Google search engine not workig dds report * attach zip*** please help malware

kidkrops · Aug 25, 2012

HI loyal community,

So i've been having some recent issues with my computer lately and i want to get this system runnning to its fullest potential.

Everytime i open google.com and run a seach on the search engine, i always get a black screen and i get no results. Its like the webpage freezes. Also when i try opening a website like www.google.com/maps or www.google.com/finance i get this

"404 Not Found

--------------------------------------------------------------------------------

nginx/1.2.0
eae00bb3-d172-439f-a81c-6c3c7ba87ea1
Y2:eae00bb3-d172-439f-a81c-6c3c7ba87ea1
"
Here is my DDS REPORT
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 10.5.1
Run by Joe at 15:52:56 on 2012-08-25
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3070.1599 [GMT -4:00]
.
AV: AVG Anti-Virus 2012 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Palm, Inc\novacomd\x86\novacomd.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\StartNow Toolbar\ToolbarUpdaterService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\Logi_MwX.Exe
C:\Program Files\Real\RealPlayer\update\realsched.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Joe\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Documents and Settings\Joe\Local Settings\Application Data\Google\Update\1.3.21.115\GoogleCrashHandler.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\All Users\Application Data\WeCareReminder\ReminderHelper.exe
c:\Program Files\Microsoft Silverlight\5.1.10411.0\agcp.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: StartNow Toolbar Helper: {6e13d095-45c3-4271-9475-f3b48227dd9f} - c:\program files\startnow toolbar\Toolbar32.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\oracle\javafx 2.1 runtime\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.7529.1424\swg.dll
BHO: WeCareReminder Class: {d824f0de-3d60-4f57-9eb1-66033ecd8abb} - c:\documents and settings\all users\application data\wecarereminder\IEHelperv2.5.0.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\oracle\javafx 2.1 runtime\bin\jp2ssv.dll
BHO: Yontoo Layers: {fd72061e-9fde-484d-a58a-0bab4151cad8} - c:\program files\yontoo layers runtime\YontooIEClient.dll
TB: StartNow Toolbar: {5911488e-9d1e-40ec-8cbb-06b231cc153f} - c:\program files\startnow toolbar\Toolbar32.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\joe\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [StartNowToolbarHelper] "c:\program files\startnow toolbar\ToolbarHelper.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [Intuit SyncManager] c:\program files\common files\intuit\sync\IntuitSyncManager.exe startup
mRun: [Logitech Utility] Logi_MwX.Exe
mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\docume~1\joe\startm~1\programs\startup\erunta~1.lnk - c:\documents and settings\joe\desktop\help\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://windowsupdate.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1320210431218
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1320215336734
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
TCP: DhcpNameServer = 167.206.251.129 167.206.251.130
TCP: Interfaces\{13DC235B-8EBF-4AFA-B4FD-6A3FF757B880} : DhcpNameServer = 167.206.251.129 167.206.251.130
Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\intuit\quickbooks 2009\HelpAsyncPluggableProtocol.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
============= SERVICES / DRIVERS ===============
.
R2 NovacomD;Palm Novacom;c:\program files\palm, inc\novacomd\x86\novacomd.exe [2011-3-15 61440]
R2 Updater Service for StartNow Toolbar;Updater Service for StartNow Toolbar;c:\program files\startnow toolbar\ToolbarUpdaterService.exe [2011-7-27 267488]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-11-2 136176]
S3 androidusb;SAMSUNG Android Composite ADB Interface Driver;c:\windows\system32\drivers\ssadadb.sys [2012-1-3 30312]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-11-2 136176]
S3 ssadbus;SAMSUNG Android USB Composite Device driver (WDM);c:\windows\system32\drivers\ssadbus.sys [2012-1-3 96488]
S3 ssadmdfl;SAMSUNG Android USB Modem (Filter);c:\windows\system32\drivers\ssadmdfl.sys [2012-1-3 12776]
S3 ssadmdm;SAMSUNG Android USB Modem Drivers;c:\windows\system32\drivers\ssadmdm.sys [2012-1-3 121576]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2012-08-23 14:09:15 -------- d-sh--w- C:\found.000
2012-08-17 21:24:19 -------- d-----w- c:\documents and settings\joe\local settings\application data\Deployment
2012-08-08 00:21:54 -------- d-----w- c:\documents and settings\joe\local settings\application data\Sun
2012-08-08 00:20:45 -------- d-----w- c:\program files\Oracle
2012-08-08 00:20:28 772544 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-08-08 00:12:01 -------- d-----w- c:\program files\Citrix
2012-08-08 00:11:42 60304 ----a-w- c:\documents and settings\joe\g2mdlhlpx.exe
2012-07-31 17:47:28 -------- d-----w- c:\documents and settings\joe\WER6262.dir00
2012-07-31 17:46:58 -------- d-----w- c:\documents and settings\joe\WERf5bd.dir00
2012-07-31 17:46:48 -------- d-----w- c:\documents and settings\joe\WER9374.dir00
2012-07-31 17:46:45 -------- d-----w- c:\documents and settings\joe\WERb4fd.dir00
2012-07-27 20:51:30 184248 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll
2012-07-27 13:24:05 -------- d-----w- c:\documents and settings\joe\.swt
.
==================== Find3M ====================
.
2012-07-06 02:07:08 143872 ----a-w- c:\windows\system32\javacpl.cpl
2012-06-13 13:19:59 1866112 ----a-w- c:\windows\system32\win32k.sys
2012-06-05 15:50:25 1372672 ----a-w- c:\windows\system32\msxml6.dll
2012-06-05 15:50:25 1172480 ----a-w- c:\windows\system32\msxml3.dll
2012-06-04 04:32:08 152576 ----a-w- c:\windows\system32\schannel.dll
2012-06-02 19:19:44 22040 ----a-w- c:\windows\system32\wucltui.dll.mui
2012-06-02 19:19:38 219160 ----a-w- c:\windows\system32\wuaucpl.cpl
2012-06-02 19:19:38 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2012-06-02 19:19:34 15384 ----a-w- c:\windows\system32\wuapi.dll.mui
2012-06-02 19:19:30 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui
2012-06-02 19:18:58 275696 ----a-w- c:\windows\system32\mucltui.dll
2012-06-02 19:18:58 214256 ----a-w- c:\windows\system32\muweb.dll
2012-06-02 19:18:58 17136 ----a-w- c:\windows\system32\mucltui.dll.mui
2012-05-31 13:22:09 599040 ----a-w- c:\windows\system32\crypt32.dll
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD3200AAKS-75B3A0 rev.01.03A01 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A1D72E2
user & kernel MBR OK
.
============= FINISH: 16:00:14.87 ===============

