:13 24576 ----a-w- c:\windows\system32\drivers\tdtcp.sys
2012-02-15 16:01 . 2012-02-15 16:01 4547944 ----a-w- c:\windows\system32\usbaaplrc.dll
2012-02-15 16:01 . 2012-02-15 16:01 43520 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2012-02-15 09:02 . 2012-02-15 09:02 86528 ----a-w- c:\windows\system32\iesysprep.dll
2012-02-15 09:02 . 2012-02-15 09:02 76800 ----a-w- c:\windows\system32\SetIEInstalledDate.exe
2012-02-15 09:02 . 2012-02-15 09:02 74752 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe
2012-02-15 09:02 . 2012-02-15 09:02 48640 ----a-w- c:\windows\system32\mshtmler.dll
2012-02-15 09:02 . 2012-02-15 09:02 161792 ----a-w- c:\windows\system32\msls31.dll
2012-02-15 09:02 . 2012-02-15 09:02 110592 ----a-w- c:\windows\system32\IEAdvpack.dll
2012-02-15 09:02 . 2012-02-15 09:02 74752 ----a-w- c:\windows\system32\iesetup.dll
2012-02-15 09:02 . 2012-02-15 09:02 63488 ----a-w- c:\windows\system32\tdc.ocx
2012-02-15 09:02 . 2012-02-15 09:02 367104 ----a-w- c:\windows\system32\html.iec
2012-02-15 09:02 . 2012-02-15 09:02 23552 ----a-w- c:\windows\system32\licmgr10.dll
2012-02-15 09:02 . 2012-02-15 09:02 152064 ----a-w- c:\windows\system32\wextract.exe
2012-02-15 09:02 . 2012-02-15 09:02 420864 ----a-w- c:\windows\system32\vbscript.dll
2012-02-15 09:02 . 2012-02-15 09:02 35840 ----a-w- c:\windows\system32\imgutil.dll
2012-02-15 09:02 . 2012-02-15 09:02 150528 ----a-w- c:\windows\system32\iexpress.exe
2012-02-15 09:02 . 2012-02-15 09:02 142848 ----a-w- c:\windows\system32\ieUnatt.exe
2012-02-15 09:02 . 2012-02-15 09:02 11776 ----a-w- c:\windows\system32\mshta.exe
2012-02-15 09:02 . 2012-02-15 09:02 101888 ----a-w- c:\windows\system32\admparse.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1174016]
"MobileDocuments"="c:\program files\Common Files\Apple\Internet Services\ubd.exe" [2012-02-23 59240]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-09-12 7739936]
"DBRMTray"="c:\dell\DBRM\Reminder\DbrmTrayIcon.exe" [2010-05-20 206336]
"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2009-07-07 647216]
"nmapp"="c:\program files\Pure Networks\Network Magic\nmapp.exe" [2009-07-08 472112]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2010-07-21 1778064]
"Sophos AutoUpdate Monitor"="c:\program files\Sophos\AutoUpdate\almon.exe" [2010-09-30 439536]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-02-12 137752]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-02-12 171032]
"Persistence"="c:\windows\system32\igfxpers.exe" [2011-02-12 172568]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2011-04-13 1808784]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
"LFS-SnapShot"="c:\program files\LifeScan\OneTouchDMSPro\Bin\SnapShot.exe" [2010-09-16 6635571]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-01-04 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-03-27 421736]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"DBRMTray"="c:\dell\DBRM\Reminder\TrayApp.exe" [2010-02-04 7168]
.
c:\users\Mom and Dad\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"EnableLinkedConnections"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2011-07-27 23:17 13672 ----a-w- c:\program files\Citrix\GoToAssist\615\g2awinlogon.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Sophos\SOPHOS~1\sophos_detoured.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SophosAntiVirus]
"DisableMonitoring"=dword:00000001
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-05 257696]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4640000]
R3 sdcfilter;sdcfilter;c:\windows\system32\DRIVERS\sdcfilter.sys [2011-07-02 23928]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-12-23 1343400]
R4 SophosBootDriver;SophosBootDriver;c:\windows\system32\DRIVERS\SophosBootDriver.sys [2011-07-02 22536]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 51040]
S1 SAVOnAccess;SAVOnAccess;c:\windows\system32\DRIVERS\savonaccess.sys [2011-07-02 122360]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 AERTFilters;Andrea RT Filters Service;c:\program files\Realtek\Audio\HDA\AERTSrv.exe [2009-03-31 81920]
S2 BPowMon;Broadcom Power monitoring service;c:\program files\Broadcom\BPowMon\BPowMon.exe [2009-08-17 79168]
S2 cvhsvc;Client Virtualization Handler;c:\program files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2012-01-04 822624]
S2 SAVAdminService;Sophos Anti-Virus status reporter;c:\program files\Sophos\Sophos Anti-Virus\SAVAdminService.exe [2011-07-02 163056]
S2 SAVService;Sophos Anti-Virus;c:\program files\Sophos\Sophos Anti-Virus\SavService.exe [2011-07-02 97520]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S2 sftlist;Application Virtualization Client;c:\program files\Microsoft Application Virtualization Client\sftlist.exe [2011-10-01 508776]
S2 swi_service;Sophos Web Intelligence Service;c:\program files\Sophos\Sophos Anti-Virus\Web Intelligence\swi_service.exe [2012-04-08 1543704]
S3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\DRIVERS\dc3d.sys [2011-04-12 45464]
S3 k57nd60x;Broadcom NetLink (TM) Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60x.sys [2009-08-21 273960]
S3 netr28u;Linksys USB Wireless LAN Card Driver for Vista;c:\windows\system32\DRIVERS\netr28u.sys [2010-12-26 841504]
S3 PCDSRVC{E9D79540-57D5953E-06020101}_0;PCDSRVC{E9D79540-57D5953E-06020101}_0 - PCDR Kernel Mode Service Helper Driver;c:\program files\dell support center\pcdsrvc.pkms [2010-07-30 21744]
S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys [2011-10-01 579944]
S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys [2011-10-01 194408]
S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys [2011-10-01 21864]
S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys [2011-10-01 19304]
S3 sftvsa;Application Virtualization Service Agent;c:\program files\Microsoft Application Virtualization Client\sftvsa.exe [2011-10-01 219496]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-13 14336]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-05-11 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-08 22:43]
.
2012-05-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4155596158-2073292560-1801079123-1000Core.job
- c:\users\Mom and Dad\AppData\Local\Google\Update\GoogleUpdate.exe [2010-12-24 18:40]
.
2012-05-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4155596158-2073292560-1801079123-1000UA.job
- c:\users\Mom and Dad\AppData\Local\Google\Update\GoogleUpdate.exe [2010-12-24 18:40]
.
2012-05-06 c:\windows\Tasks\Nightly 2AM.job
- c:\program files\Sophos\Sophos Anti-Virus\BackgroundScanClient.exe [2011-07-02 20:28]
.
2012-04-12 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
- c:\program files\Dell Support Center\uaclauncher.exe [2010-08-05 23:47]
.
2012-05-11 c:\windows\Tasks\SystemToolsDailyTest.job
- c:\program files\Dell Support Center\pcdrcui.exe [2010-08-05 23:47]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
LSP: c:\programdata\Sophos Web Intelligence\swi_lsp.dll
TCP: DhcpNameServer = 192.168.0.1
FF - ProfilePath - c:\users\Mom and Dad\AppData\Roaming\Mozilla\Firefox\Profiles\7pnbjaan.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
HKCU-Run-MFADTSHandler - c:\users\Mom and Dad\AppData\Local\MF\MFADTSHandler.dll
HKCU-Run-Ufzeufpafo - c:\users\Mom and Dad\AppData\Roaming\Buluas\ynas.exe
HKCU-Run-dplaysvr - c:\users\Mom and Dad\AppData\Local\dplaysvr.exe
MSConfigStartUp-OfficeScanNT Monitor - c:\program files\Trend Micro\Client Server Security Agent\pccntmon.exe
AddRemove-LFSVCOMM&10C4&85A7 - c:\program files\Silabs\MCU\CP210x\DriverUninstaller.exe VCP CP210x Cardinal\LFSVCOMM&10C4&85A7
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Sophos Message Router]
"ImagePath"="\"c:\program files\Sophos\Remote Management System\RouterNT.exe\" -service -name Router -ORBListenEndpoints iiop://:8193/ssl_port=8194"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PCDSRVC{E9D79540-57D5953E-06020101}_0]
"ImagePath"="\??\c:\program files\dell support center\pcdsrvc.pkms"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-05-10 22:13:05
ComboFix-quarantined-files.txt 2012-05-11 03:13
.
Pre-Run: 424,232,325,120 bytes free
Post-Run: 424,761,094,144 bytes free
.
- - End Of File - - 2D1B40383F55E0C1BB04FA9AA908D149
shelf life
2012-05-11, 22:44
OK, you're back. We will do two things. First, you can download, install and run Malwarebytes and post its log. Last, post a new DDS log, since it's been a while.
Please download the free version of Malwarebytes (http://www.malwarebytes.org/products/malwarebytes_free) to your desktop.
Double-click mbam-setup.exe and follow the prompts to install the program.
Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform FULL SCAN, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything listed is checked, and then click *Remove Selected.*
*A restart of your computer may be required to remove some items. If prompted please restart your computer to complete the fix.*
When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
Post the log in your reply.
Rescan and post a new DDS log after you run Malwarebytes.
plooploo
2012-05-12, 01:17
Thanks for your help. Malwarebytes log followed by new DDS log:
----------------
Malwarebytes Anti-Malware (Trial) 1.61.0.1400
www.malwarebytes.org
Database version: v2012.05.11.08
Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 9.0.8112.16421
Mom and Dad :: MOMANDDAD-PC [administrator]
Protection: Enabled
5/11/2012 4:17:38 PM
mbam-log-2012-05-11 (16-17-38).txt
Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 324818
Time elapsed: 43 minute(s), 39 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 3
C:\Users\Mom and Dad\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\33\611df761-11822790 (Trojan.FakeMS) -> Quarantined and deleted successfully.
C:\Users\Mom and Dad\Desktop\Old Comp My Documents\Downloads\WinRAR.v3.70.Incl.Keymaker.And.Patch-CORE_CRP\CORE10k.EXE (Dont.Steal.Our.Software) -> Quarantined and deleted successfully.
C:\ProgramData\Sophos\Sophos Anti-Virus\INFECTED\~!#FAD9.tmp.000 (Trojan.Zbot) -> Quarantined and deleted successfully.
(end)
--------------------DDS run after Malwarebytes-------------
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_26
Run by Mom and Dad at 17:12:55 on 2012-05-11
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3037.1783 [GMT -5:00]
.
AV: Sophos Anti-Virus *Enabled/Outdated* {479CCF92-4960-B3E0-7373-BF453B467D2C}
SP: Sophos Anti-Virus *Enabled/Outdated* {FCFD2E76-6F5A-BC6E-49C3-843740C13791}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskhost.exe
C:\Windows\System32\svchost.exe -k NetworkService
C:\Program Files\Realtek\Audio\HDA\AERTSrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Broadcom\BPowMon\BPowMon.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\Program Files\Microsoft Application Virtualization Client\sftvsa.exe
C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\Program Files\Sophos\Remote Management System\RouterNT.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Sophos\Sophos Anti-Virus\Web Intelligence\swi_service.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files\Microsoft Application Virtualization Client\sftlist.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\WUDFHost.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\dell\DBRM\Reminder\DbrmTrayicon.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\Pure Networks\Network Magic\nmapp.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\LifeScan\OneTouchDMSPro\Bin\SnapShot.exe
C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Common Files\Apple\Internet Services\ubd.exe
C:\Program Files\Common Files\Apple\Apple Application Support\distnoted.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\system32\DllHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\sppsvc.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\conhost.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: TmIEPlugInBHO Class: {1ca1377b-dc1d-4a52-9585-6e06050fac53} - c:\program files\trend micro\client server security agent\bho\1009\TmIEPlg.dll
BHO: Sophos Web Content Scanner: {39ea7695-b3f2-4c44-a4bc-297ada8fd235} - c:\program files\sophos\sophos anti-virus\SophosBHO.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Windows Live Messenger Companion Helper: {9fdde16b-836f-4806-ab1f-1455cbeff289} - c:\program files\windows live\companion\companioncore.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [MobileDocuments] c:\program files\common files\apple\internet services\ubd.exe
uRun: [Ufzeufpafo] "c:\users\mom and dad\appdata\roaming\buluas\ynas.exe"
mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe -s
mRun: [DBRMTray] c:\dell\dbrm\reminder\DbrmTrayIcon.exe
mRun: [nmctxth] "c:\program files\common files\pure networks shared\platform\nmctxth.exe"
mRun: [nmapp] "c:\program files\pure networks\network magic\nmapp.exe" -autorun -nosplash
mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
mRun: [Sophos AutoUpdate Monitor] c:\program files\sophos\autoupdate\almon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [LFS-SnapShot] c:\program files\lifescan\onetouchdmspro\bin\SnapShot.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRunOnce: [DBRMTray] c:\dell\dbrm\reminder\TrayApp.exe
StartupFolder: c:\users\momand~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: EnableLinkedConnections = 1 (0x1)
IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - c:\program files\windows live\companion\companioncore.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: c:\programdata\sophos web intelligence\swi_lsp.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://utswra.swmed.edu/dana-cached/sc/JuniperSetupClient.cab
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{214D11F4-7E50-41CD-9503-3907EC4F40AA} : DhcpNameServer = 68.94.156.1 151.164.8.201
TCP: Interfaces\{460FCA68-077C-4CA1-B7FB-A8FDBD8E5A0C} : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{823D521D-5484-41F1-8A1D-DEC6D3DFD6D9} : DhcpNameServer = 68.94.156.1 151.164.8.201
TCP: Interfaces\{9736988B-7442-414B-A74F-E9452DED24CA} : DhcpNameServer = 192.168.1.254
TCP: Interfaces\{9A4C7A79-523F-4C81-94D1-12B9D2B624BE} : DhcpNameServer = 192.168.0.1
TCP: Interfaces\{BF61424D-8977-4C7A-BCB3-81FC26A7ED74} : DhcpNameServer = 192.168.0.1
TCP: Interfaces\{CB7A7CD2-4993-48B4-A06A-3B1A2B4FF34C} : DhcpNameServer = 192.168.1.254
TCP: Interfaces\{D9A85ECF-4E08-49E6-B123-548B11110C6D} : DhcpNameServer = 68.94.156.1 151.164.8.201
TCP: Interfaces\{D9A85ECF-4E08-49E6-B123-548B11110C6D}\97F6378696 : DhcpNameServer = 192.168.2.1 68.94.156.1 151.164.8.201
Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\platform\puresp4.dll
Handler: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} - c:\program files\trend micro\client server security agent\bho\1009\TmIEPlg.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\615\G2AWinLogon.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\progra~1\sophos\sophos~1\sophos_detoured.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\mom and dad\appdata\roaming\mozilla\firefox\profiles\7pnbjaan.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
.
============= SERVICES / DRIVERS ===============
.
R1 SAVOnAccess;SAVOnAccess;c:\windows\system32\drivers\savonaccess.sys [2011-7-2 122360]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]
R2 AERTFilters;Andrea RT Filters Service;c:\program files\realtek\audio\hda\AERTSrv.exe [2010-12-14 81920]
R2 BPowMon;Broadcom Power monitoring service;c:\program files\broadcom\bpowmon\BPowMon.exe [2009-8-17 79168]
R2 cvhsvc;Client Virtualization Handler;c:\program files\common files\microsoft shared\virtualization handler\CVHSVC.EXE [2012-1-4 822624]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-5-11 654408]
R2 SAVAdminService;Sophos Anti-Virus status reporter;c:\program files\sophos\sophos anti-virus\SAVAdminService.exe [2011-7-2 163056]
R2 SAVService;Sophos Anti-Virus;c:\program files\sophos\sophos anti-virus\SavService.exe [2011-7-2 97520]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2010-12-22 1153368]
R2 sftlist;Application Virtualization Client;c:\program files\microsoft application virtualization client\sftlist.exe [2011-10-1 508776]
R2 Sophos Agent;Sophos Agent;c:\program files\sophos\remote management system\ManagementAgentNT.exe [2011-7-2 282624]
R2 Sophos AutoUpdate Service;Sophos AutoUpdate Service;c:\program files\sophos\autoupdate\ALsvc.exe [2010-9-30 230640]
R2 Sophos Message Router;Sophos Message Router;c:\program files\sophos\remote management system\RouterNT.exe [2011-7-2 806912]
R2 swi_service;Sophos Web Intelligence Service;c:\program files\sophos\sophos anti-virus\web intelligence\swi_service.exe [2012-4-8 1543704]
R3 k57nd60x;Broadcom NetLink (TM) Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\k57nd60x.sys [2010-12-14 273960]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-5-11 22344]
R3 netr28u;Linksys USB Wireless LAN Card Driver for Vista;c:\windows\system32\drivers\netr28u.sys [2010-1-15 841504]
R3 Sftfs;Sftfs;c:\windows\system32\drivers\Sftfslh.sys [2011-10-1 579944]
R3 Sftplay;Sftplay;c:\windows\system32\drivers\Sftplaylh.sys [2011-10-1 194408]
R3 Sftredir;Sftredir;c:\windows\system32\drivers\Sftredirlh.sys [2011-10-1 21864]
R3 Sftvol;Sftvol;c:\windows\system32\drivers\Sftvollh.sys [2011-10-1 19304]
R3 sftvsa;Application Virtualization Service Agent;c:\program files\microsoft application virtualization client\sftvsa.exe [2011-10-1 219496]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\drivers\vwifimp.sys [2009-7-13 14336]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-8 257696]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
S3 PCDSRVC{E9D79540-57D5953E-06020101}_0;PCDSRVC{E9D79540-57D5953E-06020101}_0 - PCDR Kernel Mode Service Helper Driver;c:\program files\dell support center\pcdsrvc.pkms [2010-7-30 21744]
S3 sdcfilter;sdcfilter;c:\windows\system32\drivers\sdcfilter.sys [2011-7-2 23928]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-3-13 52224]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-12-22 1343400]
S4 SophosBootDriver;SophosBootDriver;c:\windows\system32\drivers\SophosBootDriver.sys [2011-7-2 22536]
S4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\windows live\mesh\wlcrasvc.exe [2010-9-22 51040]
.
=============== Created Last 30 ================
.
2012-05-11 21:16:27 -------- d-----w- c:\users\mom and dad\appdata\roaming\Malwarebytes
2012-05-11 21:15:55 -------- d-----w- c:\programdata\Malwarebytes
2012-05-11 21:15:54 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-05-11 21:15:54 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-05-11 13:35:12 1291632 ----a-w- c:\windows\system32\drivers\tcpip.sys
2012-05-11 13:35:11 936960 ----a-w- c:\program files\common files\microsoft shared\ink\journal.dll
2012-05-11 13:35:10 989184 ----a-w- c:\program files\windows journal\JNTFiltr.dll
2012-05-11 13:35:10 969216 ----a-w- c:\program files\windows journal\JNWDRV.dll
2012-05-11 13:35:10 1221632 ----a-w- c:\program files\windows journal\NBDoc.DLL
2012-05-11 13:35:06 3968368 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-05-11 13:35:06 3913072 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-05-11 13:35:06 2343424 ----a-w- c:\windows\system32\win32k.sys
2012-05-11 13:34:47 56176 ----a-w- c:\windows\system32\drivers\partmgr.sys
2012-05-11 13:34:46 1077248 ----a-w- c:\windows\system32\DWrite.dll
2012-05-11 03:13:13 -------- d-sh--w- C:\$RECYCLE.BIN
2012-05-11 03:13:11 -------- d-----w- c:\users\mom and dad\appdata\local\temp
2012-05-11 02:55:12 256000 ----a-w- c:\windows\PEV.exe
2012-05-11 02:55:12 208896 ----a-w- c:\windows\MBR.exe
2012-05-11 02:55:11 98816 ----a-w- c:\windows\sed.exe
2012-05-11 02:55:11 518144 ----a-w- c:\windows\SWREG.exe
2012-05-05 12:10:11 6734704 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{3dc24d6f-5ce4-4c5b-8109-555fa67192c7}\mpengine.dll
2012-04-22 13:59:15 -------- d-----w- c:\users\mom and dad\appdata\local\{538CACED-8C83-11E1-826D-B8AC6F996F26}
2012-04-22 13:59:15 -------- d-----w- c:\users\mom and dad\appdata\local\{538C6839-8C83-11E1-826D-B8AC6F996F26}
2012-04-22 13:58:30 -------- d-----w- c:\users\mom and dad\appdata\roaming\Fine
2012-04-22 13:58:30 -------- d-----w- c:\users\mom and dad\appdata\roaming\Domii
2012-04-22 13:58:28 -------- d-----w- c:\users\mom and dad\appdata\local\MF
2012-04-12 08:01:30 5120 ----a-w- c:\windows\system32\wmi.dll
2012-04-12 08:01:30 19824 ----a-w- c:\windows\system32\drivers\fs_rec.sys
2012-04-12 08:01:30 172544 ----a-w- c:\windows\system32\wintrust.dll
2012-04-12 08:01:30 159232 ----a-w- c:\windows\system32\imagehlp.dll
.
==================== Find3M ====================
.
2012-05-05 22:43:23 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-05-05 22:43:23 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-02-28 01:18:55 1799168 ----a-w- c:\windows\system32\jscript9.dll
2012-02-28 01:11:21 1427456 ----a-w- c:\windows\system32\inetcpl.cpl
2012-02-28 01:11:07 1127424 ----a-w- c:\windows\system32\wininet.dll
2012-02-28 01:03:16 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-02-23 15:18:36 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-02-17 05:34:22 826880 ----a-w- c:\windows\system32\rdpcore.dll
2012-02-17 04:14:08 183808 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-02-17 04:13:22 24576 ----a-w- c:\windows\system32\drivers\tdtcp.sys
2012-02-15 16:01:50 4547944 ----a-w- c:\windows\system32\usbaaplrc.dll
2012-02-15 16:01:50 43520 ----a-w- c:\windows\system32\drivers\usbaapl.sys
.
============= FINISH: 17:14:03.85 ===============
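The two logs in this post and the ComboFix log before it carry the page's actual security point: the Zbot-style persistence was an HKCU Run value (Ufzeufpafo) pointing at a randomly named executable under AppData\Roaming, plus two further orphaned Run values under AppData\Local that ComboFix reported. The script below is an added example for this thread, not part of DDS, ComboFix or the original posts. It parses DDS "uRun:/mRun:" lines and ComboFix "HKCU-Run-" orphan lines and flags Run entries whose image lives under a user-writable profile directory or whose file is gone. The sample lines are copied from the logs above; the optional existing_files set is an assumed input the analyst would build from a directory listing.

```python
"""Triage autorun entries from DDS ('Pseudo HJT Report') and ComboFix
('ORPHANS REMOVED') output.

Added example for this thread; it is not part of DDS, ComboFix or the
original posts. It flags Run entries whose image lives under a user
profile's AppData tree (where the Ufzeufpafo/ynas.exe entry in the logs
lives) and orphaned Run values that ComboFix reported as pointing at a
file that no longer exists. A flag means "review this", not "malicious":
some legitimate updaters also run from AppData\Local.
"""
import re
from dataclasses import dataclass, field

# DDS lines: "uRun: [Name] command"  (u = HKCU, m = HKLM, RunOnce variants too)
DDS_RUN_RE = re.compile(r'^(?P<hive>[um])Run(?:Once)?:\s*\[(?P<name>[^\]]+)\]\s*(?P<cmd>.+)$')
# ComboFix orphan lines: "HKCU-Run-Name - command"
CF_ORPHAN_RE = re.compile(r'^(?P<hive>HKCU|HKLM)-Run-(?P<name>\S+)\s+-\s+(?P<cmd>.+)$')
# First token of an unquoted command, up to a known executable extension
EXT_RE = re.compile(r'^(?P<path>.*?\.(?:exe|dll|scr|com|bat|cmd|vbs|js))(?:\s|$)', re.IGNORECASE)

# Path fragments (lower-case, backslash form) that ordinary installers do
# not use for Run persistence; compared as substrings of the image path.
USER_WRITABLE = ('\\appdata\\roaming\\', '\\appdata\\local\\', '\\temp\\')


def image_path(cmd: str) -> str:
    """Extract the executable path from a Run command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = EXT_RE.match(cmd)
    return m.group('path') if m else cmd.split()[0]


@dataclass
class Finding:
    hive: str
    name: str
    path: str
    reasons: list = field(default_factory=list)


def triage(lines, existing_files=None):
    """Return Findings for suspicious Run entries.

    existing_files: optional set of lower-case paths known to exist on the
    machine (e.g. from a directory listing); when given, non-orphan entries
    whose image is absent are also flagged. None disables that check.
    """
    findings = []
    for raw in lines:
        line = raw.strip()
        orphan = False
        m = DDS_RUN_RE.match(line)
        if not m:
            m = CF_ORPHAN_RE.match(line)
            orphan = m is not None
        if not m:
            continue
        hive = {'u': 'HKCU', 'm': 'HKLM'}.get(m.group('hive'), m.group('hive'))
        path = image_path(m.group('cmd'))
        low = path.lower().replace('/', '\\')
        reasons = []
        if any(frag in low for frag in USER_WRITABLE):
            reasons.append('image under a user-writable profile directory')
        if orphan:
            reasons.append('orphaned Run value (registry value whose file is gone)')
        elif existing_files is not None and low not in existing_files:
            reasons.append('image file not present in the supplied file list')
        if reasons:
            findings.append(Finding(hive, m.group('name'), path, reasons))
    return findings


# Constructed sample: lines copied from the DDS and ComboFix logs in this thread.
SAMPLE_LINES = [
    r'uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun',
    r'uRun: [Ufzeufpafo] "c:\users\mom and dad\appdata\roaming\buluas\ynas.exe"',
    r'mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"',
    r'''mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray''',
    r'HKCU-Run-MFADTSHandler - c:\users\Mom and Dad\AppData\Local\MF\MFADTSHandler.dll',
    r'HKCU-Run-Ufzeufpafo - c:\users\Mom and Dad\AppData\Roaming\Buluas\ynas.exe',
    r'HKCU-Run-dplaysvr - c:\users\Mom and Dad\AppData\Local\dplaysvr.exe',
]

if __name__ == '__main__':
    for f in triage(SAMPLE_LINES):
        print(f'{f.hive}\\Run\\{f.name}: {f.path}')
        for r in f.reasons:
            print(f'    - {r}')
```

Run against the sample, the script reports four entries: the live Ufzeufpafo value from the DDS report and the three orphans from ComboFix. Note that the DDS log posted after ComboFix still lists the Ufzeufpafo value, which is exactly the kind of discrepancy this check is meant to surface for a second look.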
shelf life
2012-05-12, 04:13
Looks like ComboFix removed the malware. You can keep Malwarebytes as an antimalware app. Note that the free version must be updated manually and scans started manually.
You can remove ComboFix by clicking on the Start button and entering the following in the search field: combofix /uninstall
Note the space after the x and before the /.
Then press Enter. ComboFix will uninstall.
You see this item: WinRAR.v3.70.Incl.Keymaker.And.Patch
This type of software, modified to disable features, is very popular for carrying all kinds of malware payloads.
We will get one more download to use, then we can call it quits.
Please download TDSS Killer.exe (http://support.kaspersky.com/downloads/utils/tdsskiller.exe) and save it to your desktop
Double click to launch the utility. After it initializes click the start scan button.
Once the scan completes you can click the continue button.
"The utility will automatically select an action (Cure or Delete) for known malicious objects. A suspicious object will be skipped by default."
"After clicking Next, the utility applies selected actions and outputs the result."
"A reboot might be required after disinfection."
A report will be found on your root drive, Local Disk (C:), as: TDSSKiller.2.7.9.0_05.02.2012_17.32.21_log (name, version number, date, time)
Please post the log report.
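The TDSSKiller log requested above lists every service and driver with its MD5 and image path, then a verdict line ("<name> - ok" when clean). Reading a few hundred such lines by eye is error-prone, so here is an added example for this thread (not part of TDSSKiller or the original posts) that pairs each object with its verdict and reports anything that is not "ok", has no verdict, or whose MD5 differs from an analyst-supplied known-good table. Assumptions: parsing starts at the "Scan started" line so that header lines such as the drive geometry, which also contain " - ", are not mistaken for verdicts, and stops at a "Scan finished" line (assumed to close a complete log; the excerpt in this thread is cut off before it). The sample entries are copied from the log in the next post; the final non-ok object and its verdict text are constructed for illustration, not a real TDSSKiller verdict string.

```python
"""Triage a TDSSKiller text log.

Added example for this thread; it is not part of TDSSKiller or the original
posts. TDSSKiller lists each service/driver as
"<time> <pid> <name> (<md5>) <path>" followed by a verdict line
"<time> <pid> <name> - ok" for clean objects. This script pairs the two,
reports every object whose verdict is not "ok" (or that has no verdict at
all), and optionally checks each MD5 against an analyst-supplied
known-good table.
"""
import re

TS = r'^\d{2}:\d{2}:\d{2}\.\d{4}\s+\d+\s+'
ENTRY_RE = re.compile(TS + r'(?P<name>.+?)\s+\((?P<md5>[0-9a-f]{32})\)\s+(?P<path>.+)$')
STATUS_RE = re.compile(TS + r'(?P<name>.+?)\s+-\s+(?P<status>.+)$')


def parse(lines):
    """Return {name: {'md5', 'path', 'status'}} for scanned objects.

    Only lines between 'Scan started' and 'Scan finished' are considered
    (the latter is assumed to close a complete log).
    """
    objects = {}
    in_scan = False
    for raw in lines:
        line = raw.rstrip('\r\n')
        if 'Scan started' in line:
            in_scan = True
            continue
        if 'Scan finished' in line:
            break
        if not in_scan:
            continue
        m = ENTRY_RE.match(line)
        if m:
            objects[m.group('name')] = {'md5': m.group('md5'), 'path': m.group('path'), 'status': None}
            continue
        m = STATUS_RE.match(line)
        if m:  # verdict line; 'catchme - ok' style lines have no entry line
            obj = objects.setdefault(m.group('name'), {'md5': None, 'path': None, 'status': None})
            obj['status'] = m.group('status')
    return objects


def triage(lines, known_good=None):
    """Return (name, path, reason) tuples worth a second look.

    known_good: optional {lower-case path: md5} built from a trusted copy of
    the same Windows build; a differing hash on a known path is reported.
    """
    findings = []
    for name, obj in parse(lines).items():
        if obj['status'] is None:
            findings.append((name, obj['path'], 'no verdict line (scan incomplete?)'))
        elif obj['status'] != 'ok':
            findings.append((name, obj['path'], 'verdict: ' + obj['status']))
        if known_good and obj['path']:
            expected = known_good.get(obj['path'].lower())
            if expected and expected != obj['md5']:
                findings.append((name, obj['path'], 'md5 %s differs from known-good %s' % (obj['md5'], expected)))
    return findings


# Constructed sample: header and first entries copied from the log in this
# thread, plus one made-up non-ok object; its verdict text is illustrative,
# not a real TDSSKiller verdict string.
SAMPLE_LOG = [
    r'14:23:43.0492 4736 Drive \Device\Harddisk0\DR0 - Size: 0x7470C06000 (465.76 Gb), SectorSize: 0x200',
    '14:23:43.0524 4736 Initialize success',
    '14:23:47.0814 4888 Scan started',
    '14:23:47.0814 4888 Mode: Manual;',
    r'14:23:48.0422 4888 1394ohci (1b133875b8aa8ac48969bd3458afe9f5) C:\Windows\system32\drivers\1394ohci.sys',
    '14:23:48.0422 4888 1394ohci - ok',
    r'14:23:48.0453 4888 ACPI (cea80c80bed809aa0da6febc04733349) C:\Windows\system32\drivers\ACPI.sys',
    '14:23:48.0453 4888 ACPI - ok',
    r'14:23:49.0046 4888 Apple Mobile Device (7ef47644b74ebe721cc32211d3c35e76) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe',
    '14:23:49.0046 4888 Apple Mobile Device - ok',
    '14:23:49.0826 4888 catchme - ok',
    r'14:23:50.0200 4888 examplesvc (00112233445566778899aabbccddeeff) C:\Windows\system32\drivers\examplesvc.sys',
    '14:23:50.0200 4888 examplesvc - suspicious (constructed verdict for illustration)',
]

if __name__ == '__main__':
    for name, path, reason in triage(SAMPLE_LOG):
        print(f'{name}: {path} -> {reason}')
```

The known-good table is the part worth building once and reusing: hashes of the stock drivers from a clean install of the same Windows build let you catch a patched system driver even when the scanner's own verdict is "ok".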
plooploo
2012-05-13, 22:28
Thank you so much for your help. Here is the TDSSKiller log. I uninstalled ComboFix. What is the best protocol for running Malwarebytes: does it actively reside in memory, or does it need to be updated and run manually every time by the user?
Should I re-enable the Spybot resident now?
Finally, what antivirus/antimalware software do you personally recommend? There is Sophos running on this computer, but I would be willing to update all our machines with better software. This is my parents' computer, so I am not sure how that risky piece of software made it on here, but I will teach them to be more vigilant. Thank you.
14:23:42.0259 4736 TDSS rootkit removing tool 2.7.34.0 May 2 2012 09:59:18
14:23:42.0774 4736 ============================================================
14:23:42.0774 4736 Current date / time: 2012/05/13 14:23:42.0774
14:23:42.0774 4736 SystemInfo:
14:23:42.0774 4736
14:23:42.0774 4736 OS Version: 6.1.7601 ServicePack: 1.0
14:23:42.0774 4736 Product type: Workstation
14:23:42.0774 4736 ComputerName: MOMANDDAD-PC
14:23:42.0774 4736 UserName: Mom and Dad
14:23:42.0774 4736 Windows directory: C:\Windows
14:23:42.0774 4736 System windows directory: C:\Windows
14:23:42.0774 4736 Processor architecture: Intel x86
14:23:42.0774 4736 Number of processors: 2
14:23:42.0774 4736 Page size: 0x1000
14:23:42.0774 4736 Boot type: Normal boot
14:23:42.0774 4736 ============================================================
14:23:43.0492 4736 Drive \Device\Harddisk0\DR0 - Size: 0x7470C06000 (465.76 Gb), SectorSize: 0x200, Cylinders: 0xED81, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000050
14:23:43.0492 4736 ============================================================
14:23:43.0492 4736 \Device\Harddisk0\DR0:
14:23:43.0492 4736 MBR partitions:
14:23:43.0492 4736 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x14000, BlocksNum 0x164D000
14:23:43.0492 4736 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x1661000, BlocksNum 0x38D24800
14:23:43.0492 4736 ============================================================
14:23:43.0524 4736 C: <-> \Device\Harddisk0\DR0\Partition1
14:23:43.0524 4736 ============================================================
14:23:43.0524 4736 Initialize success
14:23:43.0524 4736 ============================================================
14:23:47.0814 4888 ============================================================
14:23:47.0814 4888 Scan started
14:23:47.0814 4888 Mode: Manual;
14:23:47.0814 4888 ============================================================
14:23:48.0422 4888 1394ohci (1b133875b8aa8ac48969bd3458afe9f5) C:\Windows\system32\drivers\1394ohci.sys
14:23:48.0422 4888 1394ohci - ok
14:23:48.0453 4888 ACPI (cea80c80bed809aa0da6febc04733349) C:\Windows\system32\drivers\ACPI.sys
14:23:48.0453 4888 ACPI - ok
14:23:48.0453 4888 AcpiPmi (1efbc664abff416d1d07db115dcb264f) C:\Windows\system32\drivers\acpipmi.sys
14:23:48.0469 4888 AcpiPmi - ok
14:23:48.0516 4888 AdobeFlashPlayerUpdateSvc (76d5a3d2a50402a0b9b6ed13c4371e79) C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
14:23:48.0516 4888 AdobeFlashPlayerUpdateSvc - ok
14:23:48.0547 4888 adp94xx (21e785ebd7dc90a06391141aac7892fb) C:\Windows\system32\DRIVERS\adp94xx.sys
14:23:48.0547 4888 adp94xx - ok
14:23:48.0562 4888 adpahci (0c676bc278d5b59ff5abd57bbe9123f2) C:\Windows\system32\DRIVERS\adpahci.sys
14:23:48.0562 4888 adpahci - ok
14:23:48.0562 4888 adpu320 (7c7b5ee4b7b822ec85321fe23a27db33) C:\Windows\system32\DRIVERS\adpu320.sys
14:23:48.0562 4888 adpu320 - ok
14:23:48.0594 4888 AeLookupSvc (8b5eefeec1e6d1a72a06c526628ad161) C:\Windows\System32\aelupsvc.dll
14:23:48.0594 4888 AeLookupSvc - ok
14:23:48.0625 4888 AERTFilters (7a841462ad4749f8a07b27ae8e8947b8) C:\Program Files\Realtek\Audio\HDA\AERTSrv.exe
14:23:48.0640 4888 AERTFilters - ok
14:23:48.0687 4888 AFD (9ebbba55060f786f0fcaa3893bfa2806) C:\Windows\system32\drivers\afd.sys
14:23:48.0687 4888 AFD - ok
14:23:48.0703 4888 agp440 (507812c3054c21cef746b6ee3d04dd6e) C:\Windows\system32\drivers\agp440.sys
14:23:48.0703 4888 agp440 - ok
14:23:48.0734 4888 aic78xx (8b30250d573a8f6b4bd23195160d8707) C:\Windows\system32\DRIVERS\djsvs.sys
14:23:48.0734 4888 aic78xx - ok
14:23:48.0750 4888 ALG (18a54e132947cd98fea9accc57f98f13) C:\Windows\System32\alg.exe
14:23:48.0750 4888 ALG - ok
14:23:48.0765 4888 aliide (0d40bcf52ea90fc7df2aeab6503dea44) C:\Windows\system32\drivers\aliide.sys
14:23:48.0765 4888 aliide - ok
14:23:48.0781 4888 amdagp (3c6600a0696e90a463771c7422e23ab5) C:\Windows\system32\drivers\amdagp.sys
14:23:48.0796 4888 amdagp - ok
14:23:48.0796 4888 amdide (cd5914170297126b6266860198d1d4f0) C:\Windows\system32\drivers\amdide.sys
14:23:48.0796 4888 amdide - ok
14:23:48.0812 4888 AmdK8 (00dda200d71bac534bf56a9db5dfd666) C:\Windows\system32\DRIVERS\amdk8.sys
14:23:48.0812 4888 AmdK8 - ok
14:23:48.0828 4888 AmdPPM (3cbf30f5370fda40dd3e87df38ea53b6) C:\Windows\system32\DRIVERS\amdppm.sys
14:23:48.0828 4888 AmdPPM - ok
14:23:48.0843 4888 amdsata (d320bf87125326f996d4904fe24300fc) C:\Windows\system32\drivers\amdsata.sys
14:23:48.0843 4888 amdsata - ok
14:23:48.0859 4888 amdsbs (ea43af0c423ff267355f74e7a53bdaba) C:\Windows\system32\DRIVERS\amdsbs.sys
14:23:48.0859 4888 amdsbs - ok
14:23:48.0874 4888 amdxata (46387fb17b086d16dea267d5be23a2f2) C:\Windows\system32\drivers\amdxata.sys
14:23:48.0874 4888 amdxata - ok
14:23:48.0906 4888 AppID (aea177f783e20150ace5383ee368da19) C:\Windows\system32\drivers\appid.sys
14:23:48.0906 4888 AppID - ok
14:23:48.0921 4888 AppIDSvc (62a9c86cb6085e20db4823e4e97826f5) C:\Windows\System32\appidsvc.dll
14:23:48.0921 4888 AppIDSvc - ok
14:23:48.0952 4888 Appinfo (fb1959012294d6ad43e5304df65e3c26) C:\Windows\System32\appinfo.dll
14:23:48.0968 4888 Appinfo - ok
14:23:49.0046 4888 Apple Mobile Device (7ef47644b74ebe721cc32211d3c35e76) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
14:23:49.0046 4888 Apple Mobile Device - ok
14:23:49.0077 4888 arc (2932004f49677bd84dbc72edb754ffb3) C:\Windows\system32\DRIVERS\arc.sys
14:23:49.0077 4888 arc - ok
14:23:49.0093 4888 arcsas (5d6f36c46fd283ae1b57bd2e9feb0bc7) C:\Windows\system32\DRIVERS\arcsas.sys
14:23:49.0093 4888 arcsas - ok
14:23:49.0108 4888 AsyncMac (add2ade1c2b285ab8378d2daaf991481) C:\Windows\system32\DRIVERS\asyncmac.sys
14:23:49.0108 4888 AsyncMac - ok
14:23:49.0124 4888 atapi (338c86357871c167a96ab976519bf59e) C:\Windows\system32\drivers\atapi.sys
14:23:49.0124 4888 atapi - ok
14:23:49.0171 4888 AudioEndpointBuilder (ce3b4e731638d2ef62fcb419be0d39f0) C:\Windows\System32\Audiosrv.dll
14:23:49.0171 4888 AudioEndpointBuilder - ok
14:23:49.0171 4888 Audiosrv (ce3b4e731638d2ef62fcb419be0d39f0) C:\Windows\System32\Audiosrv.dll
14:23:49.0171 4888 Audiosrv - ok
14:23:49.0202 4888 AxInstSV (6e30d02aac9cac84f421622e3a2f6178) C:\Windows\System32\AxInstSV.dll
14:23:49.0202 4888 AxInstSV - ok
14:23:49.0233 4888 b06bdrv (1a231abec60fd316ec54c66715543cec) C:\Windows\system32\DRIVERS\bxvbdx.sys
14:23:49.0233 4888 b06bdrv - ok
14:23:49.0249 4888 b57nd60x (bd8869eb9cde6bbe4508d869929869ee) C:\Windows\system32\DRIVERS\b57nd60x.sys
14:23:49.0264 4888 b57nd60x - ok
14:23:49.0280 4888 BDESVC (ee1e9c3bb8228ae423dd38db69128e71) C:\Windows\System32\bdesvc.dll
14:23:49.0280 4888 BDESVC - ok
14:23:49.0296 4888 Beep (505506526a9d467307b3c393dedaf858) C:\Windows\system32\drivers\Beep.sys
14:23:49.0296 4888 Beep - ok
14:23:49.0342 4888 BFE (1e2bac209d184bb851e1a187d8a29136) C:\Windows\System32\bfe.dll
14:23:49.0342 4888 BFE - ok
14:23:49.0374 4888 BITS (e585445d5021971fae10393f0f1c3961) C:\Windows\system32\qmgr.dll
14:23:49.0389 4888 BITS - ok
14:23:49.0389 4888 blbdrive (2287078ed48fcfc477b05b20cf38f36f) C:\Windows\system32\DRIVERS\blbdrive.sys
14:23:49.0389 4888 blbdrive - ok
14:23:49.0467 4888 Bonjour Service (db5bea73edaf19ac68b2c0fad0f92b1a) C:\Program Files\Bonjour\mDNSResponder.exe
14:23:49.0467 4888 Bonjour Service - ok
14:23:49.0498 4888 bowser (8f2da3028d5fcbd1a060a3de64cd6506) C:\Windows\system32\DRIVERS\bowser.sys
14:23:49.0498 4888 bowser - ok
14:23:49.0545 4888 BPowMon (104c980400850ea84f86cd31ae2eeece) C:\Program Files\Broadcom\BPowMon\BPowMon.exe
14:23:49.0545 4888 BPowMon - ok
14:23:49.0561 4888 BrFiltLo (9f9acc7f7ccde8a15c282d3f88b43309) C:\Windows\system32\DRIVERS\BrFiltLo.sys
14:23:49.0561 4888 BrFiltLo - ok
14:23:49.0576 4888 BrFiltUp (56801ad62213a41f6497f96dee83755a) C:\Windows\system32\DRIVERS\BrFiltUp.sys
14:23:49.0576 4888 BrFiltUp - ok
14:23:49.0623 4888 BridgeMP (77361d72a04f18809d0efb6cceb74d4b) C:\Windows\system32\DRIVERS\bridge.sys
14:23:49.0623 4888 BridgeMP - ok
14:23:49.0654 4888 Browser (6e11f33d14d020f58d5e02e4d67dfa19) C:\Windows\System32\browser.dll
14:23:49.0654 4888 Browser - ok
14:23:49.0654 4888 Brserid (845b8ce732e67f3b4133164868c666ea) C:\Windows\System32\Drivers\Brserid.sys
14:23:49.0670 4888 Brserid - ok
14:23:49.0670 4888 BrSerWdm (203f0b1e73adadbbb7b7b1fabd901f6b) C:\Windows\System32\Drivers\BrSerWdm.sys
14:23:49.0670 4888 BrSerWdm - ok
14:23:49.0686 4888 BrUsbMdm (bd456606156ba17e60a04e18016ae54b) C:\Windows\System32\Drivers\BrUsbMdm.sys
14:23:49.0686 4888 BrUsbMdm - ok
14:23:49.0686 4888 BrUsbSer (af72ed54503f717a43268b3cc5faec2e) C:\Windows\System32\Drivers\BrUsbSer.sys
14:23:49.0686 4888 BrUsbSer - ok
14:23:49.0701 4888 BTHMODEM (ed3df7c56ce0084eb2034432fc56565a) C:\Windows\system32\DRIVERS\bthmodem.sys
14:23:49.0701 4888 BTHMODEM - ok
14:23:49.0732 4888 bthserv (1df19c96eef6c29d1c3e1a8678e07190) C:\Windows\system32\bthserv.dll
14:23:49.0732 4888 bthserv - ok
14:23:49.0826 4888 catchme - ok
14:23:49.0857 4888 cdfs (77ea11b065e0a8ab902d78145ca51e10) C:\Windows\system32\DRIVERS\cdfs.sys
14:23:49.0857 4888 cdfs - ok
14:23:49.0904 4888 cdrom (be167ed0fdb9c1fa1133953c18d5a6c9) C:\Windows\system32\drivers\cdrom.sys
14:23:49.0904 4888 cdrom - ok
14:23:49.0935 4888 CertPropSvc (319c6b309773d063541d01df8ac6f55f) C:\Windows\System32\certprop.dll
14:23:49.0935 4888 CertPropSvc - ok
14:23:49.0951 4888 circlass (3fe3fe94a34df6fb06e6418d0f6a0060) C:\Windows\system32\DRIVERS\circlass.sys
14:23:49.0951 4888 circlass - ok
14:23:49.0982 4888 CLFS (635181e0e9bbf16871bf5380d71db02d) C:\Windows\system32\CLFS.sys
14:23:49.0982 4888 CLFS - ok
14:23:50.0029 4888 clr_optimization_v2.0.50727_32 (d88040f816fda31c3b466f0fa0918f29) C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
14:23:50.0029 4888 clr_optimization_v2.0.50727_32 - ok
14:23:50.0076 4888 clr_optimization_v4.0.30319_32 (c5a75eb48e2344abdc162bda79e16841) C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
14:23:50.0076 4888 clr_optimization_v4.0.30319_32 - ok
14:23:50.0091 4888 CmBatt (dea805815e587dad1dd2c502220b5616) C:\Windows\system32\DRIVERS\CmBatt.sys
14:23:50.0107 4888 CmBatt - ok
14:23:50.0138 4888 cmdide (c537b1db64d495b9b4717b4d6d9edbf2) C:\Windows\system32\drivers\cmdide.sys
14:23:50.0154 4888 cmdide - ok
14:23:50.0185 4888 CNG (6427525d76f61d0c519b008d3680e8e7) C:\Windows\system32\Drivers\cng.sys
14:23:50.0185 4888 CNG - ok
14:23:50.0200 4888 Compbatt (a6023d3823c37043986713f118a89bee) C:\Windows\system32\DRIVERS\compbatt.sys
14:23:50.0200 4888 Compbatt - ok
14:23:50.0216 4888 CompositeBus (cbe8c58a8579cfe5fccf809e6f114e89) C:\Windows\system32\drivers\CompositeBus.sys
14:23:50.0232 4888 CompositeBus - ok
14:23:50.0247 4888 COMSysApp - ok
14:23:50.0263 4888 crcdisk (2c4ebcfc84a9b44f209dff6c6e6c61d1) C:\Windows\system32\DRIVERS\crcdisk.sys
14:23:50.0278 4888 crcdisk - ok
14:23:50.0310 4888 CryptSvc (a585bebf7d054bd9618eda0922d5484a) C:\Windows\system32\cryptsvc.dll
14:23:50.0325 4888 CryptSvc - ok
14:23:50.0403 4888 cvhsvc (72794d112cbaff3bc0c29bf7350d4741) C:\Program Files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
14:23:50.0403 4888 cvhsvc - ok
14:23:50.0434 4888 dc3d (734bbe7c66e6fd6047a1bd29b9343b30) C:\Windows\system32\DRIVERS\dc3d.sys
14:23:50.0466 4888 dc3d - ok
14:23:50.0497 4888 DcomLaunch (7660f01d3b38aca1747e397d21d790af) C:\Windows\system32\rpcss.dll
14:23:50.0497 4888 DcomLaunch - ok
14:23:50.0528 4888 defragsvc (8d6e10a2d9a5eed59562d9b82cf804e1) C:\Windows\System32\defragsvc.dll
14:23:50.0528 4888 defragsvc - ok
14:23:50.0559 4888 DfsC (f024449c97ec1e464aaffda18593db88) C:\Windows\system32\Drivers\dfsc.sys
14:23:50.0575 4888 DfsC - ok
14:23:50.0590 4888 Dhcp (e9e01eb683c132f7fa27cd607b8a2b63) C:\Windows\system32\dhcpcore.dll
14:23:50.0590 4888 Dhcp - ok
14:23:50.0622 4888 discache (1a050b0274bfb3890703d490f330c0da) C:\Windows\system32\drivers\discache.sys
14:23:50.0622 4888 discache - ok
14:23:50.0637 4888 Disk (565003f326f99802e68ca78f2a68e9ff) C:\Windows\system32\DRIVERS\disk.sys
14:23:50.0637 4888 Disk - ok
14:23:50.0668 4888 Dnscache (33ef4861f19a0736b11314aad9ae28d0) C:\Windows\System32\dnsrslvr.dll
14:23:50.0668 4888 Dnscache - ok
14:23:50.0700 4888 dot3svc (366ba8fb4b7bb7435e3b9eacb3843f67) C:\Windows\System32\dot3svc.dll
14:23:50.0715 4888 dot3svc - ok
14:23:50.0746 4888 DPS (8ec04ca86f1d68da9e11952eb85973d6) C:\Windows\system32\dps.dll
14:23:50.0746 4888 DPS - ok
14:23:50.0778 4888 drmkaud (b918e7c5f9bf77202f89e1a9539f2eb4) C:\Windows\system32\drivers\drmkaud.sys
14:23:50.0778 4888 drmkaud - ok
14:23:50.0824 4888 dsNcAdpt (e6b6dd5a355c432045219fad8512fb70) C:\Windows\system32\DRIVERS\dsNcAdpt.sys
14:23:50.0824 4888 dsNcAdpt - ok
14:23:50.0887 4888 dsNcService (f383b60e7468d613990f8aca59269573) C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
14:23:50.0887 4888 dsNcService - ok
14:23:50.0934 4888 DXGKrnl (23f5d28378a160352ba8f817bd8c71cb) C:\Windows\System32\drivers\dxgkrnl.sys
14:23:50.0949 4888 DXGKrnl - ok
14:23:50.0980 4888 EapHost (8600142fa91c1b96367d3300ad0f3f3a) C:\Windows\System32\eapsvc.dll
14:23:50.0980 4888 EapHost - ok
14:23:51.0074 4888 ebdrv (024e1b5cac09731e4d868e64dbfb4ab0) C:\Windows\system32\DRIVERS\evbdx.sys
14:23:51.0121 4888 ebdrv - ok
14:23:51.0183 4888 EFS (81951f51e318aecc2d68559e47485cc4) C:\Windows\System32\lsass.exe
14:23:51.0183 4888 EFS - ok
14:23:51.0246 4888 ehRecvr (a8c362018efc87beb013ee28f29c0863) C:\Windows\ehome\ehRecvr.exe
14:23:51.0246 4888 ehRecvr - ok
14:23:51.0261 4888 ehSched (d389bff34f80caede417bf9d1507996a) C:\Windows\ehome\ehsched.exe
14:23:51.0277 4888 ehSched - ok
14:23:51.0308 4888 elxstor (0ed67910c8c326796faa00b2bf6d9d3c) C:\Windows\system32\DRIVERS\elxstor.sys
14:23:51.0324 4888 elxstor - ok
14:23:51.0355 4888 ErrDev (8fc3208352dd3912c94367a206ab3f11) C:\Windows\system32\drivers\errdev.sys
14:23:51.0370 4888 ErrDev - ok
14:23:51.0417 4888 EventSystem (f6916efc29d9953d5d0df06882ae8e16) C:\Windows\system32\es.dll
14:23:51.0417 4888 EventSystem - ok
14:23:51.0433 4888 exfat (2dc9108d74081149cc8b651d3a26207f) C:\Windows\system32\drivers\exfat.sys
14:23:51.0433 4888 exfat - ok
14:23:51.0448 4888 fastfat (7e0ab74553476622fb6ae36f73d97d35) C:\Windows\system32\drivers\fastfat.sys
14:23:51.0448 4888 fastfat - ok
14:23:51.0495 4888 Fax (967ea5b213e9984cbe270205df37755b) C:\Windows\system32\fxssvc.exe
14:23:51.0511 4888 Fax - ok
14:23:51.0511 4888 fdc (e817a017f82df2a1f8cfdbda29388b29) C:\Windows\system32\DRIVERS\fdc.sys
14:23:51.0526 4888 fdc - ok
14:23:51.0542 4888 fdPHost (f3222c893bd2f5821a0179e5c71e88fb) C:\Windows\system32\fdPHost.dll
14:23:51.0542 4888 fdPHost - ok
14:23:51.0542 4888 FDResPub (7dbe8cbfe79efbdeb98c9fb08d3a9a5b) C:\Windows\system32\fdrespub.dll
14:23:51.0542 4888 FDResPub - ok
14:23:51.0558 4888 FileInfo (6cf00369c97f3cf563be99be983d13d8) C:\Windows\system32\drivers\fileinfo.sys
14:23:51.0558 4888 FileInfo - ok
14:23:51.0573 4888 Filetrace (42c51dc94c91da21cb9196eb64c45db9) C:\Windows\system32\drivers\filetrace.sys
14:23:51.0573 4888 Filetrace - ok
14:23:51.0589 4888 flpydisk (87907aa70cb3c56600f1c2fb8841579b) C:\Windows\system32\DRIVERS\flpydisk.sys
14:23:51.0604 4888 flpydisk - ok
14:23:51.0620 4888 FltMgr (7520ec808e0c35e0ee6f841294316653) C:\Windows\system32\drivers\fltmgr.sys
14:23:51.0620 4888 FltMgr - ok
14:23:51.0667 4888 FontCache (b3a5ec6b6b6673db7e87c2bcdbddc074) C:\Windows\system32\FntCache.dll
14:23:51.0682 4888 FontCache - ok
14:23:51.0729 4888 FontCache3.0.0.0 (e56f39f6b7fda0ac77a79b0fd3de1a2f) C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
14:23:51.0729 4888 FontCache3.0.0.0 - ok
14:23:51.0745 4888 FsDepends (1a16b57943853e598cff37fe2b8cbf1d) C:\Windows\system32\drivers\FsDepends.sys
14:23:51.0760 4888 FsDepends - ok
14:23:51.0792 4888 Fs_Rec (7dae5ebcc80e45d3253f4923dc424d05) C:\Windows\system32\drivers\Fs_Rec.sys
14:23:51.0792 4888 Fs_Rec - ok
14:23:51.0823 4888 fvevol (8a73e79089b282100b9393b644cb853b) C:\Windows\system32\DRIVERS\fvevol.sys
14:23:51.0823 4888 fvevol - ok
14:23:51.0838 4888 gagp30kx (65ee0c7a58b65e74ae05637418153938) C:\Windows\system32\DRIVERS\gagp30kx.sys
14:23:51.0854 4888 gagp30kx - ok
14:23:51.0870 4888 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\Windows\system32\DRIVERS\GEARAspiWDM.sys
14:23:51.0885 4888 GEARAspiWDM - ok
14:23:51.0963 4888 GoToAssist (8f6ae606eb0cc884ee12c41948424422) C:\Program Files\Citrix\GoToAssist\615\g2aservice.exe
14:23:52.0416 4888 GoToAssist - ok
14:23:52.0447 4888 gpsvc (e897eaf5ed6ba41e081060c9b447a673) C:\Windows\System32\gpsvc.dll
14:23:52.0447 4888 gpsvc - ok
14:23:52.0478 4888 hcw85cir (c44e3c2bab6837db337ddee7544736db) C:\Windows\system32\drivers\hcw85cir.sys
14:23:52.0478 4888 hcw85cir - ok
14:23:52.0509 4888 HDAudBus (9036377b8a6c15dc2eec53e489d159b5) C:\Windows\system32\drivers\HDAudBus.sys
14:23:52.0525 4888 HDAudBus - ok
14:23:52.0525 4888 HidBatt (1d58a7f3e11a9731d0eaaaa8405acc36) C:\Windows\system32\DRIVERS\HidBatt.sys
14:23:52.0540 4888 HidBatt - ok
14:23:52.0556 4888 HidBth (89448f40e6df260c206a193a4683ba78) C:\Windows\system32\DRIVERS\hidbth.sys
14:23:52.0556 4888 HidBth - ok
14:23:52.0572 4888 HidIr (cf50b4cf4a4f229b9f3c08351f99ca5e) C:\Windows\system32\DRIVERS\hidir.sys
14:23:52.0587 4888 HidIr - ok
14:23:52.0618 4888 hidserv (2bc6f6a1992b3a77f5f41432ca6b3b6b) C:\Windows\System32\hidserv.dll
14:23:52.0618 4888 hidserv - ok
14:23:52.0665 4888 HidUsb (10c19f8290891af023eaec0832e1eb4d) C:\Windows\system32\DRIVERS\hidusb.sys
14:23:52.0665 4888 HidUsb - ok
14:23:52.0696 4888 hkmsvc (196b4e3f4cccc24af836ce58facbb699) C:\Windows\system32\kmsvc.dll
14:23:52.0696 4888 hkmsvc - ok
14:23:52.0712 4888 HomeGroupListener (6658f4404de03d75fe3ba09f7aba6a30) C:\Windows\system32\ListSvc.dll
14:23:52.0728 4888 HomeGroupListener - ok
14:23:52.0728 4888 HomeGroupProvider (dbc02d918fff1cad628acbe0c0eaa8e8) C:\Windows\system32\provsvc.dll
14:23:52.0728 4888 HomeGroupProvider - ok
14:23:52.0743 4888 HpSAMD (295fdc419039090eb8b49ffdbb374549) C:\Windows\system32\drivers\HpSAMD.sys
14:23:52.0759 4888 HpSAMD - ok
14:23:52.0806 4888 HTTP (871917b07a141bff43d76d8844d48106) C:\Windows\system32\drivers\HTTP.sys
14:23:52.0806 4888 HTTP - ok
14:23:52.0821 4888 hwpolicy (0c4e035c7f105f1299258c90886c64c5) C:\Windows\system32\drivers\hwpolicy.sys
14:23:52.0821 4888 hwpolicy - ok
14:23:52.0852 4888 i8042prt (f151f0bdc47f4a28b1b20a0818ea36d6) C:\Windows\system32\drivers\i8042prt.sys
14:23:52.0868 4888 i8042prt - ok
14:23:52.0899 4888 iaStorV (5cd5f9a5444e6cdcb0ac89bd62d8b76e) C:\Windows\system32\drivers\iaStorV.sys
14:23:52.0915 4888 iaStorV - ok
14:23:53.0008 4888 idsvc (c521d7eb6497bb1af6afa89e322fb43c) C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
14:23:53.0071 4888 idsvc - ok
14:23:53.0274 4888 igfx (dce0b53570703cce580d066f89ef58cd) C:\Windows\system32\DRIVERS\igdkmd32.sys
14:23:53.0430 4888 igfx - ok
14:23:53.0508 4888 iirsp (4173ff5708f3236cf25195fecd742915) C:\Windows\system32\DRIVERS\iirsp.sys
14:23:53.0523 4888 iirsp - ok
14:23:53.0570 4888 IKEEXT (f95622f161474511b8d80d6b093aa610) C:\Windows\System32\ikeext.dll
14:23:53.0570 4888 IKEEXT - ok
14:23:53.0648 4888 IntcAzAudAddService (94b1ff5d243d34b31380a2f79fc48959) C:\Windows\system32\drivers\RTKVHDA.sys
14:23:53.0913 4888 IntcAzAudAddService - ok
14:23:53.0991 4888 intelide (a0f12f2c9ba6c72f3987ce780e77c130) C:\Windows\system32\drivers\intelide.sys
14:23:53.0991 4888 intelide - ok
14:23:54.0007 4888 intelppm (3b514d27bfc4accb4037bc6685f766e0) C:\Windows\system32\DRIVERS\intelppm.sys
14:23:54.0007 4888 intelppm - ok
14:23:54.0038 4888 IPBusEnum (acb364b9075a45c0736e5c47be5cae19) C:\Windows\system32\ipbusenum.dll
14:23:54.0038 4888 IPBusEnum - ok
14:23:54.0038 4888 IpFilterDriver (709d1761d3b19a932ff0238ea6d50200) C:\Windows\system32\DRIVERS\ipfltdrv.sys
14:23:54.0054 4888 IpFilterDriver - ok
14:23:54.0100 4888 iphlpsvc (4d65a07b795d6674312f879d09aa7663) C:\Windows\System32\iphlpsvc.dll
14:23:54.0100 4888 iphlpsvc - ok
14:23:54.0116 4888 IPMIDRV (4bd7134618c1d2a27466a099062547bf) C:\Windows\system32\drivers\IPMIDrv.sys
14:23:54.0116 4888 IPMIDRV - ok
14:23:54.0132 4888 IPNAT (a5fa468d67abcdaa36264e463a7bb0cd) C:\Windows\system32\drivers\ipnat.sys
14:23:54.0147 4888 IPNAT - ok
14:23:54.0194 4888 iPod Service (57edb35ea2feca88f8b17c0c095c9a56) C:\Program Files\iPod\bin\iPodService.exe
14:23:54.0194 4888 iPod Service - ok
14:23:54.0210 4888 IRENUM (42996cff20a3084a56017b7902307e9f) C:\Windows\system32\drivers\irenum.sys
14:23:54.0225 4888 IRENUM - ok
14:23:54.0241 4888 isapnp (1f32bb6b38f62f7df1a7ab7292638a35) C:\Windows\system32\drivers\isapnp.sys
14:23:54.0256 4888 isapnp - ok
14:23:54.0272 4888 iScsiPrt (cb7a9abb12b8415bce5d74994c7ba3ae) C:\Windows\system32\drivers\msiscsi.sys
14:23:54.0288 4888 iScsiPrt - ok
14:23:54.0319 4888 k57nd60x (7ea81534e80570bdf6ee4a4248bba4d6) C:\Windows\system32\DRIVERS\k57nd60x.sys
14:23:54.0334 4888 k57nd60x - ok
14:23:54.0350 4888 kbdclass (adef52ca1aeae82b50df86b56413107e) C:\Windows\system32\DRIVERS\kbdclass.sys
14:23:54.0350 4888 kbdclass - ok
14:23:54.0366 4888 kbdhid (9e3ced91863e6ee98c24794d05e27a71) C:\Windows\system32\DRIVERS\kbdhid.sys
14:23:54.0366 4888 kbdhid - ok
14:23:54.0397 4888 KeyIso (81951f51e318aecc2d68559e47485cc4) C:\Windows\system32\lsass.exe
14:23:54.0397 4888 KeyIso - ok
14:23:54.0397 4888 KSecDD (f4647bb23db9038a7536cf6b68f4207f) C:\Windows\system32\Drivers\ksecdd.sys
14:23:54.0412 4888 KSecDD - ok
14:23:54.0428 4888 KSecPkg (e73cae53bbb72ba26918492c6b4c229d) C:\Windows\system32\Drivers\ksecpkg.sys
14:23:54.0428 4888 KSecPkg - ok
14:23:54.0444 4888 KtmRm (89a7b9cc98d0d80c6f31b91c0a310fcd) C:\Windows\system32\msdtckrm.dll
14:23:54.0459 4888 KtmRm - ok
14:23:54.0490 4888 LanmanServer (d64af876d53eca3668bb97b51b4e70ab) C:\Windows\System32\srvsvc.dll
14:23:54.0506 4888 LanmanServer - ok
14:23:54.0537 4888 LanmanWorkstation (58405e4f68ba8e4057c6e914f326aba2) C:\Windows\System32\wkssvc.dll
14:23:54.0537 4888 LanmanWorkstation - ok
14:23:54.0568 4888 lltdio (f7611ec07349979da9b0ae1f18ccc7a6) C:\Windows\system32\DRIVERS\lltdio.sys
14:23:54.0568 4888 lltdio - ok
14:23:54.0584 4888 lltdsvc (5700673e13a2117fa3b9020c852c01e2) C:\Windows\System32\lltdsvc.dll
14:23:54.0600 4888 lltdsvc - ok
14:23:54.0600 4888 lmhosts (55ca01ba19d0006c8f2639b6c045e08b) C:\Windows\System32\lmhsvc.dll
14:23:54.0615 4888 lmhosts - ok
14:23:54.0631 4888 LSI_FC (eb119a53ccf2acc000ac71b065b78fef) C:\Windows\system32\DRIVERS\lsi_fc.sys
14:23:54.0631 4888 LSI_FC - ok
14:23:54.0646 4888 LSI_SAS (8ade1c877256a22e49b75d1cc9161f9c) C:\Windows\system32\DRIVERS\lsi_sas.sys
14:23:54.0662 4888 LSI_SAS - ok
14:23:54.0678 4888 LSI_SAS2 (dc9dc3d3daa0e276fd2ec262e38b11e9) C:\Windows\system32\DRIVERS\lsi_sas2.sys
14:23:54.0693 4888 LSI_SAS2 - ok
14:23:54.0693 4888 LSI_SCSI (0a036c7d7cab643a7f07135ac47e0524) C:\Windows\system32\DRIVERS\lsi_scsi.sys
14:23:54.0709 4888 LSI_SCSI - ok
14:23:54.0740 4888 luafv (6703e366cc18d3b6e534f5cf7df39cee) C:\Windows\system32\drivers\luafv.sys
14:23:54.0740 4888 luafv - ok
14:23:54.0787 4888 MBAMProtector (fb097bbc1a18f044bd17bd2fccf97865) C:\Windows\system32\drivers\mbam.sys
14:23:54.0787 4888 MBAMProtector - ok
14:23:54.0834 4888 MBAMService (ba400ed640bca1eae5c727ae17c10207) C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
14:23:54.0834 4888 MBAMService - ok
14:23:54.0865 4888 Mcx2Svc (bfb9ee8ee977efe85d1a3105abef6dd1) C:\Windows\system32\Mcx2Svc.dll
14:23:54.0880 4888 Mcx2Svc - ok
14:23:54.0896 4888 megasas (0fff5b045293002ab38eb1fd1fc2fb74) C:\Windows\system32\DRIVERS\megasas.sys
14:23:54.0912 4888 megasas - ok
14:23:54.0943 4888 MegaSR (dcbab2920c75f390caf1d29f675d03d6) C:\Windows\system32\DRIVERS\MegaSR.sys
14:23:54.0958 4888 MegaSR - ok
14:23:54.0974 4888 MMCSS (146b6f43a673379a3c670e86d89be5ea) C:\Windows\system32\mmcss.dll
14:23:54.0974 4888 MMCSS - ok
14:23:54.0990 4888 Modem (f001861e5700ee84e2d4e52c712f4964) C:\Windows\system32\drivers\modem.sys
14:23:54.0990 4888 Modem - ok
14:23:55.0021 4888 monitor (79d10964de86b292320e9dfe02282a23) C:\Windows\system32\DRIVERS\monitor.sys
14:23:55.0021 4888 monitor - ok
14:23:55.0036 4888 mouclass (fb18cc1d4c2e716b6b903b0ac0cc0609) C:\Windows\system32\DRIVERS\mouclass.sys
14:23:55.0052 4888 mouclass - ok
14:23:55.0052 4888 mouhid (2c388d2cd01c9042596cf3c8f3c7b24d) C:\Windows\system32\DRIVERS\mouhid.sys
14:23:55.0068 4888 mouhid - ok
14:23:55.0099 4888 mountmgr (fc8771f45ecccfd89684e38842539b9b) C:\Windows\system32\drivers\mountmgr.sys
14:23:55.0099 4888 mountmgr - ok
14:23:55.0130 4888 mpio (2d699fb6e89ce0d8da14ecc03b3edfe0) C:\Windows\system32\drivers\mpio.sys
14:23:55.0130 4888 mpio - ok
14:23:55.0146 4888 mpsdrv (ad2723a7b53dd1aacae6ad8c0bfbf4d0) C:\Windows\system32\drivers\mpsdrv.sys
14:23:55.0146 4888 mpsdrv - ok
14:23:55.0192 4888 MpsSvc (9835584e999d25004e1ee8e5f3e3b881) C:\Windows\system32\mpssvc.dll
14:23:55.0192 4888 MpsSvc - ok
14:23:55.0208 4888 MRxDAV (ceb46ab7c01c9f825f8cc6babc18166a) C:\Windows\system32\drivers\mrxdav.sys
14:23:55.0224 4888 MRxDAV - ok
14:23:55.0270 4888 mrxsmb (5d16c921e3671636c0eba3bbaac5fd25) C:\Windows\system32\DRIVERS\mrxsmb.sys
14:23:55.0270 4888 mrxsmb - ok
14:23:55.0302 4888 mrxsmb10 (6d17a4791aca19328c685d256349fefc) C:\Windows\system32\DRIVERS\mrxsmb10.sys
14:23:55.0302 4888 mrxsmb10 - ok
14:23:55.0317 4888 mrxsmb20 (b81f204d146000be76651a50670a5e9e) C:\Windows\system32\DRIVERS\mrxsmb20.sys
14:23:55.0317 4888 mrxsmb20 - ok
14:23:55.0348 4888 msahci (012c5f4e9349e711e11e0f19a8589f0a) C:\Windows\system32\drivers\msahci.sys
14:23:55.0348 4888 msahci - ok
14:23:55.0380 4888 msdsm (55055f8ad8be27a64c831322a780a228) C:\Windows\system32\drivers\msdsm.sys
14:23:55.0395 4888 msdsm - ok
14:23:55.0411 4888 MSDTC (e1bce74a3bd9902b72599c0192a07e27) C:\Windows\System32\msdtc.exe
14:23:55.0426 4888 MSDTC - ok
14:23:55.0489 4888 Msfs (daefb28e3af5a76abcc2c3078c07327f) C:\Windows\system32\drivers\Msfs.sys
14:23:55.0489 4888 Msfs - ok
14:23:55.0504 4888 mshidkmdf (3e1e5767043c5af9367f0056295e9f84) C:\Windows\System32\drivers\mshidkmdf.sys
14:23:55.0504 4888 mshidkmdf - ok
14:23:55.0536 4888 msisadrv (0a4e5757ae09fa9622e3158cc1aef114) C:\Windows\system32\drivers\msisadrv.sys
14:23:55.0536 4888 msisadrv - ok
14:23:55.0551 4888 MSiSCSI (90f7d9e6b6f27e1a707d4a297f077828) C:\Windows\system32\iscsiexe.dll
14:23:55.0567 4888 MSiSCSI - ok
14:23:55.0567 4888 msiserver - ok
14:23:55.0582 4888 MSKSSRV (8c0860d6366aaffb6c5bb9df9448e631) C:\Windows\system32\drivers\MSKSSRV.sys
14:23:55.0598 4888 MSKSSRV - ok
14:23:55.0614 4888 MSPCLOCK (3ea8b949f963562cedbb549eac0c11ce) C:\Windows\system32\drivers\MSPCLOCK.sys
14:23:55.0629 4888 MSPCLOCK - ok
14:23:55.0629 4888 MSPQM (f456e973590d663b1073e9c463b40932) C:\Windows\system32\drivers\MSPQM.sys
14:23:55.0645 4888 MSPQM - ok
14:23:55.0660 4888 MsRPC (0e008fc4819d238c51d7c93e7b41e560) C:\Windows\system32\drivers\MsRPC.sys
14:23:55.0660 4888 MsRPC - ok
14:23:55.0660 4888 mssmbios (fc6b9ff600cc585ea38b12589bd4e246) C:\Windows\system32\drivers\mssmbios.sys
14:23:55.0660 4888 mssmbios - ok
14:23:55.0676 4888 MSTEE (b42c6b921f61a6e55159b8be6cd54a36) C:\Windows\system32\drivers\MSTEE.sys
14:23:55.0676 4888 MSTEE - ok
14:23:55.0707 4888 MTConfig (33599130f44e1f34631cea241de8ac84) C:\Windows\system32\DRIVERS\MTConfig.sys
14:23:55.0707 4888 MTConfig - ok
14:23:55.0723 4888 Mup (159fad02f64e6381758c990f753bcc80) C:\Windows\system32\Drivers\mup.sys
14:23:55.0723 4888 Mup - ok
14:23:55.0754 4888 napagent (61d57a5d7c6d9afe10e77dae6e1b445e) C:\Windows\system32\qagentRT.dll
14:23:55.0754 4888 napagent - ok
14:23:55.0785 4888 NativeWifiP (26384429fcd85d83746f63e798ab1480) C:\Windows\system32\DRIVERS\nwifi.sys
14:23:55.0785 4888 NativeWifiP - ok
14:23:55.0816 4888 NDIS (e7c54812a2aaf43316eb6930c1ffa108) C:\Windows\system32\drivers\ndis.sys
14:23:55.0816 4888 NDIS - ok
14:23:55.0848 4888 NdisCap (0e1787aa6c9191d3d319e8bafe86f80c) C:\Windows\system32\DRIVERS\ndiscap.sys
14:23:55.0848 4888 NdisCap - ok
14:23:55.0863 4888 NdisTapi (e4a8aec125a2e43a9e32afeea7c9c888) C:\Windows\system32\DRIVERS\ndistapi.sys
14:23:55.0863 4888 NdisTapi - ok
14:23:55.0910 4888 Ndisuio (d8a65dafb3eb41cbb622745676fcd072) C:\Windows\system32\DRIVERS\ndisuio.sys
14:23:55.0910 4888 Ndisuio - ok
14:23:55.0910 4888 NdisWan (38fbe267e7e6983311179230facb1017) C:\Windows\system32\DRIVERS\ndiswan.sys
14:23:55.0926 4888 NdisWan - ok
14:23:55.0957 4888 NDProxy (a4bdc541e69674fbff1a8ff00be913f2) C:\Windows\system32\drivers\NDProxy.sys
14:23:55.0957 4888 NDProxy - ok
14:23:55.0972 4888 NetBIOS (80b275b1ce3b0e79909db7b39af74d51) C:\Windows\system32\DRIVERS\netbios.sys
14:23:55.0988 4888 NetBIOS - ok
14:23:56.0004 4888 NetBT (280122ddcf04b378edd1ad54d71c1e54) C:\Windows\system32\DRIVERS\netbt.sys
14:23:56.0004 4888 NetBT - ok
14:23:56.0019 4888 Netlogon (81951f51e318aecc2d68559e47485cc4) C:\Windows\system32\lsass.exe
14:23:56.0019 4888 Netlogon - ok
14:23:56.0050 4888 Netman (7cccfca7510684768da22092d1fa4db2) C:\Windows\System32\netman.dll
14:23:56.0066 4888 Netman - ok
14:23:56.0066 4888 netprofm (8c338238c16777a802d6a9211eb2ba50) C:\Windows\System32\netprofm.dll
14:23:56.0082 4888 netprofm - ok
14:23:56.0113 4888 netr28u (9067a7689d108c4f15ed2fcf2c572b5c) C:\Windows\system32\DRIVERS\netr28u.sys
14:23:56.0113 4888 netr28u - ok
14:23:56.0191 4888 NetTcpPortSharing (f476ec40033cdb91efbe73eb99b8362d) C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
14:23:56.0238 4888 NetTcpPortSharing - ok
14:23:56.0269 4888 nfrd960 (1d85c4b390b0ee09c7a46b91efb2c097) C:\Windows\system32\DRIVERS\nfrd960.sys
14:23:56.0284 4888 nfrd960 - ok
14:23:56.0316 4888 NlaSvc (912084381d30d8b89ec4e293053f4710) C:\Windows\System32\nlasvc.dll
14:23:56.0316 4888 NlaSvc - ok
14:23:56.0394 4888 nmservice (cd569fa91ec6f59d045c19d0d3850f44) C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
14:23:56.0394 4888 nmservice - ok
14:23:56.0409 4888 Npfs (1db262a9f8c087e8153d89bef3d2235f) C:\Windows\system32\drivers\Npfs.sys
14:23:56.0409 4888 Npfs - ok
14:23:56.0440 4888 nsi (ba387e955e890c8a88306d9b8d06bf17) C:\Windows\system32\nsisvc.dll
14:23:56.0440 4888 nsi - ok
14:23:56.0456 4888 nsiproxy (e9a0a4d07e53d8fea2bb8387a3293c58) C:\Windows\system32\drivers\nsiproxy.sys
14:23:56.0456 4888 nsiproxy - ok
14:23:56.0503 4888 Ntfs (81189c3d7763838e55c397759d49007a) C:\Windows\system32\drivers\Ntfs.sys
14:23:56.0518 4888 Ntfs - ok
14:23:56.0534 4888 Null (f9756a98d69098dca8945d62858a812c) C:\Windows\system32\drivers\Null.sys
14:23:56.0550 4888 Null - ok
14:23:56.0581 4888 nvraid (b3e25ee28883877076e0e1ff877d02e0) C:\Windows\system32\drivers\nvraid.sys
14:23:56.0596 4888 nvraid - ok
14:23:56.0596 4888 nvstor (4380e59a170d88c4f1022eff6719a8a4) C:\Windows\system32\drivers\nvstor.sys
14:23:56.0628 4888 nvstor - ok
14:23:56.0628 4888 nv_agp (5a0983915f02bae73267cc2a041f717d) C:\Windows\system32\drivers\nv_agp.sys
14:23:56.0643 4888 nv_agp - ok
14:23:56.0659 4888 ohci1394 (08a70a1f2cdde9bb49b885cb817a66eb) C:\Windows\system32\drivers\ohci1394.sys
14:23:56.0674 4888 ohci1394 - ok
14:23:56.0706 4888 ose (9d10f99a6712e28f8acd5641e3a7ea6b) C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
14:23:56.0706 4888 ose - ok
14:23:56.0846 4888 osppsvc (358a9cca612c68eb2f07ddad4ce1d8d7) C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
14:23:56.0862 4888 osppsvc - ok
14:23:56.0924 4888 p2pimsvc (82a8521ddc60710c3d3d3e7325209bec) C:\Windows\system32\pnrpsvc.dll
14:23:56.0924 4888 p2pimsvc - ok
14:23:56.0955 4888 p2psvc (59c3ddd501e39e006dac31bf55150d91) C:\Windows\system32\p2psvc.dll
14:23:56.0955 4888 p2psvc - ok
14:23:56.0986 4888 Parport (2ea877ed5dd9713c5ac74e8ea7348d14) C:\Windows\system32\DRIVERS\parport.sys
14:23:56.0986 4888 Parport - ok
14:23:57.0018 4888 partmgr (3f34a1b4c5f6475f320c275e63afce9b) C:\Windows\system32\drivers\partmgr.sys
14:23:57.0018 4888 partmgr - ok
14:23:57.0033 4888 Parvdm (eb0a59f29c19b86479d36b35983daadc) C:\Windows\system32\DRIVERS\parvdm.sys
14:23:57.0033 4888 Parvdm - ok
14:23:57.0049 4888 PcaSvc (358ab7956d3160000726574083dfc8a6) C:\Windows\System32\pcasvc.dll
14:23:57.0049 4888 PcaSvc - ok
14:23:57.0127 4888 PCDSRVC{E9D79540-57D5953E-06020101}_0 (92fddbed716bf5c3cb766101563cfce5) c:\program files\dell support center\pcdsrvc.pkms
14:23:57.0142 4888 PCDSRVC{E9D79540-57D5953E-06020101}_0 - ok
14:23:57.0174 4888 pci (673e55c3498eb970088e812ea820aa8f) C:\Windows\system32\drivers\pci.sys
14:23:57.0174 4888 pci - ok
14:23:57.0174 4888 pciide (afe86f419014db4e5593f69ffe26ce0a) C:\Windows\system32\drivers\pciide.sys
14:23:57.0174 4888 pciide - ok
14:23:57.0205 4888 pcmcia (f396431b31693e71e8a80687ef523506) C:\Windows\system32\DRIVERS\pcmcia.sys
14:23:57.0220 4888 pcmcia - ok
14:23:57.0220 4888 pcw (250f6b43d2b613172035c6747aeeb19f) C:\Windows\system32\drivers\pcw.sys
14:23:57.0220 4888 pcw - ok
14:23:57.0252 4888 PEAUTH (9e0104ba49f4e6973749a02bf41344ed) C:\Windows\system32\drivers\peauth.sys
14:23:57.0267 4888 PEAUTH - ok
14:23:57.0330 4888 pla (414bba67a3ded1d28437eb66aeb8a720) C:\Windows\system32\pla.dll
14:23:57.0330 4888 pla - ok
14:23:57.0408 4888 PlugPlay (ec7bc28d207da09e79b3e9faf8b232ca) C:\Windows\system32\umpnpmgr.dll
14:23:57.0408 4888 PlugPlay - ok
14:23:57.0439 4888 pnarp (8092d881311b313c99099870f663f888) C:\Windows\system32\DRIVERS\pnarp.sys
14:23:57.0439 4888 pnarp - ok
14:23:57.0454 4888 PNRPAutoReg (63ff8572611249931eb16bb8eed6afc8) C:\Windows\system32\pnrpauto.dll
14:23:57.0454 4888 PNRPAutoReg - ok
14:23:57.0470 4888 PNRPsvc (82a8521ddc60710c3d3d3e7325209bec) C:\Windows\system32\pnrpsvc.dll
14:23:57.0470 4888 PNRPsvc - ok
14:23:57.0517 4888 Point32 (7d7a9c17d5455203dea11e5ef886cc59) C:\Windows\system32\DRIVERS\point32.sys
14:23:57.0532 4888 Point32 - ok
14:23:57.0548 4888 PolicyAgent (53946b69ba0836bd95b03759530c81ec) C:\Windows\System32\ipsecsvc.dll
14:23:57.0564 4888 PolicyAgent - ok
14:23:57.0595 4888 Power (f87d30e72e03d579a5199ccb3831d6ea) C:\Windows\system32\umpo.dll
14:23:57.0595 4888 Power - ok
14:23:57.0626 4888 PptpMiniport (631e3e205ad6d86f2aed6a4a8e69f2db) C:\Windows\system32\DRIVERS\raspptp.sys
14:23:57.0626 4888 PptpMiniport - ok
14:23:57.0642 4888 Processor (85b1e3a0c7585bc4aae6899ec6fcf011) C:\Windows\system32\DRIVERS\processr.sys
14:23:57.0657 4888 Processor - ok
14:23:57.0673 4888 ProfSvc (43ca4ccc22d52fb58e8988f0198851d0) C:\Windows\system32\profsvc.dll
14:23:57.0673 4888 ProfSvc - ok
14:23:57.0704 4888 ProtectedStorage (81951f51e318aecc2d68559e47485cc4) C:\Windows\system32\lsass.exe
14:23:57.0704 4888 ProtectedStorage - ok
14:23:57.0720 4888 Psched (6270ccae2a86de6d146529fe55b3246a) C:\Windows\system32\DRIVERS\pacer.sys
14:23:57.0720 4888 Psched - ok
14:23:57.0751 4888 purendis (9715050608550825b23507213cae0208) C:\Windows\system32\DRIVERS\purendis.sys
14:23:57.0751 4888 purendis - ok
14:23:57.0782 4888 PxHelp20 (40fedd328f98245ad201cf5f9f311724) C:\Windows\system32\Drivers\PxHelp20.sys
14:23:57.0782 4888 PxHelp20 - ok
14:23:57.0813 4888 ql2300 (ab95ecf1f6659a60ddc166d8315b0751) C:\Windows\system32\DRIVERS\ql2300.sys
14:23:57.0860 4888 ql2300 - ok
14:23:57.0922 4888 ql40xx (b4dd51dd25182244b86737dc51af2270) C:\Windows\system32\DRIVERS\ql40xx.sys
14:23:57.0938 4888 ql40xx - ok
14:23:57.0954 4888 QWAVE (31ac809e7707eb580b2bdb760390765a) C:\Windows\system32\qwave.dll
14:23:57.0969 4888 QWAVE - ok
14:23:57.0969 4888 QWAVEdrv (584078ca1b95ca72df2a27c336f9719d) C:\Windows\system32\drivers\qwavedrv.sys
14:23:57.0985 4888 QWAVEdrv - ok
14:23:58.0000 4888 RasAcd (30a81b53c766d0133bb86d234e5556ab) C:\Windows\system32\DRIVERS\rasacd.sys
14:23:58.0000 4888 RasAcd - ok
14:23:58.0016 4888 RasAgileVpn (57ec4aef73660166074d8f7f31c0d4fd) C:\Windows\system32\DRIVERS\AgileVpn.sys
14:23:58.0032 4888 RasAgileVpn - ok
14:23:58.0032 4888 RasAuto (a60f1839849c0c00739787fd5ec03f13) C:\Windows\System32\rasauto.dll
14:23:58.0047 4888 RasAuto - ok
14:23:58.0063 4888 Rasl2tp (d9f91eafec2815365cbe6d167e4e332a) C:\Windows\system32\DRIVERS\rasl2tp.sys
14:23:58.0078 4888 Rasl2tp - ok
14:23:58.0125 4888 RasMan (cb9e04dc05eacf5b9a36ca276d475006) C:\Windows\System32\rasmans.dll
14:23:58.0125 4888 RasMan - ok
14:23:58.0141 4888 RasPppoe (0fe8b15916307a6ac12bfb6a63e45507) C:\Windows\system32\DRIVERS\raspppoe.sys
14:23:58.0141 4888 RasPppoe - ok
14:23:58.0156 4888 RasSstp (44101f495a83ea6401d886e7fd70096b) C:\Windows\system32\DRIVERS\rassstp.sys
14:23:58.0156 4888 RasSstp - ok
14:23:58.0188 4888 rdbss (d528bc58a489409ba40334ebf96a311b) C:\Windows\system32\DRIVERS\rdbss.sys
14:23:58.0203 4888 rdbss - ok
14:23:58.0219 4888 rdpbus (0d8f05481cb76e70e1da06ee9f0da9df) C:\Windows\system32\DRIVERS\rdpbus.sys
14:23:58.0219 4888 rdpbus - ok
14:23:58.0250 4888 RDPCDD (23dae03f29d253ae74c44f99e515f9a1) C:\Windows\system32\DRIVERS\RDPCDD.sys
14:23:58.0250 4888 RDPCDD - ok
14:23:58.0297 4888 RDPENCDD (5a53ca1598dd4156d44196d200c94b8a) C:\Windows\system32\drivers\rdpencdd.sys
14:23:58.0297 4888 RDPENCDD - ok
14:23:58.0312 4888 RDPREFMP (44b0a53cd4f27d50ed461dae0c0b4e1f) C:\Windows\system32\drivers\rdprefmp.sys
14:23:58.0312 4888 RDPREFMP - ok
14:23:58.0344 4888 RDPWD (244c83332f44589ae98fc347f11b2693) C:\Windows\system32\drivers\RDPWD.sys
14:23:58.0344 4888 RDPWD - ok
14:23:58.0390 4888 rdyboost (518395321dc96fe2c9f0e96ac743b656) C:\Windows\system32\drivers\rdyboost.sys
14:23:58.0390 4888 rdyboost - ok
14:23:58.0422 4888 RemoteAccess (7b5e1419717fac363a31cc302895217a) C:\Windows\System32\mprdim.dll
14:23:58.0422 4888 RemoteAccess - ok
14:23:58.0437 4888 RemoteRegistry (cb9a8683f4ef2bf99e123d79950d7935) C:\Windows\system32\regsvc.dll
14:23:58.0437 4888 RemoteRegistry - ok
14:23:58.0468 4888 RpcEptMapper (78d072f35bc45d9e4e1b61895c152234) C:\Windows\System32\RpcEpMap.dll
14:23:58.0468 4888 RpcEptMapper - ok
14:23:58.0484 4888 RpcLocator (94d36c0e44677dd26981d2bfeef2a29d) C:\Windows\system32\locator.exe
14:23:58.0484 4888 RpcLocator - ok
14:23:58.0515 4888 RpcSs (7660f01d3b38aca1747e397d21d790af) C:\Windows\system32\rpcss.dll
14:23:58.0515 4888 RpcSs - ok
14:23:58.0546 4888 rspndr (032b0d36ad92b582d869879f5af5b928) C:\Windows\system32\DRIVERS\rspndr.sys
14:23:58.0546 4888 rspndr - ok
14:23:58.0578 4888 SamSs (81951f51e318aecc2d68559e47485cc4) C:\Windows\system32\lsass.exe
14:23:58.0578 4888 SamSs - ok
14:23:58.0656 4888 SAVAdminService (bd57b12fa4c21b1ce7da3570410bf12d) C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
14:23:58.0656 4888 SAVAdminService - ok
14:24:03.0960 4888 ============================================================
14:24:03.0960 4888 Scan finished
14:24:03.0960 4888 ============================================================
14:24:03.0975 0620 Detected object count: 0
14:24:03.0975 0620 Actual detected object count: 0
shelf life
2012-05-14, 03:53
You're welcome. We are done. You can delete the tdsskiller icon and log.
The free version of Malwarebytes does not have a real time protection component or auto updates. In this case you would have to update it manually and start a scan manually.
If it's not kept updated it will soon be worthless as an antimalware app. Updates cover new threats.
I believe it's good practice to check for new updates once or twice a week even if you don't do a system scan at that time, just to ensure you always have the latest updates.
If all is good:
10 Tips for Prevention and Avoidance of Malware:
There is no reason why your computer can not stay malware free.
No software can think for you. Help yourself. In no special order:
1) It is essential to keep your operating system (Windows), browser (IE, FireFox, Chrome, Opera) and other software up to date to "patch" vulnerabilities that could be exploited. Visit Windows Update (http://www.update.microsoft.com/microsoftupdate/v6/default.aspx?ln=en-us) frequently or use the Windows auto-update feature. (http://www.microsoft.com/windows/downloads/windowsupdate/automaticupdate.mspx) Staying updated is also essential for other web based applications like Java, Adobe Flash/Reader, iTunes, media players, browser plugins and add-ons. More and more third party applications are being targeted. Not sure if you are using the latest version of software? Check their version status and get the updates here. (http://secunia.com/vulnerability_scanning/online/)
2) Know what you are installing to your computer. A lot of software can come bundled with unwanted add-ons, like adware, toolbars and malware. More and more legitimate software is installing useless toolbars if not unchecked first. Do not install any files from ads, popups or random links. Do not fall for fake warnings about viruses and trojans being found on your computer and you are then prompted to install software to remedy this. See also the signs (http://www.malwarevault.com/signs.html) that you may have malware on your computer.
3) Install and keep updated: one antivirus and two or three anti-malware applications. If not updated they will soon be worthless. If either of these frequently find malware then it's time to *review your computer habits*.
4) Refrain from clicking on links or attachments via E-Mail, IM, IRC, Chat Rooms, Blogs or Social Networking Sites, no matter how tempting or legitimate the message may seem. See also E-mail phishing Tricks (http://www.fraud.org/tips/internet/phishing.htm).
5) Do not click on ads/pop ups or offers from websites requesting that you need to install software to your computer--*for any reason*. Use the Alt+F4 keys to close the window.
6) Don't click on offers to "scan" your computer. Install ActiveX Objects with care. Do you trust the website to install components?
7) Consider the use of limited (non-privileged) accounts for everyday use, rather than administrator accounts. Limited accounts (http://www.microsoft.com/protect/computer/advanced/useraccount.mspx) can help prevent *malware from installing and lessen its potential impact.* This is exactly what user account control (UAC) in Vista and Windows 7 and 8 attempt to address.
8) Install and understand the *limitations* of a software firewall.
9) The why and how to secure (http://www.cert.org/tech_tips/securing_browser/) your browser for safer surfing.
10) Warez, cracks, keygens etc. are very popular for carrying malware payloads. If you look for these you will encounter malware. If you download/install files via p2p networks you will encounter malware. A file can be named anything, be nothing but malware or have malware bundled in it.
Do you really trust the source?
More info/tips with pictures in links below.
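Tip 7 above is easier to appreciate against the DDS "Pseudo HJT Report" logs posted in this thread: an infection that runs as a standard user can still persist through the per-user Run key (the uRun: lines) with an executable dropped in AppData\Roaming. The following triage script is an added example, not code from this thread, from DDS or from Sophos; it parses uRun/mRun lines in the DDS format and flags autorun entries whose executable sits outside Program Files/Windows or in a user-writable profile folder. The sample lines are constructed in that format, and the function and constant names are the example's own.

```python
"""Triage the autorun (Run-key) lines of a DDS 'Pseudo HJT Report'.

Added example; not part of the thread or of DDS itself. Input lines follow the
DDS format seen in this thread:
    uRun: [Name] "c:\\path\\prog.exe" -args     (per-user HKCU Run key)
    mRun: [Name] c:\\path\\prog.exe -args       (machine-wide HKLM Run key)
"""
import re
from typing import List, NamedTuple, Tuple

RUN_LINE = re.compile(r"^(?P<hive>[um])Run(?:Once)?:\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")

# Roots that installers normally use; an autorun outside them deserves a look.
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")

# Profile folders a standard (non-admin) user can write to. Banking trojans of the
# Zbot family persist this way: a per-user Run entry pointing at a freshly created
# folder with a generated name under AppData\Roaming.
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\", "\\temp\\")


class Finding(NamedTuple):
    hive: str                 # "HKCU" (uRun) or "HKLM" (mRun)
    name: str                 # the [Name] shown in brackets
    exe: str                  # lower-cased executable path
    reasons: Tuple[str, ...]  # why the entry was flagged


def parse_command(cmd: str) -> str:
    """Extract the executable path from a Run-key command string.

    Handles a quoted path ("c:\\a b\\x.exe" -flag) and an unquoted path that
    itself contains spaces (c:\\program files\\x.exe /flag).
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.+?\.exe)(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split(" ", 1)[0]


def triage_run_lines(lines: List[str]) -> List[Finding]:
    """Return one Finding per autorun entry that merits review, in input order."""
    findings = []
    for line in lines:
        m = RUN_LINE.match(line.strip())
        if not m:
            continue  # not an autorun line (BHO:, DPF:, TCP:, ...)
        hive = "HKCU" if m.group("hive") == "u" else "HKLM"
        exe = parse_command(m.group("cmd")).lower()
        reasons = []
        if any(marker in exe for marker in USER_WRITABLE):
            reasons.append("executable lives in a user-writable profile folder")
        if not exe.startswith(TRUSTED_ROOTS):
            reasons.append("executable is outside Program Files / Windows")
        if hive == "HKCU" and reasons:
            # Per-user key plus per-user path: no admin rights were needed, so a
            # limited account alone would not have blocked this persistence.
            reasons.append("per-user persistence (no admin rights required)")
        if reasons:
            findings.append(Finding(hive, m.group("name"), exe, tuple(reasons)))
    return findings


# Constructed sample in DDS format. The third line mirrors the kind of entry that
# is the red flag in a Zbot infection: generated name, AppData\Roaming path.
SAMPLE_LINES = [
    'uRun: [Sidebar] c:\\program files\\windows sidebar\\sidebar.exe /autoRun',
    'uRun: [SpybotSD TeaTimer] c:\\program files\\spybot - search & destroy\\TeaTimer.exe',
    'uRun: [Ufzeufpafo] "c:\\users\\mom and dad\\appdata\\roaming\\buluas\\ynas.exe"',
    'mRun: [RtHDVCpl] c:\\program files\\realtek\\audio\\hda\\RtHDVCpl.exe -s',
    'mRun: [DBRMTray] c:\\dell\\dbrm\\reminder\\DbrmTrayIcon.exe',
    'BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\\x\\y.dll',
]

if __name__ == "__main__":
    for f in triage_run_lines(SAMPLE_LINES):
        print(f"{f.hive:4} [{f.name}] {f.exe}")
        for r in f.reasons:
            print(f"      - {r}")
```

The flagged entries are review candidates, not verdicts: a vendor tray tool under c:\dell is a low-priority hit, whereas a per-user entry under AppData\Roaming with a meaningless name is what a helper would ask about first.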
plooploo
2012-05-14, 08:05
Thank you for your time and help! Do you recommend any specific antivirus and anti malware? Or maybe I can put it another way - what do you choose to use on your personal machines? Thanks again and have a great day.
shelf life
2012-05-15, 02:36
I actually use Fedora Linux 95% of the time but I do have a couple of Windows machines and on them I run Avast (free) on one, Panda Cloud AV (free) on another and MS Security Essentials on the third. Also I run Malwarebytes (free) on them as an antimalware app. That's it. The basics.
I really can't recommend one over the other. No software can think for you, having and practicing good computing habits will go a long way in preventing malware from getting on your machine.
Happy Safe Surfing.
plooploo
2012-05-15, 06:03
Thanks for your advice, again. I agree that safe browsing habits are the first and best line of defense, but as my parents are not quite as technologically savvy, I still would like to set up the best passive defense possible to keep their computers safe.
I may just be paranoid but - I am having difficulty updating Spybot, when I click on Update it says "Please select some update files from the list first." without letting me select any; I do see a window the proper size for the update server list pop up briefly, but it disappears on its own. This persists despite me downloading and installing a fresh copy of spybot from the official website.
I also wanted to uninstall Sophos and change over to Avast. However, upon close inspection of Sophos, the icon persistently says on-access scanning is disabled, though the Sophos logs and in-program settings say on-access scanning is on. Finally, I am unable to update Sophos but this is a corporate remotely-managed institutional license for Sophos from my sister's medical school so I am not sure if that is simply how they manage it.
In any case, I don't mind uninstalling Sophos and installing Avast myself, I know you are not here for software technical support, but just wanted to know that you were sure the computer is clean before I set those things up and start using the computer again.
There has been no usage of the computer since the last post save for what I mentioned above. I ran MalwareBytes which showed no infection and I will attach a fresh DDS log in case it is useful to you.
Apologies if I am wasting more of your valuable time, I suppose these two abnormal behaviors could be coincidence but I'd rather be 100% sure the computer is clean.
Malwarebytes
===========================
Malwarebytes Anti-Malware (Trial) 1.61.0.1400
www.malwarebytes.org
Database version: v2012.05.14.07
Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 9.0.8112.16421
Mom and Dad :: MOMANDDAD-PC [administrator]
Protection: Enabled
5/14/2012 8:43:12 PM
mbam-log-2012-05-14 (20-43-12).txt
Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 327634
Time elapsed: 40 minute(s), 12 second(s)
Memory Processes Detected: 0
(No malicious items detected)
Memory Modules Detected: 0
(No malicious items detected)
Registry Keys Detected: 0
(No malicious items detected)
Registry Values Detected: 0
(No malicious items detected)
Registry Data Items Detected: 0
(No malicious items detected)
Folders Detected: 0
(No malicious items detected)
Files Detected: 0
(No malicious items detected)
(end)
=========DDS=======
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_26
Run by Mom and Dad at 21:58:32 on 2012-05-14
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3037.1462 [GMT -5:00]
.
AV: Sophos Anti-Virus *Enabled/Outdated* {479CCF92-4960-B3E0-7373-BF453B467D2C}
SP: Sophos Anti-Virus *Enabled/Outdated* {FCFD2E76-6F5A-BC6E-49C3-843740C13791}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskhost.exe
C:\Windows\System32\svchost.exe -k NetworkService
C:\Program Files\Realtek\Audio\HDA\AERTSrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Broadcom\BPowMon\BPowMon.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\Program Files\Microsoft Application Virtualization Client\sftvsa.exe
C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\Program Files\Sophos\Remote Management System\RouterNT.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Sophos\Sophos Anti-Virus\Web Intelligence\swi_service.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files\Microsoft Application Virtualization Client\sftlist.exe
C:\Program Files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\WUDFHost.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\Pure Networks\Network Magic\nmapp.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\LifeScan\OneTouchDMSPro\Bin\SnapShot.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Common Files\Apple\Internet Services\ubd.exe
C:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe
C:\Program Files\Common Files\Apple\Apple Application Support\distnoted.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\system32\DllHost.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: TmIEPlugInBHO Class: {1ca1377b-dc1d-4a52-9585-6e06050fac53} - c:\program files\trend micro\client server security agent\bho\1009\TmIEPlg.dll
BHO: Sophos Web Content Scanner: {39ea7695-b3f2-4c44-a4bc-297ada8fd235} - c:\program files\sophos\sophos anti-virus\SophosBHO.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Windows Live Messenger Companion Helper: {9fdde16b-836f-4806-ab1f-1455cbeff289} - c:\program files\windows live\companion\companioncore.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [MobileDocuments] c:\program files\common files\apple\internet services\ubd.exe
uRun: [Ufzeufpafo] "c:\users\mom and dad\appdata\roaming\buluas\ynas.exe"
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe -s
mRun: [DBRMTray] c:\dell\dbrm\reminder\DbrmTrayIcon.exe
mRun: [nmctxth] "c:\program files\common files\pure networks shared\platform\nmctxth.exe"
mRun: [nmapp] "c:\program files\pure networks\network magic\nmapp.exe" -autorun -nosplash
mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
mRun: [Sophos AutoUpdate Monitor] c:\program files\sophos\autoupdate\almon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [LFS-SnapShot] c:\program files\lifescan\onetouchdmspro\bin\SnapShot.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRunOnce: [DBRMTray] c:\dell\dbrm\reminder\TrayApp.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: EnableLinkedConnections = 1 (0x1)
IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - c:\program files\windows live\companion\companioncore.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
LSP: c:\programdata\sophos web intelligence\swi_lsp.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} - hxxps://utswra.swmed.edu/dana-cached/sc/JuniperSetupClient.cab
TCP: DhcpNameServer = 192.168.0.1
TCP: Interfaces\{214D11F4-7E50-41CD-9503-3907EC4F40AA} : DhcpNameServer = 68.94.156.1 151.164.8.201
TCP: Interfaces\{460FCA68-077C-4CA1-B7FB-A8FDBD8E5A0C} : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{823D521D-5484-41F1-8A1D-DEC6D3DFD6D9} : DhcpNameServer = 68.94.156.1 151.164.8.201
TCP: Interfaces\{9736988B-7442-414B-A74F-E9452DED24CA} : DhcpNameServer = 192.168.1.254
TCP: Interfaces\{9A4C7A79-523F-4C81-94D1-12B9D2B624BE} : DhcpNameServer = 192.168.0.1
TCP: Interfaces\{BF61424D-8977-4C7A-BCB3-81FC26A7ED74} : DhcpNameServer = 192.168.0.1
TCP: Interfaces\{CB7A7CD2-4993-48B4-A06A-3B1A2B4FF34C} : DhcpNameServer = 192.168.1.254
TCP: Interfaces\{D9A85ECF-4E08-49E6-B123-548B11110C6D} : DhcpNameServer = 68.94.156.1 151.164.8.201
TCP: Interfaces\{D9A85ECF-4E08-49E6-B123-548B11110C6D}\97F6378696 : DhcpNameServer = 192.168.2.1 68.94.156.1 151.164.8.201
Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\platform\puresp4.dll
Handler: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} - c:\program files\trend micro\client server security agent\bho\1009\TmIEPlg.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll
Notify: GoToAssist - c:\program files\citrix\gotoassist\615\G2AWinLogon.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\progra~1\sophos\sophos~1\sophos_detoured.dll
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\mom and dad\appdata\roaming\mozilla\firefox\profiles\7pnbjaan.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
.
============= SERVICES / DRIVERS ===============
.
R1 SAVOnAccess;SAVOnAccess;c:\windows\system32\drivers\savonaccess.sys [2011-7-2 122360]
R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]
R2 AERTFilters;Andrea RT Filters Service;c:\program files\realtek\audio\hda\AERTSrv.exe [2010-12-14 81920]
R2 BPowMon;Broadcom Power monitoring service;c:\program files\broadcom\bpowmon\BPowMon.exe [2009-8-17 79168]
R2 cvhsvc;Client Virtualization Handler;c:\program files\common files\microsoft shared\virtualization handler\CVHSVC.EXE [2012-1-4 822624]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-5-11 654408]
R2 SAVAdminService;Sophos Anti-Virus status reporter;c:\program files\sophos\sophos anti-virus\SAVAdminService.exe [2011-7-2 163056]
R2 SAVService;Sophos Anti-Virus;c:\program files\sophos\sophos anti-virus\SavService.exe [2011-7-2 97520]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2010-12-22 1153368]
R2 sftlist;Application Virtualization Client;c:\program files\microsoft application virtualization client\sftlist.exe [2011-10-1 508776]
R2 Sophos Agent;Sophos Agent;c:\program files\sophos\remote management system\ManagementAgentNT.exe [2011-7-2 282624]
R2 Sophos AutoUpdate Service;Sophos AutoUpdate Service;c:\program files\sophos\autoupdate\ALsvc.exe [2010-9-30 230640]
R2 Sophos Message Router;Sophos Message Router;c:\program files\sophos\remote management system\RouterNT.exe [2011-7-2 806912]
R2 swi_service;Sophos Web Intelligence Service;c:\program files\sophos\sophos anti-virus\web intelligence\swi_service.exe [2012-4-8 1543704]
R3 k57nd60x;Broadcom NetLink (TM) Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\k57nd60x.sys [2010-12-14 273960]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-5-11 22344]
R3 netr28u;Linksys USB Wireless LAN Card Driver for Vista;c:\windows\system32\drivers\netr28u.sys [2010-1-15 841504]
R3 Sftfs;Sftfs;c:\windows\system32\drivers\Sftfslh.sys [2011-10-1 579944]
R3 Sftplay;Sftplay;c:\windows\system32\drivers\Sftplaylh.sys [2011-10-1 194408]
R3 Sftredir;Sftredir;c:\windows\system32\drivers\Sftredirlh.sys [2011-10-1 21864]
R3 Sftvol;Sftvol;c:\windows\system32\drivers\Sftvollh.sys [2011-10-1 19304]
R3 sftvsa;Application Virtualization Service Agent;c:\program files\microsoft application virtualization client\sftvsa.exe [2011-10-1 219496]
R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\drivers\vwifimp.sys [2009-7-13 14336]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-4-8 257696]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
S3 PCDSRVC{E9D79540-57D5953E-06020101}_0;PCDSRVC{E9D79540-57D5953E-06020101}_0 - PCDR Kernel Mode Service Helper Driver;c:\program files\dell support center\pcdsrvc.pkms [2010-7-30 21744]
S3 sdcfilter;sdcfilter;c:\windows\system32\drivers\sdcfilter.sys [2011-7-2 23928]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-3-13 52224]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-12-22 1343400]
S4 SophosBootDriver;SophosBootDriver;c:\windows\system32\drivers\SophosBootDriver.sys [2011-7-2 22536]
S4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\windows live\mesh\wlcrasvc.exe [2010-9-22 51040]
.
=============== Created Last 30 ================
.
2012-05-13 19:19:47 6734704 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{f2f82cc4-9753-4e1e-8622-281ce6baddb0}\mpengine.dll
2012-05-11 21:16:27 -------- d-----w- c:\users\mom and dad\appdata\roaming\Malwarebytes
2012-05-11 21:15:55 -------- d-----w- c:\programdata\Malwarebytes
2012-05-11 21:15:54 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-05-11 21:15:54 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-05-11 13:35:12 1291632 ----a-w- c:\windows\system32\drivers\tcpip.sys
2012-05-11 13:35:11 936960 ----a-w- c:\program files\common files\microsoft shared\ink\journal.dll
2012-05-11 13:35:10 989184 ----a-w- c:\program files\windows journal\JNTFiltr.dll
2012-05-11 13:35:10 969216 ----a-w- c:\program files\windows journal\JNWDRV.dll
2012-05-11 13:35:10 1221632 ----a-w- c:\program files\windows journal\NBDoc.DLL
2012-05-11 13:35:06 3968368 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-05-11 13:35:06 3913072 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-05-11 13:35:06 2343424 ----a-w- c:\windows\system32\win32k.sys
2012-05-11 13:34:47 56176 ----a-w- c:\windows\system32\drivers\partmgr.sys
2012-05-11 13:34:46 1077248 ----a-w- c:\windows\system32\DWrite.dll
2012-05-11 03:13:13 -------- d-sh--w- C:\$RECYCLE.BIN
2012-05-11 03:13:11 -------- d-----w- c:\users\mom and dad\appdata\local\temp
2012-04-22 13:59:15 -------- d-----w- c:\users\mom and dad\appdata\local\{538CACED-8C83-11E1-826D-B8AC6F996F26}
2012-04-22 13:59:15 -------- d-----w- c:\users\mom and dad\appdata\local\{538C6839-8C83-11E1-826D-B8AC6F996F26}
2012-04-22 13:58:30 -------- d-----w- c:\users\mom and dad\appdata\roaming\Fine
2012-04-22 13:58:30 -------- d-----w- c:\users\mom and dad\appdata\roaming\Domii
2012-04-22 13:58:28 -------- d-----w- c:\users\mom and dad\appdata\local\MF
.
==================== Find3M ====================
.
2012-05-05 22:43:23 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-05-05 22:43:23 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-03-01 05:46:57 19824 ----a-w- c:\windows\system32\drivers\fs_rec.sys
2012-03-01 05:37:41 172544 ----a-w- c:\windows\system32\wintrust.dll
2012-03-01 05:33:23 159232 ----a-w- c:\windows\system32\imagehlp.dll
2012-03-01 05:29:16 5120 ----a-w- c:\windows\system32\wmi.dll
2012-02-28 01:18:55 1799168 ----a-w- c:\windows\system32\jscript9.dll
2012-02-28 01:11:21 1427456 ----a-w- c:\windows\system32\inetcpl.cpl
2012-02-28 01:11:07 1127424 ----a-w- c:\windows\system32\wininet.dll
2012-02-28 01:03:16 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-02-23 15:18:36 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-02-17 05:34:22 826880 ----a-w- c:\windows\system32\rdpcore.dll
2012-02-17 04:14:08 183808 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-02-17 04:13:22 24576 ----a-w- c:\windows\system32\drivers\tdtcp.sys
2012-02-15 16:01:50 4547944 ----a-w- c:\windows\system32\usbaaplrc.dll
2012-02-15 16:01:50 43520 ----a-w- c:\windows\system32\drivers\usbaapl.sys
.
============= FINISH: 21:59:55.51 ===============
shelf life
2012-05-16, 00:32
ok no problem. Disabling or not being able to update software could be a sign of malware, like you suggest. We can get another look and see if that resolves any issues. We can start with combofix. Download a new copy and run it like you did before. Please post the new log. We will go from there.
plooploo
2012-05-16, 03:32
Re-downloaded fresh copy of Combofix, here is the log. Thank you again. If there are detected problems I may not be able to make it back to this machine until next weekend. If indicated, let me know and I will keep the machine powered off until more can be done. Thanks!
Combofix log
----------------------
ComboFix 12-05-15.04 - Mom and Dad 05/15/2012 19:22:39.2.2 - x86
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3037.1964 [GMT -5:00]
Running from: c:\users\Mom and Dad\Desktop\virus killing software\ComboFix.exe
AV: Sophos Anti-Virus *Disabled/Outdated* {479CCF92-4960-B3E0-7373-BF453B467D2C}
SP: Sophos Anti-Virus *Disabled/Outdated* {FCFD2E76-6F5A-BC6E-49C3-843740C13791}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2012-04-16 to 2012-05-16 )))))))))))))))))))))))))))))))
.
.
2012-05-16 00:27 . 2012-05-16 00:27 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-05-15 20:48 . 2012-04-13 07:36 6734704 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{FD7C28DD-52CD-46B8-9F50-0A8507A67D20}\mpengine.dll
2012-05-15 14:03 . 2012-05-15 14:03 -------- d-----w- c:\program files\Microsoft IntelliPoint
2012-05-15 13:55 . 2012-05-15 13:55 -------- d-----w- c:\program files\Microsoft IntelliType Pro
2012-05-11 21:16 . 2012-05-11 21:16 -------- d-----w- c:\users\Mom and Dad\AppData\Roaming\Malwarebytes
2012-05-11 21:15 . 2012-05-11 21:15 -------- d-----w- c:\programdata\Malwarebytes
2012-05-11 21:15 . 2012-05-11 21:16 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-05-11 21:15 . 2012-04-04 20:56 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-05-11 13:35 . 2012-03-30 10:23 1291632 ----a-w- c:\windows\system32\drivers\tcpip.sys
2012-05-11 13:35 . 2012-03-31 04:29 936960 ----a-w- c:\program files\Common Files\Microsoft Shared\ink\journal.dll
2012-05-11 13:35 . 2012-03-31 04:30 1221632 ----a-w- c:\program files\Windows Journal\NBDoc.DLL
2012-05-11 13:35 . 2012-03-31 04:29 989184 ----a-w- c:\program files\Windows Journal\JNTFiltr.dll
2012-05-11 13:35 . 2012-03-31 04:29 969216 ----a-w- c:\program files\Windows Journal\JNWDRV.dll
2012-05-11 13:35 . 2012-03-31 04:39 3968368 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-05-11 13:35 . 2012-03-31 04:39 3913072 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-05-11 13:35 . 2012-03-31 02:36 2343424 ----a-w- c:\windows\system32\win32k.sys
2012-05-11 13:34 . 2012-03-17 07:27 56176 ----a-w- c:\windows\system32\drivers\partmgr.sys
2012-05-11 13:34 . 2012-03-03 05:31 1077248 ----a-w- c:\windows\system32\DWrite.dll
2012-05-11 03:13 . 2012-05-16 00:27 -------- d-----w- c:\users\Mom and Dad\AppData\Local\temp
2012-04-22 13:59 . 2012-04-22 13:59 -------- d-----w- c:\users\Mom and Dad\AppData\Local\{538CACED-8C83-11E1-826D-B8AC6F996F26}
2012-04-22 13:59 . 2012-04-22 13:59 -------- d-----w- c:\users\Mom and Dad\AppData\Local\{538C6839-8C83-11E1-826D-B8AC6F996F26}
2012-04-22 13:58 . 2012-05-11 02:38 -------- d-----w- c:\users\Mom and Dad\AppData\Roaming\Domii
2012-04-22 13:58 . 2012-04-22 13:58 -------- d-----w- c:\users\Mom and Dad\AppData\Roaming\Fine
2012-04-22 13:58 . 2012-05-11 03:07 -------- d-----w- c:\users\Mom and Dad\AppData\Local\MF
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-05-05 22:43 . 2012-04-08 23:55 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-05-05 22:43 . 2011-06-17 11:47 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-03-01 05:46 . 2012-04-12 08:01 19824 ----a-w- c:\windows\system32\drivers\fs_rec.sys
2012-03-01 05:37 . 2012-04-12 08:01 172544 ----a-w- c:\windows\system32\wintrust.dll
2012-03-01 05:33 . 2012-04-12 08:01 159232 ----a-w- c:\windows\system32\imagehlp.dll
2012-03-01 05:29 . 2012-04-12 08:01 5120 ----a-w- c:\windows\system32\wmi.dll
2012-02-28 01:18 . 2012-04-12 08:08 1799168 ----a-w- c:\windows\system32\jscript9.dll
2012-02-28 01:11 . 2012-04-12 08:08 1427456 ----a-w- c:\windows\system32\inetcpl.cpl
2012-02-28 01:11 . 2012-04-12 08:08 1127424 ----a-w- c:\windows\system32\wininet.dll
2012-02-28 01:03 . 2012-04-12 08:08 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-02-23 15:18 . 2010-12-22 19:37 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-02-17 05:34 . 2012-03-14 12:13 826880 ----a-w- c:\windows\system32\rdpcore.dll
2012-02-17 04:14 . 2012-03-14 12:13 183808 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-02-17 04:13 . 2012-03-14 12:13 24576 ----a-w- c:\windows\system32\drivers\tdtcp.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1174016]
"MobileDocuments"="c:\program files\Common Files\Apple\Internet Services\ubd.exe" [2012-02-23 59240]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"Spotify Web Helper"="c:\users\Mom and Dad\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe" [2012-05-15 932528]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-09-12 7739936]
"DBRMTray"="c:\dell\DBRM\Reminder\DbrmTrayIcon.exe" [2010-05-20 206336]
"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2009-07-07 647216]
"nmapp"="c:\program files\Pure Networks\Network Magic\nmapp.exe" [2009-07-08 472112]
"Sophos AutoUpdate Monitor"="c:\program files\Sophos\AutoUpdate\almon.exe" [2010-09-30 439536]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-02-12 137752]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-02-12 171032]
"Persistence"="c:\windows\system32\igfxpers.exe" [2011-02-12 172568]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
"LFS-SnapShot"="c:\program files\LifeScan\OneTouchDMSPro\Bin\SnapShot.exe" [2010-09-16 6635571]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-03-27 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-03-27 421736]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2011-08-10 1313640]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2011-08-01 1821576]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"DBRMTray"="c:\dell\DBRM\Reminder\TrayApp.exe" [2010-02-04 7168]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"EnableLinkedConnections"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2011-07-27 23:17 13672 ----a-w- c:\program files\Citrix\GoToAssist\615\g2awinlogon.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Sophos\SOPHOS~1\sophos_detoured.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SophosAntiVirus]
"DisableMonitoring"=dword:00000001
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-05 257696]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4640000]
R3 sdcfilter;sdcfilter;c:\windows\system32\DRIVERS\sdcfilter.sys [2011-07-02 23928]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-12-23 1343400]
R4 SophosBootDriver;SophosBootDriver;c:\windows\system32\DRIVERS\SophosBootDriver.sys [2011-07-02 22536]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 51040]
S1 SAVOnAccess;SAVOnAccess;c:\windows\system32\DRIVERS\savonaccess.sys [2011-07-02 122360]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 AERTFilters;Andrea RT Filters Service;c:\program files\Realtek\Audio\HDA\AERTSrv.exe [2009-03-31 81920]
S2 BPowMon;Broadcom Power monitoring service;c:\program files\Broadcom\BPowMon\BPowMon.exe [2009-08-17 79168]
S2 cvhsvc;Client Virtualization Handler;c:\program files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2012-01-04 822624]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2012-04-04 654408]
S2 SAVAdminService;Sophos Anti-Virus status reporter;c:\program files\Sophos\Sophos Anti-Virus\SAVAdminService.exe [2011-07-02 163056]
S2 SAVService;Sophos Anti-Virus;c:\program files\Sophos\Sophos Anti-Virus\SavService.exe [2011-07-02 97520]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S2 sftlist;Application Virtualization Client;c:\program files\Microsoft Application Virtualization Client\sftlist.exe [2011-10-01 508776]
S2 swi_service;Sophos Web Intelligence Service;c:\program files\Sophos\Sophos Anti-Virus\Web Intelligence\swi_service.exe [2012-04-08 1543704]
S3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\DRIVERS\dc3d.sys [2011-05-18 40320]
S3 k57nd60x;Broadcom NetLink (TM) Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60x.sys [2009-08-21 273960]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-04-04 22344]
S3 netr28u;Linksys USB Wireless LAN Card Driver for Vista;c:\windows\system32\DRIVERS\netr28u.sys [2010-12-26 841504]
S3 PCDSRVC{E9D79540-57D5953E-06020101}_0;PCDSRVC{E9D79540-57D5953E-06020101}_0 - PCDR Kernel Mode Service Helper Driver;c:\program files\dell support center\pcdsrvc.pkms [2010-07-30 21744]
S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys [2011-10-01 579944]
S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys [2011-10-01 194408]
S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys [2011-10-01 21864]
S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys [2011-10-01 19304]
S3 sftvsa;Application Virtualization Service Agent;c:\program files\Microsoft Application Virtualization Client\sftvsa.exe [2011-10-01 219496]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-13 14336]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-05-15 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-08 22:43]
.
2012-05-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4155596158-2073292560-1801079123-1000Core.job
- c:\users\Mom and Dad\AppData\Local\Google\Update\GoogleUpdate.exe [2010-12-24 18:40]
.
2012-05-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4155596158-2073292560-1801079123-1000UA.job
- c:\users\Mom and Dad\AppData\Local\Google\Update\GoogleUpdate.exe [2010-12-24 18:40]
.
2012-05-14 c:\windows\Tasks\Nightly 2AM.job
- c:\program files\Sophos\Sophos Anti-Virus\BackgroundScanClient.exe [2011-07-02 20:28]
.
2012-04-12 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
- c:\program files\Dell Support Center\uaclauncher.exe [2010-08-05 23:47]
.
2012-05-15 c:\windows\Tasks\SystemToolsDailyTest.job
- c:\program files\Dell Support Center\pcdrcui.exe [2010-08-05 23:47]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
LSP: c:\programdata\Sophos Web Intelligence\swi_lsp.dll
TCP: DhcpNameServer = 192.168.0.1
FF - ProfilePath - c:\users\Mom and Dad\AppData\Roaming\Mozilla\Firefox\Profiles\7pnbjaan.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-Ufzeufpafo - c:\users\Mom and Dad\AppData\Roaming\Buluas\ynas.exe
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Sophos Message Router]
"ImagePath"="\"c:\program files\Sophos\Remote Management System\RouterNT.exe\" -service -name Router -ORBListenEndpoints iiop://:8193/ssl_port=8194"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PCDSRVC{E9D79540-57D5953E-06020101}_0]
"ImagePath"="\??\c:\program files\dell support center\pcdsrvc.pkms"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(7604)
c:\program files\Pure Networks\Network Magic\nmrsrc.dll
.
Completion time: 2012-05-15 19:30:08
ComboFix-quarantined-files.txt 2012-05-16 00:30
ComboFix2.txt 2012-05-11 03:13
.
- - End Of File - - 04B4B205802DD26C1F097118C43D0DF2
shelf life
2012-05-16, 04:42
ok. We will use combofix to remove some folders. First please temporarily disable any running AV or antimalware until after combofix has finished.
Open notepad
Copy/paste the text in the code box below into notepad:
Folder::
c:\users\Mom and Dad\AppData\Local\{538CACED-8C83-11E1-826D-B8AC6F996F26}
c:\users\Mom and Dad\AppData\Local\{538C6839-8C83-11E1-826D-B8AC6F996F26}
DirLook::
c:\users\Mom and Dad\AppData\Roaming\Domii
c:\users\Mom and Dad\AppData\Roaming\Fine
c:\users\Mom and Dad\AppData\Local\MF
Name the Notepad file CFScript.txt and Save it to your desktop.
Now locate the file you just saved and the combofix icon, both on your desktop. Using your mouse drag and drop the CFScript you saved right on top of the combofix icon and release. Combofix will run and produce a new log. Post the new log.
We will also get one more download to use. It's called aswmbr.exe:
Please download aswmbr.exe (http://public.avast.com/~gmerek/aswMBR.exe) to your desktop.
Double click the aswMBR.exe to run it
Click the "Scan" button to start the scan
On completion of the scan click save log, save it to your desktop and post in your next reply.
Should know more about any potential malware after you post the above logs. If you can't post until the weekend then I would leave the machine powered off just to be on the safe side.
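The helper's script above targets two things that stand out in the DDS log posted earlier: a user-level autorun (Ufzeufpafo → ynas.exe) living under AppData\Roaming, and folders created under AppData on the day of the infection (GUID-named folders and the Domii/Fine/MF folders). The following script is an added example, not the helper's tool or any ComboFix/DDS component: it applies that same triage to DDS-format lines and emits a ComboFix DirLook:: block (list only, no deletion) for the flagged folders. The sample lines are copied from the DDS log in this thread; the regexes, the known-vendor allowlist and the function names are assumptions of this example.

```python
import re
from typing import Dict, List

# Sample lines copied from the DDS log posted earlier in this thread
# (uRun/mRun autorun entries and "Created Last 30" entries); the selection is ours.
SAMPLE_DDS_LINES = [
    r"uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun",
    r'uRun: [Ufzeufpafo] "c:\users\mom and dad\appdata\roaming\buluas\ynas.exe"',
    r"mRun: [IgfxTray] c:\windows\system32\igfxtray.exe",
    r"2012-05-11 21:15:55 -------- d-----w- c:\programdata\Malwarebytes",
    r"2012-04-22 13:59:15 -------- d-----w- c:\users\mom and dad\appdata\local\{538CACED-8C83-11E1-826D-B8AC6F996F26}",
    r"2012-04-22 13:58:30 -------- d-----w- c:\users\mom and dad\appdata\roaming\Fine",
    r"2012-05-11 21:15:54 22344 ----a-w- c:\windows\system32\drivers\mbam.sys",
]

# DDS autorun line: "uRun: [Name] command" (u = HKCU, m = HKLM), assumed format
RUN_RE = re.compile(r"^(?P<hive>[um])Run(?:Once)?: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# DDS "Created Last 30" line: timestamp size attrs path; attrs starting with 'd' is a directory
CREATED_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<size>\S+)\s+(?P<attrs>\S+)\s+(?P<path>.+)$"
)
# user-profile AppData\Local or AppData\Roaming; 'leaf' is the folder directly beneath it
APPDATA_RE = re.compile(r"\\users\\[^\\]+\\appdata\\(local|roaming)\\(?P<leaf>[^\\]+)", re.I)
GUID_RE = re.compile(r"^\{[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}\}$", re.I)
# Leaf folders a reviewer normally ignores; an assumed allowlist for this example only
KNOWN_LEAVES = {"temp", "mozilla", "google", "malwarebytes", "microsoft", "apple computer", "spotify"}


def image_path(cmd: str) -> str:
    """Extract the executable path from a DDS run-key command string.
    Quoted commands: the text between the first pair of quotes.
    Unquoted commands: up to the first .exe/.dll/.cpl/.scr token (heuristic)."""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"^(?P<p>.+?\.(?:exe|dll|cpl|scr))(?:\s|$)", cmd, re.I)
    return m.group("p") if m else cmd


def triage(lines: List[str]) -> List[Dict[str, str]]:
    """Return entries that warrant a closer look, in log order:
    - an autorun whose image lives under a user's AppData (user-writable,
      the pattern of the Ufzeufpafo entry in this thread)
    - a newly created directory under AppData that is GUID-named or is not a
      known vendor folder
    Each finding is a dict with kind, name, path and reason."""
    findings: List[Dict[str, str]] = []
    for line in lines:
        m = RUN_RE.match(line)
        if m:
            path = image_path(m.group("cmd"))
            if APPDATA_RE.search(path):
                findings.append({"kind": "autorun", "name": m.group("name"), "path": path,
                                 "reason": "startup entry runs from user-writable AppData"})
            continue
        m = CREATED_RE.match(line)
        if m and m.group("attrs").startswith("d"):
            path = m.group("path")
            a = APPDATA_RE.search(path)
            if not a:
                continue
            leaf = a.group("leaf")
            if GUID_RE.match(leaf):
                reason = "new GUID-named folder under AppData"
            elif leaf.lower() not in KNOWN_LEAVES:
                reason = "new folder under AppData not in known-vendor list"
            else:
                continue
            findings.append({"kind": "created_dir", "name": leaf, "path": path, "reason": reason})
    return findings


def cfscript_dirlook(findings: List[Dict[str, str]]) -> str:
    """Build a ComboFix DirLook:: block (lists folder contents, deletes nothing)
    for the flagged directories, in the format the helper used above.
    Whether a folder then goes under Folder:: stays a human decision."""
    dirs = [f["path"] for f in findings if f["kind"] == "created_dir"]
    return "\n".join(["DirLook::"] + dirs) + "\n"


if __name__ == "__main__":
    found = triage(SAMPLE_DDS_LINES)
    for f in found:
        print(f"{f['kind']:<11} {f['name']:<45} {f['reason']}")
    print(cfscript_dirlook(found))
```

The DirLook:: output is the review step, not the fix: the listing it produces (like the alohm.arn file ComboFix reports under the Fine folder later in this thread) is what tells the reviewer whether a folder belongs under Folder::.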
plooploo
2012-05-26, 08:28
Thanks for your patience. Sorry I could not make it back to the machine until tonight. Ran updated version of Combofix with your script and then aswMBR, both logs to follow in that order:
---combofix---
ComboFix 12-05-26.01 - Mom and Dad 05/25/2012 23:36:49.3.2 - x86
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3037.1853 [GMT -5:00]
Running from: c:\users\Mom and Dad\Desktop\virus killing software\ComboFix.exe
Command switches used :: c:\users\Mom and Dad\Desktop\CFScript.txt
AV: Sophos Anti-Virus *Disabled/Outdated* {479CCF92-4960-B3E0-7373-BF453B467D2C}
SP: Sophos Anti-Virus *Disabled/Outdated* {FCFD2E76-6F5A-BC6E-49C3-843740C13791}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Mom and Dad\AppData\Local\{538C6839-8C83-11E1-826D-B8AC6F996F26}
c:\users\Mom and Dad\AppData\Local\{538C6839-8C83-11E1-826D-B8AC6F996F26}\chrome.manifest
c:\users\Mom and Dad\AppData\Local\{538C6839-8C83-11E1-826D-B8AC6F996F26}\chrome\content\browser.xul
c:\users\Mom and Dad\AppData\Local\{538C6839-8C83-11E1-826D-B8AC6F996F26}\install.rdf
c:\users\Mom and Dad\AppData\Local\{538CACED-8C83-11E1-826D-B8AC6F996F26}
c:\users\Mom and Dad\AppData\Local\{538CACED-8C83-11E1-826D-B8AC6F996F26}\background.html
c:\users\Mom and Dad\AppData\Local\{538CACED-8C83-11E1-826D-B8AC6F996F26}\icon.png
c:\users\Mom and Dad\AppData\Local\{538CACED-8C83-11E1-826D-B8AC6F996F26}\manager.js
c:\users\Mom and Dad\AppData\Local\{538CACED-8C83-11E1-826D-B8AC6F996F26}\manifest.json
.
.
((((((((((((((((((((((((( Files Created from 2012-04-26 to 2012-05-26 )))))))))))))))))))))))))))))))
.
.
2012-05-26 04:47 . 2012-05-26 04:47 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-05-26 04:32 . 2012-05-08 16:40 6737808 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{80AE44A7-1F56-41A1-A580-166FA5D2717E}\mpengine.dll
2012-05-15 14:03 . 2012-05-15 14:03 -------- d-----w- c:\program files\Microsoft IntelliPoint
2012-05-15 13:55 . 2012-05-15 13:55 -------- d-----w- c:\program files\Microsoft IntelliType Pro
2012-05-11 21:16 . 2012-05-11 21:16 -------- d-----w- c:\users\Mom and Dad\AppData\Roaming\Malwarebytes
2012-05-11 21:15 . 2012-05-11 21:15 -------- d-----w- c:\programdata\Malwarebytes
2012-05-11 21:15 . 2012-05-11 21:16 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-05-11 21:15 . 2012-04-04 20:56 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-05-11 13:35 . 2012-03-30 10:23 1291632 ----a-w- c:\windows\system32\drivers\tcpip.sys
2012-05-11 13:35 . 2012-03-31 04:29 936960 ----a-w- c:\program files\Common Files\Microsoft Shared\ink\journal.dll
2012-05-11 13:35 . 2012-03-31 04:30 1221632 ----a-w- c:\program files\Windows Journal\NBDoc.DLL
2012-05-11 13:35 . 2012-03-31 04:29 989184 ----a-w- c:\program files\Windows Journal\JNTFiltr.dll
2012-05-11 13:35 . 2012-03-31 04:29 969216 ----a-w- c:\program files\Windows Journal\JNWDRV.dll
2012-05-11 13:35 . 2012-03-31 04:39 3968368 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-05-11 13:35 . 2012-03-31 04:39 3913072 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-05-11 13:35 . 2012-03-31 02:36 2343424 ----a-w- c:\windows\system32\win32k.sys
2012-05-11 13:34 . 2012-03-17 07:27 56176 ----a-w- c:\windows\system32\drivers\partmgr.sys
2012-05-11 13:34 . 2012-03-03 05:31 1077248 ----a-w- c:\windows\system32\DWrite.dll
2012-05-11 03:13 . 2012-05-26 04:49 -------- d-----w- c:\users\Mom and Dad\AppData\Local\temp
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-05-05 22:43 . 2012-04-08 23:55 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-05-05 22:43 . 2011-06-17 11:47 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-03-01 05:46 . 2012-04-12 08:01 19824 ----a-w- c:\windows\system32\drivers\fs_rec.sys
2012-03-01 05:37 . 2012-04-12 08:01 172544 ----a-w- c:\windows\system32\wintrust.dll
2012-03-01 05:33 . 2012-04-12 08:01 159232 ----a-w- c:\windows\system32\imagehlp.dll
2012-03-01 05:29 . 2012-04-12 08:01 5120 ----a-w- c:\windows\system32\wmi.dll
2012-02-28 01:18 . 2012-04-12 08:08 1799168 ----a-w- c:\windows\system32\jscript9.dll
2012-02-28 01:11 . 2012-04-12 08:08 1427456 ----a-w- c:\windows\system32\inetcpl.cpl
2012-02-28 01:11 . 2012-04-12 08:08 1127424 ----a-w- c:\windows\system32\wininet.dll
2012-02-28 01:03 . 2012-04-12 08:08 2382848 ----a-w- c:\windows\system32\mshtml.tlb
.
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\users\Mom and Dad\AppData\Local\MF ----
.
.
---- Directory of c:\users\Mom and Dad\AppData\Roaming\Domii ----
.
.
---- Directory of c:\users\Mom and Dad\AppData\Roaming\Fine ----
.
2010-12-27 22:06 . 2012-04-22 13:58 415853 ----a-w- c:\users\Mom and Dad\AppData\Roaming\Fine\alohm.arn
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1174016]
"MobileDocuments"="c:\program files\Common Files\Apple\Internet Services\ubd.exe" [2012-02-23 59240]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"Spotify Web Helper"="c:\users\Mom and Dad\AppData\Roaming\Spotify\Data\SpotifyWebHelper.exe" [2012-05-15 932528]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-09-12 7739936]
"DBRMTray"="c:\dell\DBRM\Reminder\DbrmTrayIcon.exe" [2010-05-20 206336]
"nmctxth"="c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe" [2009-07-07 647216]
"nmapp"="c:\program files\Pure Networks\Network Magic\nmapp.exe" [2009-07-08 472112]
"Sophos AutoUpdate Monitor"="c:\program files\Sophos\AutoUpdate\almon.exe" [2010-09-30 439536]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2011-02-12 137752]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2011-02-12 171032]
"Persistence"="c:\windows\system32\igfxpers.exe" [2011-02-12 172568]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
"LFS-SnapShot"="c:\program files\LifeScan\OneTouchDMSPro\Bin\SnapShot.exe" [2010-09-16 6635571]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-03-27 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2012-03-27 421736]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2011-08-10 1313640]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2011-08-01 1821576]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"DBRMTray"="c:\dell\DBRM\Reminder\TrayApp.exe" [2010-02-04 7168]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"EnableLinkedConnections"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2011-07-27 23:17 13672 ----a-w- c:\program files\Citrix\GoToAssist\615\g2awinlogon.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Sophos\SOPHOS~1\sophos_detoured.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SophosAntiVirus]
"DisableMonitoring"=dword:00000001
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-05 257696]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4640000]
R3 sdcfilter;sdcfilter;c:\windows\system32\DRIVERS\sdcfilter.sys [2011-07-02 23928]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-12-23 1343400]
R4 SophosBootDriver;SophosBootDriver;c:\windows\system32\DRIVERS\SophosBootDriver.sys [2011-07-02 22536]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 51040]
S1 SAVOnAccess;SAVOnAccess;c:\windows\system32\DRIVERS\savonaccess.sys [2011-07-02 122360]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 AERTFilters;Andrea RT Filters Service;c:\program files\Realtek\Audio\HDA\AERTSrv.exe [2009-03-31 81920]
S2 BPowMon;Broadcom Power monitoring service;c:\program files\Broadcom\BPowMon\BPowMon.exe [2009-08-17 79168]
S2 cvhsvc;Client Virtualization Handler;c:\program files\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2012-01-04 822624]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2012-04-04 654408]
S2 SAVAdminService;Sophos Anti-Virus status reporter;c:\program files\Sophos\Sophos Anti-Virus\SAVAdminService.exe [2011-07-02 163056]
S2 SAVService;Sophos Anti-Virus;c:\program files\Sophos\Sophos Anti-Virus\SavService.exe [2011-07-02 97520]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S2 sftlist;Application Virtualization Client;c:\program files\Microsoft Application Virtualization Client\sftlist.exe [2011-10-01 508776]
S2 swi_service;Sophos Web Intelligence Service;c:\program files\Sophos\Sophos Anti-Virus\Web Intelligence\swi_service.exe [2012-04-08 1543704]
S3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\DRIVERS\dc3d.sys [2011-05-18 40320]
S3 k57nd60x;Broadcom NetLink (TM) Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60x.sys [2009-08-21 273960]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-04-04 22344]
S3 netr28u;Linksys USB Wireless LAN Card Driver for Vista;c:\windows\system32\DRIVERS\netr28u.sys [2010-12-26 841504]
S3 PCDSRVC{E9D79540-57D5953E-06020101}_0;PCDSRVC{E9D79540-57D5953E-06020101}_0 - PCDR Kernel Mode Service Helper Driver;c:\program files\dell support center\pcdsrvc.pkms [2010-07-30 21744]
S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys [2011-10-01 579944]
S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys [2011-10-01 194408]
S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys [2011-10-01 21864]
S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys [2011-10-01 19304]
S3 sftvsa;Application Virtualization Service Agent;c:\program files\Microsoft Application Virtualization Client\sftvsa.exe [2011-10-01 219496]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-13 14336]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-05-26 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-04-08 22:43]
.
2012-05-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4155596158-2073292560-1801079123-1000Core.job
- c:\users\Mom and Dad\AppData\Local\Google\Update\GoogleUpdate.exe [2010-12-24 18:40]
.
2012-05-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4155596158-2073292560-1801079123-1000UA.job
- c:\users\Mom and Dad\AppData\Local\Google\Update\GoogleUpdate.exe [2010-12-24 18:40]
.
2012-05-23 c:\windows\Tasks\Nightly 2AM.job
- c:\program files\Sophos\Sophos Anti-Virus\BackgroundScanClient.exe [2011-07-02 20:28]
.
2012-04-12 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
- c:\program files\Dell Support Center\uaclauncher.exe [2010-08-05 23:47]
.
2012-05-26 c:\windows\Tasks\SystemToolsDailyTest.job
- c:\program files\Dell Support Center\pcdrcui.exe [2010-08-05 23:47]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
LSP: c:\programdata\Sophos Web Intelligence\swi_lsp.dll
TCP: DhcpNameServer = 192.168.0.1
FF - ProfilePath - c:\users\Mom and Dad\AppData\Roaming\Mozilla\Firefox\Profiles\7pnbjaan.default\
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Sophos Message Router]
"ImagePath"="\"c:\program files\Sophos\Remote Management System\RouterNT.exe\" -service -name Router -ORBListenEndpoints iiop://:8193/ssl_port=8194"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PCDSRVC{E9D79540-57D5953E-06020101}_0]
"ImagePath"="\??\c:\program files\dell support center\pcdsrvc.pkms"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-05-25 23:58:32
ComboFix-quarantined-files.txt 2012-05-26 04:58
ComboFix2.txt 2012-05-16 00:30
ComboFix3.txt 2012-05-11 03:13
.
- - End Of File - - 1EF4CD9594C90AA7BF36B9A134C12094
---aswMBR---
aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-05-26 00:00:52
-----------------------------
00:00:52.680 OS Version: Windows 6.1.7601 Service Pack 1
00:00:52.680 Number of processors: 2 586 0x170A
00:00:52.680 ComputerName: MOMANDDAD-PC UserName: Mom and Dad
00:01:37.843 Initialize success
00:04:59.578 AVAST engine defs: 12052501
00:06:09.748 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
00:06:09.748 Disk 0 Vendor: ST3500418AS CC46 Size: 476940MB BusType: 3
00:06:09.780 Disk 0 MBR read successfully
00:06:09.780 Disk 0 MBR scan
00:06:09.780 Disk 0 Windows VISTA default MBR code
00:06:09.795 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 39 MB offset 63
00:06:09.811 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 11418 MB offset 81920
00:06:09.826 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 465481 MB offset 23465984
00:06:09.826 Disk 0 scanning sectors +976771072
00:06:09.889 Disk 0 scanning C:\Windows\system32\drivers
00:06:18.032 Service scanning
00:06:33.039 Modules scanning
00:06:39.326 Disk 0 trace - called modules:
00:06:39.342 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll ataport.SYS pciide.sys PCIIDEX.SYS atapi.sys
00:06:39.342 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86148030]
00:06:39.342 3 CLASSPNP.SYS[8b39159e] -> nt!IofCallDriver -> [0x85c66918]
00:06:39.357 5 ACPI.sys[8aeba3d4] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0x85c95030]
00:06:46.502 AVAST engine scan C:\Windows
00:06:49.419 AVAST engine scan C:\Windows\system32
00:09:04.204 AVAST engine scan C:\Windows\system32\drivers
00:09:14.234 AVAST engine scan C:\Users\Mom and Dad
00:24:50.237 AVAST engine scan C:\ProgramData
00:27:20.294 File: C:\ProgramData\Sophos\Sophos Anti-Virus\INFECTED\dplayx.dll.000 **INFECTED** Win32:Zbot-OGZ [Trj]
00:27:22.212 Scan finished successfully
00:27:52.929 Disk 0 MBR has been saved successfully to "C:\Users\Mom and Dad\Desktop\MBR.dat"
00:27:52.945 The log file has been saved successfully to "C:\Users\Mom and Dad\Desktop\aswMBR.txt"
shelf life
2012-05-26, 17:11
C:\ProgramData\Sophos\Sophos Anti-Virus\INFECTED\dplayx.dll.000 **INFECTED** Win32:Zbot-OGZ
This looks like a file that's in the Sophos quarantine folder. You can safely empty/delete it from the folder.
plooploo
2012-05-26, 19:05
Okay, no more steps? Thanks for all your help!
plooploo
2012-05-27, 01:00
Just wanted to confirm, is the computer clean and finished? If so I am going to remove Sophos and install Avast.
shelf life
2012-05-27, 22:23
As far as I can tell based on the logs it is clean. You can remove combofix like you did before and also delete the tdsskiller/aswmbr icons and logs. You can keep and use Malwarebytes. Don't forget to check for updates before a scan. Happy safe surfing out there.