Browser and Security Center hijacked



two beers
2012-09-29, 02:18
Google and Bing search engines are hijacked on my computer. Also, the XP Security Center doesn't open, even after I reset it to automatic.

Avast and MalwareBytes found nothing. Spybot S&D found and fixed many entries, but the problem persists. I tried running Avast, S&D, and MalwareBytes in Safe Mode with Networking, but the problem persists.

I will paste DDS.txt and aswMBR.txt below, and attach the DDS attach.zip file.

I will be away from my computer for two days, and will check back on Monday.

Thank you in advance for any help!


DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_35
Run by rob at 15:08:58 on 2012-09-28
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1406.456 [GMT -7:00]
.
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\acs.exe
svchost.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\lxedcoms.exe
C:\WINDOWS\system32\LxrJD31s.exe
C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\Synaptics\SynTP\Toshiba.exe
C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe
C:\WINDOWS\system32\TDispVol.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe
C:\Program Files\Lexmark S600 Series\lxedmon.exe
C:\Program Files\Lexmark S600 Series\ezprint.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\AVAST Software\Avast\avastUI.exe
C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\RAMASST.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe
C:\Program Files\Spybot - Search & Destroy 2\SDWelcome.exe
C:\Program Files\Spybot - Search & Destroy 2\SDScan.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Documents and Settings\rob\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\rob\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\rob\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\rob\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Intuit\QuickBooks 2006\qbw32.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Program Files\Common Files\Intuit\QuickBooks\axlbridge.exe
C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgr.exe
C:\Program Files\Adobe\Reader 10.0\Reader\AcroRd32.exe
C:\Program Files\Adobe\Reader 10.0\Reader\AcroRd32.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uSearch Bar = hxxp://www.google.com/ie
uSearch Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mDefault_Page_URL = hxxp://www.toshibadirect.com/dpdstart
mDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy 2\SDHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - No File
uRun: [IBP]
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\rob\local settings\application data\google\update\GoogleUpdate.exe" /c
uRunOnce: [SpybotDeletingF7843] "c:\program files\spybot - search & destroy 2\sddelfile.exe" "c:\windows\SchedLgU.Txt"
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [NDSTray.exe] NDSTray.exe
mRun: [TPSMain] TPSMain.exe
mRun: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
mRun: [TFncKy] TFncKy.exe
mRun: [TDispVol] TDispVol.exe
mRun: [CFSServ.exe] CFSServ.exe -NoClient
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\isuspm.exe -startup
mRun: [lxedmon.exe] "c:\program files\lexmark s600 series\lxedmon.exe"
mRun: [EzPrint] "c:\program files\lexmark s600 series\ezprint.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
mRun: [SDTray] "c:\program files\spybot - search & destroy 2\SDTray.exe"
mRunOnce: [SpybotDeletingE5136] "c:\program files\spybot - search & destroy 2\sddelfile.exe" "c:\windows\SchedLgU.Txt"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\rob\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ramasst.lnk - c:\windows\system32\RAMASST.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {F4430FE8-2638-42e5-B849-800749B94EED}
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy 2\SDHelper.dll
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1348783863707
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_35-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0035-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_35-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_35-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{F80F7DEB-5040-4F02-8917-730A28570253} : DhcpNameServer = 192.168.1.254
Notify: AtiExtEvent - Ati2evxx.dll
Notify: SDWinLogon - SDWinLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\rob\application data\mozilla\firefox\profiles\qeog174w.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.ups.com/content/us/en/index.jsx
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?sourceid=navclient&hl=en&q=
FF - component: c:\documents and settings\rob\application data\mozilla\firefox\profiles\qeog174w.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\documents and settings\rob\application data\mozilla\firefox\profiles\qeog174w.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbar-ff3.dll
FF - component: c:\documents and settings\rob\application data\mozilla\firefox\profiles\qeog174w.default\extensions\{e3f6c2cc-d8db-498c-af6c-499fb211db97}\platform\winnt_x86-msvc\components\pagespeed.dll
FF - plugin: c:\documents and settings\rob\local settings\application data\google\update\1.3.21.123\npGoogleUpdate3.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npdeployJava1.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\microsoft silverlight\5.1.10411.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_4_402_278.dll
FF - plugin: c:\windows\system32\npdeployJava1.dll
FF - plugin: c:\windows\system32\npptools.dll
.
============= SERVICES / DRIVERS ===============
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2012-9-27 729752]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2012-9-27 355632]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2012-9-27 21256]
R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2012-9-27 44808]
R2 lxed_device;lxed_device;c:\windows\system32\lxedcoms.exe -service --> c:\windows\system32\lxedcoms.exe -service [?]
R2 SDScannerService;Spybot-S&D 2 Scanner Service;c:\program files\spybot - search & destroy 2\SDFSSvc.exe [2012-9-27 1074720]
R2 SDUpdateService;Spybot-S&D 2 Updating Service;c:\program files\spybot - search & destroy 2\SDUpdSvc.exe [2012-9-27 1358360]
S0 Lbd;Lbd;c:\windows\system32\drivers\lbd.sys --> c:\windows\system32\drivers\Lbd.sys [?]
S2 lxedCATSCustConnectService;lxedCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxedserv.exe [2010-1-7 193192]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\macromed\flash\FlashPlayerUpdateService.exe [2012-6-8 250288]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-4-26 114144]
.
=============== Created Last 30 ================
.
2012-09-28 02:12:12 15224 ----a-w- c:\windows\system32\sdnclean.exe
2012-09-28 02:11:54 -------- d-----w- c:\program files\Spybot - Search & Destroy 2
2012-09-28 01:29:40 388096 ----a-r- c:\documents and settings\rob\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2012-09-28 01:29:39 -------- d-----w- c:\program files\Trend Micro
2012-09-28 01:21:09 -------- d-----w- c:\documents and settings\rob\application data\Product_RM
2012-09-28 01:21:09 -------- d-----w- c:\documents and settings\all users\application data\PC Tools
2012-09-28 00:59:25 -------- d-----w- c:\documents and settings\rob\application data\ElevatedDiagnostics
2012-09-27 22:04:35 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-09-27 22:04:35 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-09-27 21:24:10 729752 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-09-27 21:23:34 41224 ----a-w- c:\windows\avastSS.scr
2012-09-27 21:23:02 -------- d-----w- c:\program files\AVAST Software
2012-09-27 21:23:02 -------- d-----w- c:\documents and settings\all users\application data\AVAST Software
2012-09-27 00:07:09 114688 --sha-r- c:\windows\system32\EBPPORT3R.dll
2012-09-19 15:48:43 477168 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-09-07 01:29:37 114144 ----a-w- c:\program files\mozilla firefox\maintenanceservice.exe
2012-09-07 01:29:36 425952 ----a-w- c:\program files\mozilla firefox\libGLESv2.dll
2012-09-07 01:29:35 82400 ----a-w- c:\program files\mozilla firefox\libEGL.dll
2012-09-07 01:29:34 917984 ----a-w- c:\program files\mozilla firefox\firefox.exe
2012-09-07 01:29:34 258528 ----a-w- c:\program files\mozilla firefox\freebl3.dll
2012-09-07 01:29:34 2288608 ----a-w- c:\program files\mozilla firefox\gkmedias.dll
2012-09-07 01:29:33 2106216 ----a-w- c:\program files\mozilla firefox\D3DCompiler_43.dll
2012-09-07 01:29:33 1998168 ----a-w- c:\program files\mozilla firefox\d3dx9_43.dll
2012-09-07 01:29:33 118240 ----a-w- c:\program files\mozilla firefox\crashreporter.exe
2012-09-07 01:29:28 73696 ----a-w- c:\program files\mozilla firefox\breakpadinjector.dll
2012-09-07 01:29:28 266720 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2012-09-07 01:29:28 18912 ----a-w- c:\program files\mozilla firefox\AccessibleMarshal.dll
.
==================== Find3M ====================
.
2012-09-20 21:07:33 73136 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-09-20 21:07:33 696240 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-09-19 15:48:22 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-09-19 15:48:21 473072 ----a-w- c:\windows\system32\deployJava1.dll
2012-08-30 20:29:36 81920 ----a-w- c:\windows\system32\ieencode.dll
2012-08-30 20:29:36 667136 ----a-w- c:\windows\system32\wininet.dll
2012-08-30 20:29:36 61952 ----a-w- c:\windows\system32\tdc.ocx
2012-08-28 13:00:25 369664 ----a-w- c:\windows\system32\html.iec
2012-07-06 13:58:51 78336 ----a-w- c:\windows\system32\browser.dll
2012-07-04 14:05:18 139784 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-07-03 13:40:15 1866112 ----a-w- c:\windows\system32\win32k.sys
2007-12-15 19:34:02 262144 ----a-w- c:\program files\Uninstall Spy Blocker.dll
.
============= FINISH: 15:12:55.26 ===============


aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-09-28 15:47:51
-----------------------------
15:47:51.250 OS Version: Windows 5.1.2600 Service Pack 3
15:47:51.250 Number of processors: 1 586 0xE08
15:47:51.250 ComputerName: TOSHIBA-USER UserName: rob
15:47:52.984 Initialize success
15:47:54.640 AVAST engine defs: 12092701
15:48:01.484 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
15:48:01.484 Disk 0 Vendor: HTS541080G9SA00 MB4OC60R Size: 76319MB BusType: 3
15:48:01.531 Disk 0 MBR read successfully
15:48:01.531 Disk 0 MBR scan
15:48:01.531 Disk 0 Windows XP default MBR code
15:48:01.546 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 76010 MB offset 63
15:48:01.562 Disk 0 Partition 2 00 88 Linux plaintext A Kárò'ó 305 MB offset 155669850
15:48:01.562 Disk 0 scanning sectors +156296385
15:48:01.640 Disk 0 scanning C:\WINDOWS\system32\drivers
15:48:20.171 Service scanning
15:48:42.531 Modules scanning
15:48:51.109 Module: C:\WINDOWS\System32\DLA\DLADResN.SYS **SUSPICIOUS**
15:48:53.515 Disk 0 trace - called modules:
15:48:53.546 ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS
15:48:53.546 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a689ab8]
15:48:53.546 3 CLASSPNP.SYS[f7657fd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x8a70cd98]
15:48:54.109 AVAST engine scan C:\WINDOWS
15:49:00.875 AVAST engine scan C:\WINDOWS\system32
15:52:05.609 AVAST engine scan C:\WINDOWS\system32\drivers
15:52:31.343 AVAST engine scan C:\Documents and Settings\rob
15:53:10.828 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\rob\My Documents\MALWARE\MBR.dat"
15:53:10.843 The log file has been saved successfully to "C:\Documents and Settings\rob\My Documents\MALWARE\aswMBR.txt"

oldman960
2012-10-05, 01:33
Hi two beers, welcome to the forum.

To make cleaning this machine easier
Please do not uninstall/install any programs unless asked to
It is more difficult when files/programs are appearing in/disappearing from the logs.
Please do not run any scans other than those requested
Please follow all instructions in the order posted
All logs/reports, etc. must be posted in Notepad. Please ensure that word wrap is unchecked. In Notepad click Format, uncheck Word Wrap if it is checked.
Do not attach any logs/reports, etc. unless specifically requested to do so.
If you have problems with or do not understand the instructions, please ask before continuing.
Please stay with this thread until given the All Clear. An absence of symptoms does not mean a clean machine.


Please download Farbar Service Scanner (http://www.bleepingcomputer.com/download/farbar-service-scanner/dl/62/) and run it on the computer with the issue.
Check all boxes
Press "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.
Please copy and paste the log to your reply.


Next

Download Rogue Killer (http://www.sur-la-toile.com/RogueKiller/) and save it to your desktop.

Double click the Rogue Killer icon to run it
After it has completed its prescan click scan
When the scan is complete click report
Please post the log.

Please post back with
Listparts log (FSS.txt)
RogueKiller log

two beers
2012-10-05, 01:54
Farbar Service Scanner Version: 19-09-2012
Ran by rob (administrator) on 04-10-2012 at 15:51:26
Running from "C:\Documents and Settings\rob\Desktop"
Microsoft Windows XP Home Edition Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============
wscsvc Service is not running. Checking service configuration:
The start type of wscsvc service is set to Disabled. The default start type is Auto.
The ImagePath of wscsvc service is OK.
The ServiceDll of wscsvc service is OK.


Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
AegisP(8) aswTdi(10) Gpc(6) IPSec(4) NetBT(5) PSched(7) Tcpip(3)
0x0A00000009000000040000000100000002000000030000000A00000005000000060000000700000008000000


**** End of log ****

two beers
2012-10-05, 02:02
RogueKiller V8.1.1 [10/03/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website: http://tigzy.geekstogo.com/roguekiller.php
Blog: http://tigzyrk.blogspot.com

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : rob [Admin rights]
Mode : Scan -- Date : 10/04/2012 15:59:23

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 4 ¤¤¤
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowRecentDocs (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowMyMusic (0) -> FOUND
[HJ SMENU] HKCU\[...]\Advanced : Start_ShowPrinters (0) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\WINDOWS\system32\drivers\etc\hosts

127.0.0.1 localhost
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com
127.0.0.1 www.100888290cs.com
127.0.0.1 100888290cs.com
127.0.0.1 www.100sexlinks.com
127.0.0.1 100sexlinks.com
127.0.0.1 www.10sek.com
127.0.0.1 10sek.com
127.0.0.1 www.123topsearch.com
127.0.0.1 123topsearch.com
127.0.0.1 www.132.com
[...]


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: HTS541080G9SA00 +++++
--- User ---
[MBR] 23644a7d3775203f9e70d1a6b39e8d02
[BSP] e69d996b4eab0d15baddc30d80c71042 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 76010 Mo
3 - [XXXXXX] UNKNOWN (0x88) [VISIBLE] Offset (sectors): 155669850 | Size: 305 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[1].txt >>
RKreport[1].txt

two beers
2012-10-05, 02:05
Sorry about that.

Farbar Service Scanner Version: 19-09-2012
Ran by rob (administrator) on 04-10-2012 at 16:04:07
Running from "C:\Documents and Settings\rob\Desktop"
Microsoft Windows XP Home Edition Service Pack 3 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============
wscsvc Service is not running. Checking service configuration:
The start type of wscsvc service is set to Disabled. The default start type is Auto.
The ImagePath of wscsvc service is OK.
The ServiceDll of wscsvc service is OK.


Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\ipsec.sys => MD5 is legit
C:\WINDOWS\system32\dnsrslvr.dll => MD5 is legit
C:\WINDOWS\system32\ipnathlp.dll => MD5 is legit
C:\WINDOWS\system32\netman.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\srsvc.dll => MD5 is legit
C:\WINDOWS\system32\Drivers\sr.sys => MD5 is legit
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\wbem\WMIsvc.dll => MD5 is legit
C:\WINDOWS\system32\wuauserv.dll => MD5 is legit
C:\WINDOWS\system32\qmgr.dll => MD5 is legit
C:\WINDOWS\system32\es.dll => MD5 is legit
C:\WINDOWS\system32\cryptsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\rpcss.dll => MD5 is legit
C:\WINDOWS\system32\services.exe => MD5 is legit

Extra List:
=======
AegisP(8) aswTdi(10) Gpc(6) IPSec(4) NetBT(5) PSched(7) Tcpip(3)
0x0A00000009000000040000000100000002000000030000000A00000005000000060000000700000008000000


**** End of log ****
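As an added example (not code from the thread, and not part of the Farbar Service Scanner tool itself), here is a small Python checker that reads the "Security Center" and "File Check" sections of an FSS log like the two posted above and flags the conditions FSS reports: a service that is not running, a service whose start type differs from its stated default (the wscsvc Disabled-vs-Auto case that explains the Security Center symptom in this thread), an ImagePath or ServiceDll that is not OK, and any file whose MD5 verdict is something other than "legit". The embedded sample lines are constructed to mirror the log's format; the last File Check line carries a made-up verdict purely to exercise the hash check, since the page only shows "legit" results and FSS's exact wording for a mismatch is not shown here.

```python
"""Flag deviations in a Farbar Service Scanner (FSS) log.

Added example; the sample below is constructed in the shape of the FSS
output quoted in the thread, it is not a real log file.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample excerpt (raw string so the Windows paths keep their backslashes).
# The final "MD5 is not listed" verdict is invented to exercise the hash check.
SAMPLE_LOG = r"""
Security Center:
============
wscsvc Service is not running. Checking service configuration:
The start type of wscsvc service is set to Disabled. The default start type is Auto.
The ImagePath of wscsvc service is OK.
The ServiceDll of wscsvc service is OK.


File Check:
========
C:\WINDOWS\system32\wscsvc.dll => MD5 is legit
C:\WINDOWS\system32\svchost.exe => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys => MD5 is not listed
"""


@dataclass(frozen=True)
class Finding:
    kind: str      # "service_stopped", "start_type", "path" or "file_hash"
    subject: str   # service name or file path
    detail: str    # short explanation for the analyst


# Line shapes as FSS prints them (taken from the log format seen in the thread).
NOT_RUNNING = re.compile(r"^(?P<svc>\w+) Service is not running\.")
START_TYPE = re.compile(
    r"^The start type of (?P<svc>\w+) service is set to (?P<cur>\w+)\. "
    r"The default start type is (?P<default>\w+)\."
)
PATH_CHECK = re.compile(
    r"^The (?P<what>ImagePath|ServiceDll) of (?P<svc>\w+) service is (?P<state>.+?)\.?$"
)
MD5_CHECK = re.compile(r"^(?P<path>.+?) => MD5 is (?P<verdict>.+)$")


def analyze_fss(text: str) -> list[Finding]:
    """Return one Finding per line that deviates from the expected state."""
    findings: list[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := NOT_RUNNING.match(line):
            findings.append(Finding("service_stopped", m["svc"], "service is not running"))
        elif m := START_TYPE.match(line):
            # A start type that differs from the default is the classic sign of a
            # service deliberately disabled (e.g. Security Center in this thread).
            if m["cur"].lower() != m["default"].lower():
                findings.append(Finding(
                    "start_type", m["svc"],
                    f"start type {m['cur']} (default {m['default']})"))
        elif m := PATH_CHECK.match(line):
            if m["state"].strip() != "OK":
                findings.append(Finding("path", m["svc"], f"{m['what']} is {m['state']}"))
        elif m := MD5_CHECK.match(line):
            # Any verdict other than "legit" (replaced system file, unknown build)
            # deserves a manual look.
            if m["verdict"].strip() != "legit":
                findings.append(Finding("file_hash", m["path"], f"MD5 verdict: {m['verdict']}"))
    return findings


if __name__ == "__main__":
    for f in analyze_fss(SAMPLE_LOG):
        print(f"[{f.kind}] {f.subject}: {f.detail}")
```

Run against a real FSS.txt by reading the file into `analyze_fss`; on the two logs in this thread it would report exactly the two wscsvc findings (not running, start type Disabled instead of Auto) and nothing from the File Check block, which is consistent with the helper's later focus on re-enabling Security Center rather than on replaced system files.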

two beers
2012-10-05, 02:08
Thank you for the response, oldman. Please let me know if I didn't post the above logs correctly. I won't add or delete any programs, or run any other scans, until further notice.

oldman960
2012-10-05, 10:36
Hi two beers,

Please read through these instructions to familiarize yourself with what to expect when this tool runs


Download ComboFix from:

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)

* IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : How to Disable your Security Programs (http://forums.whatthetech.com/How_to_Disable_your_Security_Programs_t96260.html)

Double click on ComboFix.exe & follow the prompts.

As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


http://img.photobucket.com/albums/v706/ried7/RCUpdate1.png

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/RC2-1.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Notes:

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

two beers
2012-10-06, 08:46
I am running Avast AV, Malware Bytes, and Windows Firewall, all of which look simple enough to disable per instructions, but I also have SpyBot 2 (not TeaTimer), and the instructions don't deal with this version, as far as I can tell. Advice, please?

Otherwise, I think I can proceed with ComboFix.

oldman960
2012-10-06, 10:09
Hi two beers,

Go to Start Center and click on the top blue 'beam'.

There you can disable the 'Live Protection Background Service' by clicking on stop or only unticking the option 'Enable scanning of programs before they start'.

two beers
2012-10-07, 01:27
When I click on the blue beam, I get options to Restore, Minimize, About Start Center, Show License, and Close.

I poked around in the Start Center panel, and can't find anything which would allow me to "disable the 'Live Protection Background Service' by clicking on stop or only unticking the option 'Enable scanning of programs before they start'."

I don't remember which site I downloaded Spybot 2 from, and I don't know why it is the "professional edition." Does that make a difference?

oldman960
2012-10-07, 09:29
Hi two beers,

If you have Spybot-S&D 2.0 RC 2 it doesn't have the live protection component. Go ahead and run combofix. If you receive a message from your security programs that combofix is attempting to make changes allow it.

two beers
2012-10-07, 21:20
oldman- here's the log:


ComboFix 12-10-04.02 - rob 10/07/2012 11:06:06.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1406.879 [GMT -7:00]
Running from: c:\documents and settings\rob\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\WINDOWS
c:\documents and settings\All Users\Application Data\3293417008
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\All Users\SPL2040.tmp
c:\documents and settings\All Users\SPL49B5.tmp
c:\documents and settings\All Users\SPL49BB.tmp
c:\documents and settings\All Users\SPL7F09.tmp
c:\documents and settings\browser\WINDOWS
c:\documents and settings\Default User\WINDOWS
c:\documents and settings\rob\WINDOWS
c:\windows\system32\config\systemprofile\WINDOWS
c:\windows\system32\SET1A2.tmp
c:\windows\system32\SET1A7.tmp
c:\windows\system32\URTTemp
c:\windows\system32\URTTemp\fusion.dll
c:\windows\system32\URTTemp\mscoree.dll
c:\windows\system32\URTTemp\mscoree.dll.local
c:\windows\system32\URTTemp\mscorsn.dll
c:\windows\system32\URTTemp\mscorwks.dll
c:\windows\system32\URTTemp\msvcr71.dll
c:\windows\system32\URTTemp\regtlib.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-09-07 to 2012-10-07 )))))))))))))))))))))))))))))))
.
.
2012-09-28 22:02 . 2012-09-28 22:03 -------- d-----w- c:\program files\ERUNT
2012-09-28 04:48 . 2012-09-28 04:48 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2012-09-28 02:12 . 2009-01-25 20:14 15224 ----a-w- c:\windows\system32\sdnclean.exe
2012-09-28 02:11 . 2012-09-28 02:13 -------- d-----w- c:\program files\Spybot - Search & Destroy 2
2012-09-28 01:29 . 2012-09-28 01:29 388096 ----a-r- c:\documents and settings\rob\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2012-09-28 01:29 . 2012-09-28 01:29 -------- d-----w- c:\program files\Trend Micro
2012-09-28 01:21 . 2012-09-28 01:21 -------- d-----w- c:\documents and settings\rob\Application Data\Product_RM
2012-09-28 01:21 . 2012-09-28 01:21 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2012-09-28 00:59 . 2012-09-28 00:59 -------- d-----w- c:\documents and settings\rob\Application Data\ElevatedDiagnostics
2012-09-27 22:04 . 2012-09-27 22:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-09-27 22:04 . 2012-09-08 00:04 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-09-27 21:24 . 2012-08-21 09:13 355632 ----a-w- c:\windows\system32\drivers\aswSP.sys
2012-09-27 21:24 . 2012-08-21 09:13 21256 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2012-09-27 21:24 . 2012-08-21 09:13 35928 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2012-09-27 21:24 . 2012-08-21 09:13 54232 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2012-09-27 21:24 . 2012-08-21 09:13 729752 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-09-27 21:24 . 2012-08-21 09:13 97608 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2012-09-27 21:24 . 2012-08-21 09:13 89624 ----a-w- c:\windows\system32\drivers\aswmon.sys
2012-09-27 21:24 . 2012-08-21 09:13 25256 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2012-09-27 21:23 . 2012-08-21 09:12 41224 ----a-w- c:\windows\avastSS.scr
2012-09-27 21:23 . 2012-08-21 09:12 227648 ----a-w- c:\windows\system32\aswBoot.exe
2012-09-27 21:23 . 2012-09-27 21:23 -------- d-----w- c:\program files\AVAST Software
2012-09-27 21:23 . 2012-09-27 21:23 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
2012-09-27 00:07 . 2012-09-27 00:07 114688 --sha-r- c:\windows\system32\EBPPORT3R.dll
2012-09-19 15:48 . 2012-09-19 15:48 477168 ----a-w- c:\windows\system32\npdeployJava1.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-09-20 21:07 . 2012-06-08 17:38 696240 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-09-20 21:07 . 2011-09-01 19:10 73136 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-09-19 15:48 . 2008-06-13 19:50 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-09-19 15:48 . 2010-05-19 20:35 473072 ----a-w- c:\windows\system32\deployJava1.dll
2012-08-30 20:29 . 2010-02-24 00:49 81920 ----a-w- c:\windows\system32\ieencode.dll
2012-08-30 20:29 . 2006-03-20 16:49 667136 ----a-w- c:\windows\system32\wininet.dll
2012-08-30 20:29 . 2006-03-20 16:49 61952 ----a-w- c:\windows\system32\tdc.ocx
2012-08-28 13:00 . 2006-03-20 16:48 369664 ----a-w- c:\windows\system32\html.iec
2007-12-15 19:34 . 2007-12-15 20:23 262144 ----a-w- c:\program files\Uninstall Spy Blocker.dll
2012-09-07 01:32 . 2012-09-07 01:29 266720 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-08-21 09:12 121528 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CFSServ.exe"="CFSServ.exe -NoClient" [X]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2006-03-03 82012]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-03 761948]
"NDSTray.exe"="NDSTray.exe" [BU]
"TPSMain"="TPSMain.exe" [2005-06-01 282624]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2005-03-18 151552]
"TFncKy"="TFncKy.exe" [BU]
"TDispVol"="TDispVol.exe" [2005-03-11 73728]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2005-02-17 221184]
"lxedmon.exe"="c:\program files\Lexmark S600 Series\lxedmon.exe" [2010-05-17 770728]
"EzPrint"="c:\program files\Lexmark S600 Series\ezprint.exe" [2010-05-17 148280]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-07-06 421888]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-08-21 4282728]
"SDTray"="c:\program files\Spybot - Search & Destroy 2\SDTray.exe" [2012-08-30 3904536]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
c:\documents and settings\rob\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2006-3-20 155648]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0\0sdnclean.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"Tvs"=c:\program files\Toshiba\Tvs\TvsTray.exe
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
"LtMoh"=c:\program files\ltmoh\Ltmoh.exe
"PadTouch"=c:\program files\TOSHIBA\Touch and Launch\PadExe.exe
"SmoothView"=c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
"Alcmtr"=ALCMTR.EXE
"dla"=c:\windows\system32\dla\DLACTRLW.exe
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe"
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" -start
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" -hide
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\\TOSHIBA\\IVP\\ISM\\pinger.exe
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2006\\QBDBMgrN.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\lxedcoms.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Spybot - Search & Destroy 2\\SDTray.exe"=
"c:\\Program Files\\Spybot - Search & Destroy 2\\SDFSSvc.exe"=
"c:\\Program Files\\Spybot - Search & Destroy 2\\SDUpdate.exe"=
"c:\\Program Files\\Spybot - Search & Destroy 2\\SDUpdSvc.exe"=
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [9/27/2012 2:24 PM 729752]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [9/27/2012 2:24 PM 355632]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [9/27/2012 2:24 PM 21256]
R2 lxed_device;lxed_device;c:\windows\system32\lxedcoms.exe -service --> c:\windows\system32\lxedcoms.exe -service [?]
R2 SDScannerService;Spybot-S&D 2 Scanner Service;c:\program files\Spybot - Search & Destroy 2\SDFSSvc.exe [9/27/2012 7:12 PM 1074720]
R2 SDUpdateService;Spybot-S&D 2 Updating Service;c:\program files\Spybot - Search & Destroy 2\SDUpdSvc.exe [9/27/2012 7:12 PM 1358360]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S2 lxedCATSCustConnectService;lxedCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxedserv.exe [1/7/2010 1:20 PM 193192]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [6/8/2012 10:38 AM 250288]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [4/26/2012 12:46 PM 114144]
.
Contents of the 'Scheduled Tasks' folder
.
2012-10-06 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-06-08 21:07]
.
2012-09-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-02 00:57]
.
2012-10-07 c:\windows\Tasks\avast! Emergency Update.job
- c:\program files\AVAST Software\Avast\AvastEmUpdate.exe [2012-09-27 09:12]
.
2012-10-07 c:\windows\Tasks\Check for updates (Spybot - Search & Destroy).job
- c:\program files\Spybot - Search & Destroy 2\SDUpdate.exe [2012-09-28 21:11]
.
2012-10-07 c:\windows\Tasks\CWYVPB.job
- c:\windows\system32\EBPPORT3R.dll [2012-09-27 00:07]
.
2012-10-01 c:\windows\Tasks\GoogleUpdate.job
- c:\documents and settings\rob\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-11-06 21:01]
.
2012-10-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3248697534-1558390014-450578763-1006Core.job
- c:\documents and settings\rob\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-11-06 21:01]
.
2012-10-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3248697534-1558390014-450578763-1006UA.job
- c:\documents and settings\rob\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-11-06 21:01]
.
2012-09-28 c:\windows\Tasks\Refresh immunization (Spybot - Search & Destroy).job
- c:\program files\Spybot - Search & Destroy 2\SDImmunize.exe [2012-09-28 21:10]
.
2012-09-28 c:\windows\Tasks\Scan the system (Spybot - Search & Destroy).job
- c:\program files\Spybot - Search & Destroy 2\SDScan.exe [2012-09-28 21:11]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 10.0.0.1
FF - ProfilePath - c:\documents and settings\rob\Application Data\Mozilla\Firefox\Profiles\qeog174w.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.ups.com/content/us/en/index.jsx
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?sourceid=navclient&hl=en&q=
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-IBP - (no file)
Notify-SDWinLogon - SDWinLogon.dll
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-10-07 11:12
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_278_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_4_402_278_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(608)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2012-10-07 11:15:26
ComboFix-quarantined-files.txt 2012-10-07 18:15
.
Pre-Run: 57,118,072,832 bytes free
Post-Run: 57,384,710,144 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
[spybotsd]
timeout.old=3
.
- - End Of File - - 97D273DC7969F3A91135655B5EC23E5D
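One way a defender can triage the 'Scheduled Tasks' section of a ComboFix-style log like the one above, as an added example that is not part of the thread or of any of the tools it mentions: it flags a .job whose target is a DLL rather than an .exe, whose target appears in the file list with system+hidden attributes, or whose name looks random, which is exactly the combination the CWYVPB.job / EBPPORT3R.dll entries above show. The sample lines are constructed from the log above; the parsers and the random-name heuristic are my own assumptions, not ComboFix's logic.

```python
"""Triage ComboFix-style scheduled-task entries against the file-attribute list."""
import re
from typing import Dict, List

# Constructed sample in the shape of the "Files Created" section above:
# mtime . ctime size attrs path   (attrs like '--sha-r-' = system, hidden, archive, read-only)
SAMPLE_FILES = r"""
2012-09-27 22:04 . 2012-09-08 00:04 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-09-27 00:07 . 2012-09-27 00:07 114688 --sha-r- c:\windows\system32\EBPPORT3R.dll
2012-09-19 15:48 . 2012-09-19 15:48 477168 ----a-w- c:\windows\system32\npdeployJava1.dll
"""

# Constructed sample in the shape of the 'Scheduled Tasks' section above.
SAMPLE_TASKS = r"""
2012-10-06 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-06-08 21:07]
.
2012-10-07 c:\windows\Tasks\CWYVPB.job
- c:\windows\system32\EBPPORT3R.dll [2012-09-27 00:07]
.
2012-10-01 c:\windows\Tasks\GoogleUpdate.job
- c:\documents and settings\rob\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-11-06 21:01]
"""

# One file line: "date time . date time size attrs path"; size is digits or dashes (directory).
FILE_LINE = re.compile(
    r"^(?P<mtime>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<ctime>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-+) (?P<attrs>[-a-z]{8}) (?P<path>.+)$"
)
# A task header "2012-10-07 c:\windows\Tasks\NAME.job" and its "- target [stamp]" line.
TASK_LINE = re.compile(r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<job>.+\.job)$", re.IGNORECASE)
TARGET_LINE = re.compile(r"^- (?P<target>.+?) \[(?P<stamp>[^\]]+)\]$")


def parse_file_attrs(text: str) -> Dict[str, str]:
    """Map lower-cased path -> attribute string (e.g. '--sha-r-')."""
    attrs: Dict[str, str] = {}
    for line in text.splitlines():
        m = FILE_LINE.match(line.strip())
        if m:
            attrs[m.group("path").lower()] = m.group("attrs")
    return attrs


def parse_tasks(text: str) -> List[Dict[str, str]]:
    """Pair each .job header with the '- target' line that follows it."""
    tasks: List[Dict[str, str]] = []
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = TASK_LINE.match(line)
        if m:
            job = m.group("job")
            current = {"job": job, "task": job.rsplit("\\", 1)[-1], "target": ""}
            tasks.append(current)
            continue
        m = TARGET_LINE.match(line)
        if m and current is not None:
            current["target"] = m.group("target")
            current = None  # only the first target line belongs to this task
    return tasks


def looks_random(task_name: str) -> bool:
    """Weak signal (assumed heuristic): short all-caps stem with no vowel, like CWYVPB."""
    stem = task_name.rsplit(".", 1)[0]
    return stem.isalpha() and stem.isupper() and len(stem) <= 8 and not (set(stem) & set("AEIOU"))


def audit_tasks(task_text: str, file_text: str) -> List[Dict[str, object]]:
    """Return the tasks that trip at least one of the three indicators, with reasons."""
    attrs = parse_file_attrs(file_text)
    findings: List[Dict[str, object]] = []
    for t in parse_tasks(task_text):
        reasons: List[str] = []
        target = t["target"]
        if not target.lower().endswith(".exe"):
            reasons.append("target is not an .exe")           # a .job launching a DLL is unusual
        a = attrs.get(target.lower(), "")
        if "s" in a and "h" in a:
            reasons.append("target has system+hidden attributes")
        if looks_random(t["task"]):
            reasons.append("random-looking task name")
        if reasons:
            findings.append({"task": t["task"], "target": target, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_tasks(SAMPLE_TASKS, SAMPLE_FILES):
        print(f["task"], "->", f["target"])
        for r in f["reasons"]:
            print("   ", r)
```

On the constructed sample only CWYVPB.job is reported, with all three reasons; the legitimate Adobe and Google updater tasks are not flagged.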

oldman960
2012-10-07, 22:48
Hi two beers,


How's the computer? Are your searches still being redirected?

two beers
2012-10-07, 23:00
I just tried searching, and there are no problems!

Windows Security Center is still not running; should I try to activate it?

What other steps should I take?

Thank you!

oldman960
2012-10-08, 00:57
Hi two beers,

Click start > run. Copy and paste the following into the run box and hit enter.

services.msc

In the services console locate Security Center
right click it and click properties
Use the dropdown menu and set Start up type to automatic
under Service status click start
Did it start or did you receive an error?

two beers
2012-10-08, 04:08
oldman-

It started.

Thank you.

two beers
2012-10-08, 04:15
oldman-

Are there any further steps I need to take?

oldman960
2012-10-08, 08:28
Hi two beers,

You have some very old, vulnerable Java installed. Click start > Control Panel > Add/Remove programs and uninstall

J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 6
Java(TM) 6 Update 6
Java(TM) 6 Update 7

Do not uninstall Java(TM) 6 Update 35


Next

Download TFC (http://oldtimer.geekstogo.com/TFC.exe) to your desktop

Close any open windows.
Double click the TFC icon to run the program
TFC will close all open programs itself in order to run.
Click the Start button to begin the process.
Allow TFC to run uninterrupted.
The program should not take long to finish its job.
Once it's finished it should automatically reboot your machine;
if it doesn't, manually reboot to ensure a complete clean.


Next

You have this program installed, Malwarebytes' Anti-Malware (MBAM). Please update it and run a scan.

Open MBAM

Click the Update tab
Click Check for Updates
If an update is found, it will download and install the latest version.
The program will close to update and reopen.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Next

One more scan to check for stragglers.

*Note
It is recommended to disable onboard antivirus program and antispyware programs while performing scans so there are no conflicts and it will speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your antivirus along with your antispyware programs.


Go here to run an online scanner from
ESET (http://www.eset.eu/online-scanner)

(Note: You can use Internet Explorer or FireFox for this scan. If you use FireFox you will be asked to install an additional component. Please allow this.)


Click the Run ESET online scanner button
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the activex control to install
Disable your Antivirus software. You can usually do this with its Notification Tray icon near the clock.
Click Start
Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is Checked.
Click Scan.
Wait for the scan to finish.
When the scan completes, click List of found threats
click Export to Text file and save the file to your desktop using a unique name, such as ESETScan.
Include the contents of this report in your next reply

Note - when ESET doesn't find any threats, no report will be created.

Push the back button.
Push Finish
Re-enable your Antivirus software.


Please post back with
MBAM log
ESET log if there was one

two beers
2012-10-08, 09:25
MBAM log below; will get back with ESET results.

(One thing I just noticed is that upon restart, Security Center is disabled. I can start it in the Control Panel. I selected Automatic, clicked Apply and Ok, and it started, but it is disabled upon restart.)


Malwarebytes Anti-Malware 1.65.0.1400
www.malwarebytes.org

Database version: v2012.10.08.02

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 6.0.2900.5512
rob :: TOSHIBA-USER [administrator]

10/7/2012 11:09:00 PM
mbam-log-2012-10-07 (23-09-00).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 231329
Time elapsed: 6 minute(s), 20 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

two beers
2012-10-08, 19:45
oldman- here's the ESET log:

C:\Program Files\PDFCreator\message.exe a variant of Win32/InstallCore.A application
C:\System Volume Information\_restore{E50A3772-ADC6-42F8-B62F-FEBA80092159}\RP8\A0000867.exe a variant of Win32/InstallCore.AW application

two beers
2012-10-08, 21:45
Ugh, searches are hijacked again. I'm pretty sure I've just visited my usual sites, and with the AV and firewall on...

oldman960
2012-10-09, 03:51
Hi two beers,

Nothing to worry about in the ESET log.



Download the latest version of TDSSKiller from here (http://support.kaspersky.com/downloads/utils/tdsskiller.exe) and save it to your Desktop.



Double-click on TDSSKiller.exe to run the application, then click on Change parameters.

http://i466.photobucket.com/albums/rr21/JSntgRvr/tdss_1.jpg

Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.

http://i466.photobucket.com/albums/rr21/JSntgRvr/tdss_2.jpg

Click the Start Scan button.

http://i466.photobucket.com/albums/rr21/JSntgRvr/tdss_3.jpg

If a suspicious object is detected, the default action will be Skip; click on Continue.

http://i466.photobucket.com/albums/rr21/JSntgRvr/tdss_4.jpg

If malicious objects are found, they will show in the Scan results and offer three (3) options.
Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

http://i466.photobucket.com/albums/rr21/JSntgRvr/tdss_5.jpg

Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.


A report will be created in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents on your next reply.

two beers
2012-10-09, 05:16
oldman- here's the TDSS file:

19:02:39.0328 2676 TDSS rootkit removing tool 2.8.10.0 Sep 17 2012 19:23:24
19:02:40.0031 2676 ============================================================
19:02:40.0031 2676 Current date / time: 2012/10/08 19:02:40.0031
19:02:40.0031 2676 SystemInfo:
19:02:40.0031 2676
19:02:40.0031 2676 OS Version: 5.1.2600 ServicePack: 3.0
19:02:40.0031 2676 Product type: Workstation
19:02:40.0031 2676 ComputerName: TOSHIBA-USER
19:02:40.0031 2676 UserName: rob
19:02:40.0031 2676 Windows directory: C:\WINDOWS
19:02:40.0031 2676 System windows directory: C:\WINDOWS
19:02:40.0031 2676 Processor architecture: Intel x86
19:02:40.0046 2676 Number of processors: 1
19:02:40.0046 2676 Page size: 0x1000
19:02:40.0046 2676 Boot type: Normal boot
19:02:40.0046 2676 ============================================================
19:02:42.0984 2676 Drive \Device\Harddisk0\DR0 - Size: 0x12A1F16000 (74.53 Gb), SectorSize: 0x200, Cylinders: 0x2601, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
19:02:43.0031 2676 ============================================================
19:02:43.0046 2676 \Device\Harddisk0\DR0:
19:02:43.0078 2676 MBR partitions:
19:02:43.0078 2676 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x947551B
19:02:43.0078 2676 ============================================================
19:02:43.0093 2676 C: <-> \Device\Harddisk0\DR0\Partition1
19:02:43.0093 2676 ============================================================
19:02:43.0093 2676 Initialize success
19:02:43.0093 2676 ============================================================
19:05:29.0281 3464 ============================================================
19:05:29.0312 3464 Scan started
19:05:29.0312 3464 Mode: Manual; SigCheck; TDLFS;
19:05:29.0312 3464 ============================================================
19:05:29.0687 3464 ================ Scan system memory ========================
19:05:34.0437 3464 System memory - ok
19:05:34.0453 3464 ================ Scan services =============================
19:05:34.0734 3464 [ 0352A73CD6B1782EA3ED7A03A8268F55 ] Aavmker4 C:\WINDOWS\system32\drivers\Aavmker4.sys
19:05:35.0343 3464 Aavmker4 - ok
19:05:35.0359 3464 Abiosdsk - ok
19:05:35.0375 3464 abp480n5 - ok
19:05:35.0453 3464 [ 8FD99680A539792A30E97944FDAECF17 ] ACPI C:\WINDOWS\system32\DRIVERS\ACPI.sys
19:05:37.0156 3464 ACPI - ok
19:05:37.0218 3464 [ 9859C0F6936E723E4892D7141B1327D5 ] ACPIEC C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
19:05:37.0625 3464 ACPIEC - ok
19:05:37.0703 3464 [ 552CF8B82150C0E70D5B017F32EFA067 ] ACS C:\WINDOWS\system32\acs.exe
19:05:37.0765 3464 ACS ( UnsignedFile.Multi.Generic ) - warning
19:05:37.0765 3464 ACS - detected UnsignedFile.Multi.Generic (1)
19:05:37.0937 3464 [ E12CFCF1DDBFC50948A75E6E38793225 ] AdobeFlashPlayerUpdateSvc C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
19:05:38.0031 3464 AdobeFlashPlayerUpdateSvc - ok
19:05:38.0062 3464 adpu160m - ok
19:05:38.0125 3464 [ 8BED39E3C35D6A489438B8141717A557 ] aec C:\WINDOWS\system32\drivers\aec.sys
19:05:38.0609 3464 aec - ok
19:05:38.0656 3464 [ ACCD563BF09C4659B54143FDE633B57D ] AegisP C:\WINDOWS\system32\DRIVERS\AegisP.sys
19:05:38.0671 3464 AegisP ( UnsignedFile.Multi.Generic ) - warning
19:05:38.0671 3464 AegisP - detected UnsignedFile.Multi.Generic (1)
19:05:38.0750 3464 [ 1E44BC1E83D8FD2305F8D452DB109CF9 ] AFD C:\WINDOWS\System32\drivers\afd.sys
19:05:38.0875 3464 AFD - ok
19:05:38.0984 3464 [ C41A5740468D0B9CB46E6390A0E15CE3 ] AgereSoftModem C:\WINDOWS\system32\DRIVERS\AGRSM.sys
19:05:39.0156 3464 AgereSoftModem - ok
19:05:39.0171 3464 Aha154x - ok
19:05:39.0203 3464 aic78u2 - ok
19:05:39.0234 3464 aic78xx - ok
19:05:39.0296 3464 [ A9A3DAA780CA6C9671A19D52456705B4 ] Alerter C:\WINDOWS\system32\alrsvc.dll
19:05:39.0765 3464 Alerter - ok
19:05:39.0812 3464 [ 8C515081584A38AA007909CD02020B3D ] ALG C:\WINDOWS\System32\alg.exe
19:05:40.0281 3464 ALG - ok
19:05:40.0312 3464 AliIde - ok
19:05:40.0343 3464 amsint - ok
19:05:40.0375 3464 AppMgmt - ok
19:05:40.0468 3464 [ 3D769924A07C00F5BB4B890F3934CD1E ] AR5211 C:\WINDOWS\system32\DRIVERS\ar5211.sys
19:05:40.0578 3464 AR5211 - ok
19:05:40.0656 3464 [ B5B8A80875C1DEDEDA8B02765642C32F ] Arp1394 C:\WINDOWS\system32\DRIVERS\arp1394.sys
19:05:41.0125 3464 Arp1394 - ok
19:05:41.0156 3464 asc - ok
19:05:41.0187 3464 asc3350p - ok
19:05:41.0234 3464 asc3550 - ok
19:05:41.0406 3464 [ 0E5E4957549056E2BF2C49F4F6B601AD ] aspnet_state C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
19:05:41.0500 3464 aspnet_state - ok
19:05:41.0593 3464 [ F5DC168BF77572D51BE28BA261B30CB4 ] aswFsBlk C:\WINDOWS\system32\drivers\aswFsBlk.sys
19:05:41.0671 3464 aswFsBlk - ok
19:05:41.0718 3464 [ 2B9B1DF809E965EF63402CBBA6DB50AE ] aswMon2 C:\WINDOWS\system32\drivers\aswMon2.sys
19:05:41.0781 3464 aswMon2 - ok
19:05:41.0859 3464 [ B7D5E4486BA658ED08624D8084ABB830 ] AswRdr C:\WINDOWS\system32\drivers\AswRdr.sys
19:05:41.0906 3464 AswRdr - ok
19:05:41.0984 3464 [ 30E45AF8B4D83176CA850FC9699E860B ] aswSnx C:\WINDOWS\system32\drivers\aswSnx.sys
19:05:42.0109 3464 aswSnx - ok
19:05:42.0218 3464 [ F04BDBCB965C05C51F4A7DE7B62063D6 ] aswSP C:\WINDOWS\system32\drivers\aswSP.sys
19:05:42.0312 3464 aswSP - ok
19:05:42.0343 3464 [ DFE9152ABFA89BB8CFDC057409B2D4DA ] aswTdi C:\WINDOWS\system32\drivers\aswTdi.sys
19:05:42.0437 3464 aswTdi - ok
19:05:42.0484 3464 [ B153AFFAC761E7F5FCFA822B9C4E97BC ] AsyncMac C:\WINDOWS\system32\DRIVERS\asyncmac.sys
19:05:42.0921 3464 AsyncMac - ok
19:05:43.0015 3464 [ 9F3A2F5AA6875C72BF062C712CFA2674 ] atapi C:\WINDOWS\system32\DRIVERS\atapi.sys
19:05:43.0468 3464 atapi - ok
19:05:43.0484 3464 Atdisk - ok
19:05:43.0578 3464 [ ABC57A6F6070BAF9786C318F59F29F0B ] Ati HotKey Poller C:\WINDOWS\system32\Ati2evxx.exe
19:05:43.0718 3464 Ati HotKey Poller - ok
19:05:43.0906 3464 [ 03621F7F968FF63713943405DEB777F9 ] ati2mtag C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
19:05:44.0109 3464 ati2mtag - ok
19:05:44.0156 3464 [ 9916C1225104BA14794209CFA8012159 ] Atmarpc C:\WINDOWS\system32\DRIVERS\atmarpc.sys
19:05:44.0593 3464 Atmarpc - ok
19:05:44.0671 3464 [ DEF7A7882BEC100FE0B2CE2549188F9D ] AudioSrv C:\WINDOWS\System32\audiosrv.dll
19:05:45.0062 3464 AudioSrv - ok
19:05:45.0125 3464 [ D9F724AA26C010A217C97606B160ED68 ] audstub C:\WINDOWS\system32\DRIVERS\audstub.sys
19:05:45.0578 3464 audstub - ok
19:05:45.0703 3464 [ 04AC21E821F259845BD7367CEE057290 ] avast! Antivirus C:\Program Files\AVAST Software\Avast\AvastSvc.exe
19:05:45.0796 3464 avast! Antivirus - ok
19:05:45.0828 3464 [ DA1F27D85E0D1525F6621372E7B685E9 ] Beep C:\WINDOWS\system32\drivers\Beep.sys
19:05:46.0281 3464 Beep - ok
19:05:46.0375 3464 [ 574738F61FCA2935F5265DC4E5691314 ] BITS C:\WINDOWS\system32\qmgr.dll
19:05:46.0906 3464 BITS - ok
19:05:47.0015 3464 [ CFD4E51402DA9838B5A04AE680AF54A0 ] Browser C:\WINDOWS\System32\browser.dll
19:05:47.0093 3464 Browser - ok
19:05:47.0265 3464 catchme - ok
19:05:47.0375 3464 [ 90A673FC8E12A79AFBED2576F6A7AAF9 ] cbidf2k C:\WINDOWS\system32\drivers\cbidf2k.sys
19:05:47.0906 3464 cbidf2k - ok
19:05:47.0937 3464 cd20xrnt - ok
19:05:48.0000 3464 [ C1B486A7658353D33A10CC15211A873B ] Cdaudio C:\WINDOWS\system32\drivers\Cdaudio.sys
19:05:48.0484 3464 Cdaudio - ok
19:05:48.0515 3464 [ C885B02847F5D2FD45A24E219ED93B32 ] Cdfs C:\WINDOWS\system32\drivers\Cdfs.sys
19:05:48.0953 3464 Cdfs - ok
19:05:49.0000 3464 [ 1F4260CC5B42272D71F79E570A27A4FE ] Cdrom C:\WINDOWS\system32\DRIVERS\cdrom.sys
19:05:49.0484 3464 Cdrom - ok
19:05:49.0546 3464 [ 3CB0CC8879956C187E87E18634EE5164 ] CFSvcs C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
19:05:49.0625 3464 CFSvcs ( UnsignedFile.Multi.Generic ) - warning
19:05:49.0625 3464 CFSvcs - detected UnsignedFile.Multi.Generic (1)
19:05:49.0640 3464 Changer - ok
19:05:49.0703 3464 [ 1CFE720EB8D93A7158A4EBC3AB178BDE ] CiSvc C:\WINDOWS\system32\cisvc.exe
19:05:50.0109 3464 CiSvc - ok
19:05:50.0187 3464 [ 34CBE729F38138217F9C80212A2A0C82 ] ClipSrv C:\WINDOWS\system32\clipsrv.exe
19:05:50.0625 3464 ClipSrv - ok
19:05:50.0671 3464 [ D87ACAED61E417BBA546CED5E7E36D9C ] clr_optimization_v2.0.50727_32 C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
19:05:50.0843 3464 clr_optimization_v2.0.50727_32 - ok
19:05:50.0875 3464 [ 0F6C187D38D98F8DF904589A5F94D411 ] CmBatt C:\WINDOWS\system32\DRIVERS\CmBatt.sys
19:05:51.0328 3464 CmBatt - ok
19:05:51.0343 3464 CmdIde - ok
19:05:51.0390 3464 [ 6E4C9F21F0FAE8940661144F41B13203 ] Compbatt C:\WINDOWS\system32\DRIVERS\compbatt.sys
19:05:51.0906 3464 Compbatt - ok
19:05:51.0937 3464 COMSysApp - ok
19:05:51.0984 3464 Cpqarray - ok
19:05:52.0062 3464 [ 3D4E199942E29207970E04315D02AD3B ] CryptSvc C:\WINDOWS\System32\cryptsvc.dll
19:05:52.0515 3464 CryptSvc - ok
19:05:52.0531 3464 dac2w2k - ok
19:05:52.0562 3464 dac960nt - ok
19:05:52.0656 3464 [ 6B27A5C03DFB94B4245739065431322C ] DcomLaunch C:\WINDOWS\system32\rpcss.dll
19:05:52.0781 3464 DcomLaunch - ok
19:05:52.0843 3464 [ 5E38D7684A49CACFB752B046357E0589 ] Dhcp C:\WINDOWS\System32\dhcpcsvc.dll
19:05:53.0453 3464 Dhcp - ok
19:05:53.0484 3464 [ 044452051F3E02E7963599FC8F4F3E25 ] Disk C:\WINDOWS\system32\DRIVERS\disk.sys
19:05:53.0953 3464 Disk - ok
19:05:54.0015 3464 [ EE4325BECEF51B8C32B4329097E4F301 ] DLABOIOM C:\WINDOWS\system32\DLA\DLABOIOM.SYS
19:05:54.0062 3464 DLABOIOM ( UnsignedFile.Multi.Generic ) - warning
19:05:54.0062 3464 DLABOIOM - detected UnsignedFile.Multi.Generic (1)
19:05:54.0093 3464 [ D979BEBCF7EDCC9C9EE1857D1A68C67B ] DLACDBHM C:\WINDOWS\system32\Drivers\DLACDBHM.SYS
19:05:54.0109 3464 DLACDBHM ( UnsignedFile.Multi.Generic ) - warning
19:05:54.0109 3464 DLACDBHM - detected UnsignedFile.Multi.Generic (1)
19:05:54.0171 3464 [ 1E6C6597833A04C2157BE7B39EA92CE1 ] DLADResN C:\WINDOWS\system32\DLA\DLADResN.SYS
19:05:54.0218 3464 DLADResN ( UnsignedFile.Multi.Generic ) - warning
19:05:54.0218 3464 DLADResN - detected UnsignedFile.Multi.Generic (1)
19:05:54.0250 3464 [ 752376E109A090970BFA9722F0F40B03 ] DLAIFS_M C:\WINDOWS\system32\DLA\DLAIFS_M.SYS
19:05:54.0281 3464 DLAIFS_M ( UnsignedFile.Multi.Generic ) - warning
19:05:54.0281 3464 DLAIFS_M - detected UnsignedFile.Multi.Generic (1)
19:05:54.0312 3464 [ 62EE7902E74B90BF1CCC4643FC6C07A7 ] DLAOPIOM C:\WINDOWS\system32\DLA\DLAOPIOM.SYS
19:05:54.0343 3464 DLAOPIOM ( UnsignedFile.Multi.Generic ) - warning
19:05:54.0343 3464 DLAOPIOM - detected UnsignedFile.Multi.Generic (1)
19:05:54.0375 3464 [ 5C220124C5AFEAEE84A9BB89D685C17B ] DLAPoolM C:\WINDOWS\system32\DLA\DLAPoolM.SYS
19:05:54.0437 3464 DLAPoolM ( UnsignedFile.Multi.Generic ) - warning
19:05:54.0437 3464 DLAPoolM - detected UnsignedFile.Multi.Generic (1)
19:05:54.0468 3464 [ 7EE0852AE8907689DF25049DCD2342E8 ] DLARTL_N C:\WINDOWS\system32\Drivers\DLARTL_N.SYS
19:05:54.0484 3464 DLARTL_N ( UnsignedFile.Multi.Generic ) - warning
19:05:54.0484 3464 DLARTL_N - detected UnsignedFile.Multi.Generic (1)
19:05:54.0515 3464 [ 4EBB78D9BBF072119363B35B9B3E518F ] DLAUDFAM C:\WINDOWS\system32\DLA\DLAUDFAM.SYS
19:05:54.0578 3464 DLAUDFAM ( UnsignedFile.Multi.Generic ) - warning
19:05:54.0578 3464 DLAUDFAM - detected UnsignedFile.Multi.Generic (1)
19:05:54.0625 3464 [ 333B770E52D2CEA7BD86391120466E43 ] DLAUDF_M C:\WINDOWS\system32\DLA\DLAUDF_M.SYS
19:05:54.0718 3464 DLAUDF_M ( UnsignedFile.Multi.Generic ) - warning
19:05:54.0718 3464 DLAUDF_M - detected UnsignedFile.Multi.Generic (1)
19:05:54.0734 3464 dmadmin - ok
19:05:54.0875 3464 [ D992FE1274BDE0F84AD826ACAE022A41 ] dmboot C:\WINDOWS\system32\drivers\dmboot.sys
19:05:55.0406 3464 dmboot - ok
19:05:55.0468 3464 [ 7C824CF7BBDE77D95C08005717A95F6F ] dmio C:\WINDOWS\system32\drivers\dmio.sys
19:05:55.0953 3464 dmio - ok
19:05:56.0015 3464 [ E9317282A63CA4D188C0DF5E09C6AC5F ] dmload C:\WINDOWS\system32\drivers\dmload.sys
19:05:56.0546 3464 dmload - ok
19:05:56.0609 3464 [ 57EDEC2E5F59F0335E92F35184BC8631 ] dmserver C:\WINDOWS\System32\dmserver.dll
19:05:57.0078 3464 dmserver - ok
19:05:57.0125 3464 [ 8A208DFCF89792A484E76C40E5F50B45 ] DMusic C:\WINDOWS\system32\drivers\DMusic.sys
19:05:57.0531 3464 DMusic - ok
19:05:57.0593 3464 [ 5F7E24FA9EAB896051FFB87F840730D2 ] Dnscache C:\WINDOWS\System32\dnsrslvr.dll
19:05:57.0718 3464 Dnscache - ok
19:05:57.0812 3464 [ 0F0F6E687E5E15579EF4DA8DD6945814 ] Dot3svc C:\WINDOWS\System32\dot3svc.dll
19:05:59.0500 3464 Dot3svc - ok
19:05:59.0515 3464 dpti2o - ok
19:05:59.0578 3464 [ 8F5FCFF8E8848AFAC920905FBD9D33C8 ] drmkaud C:\WINDOWS\system32\drivers\drmkaud.sys
19:06:00.0093 3464 drmkaud - ok
19:06:00.0171 3464 [ FD0F95981FEF9073659D8EC58E40AA3C ] DRVMCDB C:\WINDOWS\system32\Drivers\DRVMCDB.SYS
19:06:00.0234 3464 DRVMCDB ( UnsignedFile.Multi.Generic ) - warning
19:06:00.0234 3464 DRVMCDB - detected UnsignedFile.Multi.Generic (1)
19:06:00.0250 3464 [ B4869D320428CDC5EC4D7F5E808E99B5 ] DRVNDDM C:\WINDOWS\system32\Drivers\DRVNDDM.SYS
19:06:00.0281 3464 DRVNDDM ( UnsignedFile.Multi.Generic ) - warning
19:06:00.0281 3464 DRVNDDM - detected UnsignedFile.Multi.Generic (1)
19:06:00.0390 3464 [ C9FFBD6B8EDC46CD3D13E3C6DB914FB7 ] DVD-RAM_Service C:\WINDOWS\system32\DVDRAMSV.exe
19:06:00.0453 3464 DVD-RAM_Service ( UnsignedFile.Multi.Generic ) - warning
19:06:00.0453 3464 DVD-RAM_Service - detected UnsignedFile.Multi.Generic (1)
19:06:00.0578 3464 [ 2187855A7703ADEF0CEF9EE4285182CC ] EapHost C:\WINDOWS\System32\eapsvc.dll
19:06:01.0296 3464 EapHost - ok
19:06:01.0375 3464 [ BC93B4A066477954555966D77FEC9ECB ] ERSvc C:\WINDOWS\System32\ersvc.dll
19:06:02.0203 3464 ERSvc - ok
19:06:02.0296 3464 [ 65DF52F5B8B6E9BBD183505225C37315 ] Eventlog C:\WINDOWS\system32\services.exe
19:06:02.0484 3464 Eventlog - ok
19:06:02.0562 3464 [ D4991D98F2DB73C60D042F1AEF79EFAE ] EventSystem C:\WINDOWS\system32\es.dll
19:06:02.0968 3464 EventSystem - ok
19:06:03.0000 3464 [ 38D332A6D56AF32635675F132548343E ] Fastfat C:\WINDOWS\system32\drivers\Fastfat.sys
19:06:03.0890 3464 Fastfat - ok
19:06:04.0062 3464 [ 99BC0B50F511924348BE19C7C7313BBF ] FastUserSwitchingCompatibility C:\WINDOWS\System32\shsvcs.dll
19:06:04.0218 3464 FastUserSwitchingCompatibility - ok
19:06:04.0296 3464 [ E97D6A8684466DF94FF3BC24FB787A07 ] Fax C:\WINDOWS\system32\fxssvc.exe
19:06:05.0234 3464 Fax - ok
19:06:05.0312 3464 [ 92CDD60B6730B9F50F6A1A0C1F8CDC81 ] Fdc C:\WINDOWS\system32\drivers\Fdc.sys
19:06:05.0906 3464 Fdc - ok
19:06:06.0015 3464 [ D45926117EB9FA946A6AF572FBE1CAA3 ] Fips C:\WINDOWS\system32\drivers\Fips.sys
19:06:07.0171 3464 Fips - ok
19:06:07.0203 3464 [ 9D27E7B80BFCDF1CDD9B555862D5E7F0 ] Flpydisk C:\WINDOWS\system32\drivers\Flpydisk.sys
19:06:08.0234 3464 Flpydisk - ok
19:06:08.0359 3464 [ B2CF4B0786F8212CB92ED2B50C6DB6B0 ] FltMgr C:\WINDOWS\system32\drivers\fltmgr.sys
19:06:09.0906 3464 FltMgr - ok
19:06:10.0109 3464 [ 8BA7C024070F2B7FDD98ED8A4BA41789 ] FontCache3.0.0.0 c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
19:06:10.0296 3464 FontCache3.0.0.0 - ok
19:06:10.0375 3464 [ 3E1E2BD4F39B0E2B7DC4F4D2BCC2779A ] Fs_Rec C:\WINDOWS\system32\drivers\Fs_Rec.sys
19:06:11.0984 3464 Fs_Rec - ok
19:06:12.0046 3464 [ 6AC26732762483366C3969C9E4D2259D ] Ftdisk C:\WINDOWS\system32\DRIVERS\ftdisk.sys
19:06:13.0921 3464 Ftdisk - ok
19:06:14.0062 3464 [ 0A02C63C8B144BD8C86B103DEE7C86A2 ] Gpc C:\WINDOWS\system32\DRIVERS\msgpc.sys
19:06:16.0031 3464 Gpc - ok
19:06:16.0125 3464 [ 573C7D0A32852B48F3058CFD8026F511 ] HDAudBus C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
19:06:17.0703 3464 HDAudBus - ok
19:06:17.0875 3464 [ 4FCCA060DFE0C51A09DD5C3843888BCD ] helpsvc C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll
19:06:19.0406 3464 helpsvc - ok
19:06:19.0484 3464 HidServ - ok
19:06:19.0546 3464 [ CCF82C5EC8A7326C3066DE870C06DAF1 ] HidUsb C:\WINDOWS\system32\DRIVERS\hidusb.sys
19:06:20.0281 3464 HidUsb - ok
19:06:20.0406 3464 [ 8878BD685E490239777BFE51320B88E9 ] hkmsvc C:\WINDOWS\System32\kmsvc.dll
19:06:21.0062 3464 hkmsvc - ok
19:06:21.0062 3464 hpn - ok
19:06:21.0156 3464 [ F80A415EF82CD06FFAF0D971528EAD38 ] HTTP C:\WINDOWS\system32\Drivers\HTTP.sys
19:06:21.0343 3464 HTTP - ok
19:06:21.0437 3464 [ 6100A808600F44D999CEBDEF8841C7A3 ] HTTPFilter C:\WINDOWS\System32\w3ssl.dll
19:06:22.0109 3464 HTTPFilter - ok
19:06:22.0140 3464 i2omgmt - ok
19:06:22.0156 3464 i2omp - ok
19:06:22.0218 3464 [ 4A0B06AA8943C1E332520F7440C0AA30 ] i8042prt C:\WINDOWS\system32\DRIVERS\i8042prt.sys
19:06:22.0796 3464 i8042prt - ok
19:06:22.0906 3464 [ C01AC32DC5C03076CFB852CB5DA5229C ] idsvc c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
19:06:23.0093 3464 idsvc - ok
19:06:23.0156 3464 [ 083A052659F5310DD8B6A6CB05EDCF8E ] Imapi C:\WINDOWS\system32\DRIVERS\imapi.sys
19:06:23.0718 3464 Imapi - ok
19:06:23.0781 3464 [ 30DEAF54A9755BB8546168CFE8A6B5E1 ] ImapiService C:\WINDOWS\system32\imapi.exe
19:06:24.0390 3464 ImapiService - ok
19:06:24.0406 3464 ini910u - ok
19:06:25.0906 3464 [ B12A9FC49CD2765A43829D834F518AED ] IntcAzAudAddService C:\WINDOWS\system32\drivers\RtkHDAud.sys
19:06:26.0484 3464 IntcAzAudAddService - ok
19:06:26.0484 3464 IntelIde - ok
19:06:26.0593 3464 [ 8C953733D8F36EB2133F5BB58808B66B ] intelppm C:\WINDOWS\system32\DRIVERS\intelppm.sys
19:06:27.0484 3464 intelppm - ok
19:06:27.0515 3464 [ 3BB22519A194418D5FEC05D800A19AD0 ] Ip6Fw C:\WINDOWS\system32\drivers\ip6fw.sys
19:06:27.0890 3464 Ip6Fw - ok
19:06:27.0968 3464 [ 731F22BA402EE4B62748ADAF6363C182 ] IpFilterDriver C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
19:06:28.0250 3464 IpFilterDriver - ok
19:06:28.0343 3464 [ B87AB476DCF76E72010632B5550955F5 ] IpInIp C:\WINDOWS\system32\DRIVERS\ipinip.sys
19:06:28.0687 3464 IpInIp - ok
19:06:28.0718 3464 [ CC748EA12C6EFFDE940EE98098BF96BB ] IpNat C:\WINDOWS\system32\DRIVERS\ipnat.sys
19:06:28.0968 3464 IpNat - ok
19:06:29.0000 3464 [ 23C74D75E36E7158768DD63D92789A91 ] IPSec C:\WINDOWS\system32\DRIVERS\ipsec.sys
19:06:29.0250 3464 IPSec - ok
19:06:29.0281 3464 [ C93C9FF7B04D772627A3646D89F7BF89 ] IRENUM C:\WINDOWS\system32\DRIVERS\irenum.sys
19:06:29.0625 3464 IRENUM - ok
19:06:29.0750 3464 [ 05A299EC56E52649B1CF2FC52D20F2D7 ] isapnp C:\WINDOWS\system32\DRIVERS\isapnp.sys
19:06:30.0250 3464 isapnp - ok
19:06:30.0421 3464 [ 0E410EDC8D0527801B899CF29E60597C ] JavaQuickStarterService C:\Program Files\Java\jre6\bin\jqs.exe
19:06:30.0515 3464 JavaQuickStarterService - ok
19:06:30.0546 3464 [ 463C1EC80CD17420A542B7F36A36F128 ] Kbdclass C:\WINDOWS\system32\DRIVERS\kbdclass.sys
19:06:30.0765 3464 Kbdclass - ok
19:06:30.0828 3464 [ 692BCF44383D056AED41B045A323D378 ] kmixer C:\WINDOWS\system32\drivers\kmixer.sys
19:06:31.0015 3464 kmixer - ok
19:06:31.0062 3464 [ B467646C54CC746128904E1654C750C1 ] KSecDD C:\WINDOWS\system32\drivers\KSecDD.sys
19:06:31.0093 3464 KSecDD - ok
19:06:31.0203 3464 [ 3A7C3CBE5D96B8AE96CE81F0B22FB527 ] lanmanserver C:\WINDOWS\System32\srvsvc.dll
19:06:31.0250 3464 lanmanserver - ok
19:06:31.0343 3464 [ A8888A5327621856C0CEC4E385F69309 ] lanmanworkstation C:\WINDOWS\System32\wkssvc.dll
19:06:31.0406 3464 lanmanworkstation - ok
19:06:31.0421 3464 Lbd - ok
19:06:31.0437 3464 lbrtfdc - ok
19:06:31.0515 3464 [ A7DB739AE99A796D91580147E919CC59 ] LmHosts C:\WINDOWS\System32\lmhsvc.dll
19:06:31.0671 3464 LmHosts - ok
19:06:31.0812 3464 [ 1F37F74E1F719B0D75F0398F1F397F66 ] lxedCATSCustConnectService C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxedserv.exe
19:06:31.0875 3464 lxedCATSCustConnectService - ok
19:06:31.0890 3464 lxed_device - ok
19:06:31.0953 3464 [ 3F6F7993AE46ADED2DB2886ED3080C80 ] LxrJD31d C:\WINDOWS\system32\Drivers\LxrJD31d.sys
19:06:31.0984 3464 LxrJD31d ( UnsignedFile.Multi.Generic ) - warning
19:06:31.0984 3464 LxrJD31d - detected UnsignedFile.Multi.Generic (1)
19:06:32.0000 3464 LxrJD31s - ok
19:06:32.0062 3464 [ 7EFAC183A25B30FB5D64CC9D484B1EB6 ] meiudf C:\WINDOWS\system32\Drivers\meiudf.sys
19:06:32.0093 3464 meiudf ( UnsignedFile.Multi.Generic ) - warning
19:06:32.0093 3464 meiudf - detected UnsignedFile.Multi.Generic (1)
19:06:32.0234 3464 [ 986B1FF5814366D71E0AC5755C88F2D3 ] Messenger C:\WINDOWS\System32\msgsvc.dll
19:06:32.0421 3464 Messenger - ok
19:06:32.0453 3464 [ 4AE068242760A1FB6E1A44BF4E16AFA6 ] mnmdd C:\WINDOWS\system32\drivers\mnmdd.sys
19:06:32.0656 3464 mnmdd - ok
19:06:32.0703 3464 [ D18F1F0C101D06A1C1ADF26EED16FCDD ] mnmsrvc C:\WINDOWS\system32\mnmsrvc.exe
19:06:32.0906 3464 mnmsrvc - ok
19:06:32.0921 3464 [ DFCBAD3CEC1C5F964962AE10E0BCC8E1 ] Modem C:\WINDOWS\system32\drivers\Modem.sys
19:06:33.0078 3464 Modem - ok
19:06:33.0109 3464 [ 35C9E97194C8CFB8430125F8DBC34D04 ] Mouclass C:\WINDOWS\system32\DRIVERS\mouclass.sys
19:06:33.0296 3464 Mouclass - ok
19:06:33.0343 3464 [ B1C303E17FB9D46E87A98E4BA6769685 ] mouhid C:\WINDOWS\system32\DRIVERS\mouhid.sys
19:06:33.0531 3464 mouhid - ok
19:06:33.0546 3464 [ A80B9A0BAD1B73637DBCBBA7DF72D3FD ] MountMgr C:\WINDOWS\system32\drivers\MountMgr.sys
19:06:33.0734 3464 MountMgr - ok
19:06:33.0796 3464 [ CB8AF049AC9BE419A77ADAE288673359 ] MozillaMaintenance C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe
19:06:33.0828 3464 MozillaMaintenance - ok
19:06:33.0828 3464 mraid35x - ok
19:06:33.0875 3464 [ 11D42BB6206F33FBB3BA0288D3EF81BD ] MRxDAV C:\WINDOWS\system32\DRIVERS\mrxdav.sys
19:06:34.0062 3464 MRxDAV - ok
19:06:34.0140 3464 [ 7D304A5EB4344EBEEAB53A2FE3FFB9F0 ] MRxSmb C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
19:06:34.0296 3464 MRxSmb - ok
19:06:34.0343 3464 [ A137F1470499A205ABBB9AAFB3B6F2B1 ] MSDTC C:\WINDOWS\system32\msdtc.exe
19:06:34.0625 3464 MSDTC - ok
19:06:34.0640 3464 [ C941EA2454BA8350021D774DAF0F1027 ] Msfs C:\WINDOWS\system32\drivers\Msfs.sys
19:06:34.0828 3464 Msfs - ok
19:06:34.0843 3464 MSIServer - ok
19:06:34.0890 3464 [ D1575E71568F4D9E14CA56B7B0453BF1 ] MSKSSRV C:\WINDOWS\system32\drivers\MSKSSRV.sys
19:06:35.0078 3464 MSKSSRV - ok
19:06:35.0109 3464 [ 325BB26842FC7CCC1FCCE2C457317F3E ] MSPCLOCK C:\WINDOWS\system32\drivers\MSPCLOCK.sys
19:06:35.0296 3464 MSPCLOCK - ok
19:06:35.0296 3464 [ BAD59648BA099DA4A17680B39730CB3D ] MSPQM C:\WINDOWS\system32\drivers\MSPQM.sys
19:06:35.0656 3464 MSPQM - ok
19:06:35.0703 3464 [ AF5F4F3F14A8EA2C26DE30F7A1E17136 ] mssmbios C:\WINDOWS\system32\DRIVERS\mssmbios.sys
19:06:36.0015 3464 mssmbios - ok
19:06:36.0078 3464 [ DE6A75F5C270E756C5508D94B6CF68F5 ] Mup C:\WINDOWS\system32\drivers\Mup.sys
19:06:36.0125 3464 Mup - ok
19:06:36.0187 3464 [ 0102140028FAD045756796E1C685D695 ] napagent C:\WINDOWS\System32\qagentrt.dll
19:06:36.0406 3464 napagent - ok
19:06:36.0437 3464 [ 1DF7F42665C94B825322FAE71721130D ] NDIS C:\WINDOWS\system32\drivers\NDIS.sys
19:06:36.0593 3464 NDIS - ok
19:06:36.0656 3464 [ 0109C4F3850DFBAB279542515386AE22 ] NdisTapi C:\WINDOWS\system32\DRIVERS\ndistapi.sys
19:06:36.0718 3464 NdisTapi - ok
19:06:36.0734 3464 [ F927A4434C5028758A842943EF1A3849 ] Ndisuio C:\WINDOWS\system32\DRIVERS\ndisuio.sys
19:06:36.0937 3464 Ndisuio - ok
19:06:36.0953 3464 [ EDC1531A49C80614B2CFDA43CA8659AB ] NdisWan C:\WINDOWS\system32\DRIVERS\ndiswan.sys
19:06:37.0234 3464 NdisWan - ok
19:06:37.0343 3464 [ 9282BD12DFB069D3889EB3FCC1000A9B ] NDProxy C:\WINDOWS\system32\drivers\NDProxy.sys
19:06:37.0421 3464 NDProxy - ok
19:06:37.0500 3464 [ 5D81CF9A2F1A3A756B66CF684911CDF0 ] NetBIOS C:\WINDOWS\system32\DRIVERS\netbios.sys
19:06:37.0796 3464 NetBIOS - ok
19:06:37.0828 3464 [ 74B2B2F5BEA5E9A3DC021D685551BD3D ] NetBT C:\WINDOWS\system32\DRIVERS\netbt.sys
19:06:38.0062 3464 NetBT - ok
19:06:38.0109 3464 [ B857BA82860D7FF85AE29B095645563B ] NetDDE C:\WINDOWS\system32\netdde.exe
19:06:38.0406 3464 NetDDE - ok
19:06:38.0406 3464 [ B857BA82860D7FF85AE29B095645563B ] NetDDEdsdm C:\WINDOWS\system32\netdde.exe
19:06:38.0593 3464 NetDDEdsdm - ok
19:06:38.0656 3464 [ 1265EB253ED4EBE4ACB3BD5F548FF796 ] Netdevio C:\WINDOWS\system32\DRIVERS\netdevio.sys
19:06:38.0687 3464 Netdevio ( UnsignedFile.Multi.Generic ) - warning
19:06:38.0687 3464 Netdevio - detected UnsignedFile.Multi.Generic (1)
19:06:38.0796 3464 [ BF2466B3E18E970D8A976FB95FC1CA85 ] Netlogon C:\WINDOWS\system32\lsass.exe
19:06:39.0359 3464 Netlogon - ok
19:06:39.0421 3464 [ 13E67B55B3ABD7BF3FE7AAE5A0F9A9DE ] Netman C:\WINDOWS\System32\netman.dll
19:06:39.0828 3464 Netman - ok
19:06:40.0015 3464 [ 37E7512BFBE86871FB4E5A101CF5E7FB ] netrcacm C:\WINDOWS\system32\DRIVERS\netrcacm.sys
19:06:40.0093 3464 netrcacm - ok
19:06:40.0125 3464 [ D34612C5D02D026535B3095D620626AE ] NetTcpPortSharing c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
19:06:40.0156 3464 NetTcpPortSharing - ok
19:06:40.0187 3464 [ E9E47CFB2D461FA0FC75B7A74C6383EA ] NIC1394 C:\WINDOWS\system32\DRIVERS\nic1394.sys
19:06:40.0484 3464 NIC1394 - ok
19:06:40.0546 3464 [ 943337D786A56729263071623BBB9DE5 ] Nla C:\WINDOWS\System32\mswsock.dll
19:06:40.0687 3464 Nla - ok
19:06:40.0718 3464 [ 3182D64AE053D6FB034F44B6DEF8034A ] Npfs C:\WINDOWS\system32\drivers\Npfs.sys
19:06:41.0078 3464 Npfs - ok
19:06:41.0140 3464 [ 78A08DD6A8D65E697C18E1DB01C5CDCA ] Ntfs C:\WINDOWS\system32\drivers\Ntfs.sys
19:06:41.0546 3464 Ntfs - ok
19:06:42.0281 3464 [ BF2466B3E18E970D8A976FB95FC1CA85 ] NtLmSsp C:\WINDOWS\system32\lsass.exe
19:06:42.0562 3464 NtLmSsp - ok
19:06:42.0687 3464 [ 156F64A3345BD23C600655FB4D10BC08 ] NtmsSvc C:\WINDOWS\system32\ntmssvc.dll
19:06:43.0000 3464 NtmsSvc - ok
19:06:43.0062 3464 [ 73C1E1F395918BC2C6DD67AF7591A3AD ] Null C:\WINDOWS\system32\drivers\Null.sys
19:06:43.0250 3464 Null - ok
19:06:43.0281 3464 [ B305F3FAD35083837EF46A0BBCE2FC57 ] NwlnkFlt C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
19:06:43.0562 3464 NwlnkFlt - ok
19:06:43.0593 3464 [ C99B3415198D1AAB7227F2C88FD664B9 ] NwlnkFwd C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
19:06:43.0828 3464 NwlnkFwd - ok
19:06:43.0875 3464 [ CA33832DF41AFB202EE7AEB05145922F ] ohci1394 C:\WINDOWS\system32\DRIVERS\ohci1394.sys
19:06:44.0062 3464 ohci1394 - ok
19:06:44.0093 3464 [ 5575FAF8F97CE5E713D108C2A58D7C7C ] Parport C:\WINDOWS\system32\drivers\Parport.sys
19:06:44.0312 3464 Parport - ok
19:06:44.0328 3464 [ BEB3BA25197665D82EC7065B724171C6 ] PartMgr C:\WINDOWS\system32\drivers\PartMgr.sys
19:06:44.0593 3464 PartMgr - ok
19:06:44.0640 3464 [ 70E98B3FD8E963A6A46A2E6247E0BEA1 ] ParVdm C:\WINDOWS\system32\drivers\ParVdm.sys
19:06:44.0859 3464 ParVdm - ok
19:06:44.0859 3464 [ A219903CCF74233761D92BEF471A07B1 ] PCI C:\WINDOWS\system32\DRIVERS\pci.sys
19:06:45.0046 3464 PCI - ok
19:06:45.0062 3464 PCIDump - ok
19:06:45.0078 3464 [ CCF5F451BB1A5A2A522A76E670000FF0 ] PCIIde C:\WINDOWS\system32\DRIVERS\pciide.sys
19:06:45.0296 3464 PCIIde - ok
19:06:45.0359 3464 [ 9E89EF60E9EE05E3F2EEF2DA7397F1C1 ] Pcmcia C:\WINDOWS\system32\DRIVERS\pcmcia.sys
19:06:45.0546 3464 Pcmcia - ok
19:06:45.0562 3464 PDCOMP - ok
19:06:45.0578 3464 PDFRAME - ok
19:06:45.0593 3464 PDRELI - ok
19:06:45.0609 3464 PDRFRAME - ok
19:06:45.0625 3464 perc2 - ok
19:06:45.0625 3464 perc2hib - ok
19:06:45.0687 3464 [ 65DF52F5B8B6E9BBD183505225C37315 ] PlugPlay C:\WINDOWS\system32\services.exe
19:06:45.0750 3464 PlugPlay - ok
19:06:45.0781 3464 [ BF2466B3E18E970D8A976FB95FC1CA85 ] PolicyAgent C:\WINDOWS\system32\lsass.exe
19:06:46.0078 3464 PolicyAgent - ok
19:06:46.0140 3464 [ EFEEC01B1D3CF84F16DDD24D9D9D8F99 ] PptpMiniport C:\WINDOWS\system32\DRIVERS\raspptp.sys
19:06:46.0890 3464 PptpMiniport - ok
19:06:46.0906 3464 [ BF2466B3E18E970D8A976FB95FC1CA85 ] ProtectedStorage C:\WINDOWS\system32\lsass.exe
19:06:47.0093 3464 ProtectedStorage - ok
19:06:47.0109 3464 [ 09298EC810B07E5D582CB3A3F9255424 ] PSched C:\WINDOWS\system32\DRIVERS\psched.sys
19:06:47.0343 3464 PSched - ok
19:06:47.0390 3464 [ 80D317BD1C3DBC5D4FE7B1678C60CADD ] Ptilink C:\WINDOWS\system32\DRIVERS\ptilink.sys
19:06:47.0671 3464 Ptilink - ok
19:06:47.0703 3464 [ D86B4A68565E444D76457F14172C875A ] PxHelp20 C:\WINDOWS\system32\Drivers\PxHelp20.sys
19:06:47.0718 3464 PxHelp20 - ok
19:06:47.0734 3464 ql1080 - ok
19:06:47.0750 3464 Ql10wnt - ok
19:06:47.0765 3464 ql12160 - ok
19:06:47.0781 3464 ql1240 - ok
19:06:47.0796 3464 ql1280 - ok
19:06:47.0812 3464 [ FE0D99D6F31E4FAD8159F690D68DED9C ] RasAcd C:\WINDOWS\system32\DRIVERS\rasacd.sys
19:06:48.0031 3464 RasAcd - ok
19:06:48.0078 3464 [ AD188BE7BDF94E8DF4CA0A55C00A5073 ] RasAuto C:\WINDOWS\System32\rasauto.dll
19:06:48.0265 3464 RasAuto - ok
19:06:48.0296 3464 [ 11B4A627BC9614B885C4969BFA5FF8A6 ] Rasl2tp C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
19:06:48.0484 3464 Rasl2tp - ok
19:06:48.0578 3464 [ 76A9A3CBEADD68CC57CDA5E1D7448235 ] RasMan C:\WINDOWS\System32\rasmans.dll
19:06:48.0734 3464 RasMan - ok
19:06:48.0750 3464 [ 5BC962F2654137C9909C3D4603587DEE ] RasPppoe C:\WINDOWS\system32\DRIVERS\raspppoe.sys
19:06:48.0937 3464 RasPppoe - ok
19:06:48.0984 3464 [ FDBB1D60066FCFBB7452FD8F9829B242 ] Raspti C:\WINDOWS\system32\DRIVERS\raspti.sys
19:06:49.0250 3464 Raspti - ok
19:06:49.0281 3464 [ 7AD224AD1A1437FE28D89CF22B17780A ] Rdbss C:\WINDOWS\system32\DRIVERS\rdbss.sys
19:06:49.0453 3464 Rdbss - ok
19:06:49.0484 3464 [ 4912D5B403614CE99C28420F75353332 ] RDPCDD C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
19:06:49.0656 3464 RDPCDD - ok
19:06:49.0734 3464 [ 43AF5212BD8FB5BA6EED9754358BD8F7 ] RDPWD C:\WINDOWS\system32\drivers\RDPWD.sys
19:06:49.0781 3464 RDPWD - ok
19:06:49.0843 3464 [ 3C37BF86641BDA977C3BF8A840F3B7FA ] RDSessMgr C:\WINDOWS\system32\sessmgr.exe
19:06:50.0031 3464 RDSessMgr - ok
19:06:50.0093 3464 [ F828DD7E1419B6653894A8F97A0094C5 ] redbook C:\WINDOWS\system32\DRIVERS\redbook.sys
19:06:50.0296 3464 redbook - ok
19:06:50.0343 3464 [ 7E699FF5F59B5D9DE5390E3C34C67CF5 ] RemoteAccess C:\WINDOWS\System32\mprdim.dll
19:06:50.0531 3464 RemoteAccess - ok
19:06:50.0578 3464 [ AAED593F84AFA419BBAE8572AF87CF6A ] RpcLocator C:\WINDOWS\system32\locator.exe
19:06:50.0765 3464 RpcLocator - ok
19:06:50.0859 3464 [ 6B27A5C03DFB94B4245739065431322C ] RpcSs C:\WINDOWS\System32\rpcss.dll
19:06:51.0031 3464 RpcSs - ok
19:06:51.0062 3464 [ 471B3F9741D762ABE75E9DEEA4787E47 ] RSVP C:\WINDOWS\system32\rsvp.exe
19:06:51.0968 3464 RSVP - ok
19:06:52.0015 3464 [ 7988BFE882BCD94199225B5C3482F1BD ] RTL8023xp C:\WINDOWS\system32\DRIVERS\Rtnicxp.sys
19:06:52.0109 3464 RTL8023xp - ok
19:06:52.0125 3464 [ D507C1400284176573224903819FFDA3 ] rtl8139 C:\WINDOWS\system32\DRIVERS\RTL8139.SYS
19:06:54.0890 3464 rtl8139 - ok
19:06:54.0921 3464 [ BF2466B3E18E970D8A976FB95FC1CA85 ] SamSs C:\WINDOWS\system32\lsass.exe
19:06:55.0078 3464 SamSs - ok
19:06:55.0125 3464 [ 86D007E7A654B9A71D1D7D856B104353 ] SCardSvr C:\WINDOWS\System32\SCardSvr.exe
19:06:55.0406 3464 SCardSvr - ok
19:06:55.0515 3464 [ 0A9A7365A1CA4319AA7C1D6CD8E4EAFA ] Schedule C:\WINDOWS\system32\schedsvc.dll
19:06:55.0765 3464 Schedule - ok
19:06:56.0140 3464 [ D98E936BDD4A6CFE39535F3696D0EC6F ] SDScannerService C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe
19:06:56.0406 3464 SDScannerService - ok
19:06:56.0734 3464 [ 2D5088524613D1ED55D20195AF42DDC7 ] SDUpdateService C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe
19:06:57.0421 3464 SDUpdateService - ok
19:06:57.0515 3464 [ 90A3935D05B494A5A39D37E71F09A677 ] Secdrv C:\WINDOWS\system32\DRIVERS\secdrv.sys
19:06:57.0828 3464 Secdrv - ok
19:06:57.0875 3464 [ CBE612E2BB6A10E3563336191EDA1250 ] seclogon C:\WINDOWS\System32\seclogon.dll
19:06:58.0109 3464 seclogon - ok
19:06:58.0140 3464 [ 7FDD5D0684ECA8C1F68B4D99D124DCD0 ] SENS C:\WINDOWS\system32\sens.dll
19:06:58.0343 3464 SENS - ok
19:06:58.0375 3464 [ CCA207A8896D4C6A0C9CE29A4AE411A7 ] Serial C:\WINDOWS\system32\drivers\Serial.sys
19:06:58.0531 3464 Serial - ok
19:06:58.0593 3464 [ 8E6B8C671615D126FDC553D1E2DE5562 ] Sfloppy C:\WINDOWS\system32\drivers\Sfloppy.sys
19:06:58.0781 3464 Sfloppy - ok
19:06:58.0843 3464 [ 83F41D0D89645D7235C051AB1D9523AC ] SharedAccess C:\WINDOWS\System32\ipnathlp.dll
19:06:59.0109 3464 SharedAccess - ok
19:06:59.0156 3464 [ 99BC0B50F511924348BE19C7C7313BBF ] ShellHWDetection C:\WINDOWS\System32\shsvcs.dll
19:06:59.0187 3464 ShellHWDetection - ok
19:06:59.0203 3464 Simbad - ok
19:06:59.0218 3464 Sparrow - ok
19:06:59.0250 3464 [ AB8B92451ECB048A4D1DE7C3FFCB4A9F ] splitter C:\WINDOWS\system32\drivers\splitter.sys
19:06:59.0562 3464 splitter - ok
19:06:59.0609 3464 [ 60784F891563FB1B767F70117FC2428F ] Spooler C:\WINDOWS\system32\spoolsv.exe
19:06:59.0656 3464 Spooler - ok
19:06:59.0687 3464 [ 76BB022C2FB6902FD5BDD4F78FC13A5D ] sr C:\WINDOWS\system32\DRIVERS\sr.sys
19:06:59.0890 3464 sr - ok
19:06:59.0953 3464 [ 3805DF0AC4296A34BA4BF93B346CC378 ] srservice C:\WINDOWS\system32\srsvc.dll
19:07:00.0156 3464 srservice - ok
19:07:00.0218 3464 [ 47DDFC2F003F7F9F0592C6874962A2E7 ] Srv C:\WINDOWS\system32\DRIVERS\srv.sys
19:07:00.0375 3464 Srv - ok
19:07:00.0406 3464 [ 0A5679B3714EDAB99E357057EE88FCA6 ] SSDPSRV C:\WINDOWS\System32\ssdpsrv.dll
19:07:00.0578 3464 SSDPSRV - ok
19:07:00.0625 3464 [ 8BAD69CBAC032D4BBACFCE0306174C30 ] stisvc C:\WINDOWS\system32\wiaservc.dll
19:07:00.0906 3464 stisvc - ok
19:07:00.0984 3464 [ 3941D127AEF12E93ADDF6FE6EE027E0F ] swenum C:\WINDOWS\system32\DRIVERS\swenum.sys
19:07:01.0281 3464 swenum - ok
19:07:01.0328 3464 [ 8CE882BCC6CF8A62F2B2323D95CB3D01 ] swmidi C:\WINDOWS\system32\drivers\swmidi.sys
19:07:01.0562 3464 swmidi - ok
19:07:01.0578 3464 SwPrv - ok
19:07:01.0750 3464 [ 486A64AABD88E4E174681E89E9736BC9 ] Swupdtmr c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
19:07:01.0812 3464 Swupdtmr ( UnsignedFile.Multi.Generic ) - warning
19:07:01.0812 3464 Swupdtmr - detected UnsignedFile.Multi.Generic (1)
19:07:01.0828 3464 symc810 - ok
19:07:01.0859 3464 symc8xx - ok
19:07:01.0875 3464 sym_hi - ok
19:07:01.0890 3464 sym_u3 - ok
19:07:02.0015 3464 [ A6CC8C28D5AAD4179EF32F05BED55E91 ] SynTP C:\WINDOWS\system32\DRIVERS\SynTP.sys
19:07:02.0109 3464 SynTP - ok
19:07:02.0203 3464 [ 8B83F3ED0F1688B4958F77CD6D2BF290 ] sysaudio C:\WINDOWS\system32\drivers\sysaudio.sys
19:07:02.0406 3464 sysaudio - ok
19:07:02.0468 3464 [ C7ABBC59B43274B1109DF6B24D617051 ] SysmonLog C:\WINDOWS\system32\smlogsvc.exe
19:07:02.0671 3464 SysmonLog - ok
19:07:02.0781 3464 [ 3CB78C17BB664637787C9A1C98F79C38 ] TapiSrv C:\WINDOWS\System32\tapisrv.dll
19:07:03.0109 3464 TapiSrv - ok
19:07:03.0203 3464 [ 36772B5EAAAF42DB5C5EE6EEB0EC0AF7 ] TAPPSRV C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
19:07:03.0234 3464 TAPPSRV ( UnsignedFile.Multi.Generic ) - warning
19:07:03.0234 3464 TAPPSRV - detected UnsignedFile.Multi.Generic (1)
19:07:03.0312 3464 [ 7147B0575BCC93A6AB7D5C90F47C0B9F ] tbiosdrv C:\WINDOWS\system32\DRIVERS\tbiosdrv.sys
19:07:03.0375 3464 tbiosdrv - ok
19:07:03.0484 3464 [ 9AEFA14BD6B182D61E3119FA5F436D3D ] Tcpip C:\WINDOWS\system32\DRIVERS\tcpip.sys
19:07:03.0656 3464 Tcpip - ok
19:07:03.0734 3464 [ 6471A66807F5E104E4885F5B67349397 ] TDPIPE C:\WINDOWS\system32\drivers\TDPIPE.sys
19:07:04.0093 3464 TDPIPE - ok
19:07:04.0125 3464 [ C56B6D0402371CF3700EB322EF3AAF61 ] TDTCP C:\WINDOWS\system32\drivers\TDTCP.sys
19:07:04.0328 3464 TDTCP - ok
19:07:04.0328 3464 [ 88155247177638048422893737429D9E ] TermDD C:\WINDOWS\system32\DRIVERS\termdd.sys
19:07:04.0546 3464 TermDD - ok
19:07:04.0609 3464 [ FF3477C03BE7201C294C35F684B3479F ] TermService C:\WINDOWS\System32\termsrv.dll
19:07:04.0843 3464 TermService - ok
19:07:04.0875 3464 [ 99BC0B50F511924348BE19C7C7313BBF ] Themes C:\WINDOWS\System32\shsvcs.dll
19:07:04.0906 3464 Themes - ok
19:07:04.0921 3464 TosIde - ok
19:07:04.0953 3464 [ 55BCA12F7F523D35CA3CB833C725F54E ] TrkWks C:\WINDOWS\system32\trkwks.dll
19:07:05.0140 3464 TrkWks - ok
19:07:05.0234 3464 [ 676DB15DDF2E0FF6EC03068DEA428B8B ] TVALD C:\WINDOWS\system32\DRIVERS\NBSMI.sys
19:07:05.0250 3464 TVALD ( UnsignedFile.Multi.Generic ) - warning
19:07:05.0250 3464 TVALD - detected UnsignedFile.Multi.Generic (1)
19:07:05.0312 3464 [ 568DCCFF5D0F2BE99CB04A49A70A63D4 ] Tvs C:\WINDOWS\system32\DRIVERS\Tvs.sys
19:07:05.0328 3464 Tvs ( UnsignedFile.Multi.Generic ) - warning
19:07:05.0328 3464 Tvs - detected UnsignedFile.Multi.Generic (1)
19:07:05.0375 3464 [ 5787B80C2E3C5E2F56C2A233D91FA2C9 ] Udfs C:\WINDOWS\system32\drivers\Udfs.sys
19:07:05.0546 3464 Udfs - ok
19:07:05.0562 3464 ultra - ok
19:07:05.0734 3464 [ 402DDC88356B1BAC0EE3DD1580C76A31 ] Update C:\WINDOWS\system32\DRIVERS\update.sys
19:07:05.0921 3464 Update - ok
19:07:05.0953 3464 [ 1EBAFEB9A3FBDC41B8D9C7F0F687AD91 ] upnphost C:\WINDOWS\System32\upnphost.dll
19:07:06.0140 3464 upnphost - ok
19:07:06.0187 3464 [ 05365FB38FCA1E98F7A566AAAF5D1815 ] UPS C:\WINDOWS\System32\ups.exe
19:07:06.0328 3464 UPS - ok
19:07:06.0375 3464 [ 173F317CE0DB8E21322E71B7E60A27E8 ] usbccgp C:\WINDOWS\system32\DRIVERS\usbccgp.sys
19:07:06.0546 3464 usbccgp - ok
19:07:06.0562 3464 [ 65DCF09D0E37D4C6B11B5B0B76D470A7 ] usbehci C:\WINDOWS\system32\DRIVERS\usbehci.sys
19:07:06.0828 3464 usbehci - ok
19:07:06.0906 3464 [ 1AB3CDDE553B6E064D2E754EFE20285C ] usbhub C:\WINDOWS\system32\DRIVERS\usbhub.sys
19:07:07.0109 3464 usbhub - ok
19:07:07.0171 3464 [ 0DAECCE65366EA32B162F85F07C6753B ] usbohci C:\WINDOWS\system32\DRIVERS\usbohci.sys
19:07:07.0328 3464 usbohci - ok
19:07:07.0343 3464 [ A717C8721046828520C9EDF31288FC00 ] usbprint C:\WINDOWS\system32\DRIVERS\usbprint.sys
19:07:07.0500 3464 usbprint - ok
19:07:07.0500 3464 [ A0B8CF9DEB1184FBDD20784A58FA75D4 ] usbscan C:\WINDOWS\system32\DRIVERS\usbscan.sys
19:07:07.0703 3464 usbscan - ok
19:07:07.0750 3464 [ A32426D9B14A089EAA1D922E0C5801A9 ] USBSTOR C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
19:07:07.0937 3464 USBSTOR - ok
19:07:07.0953 3464 [ 0D3A8FAFCEACD8B7625CD549757A7DF1 ] VgaSave C:\WINDOWS\System32\drivers\vga.sys
19:07:08.0140 3464 VgaSave - ok
19:07:08.0156 3464 ViaIde - ok
19:07:08.0187 3464 [ 4C8FCB5CC53AAB716D810740FE59D025 ] VolSnap C:\WINDOWS\system32\drivers\VolSnap.sys
19:07:08.0359 3464 VolSnap - ok
19:07:08.0484 3464 [ 7A9DB3A67C333BF0BD42E42B8596854B ] VSS C:\WINDOWS\System32\vssvc.exe
19:07:08.0703 3464 VSS - ok
19:07:08.0750 3464 [ 54AF4B1D5459500EF0937F6D33B1914F ] W32Time C:\WINDOWS\system32\w32time.dll
19:07:08.0953 3464 W32Time - ok
19:07:09.0062 3464 [ E20B95BAEDB550F32DD489265C1DA1F6 ] Wanarp C:\WINDOWS\system32\DRIVERS\wanarp.sys
19:07:09.0234 3464 Wanarp - ok
19:07:09.0265 3464 [ 0A716C08CB13C3A8F4F51E882DBF7416 ] wanatw C:\WINDOWS\system32\DRIVERS\wanatw4.sys
19:07:09.0312 3464 wanatw - ok
19:07:09.0328 3464 WDICA - ok
19:07:09.0359 3464 [ 6768ACF64B18196494413695F0C3A00F ] wdmaud C:\WINDOWS\system32\drivers\wdmaud.sys
19:07:09.0531 3464 wdmaud - ok
19:07:09.0562 3464 [ 77A354E28153AD2D5E120A5A8687BC06 ] WebClient C:\WINDOWS\System32\webclnt.dll
19:07:12.0078 3464 WebClient - ok
19:07:12.0171 3464 [ 2D0E4ED081963804CCC196A0929275B5 ] winmgmt C:\WINDOWS\system32\wbem\WMIsvc.dll
19:07:12.0359 3464 winmgmt - ok
19:07:12.0515 3464 [ C51B4A5C05A5475708E3C81C7765B71D ] WmdmPmSN C:\WINDOWS\system32\MsPMSNSv.dll
19:07:12.0562 3464 WmdmPmSN - ok
19:07:12.0609 3464 [ E0673F1106E62A68D2257E376079F821 ] WmiApSrv C:\WINDOWS\system32\wbem\wmiapsrv.exe
19:07:12.0812 3464 WmiApSrv - ok
19:07:12.0953 3464 [ F74E3D9A7FA9556C3BBB14D4E5E63D3B ] WMPNetworkSvc C:\Program Files\Windows Media Player\WMPNetwk.exe
19:07:13.0078 3464 WMPNetworkSvc - ok
19:07:13.0140 3464 [ 6ABE6E225ADB5A751622A9CC3BC19CE8 ] WS2IFSL C:\WINDOWS\System32\drivers\ws2ifsl.sys
19:07:13.0343 3464 WS2IFSL - ok
19:07:13.0468 3464 [ 7C278E6408D1DCE642230C0585A854D5 ] wscsvc C:\WINDOWS\system32\wscsvc.dll
19:07:13.0656 3464 wscsvc - ok
19:07:13.0671 3464 [ 35321FB577CDC98CE3EB3A3EB9E4610A ] wuauserv C:\WINDOWS\system32\wuauserv.dll
19:07:13.0859 3464 wuauserv - ok
19:07:13.0953 3464 [ F15FEAFFFBB3644CCC80C5DA584E6311 ] WudfPf C:\WINDOWS\system32\DRIVERS\WudfPf.sys
19:07:14.0015 3464 WudfPf - ok
19:07:14.0046 3464 [ 28B524262BCE6DE1F7EF9F510BA3985B ] WudfRd C:\WINDOWS\system32\DRIVERS\wudfrd.sys
19:07:14.0093 3464 WudfRd - ok
19:07:14.0125 3464 [ 05231C04253C5BC30B26CBAAE680ED89 ] WudfSvc C:\WINDOWS\System32\WUDFSvc.dll
19:07:14.0187 3464 WudfSvc - ok
19:07:14.0265 3464 [ 81DC3F549F44B1C1FFF022DEC9ECF30B ] WZCSVC C:\WINDOWS\System32\wzcsvc.dll
19:07:14.0515 3464 WZCSVC - ok
19:07:14.0546 3464 [ 295D21F14C335B53CB8154E5B1F892B9 ] xmlprov C:\WINDOWS\System32\xmlprov.dll
19:07:14.0718 3464 xmlprov - ok
19:07:14.0750 3464 ================ Scan global ===============================
19:07:14.0828 3464 [ 42F1F4C0AFB08410E5F02D4B13EBB623 ] C:\WINDOWS\system32\basesrv.dll
19:07:14.0906 3464 [ 8C7DCA4B158BF16894120786A7A5F366 ] C:\WINDOWS\system32\winsrv.dll
19:07:14.0937 3464 [ 8C7DCA4B158BF16894120786A7A5F366 ] C:\WINDOWS\system32\winsrv.dll
19:07:14.0984 3464 [ 65DF52F5B8B6E9BBD183505225C37315 ] C:\WINDOWS\system32\services.exe
19:07:14.0984 3464 [Global] - ok
19:07:14.0984 3464 ================ Scan MBR ==================================
19:07:15.0015 3464 [ 09CE7397AF23D4C0B331B89D0297CC7E ] \Device\Harddisk0\DR0
19:07:15.0312 3464 \Device\Harddisk0\DR0 - ok
19:07:15.0312 3464 ================ Scan VBR ==================================
19:07:15.0328 3464 [ 0A50C3C54CE787DDCF0B7AC2639DF0E4 ] \Device\Harddisk0\DR0\Partition1
19:07:15.0328 3464 \Device\Harddisk0\DR0\Partition1 - ok
19:07:15.0328 3464 ============================================================
19:07:15.0328 3464 Scan finished
19:07:15.0328 3464 ============================================================
19:07:15.0453 3756 Detected object count: 22
19:07:15.0453 3756 Actual detected object count: 22
19:07:52.0187 3756 ACS ( UnsignedFile.Multi.Generic ) - skipped by user
19:07:52.0187 3756 ACS ( UnsignedFile.Multi.Generic ) - User select action: Skip
19:07:52.0187 3756 AegisP ( UnsignedFile.Multi.Generic ) - skipped by user
19:07:52.0187 3756 AegisP ( UnsignedFile.Multi.Generic ) - User select action: Skip
19:07:52.0187 3756 CFSvcs ( UnsignedFile.Multi.Generic ) - skipped by user
19:07:52.0187 3756 CFSvcs ( UnsignedFile.Multi.Generic ) - User select action: Skip
19:07:52.0187 3756 DLABOIOM ( UnsignedFile.Multi.Generic ) - skipped by user
19:07:52.0187 3756 DLABOIOM ( UnsignedFile.Multi.Generic ) - User select action: Skip
19:07:52.0203 3756 DLACDBHM ( UnsignedFile.Multi.Generic ) - skipped by user
19:07:52.0203 3756 DLACDBHM ( UnsignedFile.Multi.Generic ) - User select action: Skip
19:07:52.0203 3756 DLADResN ( UnsignedFile.Multi.Generic ) - skipped by user
19:07:52.0203 3756 DLADResN ( UnsignedFile.Multi.Generic ) - User select action: Skip
19:07:52.0218 3756 DLAIFS_M ( UnsignedFile.Multi.Generic ) - skipped by user
19:07:52.0218 3756 DLAIFS_M ( UnsignedFile.Multi.Generic ) - User select action: Skip
19:07:52.0234 3756 DLAOPIOM ( UnsignedFile.Multi.Generic ) - skipped by user
19:07:52.0234 3756 DLAOPIOM ( UnsignedFile.Multi.Generic ) - User select action: Skip
19:07:52.0234 3756 DLAPoolM ( UnsignedFile.Multi.Generic ) - skipped by user
19:07:52.0234 3756 DLAPoolM ( UnsignedFile.Multi.Generic ) - User select action: Skip
19:07:52.0234 3756 DLARTL_N ( UnsignedFile.Multi.Generic ) - skipped by user
19:07:52.0234 3756 DLARTL_N ( UnsignedFile.Multi.Generic ) - User select action: Skip
19:07:52.0250 3756 DLAUDFAM ( UnsignedFile.Multi.Generic ) - skipped by user
19:07:52.0250 3756 DLAUDFAM ( UnsignedFile.Multi.Generic ) - User select action: Skip
19:07:52.0250 3756 DLAUDF_M ( UnsignedFile.Multi.Generic ) - skipped by user
19:07:52.0250 3756 DLAUDF_M ( UnsignedFile.Multi.Generic ) - User select action: Skip
19:07:52.0250 3756 DRVMCDB ( UnsignedFile.Multi.Generic ) - skipped by user
19:07:52.0250 3756 DRVMCDB ( UnsignedFile.Multi.Generic ) - User select action: Skip
19:07:52.0250 3756 DRVNDDM ( UnsignedFile.Multi.Generic ) - skipped by user
19:07:52.0250 3756 DRVNDDM ( UnsignedFile.Multi.Generic ) - User select action: Skip
19:07:52.0265 3756 DVD-RAM_Service ( UnsignedFile.Multi.Generic ) - skipped by user
19:07:52.0265 3756 DVD-RAM_Service ( UnsignedFile.Multi.Generic ) - User select action: Skip
19:07:52.0265 3756 LxrJD31d ( UnsignedFile.Multi.Generic ) - skipped by user
19:07:52.0265 3756 LxrJD31d ( UnsignedFile.Multi.Generic ) - User select action: Skip
19:07:52.0265 3756 meiudf ( UnsignedFile.Multi.Generic ) - skipped by user
19:07:52.0265 3756 meiudf ( UnsignedFile.Multi.Generic ) - User select action: Skip
19:07:52.0265 3756 Netdevio ( UnsignedFile.Multi.Generic ) - skipped by user
19:07:52.0265 3756 Netdevio ( UnsignedFile.Multi.Generic ) - User select action: Skip
19:07:52.0281 3756 Swupdtmr ( UnsignedFile.Multi.Generic ) - skipped by user
19:07:52.0281 3756 Swupdtmr ( UnsignedFile.Multi.Generic ) - User select action: Skip
19:07:52.0281 3756 TAPPSRV ( UnsignedFile.Multi.Generic ) - skipped by user
19:07:52.0281 3756 TAPPSRV ( UnsignedFile.Multi.Generic ) - User select action: Skip
19:07:52.0281 3756 TVALD ( UnsignedFile.Multi.Generic ) - skipped by user
19:07:52.0281 3756 TVALD ( UnsignedFile.Multi.Generic ) - User select action: Skip
19:07:52.0296 3756 Tvs ( UnsignedFile.Multi.Generic ) - skipped by user
19:07:52.0296 3756 Tvs ( UnsignedFile.Multi.Generic ) - User select action: Skip
19:10:40.0125 3824 Deinitialize success

oldman960
2012-10-10, 08:15
Hi two beers.

Next, please click your start button, click run
in the run box, type cmd
click ok
in the black command window that opens type ipconfig /flushdns
note there is a space between ipconfig and the /
hit enter
it should give you a message similar to "Successfully flushed the DNS Resolver Cache"
close the window
Try some searches and see how it goes.

two beers
2012-10-10, 08:37
oldman-

I did the above, but it's still redirecting.

oldman960
2012-10-10, 15:34
Hi two beers,

We'll use a CD that we will make bootable. We also need a USB flash drive that has some space on it. We will not be changing any of the data on the USB device, just using it for a file.

You will also need to use FireFox to download a file as Internet Explorer seems to mangle the download.

If you have any problems with these steps please let me know. These may look complicated but it's fairly straightforward and for the most part automated.


Download GETxPUD.exe (http://noahdfear.net/downloads/GETxPUD.exe) to your desktop.

Run GETxPUD.exe by double clicking it.
A new folder will appear on the desktop.
Open the GETxPUD folder and click on the get&burn.bat
The program will download xpud_0.9.2.iso, and when finished, it will open BurnCDCC which will be ready to burn the image.
Click on Start and follow the prompts to burn the image to a CD


Using FireFox, please download and save dumpit (http://noahdfear.net/downloads/dumpit) to your usb device.

You may want to print out this part as you will not be able to view these instructions.


Leave the usb device attached to the computer
Boot the infected computer with the CD you just burned
with the CD in the computer, restart the computer

The computer must be set to boot from the CD. Depending on your computer you can either do this by pressing F12 and selecting the CD as the first boot option, or it can be set in the BIOS.
Once you have the computer set to boot from the CD allow it to boot
A Welcome to xPUD screen will appear
Click on File
Expand mnt
sda1,2...usually corresponds to your HDD
sdb1 is likely your USB
Click on the folder that represents your USB drive (sdb1 ?)
(you will be able to tell if it is the right one as the screen will populate with your files)
Locate the file you downloaded and saved earlier, dumpit
double click it to run it
a black window will open, follow the instructions to close the window when it's finished
a file called MBR.zip should now be placed in the right hand panel
Click the Home icon at top
Remove the CD and click Power off
Click restart


Once the computer has rebooted open the usb device and attach the MBR.zip file to your next reply.
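
Once the MBR.zip dump is in hand, a small parser like the one below is how I would sanity-check the dumped sector offline. This is an added example, not dumpit's code and not part of oldman960's instructions; it assumes the dump is the raw 512-byte first sector of the disk and builds its own constructed sample MBR so it runs without a real dump.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"          # bytes 510-511 of a valid MBR
ENTRY_FMT = "<B3xB3xII"               # status, [CHS start], type, [CHS end], LBA start, sector count


def parse_mbr(mbr: bytes) -> dict:
    """Split a raw 512-byte MBR into boot-code hash, disk signature and partition entries."""
    if len(mbr) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(mbr)}")
    partitions = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(ENTRY_FMT, mbr, 446 + 16 * i)
        if ptype != 0:  # type 0 means the slot is unused
            partitions.append({"slot": i, "bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {
        "signature_ok": mbr[510:512] == BOOT_SIGNATURE,
        "disk_signature": struct.unpack_from("<I", mbr, 440)[0],
        # hash of the executable boot code only; compare with a dump from a known-clean machine
        "code_sha256": hashlib.sha256(mbr[:440]).hexdigest(),
        "partitions": partitions,
    }


def check_mbr(info: dict) -> list:
    """Return plain-English findings that make a dumped MBR worth a closer look."""
    issues = []
    if not info["signature_ok"]:
        issues.append("missing 0x55AA boot signature")
    bootable = [p for p in info["partitions"] if p["bootable"]]
    if len(bootable) != 1:
        issues.append(f"{len(bootable)} bootable partitions (expected exactly 1)")
    spans = sorted((p["lba_start"], p["lba_start"] + p["sectors"]) for p in info["partitions"])
    for (_, end_a), (start_b, _) in zip(spans, spans[1:]):
        if start_b < end_a:
            issues.append("overlapping partition entries")
    return issues


def build_sample_mbr() -> bytes:
    """Constructed sample, not a real dump: one bootable NTFS partition at LBA 63."""
    mbr = bytearray(MBR_SIZE)
    mbr[0:3] = b"\x33\xc0\x8e"  # stand-in for boot code
    struct.pack_into("<I", mbr, 440, 0x1234ABCD)
    struct.pack_into(ENTRY_FMT, mbr, 446, 0x80, 0x07, 63, 2_000_000)
    mbr[510:512] = BOOT_SIGNATURE
    return bytes(mbr)
```

On a real dump, call parse_mbr on the first 512 bytes of the extracted file; the partition-table checks catch gross damage, but the useful comparison is code_sha256 against a dump from a known-clean install of the same OS, since modified boot code can leave the table perfectly valid.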

two beers
2012-10-13, 01:41
oldman- when I click on dumpit, it opens a Firefox page with lots of code strings; will this run?

oldman960
2012-10-13, 19:57
Hi two beers,

That's the same problem that happens in IE, it tries to open the file.

Try it this way. Right click the link and click save link as. Make sure the save as is set to all files

two beers
2012-10-14, 21:43
oldman-

hmm, after pressing F12, I get a black screen with:

PXE-E61: media test failure, check cable
PXE-MOF Exiting PXE system
Missing operating system_

I don't know if it's related, but I had noticed that I was unable to play CDs after the infection started.

oldman960
2012-10-15, 08:02
Hi two beers,

Click start
right click My Computer
click properties
click the hardware tab
click the device manager button
Are there any yellow exclamation marks or question marks beside any of the entries?

What is listed under DVD/CD rom drives?


What is the make and model of your computer?

two beers
2012-10-15, 21:27
oldman-

There are no question marks or exclamation points.

Under DVD/CD: Matshita DVD/CDRW UJDA770

It's a Toshiba Satellite A105 -S2141. It's old, but it has been a real warhorse until now.

oldman960
2012-10-16, 16:01
Hi two beers,

Click start
right click My Computer
click properties
click the hardware tab
click the device manager button
right click on the Cd rom that is listed
click properties
click the drivers tab
click driver details
what is listed there?

two beers
2012-10-16, 20:22
oldman,

Here are the driver details:

C:\Windows\system 32\DRIVERS\cdrom.sys
C:\Windows\System 32\Drivers\DLACDBHM.SYS
C:\Windows\System 32\Drivers\DRVMCDB.SYS
C:\Windows\system 32\DRIVERS\imapi.sys
C:\Windows\System 32\Drivers\PxHelp20.sys
C:\Windows\system 32\DRIVERS\redbook.sys
C:\Windows\system 32\Drivers\storprop.dll

oldman960
2012-10-17, 15:53
Hi two beers,

When did you install sonic?

Let's try changing the boot order in the bios.
place the xPUD disk in the CD player
reboot your computer
While the computer is rebooting you should see on the screen which key to press to enter the bios. It may be F2 for yours.

Once you have entered the BIOS look for a heading called boot order or something similar. Change the boot order so the CD is first, your hard drive second and the LAN or network last.

There should be instructions on the screen which keys to use to navigate in the BIOS and which one will save the changes and exit.

Once you exit the BIOS the computer should attempt to boot from the CD. If it is unable to boot from the CD it will either inform you that it can't or it will simply continue on to boot from the hard drive.

Let me know how you make out.

oldman960
2012-10-28, 17:48
Due to inactivity, this thread will now be closed.

Note: If it has been three days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh DDS log and a link to your previous thread. Please do not add any logs that might have been requested in the closed topic, as you would be starting fresh.