ANSWMBR REPORT

aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-08-25 16:03:09
-----------------------------
16:03:09.781 OS Version: Windows 5.1.2600 Service Pack 3
16:03:09.781 Number of processors: 2 586 0x1706
16:03:09.781 ComputerName: TRADE2WIN UserName: Joe
16:03:13.640 Initialize success
16:11:53.484 AVAST engine defs: 12082501
16:12:33.687 The log file has been saved successfully to "C:\Documents and Settings\Joe\Desktop\help\aswMBR.txt"

aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-08-25 16:03:09
-----------------------------
16:03:09.781 OS Version: Windows 5.1.2600 Service Pack 3
16:03:09.781 Number of processors: 2 586 0x1706
16:03:09.781 ComputerName: TRADE2WIN UserName: Joe
16:03:13.640 Initialize success
16:11:53.484 AVAST engine defs: 12082501
16:12:33.687 The log file has been saved successfully to "C:\Documents and Settings\Joe\Desktop\help\aswMBR.txt"
16:13:10.656 The log file has been saved successfully to "C:\Documents and Settings\Joe\Desktop\aswMBR.txt"
16:14:29.812 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
16:14:29.828 Disk 0 Vendor: WDC_WD3200AAKS-75B3A0 01.03A01 Size: 305245MB BusType: 3
16:14:29.828 Device \Driver\atapi -> DriverStartIo 8a1d72e2
16:14:29.828 Disk 0 MBR read successfully
16:14:29.828 Disk 0 MBR scan
16:14:29.875 Disk 0 Windows XP default MBR code
16:14:29.890 Disk 0 MBR hidden
16:14:29.890 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 54 MB offset 63
16:14:29.906 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 10240 MB offset 112640
16:14:29.921 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 294949 MB offset 21084160
16:14:29.921 Disk 0 scanning sectors +625139712
16:14:30.015 Disk 0 scanning C:\WINDOWS\system32\drivers
16:14:38.703 Service scanning
16:14:49.125 Modules scanning
16:14:52.828 Disk 0 trace - called modules:
16:14:52.843 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8a1d74b1]<<
16:14:52.843 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a4edab8]
16:14:52.843 3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> \Device\0000005b[0x8a4ee510]
16:14:52.843 5 ACPI.sys[b9f7f620] -> nt!IofCallDriver -> [0x8a4df940]
16:14:52.859 \Driver\atapi[0x8a45c5d8] -> IRP_MJ_CREATE -> 0x8a1d74b1
16:14:54.843 AVAST engine scan C:\WINDOWS
16:15:09.328 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Joe\Desktop\help\MBR.dat"
16:15:09.375 The log file has been saved successfully to "C:\Documents and Settings\Joe\Desktop\help\aswMBR.txt"

aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-08-25 16:17:39
-----------------------------
16:17:39.609 OS Version: Windows 5.1.2600 Service Pack 3
16:17:39.609 Number of processors: 2 586 0x1706
16:17:39.609 ComputerName: TRADE2WIN UserName: Joe
16:17:41.250 Initialze error C000010E - driver not loaded
16:17:41.281 write error "aswCmnB.dll". The process cannot access the file because it is being used by another process.
16:17:46.750 AVAST engine defs: 12082501
16:17:51.968 Service scanning
16:18:03.125 Modules scanning
16:18:03.156 Disk 0 trace - called modules:
16:18:03.156
16:18:04.984 AVAST engine scan C:\WINDOWS
16:18:20.437 AVAST engine scan C:\WINDOWS\system32
16:20:20.312 AVAST engine scan C:\WINDOWS\system32\drivers
16:20:32.125 AVAST engine scan C:\Documents and Settings\Joe
16:21:00.828 The log file has been saved successfully to "C:\Documents and Settings\Joe\Desktop\help\aswMBR.txt"

Blade81 · Sep 3, 2012

Hi,

If help still needed post fresh dds logs, please.

