
Thread: Possible Trojan infection - FakeMoz.ED

  1. #1
    Member (Join Date: Feb 2009, Posts: 55)

    Possible Trojan infection - FakeMoz.ED

    Hit a problem with one of the family laptops that looks like it could be a Trojan.FakeMoz.ED infection. When the computer booted up, we got a security message saying that the firewall wasn't running. So I reactivated the firewall manually and all seemed well. Next boot-up, not only did it say that the firewall wasn't running, it also reported a problem with AVG. The firewall apparently activated manually again and checking AVG showed that Resident Shield wasn't running and couldn't be activated manually (the box at the bottom of the screen was greyed out).

    Suspecting a malware issue, I ran MBAM and it located and quarantined an infection - below is the extract from the log detailing what it found:

    Processes: 0
    (No malicious items detected)

    Modules: 0
    (No malicious items detected)

    Registry Keys: 1
    Trojan.Agent, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\SYSHOST32, Quarantined, [81cb3ffca3d94bebc848c8948f75916f],

    Registry Values: 1
    Trojan.Agent, HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\SYSHOST32|ImagePath, "C:\WINDOWS\Installer\{86EF14D4-A6DF-EBFD-96D2-93387672418F}\syshost.exe" /service, Quarantined, [81cb3ffca3d94bebc848c8948f75916f]

    Registry Data: 0
    (No malicious items detected)

    Folders: 0
    (No malicious items detected)

    Files: 1
    Trojan.FakeMoz.ED, C:\WINDOWS\Installer\{86EF14D4-A6DF-EBFD-96D2-93387672418F}\syshost.exe, Quarantined, [3517b685572542f4a06b81601be6ed13],

    Physical Sectors: 0
    (No malicious items detected)

    Running MBAM seemed to fix the firewall issue, as two subsequent reboots have reported no issue with it, but the problem with AVG is still there. Apart from the AVG issue, the machine seems to be running fine, as I'm using it to do this post, but obviously not having AVG running properly does leave it vulnerable.

    So I've followed the instructions and run the required scans, although I did hit one issue: because this was a second-hand ex-business machine, we've never had any admin password, so I couldn't run the scans as the admin. However, the only user profile on the machine has always been able to do all admin-level tasks OK in the past, so I'm hoping that it won't have made any difference.

    (Also, I know that some programs are a little out-of-date, but the machine is so old and low spec that it can't run the newer versions...)


    Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 13-11-2014 01
    Ran by IBM (administrator) on THINKPAD on 14-11-2014 15:33:55
    Running from C:\Documents and Settings\IBM\Desktop
    Loaded Profile: IBM (Available profiles: IBM & Administrator)
    Platform: Microsoft Windows XP Professional Service Pack 3 (X86) OS Language: English (United States)
    Internet Explorer Version 7
    Boot Mode: Normal
    Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic...ery-scan-tool/

    ==================== Processes (Whitelisted) =================

    (If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

    () C:\WINDOWS\system32\ibmpmsvc.exe
    (AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG9\avgchsvx.exe
    (AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG9\avgcsrvx.exe
    (AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG9\avgcsrvx.exe
    () C:\WINDOWS\system32\ati2evxx.exe
    (AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG9\avgwdsvc.exe
    (Oracle Corporation) C:\Program Files\Java\jre7\bin\jqs.exe
    (Hewlett-Packard Company) C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    () C:\WINDOWS\system32\QCONSVC.EXE
    (Microsoft Corporation) C:\WINDOWS\system32\wscntfy.exe
    (IBM Corporation) C:\WINDOWS\system32\tp4serv.exe
    (IBM Corp.) C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
    (Microsoft Corporation) C:\WINDOWS\system32\rundll32.exe
    () C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE
    () C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
    () C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    (Agere Systems) C:\WINDOWS\AGRSMMSG.exe
    (AVG Technologies CZ, s.r.o.) C:\PROGRA~1\AVG\AVG9\avgtray.exe
    (Oracle Corporation) C:\Program Files\Common Files\Java\Java Update\jusched.exe
    () C:\Program Files\802.11 Wireless LAN\802.11g Wireless Adapter HW.15 V.1.00\WlanCU.exe
    (AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG9\avgemc.exe
    (AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG9\avgnsx.exe
    (AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG9\avgcsrvx.exe
    (AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG9\avgcsrvx.exe
    (AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG9\avgcsrvx.exe
    (Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
    (Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
    (Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe
    (Microsoft Corporation) C:\WINDOWS\system32\dllhost.exe
    (Microsoft Corporation) C:\WINDOWS\system32\dllhost.exe


    ==================== Registry (Whitelisted) ==================

    (If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

    HKLM\...\Run: [ATIModeChange] => C:\WINDOWS\system32\Ati2mdxx.exe [28672 2002-06-12] (ATI Technologies, Inc.)
    HKLM\...\Run: [TrackPointSrv] => C:\WINDOWS\system32\tp4serv.exe [179200 2002-03-20] (IBM Corporation)
    HKLM\...\Run: [TPTRAY] => C:\Program Files\ThinkPad\Utilities\TP98TRAY.EXE [48128 2002-03-26] (IBM Corp.)
    HKLM\...\Run: [BMMGAG] => RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
    HKLM\...\Run: [QCTRAY] => C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE [491520 2002-07-15] ()
    HKLM\...\Run: [QCWLICON] => C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE [49152 2002-07-15] ()
    HKLM\...\Run: [TP4EX] => C:\WINDOWS\system32\tp4ex.exe [40960 2002-02-22] (IBM Corporation)
    HKLM\...\Run: [TPHOTKEY] => C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe [69632 2002-05-30] ()
    HKLM\...\Run: [UC_SMB] => [X]
    HKLM\...\Run: [Tgcmd] => C:\Program Files\Support.com\bin\tgcmd.exe [1519616 2001-11-07] (Support.com, Inc.)
    HKLM\...\Run: [AGRSMMSG] => C:\WINDOWS\AGRSMMSG.exe [88363 2003-06-27] (Agere Systems)
    HKLM\...\Run: [NeroCheck] => C:\WINDOWS\system32\\NeroCheck.exe [155648 2001-07-09] (Ahead Software Gmbh)
    HKLM\...\Run: [Adobe Reader Speed Launcher] => C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [39792 2009-10-03] (Adobe Systems Incorporated)
    HKLM\...\Run: [AVG9_TRAY] => C:\Program Files\AVG\AVG9\avgtray.exe [2077536 2012-01-26] (AVG Technologies CZ, s.r.o.)
    HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [935288 2009-09-04] (Adobe Systems Incorporated)
    HKLM\...\Run: [SunJavaUpdateSched] => C:\Program Files\Common Files\Java\Java Update\jusched.exe [271744 2014-09-26] (Oracle Corporation)
    Winlogon\Notify\avgrsstarter: C:\WINDOWS\system32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
    HKU\S-1-5-21-247674877-3848448594-3852255402-1004\...\Run: [updateMgr] => "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_1_0 -reboot 1
    HKU\S-1-5-21-247674877-3848448594-3852255402-1004\...\MountPoints2: {9e452150-6d2a-11dd-b2de-0018e7297566} - E:\LaunchU3.exe -a
    Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Find Fast.lnk
    ShortcutTarget: Microsoft Find Fast.lnk -> C:\Program Files\Microsoft Office\Office\FINDFAST.EXE ()
    Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Wireless Configuration Utility HW.15.lnk
    ShortcutTarget: Wireless Configuration Utility HW.15.lnk -> C:\Program Files\802.11 Wireless LAN\802.11g Wireless Adapter HW.15 V.1.00\WlanCU.exe ()
    Startup: C:\Documents and Settings\IBM\Start Menu\Programs\Startup\Microsoft Office Fast Start.lnk
    ShortcutTarget: Microsoft Office Fast Start.lnk -> C:\MSOffice\Office\FASTBOOT.EXE ()

    ==================== Internet (Whitelisted) ====================

    (If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

    HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Documents/Links_07.htm
    HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir...ie&ar=iesearch
    HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.orange.co.uk
    HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.orange.co.uk
    SearchScopes: HKCU - DefaultScope {2737D436-02AF-442D-87F4-70874E2A19E8} URL = http://www.google.co.uk/search?hl=en&q={searchTerms}&meta=
    SearchScopes: HKCU - {2737D436-02AF-442D-87F4-70874E2A19E8} URL = http://www.google.co.uk/search?hl=en&q={searchTerms}&meta=
    BHO: Adobe PDF Reader Link Helper -> {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -> C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
    BHO: AVG Safe Search -> {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} -> C:\Program Files\AVG\AVG9\avgssie.dll (AVG Technologies CZ, s.r.o.)
    BHO: Spybot-S&D IE Protection -> {53707962-6F74-2D53-2644-206D7942484F} -> C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
    BHO: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
    BHO: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
    Toolbar: HKLM - Orange Toolbar - {E97B5F2E-CA8E-4D34-BDA3-44EEC4ED2B12} - C:\Program Files\Orange Toolbar UK\ToolbarContainer211.dll (Copernic Technologies Inc.)
    DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://appldnld.apple.com.edgesuite....x/qtplugin.cab
    DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} http://upload.facebook.com/controls/...oUploader5.cab
    DPF: {2DAD3559-2923-4935-AD49-B673D2539944} http://www-307.ibm.com/pc/support/acpir.cab
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsu...?1166184064923
    DPF: {74FFE28D-2378-11D5-990C-006094235084} https://www-307.ibm.com/pc/support/a...t/IbmEgath.cab
    DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} http://upload.facebook.com/controls/...Uploader55.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get.../ultrashim.cab
    DPF: {BE415DD9-C50D-46AA-9B5D-37F2EEBBBFE6} https://www-307.ibm.com/pc/support/a...AcpControl.cab
    Handler: lid - {5C135180-9973-46D9-ABF4-148267CBB8BF} - C:\WINDOWS\System32\msvidctl.dll (Microsoft Corporation)
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll (AVG Technologies CZ, s.r.o.)
    Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
    Tcpip\Parameters: [DhcpNameServer] 192.168.1.1

    FireFox:
    ========
    FF ProfilePath: C:\Documents and Settings\IBM\Application Data\Mozilla\Firefox\Profiles\it92t6zv.default
    FF Homepage: file:///C:/Documents/Links_07.htm
    FF NetworkProxy: "no_proxies_on", "localhost,127.0.0.1"
    FF Plugin: @adobe.com/FlashPlayer -> C:\WINDOWS\system32\Macromed\Flash\NPSWF32_12_0_0_44.dll ()
    FF Plugin: @java.com/DTPlugin,version=10.71.2 -> C:\Program Files\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
    FF Plugin: @java.com/JavaPlugin,version=10.71.2 -> C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
    FF Plugin: @microsoft.com/WPF,version=3.5 -> C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
    FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
    FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
    FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npnul32.dll (mozilla.org)
    FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\nppdf32.dll (Adobe Systems Inc.)
    FF SearchPlugin: C:\Program Files\mozilla firefox\searchplugins\answers.xml
    FF SearchPlugin: C:\Program Files\mozilla firefox\searchplugins\creativecommons.xml
    FF Extension: British English Dictionary - C:\Documents and Settings\IBM\Application Data\Mozilla\Firefox\Profiles\it92t6zv.default\Extensions\en-GB@dictionaries.addons.mozilla.org [2010-12-10]
    FF Extension: external IP - C:\Documents and Settings\IBM\Application Data\Mozilla\Firefox\Profiles\it92t6zv.default\Extensions\externalip@erik.morlin [2010-01-25]
    FF Extension: printpdf - C:\Documents and Settings\IBM\Application Data\Mozilla\Firefox\Profiles\it92t6zv.default\Extensions\printpdf@pavlov.net [2010-08-10]
    FF Extension: YouTube Unblocker - C:\Documents and Settings\IBM\Application Data\Mozilla\Firefox\Profiles\it92t6zv.default\Extensions\youtubeunblocker@unblocker.yt [2013-06-09]
    FF Extension: Microsoft .NET Framework Assistant - C:\Documents and Settings\IBM\Application Data\Mozilla\Firefox\Profiles\it92t6zv.default\Extensions\{20a82645-c095-46ed-80e3-08825760534b} [2010-04-28]
    FF Extension: Media Converter - C:\Documents and Settings\IBM\Application Data\Mozilla\Firefox\Profiles\it92t6zv.default\Extensions\{6e764c17-863a-450f-bdd0-6772bd5aaa18} [2009-04-07]
    FF Extension: DownloadHelper - C:\Documents and Settings\IBM\Application Data\Mozilla\Firefox\Profiles\it92t6zv.default\Extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d} [2014-03-25]
    FF Extension: RightToClick - C:\Documents and Settings\IBM\Application Data\Mozilla\Firefox\Profiles\it92t6zv.default\Extensions\{cd617375-6743-4ee8-bac4-fbf10f35729e} [2012-01-23]
    FF Extension: Adblock Plus - C:\Documents and Settings\IBM\Application Data\Mozilla\Firefox\Profiles\it92t6zv.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} [2012-01-06]
    FF Extension: Block site - C:\Documents and Settings\IBM\Application Data\Mozilla\Firefox\Profiles\it92t6zv.default\Extensions\{dd3d7613-0246-469d-bc65-2a3cc1668adc} [2013-08-12]
    FF Extension: DownThemAll! - C:\Documents and Settings\IBM\Application Data\Mozilla\Firefox\Profiles\it92t6zv.default\Extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8} [2013-04-03]
    FF Extension: Web2PDF converter - C:\Documents and Settings\IBM\Application Data\Mozilla\Firefox\Profiles\it92t6zv.default\Extensions\{e8f509f0-b677-11de-8a39-0800200c9a66} [2011-07-07]
    FF Extension: Java Console - C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} [2009-03-06]
    FF Extension: Java Console - C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} [2009-04-01]
    FF Extension: Java Console - C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} [2009-06-10]
    FF Extension: Java Console - C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} [2009-08-04]
    FF Extension: Java Console - C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} [2009-11-04]
    FF Extension: Java Console - C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} [2010-04-15]
    FF Extension: Java Console - C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} [2010-08-14]
    FF Extension: Java Console - C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} [2010-10-15]
    FF Extension: Java Console - C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} [2011-01-15]
    FF Extension: Java Console - C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} [2011-02-16]
    FF Extension: Java Console - C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} [2011-06-15]
    FF Extension: Java Console - C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA} [2012-06-20]
    FF HKLM\...\Firefox\Extensions: [{3f963a5b-e555-4543-90e2-c3908898db71}] - C:\Program Files\AVG\AVG9\Firefox
    FF Extension: AVG Safe Search - C:\Program Files\AVG\AVG9\Firefox [2009-11-05]
    FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF Extension: Microsoft .NET Framework Assistant - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2009-08-22]

    Chrome:
    =======
    CHR HomePage: Default -> file:///C:/Documents/Links_07.htm
    CHR StartupUrls: Default -> "file:///C:/Documents/Links_07.htm"
    CHR Profile: C:\Documents and Settings\IBM\Local Settings\Application Data\Google\Chrome\User Data\Default
    CHR Extension: (Google Drive) - C:\Documents and Settings\IBM\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2012-12-12]
    CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Documents and Settings\IBM\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-05-22]
    CHR Extension: (YouTube) - C:\Documents and Settings\IBM\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2012-12-12]
    CHR Extension: (Google Search) - C:\Documents and Settings\IBM\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2012-12-12]
    CHR Extension: (Google Wallet) - C:\Documents and Settings\IBM\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-09-01]
    CHR Extension: (Adblock Pro) - C:\Documents and Settings\IBM\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\ocifcklkibdehekfnmflempfgjhbedch [2014-01-19]
    CHR Extension: (Gmail) - C:\Documents and Settings\IBM\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2012-12-12]

    ========================== Services (Whitelisted) =================

    (If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

    Locked "13c0aa386e2175ba" service could not be unlocked. <===== ATTENTION

    R2 Ati HotKey Poller; C:\WINDOWS\System32\Ati2evxx.exe [131072 2002-06-12] ()
    R2 avg9emc; C:\Program Files\AVG\AVG9\avgemc.exe [921952 2010-07-21] (AVG Technologies CZ, s.r.o.)
    R2 avg9wd; C:\Program Files\AVG\AVG9\avgwdsvc.exe [308136 2010-07-21] (AVG Technologies CZ, s.r.o.)
    R2 IBMPMSVC; C:\WINDOWS\system32\ibmpmsvc.exe [57344 2003-07-03] ()
    S3 IDriverT; C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe [69632 2005-11-14] (Macrovision Corporation) [File not signed]
    R2 JavaQuickStarterService; C:\Program Files\Java\jre7\bin\jqs.exe [182696 2014-10-18] (Oracle Corporation)
    R2 QCONSVC; C:\WINDOWS\System32\QCONSVC.EXE [40960 2002-07-15] () [File not signed]
    S4 NMIndexingService; "C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe" [X]

    ==================== Drivers (Whitelisted) ====================

    (If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

    R2 AegisP; C:\WINDOWS\System32\DRIVERS\AegisP.sys [21419 2007-10-22] (Meetinghouse Data Communications) [File not signed]
    R1 AvgLdx86; C:\WINDOWS\System32\Drivers\avgldx86.sys [226016 2013-01-15] (AVG Technologies CZ, s.r.o.)
    S1 AvgMfx86; C:\WINDOWS\System32\Drivers\avgmfx86.sys [29712 2011-09-13] (AVG Technologies CZ, s.r.o.)
    R1 AvgTdiX; C:\WINDOWS\System32\Drivers\avgtdix.sys [243152 2011-05-06] (AVG Technologies CZ, s.r.o.)
    R1 DSMBATT; C:\WINDOWS\System32\drivers\DSMBATT.SYS [9888 2002-04-05] () [File not signed]
    R2 EGATHDRV; C:\WINDOWS\system32\EGATHDRV.SYS [11712 2006-06-29] (IBM Corporation)
    R3 IBMPMDRV; C:\WINDOWS\System32\DRIVERS\ibmpmdrv.sys [11344 2003-07-03] (IBM Corp.)
    R1 IBMTPCHK; C:\WINDOWS\System32\drivers\IBMBLDID.SYS [2295 2002-07-15] () [File not signed]
    R2 PMEM; C:\WINDOWS\system32\drivers\PMEMNT.SYS [7012 2001-09-13] (Microsoft Corporation) [File not signed]
    R3 Rasirda; C:\WINDOWS\System32\DRIVERS\rasirda.sys [19584 2001-08-17] (Microsoft Corporation)
    R3 rtl8185; C:\WINDOWS\System32\DRIVERS\rtl8185.sys [306304 2007-01-29] (Realtek Semiconductor Corporation ) [File not signed]
    R1 Smapint; C:\WINDOWS\System32\drivers\Smapint.sys [13824 2002-03-26] (Microsoft Corporation) [File not signed]
    R1 TDSMAPI; C:\WINDOWS\System32\Drivers\TDSMAPI.SYS [7168 2002-03-26] () [File not signed]
    R3 Tp4Track; C:\WINDOWS\System32\DRIVERS\tp4track.sys [14175 2002-03-20] (IBM Corporation)
    R1 TPHKDRV; C:\WINDOWS\system32\Drivers\TPHKDRV.sys [11550 2002-01-28] (IBM Corporation) [File not signed]
    R1 TPPWR; C:\WINDOWS\System32\drivers\Tppwr.sys [12288 2002-03-26] (IBM Corp.) [File not signed]
    R1 TSMAPIP; C:\WINDOWS\System32\drivers\TSMAPIP.SYS [7168 2002-03-26] () [File not signed]
    U5 13c0aa386e2175ba; C:\Windows\System32\Drivers\13c0aa386e2175ba.sys [70528 2014-11-13] () <===== ATTENTION Necurs Rootkit?
    S4 hpt3xx; No ImagePath
    U5 ScsiPort; C:\WINDOWS\system32\drivers\scsiport.sys [96384 2008-04-13] (Microsoft Corporation)
    S3 SjyPkt; \??\C:\WINDOWS\System32\Drivers\SjyPkt.sys [X]

    ==================== NetSvcs (Whitelisted) ===================


    (If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


    ==================== One Month Created Files and Folders ========

    (If an entry is included in the fixlist, the file\folder will be moved.)

    2014-11-14 15:33 - 2014-11-14 15:34 - 00019360 _____ () C:\Documents and Settings\IBM\Desktop\FRST.txt
    2014-11-14 15:33 - 2014-11-14 15:34 - 00000000 ____D () C:\FRST
    2014-11-14 15:28 - 2014-11-14 15:28 - 00000000 ____D () C:\RegBackup
    2014-11-14 15:26 - 2014-11-14 15:26 - 00001887 _____ () C:\Documents and Settings\All Users\Desktop\Tweaking.com - Registry Backup.lnk
    2014-11-14 15:26 - 2014-11-14 15:26 - 00000000 ____D () C:\Program Files\Tweaking.com
    2014-11-14 15:26 - 2014-11-14 15:26 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\Tweaking.com
    2014-11-14 15:15 - 2014-11-14 15:15 - 05198336 _____ (AVAST Software) C:\Documents and Settings\IBM\Desktop\aswMBR.exe
    2014-11-14 15:15 - 2014-11-14 15:15 - 01108480 _____ (Farbar) C:\Documents and Settings\IBM\Desktop\FRST.exe
    2014-11-14 15:14 - 2014-11-14 15:14 - 04215584 _____ () C:\Documents and Settings\IBM\Desktop\tweaking.com_registry_backup_setup.exe
    2014-11-14 03:04 - 2014-11-14 03:04 - 00001434 _____ () C:\Documents and Settings\IBM\Desktop\mbam_scan.txt
    2014-11-14 03:01 - 2014-11-14 03:01 - 00114904 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\46EE46CA.sys
    2014-11-14 00:27 - 2014-11-14 00:27 - 00114904 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\34C750CB.sys
    2014-11-13 20:19 - 2014-11-13 20:19 - 00070528 _____ () C:\WINDOWS\system32\Drivers\13c0aa386e2175ba.sys
    2014-11-10 16:36 - 2014-11-10 16:36 - 00242592 _____ () C:\Documents and Settings\IBM\Desktop\separate+-0.5.7.zip
    2014-10-24 23:32 - 2014-10-24 23:33 - 00000000 ____D () C:\Program Files\GUMF.tmp
    2014-10-19 00:19 - 2014-11-13 00:45 - 00016896 _____ () C:\Documents and Settings\IBM\Desktop\2015 Tour.xls
    2014-10-18 16:36 - 2014-10-18 16:36 - 00000000 ____D () C:\Program Files\Common Files\Java
    2014-10-18 16:35 - 2014-10-18 16:35 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\Java
    2014-10-18 16:35 - 2014-10-18 16:34 - 00272808 _____ (Oracle Corporation) C:\WINDOWS\system32\javaws.exe
    2014-10-18 16:35 - 2014-10-18 16:34 - 00175528 _____ (Oracle Corporation) C:\WINDOWS\system32\javaw.exe
    2014-10-18 16:35 - 2014-10-18 16:34 - 00175528 _____ (Oracle Corporation) C:\WINDOWS\system32\java.exe
    2014-10-18 16:35 - 2014-10-18 16:34 - 00145408 _____ (Oracle Corporation) C:\WINDOWS\system32\javacpl.cpl
    2014-10-18 16:35 - 2014-10-18 16:34 - 00096680 _____ (Oracle Corporation) C:\WINDOWS\system32\WindowsAccessBridge.dll

    ==================== One Month Modified Files and Folders =======

    (If an entry is included in the fixlist, the file\folder will be moved.)

    2014-11-14 15:34 - 2006-12-15 18:03 - 00000000 ____D () C:\Documents and Settings\IBM\Local Settings\Temp
    2014-11-14 15:29 - 2010-01-14 11:19 - 00256041 _____ () C:\WINDOWS\setupapi.log
    2014-11-14 15:28 - 2006-12-04 23:46 - 00000000 ____D () C:\WINDOWS\Registration
    2014-11-14 15:28 - 2006-12-04 23:37 - 00000000 ____D () C:\WINDOWS\repair
    2014-11-14 15:25 - 2009-11-15 02:09 - 00000000 _____ () C:\Documents and Settings\IBM\Local Settings\Application Data\prvlcl.dat
    2014-11-14 15:20 - 2008-06-22 14:05 - 00000000 ____D () C:\WINDOWS\system32\Drivers\Avg
    2014-11-14 15:11 - 2007-10-22 13:22 - 00007356 _____ () C:\WINDOWS\RTacDbg.txt
    2014-11-14 15:08 - 2012-12-12 16:25 - 00000882 _____ () C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
    2014-11-14 15:08 - 2006-12-04 23:50 - 00000006 ____H () C:\WINDOWS\Tasks\SA.DAT
    2014-11-14 15:08 - 2006-12-04 23:44 - 00000157 _____ () C:\WINDOWS\wiadebug.log
    2014-11-14 15:08 - 2006-12-04 23:44 - 00000050 _____ () C:\WINDOWS\wiaservc.log
    2014-11-14 15:08 - 1980-01-01 08:00 - 00002206 _____ () C:\WINDOWS\system32\wpa.dbl
    2014-11-14 03:17 - 2006-12-15 19:17 - 01076008 _____ () C:\WINDOWS\WindowsUpdate.log
    2014-11-14 03:17 - 2006-12-15 18:03 - 00000178 ___SH () C:\Documents and Settings\IBM\ntuser.ini
    2014-11-14 03:17 - 2006-12-05 00:15 - 00031988 _____ () C:\WINDOWS\SchedLgU.Txt
    2014-11-14 03:13 - 2006-12-05 00:21 - 00000314 _____ () C:\WINDOWS\Tasks\BMMTask.job
    2014-11-14 02:43 - 2012-12-12 16:25 - 00000886 _____ () C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
    2014-11-14 01:34 - 2012-01-11 17:40 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2646524$
    2014-11-13 20:25 - 2014-08-06 14:25 - 00114904 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
    2014-11-13 20:24 - 2014-08-06 14:24 - 00000788 _____ () C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
    2014-11-13 20:24 - 2014-08-06 14:24 - 00000000 ____D () C:\Program Files\Malwarebytes Anti-Malware
    2014-11-13 20:24 - 2014-08-06 14:24 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes Anti-Malware
    2014-11-13 02:15 - 2007-12-02 16:46 - 00000551 _____ () C:\WINDOWS\IBM.xlb
    2014-11-08 18:23 - 2013-06-02 14:26 - 00000000 ____D () C:\Documents and Settings\IBM\Desktop\Derbyshire Heritage Walks
    2014-11-08 00:12 - 2010-07-30 07:13 - 00000000 ____D () C:\Documents and Settings\IBM\Desktop\Desktop cleanup
    2014-11-08 00:11 - 2014-08-17 12:54 - 00000000 ____D () C:\Documents and Settings\IBM\Desktop\2014
    2014-10-27 15:49 - 2007-09-24 10:58 - 00131584 _____ () C:\Documents and Settings\IBM\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    2014-10-26 13:54 - 2006-12-04 23:40 - 00509652 _____ () C:\WINDOWS\system32\PerfStringBackup.INI
    2014-10-25 22:40 - 2010-07-30 07:51 - 00000000 ____D () C:\Documents and Settings\IBM\Application Data\vlc
    2014-10-25 21:53 - 2011-01-14 01:00 - 00000000 ____D () C:\Documents and Settings\IBM\Application Data\dvdcss
    2014-10-18 16:34 - 2007-09-24 13:27 - 00000000 ____D () C:\Program Files\Java

    Some content of TEMP:
    ====================
    C:\Documents and Settings\Administrator\Local Settings\Temp\hhupd.exe
    C:\Documents and Settings\Administrator\Local Settings\Temp\ntfsfix.exe
    C:\Documents and Settings\Administrator\Local Settings\Temp\Shockwave_Installer_Full-8-5.exe
    C:\Documents and Settings\Default User\Local Settings\Temp\hhupd.exe
    C:\Documents and Settings\Default User\Local Settings\Temp\ntfsfix.exe
    C:\Documents and Settings\Default User\Local Settings\Temp\Shockwave_Installer_Full-8-5.exe
    C:\Documents and Settings\IBM\Local Settings\Temp\jre-7u65-windows-i586-iftw.exe
    C:\Documents and Settings\IBM\Local Settings\Temp\jre-7u67-windows-i586-iftw.exe
    C:\Documents and Settings\IBM\Local Settings\Temp\jre-7u71-windows-i586-iftw.exe
    C:\Documents and Settings\IBM\Local Settings\Temp\{1ACB7F4D-5850-43BD-917E-D317FFF39891}-37.0.2062.124_37.0.2062.120_chrome_updater.exe


    ==================== Bamital & volsnap Check =================

    (There is no automatic fix for files that do not pass verification.)

    C:\WINDOWS\explorer.exe => File is digitally signed
    C:\WINDOWS\system32\winlogon.exe => File is digitally signed
    C:\WINDOWS\system32\svchost.exe => File is digitally signed
    C:\WINDOWS\system32\services.exe => File is digitally signed
    C:\WINDOWS\system32\User32.dll => File is digitally signed
    C:\WINDOWS\system32\userinit.exe => File is digitally signed
    C:\WINDOWS\system32\rpcss.dll => File is digitally signed
    C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed

    ==================== End Of Log ============================


    Additional scan result of Farbar Recovery Scan Tool (x86) Version: 13-11-2014 01
    Ran by IBM at 2014-11-14 15:36:08
    Running from C:\Documents and Settings\IBM\Desktop
    Boot Mode: Normal
    ==========================================================


    ==================== Security Center ========================

    (If an entry is included in the fixlist, it will be removed.)

    AV: AVG Anti-Virus Free (Disabled - Up to date) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

    ==================== Installed Programs ======================

    (Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

    802.11g Wireless Adapter HW.15 V.1.00 (HKLM\...\InstallShield_{F266A90C-3F4A-4F65-9901-3DBBB0D77D80}) (Version: 1.00.0000 - )
    802.11g Wireless Adapter HW.15 V.1.00 (Version: 1.00.0000 - ) Hidden
    Access ThinkPad (HKLM\...\{B5599ECB-DA72-43EE-8A30-2C80396FF8BB}) (Version: 3.5 - IBM Corporation)
    Adobe Flash Player 11 ActiveX (HKLM\...\Adobe Flash Player ActiveX) (Version: 11.6.602.180 - Adobe Systems Incorporated)
    Adobe Flash Player 12 Plugin (HKLM\...\Adobe Flash Player Plugin) (Version: 12.0.0.44 - Adobe Systems Incorporated)
    Adobe Reader 8.1.7 (HKLM\...\{AC76BA86-7AD7-1033-7B44-A81300000003}) (Version: 8.1.7 - Adobe Systems Incorporated)
    Agere Systems AC'97 Modem (HKLM\...\Agere Systems Soft Modem) (Version: 2.1.31 - )
    ArcSoft PhotoStudio 5 (HKLM\...\{03F1CC67-5BD8-4C36-8394-76311B2AE69A}) (Version: - )
    ATI Display Driver (HKLM\...\ATI Display Driver) (Version: - )
    Audacity 1.2.6 (HKLM\...\Audacity_is1) (Version: - )
    AVG Free 9.0 (HKLM\...\AVG9Uninstall) (Version: - AVG Technologies)
    Bullzip PDF Printer 10.3.0.2191 (HKLM\...\Bullzip PDF Printer_is1) (Version: 10.3.0.2191 - Bullzip)
    Canon CanoScan Toolbox 4.1 (HKLM\...\{BCE46757-7674-4416-BEDB-68205A60409E}) (Version: - )
    CanoScan LiDE20,30 Manual (HKLM\...\{B360A8E5-C171-4AAE-9777-65B3CDB0072C}) (Version: - )
    Critical Update for Windows Media Player 11 (KB959772) (HKLM\...\KB959772_WM11) (Version: - Microsoft Corporation)
    dBpoweramp FLAC Codec (HKLM\...\dBpoweramp FLAC Codec) (Version: Release 10 (FLAC 1.2.0) - Illustrate)
    dBpoweramp m4a Codec (HKLM\...\dBpoweramp m4a Codec) (Version: Release 9 - Illustrate)
    dBpoweramp Music Converter (HKLM\...\dBpoweramp Music Converter) (Version: Release 12.3 - )
    dBpoweramp Shorten Codec (HKLM\...\dBpoweramp Shorten Codec) (Version: - )
    dBpoweramp Windows Media Audio 10 Codec (HKLM\...\dBpoweramp Windows Media Audio 10 Codec) (Version: - )
    DOOM Collector's Edition (HKLM\...\DOOM Collector's Edition) (Version: - )
    FileZilla (remove only) (HKLM\...\FileZilla) (Version: - )
    FLV Player (HKLM\...\FLV Player2.0 ) (Version: 2.0 - Applian Technologies Inc.)
    FLV Player 2.0 (build 25) (HKLM\...\FLV Player) (Version: 2.0 (build 25) - Martijn de Visser)
    Google Chrome (HKLM\...\Google Chrome) (Version: 38.0.2125.111 - Google Inc.)
    Google Update Helper (Version: 1.3.25.11 - Google Inc.) Hidden
    IBM Access Connections (HKLM\...\{22B71A00-4DED-11D4-A5E5-0004AC564F43}) (Version: - )
    IBM Rapid Restore PC Setup (HKLM\...\{3B7B3B4A-AF8C-4671-A92E-3E7E9ABCB22B}) (Version: 1.00.1100 - IBM Corporation)
    IBM ThinkPad Access Support (HKLM\...\IBM Access Support) (Version: - )
    IBM ThinkPad Power Management Driver (HKLM\...\Power Management Driver) (Version: 1.25.01 - )
    IBM TrackPoint Accessibility Features (HKLM\...\{EA664480-3844-11D5-8C25-444553540000}) (Version: - )
    IBM TrackPoint Support (HKLM\...\TrackPoint) (Version: - )
    Intel(R) PRO Ethernet Adapter and Software (HKLM\...\PROSet) (Version: - )
    InterVideo WinDVD (HKLM\...\{C1939820-A945-11D4-86F6-0001031E5712}) (Version: - InterVideo Inc.)
    Java 7 Update 71 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F03217071FF}) (Version: 7.0.710 - Oracle)
    LightScribe 1.6.43.1 (Version: 1.6.43.1 - http://www.lightscribe.com) Hidden
    Malwarebytes Anti-Malware version 2.0.3.1025 (HKLM\...\Malwarebytes Anti-Malware_is1) (Version: 2.0.3.1025 - Malwarebytes Corporation)
    Microsoft .NET Framework 2.0 Service Pack 2 (HKLM\...\{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}) (Version: 2.2.30729 - Microsoft Corporation)
    Microsoft .NET Framework 3.0 Service Pack 2 (HKLM\...\{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}) (Version: 3.2.30729 - Microsoft Corporation)
    Microsoft .NET Framework 3.5 SP1 (HKLM\...\Microsoft .NET Framework 3.5 SP1) (Version: - Microsoft Corporation)
    Microsoft Compression Client Pack 1.0 for Windows XP (HKLM\...\MSCompPackV1) (Version: 1 - Microsoft Corporation)
    Microsoft Excel 7.0 (HKLM\...\Excel) (Version: - )
    Microsoft User-Mode Driver Framework Feature Pack 1.0 (HKLM\...\Wudf01000) (Version: - Microsoft Corporation)
    Microsoft Visual C++ 2005 Redistributable (HKLM\...\{837b34e3-7c30-493c-8f6a-2b0f04e2912c}) (Version: 8.0.59193 - Microsoft Corporation)
    Microsoft Word 97 (HKLM\...\Word8.0) (Version: - )
    Mozilla Firefox (3.6.28) (HKLM\...\Mozilla Firefox (3.6.28)) (Version: 3.6.28 (en-US) - Mozilla)
    MSXML 6.0 Parser (KB933579) (HKLM\...\{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}) (Version: 6.10.1200.0 - Microsoft Corporation)
    Nero - Burning Rom (HKLM\...\{A4D7B764-4140-11D4-88EB-0050DA3579C0}) (Version: 5.5.9 - ahead software gmbh)
    Orange Siemens Router (HKLM\...\OrangeSiemens) (Version: - )
    Orange Toolbar (HKLM\...\OrangeToolbarUK) (Version: 1.0 - France Telecom SA)
    PhotoFinish® 4.1 (HKLM\...\pfinish41) (Version: - )
    Replay Converter 3 (HKLM\...\Replay Converter 3) (Version: 3.20 - Applian Technologies Inc.)
    Spybot - Search & Destroy (HKLM\...\{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1) (Version: 1.6.2 - Safer Networking Limited)
    Support.com Software (HKLM\...\Support.com) (Version: - )
    ThinkPad Configuration (HKLM\...\ThinkPad Configuration) (Version: - )
    ThinkPad FullScreen Magnifier (HKLM\...\ThinkPad FullScreen Magnifier) (Version: - )
    ThinkPad Software Installer (HKLM\...\ThinkPadSoftwareInstaller) (Version: - )
    Tweaking.com - Registry Backup (HKLM\...\Tweaking.com - Registry Backup) (Version: 1.10.1 - Tweaking.com)
    Uninstall PC-Doctor (HKLM\...\PC-Doctor) (Version: - )
    VLC media player 1.0.1 (HKLM\...\VLC media player) (Version: 1.0.1 - VideoLAN Team)
    WebFldrs XP (Version: 9.50.5318 - Microsoft Corporation) Hidden
    Windows Genuine Advantage Notifications (KB905474) (HKLM\...\WgaNotify) (Version: 1.9.0040.0 - Microsoft Corporation)
    Windows Genuine Advantage Validation Tool (KB892130) (HKLM\...\KB892130) (Version: - Microsoft Corporation)
    Windows Genuine Advantage Validation Tool (KB892130) (HKLM\...\WGA) (Version: 1.7.0069.2 - Microsoft Corporation)
    Windows Internet Explorer 7 (HKLM\...\ie7) (Version: 20061107.210142 - Microsoft Corporation)
    Windows Media Format 11 runtime (HKLM\...\Windows Media Format Runtime) (Version: - )
    Windows Media Player 11 (HKLM\...\Windows Media Player) (Version: - )
    Windows Rights Management Client Backwards Compatibility SP2 (HKLM\...\{EC905264-BCFE-423B-9C42-C3A106266790}) (Version: 5.2.70 - Microsoft)
    Windows Rights Management Client with Service Pack 2 (HKLM\...\{BDCF27CA-BFC4-4F49-8D24-A925C9505AB8}) (Version: 5.2.70 - Microsoft)
    Windows XP Service Pack 3 (HKLM\...\Windows XP Service Pack) (Version: 20080414.031525 - Microsoft Corporation)
    xp-AntiSpy 3.92 (HKLM\...\xp-AntiSpy) (Version: 3.92 - Christian Taubenheim)
    Xvid Video Codec (HKLM\...\Xvid Video Codec 1.3.2) (Version: 1.3.2 - Xvid Team)

    ==================== Custom CLSID (selected items): ==========================

    (If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)


    ==================== Restore Points =========================

    07-10-2014 22:22:27 System Checkpoint
    10-10-2014 10:23:40 System Checkpoint
    14-10-2014 16:56:13 System Checkpoint
    17-10-2014 15:02:43 System Checkpoint
    18-10-2014 16:32:57 Removed Java 7 Update 67
    18-10-2014 16:34:15 Installed Java 7 Update 71
    19-10-2014 17:18:02 System Checkpoint
    21-10-2014 17:16:15 System Checkpoint
    23-10-2014 17:02:34 System Checkpoint
    25-10-2014 17:18:25 System Checkpoint
    27-10-2014 18:08:20 System Checkpoint
    28-10-2014 18:16:45 System Checkpoint
    30-10-2014 18:02:37 System Checkpoint
    02-11-2014 18:47:01 System Checkpoint
    05-11-2014 14:49:57 Avg Update
    06-11-2014 18:00:06 System Checkpoint
    07-11-2014 18:44:35 System Checkpoint
    11-11-2014 18:30:56 System Checkpoint
    12-11-2014 18:35:17 System Checkpoint

    ==================== Hosts content: ==========================

    (If needed Hosts: directive could be included in the fixlist to reset Hosts.)

    1980-01-01 08:00 - 2014-05-29 16:41 - 00453965 ____R C:\WINDOWS\system32\Drivers\etc\hosts
    127.0.0.1 localhost

    There are 1000 more lines.


    ==================== Scheduled Tasks (whitelisted) =============


    (If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

    Task: C:\WINDOWS\Tasks\BMMTask.job => C:\PROGRA~1\ThinkPad\UTILIT~1\Bmmtask.exe
    Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files\Google\Update\GoogleUpdate.exe
    Task: C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files\Google\Update\GoogleUpdate.exe

    ==================== Loaded Modules (whitelisted) =============

    1980-01-01 08:00 - 2003-07-03 09:25 - 00057344 _____ () C:\WINDOWS\system32\ibmpmsvc.exe
    1980-01-01 08:00 - 2002-06-12 21:27 - 00131072 _____ () C:\WINDOWS\System32\Ati2evxx.exe
    2006-12-05 00:21 - 2002-07-15 10:20 - 00040960 _____ () C:\WINDOWS\System32\QCONSVC.EXE
    1980-01-01 08:00 - 2002-03-20 11:05 - 00114688 _____ () C:\WINDOWS\system32\tp4uires.dll
    2006-12-05 00:21 - 2002-07-15 10:20 - 00491520 _____ () C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE
    2006-12-05 00:21 - 2002-07-15 10:20 - 00376832 _____ () C:\Program Files\ThinkPad\ConnectUtilities\QCON.dll
    2006-12-05 00:21 - 2002-07-15 10:20 - 00049152 _____ () C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
    1980-01-01 08:00 - 2002-05-30 05:01 - 00069632 _____ () C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    1980-01-01 08:00 - 2001-11-14 01:16 - 00024576 _____ () C:\Program Files\ThinkPad\PkgMgr\HOTKEY_2\tphk_2k.dll
    2006-11-19 22:04 - 2006-11-19 22:04 - 00634880 _____ () C:\Program Files\802.11 Wireless LAN\802.11g Wireless Adapter HW.15 V.1.00\WlanCU.exe
    2007-10-22 13:20 - 2006-11-19 22:02 - 00049152 _____ () C:\Program Files\802.11 Wireless LAN\802.11g Wireless Adapter HW.15 V.1.00\WlanDll.dll
    2007-10-22 13:20 - 2006-07-29 03:05 - 00979035 _____ () C:\Program Files\802.11 Wireless LAN\802.11g Wireless Adapter HW.15 V.1.00\acAuth.dll
    1980-01-01 08:00 - 2008-04-14 00:11 - 00059904 _____ () C:\WINDOWS\System32\devenum.dll
    1980-01-01 08:00 - 2008-04-14 00:11 - 00014336 _____ () C:\WINDOWS\system32\msdmo.dll
    2014-10-28 19:45 - 2014-10-22 04:04 - 08910664 _____ () C:\Program Files\Google\Chrome\Application\38.0.2125.111\pdf.dll
    2014-10-28 19:45 - 2014-10-22 04:04 - 01681224 _____ () C:\Program Files\Google\Chrome\Application\38.0.2125.111\ffmpegsumo.dll

    ==================== Alternate Data Streams (whitelisted) =========

    (If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)


    ==================== Safe Mode (whitelisted) ===================

    (If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

    HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\UploadMgr => ""="Service"

    ==================== EXE Association (whitelisted) =============

    (If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)


    ==================== MSCONFIG/TASK MANAGER disabled items =========

    (Currently there is no automatic fix for this section.)


    ========================= Accounts: ==========================

    Administrator (S-1-5-21-247674877-3848448594-3852255402-500 - Administrator - Enabled) => %SystemDrive%\Documents and Settings\Administrator
    Guest (S-1-5-21-247674877-3848448594-3852255402-501 - Limited - Disabled)
    HelpAssistant (S-1-5-21-247674877-3848448594-3852255402-1003 - Limited - Disabled)
    IBM (S-1-5-21-247674877-3848448594-3852255402-1004 - Administrator - Enabled) => %SystemDrive%\Documents and Settings\IBM
    SUPPORT_388945a0 (S-1-5-21-247674877-3848448594-3852255402-1002 - Limited - Disabled)

    ==================== Faulty Device Manager Devices =============


    ==================== Event log errors: =========================

    Application errors:
    ==================
    Error: (11/08/2014 07:42:19 PM) (Source: Application Error) (EventID: 1000) (User: )
    Description: Faulting application chrome.exe, version 38.0.2125.111, faulting module chrome.dll, version 38.0.2125.111, fault address 0x00007d42.
    Processing media-specific event for [chrome.exe!ws!]

    Error: (11/04/2014 05:56:14 PM) (Source: Application Error) (EventID: 1000) (User: )
    Description: Faulting application chrome.exe, version 38.0.2125.111, faulting module chrome.dll, version 38.0.2125.111, fault address 0x00007d42.
    Processing media-specific event for [chrome.exe!ws!]

    Error: (10/27/2014 03:49:08 PM) (Source: Application Error) (EventID: 1000) (User: )
    Description: Faulting application explorer.exe, version 6.0.2900.5512, faulting module avisplitter.ax, version 1.0.0.7, fault address 0x000234e8.
    Processing media-specific event for [explorer.exe!ws!]

    Error: (10/20/2014 04:11:42 PM) (Source: Application Error) (EventID: 1000) (User: )
    Description: Faulting application chrome.exe, version 38.0.2125.104, faulting module chrome.dll, version 38.0.2125.104, fault address 0x00007d42.
    Processing media-specific event for [chrome.exe!ws!]

    Error: (10/19/2014 00:17:49 AM) (Source: Application Error) (EventID: 1000) (User: )
    Description: Faulting application chrome.exe, version 38.0.2125.104, faulting module chrome.dll, version 38.0.2125.104, fault address 0x00007d42.
    Processing media-specific event for [chrome.exe!ws!]

    Error: (10/04/2014 03:25:32 PM) (Source: Application Error) (EventID: 1000) (User: )
    Description: Faulting application chrome.exe, version 37.0.2062.124, faulting module chrome.dll, version 37.0.2062.124, fault address 0x00007f75.
    Processing media-specific event for [chrome.exe!ws!]

    Error: (09/23/2014 06:00:17 PM) (Source: Application Error) (EventID: 1000) (User: )
    Description: Faulting application chrome.exe, version 37.0.2062.120, faulting module chrome.dll, version 37.0.2062.120, fault address 0x00008ad8.
    Processing media-specific event for [chrome.exe!ws!]

    Error: (09/07/2014 03:30:18 PM) (Source: Application Error) (EventID: 1001) (User: )
    Description: Fault bucket 478813462.
    The Wep key exchange did not result in a secure connection setup after 802.1x authentication. The current setting has been marked as failed and the Wireless connection will be disconnected.

    Error: (09/07/2014 03:17:35 PM) (Source: Application Error) (EventID: 1000) (User: )
    Description: Faulting application chrome.exe, version 37.0.2062.103, faulting module chrome.dll, version 37.0.2062.103, fault address 0x002f07ed.
    Processing media-specific event for [chrome.exe!ws!]

    Error: (09/01/2014 11:33:40 PM) (Source: Application Error) (EventID: 1000) (User: )
    Description: Faulting application chrome.exe, version 36.0.1985.143, faulting module chrome.dll, version 36.0.1985.143, fault address 0x00007c31.
    Processing media-specific event for [chrome.exe!ws!]


    System errors:
    =============
    Error: (11/14/2014 03:11:10 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
    Description: The SjyPkt service failed to start due to the following error:
    %%2

    Error: (11/14/2014 03:08:39 PM) (Source: Service Control Manager) (EventID: 7026) (User: )
    Description: The following boot-start or system-start driver(s) failed to load:
    AvgMfx86

    Error: (11/14/2014 02:59:20 AM) (Source: Service Control Manager) (EventID: 7026) (User: )
    Description: The following boot-start or system-start driver(s) failed to load:
    AvgMfx86

    Error: (11/14/2014 02:53:58 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
    Description: The SjyPkt service failed to start due to the following error:
    %%2

    Error: (11/14/2014 01:36:07 AM) (Source: Service Control Manager) (EventID: 7026) (User: )
    Description: The following boot-start or system-start driver(s) failed to load:
    AvgMfx86

    Error: (11/14/2014 00:23:56 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
    Description: The SjyPkt service failed to start due to the following error:
    %%2

    Error: (11/14/2014 00:23:53 AM) (Source: Service Control Manager) (EventID: 7026) (User: )
    Description: The following boot-start or system-start driver(s) failed to load:
    AvgMfx86

    Error: (11/14/2014 00:18:10 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
    Description: The SjyPkt service failed to start due to the following error:
    %%2

    Error: (11/13/2014 08:36:54 PM) (Source: 0) (EventID: 1) (User: )
    Description: \Device\ACPIEC

    Error: (11/13/2014 08:19:57 PM) (Source: Service Control Manager) (EventID: 7028) (User: )
    Description: The wuauserv Registry key denied access to SYSTEM account programs so the Service Control Manager took ownership of the Registry key.


    Microsoft Office Sessions:
    =========================
    Error: (11/08/2014 07:42:19 PM) (Source: Application Error) (EventID: 1000) (User: )
    Description: chrome.exe38.0.2125.111chrome.dll38.0.2125.11100007d42

    Error: (11/04/2014 05:56:14 PM) (Source: Application Error) (EventID: 1000) (User: )
    Description: chrome.exe38.0.2125.111chrome.dll38.0.2125.11100007d42

    Error: (10/27/2014 03:49:08 PM) (Source: Application Error) (EventID: 1000) (User: )
    Description: explorer.exe6.0.2900.5512avisplitter.ax1.0.0.7000234e8

    Error: (10/20/2014 04:11:42 PM) (Source: Application Error) (EventID: 1000) (User: )
    Description: chrome.exe38.0.2125.104chrome.dll38.0.2125.10400007d42

    Error: (10/19/2014 00:17:49 AM) (Source: Application Error) (EventID: 1000) (User: )
    Description: chrome.exe38.0.2125.104chrome.dll38.0.2125.10400007d42

    Error: (10/04/2014 03:25:32 PM) (Source: Application Error) (EventID: 1000) (User: )
    Description: chrome.exe37.0.2062.124chrome.dll37.0.2062.12400007f75

    Error: (09/23/2014 06:00:17 PM) (Source: Application Error) (EventID: 1000) (User: )
    Description: chrome.exe37.0.2062.120chrome.dll37.0.2062.12000008ad8

    Error: (09/07/2014 03:30:18 PM) (Source: Application Error) (EventID: 1001) (User: )
    Description: 478813462

    Error: (09/07/2014 03:17:35 PM) (Source: Application Error) (EventID: 1000) (User: )
    Description: chrome.exe37.0.2062.103chrome.dll37.0.2062.103002f07ed

    Error: (09/01/2014 11:33:40 PM) (Source: Application Error) (EventID: 1000) (User: )
    Description: chrome.exe36.0.1985.143chrome.dll36.0.1985.14300007c31


    ==================== Memory info ===========================

    Processor: Mobile Intel(R) Pentium(R) 4 - M CPU 1.70GHz
    Percentage of memory in use: 50%
    Total physical RAM: 1022.98 MB
    Available physical RAM: 504.39 MB
    Total Pagefile: 1311.25 MB
    Available Pagefile: 555.52 MB
    Total Virtual: 2047.88 MB
    Available Virtual: 1916.28 MB

    ==================== Drives ================================

    Drive c: (IBM_PRELOAD) (Fixed) (Total:17.22 GB) (Free:1.17 GB) NTFS ==>[Drive with boot components (Windows XP)]

    ==================== MBR & Partition Table ==================

    ========================================================
    Disk: 0 (Size: 18.6 GB) (Disk ID: A266A266)
    Partition 1: (Active) - (Size=17.2 GB) - (Type=07 NTFS)
    Partition 2: (Not Active) - (Size=1.4 GB) - (Type=1C)

    ==================== End Of Log ============================


    aswMBR version 1.0.1.2252 Copyright(c) 2014 AVAST Software
    Run date: 2014-11-14 15:37:49
    -----------------------------
    15:37:49.903 OS Version: Windows 5.1.2600 Service Pack 3
    15:37:49.903 Number of processors: 1 586 0x207
    15:37:49.903 ComputerName: THINKPAD UserName: IBM
    15:37:50.744 Initialze error C0000001 - driver not loaded
    15:43:41.990 AVAST engine defs: 14111301
    15:44:14.897 Service scanning
    15:44:21.837 Service 13c0aa386e2175ba C:\WINDOWS\System32\Drivers\13c0aa386e2175ba.sys **HIDDEN**
    15:44:23.499 Service 13c0aa386e2175ba C:\WINDOWS\System32\Drivers\13c0aa386e2175ba.sys **LOCKED**
    15:45:21.953 Modules scanning
    15:45:21.953 Disk 0 trace - called modules:
    15:45:21.963
    15:45:24.217 AVAST engine scan C:\WINDOWS
    15:46:16.271 AVAST engine scan C:\WINDOWS\system32
    15:51:00.610 AVAST engine scan C:\WINDOWS\system32\drivers
    15:51:25.246 AVAST engine scan C:\Documents and Settings\IBM
    16:11:53.502 AVAST engine scan C:\Documents and Settings\All Users
    16:16:24.732 Scan finished successfully
    16:17:03.818 The log file has been saved successfully to "C:\Documents and Settings\IBM\Desktop\aswMBR.txt"


    Hope you can help with this one as, while it may be an old and fairly slow machine, it is by far the most reliable computer I've ever had!!

  2. #2
    Malware Team-Emeritus
    Join Date
    Sep 2012
    Location
    Florida, USA
    Posts
    1,161

    Default

    Hi lather,

    My name is OCD. I would be more than happy to take a look at your log and help you with solving any malware problems you might have. Logs can take a while to research, so please be patient and know that I am working hard to get you a clean and functional system back in your hands. I'd be grateful if you would note the following:
    • I will be working on your malware issues; this may or may not solve other issues you have with your machine.
    • The fixes are specific to your problem and should only be used for the issues on this machine.
    • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
    • It's often worth reading through these instructions and printing them for ease of reference.
    • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
    • Please reply to this thread. Do not start a new topic.
    • Copy and Paste logs directly into the reply window. DO NOT attach the logs unless specifically instructed to do so.

    IMPORTANT NOTE : Please do not delete, download or install anything unless instructed to do so.

    DO NOT use any TOOLS such as Combofix or HijackThis fixes without supervision. Doing so could make your system inoperable and could require a full reinstall of your Operating System and losing all your programs and data.

    Please stay with this topic until I let you know that your system appears to be "All Clear"

    Important: All tools MUST be run from the Desktop.

    =========================

    As you've stated in your intro, you are well aware of the age of your computer. But please be mindful of the fact that Microsoft no longer offers updates for Windows XP. Even running a firewall and anti-virus, your computer will still be very vulnerable to infection. You should really consider upgrading to a supported operating system.

    With that said, you've managed to pick up a Necurs Rootkit. Let's see what we can do to remove it.

    =========================

    RogueKiller

    Download to your desktop RogueKiller (by tigzy)


      • Windows XP : Double click on the icon to run it.
      • Windows Vista, Windows 7 & 8 : Right click and select "Run as Administrator"
    • Quit all programs
    • Wait until Prescan has finished ...
    • Click on Scan, Do Not Fix Anything at this point.
    • Click the Report button, save the report to your desktop

    =========================

    In your next post please provide the following:
    • RogueKiller log
    OCD
    ----------
    Graduate of WTT Classroom
    Member of UNITE

    Threads will be closed if no response after 5 days

  3. #3
    Member
    Join Date
    Feb 2009
    Posts
    55

    Default

    Hi, and thanks for the help. Looked up the details of Necurs and it looks nasty!

    Here's the report:


    RogueKiller V10.0.6.0 [Nov 13 2014] by Adlice Software
    mail : http://www.adlice.com/contact/
    Feedback : http://forum.adlice.com
    Website : http://www.adlice.com/softwares/roguekiller/
    Blog : http://www.adlice.com

    Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
    Started in : Normal mode
    User : IBM [Administrator]
    Mode : Scan -- Date : 11/16/2014 00:35:09

    ¤¤¤ Processes : 0 ¤¤¤

    ¤¤¤ Registry : 9 ¤¤¤
    [PUP] HKEY_CLASSES_ROOT\CLSID\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} -> Found
    [PUP] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} -> Found
    [Root.Necurs] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\13c0aa386e2175ba -> Found
    [Root.Necurs] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\13c0aa386e2175ba -> Found
    [Root.Necurs] HKEY_LOCAL_MACHINE\System\ControlSet003\Services\13c0aa386e2175ba -> Found
    [PUM.HomePage] HKEY_USERS\S-1-5-21-247674877-3848448594-3852255402-1004\Software\Microsoft\Internet Explorer\Main | Start Page : file:///C:/Documents/Links_07.htm -> Found
    [PUM.SearchPage] HKEY_USERS\S-1-5-21-247674877-3848448594-3852255402-1004\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir...ie&ar=iesearch -> Found
    [PUM.StartMenu] HKEY_USERS\S-1-5-21-247674877-3848448594-3852255402-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowRecentDocs : 2 -> Found
    [PUM.DesktopIcons] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Found

    ¤¤¤ Tasks : 0 ¤¤¤

    ¤¤¤ Files : 0 ¤¤¤

    ¤¤¤ Hosts File : 0 [Too big!] ¤¤¤

    ¤¤¤ Antirootkit : 0 (Driver: Not loaded [0xc0000001]) ¤¤¤

    ¤¤¤ Web browsers : 1 ¤¤¤
    [PUM.HomePage][FIREFX:Config] it92t6zv.default : user_pref("browser.startup.homepage", "file:///C:/Documents/Links_07.htm"); -> Found

    ¤¤¤ MBR Check : ¤¤¤
    +++++ PhysicalDrive0: IC25N020ATCS04-0 +++++
    --- User ---
    [MBR] b6351a83af7db8b2b21a75bce7ef0bde
    [BSP] 8ac2aeb576eb43be8ab59644d36fa76e : Unknown MBR Code
    Partition table:
    0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 63 | Size: 17637 MB
    1 - [XXXXXX] FAT32-LBA (0x1c) [HIDDEN!] Offset (sectors): 36121680 | Size: 1439 MB
    User = LL1 ... OK
    User = LL2 ... OK
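The aswMBR output in the first post and the RogueKiller report above both name the same service; the Python below, an added example that is not code from the thread or from either scanner, parses those two line formats and joins them into one triage finding (a driver hidden from the OS that is also registered in several control sets, so it survives "Last Known Good"). The sample log text is constructed from the formats shown in the thread, and the verdict rule is an assumption of this example, not either tool's own logic.

```python
"""Correlate hidden-service indicators from aswMBR and RogueKiller logs.

Added example; not part of the forum thread or of either scanner.
aswMBR marks a driver service it could only see by a low-level scan as
**HIDDEN** / **LOCKED**; RogueKiller lists the service's registry key in
every control set where it is registered.  A service that is hidden on
disk AND present in two or more control sets is the persistence pattern
a Necurs-style kernel rootkit leaves behind.
"""
import re
from collections import defaultdict

# Constructed sample lines in the formats shown in the thread.
ASWMBR_LOG = """\
15:44:14.897 Service scanning
15:44:21.837 Service 13c0aa386e2175ba C:\\WINDOWS\\System32\\Drivers\\13c0aa386e2175ba.sys **HIDDEN**
15:44:23.499 Service 13c0aa386e2175ba C:\\WINDOWS\\System32\\Drivers\\13c0aa386e2175ba.sys **LOCKED**
15:45:21.953 Modules scanning
"""

ROGUEKILLER_LOG = """\
[PUP] HKEY_CLASSES_ROOT\\CLSID\\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} -> Not selected
[Root.Necurs] HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\13c0aa386e2175ba -> ERROR [4001]
[Root.Necurs] HKEY_LOCAL_MACHINE\\System\\ControlSet002\\Services\\13c0aa386e2175ba -> ERROR [4001]
[Root.Necurs] HKEY_LOCAL_MACHINE\\System\\ControlSet003\\Services\\13c0aa386e2175ba -> ERROR [4001]
"""

# "<time> Service <name> <path> **HIDDEN**"  (or **LOCKED**)
ASWMBR_RE = re.compile(
    r"^\S+\s+Service\s+(?P<name>\S+)\s+(?P<path>.+?)\s+\*\*(?P<flag>HIDDEN|LOCKED)\*\*\s*$"
)
# "[Tag] HKEY_LOCAL_MACHINE\System\<ControlSet>\Services\<name> -> <status>"
RK_SERVICE_RE = re.compile(
    r"^\[(?P<tag>[^\]]+)\]\s+HKEY_LOCAL_MACHINE\\System\\"
    r"(?P<cs>CurrentControlSet|ControlSet\d+)\\Services\\(?P<name>[^\s\\]+)"
    r"\s+->\s+(?P<status>.+?)\s*$",
    re.IGNORECASE,
)


def parse_aswmbr(text):
    """Map service name -> {"path": str, "flags": set} for flagged services."""
    found = {}
    for line in text.splitlines():
        m = ASWMBR_RE.match(line)
        if m:
            entry = found.setdefault(m["name"], {"path": m["path"], "flags": set()})
            entry["flags"].add(m["flag"])
    return found


def parse_roguekiller(text):
    """Map service name -> {control_set: (tag, status)} for Services\\ keys."""
    found = defaultdict(dict)
    for line in text.splitlines():
        m = RK_SERVICE_RE.match(line)
        if m:
            found[m["name"]][m["cs"]] = (m["tag"], m["status"])
    return dict(found)


def correlate(aswmbr, roguekiller):
    """Join both views by service name and assign a triage verdict.

    Verdict rule (an assumption of this example, not either tool's logic):
      rootkit-suspect : hidden from the OS AND registered in >= 2 control sets
      review          : hidden, or a delete attempt failed, but not the above
      info            : everything else
    """
    findings = []
    for name in sorted(set(aswmbr) | set(roguekiller)):
        flags = aswmbr.get(name, {}).get("flags", set())
        cs_map = roguekiller.get(name, {})
        delete_failed = sorted(cs for cs, (_, st) in cs_map.items()
                               if st.upper().startswith("ERROR"))
        hidden = "HIDDEN" in flags
        if hidden and len(cs_map) >= 2:
            verdict = "rootkit-suspect"
        elif hidden or delete_failed:
            verdict = "review"
        else:
            verdict = "info"
        findings.append({
            "service": name,
            "path": aswmbr.get(name, {}).get("path"),
            "flags": sorted(flags),
            "control_sets": sorted(cs_map),
            "delete_failed": delete_failed,
            "verdict": verdict,
        })
    return findings


if __name__ == "__main__":
    for f in correlate(parse_aswmbr(ASWMBR_LOG), parse_roguekiller(ROGUEKILLER_LOG)):
        print(f"{f['verdict']:16} {f['service']}  sets={len(f['control_sets'])} "
              f"flags={','.join(f['flags'])} delete_failed={len(f['delete_failed'])}")
```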

  4. #4
    Malware Team-Emeritus
    Join Date
    Sep 2012
    Location
    Florida, USA
    Posts
    1,161

    Default

    Hi lather,

    Re-run RogueKiller

    Right click and select "Run as Administrator"
    • Quit all programs
    • Wait until Prescan has finished ...
    • Click on Scan.
    • After the scan has completed click on the Registry tab
    • Wait until the Status box shows "Scan Finished"
    • Click the Delete button
    • Wait until the Status box shows "Deleting Finished"
    • Click the Report button, save the report to your desktop

    =========================

    TDSSKiller

    Please download TDSSKiller.zip - Extract it to your desktop
    or from here >> http://www.bleepingcomputer.com/download/tdsskiller/
    • TDSSKiller.exe
      • Windows XP : Double click on the icon to run it.
      • Windows Vista, Windows 7 & 8 : Right click and select "Run as Administrator"
    • Press Start Scan
      • Only if Malicious objects are found then ensure Cure is selected
      • Then click Continue > Reboot now
    • Copy and paste the log in your next reply
      • A copy of the log will be saved automatically to the root of the drive (typically C:\)

    =========================

    Re-run Farbar Recovery Scan Tool; it should be on your desktop.
      • Windows XP : Double click on the icon to run it.
      • Windows Vista, Windows 7 & 8 : Right click and select "Run as Administrator"
    • When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.

    =========================

    In your next post please provide the following:
    • RogueKiller log
    • TDSSKiller log
    • new FRST.txt
    OCD

  5. #5
    Member
    Join Date
    Feb 2009
    Posts
    55

    Default

    OK, I've run the programs you asked for, and the results are included below. Things are definitely looking hopeful, as AVG is no longer reporting an error.

    One thought that has struck me, and that may need a little additional attention, is that when the problems first started, we'd got a second hard drive in the machine in a caddy in place of the DVD drive. As this was removed and the DVD drive re-installed before the issue was identified as being something more than a typical Windows start-up glitch, it hasn't been scanned by any of the programs used up to now. Is it possible that the infection could also have hit this drive (set up as a non-bootable D: drive containing an archive of data files like Word documents, pictures, videos and music tracks, plus archived software in zip files), and if so, what's going to be the best way of checking it to make sure it's OK?

    Anyway, here are the reports you asked for. Two TDSSKiller reports were generated; it looks like one before and one after the reboot. The second one looks like it was just a partial one, but I've included both, just in case:


    RogueKiller V10.0.6.0 [Nov 13 2014] by Adlice Software
    mail : http://www.adlice.com/contact/
    Feedback : http://forum.adlice.com
    Website : http://www.adlice.com/softwares/roguekiller/
    Blog : http://www.adlice.com

    Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
    Started in : Normal mode
    User : IBM [Administrator]
    Mode : Delete -- Date : 11/16/2014 15:24:10

    ¤¤¤ Processes : 0 ¤¤¤

    ¤¤¤ Registry : 9 ¤¤¤
    [PUP] HKEY_CLASSES_ROOT\CLSID\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} -> Not selected
    [PUP] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} -> Not selected
    [Root.Necurs] HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\13c0aa386e2175ba -> ERROR [4001]
    [Root.Necurs] HKEY_LOCAL_MACHINE\System\ControlSet002\Services\13c0aa386e2175ba -> ERROR [4001]
    [Root.Necurs] HKEY_LOCAL_MACHINE\System\ControlSet003\Services\13c0aa386e2175ba -> ERROR [4001]
    [PUM.HomePage] HKEY_USERS\S-1-5-21-247674877-3848448594-3852255402-1004\Software\Microsoft\Internet Explorer\Main | Start Page : file:///C:/Documents/Links_07.htm -> Not selected
    [PUM.SearchPage] HKEY_USERS\S-1-5-21-247674877-3848448594-3852255402-1004\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir...ie&ar=iesearch -> Not selected
    [PUM.StartMenu] HKEY_USERS\S-1-5-21-247674877-3848448594-3852255402-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowRecentDocs : 2 -> Not selected
    [PUM.DesktopIcons] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Not selected

    ¤¤¤ Tasks : 0 ¤¤¤

    ¤¤¤ Files : 0 ¤¤¤

    ¤¤¤ Hosts File : 0 [Too big!] ¤¤¤

    ¤¤¤ Antirootkit : 0 (Driver: Not loaded [0xc0000001]) ¤¤¤

    ¤¤¤ Web browsers : 1 ¤¤¤
    [PUM.HomePage][FIREFX:Config] it92t6zv.default : user_pref("browser.startup.homepage", "file:///C:/Documents/Links_07.htm"); -> Not selected

    ¤¤¤ MBR Check : ¤¤¤
    +++++ PhysicalDrive0: IC25N020ATCS04-0 +++++
    --- User ---
    [MBR] b6351a83af7db8b2b21a75bce7ef0bde
    [BSP] 8ac2aeb576eb43be8ab59644d36fa76e : Unknown MBR Code
    Partition table:
    0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 63 | Size: 17637 MB
    1 - [XXXXXX] FAT32-LBA (0x1c) [HIDDEN!] Offset (sectors): 36121680 | Size: 1439 MB
    User = LL1 ... OK
    User = LL2 ... OK


    ============================================
    RKreport_SCN_11162014_003509.log - RKreport_SCN_11162014_152242.log



    15:25:52.0396 0x0bcc TDSS rootkit removing tool 3.0.0.41 Oct 28 2014 17:58:34
    15:26:05.0765 0x0bcc ============================================================
    15:26:05.0765 0x0bcc Current date / time: 2014/11/16 15:26:05.0765
    15:26:05.0765 0x0bcc SystemInfo:
    15:26:05.0765 0x0bcc
    15:26:05.0765 0x0bcc OS Version: 5.1.2600 ServicePack: 3.0
    15:26:05.0765 0x0bcc Product type: Workstation
    15:26:05.0765 0x0bcc ComputerName: THINKPAD
    15:26:05.0765 0x0bcc UserName: IBM
    15:26:05.0765 0x0bcc Windows directory: C:\WINDOWS
    15:26:05.0765 0x0bcc System windows directory: C:\WINDOWS
    15:26:05.0765 0x0bcc Processor architecture: Intel x86
    15:26:05.0765 0x0bcc Number of processors: 1
    15:26:05.0765 0x0bcc Page size: 0x1000
    15:26:05.0765 0x0bcc Boot type: Normal boot
    15:26:05.0765 0x0bcc ============================================================
    15:26:10.0021 0x0bcc KLMD registered as C:\WINDOWS\system32\drivers\58266890.sys
    15:26:42.0839 0x0bcc System UUID: {65C7A9CC-C291-863E-FB8C-E2EA3E48D80E}
    15:26:45.0202 0x0bcc !crdlk
    15:26:45.0232 0x0bcc Drive \Device\Harddisk0\DR0 - Size: 0x4A8530000 ( 18.63 Gb ), SectorSize: 0x200, Cylinders: 0xA18, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xF0, Type 'A'
    15:26:45.0292 0x0bcc ============================================================
    15:26:45.0292 0x0bcc \Device\Harddisk0\DR0:
    15:26:45.0292 0x0bcc MBR partitions:
    15:26:45.0292 0x0bcc \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x2272C11
    15:26:45.0292 0x0bcc ============================================================
    15:26:45.0322 0x0bcc C: <-> \Device\Harddisk0\DR0\Partition1
    15:26:45.0502 0x0bcc ============================================================
    15:26:45.0502 0x0bcc Initialize success
    15:26:45.0502 0x0bcc ============================================================
    15:26:58.0281 0x0734 ============================================================
    15:26:58.0281 0x0734 Scan started
    15:26:58.0281 0x0734 Mode: Manual;
    15:26:58.0281 0x0734 ============================================================
    15:26:58.0281 0x0734 KSN ping started
    15:27:03.0118 0x0734 KSN ping finished: true
    15:27:05.0011 0x0734 ================ Scan system memory ========================
    15:27:05.0011 0x0734 System memory - ok
    15:27:05.0031 0x0734 ================ Scan services =============================
    15:27:05.0161 0x0734 Suspicious service (NoAccess): 13c0aa386e2175ba
    15:27:05.0481 0x0734 [ FBF43299719DF340CF426A96CD5DD8F1, 55C8A2762DB4C0E56A09F1F473C699767D079D3B1B9656A58E6066FBA28AAF6F ] 13c0aa386e2175ba C:\WINDOWS\System32\Drivers\13c0aa386e2175ba.sys
    15:27:05.0481 0x0734 Suspicious file ( NoAccess ): C:\WINDOWS\System32\Drivers\13c0aa386e2175ba.sys. md5: FBF43299719DF340CF426A96CD5DD8F1, sha256: 55C8A2762DB4C0E56A09F1F473C699767D079D3B1B9656A58E6066FBA28AAF6F
    15:27:06.0282 0x0734 13c0aa386e2175ba - detected Rootkit.Win32.Necurs.gen ( 0 )
    15:27:09.0146 0x0734 13c0aa386e2175ba ( Rootkit.Win32.Necurs.gen ) - infected
    15:27:09.0146 0x0734 Force sending object to P2P due to detect: 13c0aa386e2175ba
    15:27:11.0710 0x0734 Object send P2P result: true
    15:27:17.0208 0x0734 Abiosdsk - ok
    15:27:17.0268 0x0734 abp480n5 - ok
    15:27:17.0418 0x0734 [ 8FD99680A539792A30E97944FDAECF17, 594F8E0C3695400B0C09A797AF6BDFAC6F750ECD67D0EE803914C572B1DCC43C ] ACPI C:\WINDOWS\system32\DRIVERS\ACPI.sys
    15:27:17.0428 0x0734 ACPI - ok
    15:27:17.0559 0x0734 [ 9859C0F6936E723E4892D7141B1327D5, 5E8F6A2FC4DF2E5E92A1D66ECC2810E08B42B64E9CD0DF4AD3F78EA8558B90AF ] ACPIEC C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
    15:27:17.0559 0x0734 ACPIEC - ok
    15:27:17.0609 0x0734 adpu160m - ok
    15:27:17.0749 0x0734 [ 8BED39E3C35D6A489438B8141717A557, 1B5796E56B0927360CE0759641B1151828BC0A9E45620D2B2D880491F5CE33D0 ] aec C:\WINDOWS\system32\drivers\aec.sys
    15:27:17.0759 0x0734 aec - ok
    15:27:17.0939 0x0734 [ 58A8273918EEF2BF9204B12ED171513A, 6C79AC93FBBD8B877DD71557A8B2A2B9C20277BBFCEDE6A1ECA7FFC650FC6143 ] AegisP C:\WINDOWS\system32\DRIVERS\AegisP.sys
    15:27:17.0939 0x0734 AegisP - ok
    15:27:18.0079 0x0734 [ 1E44BC1E83D8FD2305F8D452DB109CF9, CF5EC07E0B589FA2A4701C6CFD69E893FC3ABF274AD57AE3C13FFE49063B02C8 ] AFD C:\WINDOWS\System32\drivers\afd.sys
    15:27:18.0099 0x0734 AFD - ok
    15:27:18.0410 0x0734 [ AFF071B6290776E1FA162837C35EAC78, 07F3CDB27C767BEDB9E8C82A4FE738AD408225C2A22428669F742EDF30410758 ] AgereSoftModem C:\WINDOWS\system32\DRIVERS\AGRSM.sys
    15:27:18.0550 0x0734 AgereSoftModem - ok
    15:27:18.0820 0x0734 [ 08FD04AA961BDC77FB983F328334E3D7, A784EC8A9EDB579262366B5A9AB177DB7BEC0A421BDE85431D0AD4959D5AF5E7 ] agp440 C:\WINDOWS\system32\DRIVERS\agp440.sys
    15:27:18.0820 0x0734 agp440 - ok
    15:27:18.0870 0x0734 Aha154x - ok
    15:27:18.0890 0x0734 aic78u2 - ok
    15:27:18.0951 0x0734 aic78xx - ok
    15:27:19.0041 0x0734 [ A9A3DAA780CA6C9671A19D52456705B4, 67C959144B57AE0BBF1D82DBED197F32CDB06FECD883A80C441A0202FE83FAB4 ] Alerter C:\WINDOWS\system32\alrsvc.dll
    15:27:19.0041 0x0734 Alerter - ok
    15:27:19.0111 0x0734 [ 8C515081584A38AA007909CD02020B3D, A5E13CA10F702928E0DE84C74D0EA8ACCB117FD76FBABC55220C75C4FFD596DC ] ALG C:\WINDOWS\System32\alg.exe
    15:27:19.0121 0x0734 ALG - ok
    15:27:19.0191 0x0734 AliIde - ok
    15:27:19.0241 0x0734 amsint - ok
    15:27:19.0421 0x0734 [ D8849F77C0B66226335A59D26CB4EDC6, 4990031453204C57E36E850252A39B05D6ECDAB9E71A8136FB4900F17E59C9CA ] AppMgmt C:\WINDOWS\System32\appmgmts.dll
    15:27:19.0431 0x0734 AppMgmt - ok
    15:27:19.0501 0x0734 asc - ok
    15:27:19.0561 0x0734 asc3350p - ok
    15:27:19.0592 0x0734 asc3550 - ok
    15:27:19.0862 0x0734 [ 0E5E4957549056E2BF2C49F4F6B601AD, F7F19FDC906B719A3516D30A9B4A2262C8CC5B36B94E3D4195C345EC4610FF2B ] aspnet_state C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
    15:27:20.0092 0x0734 aspnet_state - ok
    15:27:20.0232 0x0734 [ B153AFFAC761E7F5FCFA822B9C4E97BC, 7E60F572A6B3C6219E3C86225AA37243AFFD74337DB7F108B04778042E5CC959 ] AsyncMac C:\WINDOWS\system32\DRIVERS\asyncmac.sys
    15:27:20.0232 0x0734 AsyncMac - ok
    15:27:20.0353 0x0734 [ 9F3A2F5AA6875C72BF062C712CFA2674, B4DF1D2C56A593C6B54DE57395E3B51D288F547842893B32B0F59228A0CF70B9 ] atapi C:\WINDOWS\system32\DRIVERS\atapi.sys
    15:27:20.0363 0x0734 atapi - ok
    15:27:20.0443 0x0734 Atdisk - ok
    15:27:20.0563 0x0734 [ 418CDC2888D01E1CD5CE297AF00807A3, 1DE3277683E0D3D2B1B83FF9D718C125E3D542477C1505063DDE8145C408391D ] Ati HotKey Poller C:\WINDOWS\System32\Ati2evxx.exe
    15:27:20.0573 0x0734 Ati HotKey Poller - ok
    15:27:20.0783 0x0734 [ D1F804642C627782C6D213BCE0604F09, 43DB2A74835B5E5C796509990E0FCB4A4897A027D0117F5B6C8ECD37E80F7F28 ] ati2mtag C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
    15:27:20.0823 0x0734 ati2mtag - ok
    15:27:20.0984 0x0734 [ 9916C1225104BA14794209CFA8012159, 5D6F05F715C52A16D05CAE15C3DFE77A139A7F27F7AE710EC9A10F9EE05115A1 ] Atmarpc C:\WINDOWS\system32\DRIVERS\atmarpc.sys
    15:27:20.0984 0x0734 Atmarpc - ok
    15:27:21.0094 0x0734 [ DEF7A7882BEC100FE0B2CE2549188F9D, 462C95B63D0A1058291A2DC8CBFCB13D7D74CCD1CA43B613A7EB43D49E3276F8 ] AudioSrv C:\WINDOWS\System32\audiosrv.dll
    15:27:21.0104 0x0734 AudioSrv - ok
    15:27:21.0224 0x0734 [ D9F724AA26C010A217C97606B160ED68, 329B5118F2409731D06FDAE85B6ADD64A048292801BCB3546651CEB303111695 ] audstub C:\WINDOWS\system32\DRIVERS\audstub.sys
    15:27:21.0224 0x0734 audstub - ok
    15:27:21.0594 0x0734 [ AA054CD537357F03D5BA6ABA7562B35F, F331D929920D38B53FEA464AF54DB59224882D386C55689CDDF6C6DC1473284E ] avg9emc C:\Program Files\AVG\AVG9\avgemc.exe
    15:27:21.0685 0x0734 avg9emc - ok
    15:27:21.0915 0x0734 [ C4D15594DB5BE042D3346EA58DF87D89, 8E24868518DE53F28C92C473A415BED613665287F338B815FEDE21D151F01962 ] avg9wd C:\Program Files\AVG\AVG9\avgwdsvc.exe
    15:27:21.0945 0x0734 avg9wd - ok
    15:27:22.0135 0x0734 [ A9F4D19DE72C738759330D10D35C4398, 46D760EBFBABF3FDCD02F4AC38180FBFFEFFA36F68C18602695A9FCB6C4C13DE ] AvgLdx86 C:\WINDOWS\System32\Drivers\avgldx86.sys
    15:27:22.0145 0x0734 AvgLdx86 - ok
    15:27:22.0285 0x0734 [ 80FF2B1B7EEDA966394F0BAA895BBF4B, D8F5C111837707DC37975C1E315FCD33BF96AB21D89874CB0290134A44C46BEF ] AvgMfx86 C:\WINDOWS\System32\Drivers\avgmfx86.sys
    15:27:22.0295 0x0734 AvgMfx86 - ok
    15:27:22.0416 0x0734 [ 9A7A93388F503A34E7339AE7F9997449, 9549146C19EAF65DB98314A7CCB0AB27503DC812B521444CBEA5493998ADAA80 ] AvgTdiX C:\WINDOWS\System32\Drivers\avgtdix.sys
    15:27:22.0446 0x0734 AvgTdiX - ok
    15:27:22.0606 0x0734 [ DA1F27D85E0D1525F6621372E7B685E9, 5A81A46A3BDD19DAFC6C87D277267A5D44F3A1B5302F2CC1111D84B7BAD5610D ] Beep C:\WINDOWS\system32\drivers\Beep.sys
    15:27:22.0616 0x0734 Beep - ok
    15:27:22.0796 0x0734 [ 574738F61FCA2935F5265DC4E5691314, 3C7CCF064397186C3A3863DD2370AB6414A61B330097DCA4F299CA7BBAA3D1B4 ] BITS C:\WINDOWS\system32\qmgr.dll
    15:27:23.0097 0x0734 BITS - ok
    15:27:23.0287 0x0734 [ CFD4E51402DA9838B5A04AE680AF54A0, 5378F42B195B5832B00A05AD64E00473A45FFB86AC25C57241F26EA82B149FE1 ] Browser C:\WINDOWS\System32\browser.dll
    15:27:23.0297 0x0734 Browser - ok
    15:27:23.0387 0x0734 [ 90A673FC8E12A79AFBED2576F6A7AAF9, BDE7858A3457DB979FEDD8577FA6321BF72848E4A7BF9F173C78A6A10CBB3EBE ] cbidf2k C:\WINDOWS\system32\drivers\cbidf2k.sys
    15:27:23.0397 0x0734 cbidf2k - ok
    15:27:23.0477 0x0734 cd20xrnt - ok
    15:27:23.0567 0x0734 [ C1B486A7658353D33A10CC15211A873B, AA4DD9E7AAE5AAB1146B360B17001F975D2F29A1281CF7B13E7136480410F347 ] Cdaudio C:\WINDOWS\system32\drivers\Cdaudio.sys
    15:27:23.0567 0x0734 Cdaudio - ok
    15:27:23.0667 0x0734 [ C885B02847F5D2FD45A24E219ED93B32, B26B2F8E3A831E2B65EB0C5195B0645CD50E22615CE79C9B0B391CD563B121DB ] Cdfs C:\WINDOWS\system32\drivers\Cdfs.sys
    15:27:23.0677 0x0734 Cdfs - ok
    15:27:24.0038 0x0734 [ 1F4260CC5B42272D71F79E570A27A4FE, B51C2A3ED3C309953D0EA45869C8E464C10F2533DADE9E0286AF674979098D1D ] Cdrom C:\WINDOWS\system32\DRIVERS\cdrom.sys
    15:27:24.0038 0x0734 Cdrom - ok
    15:27:24.0088 0x0734 Changer - ok
    15:27:24.0178 0x0734 [ 1CFE720EB8D93A7158A4EBC3AB178BDE, 65D2A9D9A88F38D4AF323134C151BA0F4B3CD0F6A134AF86E7AC9D07319F1726 ] cisvc C:\WINDOWS\System32\cisvc.exe
    15:27:24.0188 0x0734 cisvc - ok
    15:27:24.0298 0x0734 [ 34CBE729F38138217F9C80212A2A0C82, A9FD7A758D12E0818A11BEEF1CE772FEFA8373E92EF6C0DA8628CD4572CC9A43 ] ClipSrv C:\WINDOWS\system32\clipsrv.exe
    15:27:24.0308 0x0734 ClipSrv - ok
    15:27:24.0428 0x0734 [ D87ACAED61E417BBA546CED5E7E36D9C, 14AC6034A5BC0FB2A1AFDAD42BEF4DE641556E54AD30D0C46765660A4BE55462 ] clr_optimization_v2.0.50727_32 C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
    15:27:24.0719 0x0734 clr_optimization_v2.0.50727_32 - ok
    15:27:24.0899 0x0734 [ 0F6C187D38D98F8DF904589A5F94D411, DB987093446216CEE913AC27503BF7E23E5A62DF169B355730285DAB64F6ED28 ] CmBatt C:\WINDOWS\system32\DRIVERS\CmBatt.sys
    15:27:24.0899 0x0734 CmBatt - ok
    15:27:24.0949 0x0734 CmdIde - ok
    15:27:24.0999 0x0734 [ 6E4C9F21F0FAE8940661144F41B13203, 731202A0DD021FCF9287FEA631212603AAAC23F9E7F76B2882F913B18A971F1C ] Compbatt C:\WINDOWS\system32\DRIVERS\compbatt.sys
    15:27:25.0009 0x0734 Compbatt - ok
    15:27:25.0089 0x0734 COMSysApp - ok
    15:27:25.0180 0x0734 Cpqarray - ok
    15:27:25.0350 0x0734 [ 3D4E199942E29207970E04315D02AD3B, 0825960894CF9C86CC8775BDD2A262948A09CA495AA7FE9F210FAF49E7086383 ] CryptSvc C:\WINDOWS\System32\cryptsvc.dll
    15:27:25.0350 0x0734 CryptSvc - ok
    15:27:25.0430 0x0734 dac2w2k - ok
    15:27:25.0470 0x0734 dac960nt - ok
    15:27:25.0660 0x0734 [ 6B27A5C03DFB94B4245739065431322C, 6AEAC16AB4E0DFD25123AAF4D4181FEE1B919B7B2793117006CE8CF30E826CFD ] DcomLaunch C:\WINDOWS\system32\rpcss.dll
    15:27:25.0690 0x0734 DcomLaunch - ok
    15:27:25.0991 0x0734 [ 5E38D7684A49CACFB752B046357E0589, F192AD4190BCFB6939A5CBC91648FE63168AF79A5E227A111DEAD6A92E42AB8D ] Dhcp C:\WINDOWS\System32\dhcpcsvc.dll
    15:27:26.0001 0x0734 Dhcp - ok
    15:27:26.0151 0x0734 [ 044452051F3E02E7963599FC8F4F3E25, 584BDDB074618BE76454CF90E74829CFF588B5B5FAEB793E2F7AAD26352DD689 ] Disk C:\WINDOWS\system32\DRIVERS\disk.sys
    15:27:26.0161 0x0734 Disk - ok
    15:27:26.0211 0x0734 dmadmin - ok
    15:27:26.0491 0x0734 [ D992FE1274BDE0F84AD826ACAE022A41, C82BD6561A14F2932A761F5883A787B99031250EE5E9B7B5714AA045545C9B99 ] dmboot C:\WINDOWS\system32\drivers\dmboot.sys
    15:27:26.0552 0x0734 dmboot - ok
    15:27:26.0712 0x0734 [ 7C824CF7BBDE77D95C08005717A95F6F, A73CB323B7A6410C3D3F258BF204E716ADF8C84C9E4F6562C57AB73DAED8CCDE ] dmio C:\WINDOWS\system32\drivers\dmio.sys
    15:27:26.0722 0x0734 dmio - ok
    15:27:26.0902 0x0734 [ E9317282A63CA4D188C0DF5E09C6AC5F, D41E002F555FE9015EF620975255F58BB79198CA1FF0E09EC950CB450FF77CF7 ] dmload C:\WINDOWS\system32\drivers\dmload.sys
    15:27:26.0902 0x0734 dmload - ok
    15:27:27.0062 0x0734 [ 57EDEC2E5F59F0335E92F35184BC8631, 61F6F0DC2D1A6C61D5EF0D5CC4BE0FFC217F1E61FDA3EA9F704709293656600F ] dmserver C:\WINDOWS\System32\dmserver.dll
    15:27:27.0062 0x0734 dmserver - ok
    15:27:27.0202 0x0734 [ 8A208DFCF89792A484E76C40E5F50B45, 4E40E2EB38C6254E7CAA488200E89EE7DEBBBA773890BC6A84313CC68178D54F ] DMusic C:\WINDOWS\system32\drivers\DMusic.sys
    15:27:27.0202 0x0734 DMusic - ok
    15:27:27.0363 0x0734 [ 5F7E24FA9EAB896051FFB87F840730D2, 356EEFDCD54DECAD0170B34B993E4BF80DD039E2B2922D7A8D09B84031E9FC7A ] Dnscache C:\WINDOWS\System32\dnsrslvr.dll
    15:27:27.0373 0x0734 Dnscache - ok
    15:27:27.0473 0x0734 [ 0F0F6E687E5E15579EF4DA8DD6945814, 5C32D88119EB1465B2D719BEE2E05888D1A73454B5E33F2D4928DA710F8BFBA3 ] Dot3svc C:\WINDOWS\System32\dot3svc.dll
    15:27:27.0483 0x0734 Dot3svc - ok
    15:27:27.0563 0x0734 dpti2o - ok
    15:27:27.0663 0x0734 [ 8F5FCFF8E8848AFAC920905FBD9D33C8, C8C6FB97AB0871C8C88A2201525A5CF10D5131CB6980D32692ED7A8F58399AD5 ] drmkaud C:\WINDOWS\system32\drivers\drmkaud.sys
    15:27:27.0673 0x0734 drmkaud - ok
    15:27:27.0803 0x0734 [ 816AC73D056626333DD1D8F759F0AFAA, E41A12680088D927D011F84F1F173DB9D47444A7C7F701BCC39E7165A313B5A8 ] DSMBATT C:\WINDOWS\system32\drivers\DSMBATT.SYS
    15:27:27.0803 0x0734 DSMBATT - ok
    15:27:27.0944 0x0734 [ 81459BD6D8FEAADF2848AE88B3D02EC3, 240CEBFD1CDF824C43748362B3BDCE1B9D9CA238EDDC1E14051D006C6CCDFCF5 ] E100B C:\WINDOWS\system32\DRIVERS\e100b325.sys
    15:27:27.0954 0x0734 E100B - ok
    15:27:28.0054 0x0734 [ 2187855A7703ADEF0CEF9EE4285182CC, 8233CC11F637866C0074043835A785EA2B616739B6B1181B143A253CF2508CFD ] EapHost C:\WINDOWS\System32\eapsvc.dll
    15:27:28.0064 0x0734 EapHost - ok
    15:27:28.0234 0x0734 [ 938F1EC77BA35858248E584B2D2E9776, E48E7C363F4AAF8601016E3AAAD50C5C99E83747733C6339D9E21D3C8DDDE7B5 ] EGATHDRV C:\WINDOWS\system32\EGATHDRV.SYS
    15:27:28.0234 0x0734 EGATHDRV - ok
    15:27:28.0444 0x0734 [ BC93B4A066477954555966D77FEC9ECB, 27F5B780175EF46DA102EE33F7F33559C8B40C077EEA4405D579D9507F4B1C23 ] ERSvc C:\WINDOWS\System32\ersvc.dll
    15:27:28.0444 0x0734 ERSvc - ok
    15:27:28.0604 0x0734 [ 65DF52F5B8B6E9BBD183505225C37315, 59C606977DB40A3443DFF0BE2A4C761824881B22C9FDB3D23F6486DB580E92A4 ] Eventlog C:\WINDOWS\system32\services.exe
    15:27:28.0614 0x0734 Eventlog - ok
    15:27:28.0775 0x0734 [ D4991D98F2DB73C60D042F1AEF79EFAE, 58AF949EAEBF4FF3E3314DFB66CE4198BF65F0836B68CD27A6ED319742CCCCD2 ] EventSystem C:\WINDOWS\System32\es.dll
    15:27:28.0795 0x0734 EventSystem - ok
    15:27:29.0045 0x0734 [ 38D332A6D56AF32635675F132548343E, E6909DB836AF679B4F4D62C7396D6C82769CC7ABB8C919C2AABFE934FCE268F6 ] Fastfat C:\WINDOWS\system32\drivers\Fastfat.sys
    15:27:29.0055 0x0734 Fastfat - ok
    15:27:29.0235 0x0734 [ 99BC0B50F511924348BE19C7C7313BBF, A1006C687BD352F700B140DC741515A0CDD9E1352C0FBD1EE410D404E344444B ] FastUserSwitchingCompatibility C:\WINDOWS\System32\shsvcs.dll
    15:27:29.0245 0x0734 FastUserSwitchingCompatibility - ok
    15:27:29.0356 0x0734 [ 92CDD60B6730B9F50F6A1A0C1F8CDC81, 8307A532AB4D05CBBCE206DC2759497708BF5AAA880BD00F0E4F281D8578A1F5 ] Fdc C:\WINDOWS\system32\DRIVERS\fdc.sys
    15:27:29.0366 0x0734 Fdc - ok
    15:27:29.0456 0x0734 [ D45926117EB9FA946A6AF572FBE1CAA3, 4C94EF009D778BE0BDF8F812F026B96F91F641BE30AA2531427A5E63DBD280DA ] Fips C:\WINDOWS\system32\drivers\Fips.sys
    15:27:29.0456 0x0734 Fips - ok
    15:27:29.0536 0x0734 [ 9D27E7B80BFCDF1CDD9B555862D5E7F0, 69C271AD5BCEBFD8AE5A769BDD7EC51256DA3A8ADAD5D12E5C0D13F4E82D8805 ] Flpydisk C:\WINDOWS\system32\DRIVERS\flpydisk.sys
    15:27:29.0536 0x0734 Flpydisk - ok
    15:27:29.0716 0x0734 [ B2CF4B0786F8212CB92ED2B50C6DB6B0, 280F5CF8A90F7BEDE73ADD0DD0F8952088133A7CA9A3D3B7041957E33B36845D ] FltMgr C:\WINDOWS\system32\drivers\fltmgr.sys
    15:27:29.0736 0x0734 FltMgr - ok
    15:27:29.0976 0x0734 [ 8BA7C024070F2B7FDD98ED8A4BA41789, 47585006F86B2C6016EC54250A416794792D1E4024FF229C120BC25B684AF66A ] FontCache3.0.0.0 C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
    15:27:30.0006 0x0734 FontCache3.0.0.0 - ok
    15:27:30.0087 0x0734 [ 3E1E2BD4F39B0E2B7DC4F4D2BCC2779A, EC635E071201A766845D48973772CBE0958942B4162F3F5F70660D114CC877E0 ] Fs_Rec C:\WINDOWS\system32\drivers\Fs_Rec.sys
    15:27:30.0087 0x0734 Fs_Rec - ok
    15:27:30.0237 0x0734 [ 6AC26732762483366C3969C9E4D2259D, FF2C9A23CC17F380093F0BEA955B1925794271C2FEA16B9B7639668E6999BAE3 ] Ftdisk C:\WINDOWS\system32\DRIVERS\ftdisk.sys
    15:27:30.0247 0x0734 Ftdisk - ok
    15:27:30.0387 0x0734 [ 0A02C63C8B144BD8C86B103DEE7C86A2, 7A3235DD3E1995DD72B212FAEB3ECA2A974434DE9BF6D269EA11BA65A80E7E50 ] Gpc C:\WINDOWS\system32\DRIVERS\msgpc.sys
    15:27:30.0387 0x0734 Gpc - ok
    15:27:30.0637 0x0734 [ 506708142BC63DABA64F2D3AD1DCD5BF, 9C36A08D9E7932FF4DA7B5F24E6B42C92F28685B8ABE964C870E8D7670FD531A ] gupdate C:\Program Files\Google\Update\GoogleUpdate.exe
    15:27:30.0647 0x0734 gupdate - ok
    15:27:30.0768 0x0734 [ 506708142BC63DABA64F2D3AD1DCD5BF, 9C36A08D9E7932FF4DA7B5F24E6B42C92F28685B8ABE964C870E8D7670FD531A ] gupdatem C:\Program Files\Google\Update\GoogleUpdate.exe
    15:27:30.0778 0x0734 gupdatem - ok
    15:27:31.0008 0x0734 [ 4FCCA060DFE0C51A09DD5C3843888BCD, D82417706B517F2610DDF7C86BE03A72EFA9A2A389DF5C8F8ADEAB8144E2C80A ] helpsvc C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll
    15:27:31.0008 0x0734 helpsvc - ok
    15:27:31.0098 0x0734 HidServ - ok
    15:27:31.0198 0x0734 [ CCF82C5EC8A7326C3066DE870C06DAF1, 93395FA4C26B2E82DC8B7025ED3BCF583885E5D8C5F60CD6EEAA6335D6A126EC ] hidusb C:\WINDOWS\system32\DRIVERS\hidusb.sys
    15:27:31.0198 0x0734 hidusb - ok
    15:27:31.0318 0x0734 [ 8878BD685E490239777BFE51320B88E9, C5C3ECF6B049B6736E35B39518A8F830B45C45A88FFE8E3A6B7922AD946597E2 ] hkmsvc C:\WINDOWS\System32\kmsvc.dll
    15:27:31.0328 0x0734 hkmsvc - ok
    15:27:31.0398 0x0734 hpn - ok
    15:27:31.0449 0x0734 hpt3xx - ok
    15:27:31.0619 0x0734 [ F80A415EF82CD06FFAF0D971528EAD38, 524D9E9201572929522F6805011783711B7C0F76308B924C89CF75F4B7A1FDF3 ] HTTP C:\WINDOWS\system32\Drivers\HTTP.sys
    15:27:31.0649 0x0734 HTTP - ok
    15:27:31.0729 0x0734 [ 6100A808600F44D999CEBDEF8841C7A3, 61A75118C327812C60622010985A2E80E79B6FD9030A5732390EE5426E4AF6C9 ] HTTPFilter C:\WINDOWS\System32\w3ssl.dll
    15:27:31.0799 0x0734 HTTPFilter - ok
    15:27:31.0879 0x0734 i2omgmt - ok
    15:27:31.0909 0x0734 i2omp - ok
    15:27:32.0039 0x0734 [ 4A0B06AA8943C1E332520F7440C0AA30, DB2452390CCFE67E0C5FEB4FD42CA24ABE2DDD40D0B22DD5F5B8F70416863918 ] i8042prt C:\WINDOWS\system32\DRIVERS\i8042prt.sys
    15:27:32.0039 0x0734 i8042prt - ok
    15:27:32.0130 0x0734 [ 293131C1DA5F53CB05F75D637739D79C, F5F1A03FB012101FA143A288BCBC048A652A285F7DF533D1D08279E3A4D24326 ] IBMPMDRV C:\WINDOWS\system32\DRIVERS\ibmpmdrv.sys
    15:27:32.0130 0x0734 IBMPMDRV - ok
    15:27:32.0220 0x0734 [ 91FA023C5203503776BCCC9CF96A0C59, A47C788A26E4D2A282DE2EC8A75E1544CAB17A2C5F4CF867026D3B95B3651D1D ] IBMPMSVC C:\WINDOWS\system32\ibmpmsvc.exe
    15:27:32.0230 0x0734 IBMPMSVC - ok
    15:27:32.0350 0x0734 [ 28DEEBA2E29CB0E91B641CA95F7740FD, 3E4D92E7211AA0CCD38561DB5F7CDC583C141A40D9077AA7D482336D3080369B ] IBMTPCHK C:\WINDOWS\system32\drivers\IBMBLDID.SYS
    15:27:32.0350 0x0734 IBMTPCHK - ok
    15:27:32.0600 0x0734 [ DAF66902F08796F9C694901660E5A64A, F4A4764DED05980426BAB54AAF040BC27A39C80315F5161E8D0B4C7F694BD8E6 ] IDriverT C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    15:27:32.0600 0x0734 IDriverT - ok
    15:27:32.0991 0x0734 [ C01AC32DC5C03076CFB852CB5DA5229C, A4D7749220B5BC965D96A267F1E02FE8284A230BA249109207BD4B9EA8DFAC96 ] idsvc C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
    15:27:33.0231 0x0734 idsvc - ok
    15:27:33.0411 0x0734 [ 083A052659F5310DD8B6A6CB05EDCF8E, 48D39B03FFB6FAA1529B774443BA12618AE3982D9F65A7B9D18F2269F78B31F4 ] Imapi C:\WINDOWS\system32\DRIVERS\imapi.sys
    15:27:33.0421 0x0734 Imapi - ok
    15:27:33.0522 0x0734 [ 30DEAF54A9755BB8546168CFE8A6B5E1, 3936228CD3125C763ABFCB93E86E4B43838202BCC0913A28E84AC0263B43EE0D ] ImapiService C:\WINDOWS\System32\imapi.exe
    15:27:33.0532 0x0734 ImapiService - ok
    15:27:33.0652 0x0734 ini910u - ok
    15:27:33.0782 0x0734 [ B5466A9250342A7AA0CD1FBA13420678, 87E735C4E8924A883AB692D387A83BCBFAE6E165688336AE7AB488F7CA8D339E ] IntelIde C:\WINDOWS\system32\DRIVERS\intelide.sys
    15:27:33.0792 0x0734 IntelIde - ok
    15:27:33.0902 0x0734 [ 8C953733D8F36EB2133F5BB58808B66B, 555868F246D73652E998B0B1296476E42FCEDED30D646CC000F31ECE4EBC25E6 ] intelppm C:\WINDOWS\system32\DRIVERS\intelppm.sys
    15:27:33.0902 0x0734 intelppm - ok
    15:27:33.0962 0x0734 [ 3BB22519A194418D5FEC05D800A19AD0, F6662F440950596DC1382DD1DB5D7891CCEA30A6062BEA942C18445B5F0D8B16 ] ip6fw C:\WINDOWS\system32\drivers\ip6fw.sys
    15:27:33.0962 0x0734 ip6fw - ok
    15:27:34.0112 0x0734 [ 731F22BA402EE4B62748ADAF6363C182, 5C3BEBD008A5BE4DC2F92076FF41A10DDC01E10EC7E6552213CFA11970811848 ] IpFilterDriver C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
    15:27:34.0122 0x0734 IpFilterDriver - ok
    15:27:34.0172 0x0734 [ B87AB476DCF76E72010632B5550955F5, E6E74D3A86A7917A8BAED44F8E97CCD2EB171E4E4B27E9907F60D1523FAF319A ] IpInIp C:\WINDOWS\system32\DRIVERS\ipinip.sys
    15:27:34.0172 0x0734 IpInIp - ok
    15:27:34.0323 0x0734 [ CC748EA12C6EFFDE940EE98098BF96BB, AF523E21C25D9A1715EFEA573E4F52AF5D4FC9F28A2D613F5DB629C186C439E0 ] IpNat C:\WINDOWS\system32\DRIVERS\ipnat.sys
    15:27:34.0343 0x0734 IpNat - ok
    15:27:34.0453 0x0734 [ 23C74D75E36E7158768DD63D92789A91, 394D296F38E7D8EFD91A6EEC301D9CE6AF910E35EB9819F1A9E3363863AEDFDC ] IPSec C:\WINDOWS\system32\DRIVERS\ipsec.sys
    15:27:34.0463 0x0734 IPSec - ok
    15:27:34.0553 0x0734 [ ACA5E7B54409F9CB5EED97ED0C81120E, 1E22F442EA77596F58D133F1A5887CDC4F3325DD0836D24A665E1D31287ABFF7 ] irda C:\WINDOWS\system32\DRIVERS\irda.sys
    15:27:34.0573 0x0734 irda - ok
    15:27:34.0663 0x0734 [ C93C9FF7B04D772627A3646D89F7BF89, 805FA48E7A46D4F10240BF880A2468F53DEA36E83004399228AB70DB7D20544A ] IRENUM C:\WINDOWS\system32\DRIVERS\irenum.sys
    15:27:34.0673 0x0734 IRENUM - ok
    15:27:34.0793 0x0734 [ 49CC4533CE897CB2E93C1E84A818FDE5, F2AC81CDB971F630699616509748DCE133874EFC79B9D6230517B5A4DFBE193D ] Irmon C:\WINDOWS\System32\irmon.dll
    15:27:34.0803 0x0734 Irmon - ok
    15:27:35.0014 0x0734 [ 05A299EC56E52649B1CF2FC52D20F2D7, 2654619DB3E6D6C385B63AB02F87D4241C4F0250CC31383D1B3586917166C2DC ] isapnp C:\WINDOWS\system32\DRIVERS\isapnp.sys
    15:27:35.0024 0x0734 isapnp - ok
    15:27:35.0364 0x0734 [ DBDB1A25291B2D18C614F5CA963156A8, C8EA730A6A5BCBE7952AAA22F212C244014F206D2F4A274E29384C09F1F10A66 ] JavaQuickStarterService C:\Program Files\Java\jre7\bin\jqs.exe
    15:27:35.0384 0x0734 JavaQuickStarterService - ok
    15:27:35.0534 0x0734 [ 463C1EC80CD17420A542B7F36A36F128, E3B11BA26AFEAFB50B0FC168EA07F6049DA6B88BCDDEEE20310602D7FC27A3A7 ] Kbdclass C:\WINDOWS\system32\DRIVERS\kbdclass.sys
    15:27:35.0534 0x0734 Kbdclass - ok
    15:27:35.0635 0x0734 [ 692BCF44383D056AED41B045A323D378, 1A99DEE83FFAF64E73067FC049C0A4CE07D94E4AE31EFA17B38CEFA9E41D67DC ] kmixer C:\WINDOWS\system32\drivers\kmixer.sys
    15:27:35.0655 0x0734 kmixer - ok
    15:27:35.0865 0x0734 [ B467646C54CC746128904E1654C750C1, 3BD71BE3663EA23463D236D8A2A2E42DFA10C502BDB4B6E131FAF0FBA748219E ] KSecDD C:\WINDOWS\system32\drivers\KSecDD.sys
    15:27:35.0875 0x0734 KSecDD - ok
    15:27:36.0055 0x0734 [ 3A7C3CBE5D96B8AE96CE81F0B22FB527, 0044F03132596A494448CCE5F3D6ECC12617BB4CF6BAE348F79D4DC40ACD6EE0 ] lanmanserver C:\WINDOWS\System32\srvsvc.dll
    15:27:36.0065 0x0734 lanmanserver - ok
    15:27:36.0255 0x0734 [ A8888A5327621856C0CEC4E385F69309, B08B63300D824E35E31EEEA2C4C086DFA2C2A964CEDAE512E74D3D88AADAA2C1 ] lanmanworkstation C:\WINDOWS\System32\wkssvc.dll
    15:27:36.0265 0x0734 lanmanworkstation - ok
    15:27:36.0316 0x0734 lbrtfdc - ok
    15:27:36.0526 0x0734 [ 31D8B705DCD5F2366186E731F87C7A71, D73DC732EF74C3C0EADD650B65BC6EEB44EA2C4E86BFD5BE989971A34FBA160A ] LightScribeService C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    15:27:36.0536 0x0734 LightScribeService - ok
    15:27:36.0716 0x0734 [ A7DB739AE99A796D91580147E919CC59, EDF4E039BA277B0E6D66FEB0B28096E67D682C09DFC18ECECF062D9DCFB75ACF ] LmHosts C:\WINDOWS\System32\lmhsvc.dll
    15:27:36.0716 0x0734 LmHosts - ok
    15:27:36.0786 0x0734 [ 986B1FF5814366D71E0AC5755C88F2D3, E6AF051174531C24B38E73987755D366ABEC595476C6D17793E8DCCC73F55340 ] Messenger C:\WINDOWS\System32\msgsvc.dll
    15:27:36.0786 0x0734 Messenger - ok
    15:27:36.0946 0x0734 [ 4AE068242760A1FB6E1A44BF4E16AFA6, 1FB771162B96AAF787AC24867B818DF8511F0780BB094FA9A38C11D8DBFE68BC ] mnmdd C:\WINDOWS\system32\drivers\mnmdd.sys
    15:27:36.0946 0x0734 mnmdd - ok
    15:27:37.0077 0x0734 [ D18F1F0C101D06A1C1ADF26EED16FCDD, BA0837C7780BD8262E143E2935AFA63BE59C3C39EF56CB8608EED0F50AF070D4 ] mnmsrvc C:\WINDOWS\System32\mnmsrvc.exe
    15:27:37.0077 0x0734 mnmsrvc - ok
    15:27:37.0247 0x0734 [ DFCBAD3CEC1C5F964962AE10E0BCC8E1, B342CC9EC3729AB1AB4B5E2E99F890C1E0CA649162DE91F6768AB857B719E97B ] Modem C:\WINDOWS\system32\drivers\Modem.sys
    15:27:37.0257 0x0734 Modem - ok
    15:27:37.0337 0x0734 [ 35C9E97194C8CFB8430125F8DBC34D04, 0C0FCE6B0A23FB0ECB92E1663E1C72D2DD5B177D82E04782957690B69530DB39 ] Mouclass C:\WINDOWS\system32\DRIVERS\mouclass.sys
    15:27:37.0337 0x0734 Mouclass - ok
    15:27:37.0507 0x0734 [ B1C303E17FB9D46E87A98E4BA6769685, 161A45488522055D0F0474ABEDA04DDD0B5DAC2411AF9154B15190BBD66E7153 ] mouhid C:\WINDOWS\system32\DRIVERS\mouhid.sys
    15:27:37.0517 0x0734 mouhid - ok
    15:27:37.0607 0x0734 [ A80B9A0BAD1B73637DBCBBA7DF72D3FD, 2A5E15ED2C24C6C65EF2F7E1FD93374774076C9D8D451E4422561F4D269C012F ] MountMgr C:\WINDOWS\system32\drivers\MountMgr.sys
    15:27:37.0607 0x0734 MountMgr - ok
    15:27:37.0698 0x0734 mraid35x - ok
    15:27:37.0768 0x0734 [ 11D42BB6206F33FBB3BA0288D3EF81BD, 76ABCFB62C5AC549F58C231F72A99882CDEB74928104B77FE52554765C2B1A22 ] MRxDAV C:\WINDOWS\system32\DRIVERS\mrxdav.sys
    15:27:37.0788 0x0734 MRxDAV - ok
    15:27:37.0978 0x0734 [ 7D304A5EB4344EBEEAB53A2FE3FFB9F0, DB9B186F7076D7B94F45041AF7B77C1AD2CAB504D683B459C6CB1C22840ED170 ] MRxSmb C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
    15:27:38.0018 0x0734 MRxSmb - ok
    15:27:38.0178 0x0734 [ A137F1470499A205ABBB9AAFB3B6F2B1, FB4951727543030D9E6ED74149C3FAACE2CA9DA8C1B5F616301B30B858C724E8 ] MSDTC C:\WINDOWS\System32\msdtc.exe
    15:27:38.0178 0x0734 MSDTC - ok
    15:27:38.0288 0x0734 [ C941EA2454BA8350021D774DAF0F1027, C940E978C7B66A713A0FDAB54B5F995DF59D089AFCD96221DD3222948CD49BBD ] Msfs C:\WINDOWS\system32\drivers\Msfs.sys
    15:27:38.0288 0x0734 Msfs - ok
    15:27:38.0389 0x0734 MSIServer - ok
    15:27:38.0439 0x0734 [ D1575E71568F4D9E14CA56B7B0453BF1, 4ABE0E24786C0D39FA2B885447E56204CA6942FB175E534DCE675D7BCF0B176A ] MSKSSRV C:\WINDOWS\system32\drivers\MSKSSRV.sys
    15:27:38.0449 0x0734 MSKSSRV - ok
    15:27:38.0539 0x0734 [ 325BB26842FC7CCC1FCCE2C457317F3E, C07BE560513B1FB91D756494F0BA4AEEB2E1998DE0E1C21EE83DB1183B0CEE91 ] MSPCLOCK C:\WINDOWS\system32\drivers\MSPCLOCK.sys
    15:27:38.0539 0x0734 MSPCLOCK - ok
    15:27:38.0639 0x0734 [ BAD59648BA099DA4A17680B39730CB3D, 9AD4C7C94C186C8815D0BC75DCAFB962158DA6935A244BA243EDDDEB33F9816C ] MSPQM C:\WINDOWS\system32\drivers\MSPQM.sys
    15:27:38.0649 0x0734 MSPQM - ok
    15:27:38.0729 0x0734 [ AF5F4F3F14A8EA2C26DE30F7A1E17136, AC93A1E4ABB0D038B772E429015567E44CC2EDB66C54DBE23A5F98176FAC1520 ] mssmbios C:\WINDOWS\system32\DRIVERS\mssmbios.sys
    15:27:38.0739 0x0734 mssmbios - ok
    15:27:38.0839 0x0734 [ DE6A75F5C270E756C5508D94B6CF68F5, FCC972DDC36C2C44D836913F10004C2C33B11C54DEFFF0C63E0FDF901D2F9261 ] Mup C:\WINDOWS\system32\drivers\Mup.sys
    15:27:38.0849 0x0734 Mup - ok
    15:27:39.0029 0x0734 [ 0102140028FAD045756796E1C685D695, 5335B8278418CA200E2772124F0602C3E15A5CAF2D5CC59F6785DFAABF339B09 ] napagent C:\WINDOWS\System32\qagentrt.dll
    15:27:39.0049 0x0734 napagent - ok
    15:27:39.0150 0x0734 [ 1DF7F42665C94B825322FAE71721130D, FE0DCB728471465B39A42A7511F4133021FBA5DF88F88BCB5FE2FF34CFD713F9 ] NDIS C:\WINDOWS\system32\drivers\NDIS.sys
    15:27:39.0170 0x0734 NDIS - ok
    15:27:39.0320 0x0734 [ 0109C4F3850DFBAB279542515386AE22, 4F6DB1E499AC853FD36FD603FBB6D3AC9BDCEB298C7FE1FB59A9236CB46729B2 ] NdisTapi C:\WINDOWS\system32\DRIVERS\ndistapi.sys
    15:27:39.0320 0x0734 NdisTapi - ok
    15:27:39.0480 0x0734 [ F927A4434C5028758A842943EF1A3849, B1AA3AF150C05307461774925901789456B0CCCD03A5E71ADA4AB58455962BEE ] Ndisuio C:\WINDOWS\system32\DRIVERS\ndisuio.sys
    15:27:39.0480 0x0734 Ndisuio - ok
    15:27:39.0570 0x0734 [ EDC1531A49C80614B2CFDA43CA8659AB, 494042F790F33721328B4451E79842E21919681CC421A4F9633EC4D383E06097 ] NdisWan C:\WINDOWS\system32\DRIVERS\ndiswan.sys
    15:27:39.0580 0x0734 NdisWan - ok
    15:27:39.0720 0x0734 [ 9282BD12DFB069D3889EB3FCC1000A9B, 09A46F1712BD9165068D8E153585FE3E6E5CBF4F1DDEC142115555D3A91AEC09 ] NDProxy C:\WINDOWS\system32\drivers\NDProxy.sys
    15:27:39.0720 0x0734 NDProxy - ok
    15:27:39.0851 0x0734 [ 5D81CF9A2F1A3A756B66CF684911CDF0, 7989C36607CAEA17AFA2C1C9904145CA0714A54B9F712D9D4C1AB140D0B2CC0C ] NetBIOS C:\WINDOWS\system32\DRIVERS\netbios.sys
    15:27:39.0851 0x0734 NetBIOS - ok
    15:28:03.0274 0x0734 [ Global ] - ok
    15:28:03.0274 0x0734 ================ Scan MBR ==================================
    15:28:03.0324 0x0734 [ AB67D479E4EE1CCAD757294B60DDB98F ] \Device\Harddisk0\DR0
    15:28:03.0615 0x0734 \Device\Harddisk0\DR0 - ok
    15:28:03.0625 0x0734 ================ Scan VBR ==================================
    15:28:03.0645 0x0734 [ 4FDC23B120F0EC5F80AE98557F4D9DCB ] \Device\Harddisk0\DR0\Partition1
    15:28:03.0645 0x0734 \Device\Harddisk0\DR0\Partition1 - ok
    15:28:13.0639 0x0734 AV detected via SS1: AVG Anti-Virus Free, 9.0, disabled, updated
    15:28:13.0649 0x0734 Win FW state via NFM: enabled
    15:28:16.0113 0x0734 ============================================================
    15:28:16.0113 0x0734 Scan finished
    15:28:16.0113 0x0734 ============================================================
    15:28:16.0163 0x0188 Detected object count: 1
    15:28:16.0163 0x0188 Actual detected object count: 1
    15:28:56.0170 0x0188 C:\WINDOWS\System32\Drivers\13c0aa386e2175ba.sys - copied to quarantine
    15:28:56.0311 0x0188 HKLM\SYSTEM\ControlSet002\services\13c0aa386e2175ba - will be deleted on reboot
    15:28:56.0511 0x0188 HKLM\SYSTEM\ControlSet003\services\13c0aa386e2175ba - will be deleted on reboot
    15:28:56.0941 0x0188 C:\WINDOWS\System32\Drivers\13c0aa386e2175ba.sys - will be deleted on reboot
    15:28:56.0941 0x0188 13c0aa386e2175ba ( Rootkit.Win32.Necurs.gen ) - User select action: Delete
    15:28:58.0984 0x0188 KLMD registered as C:\WINDOWS\system32\drivers\15012141.sys
    15:29:08.0368 0x0250 Deinitialize success


    15:33:47.0974 0x017c TDSS rootkit removing tool 3.0.0.41 Oct 28 2014 17:58:34
    15:33:49.0986 0x017c ============================================================
    15:33:49.0986 0x017c Current date / time: 2014/11/16 15:33:49.0986
    15:33:49.0986 0x017c SystemInfo:
    15:33:49.0986 0x017c
    15:33:49.0986 0x017c OS Version: 5.1.2600 ServicePack: 3.0
    15:33:49.0986 0x017c Product type: Workstation
    15:33:49.0986 0x017c ComputerName: THINKPAD
    15:33:49.0986 0x017c UserName: IBM
    15:33:49.0986 0x017c Windows directory: C:\WINDOWS
    15:33:49.0986 0x017c System windows directory: C:\WINDOWS
    15:33:49.0986 0x017c Processor architecture: Intel x86
    15:33:49.0986 0x017c Number of processors: 1
    15:33:49.0986 0x017c Page size: 0x1000
    15:33:49.0986 0x017c Boot type: Normal boot
    15:33:49.0986 0x017c ============================================================
    15:33:49.0996 0x017c BG loaded
    15:34:04.0768 0x017c System UUID: {65C7A9CC-C291-863E-FB8C-E2EA3E48D80E}
    15:34:43.0974 0x017c Drive \Device\Harddisk0\DR0 - Size: 0x4A8530000 ( 18.63 Gb ), SectorSize: 0x200, Cylinders: 0xA18, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xF0, Type 'K0', Flags 0x00000044
    15:34:44.0054 0x017c ============================================================
    15:34:44.0054 0x017c \Device\Harddisk0\DR0:
    15:34:45.0016 0x017c MBR partitions:
    15:34:45.0016 0x017c \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x2272C11
    15:34:45.0016 0x017c ============================================================
    15:34:47.0018 0x017c C: <-> \Device\Harddisk0\DR0\Partition1
    15:34:47.0018 0x017c ============================================================
    15:34:47.0018 0x017c Initialize success
    15:34:47.0018 0x017c ============================================================
    15:37:17.0675 0x0dd4 Deinitialize success


    Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 16-11-2014 01
    Ran by IBM (administrator) on THINKPAD on 16-11-2014 15:42:07
    Running from C:\Documents and Settings\IBM\Desktop
    Loaded Profile: IBM (Available profiles: IBM & Administrator)
    Platform: Microsoft Windows XP Professional Service Pack 3 (X86) OS Language: English (United States)
    Internet Explorer Version 7
    Boot Mode: Normal
    Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic...ery-scan-tool/

    ==================== Processes (Whitelisted) =================

    (If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

    () C:\WINDOWS\system32\ibmpmsvc.exe
    (AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG9\avgchsvx.exe
    (AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG9\avgrsx.exe
    (AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG9\avgcsrvx.exe
    () C:\WINDOWS\system32\ati2evxx.exe
    (AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG9\avgwdsvc.exe
    (Oracle Corporation) C:\Program Files\Java\jre7\bin\jqs.exe
    (Hewlett-Packard Company) C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    () C:\WINDOWS\system32\QCONSVC.EXE
    (AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG9\avgemc.exe
    (AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG9\avgnsx.exe
    (AVG Technologies CZ, s.r.o.) C:\Program Files\AVG\AVG9\avgcsrvx.exe
    (Microsoft Corporation) C:\WINDOWS\system32\wscntfy.exe
    (IBM Corporation) C:\WINDOWS\system32\tp4serv.exe
    (IBM Corp.) C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
    (Microsoft Corporation) C:\WINDOWS\system32\rundll32.exe
    () C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE
    () C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
    () C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
    (Agere Systems) C:\WINDOWS\AGRSMMSG.exe
    (AVG Technologies CZ, s.r.o.) C:\PROGRA~1\AVG\AVG9\avgtray.exe
    (Oracle Corporation) C:\Program Files\Common Files\Java\Java Update\jusched.exe
    () C:\Program Files\802.11 Wireless LAN\802.11g Wireless Adapter HW.15 V.1.00\WlanCU.exe


    ==================== Registry (Whitelisted) ==================

    (If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

    HKLM\...\Run: [ATIModeChange] => C:\WINDOWS\system32\Ati2mdxx.exe [28672 2002-06-12] (ATI Technologies, Inc.)
    HKLM\...\Run: [TrackPointSrv] => C:\WINDOWS\system32\tp4serv.exe [179200 2002-03-20] (IBM Corporation)
    HKLM\...\Run: [TPTRAY] => C:\Program Files\ThinkPad\Utilities\TP98TRAY.EXE [48128 2002-03-26] (IBM Corp.)
    HKLM\...\Run: [BMMGAG] => RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
    HKLM\...\Run: [QCTRAY] => C:\Program Files\ThinkPad\ConnectUtilities\QCTRAY.EXE [491520 2002-07-15] ()
    HKLM\...\Run: [QCWLICON] => C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE [49152 2002-07-15] ()
    HKLM\...\Run: [TP4EX] => C:\WINDOWS\system32\tp4ex.exe [40960 2002-02-22] (IBM Corporation)
    HKLM\...\Run: [TPHOTKEY] => C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe [69632 2002-05-30] ()
    HKLM\...\Run: [UC_SMB] => [X]
    HKLM\...\Run: [Tgcmd] => C:\Program Files\Support.com\bin\tgcmd.exe [1519616 2001-11-07] (Support.com, Inc.)
    HKLM\...\Run: [AGRSMMSG] => C:\WINDOWS\AGRSMMSG.exe [88363 2003-06-27] (Agere Systems)
    HKLM\...\Run: [NeroCheck] => C:\WINDOWS\system32\\NeroCheck.exe [155648 2001-07-09] (Ahead Software Gmbh)
    HKLM\...\Run: [Adobe Reader Speed Launcher] => C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [39792 2009-10-03] (Adobe Systems Incorporated)
    HKLM\...\Run: [AVG9_TRAY] => C:\Program Files\AVG\AVG9\avgtray.exe [2077536 2012-01-26] (AVG Technologies CZ, s.r.o.)
    HKLM\...\Run: [Adobe ARM] => C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [935288 2009-09-04] (Adobe Systems Incorporated)
    HKLM\...\Run: [SunJavaUpdateSched] => C:\Program Files\Common Files\Java\Java Update\jusched.exe [271744 2014-09-26] (Oracle Corporation)
    Winlogon\Notify\avgrsstarter: C:\WINDOWS\system32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
    HKU\S-1-5-21-247674877-3848448594-3852255402-1004\...\Run: [updateMgr] => "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_1_0 -reboot 1
    HKU\S-1-5-21-247674877-3848448594-3852255402-1004\...\MountPoints2: {9e452150-6d2a-11dd-b2de-0018e7297566} - E:\LaunchU3.exe -a
    Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Find Fast.lnk
    ShortcutTarget: Microsoft Find Fast.lnk -> C:\Program Files\Microsoft Office\Office\FINDFAST.EXE ()
    Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Wireless Configuration Utility HW.15.lnk
    ShortcutTarget: Wireless Configuration Utility HW.15.lnk -> C:\Program Files\802.11 Wireless LAN\802.11g Wireless Adapter HW.15 V.1.00\WlanCU.exe ()
    Startup: C:\Documents and Settings\IBM\Start Menu\Programs\Startup\Microsoft Office Fast Start.lnk
    ShortcutTarget: Microsoft Office Fast Start.lnk -> C:\MSOffice\Office\FASTBOOT.EXE ()

    ==================== Internet (Whitelisted) ====================

    (If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

    HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.orange.co.uk
    SearchScopes: HKCU - DefaultScope {2737D436-02AF-442D-87F4-70874E2A19E8} URL = http://www.google.co.uk/search?hl=en&q={searchTerms}&meta=
    SearchScopes: HKCU - {2737D436-02AF-442D-87F4-70874E2A19E8} URL = http://www.google.co.uk/search?hl=en&q={searchTerms}&meta=
    BHO: Adobe PDF Reader Link Helper -> {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -> C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
    BHO: AVG Safe Search -> {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} -> C:\Program Files\AVG\AVG9\avgssie.dll (AVG Technologies CZ, s.r.o.)
    BHO: Spybot-S&D IE Protection -> {53707962-6F74-2D53-2644-206D7942484F} -> C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
    BHO: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
    BHO: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
    Toolbar: HKLM - Orange Toolbar - {E97B5F2E-CA8E-4D34-BDA3-44EEC4ED2B12} - C:\Program Files\Orange Toolbar UK\ToolbarContainer211.dll (Copernic Technologies Inc.)
    DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} http://appldnld.apple.com.edgesuite....x/qtplugin.cab
    DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} http://upload.facebook.com/controls/...oUploader5.cab
    DPF: {2DAD3559-2923-4935-AD49-B673D2539944} http://www-307.ibm.com/pc/support/acpir.cab
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://update.microsoft.com/windowsu...?1166184064923
    DPF: {74FFE28D-2378-11D5-990C-006094235084} https://www-307.ibm.com/pc/support/a...t/IbmEgath.cab
    DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} http://upload.facebook.com/controls/...Uploader55.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get.../ultrashim.cab
    DPF: {BE415DD9-C50D-46AA-9B5D-37F2EEBBBFE6} https://www-307.ibm.com/pc/support/a...AcpControl.cab
    Handler: lid - {5C135180-9973-46D9-ABF4-148267CBB8BF} - C:\WINDOWS\System32\msvidctl.dll (Microsoft Corporation)
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll (AVG Technologies CZ, s.r.o.)
    Hosts: There are more than one entry in Hosts. See Hosts section of Addition.txt
    Tcpip\Parameters: [DhcpNameServer] 192.168.1.1

    FireFox:
    ========
    FF ProfilePath: C:\Documents and Settings\IBM\Application Data\Mozilla\Firefox\Profiles\it92t6zv.default
    FF Homepage: file:///C:/Documents/Links_07.htm
    FF NetworkProxy: "no_proxies_on", "localhost,127.0.0.1"
    FF Plugin: @adobe.com/FlashPlayer -> C:\WINDOWS\system32\Macromed\Flash\NPSWF32_12_0_0_44.dll ()
    FF Plugin: @java.com/DTPlugin,version=10.71.2 -> C:\Program Files\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
    FF Plugin: @java.com/JavaPlugin,version=10.71.2 -> C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
    FF Plugin: @microsoft.com/WPF,version=3.5 -> C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
    FF Plugin: @tools.google.com/Google Update;version=3 -> C:\Program Files\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
    FF Plugin: @tools.google.com/Google Update;version=9 -> C:\Program Files\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
    FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\npnul32.dll (mozilla.org)
    FF Plugin ProgramFiles/Appdata: C:\Program Files\mozilla firefox\plugins\nppdf32.dll (Adobe Systems Inc.)
    FF SearchPlugin: C:\Program Files\mozilla firefox\searchplugins\answers.xml
    FF SearchPlugin: C:\Program Files\mozilla firefox\searchplugins\creativecommons.xml
    FF Extension: British English Dictionary - C:\Documents and Settings\IBM\Application Data\Mozilla\Firefox\Profiles\it92t6zv.default\Extensions\en-GB@dictionaries.addons.mozilla.org [2010-12-10]
    FF Extension: external IP - C:\Documents and Settings\IBM\Application Data\Mozilla\Firefox\Profiles\it92t6zv.default\Extensions\externalip@erik.morlin [2010-01-25]
    FF Extension: printpdf - C:\Documents and Settings\IBM\Application Data\Mozilla\Firefox\Profiles\it92t6zv.default\Extensions\printpdf@pavlov.net [2010-08-10]
    FF Extension: YouTube Unblocker - C:\Documents and Settings\IBM\Application Data\Mozilla\Firefox\Profiles\it92t6zv.default\Extensions\youtubeunblocker@unblocker.yt [2013-06-09]
    FF Extension: Microsoft .NET Framework Assistant - C:\Documents and Settings\IBM\Application Data\Mozilla\Firefox\Profiles\it92t6zv.default\Extensions\{20a82645-c095-46ed-80e3-08825760534b} [2010-04-28]
    FF Extension: Media Converter - C:\Documents and Settings\IBM\Application Data\Mozilla\Firefox\Profiles\it92t6zv.default\Extensions\{6e764c17-863a-450f-bdd0-6772bd5aaa18} [2009-04-07]
    FF Extension: DownloadHelper - C:\Documents and Settings\IBM\Application Data\Mozilla\Firefox\Profiles\it92t6zv.default\Extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d} [2014-03-25]
    FF Extension: RightToClick - C:\Documents and Settings\IBM\Application Data\Mozilla\Firefox\Profiles\it92t6zv.default\Extensions\{cd617375-6743-4ee8-bac4-fbf10f35729e} [2012-01-23]
    FF Extension: Adblock Plus - C:\Documents and Settings\IBM\Application Data\Mozilla\Firefox\Profiles\it92t6zv.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} [2012-01-06]
    FF Extension: Block site - C:\Documents and Settings\IBM\Application Data\Mozilla\Firefox\Profiles\it92t6zv.default\Extensions\{dd3d7613-0246-469d-bc65-2a3cc1668adc} [2013-08-12]
    FF Extension: DownThemAll! - C:\Documents and Settings\IBM\Application Data\Mozilla\Firefox\Profiles\it92t6zv.default\Extensions\{DDC359D1-844A-42a7-9AA1-88A850A938A8} [2013-04-03]
    FF Extension: Web2PDF converter - C:\Documents and Settings\IBM\Application Data\Mozilla\Firefox\Profiles\it92t6zv.default\Extensions\{e8f509f0-b677-11de-8a39-0800200c9a66} [2011-07-07]
    FF Extension: Java Console - C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} [2009-03-06]
    FF Extension: Java Console - C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} [2009-04-01]
    FF Extension: Java Console - C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} [2009-06-10]
    FF Extension: Java Console - C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} [2009-08-04]
    FF Extension: Java Console - C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} [2009-11-04]
    FF Extension: Java Console - C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} [2010-04-15]
    FF Extension: Java Console - C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} [2010-08-14]
    FF Extension: Java Console - C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} [2010-10-15]
    FF Extension: Java Console - C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} [2011-01-15]
    FF Extension: Java Console - C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} [2011-02-16]
    FF Extension: Java Console - C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} [2011-06-15]
    FF Extension: Java Console - C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0033-ABCDEFFEDCBA} [2012-06-20]
    FF HKLM\...\Firefox\Extensions: [{3f963a5b-e555-4543-90e2-c3908898db71}] - C:\Program Files\AVG\AVG9\Firefox
    FF Extension: AVG Safe Search - C:\Program Files\AVG\AVG9\Firefox [2009-11-05]
    FF HKLM\...\Firefox\Extensions: [{20a82645-c095-46ed-80e3-08825760534b}] - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF Extension: Microsoft .NET Framework Assistant - C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension [2009-08-22]

    Chrome:
    =======
    CHR HomePage: Default -> file:///C:/Documents/Links_07.htm
    CHR StartupUrls: Default -> "file:///C:/Documents/Links_07.htm"
    CHR Profile: C:\Documents and Settings\IBM\Local Settings\Application Data\Google\Chrome\User Data\Default
    CHR Extension: (Google Drive) - C:\Documents and Settings\IBM\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2012-12-12]
    CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Documents and Settings\IBM\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-05-22]
    CHR Extension: (YouTube) - C:\Documents and Settings\IBM\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2012-12-12]
    CHR Extension: (Google Search) - C:\Documents and Settings\IBM\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2012-12-12]
    CHR Extension: (Google Wallet) - C:\Documents and Settings\IBM\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-09-01]
    CHR Extension: (Adblock Pro) - C:\Documents and Settings\IBM\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\ocifcklkibdehekfnmflempfgjhbedch [2014-01-19]
    CHR Extension: (Gmail) - C:\Documents and Settings\IBM\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2012-12-12]

    ========================== Services (Whitelisted) =================

    (If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

    R2 Ati HotKey Poller; C:\WINDOWS\System32\Ati2evxx.exe [131072 2002-06-12] ()
    R2 avg9emc; C:\Program Files\AVG\AVG9\avgemc.exe [921952 2010-07-21] (AVG Technologies CZ, s.r.o.)
    R2 avg9wd; C:\Program Files\AVG\AVG9\avgwdsvc.exe [308136 2010-07-21] (AVG Technologies CZ, s.r.o.)
    R2 IBMPMSVC; C:\WINDOWS\system32\ibmpmsvc.exe [57344 2003-07-03] ()
    S3 IDriverT; C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe [69632 2005-11-14] (Macrovision Corporation) [File not signed]
    R2 JavaQuickStarterService; C:\Program Files\Java\jre7\bin\jqs.exe [182696 2014-10-18] (Oracle Corporation)
    R2 QCONSVC; C:\WINDOWS\System32\QCONSVC.EXE [40960 2002-07-15] () [File not signed]
    S4 NMIndexingService; "C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe" [X]

    ==================== Drivers (Whitelisted) ====================

    (If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

    R2 AegisP; C:\WINDOWS\System32\DRIVERS\AegisP.sys [21419 2007-10-22] (Meetinghouse Data Communications) [File not signed]
    R1 AvgLdx86; C:\WINDOWS\System32\Drivers\avgldx86.sys [226016 2013-01-15] (AVG Technologies CZ, s.r.o.)
    R1 AvgMfx86; C:\WINDOWS\System32\Drivers\avgmfx86.sys [29712 2011-09-13] (AVG Technologies CZ, s.r.o.)
    R1 AvgTdiX; C:\WINDOWS\System32\Drivers\avgtdix.sys [243152 2011-05-06] (AVG Technologies CZ, s.r.o.)
    R1 DSMBATT; C:\WINDOWS\System32\drivers\DSMBATT.SYS [9888 2002-04-05] () [File not signed]
    R2 EGATHDRV; C:\WINDOWS\system32\EGATHDRV.SYS [11712 2006-06-29] (IBM Corporation)
    R3 IBMPMDRV; C:\WINDOWS\System32\DRIVERS\ibmpmdrv.sys [11344 2003-07-03] (IBM Corp.)
    R1 IBMTPCHK; C:\WINDOWS\System32\drivers\IBMBLDID.SYS [2295 2002-07-15] () [File not signed]
    R2 PMEM; C:\WINDOWS\system32\drivers\PMEMNT.SYS [7012 2001-09-13] (Microsoft Corporation) [File not signed]
    R3 Rasirda; C:\WINDOWS\System32\DRIVERS\rasirda.sys [19584 2001-08-17] (Microsoft Corporation)
    R3 rtl8185; C:\WINDOWS\System32\DRIVERS\rtl8185.sys [306304 2007-01-29] (Realtek Semiconductor Corporation ) [File not signed]
    R1 Smapint; C:\WINDOWS\System32\drivers\Smapint.sys [13824 2002-03-26] (Microsoft Corporation) [File not signed]
    R1 TDSMAPI; C:\WINDOWS\System32\Drivers\TDSMAPI.SYS [7168 2002-03-26] () [File not signed]
    R3 Tp4Track; C:\WINDOWS\System32\DRIVERS\tp4track.sys [14175 2002-03-20] (IBM Corporation)
    R1 TPHKDRV; C:\WINDOWS\system32\Drivers\TPHKDRV.sys [11550 2002-01-28] (IBM Corporation) [File not signed]
    R1 TPPWR; C:\WINDOWS\System32\drivers\Tppwr.sys [12288 2002-03-26] (IBM Corp.) [File not signed]
    U3 TrueSight; C:\WINDOWS\system32\drivers\TrueSight.sys [34808 2014-11-16] ()
    R1 TSMAPIP; C:\WINDOWS\System32\drivers\TSMAPIP.SYS [7168 2002-03-26] () [File not signed]
    S4 hpt3xx; No ImagePath
    U5 ScsiPort; C:\WINDOWS\system32\drivers\scsiport.sys [96384 2008-04-13] (Microsoft Corporation)
    S3 SjyPkt; \??\C:\WINDOWS\System32\Drivers\SjyPkt.sys [X]

    ==================== NetSvcs (Whitelisted) ===================


    (If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


    ==================== One Month Created Files and Folders ========

    (If an entry is included in the fixlist, the file\folder will be moved.)

    2014-11-16 15:42 - 2014-11-16 15:43 - 00018465 _____ () C:\Documents and Settings\IBM\Desktop\FRST.txt
    2014-11-16 15:41 - 2014-11-16 15:41 - 00000000 ____D () C:\Documents and Settings\IBM\Desktop\FRST-OlderVersion
    2014-11-16 15:28 - 2014-11-16 15:28 - 00000000 ____D () C:\TDSSKiller_Quarantine
    2014-11-16 15:24 - 2014-11-16 15:24 - 00002602 _____ () C:\Documents and Settings\IBM\Desktop\RKreport_DEL_11162014_152357.log
    2014-11-16 15:09 - 2014-11-16 15:10 - 04163057 _____ () C:\Documents and Settings\IBM\Desktop\tdsskiller.zip
    2014-11-16 00:23 - 2014-11-16 15:14 - 00034808 _____ () C:\WINDOWS\system32\Drivers\TrueSight.sys
    2014-11-16 00:23 - 2014-11-16 00:23 - 00000000 ____D () C:\Documents and Settings\All Users\Application Data\RogueKiller
    2014-11-16 00:20 - 2014-11-16 00:20 - 14678104 _____ () C:\Documents and Settings\IBM\Desktop\RogueKiller.exe
    2014-11-14 15:33 - 2014-11-16 15:42 - 00000000 ____D () C:\FRST
    2014-11-14 15:28 - 2014-11-14 15:28 - 00000000 ____D () C:\RegBackup
    2014-11-14 15:26 - 2014-11-14 15:26 - 00001887 _____ () C:\Documents and Settings\All Users\Desktop\Tweaking.com - Registry Backup.lnk
    2014-11-14 15:26 - 2014-11-14 15:26 - 00000000 ____D () C:\Program Files\Tweaking.com
    2014-11-14 15:26 - 2014-11-14 15:26 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\Tweaking.com
    2014-11-14 15:15 - 2014-11-16 15:41 - 01108992 _____ (Farbar) C:\Documents and Settings\IBM\Desktop\FRST.exe
    2014-11-14 15:15 - 2014-11-14 15:15 - 05198336 _____ (AVAST Software) C:\Documents and Settings\IBM\Desktop\aswMBR.exe
    2014-11-14 15:14 - 2014-11-14 15:14 - 04215584 _____ () C:\Documents and Settings\IBM\Desktop\tweaking.com_registry_backup_setup.exe
    2014-11-14 03:04 - 2014-11-14 03:04 - 00001434 _____ () C:\Documents and Settings\IBM\Desktop\mbam_scan.txt
    2014-11-14 03:01 - 2014-11-14 03:01 - 00114904 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\46EE46CA.sys
    2014-11-14 00:27 - 2014-11-14 00:27 - 00114904 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\34C750CB.sys
    2014-11-10 16:36 - 2014-11-10 16:36 - 00242592 _____ () C:\Documents and Settings\IBM\Desktop\separate+-0.5.7.zip
    2014-10-28 18:00 - 2014-11-16 15:13 - 04184008 _____ (Kaspersky Lab ZAO) C:\Documents and Settings\IBM\Desktop\TDSSKiller.exe
    2014-10-24 23:32 - 2014-10-24 23:33 - 00000000 ____D () C:\Program Files\GUMF.tmp
    2014-10-19 00:19 - 2014-11-13 00:45 - 00016896 _____ () C:\Documents and Settings\IBM\Desktop\2015 Tour.xls
    2014-10-18 16:36 - 2014-10-18 16:36 - 00000000 ____D () C:\Program Files\Common Files\Java
    2014-10-18 16:35 - 2014-10-18 16:35 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\Java
    2014-10-18 16:35 - 2014-10-18 16:34 - 00272808 _____ (Oracle Corporation) C:\WINDOWS\system32\javaws.exe
    2014-10-18 16:35 - 2014-10-18 16:34 - 00175528 _____ (Oracle Corporation) C:\WINDOWS\system32\javaw.exe
    2014-10-18 16:35 - 2014-10-18 16:34 - 00175528 _____ (Oracle Corporation) C:\WINDOWS\system32\java.exe
    2014-10-18 16:35 - 2014-10-18 16:34 - 00145408 _____ (Oracle Corporation) C:\WINDOWS\system32\javacpl.cpl
    2014-10-18 16:35 - 2014-10-18 16:34 - 00096680 _____ (Oracle Corporation) C:\WINDOWS\system32\WindowsAccessBridge.dll

    ==================== One Month Modified Files and Folders =======

    (If an entry is included in the fixlist, the file\folder will be moved.)

    2014-11-16 15:43 - 2012-12-12 16:25 - 00000886 _____ () C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
    2014-11-16 15:43 - 2006-12-15 18:03 - 00000000 ____D () C:\Documents and Settings\IBM\Local Settings\Temp
    2014-11-16 15:36 - 2007-09-26 13:10 - 00086528 ___SH () C:\WINDOWS\Thumbs.db
    2014-11-16 15:34 - 2007-10-22 13:22 - 00006918 _____ () C:\WINDOWS\RTacDbg.txt
    2014-11-16 15:34 - 2006-12-15 19:17 - 01080749 _____ () C:\WINDOWS\WindowsUpdate.log
    2014-11-16 15:33 - 1980-01-01 08:00 - 00002206 _____ () C:\WINDOWS\system32\wpa.dbl
    2014-11-16 15:32 - 2012-12-12 16:25 - 00000882 _____ () C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
    2014-11-16 15:32 - 2006-12-04 23:50 - 00000006 ____H () C:\WINDOWS\Tasks\SA.DAT
    2014-11-16 15:32 - 2006-12-04 23:44 - 00000159 _____ () C:\WINDOWS\wiadebug.log
    2014-11-16 15:32 - 2006-12-04 23:44 - 00000050 _____ () C:\WINDOWS\wiaservc.log
    2014-11-16 15:29 - 2006-12-15 18:03 - 00000178 ___SH () C:\Documents and Settings\IBM\ntuser.ini
    2014-11-16 15:29 - 2006-12-05 00:15 - 00031988 _____ () C:\WINDOWS\SchedLgU.Txt
    2014-11-16 15:22 - 2006-12-05 00:21 - 00000314 _____ () C:\WINDOWS\Tasks\BMMTask.job
    2014-11-16 15:07 - 2008-06-22 14:05 - 00000000 ____D () C:\WINDOWS\system32\Drivers\Avg
    2014-11-14 15:29 - 2010-01-14 11:19 - 00256041 _____ () C:\WINDOWS\setupapi.log
    2014-11-14 15:28 - 2006-12-04 23:46 - 00000000 ____D () C:\WINDOWS\Registration
    2014-11-14 15:28 - 2006-12-04 23:37 - 00000000 ____D () C:\WINDOWS\repair
    2014-11-14 15:25 - 2009-11-15 02:09 - 00000000 _____ () C:\Documents and Settings\IBM\Local Settings\Application Data\prvlcl.dat
    2014-11-14 01:34 - 2012-01-11 17:40 - 00000000 __HDC () C:\WINDOWS\$NtUninstallKB2646524$
    2014-11-13 20:25 - 2014-08-06 14:25 - 00114904 _____ (Malwarebytes Corporation) C:\WINDOWS\system32\Drivers\MBAMSwissArmy.sys
    2014-11-13 20:24 - 2014-08-06 14:24 - 00000788 _____ () C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
    2014-11-13 20:24 - 2014-08-06 14:24 - 00000000 ____D () C:\Program Files\Malwarebytes Anti-Malware
    2014-11-13 20:24 - 2014-08-06 14:24 - 00000000 ____D () C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes Anti-Malware
    2014-11-13 02:15 - 2007-12-02 16:46 - 00000551 _____ () C:\WINDOWS\IBM.xlb
    2014-11-08 18:23 - 2013-06-02 14:26 - 00000000 ____D () C:\Documents and Settings\IBM\Desktop\Derbyshire Heritage Walks
    2014-11-08 00:12 - 2010-07-30 07:13 - 00000000 ____D () C:\Documents and Settings\IBM\Desktop\Desktop cleanup
    2014-11-08 00:11 - 2014-08-17 12:54 - 00000000 ____D () C:\Documents and Settings\IBM\Desktop\2014
    2014-10-27 15:49 - 2007-09-24 10:58 - 00131584 _____ () C:\Documents and Settings\IBM\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    2014-10-26 13:54 - 2006-12-04 23:40 - 00509652 _____ () C:\WINDOWS\system32\PerfStringBackup.INI
    2014-10-25 22:40 - 2010-07-30 07:51 - 00000000 ____D () C:\Documents and Settings\IBM\Application Data\vlc
    2014-10-25 21:53 - 2011-01-14 01:00 - 00000000 ____D () C:\Documents and Settings\IBM\Application Data\dvdcss
    2014-10-18 16:34 - 2007-09-24 13:27 - 00000000 ____D () C:\Program Files\Java

    Some content of TEMP:
    ====================
    C:\Documents and Settings\Administrator\Local Settings\Temp\hhupd.exe
    C:\Documents and Settings\Administrator\Local Settings\Temp\ntfsfix.exe
    C:\Documents and Settings\Administrator\Local Settings\Temp\Shockwave_Installer_Full-8-5.exe
    C:\Documents and Settings\Default User\Local Settings\Temp\hhupd.exe
    C:\Documents and Settings\Default User\Local Settings\Temp\ntfsfix.exe
    C:\Documents and Settings\Default User\Local Settings\Temp\Shockwave_Installer_Full-8-5.exe
    C:\Documents and Settings\IBM\Local Settings\Temp\dllnt_dump.dll
    C:\Documents and Settings\IBM\Local Settings\Temp\jre-7u65-windows-i586-iftw.exe
    C:\Documents and Settings\IBM\Local Settings\Temp\jre-7u67-windows-i586-iftw.exe
    C:\Documents and Settings\IBM\Local Settings\Temp\jre-7u71-windows-i586-iftw.exe
    C:\Documents and Settings\IBM\Local Settings\Temp\{1ACB7F4D-5850-43BD-917E-D317FFF39891}-37.0.2062.124_37.0.2062.120_chrome_updater.exe
    C:\Documents and Settings\IBM\Local Settings\Temp\{E56C9BA8-3DB2-4B17-91DF-80BB3AA87C80}.exe


    ==================== Bamital & volsnap Check =================

    (There is no automatic fix for files that do not pass verification.)

    C:\WINDOWS\explorer.exe => File is digitally signed
    C:\WINDOWS\system32\winlogon.exe => File is digitally signed
    C:\WINDOWS\system32\svchost.exe => File is digitally signed
    C:\WINDOWS\system32\services.exe => File is digitally signed
    C:\WINDOWS\system32\User32.dll => File is digitally signed
    C:\WINDOWS\system32\userinit.exe => File is digitally signed
    C:\WINDOWS\system32\rpcss.dll => File is digitally signed
    C:\WINDOWS\system32\Drivers\volsnap.sys => File is digitally signed

    ==================== End Of Log ============================

  6. #6
    Malware Team-Emeritus
    Join Date
    Sep 2012
    Location
    Florida, USA
    Posts
    1,161

    Hi lather,

    Is it possible that the infection could also have hit this drive (set up as a non-bootable D: drive containing an archive of data files like Word documents, pictures, videos and music tracks, plus archived software in zip files), and if so, what's going to be the best way of checking it to make sure its OK?
    Yes it is possible. How do you access this drive?

    =========================

    Re-run RogueKiller

    Right click and select "Run as Administrator"
    • Quit all programs
    • Wait until Prescan has finished ...
    • Click on Scan, Do Not Fix Anything at this point.
    • Click the Report button, save the report to your desktop

    =========================

    In your next post please provide the following:
    • RogueKiller log
    OCD
    ----------
    Graduate of WTT Classroom
    Member of UNITE

    Threads will be closed if no response after 5 days

  7. #7
    Member
    Join Date
    Feb 2009
    Posts
    55

    OK, the second hard drive is in a caddy that slips into the computer itself in place of the internal DVD drive, so it is not a USB connection, but connects direct to the system board via what appears to be a direct IDE/PATA connection (the connector on the outside of the caddy isn't a standard IDE connector, but I think it just goes straight through from the IDE socket inside the caddy to the socket on the outside of it without any other circuitry in between). In 'My Computer', the drive appears as drive D:, next to the normal C: drive, and is accessed in exactly the same way. A full system scan in AVG also scans the drive, and I think it is the same in Mbam too. So the drive is essentially seen by Windows as an integral part of the system, not an external peripheral.

    If it makes it easier to check it and see if it is OK, I do have an IDE to USB connector, which I can use to temporarily turn the drive into an external USB drive.


    As per your instructions, I re-ran RogueKiller - I'm assuming that, as you made no mention of the D: drive, you didn't want me to insert it before running the scan. When I launched the program, I got an unexpected bit during the initialisation process when a Windows error message popped up about drive A: not being ready - unexpected as there is no A: drive on the machine! (It is on a docking station that allows you to connect an external floppy, but no such drive is connected, and I didn't get the error message before, so thought I'd better mention it as newly-seen anomalous behavior.) I was able to cancel it and, after the scan had finished and I'd saved the report, I exited and re-loaded RogueKiller to see if the error message came up again. It did, so I took a screen cap for you to see exactly what it said.

    error_message.JPG

    I'm hoping that it's some sort of Windows glitch, and not a symptom of something nasty!

    Anyway, here's the requested log:

    RogueKiller V10.0.6.0 [Nov 13 2014] by Adlice Software
    mail : http://www.adlice.com/contact/
    Feedback : http://forum.adlice.com
    Website : http://www.adlice.com/softwares/roguekiller/
    Blog : http://www.adlice.com

    Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
    Started in : Normal mode
    User : IBM [Administrator]
    Mode : Scan -- Date : 11/17/2014 14:09:08

    ¤¤¤ Processes : 0 ¤¤¤

    ¤¤¤ Registry : 6 ¤¤¤
    [PUP] HKEY_CLASSES_ROOT\CLSID\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} -> Found
    [PUP] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} -> Found
    [PUM.HomePage] HKEY_USERS\S-1-5-21-247674877-3848448594-3852255402-1004\Software\Microsoft\Internet Explorer\Main | Start Page : file:///C:/Documents/Links_07.htm -> Found
    [PUM.SearchPage] HKEY_USERS\S-1-5-21-247674877-3848448594-3852255402-1004\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir...ie&ar=iesearch -> Found
    [PUM.StartMenu] HKEY_USERS\S-1-5-21-247674877-3848448594-3852255402-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowRecentDocs : 2 -> Found
    [PUM.DesktopIcons] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Found

    ¤¤¤ Tasks : 0 ¤¤¤

    ¤¤¤ Files : 0 ¤¤¤

    ¤¤¤ Hosts File : 0 [Too big!] ¤¤¤

    ¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

    ¤¤¤ Web browsers : 1 ¤¤¤
    [PUM.HomePage][FIREFX:Config] it92t6zv.default : user_pref("browser.startup.homepage", "file:///C:/Documents/Links_07.htm"); -> Found

    ¤¤¤ MBR Check : ¤¤¤
    +++++ PhysicalDrive0: IC25N020ATCS04-0 +++++
    --- User ---
    [MBR] b6351a83af7db8b2b21a75bce7ef0bde
    [BSP] 8ac2aeb576eb43be8ab59644d36fa76e : Unknown MBR Code
    Partition table:
    0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 63 | Size: 17637 MB
    1 - [XXXXXX] FAT32-LBA (0x1c) [HIDDEN!] Offset (sectors): 36121680 | Size: 1439 MB
    User = LL1 ... OK
    User = LL2 ... OK


    ============================================
    RKreport_DEL_11162014_152357.log - RKreport_SCN_11162014_003509.log - RKreport_SCN_11162014_152242.log

  8. #8
    Malware Team-Emeritus
    Join Date
    Sep 2012
    Location
    Florida, USA
    Posts
    1,161

    Default

    Hi lather,

    OK, it seems I was a little confused at first at how the second drive was connected to your system. I thought you connected it, backed up any necessary files, then disconnected it.
    That is not the case, correct? It is always connected via the cables; it just occupies the DVD slot in the case.

    To date, has the second drive been connected during the previous scans?
    If not, then please connect it (be sure the D drive shows in "My Computer") and run a new RogueKiller scan.
    OCD
    ----------
    Graduate of WTT Classroom
    Member of UNITE

    Threads will be closed if no response after 5 days

  9. #9
    Member
    Join Date
    Feb 2009
    Posts
    55

    Default

    No, the second drive wasn't in place for any of the previous scans, so I've re-installed it and run RogueKiller again.


    RogueKiller V10.0.6.0 [Nov 13 2014] by Adlice Software
    mail : http://www.adlice.com/contact/
    Feedback : http://forum.adlice.com
    Website : http://www.adlice.com/softwares/roguekiller/
    Blog : http://www.adlice.com

    Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
    Started in : Normal mode
    User : IBM [Administrator]
    Mode : Scan -- Date : 11/17/2014 19:25:00

    ¤¤¤ Processes : 0 ¤¤¤

    ¤¤¤ Registry : 6 ¤¤¤
    [PUP] HKEY_CLASSES_ROOT\CLSID\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} -> Found
    [PUP] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} -> Found
    [PUM.HomePage] HKEY_USERS\S-1-5-21-247674877-3848448594-3852255402-1004\Software\Microsoft\Internet Explorer\Main | Start Page : file:///C:/Documents/Links_07.htm -> Found
    [PUM.SearchPage] HKEY_USERS\S-1-5-21-247674877-3848448594-3852255402-1004\Software\Microsoft\Internet Explorer\Main | Search Page : http://www.microsoft.com/isapi/redir...ie&ar=iesearch -> Found
    [PUM.StartMenu] HKEY_USERS\S-1-5-21-247674877-3848448594-3852255402-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowRecentDocs : 2 -> Found
    [PUM.DesktopIcons] HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 1 -> Found

    ¤¤¤ Tasks : 0 ¤¤¤

    ¤¤¤ Files : 0 ¤¤¤

    ¤¤¤ Hosts File : 0 [Too big!] ¤¤¤

    ¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤

    ¤¤¤ Web browsers : 1 ¤¤¤
    [PUM.HomePage][FIREFX:Config] it92t6zv.default : user_pref("browser.startup.homepage", "file:///C:/Documents/Links_07.htm"); -> Found

    ¤¤¤ MBR Check : ¤¤¤
    +++++ PhysicalDrive0: IC25N020ATCS04-0 +++++
    --- User ---
    [MBR] b6351a83af7db8b2b21a75bce7ef0bde
    [BSP] 8ac2aeb576eb43be8ab59644d36fa76e : Unknown MBR Code
    Partition table:
    0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 63 | Size: 17637 MB
    1 - [XXXXXX] FAT32-LBA (0x1c) [HIDDEN!] Offset (sectors): 36121680 | Size: 1439 MB
    User = LL1 ... OK
    User = LL2 ... OK

    +++++ PhysicalDrive1: SAMSUNG HM160HC +++++
    --- User ---
    [MBR] 0eab729657d325cc560e0cc412daff46
    [BSP] b9c8f0477e8a5bf36e966c1e3ec93e3f : Windows XP MBR Code
    Partition table:
    0 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 152625 MB
    User = LL1 ... OK
    User = LL2 ... OK


    ============================================
    RKreport_DEL_11162014_152357.log - RKreport_SCN_11162014_003509.log - RKreport_SCN_11162014_152242.log - RKreport_SCN_11172014_140902.log
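As an added example (not from this thread and not Adlice's own code), a small Python triage script for the RogueKiller report layout shown above: it counts findings by class (PUM, a modified user setting such as the home page, versus PUP, a program component such as the BHO CLSID) and picks out drives with unrecognised MBR code or hidden partitions so they can be compared against a known-good image rather than assumed benign. The sample report text, disk models and hashes are constructed, and the regexes are written against the format visible in the posts, not RogueKiller's documented grammar.

```python
import re
from collections import Counter

# Constructed sample in the RogueKiller V10 report layout seen in this thread
# (paths, GUIDs, disk models and hashes are made up for the example).
SAMPLE_REPORT = r"""
[PUP] HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000000} -> Found
[PUM.HomePage] HKEY_USERS\S-1-5-21-1-2-3-1004\Software\Microsoft\Internet Explorer\Main | Start Page : file:///C:/Documents/Links.htm -> Found
[PUM.StartMenu] HKEY_USERS\S-1-5-21-1-2-3-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced | Start_ShowRecentDocs : 2 -> Found
[PUM.HomePage][FIREFX:Config] abcd1234.default : user_pref("browser.startup.homepage", "file:///C:/Documents/Links.htm"); -> Found
+++++ PhysicalDrive0: EXAMPLE-DISK-0 +++++
[MBR] 00000000000000000000000000000000
[BSP] 11111111111111111111111111111111 : Unknown MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 63 | Size: 17637 MB
1 - [XXXXXX] FAT32-LBA (0x1c) [HIDDEN!] Offset (sectors): 36121680 | Size: 1439 MB
+++++ PhysicalDrive1: EXAMPLE-DISK-1 +++++
[MBR] 22222222222222222222222222222222
[BSP] 33333333333333333333333333333333 : Windows XP MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 152625 MB
"""

FINDING_RE = re.compile(r"^\[(?P<cat>[A-Za-z.]+)\](?:\[[^\]]+\])?\s+(?P<detail>.+?)\s+->\s+Found$")
DRIVE_RE = re.compile(r"^\+\+\+\+\+ (?P<drive>PhysicalDrive\d+): (?P<model>.+?) \+\+\+\+\+$")
BSP_RE = re.compile(r"^\[BSP\] [0-9a-f]{32} : (?P<code>.+)$")
PART_RE = re.compile(r"^(?P<idx>\d+) - \[(?P<flag>\w+)\] (?P<fs>\S+) \((?P<type>0x[0-9a-f]+)\) \[(?P<vis>\w+!?)\]")

def triage(report: str) -> dict:
    """Summarise a RogueKiller text report: findings per class and per-drive MBR facts."""
    findings = Counter()
    drives, current = {}, None
    for raw in report.splitlines():
        line = raw.strip()
        if m := FINDING_RE.match(line):
            # PUM = potentially unwanted modification (a user setting); PUP = potentially unwanted program
            findings[m["cat"].split(".")[0]] += 1
        elif m := DRIVE_RE.match(line):
            current = drives.setdefault(m["drive"], {"model": m["model"], "mbr_code": None, "hidden": []})
        elif current and (m := BSP_RE.match(line)):
            current["mbr_code"] = m["code"]
        elif current and (m := PART_RE.match(line)):
            if m["vis"].startswith("HIDDEN"):
                current["hidden"].append((int(m["idx"]), m["fs"], m["type"]))
    return {"findings": dict(findings), "drives": drives}

def needs_review(summary: dict) -> list:
    """Drives with unrecognised MBR code or hidden partitions. Both can be legitimate
    (OEM boot managers, recovery partitions) but should be checked against a known-good image."""
    return [d for d, info in summary["drives"].items()
            if info["mbr_code"] == "Unknown MBR Code" or info["hidden"]]
```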

  10. #10
    Malware Team-Emeritus
    Join Date
    Sep 2012
    Location
    Florida, USA
    Posts
    1,161

    Default

    Hi lather,

    Re-run RogueKiller

    Right click and select "Run as Administrator"
    • Quit all programs
    • Wait until Prescan has finished ...
    • Click on Scan.
    • After the scan has completed click on the Registry tab, and make sure all items found are selected for removal.
    • Do the same for the Web Browser tab, and make sure all items found are selected for removal.
    • Wait until the Status box shows "Scan Finished"
    • Click the Delete button
    • Wait until the Status box shows "Deleting Finished"
    • Click the Report button, save the report to your desktop

    =========================

    Reboot

    =========================

    And run new scans with the following tools: (in the order listed)
    • TDSSKiller
    • FRST


    =========================

    In your next post please provide the following:
    • RogueKiller report
    • TDSSKiller log
    • new FRST.txt
    • How is the computer running, and are there any remaining issues?
    OCD
    ----------
    Graduate of WTT Classroom
    Member of UNITE

    Threads will be closed if no response after 5 days