kidkrops · Sep 3, 2012

New dds

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 10.5.1
Run by Joe at 15:24:48 on 2012-09-03
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3070.2329 [GMT -4:00]
.
AV: AVG Anti-Virus 2012 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\Logi_MwX.Exe
C:\Program Files\Real\RealPlayer\update\realsched.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Joe\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Documents and Settings\Joe\Desktop\help\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Documents and Settings\Joe\Local Settings\Application Data\Google\Update\1.3.21.115\GoogleCrashHandler.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\documents and settings\joe\desktop\help\spybot - search & destroy\SDHelper.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\oracle\javafx 2.1 runtime\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.7529.1424\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\oracle\javafx 2.1 runtime\bin\jp2ssv.dll
BHO: Yontoo Layers: {fd72061e-9fde-484d-a58a-0bab4151cad8} - c:\program files\yontoo layers runtime\YontooIEClient.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\joe\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [SpybotSD TeaTimer] c:\documents and settings\joe\desktop\help\spybot - search & destroy\TeaTimer.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [Intuit SyncManager] c:\program files\common files\intuit\sync\IntuitSyncManager.exe startup
mRun: [Logitech Utility] Logi_MwX.Exe
mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\documents and settings\joe\desktop\help\spybot - search & destroy\SDHelper.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://windowsupdate.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1320210431218
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1320215336734
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
TCP: DhcpNameServer = 167.206.251.129 167.206.251.130
TCP: Interfaces\{13DC235B-8EBF-4AFA-B4FD-6A3FF757B880} : DhcpNameServer = 167.206.251.129 167.206.251.130
Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\intuit\quickbooks 2009\HelpAsyncPluggableProtocol.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
============= SERVICES / DRIVERS ===============
.
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-11-2 136176]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-11-2 136176]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2012-09-03 17:35:11 -------- d-----w- c:\windows\SxsCaPendDel
2012-08-25 19:56:27 -------- d-----w- c:\documents and settings\all users\application data\Spybot - Search & Destroy
2012-08-23 14:09:15 -------- d-sh--w- C:\found.000
2012-08-17 21:24:19 -------- d-----w- c:\documents and settings\joe\local settings\application data\Deployment
2012-08-08 00:21:54 -------- d-----w- c:\documents and settings\joe\local settings\application data\Sun
2012-08-08 00:20:45 -------- d-----w- c:\program files\Oracle
2012-08-08 00:20:28 772544 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-08-08 00:12:01 -------- d-----w- c:\program files\Citrix
2012-08-08 00:11:42 60304 ----a-w- c:\documents and settings\joe\g2mdlhlpx.exe
.
==================== Find3M ====================
.
2012-07-06 02:07:08 143872 ----a-w- c:\windows\system32\javacpl.cpl
2012-06-13 13:19:59 1866112 ----a-w- c:\windows\system32\win32k.sys
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD3200AAKS-75B3A0 rev.01.03A01 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x89F5B4B1]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x89f6293c]; MOV EAX, [0x89f62ab0]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EF1B0] -> \Device\Harddisk0\DR0[0x8A4D4AB8]
3 CLASSPNP[0xBA0E8FD7] -> ntkrnlpa!IofCallDriver[0x804EF1B0] -> \Device\0000005b[0x8A487510]
5 ACPI[0xB9F7F620] -> ntkrnlpa!IofCallDriver[0x804EF1B0] -> [0x8A4D7940]
\Driver\atapi[0x8A44C268] -> IRP_MJ_CREATE -> 0x89F5B4B1
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x89F5B2E2
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 15:26:13.09 ===============

Blade81 · Sep 4, 2012

Hi

Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully first.

Please continue as follows:

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link
Remember to re-enable them afterwards.
Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New dds log.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

kidkrops · Sep 5, 2012

here are the 2 new logs..

so i did what you said, and somehow now my Internet Explorer is acting up and i can't get it to open.. I def. dl more malware while trying to DL combofix.

Anyways, here are the 2 logs you requested::

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 10.5.1
Run by Joe at 19:25:22 on 2012-09-04
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3070.2101 [GMT -4:00]
.
AV: AVG Anti-Virus 2012 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\Logi_MwX.Exe
C:\Program Files\Real\RealPlayer\update\realsched.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
svchost.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Joe\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Joe\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Joe\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Joe\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Joe\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Joe\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Joe\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Joe\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Joe\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Joe\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://start.funmoods.com/?f=1&a=test312&chnl=test312&cd=2XzuyEtN2Y1L1QzutDtDtBtCzy0BtD0CyDyE0B0DyC0B0A0BtN0D0Tzu0CtByEzztN1L2XzutBtFtCtFtCtFtAtCtB&cr=351168579
mStart Page = hxxp://start.funmoods.com/?f=1&a=test312&chnl=test312&cd=2XzuyEtN2Y1L1QzutDtDtBtCzy0BtD0CyDyE0B0DyC0B0A0BtN0D0Tzu0CtByEzztN1L2XzutBtFtCtFtCtFtAtCtB&cr=351168579
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\documents and settings\joe\desktop\help\spybot - search & destroy\SDHelper.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\oracle\javafx 2.1 runtime\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.7529.1424\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\oracle\javafx 2.1 runtime\bin\jp2ssv.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [SpybotSD TeaTimer] c:\documents and settings\joe\desktop\help\spybot - search & destroy\TeaTimer.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [Intuit SyncManager] c:\program files\common files\intuit\sync\IntuitSyncManager.exe startup
mRun: [Logitech Utility] Logi_MwX.Exe
mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\documents and settings\joe\desktop\help\spybot - search & destroy\SDHelper.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://windowsupdate.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1320210431218
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1320215336734
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
TCP: DhcpNameServer = 167.206.251.129 167.206.251.130
TCP: Interfaces\{13DC235B-8EBF-4AFA-B4FD-6A3FF757B880} : DhcpNameServer = 167.206.251.129 167.206.251.130
Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\intuit\quickbooks 2009\HelpAsyncPluggableProtocol.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
============= SERVICES / DRIVERS ===============
.
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-11-2 136176]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-11-2 136176]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2012-09-04 22:50:05 -------- d-----w- C:\ComboFix
2012-09-04 22:48:10 -------- d-sha-r- C:\cmdcons
2012-09-04 22:34:36 98816 ----a-w- c:\windows\sed.exe
2012-09-04 22:34:36 518144 ----a-w- c:\windows\SWREG.exe
2012-09-04 22:34:36 256000 ----a-w- c:\windows\PEV.exe
2012-09-04 22:34:36 208896 ----a-w- c:\windows\MBR.exe
2012-09-03 17:35:11 -------- d-----w- c:\windows\SxsCaPendDel
2012-08-25 19:56:27 -------- d-----w- c:\documents and settings\all users\application data\Spybot - Search & Destroy
2012-08-17 21:24:19 -------- d-----w- c:\documents and settings\joe\local settings\application data\Deployment
2012-08-08 00:21:54 -------- d-----w- c:\documents and settings\joe\local settings\application data\Sun
2012-08-08 00:20:45 -------- d-----w- c:\program files\Oracle
2012-08-08 00:20:28 772544 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-08-08 00:12:01 -------- d-----w- c:\program files\Citrix
.
==================== Find3M ====================
.
2012-07-06 02:07:08 143872 ----a-w- c:\windows\system32\javacpl.cpl
2012-06-13 13:19:59 1866112 ----a-w- c:\windows\system32\win32k.sys
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD3200AAKS-75B3A0 rev.01.03A01 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A12E4B1]<<
c:\docume~1\joe\locals~1\temp\catchme.sys
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8a13593c]; MOV EAX, [0x8a135ab0]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EF1B0] -> \Device\Harddisk0\DR0[0x8A4FBAB8]
3 CLASSPNP[0xBA0E8FD7] -> ntkrnlpa!IofCallDriver[0x804EF1B0] -> \Device\0000005c[0x8A4D4510]
5 ACPI[0xB9F7F620] -> ntkrnlpa!IofCallDriver[0x804EF1B0] -> [0x8A4FE940]
\Driver\atapi[0x8A3F1D58] -> IRP_MJ_CREATE -> 0x8A12E4B1
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A12E2E2
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 19:26:09.82 ===============

Blade81 · Sep 5, 2012

Hi,

I don't see ComboFix log there.

kidkrops · Sep 5, 2012

Combo fix

Ops, i must have replaced it with the DDS LOG.

here is the COMBO FIX LOG:

ComboFix 12-09-04.02 - Joe 09/04/2012 18:51:19.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3070.2527 [GMT -4:00]
Running from: c:\documents and settings\Joe\Desktop\help\ComboFix.exe
AV: AVG Anti-Virus 2012 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Joe\g2mdlhlpx.exe
C:\test.txt
c:\windows\system32\DIFxAPI.dll
c:\windows\system32\DIFxAPI.dll\DIFxAPI.dll
c:\windows\system32\dllcache\dlimport.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-08-04 to 2012-09-04 )))))))))))))))))))))))))))))))
.
.
2012-09-03 17:35 . 2012-09-03 17:37 -------- d-----w- c:\windows\SxsCaPendDel
2012-08-25 19:56 . 2012-09-03 17:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2012-08-23 14:09 . 2012-08-23 14:09 -------- d-----w- C:\found.000
2012-08-17 21:24 . 2012-08-20 06:05 -------- d-----w- c:\documents and settings\Joe\Local Settings\Application Data\Deployment
2012-08-08 00:21 . 2012-08-08 00:21 -------- d-----w- c:\program files\Common Files\Java
2012-08-08 00:21 . 2012-08-08 00:21 -------- d-----w- c:\documents and settings\Joe\Local Settings\Application Data\Sun
2012-08-08 00:20 . 2012-08-08 00:20 -------- d-----w- c:\program files\Oracle
2012-08-08 00:20 . 2012-08-08 00:20 -------- d-----w- c:\documents and settings\Joe\Application Data\Oracle
2012-08-08 00:20 . 2012-07-06 02:06 772544 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-08-08 00:18 . 2012-08-08 00:18 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2012-08-08 00:12 . 2012-08-08 00:12 -------- d-----w- c:\program files\Citrix
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-06 02:07 . 2012-03-16 04:23 143872 ----a-w- c:\windows\system32\javacpl.cpl
2012-06-13 13:19 . 2004-08-04 12:00 1866112 ----a-w- c:\windows\system32\win32k.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-11-02 39408]
"SpybotSD TeaTimer"="c:\documents and settings\Joe\Desktop\help\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"RTHDCPL"="RTHDCPL.EXE" [2007-04-26 16132608]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-09-08 98304]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-12 49152]
"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2011-06-15 1532760]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-11 20992]
"TkBellExe"="c:\program files\Real\RealPlayer\update\realsched.exe" [2011-12-23 296056]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-11 282624]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2011-6-22 984936]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2009\\QBDBMgrN.exe"=
"c:\\Program Files\\Java\\jre7\\bin\\javaw.exe"=
.
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [11/2/2011 1:19 AM 136176]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [11/2/2011 1:19 AM 136176]
.
Contents of the 'Scheduled Tasks' folder
.
2012-09-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-11-02 05:19]
.
2012-09-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-11-02 05:19]
.
2012-09-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-823518204-789336058-725345543-1004Core.job
- c:\documents and settings\Joe\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-11-02 05:24]
.
2012-09-04 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-823518204-789336058-725345543-1004UA.job
- c:\documents and settings\Joe\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-11-02 05:24]
.
2012-09-04 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-823518204-789336058-725345543-1004.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-11-29 21:02]
.
2012-08-22 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-823518204-789336058-725345543-1004.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-11-29 21:02]
.
2012-09-04 c:\windows\Tasks\User_Feed_Synchronization-{D288B110-DBAE-473C-9AF0-7ACA0638B08D}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://start.funmoods.com/?f=1&a=test312&chnl=test312&cd=2XzuyEtN2Y1L1QzutDtDtBtCzy0BtD0CyDyE0B0DyC0B0A0BtN0D0Tzu0CtByEzztN1L2XzutBtFtCtFtCtFtAtCtB&cr=351168579
mStart Page = hxxp://start.funmoods.com/?f=1&a=test312&chnl=test312&cd=2XzuyEtN2Y1L1QzutDtDtBtCzy0BtD0CyDyE0B0DyC0B0A0BtN0D0Tzu0CtByEzztN1L2XzutBtFtCtFtCtFtAtCtB&cr=351168579
TCP: DhcpNameServer = 167.206.251.129 167.206.251.130
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-09-04 19:04
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD3200AAKS-75B3A0 rev.01.03A01 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A12E2E2
user & kernel MBR OK
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(716)
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\atiadlxx.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
.
- - - - - - - > 'lsass.exe'(776)
c:\windows\system32\WININET.dll
.
Completion time: 2012-09-04 19:09:02
ComboFix-quarantined-files.txt 2012-09-04 23:08
.
Pre-Run: 289,574,338,560 bytes free
Post-Run: 292,419,063,808 bytes free
.
- - End Of File - - 58073F8BBB79CB2172A94C164A60FEA4

Blade81 · Sep 5, 2012

Hi,

1. Download TDSSKiller and extract its contents into a folder in desired location (i.e. c:\tdsskiller).
2. Execute the file TDSSKiller.exe.
3. Click Start Scan. If threats are found, select skip and click Continue (tool may prompt for a reboot).
4. Post back contents of log file in c: drive root (name should be in UtilityName.Version_Date_Time_log.txt format)

kidkrops · Sep 5, 2012

TDSSKiller Log

14:21:44.0109 0888 TDSS rootkit removing tool 2.8.8.0 Aug 24 2012 13:27:48
14:21:44.0328 0888 ============================================================
14:21:44.0328 0888 Current date / time: 2012/09/05 14:21:44.0328
14:21:44.0328 0888 SystemInfo:
14:21:44.0328 0888
14:21:44.0328 0888 OS Version: 5.1.2600 ServicePack: 3.0
14:21:44.0328 0888 Product type: Workstation
14:21:44.0328 0888 ComputerName: TRADE2WIN
14:21:44.0328 0888 UserName: Joe
14:21:44.0328 0888 Windows directory: C:\WINDOWS
14:21:44.0328 0888 System windows directory: C:\WINDOWS
14:21:44.0328 0888 Processor architecture: Intel x86
14:21:44.0328 0888 Number of processors: 2
14:21:44.0328 0888 Page size: 0x1000
14:21:44.0328 0888 Boot type: Normal boot
14:21:44.0328 0888 ============================================================
14:21:45.0359 0888 Drive \Device\Harddisk0\DR0 - Size: 0x4A85D56000 (298.09 Gb), SectorSize: 0x200, Cylinders: 0x9801, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
14:21:45.0359 0888 ============================================================
14:21:45.0359 0888 \Device\Harddisk0\DR0:
14:21:45.0359 0888 MBR partitions:
14:21:45.0359 0888 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x1B800, BlocksNum 0x1400000
14:21:45.0359 0888 \Device\Harddisk0\DR0\Partition2: MBR, Type 0x7, StartLBA 0x141B800, BlocksNum 0x24012800
14:21:45.0359 0888 ============================================================
14:21:45.0406 0888 C: <-> \Device\Harddisk0\DR0\Partition2
14:21:45.0437 0888 D: <-> \Device\Harddisk0\DR0\Partition1
14:21:45.0437 0888 ============================================================
14:21:45.0437 0888 Initialize success
14:21:45.0437 0888 ============================================================
14:21:46.0531 3972 ============================================================
14:21:46.0531 3972 Scan started
14:21:46.0531 3972 Mode: Manual;
14:21:46.0531 3972 ============================================================
14:21:47.0421 3972 ================ Scan system memory ========================
14:21:47.0421 3972 System memory - ok
14:21:47.0421 3972 ================ Scan services =============================
14:21:47.0515 3972 Abiosdsk - ok
14:21:47.0531 3972 abp480n5 - ok
14:21:47.0562 3972 [ 8FD99680A539792A30E97944FDAECF17 ] ACPI C:\WINDOWS\system32\DRIVERS\ACPI.sys
14:21:47.0562 3972 ACPI - ok
14:21:47.0593 3972 [ 9859C0F6936E723E4892D7141B1327D5 ] ACPIEC C:\WINDOWS\system32\drivers\ACPIEC.sys
14:21:47.0593 3972 ACPIEC - ok
14:21:47.0593 3972 adpu160m - ok
14:21:47.0609 3972 [ 8BED39E3C35D6A489438B8141717A557 ] aec C:\WINDOWS\system32\drivers\aec.sys
14:21:47.0609 3972 aec - ok
14:21:47.0640 3972 [ 1E44BC1E83D8FD2305F8D452DB109CF9 ] AFD C:\WINDOWS\System32\drivers\afd.sys
14:21:47.0640 3972 AFD - ok
14:21:47.0656 3972 Aha154x - ok
14:21:47.0656 3972 aic78u2 - ok
14:21:47.0656 3972 aic78xx - ok
14:21:47.0703 3972 [ A9A3DAA780CA6C9671A19D52456705B4 ] Alerter C:\WINDOWS\system32\alrsvc.dll
14:21:47.0703 3972 Alerter - ok
14:21:47.0734 3972 [ 8C515081584A38AA007909CD02020B3D ] ALG C:\WINDOWS\System32\alg.exe
14:21:47.0734 3972 ALG - ok
14:21:47.0734 3972 AliIde - ok
14:21:47.0734 3972 amsint - ok
14:21:47.0734 3972 AppMgmt - ok
14:21:47.0750 3972 asc - ok
14:21:47.0750 3972 asc3350p - ok
14:21:47.0750 3972 asc3550 - ok
14:21:47.0796 3972 [ 0E5E4957549056E2BF2C49F4F6B601AD ] aspnet_state C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
14:21:47.0796 3972 aspnet_state - ok
14:21:47.0843 3972 [ B153AFFAC761E7F5FCFA822B9C4E97BC ] AsyncMac C:\WINDOWS\system32\DRIVERS\asyncmac.sys
14:21:47.0843 3972 AsyncMac - ok
14:21:47.0843 3972 [ 9F3A2F5AA6875C72BF062C712CFA2674 ] atapi C:\WINDOWS\system32\DRIVERS\atapi.sys
14:21:47.0843 3972 atapi - ok
14:21:47.0859 3972 Atdisk - ok
14:21:47.0890 3972 [ 192A651DF943EE391DFD2E4A123F07F6 ] Ati HotKey Poller C:\WINDOWS\system32\Ati2evxx.exe
14:21:47.0890 3972 Ati HotKey Poller - ok
14:21:48.0031 3972 [ 0A8B257DB810BE78AC9FD1860B4BA22B ] ati2mtag C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
14:21:48.0062 3972 ati2mtag - ok
14:21:48.0109 3972 [ 9916C1225104BA14794209CFA8012159 ] Atmarpc C:\WINDOWS\system32\DRIVERS\atmarpc.sys
14:21:48.0109 3972 Atmarpc - ok
14:21:48.0140 3972 [ DEF7A7882BEC100FE0B2CE2549188F9D ] AudioSrv C:\WINDOWS\System32\audiosrv.dll
14:21:48.0140 3972 AudioSrv - ok
14:21:48.0171 3972 [ D9F724AA26C010A217C97606B160ED68 ] audstub C:\WINDOWS\system32\DRIVERS\audstub.sys
14:21:48.0171 3972 audstub - ok
14:21:48.0187 3972 [ DA1F27D85E0D1525F6621372E7B685E9 ] Beep C:\WINDOWS\system32\drivers\Beep.sys
14:21:48.0187 3972 Beep - ok
14:21:48.0234 3972 [ 574738F61FCA2935F5265DC4E5691314 ] BITS C:\WINDOWS\system32\qmgr.dll
14:21:48.0234 3972 BITS - ok
14:21:48.0265 3972 [ A06CE3399D16DB864F55FAEB1F1927A9 ] Browser C:\WINDOWS\System32\browser.dll
14:21:48.0265 3972 Browser - ok
14:21:48.0359 3972 catchme - ok
14:21:48.0375 3972 [ 90A673FC8E12A79AFBED2576F6A7AAF9 ] cbidf2k C:\WINDOWS\system32\drivers\cbidf2k.sys
14:21:48.0375 3972 cbidf2k - ok
14:21:48.0375 3972 cd20xrnt - ok
14:21:48.0406 3972 [ C1B486A7658353D33A10CC15211A873B ] Cdaudio C:\WINDOWS\system32\drivers\Cdaudio.sys
14:21:48.0406 3972 Cdaudio - ok
14:21:48.0421 3972 [ C885B02847F5D2FD45A24E219ED93B32 ] Cdfs C:\WINDOWS\system32\drivers\Cdfs.sys
14:21:48.0421 3972 Cdfs - ok
14:21:48.0453 3972 [ 1F4260CC5B42272D71F79E570A27A4FE ] Cdrom C:\WINDOWS\system32\DRIVERS\cdrom.sys
14:21:48.0453 3972 Cdrom - ok
14:21:48.0453 3972 Changer - ok
14:21:48.0500 3972 [ 1CFE720EB8D93A7158A4EBC3AB178BDE ] CiSvc C:\WINDOWS\system32\cisvc.exe
14:21:48.0500 3972 CiSvc - ok
14:21:48.0500 3972 [ 34CBE729F38138217F9C80212A2A0C82 ] ClipSrv C:\WINDOWS\system32\clipsrv.exe
14:21:48.0515 3972 ClipSrv - ok
14:21:48.0546 3972 [ D87ACAED61E417BBA546CED5E7E36D9C ] clr_optimization_v2.0.50727_32 C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
14:21:48.0546 3972 clr_optimization_v2.0.50727_32 - ok
14:21:48.0562 3972 [ C5A75EB48E2344ABDC162BDA79E16841 ] clr_optimization_v4.0.30319_32 C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
14:21:48.0562 3972 clr_optimization_v4.0.30319_32 - ok
14:21:48.0562 3972 CmdIde - ok
14:21:48.0578 3972 COMSysApp - ok
14:21:48.0578 3972 Cpqarray - ok
14:21:48.0609 3972 [ 3D4E199942E29207970E04315D02AD3B ] CryptSvc C:\WINDOWS\System32\cryptsvc.dll
14:21:48.0609 3972 CryptSvc - ok
14:21:48.0609 3972 dac2w2k - ok
14:21:48.0609 3972 dac960nt - ok
14:21:48.0640 3972 [ 6B27A5C03DFB94B4245739065431322C ] DcomLaunch C:\WINDOWS\system32\rpcss.dll
14:21:48.0640 3972 DcomLaunch - ok
14:21:48.0671 3972 [ 5E38D7684A49CACFB752B046357E0589 ] Dhcp C:\WINDOWS\System32\dhcpcsvc.dll
14:21:48.0671 3972 Dhcp - ok
14:21:48.0671 3972 [ 044452051F3E02E7963599FC8F4F3E25 ] Disk C:\WINDOWS\system32\DRIVERS\disk.sys
14:21:48.0671 3972 Disk - ok
14:21:48.0671 3972 dmadmin - ok
14:21:48.0718 3972 [ D992FE1274BDE0F84AD826ACAE022A41 ] dmboot C:\WINDOWS\system32\drivers\dmboot.sys
14:21:48.0718 3972 dmboot - ok
14:21:48.0734 3972 [ 7C824CF7BBDE77D95C08005717A95F6F ] dmio C:\WINDOWS\system32\drivers\dmio.sys
14:21:48.0734 3972 dmio - ok
14:21:48.0750 3972 [ E9317282A63CA4D188C0DF5E09C6AC5F ] dmload C:\WINDOWS\system32\drivers\dmload.sys
14:21:48.0750 3972 dmload - ok
14:21:48.0796 3972 [ 57EDEC2E5F59F0335E92F35184BC8631 ] dmserver C:\WINDOWS\System32\dmserver.dll
14:21:48.0796 3972 dmserver - ok
14:21:48.0812 3972 [ 8A208DFCF89792A484E76C40E5F50B45 ] DMusic C:\WINDOWS\system32\drivers\DMusic.sys
14:21:48.0812 3972 DMusic - ok
14:21:48.0859 3972 [ 5F7E24FA9EAB896051FFB87F840730D2 ] Dnscache C:\WINDOWS\System32\dnsrslvr.dll
14:21:48.0859 3972 Dnscache - ok
14:21:48.0906 3972 [ 0F0F6E687E5E15579EF4DA8DD6945814 ] Dot3svc C:\WINDOWS\System32\dot3svc.dll
14:21:48.0906 3972 Dot3svc - ok
14:21:48.0906 3972 dpti2o - ok
14:21:48.0906 3972 [ 8F5FCFF8E8848AFAC920905FBD9D33C8 ] drmkaud C:\WINDOWS\system32\drivers\drmkaud.sys
14:21:48.0906 3972 drmkaud - ok
14:21:48.0953 3972 [ 34AAA3B298A852B3663E6E0D94D12945 ] e1express C:\WINDOWS\system32\DRIVERS\e1e5132.sys
14:21:48.0953 3972 e1express - ok
14:21:48.0984 3972 [ 2187855A7703ADEF0CEF9EE4285182CC ] EapHost C:\WINDOWS\System32\eapsvc.dll
14:21:48.0984 3972 EapHost - ok
14:21:49.0031 3972 [ BC93B4A066477954555966D77FEC9ECB ] ERSvc C:\WINDOWS\System32\ersvc.dll
14:21:49.0031 3972 ERSvc - ok
14:21:49.0062 3972 [ 65DF52F5B8B6E9BBD183505225C37315 ] Eventlog C:\WINDOWS\system32\services.exe
14:21:49.0062 3972 Eventlog - ok
14:21:49.0078 3972 [ D4991D98F2DB73C60D042F1AEF79EFAE ] EventSystem C:\WINDOWS\system32\es.dll
14:21:49.0093 3972 EventSystem - ok
14:21:49.0109 3972 [ 38D332A6D56AF32635675F132548343E ] Fastfat C:\WINDOWS\system32\drivers\Fastfat.sys
14:21:49.0109 3972 Fastfat - ok
14:21:49.0156 3972 [ 99BC0B50F511924348BE19C7C7313BBF ] FastUserSwitchingCompatibility C:\WINDOWS\System32\shsvcs.dll
14:21:49.0156 3972 FastUserSwitchingCompatibility - ok
14:21:49.0156 3972 [ 92CDD60B6730B9F50F6A1A0C1F8CDC81 ] Fdc C:\WINDOWS\system32\DRIVERS\fdc.sys
14:21:49.0156 3972 Fdc - ok
14:21:49.0156 3972 [ D45926117EB9FA946A6AF572FBE1CAA3 ] Fips C:\WINDOWS\system32\drivers\Fips.sys
14:21:49.0171 3972 Fips - ok
14:21:49.0171 3972 [ 9D27E7B80BFCDF1CDD9B555862D5E7F0 ] Flpydisk C:\WINDOWS\system32\drivers\Flpydisk.sys
14:21:49.0171 3972 Flpydisk - ok
14:21:49.0187 3972 [ B2CF4B0786F8212CB92ED2B50C6DB6B0 ] FltMgr C:\WINDOWS\system32\drivers\fltmgr.sys
14:21:49.0187 3972 FltMgr - ok
14:21:49.0250 3972 [ 8BA7C024070F2B7FDD98ED8A4BA41789 ] FontCache3.0.0.0 c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
14:21:49.0250 3972 FontCache3.0.0.0 - ok
14:21:49.0250 3972 [ 3E1E2BD4F39B0E2B7DC4F4D2BCC2779A ] Fs_Rec C:\WINDOWS\system32\drivers\Fs_Rec.sys
14:21:49.0250 3972 Fs_Rec - ok
14:21:49.0250 3972 [ 6AC26732762483366C3969C9E4D2259D ] Ftdisk C:\WINDOWS\system32\DRIVERS\ftdisk.sys
14:21:49.0250 3972 Ftdisk - ok
14:21:49.0296 3972 [ 0A02C63C8B144BD8C86B103DEE7C86A2 ] Gpc C:\WINDOWS\system32\DRIVERS\msgpc.sys
14:21:49.0296 3972 Gpc - ok
14:21:49.0406 3972 [ F02A533F517EB38333CB12A9E8963773 ] gupdate C:\Program Files\Google\Update\GoogleUpdate.exe
14:21:49.0406 3972 gupdate - ok
14:21:49.0406 3972 [ F02A533F517EB38333CB12A9E8963773 ] gupdatem C:\Program Files\Google\Update\GoogleUpdate.exe
14:21:49.0406 3972 gupdatem - ok
14:21:49.0453 3972 [ 5D4BC124FAAE6730AC002CDB67BF1A1C ] gusvc C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
14:21:49.0453 3972 gusvc - ok
14:21:49.0500 3972 [ 573C7D0A32852B48F3058CFD8026F511 ] HDAudBus C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
14:21:49.0500 3972 HDAudBus - ok
14:21:49.0546 3972 [ 4FCCA060DFE0C51A09DD5C3843888BCD ] helpsvc C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll
14:21:49.0546 3972 helpsvc - ok
14:21:49.0562 3972 [ DEB04DA35CC871B6D309B77E1443C796 ] HidServ C:\WINDOWS\System32\hidserv.dll
14:21:49.0562 3972 HidServ - ok
14:21:49.0562 3972 [ CCF82C5EC8A7326C3066DE870C06DAF1 ] hidusb C:\WINDOWS\system32\DRIVERS\hidusb.sys
14:21:49.0562 3972 hidusb - ok
14:21:49.0593 3972 [ 8878BD685E490239777BFE51320B88E9 ] hkmsvc C:\WINDOWS\System32\kmsvc.dll
14:21:49.0593 3972 hkmsvc - ok
14:21:49.0609 3972 hpn - ok
14:21:49.0640 3972 [ 9F1D80908658EB7F1BF70809E0B51470 ] HPZid412 C:\WINDOWS\system32\DRIVERS\HPZid412.sys
14:21:49.0640 3972 HPZid412 - ok
14:21:49.0640 3972 [ F7E3E9D50F9CD3DE28085A8FDAA0A1C3 ] HPZipr12 C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
14:21:49.0640 3972 HPZipr12 - ok
14:21:49.0671 3972 [ CF1B7951B4EC8D13F3C93B74BB2B461B ] HPZius12 C:\WINDOWS\system32\DRIVERS\HPZius12.sys
14:21:49.0687 3972 HPZius12 - ok
14:21:49.0718 3972 [ F80A415EF82CD06FFAF0D971528EAD38 ] HTTP C:\WINDOWS\system32\Drivers\HTTP.sys
14:21:49.0718 3972 HTTP - ok
14:21:49.0750 3972 [ 6100A808600F44D999CEBDEF8841C7A3 ] HTTPFilter C:\WINDOWS\System32\w3ssl.dll
14:21:49.0750 3972 HTTPFilter - ok
14:21:49.0750 3972 i2omgmt - ok
14:21:49.0750 3972 i2omp - ok
14:21:49.0750 3972 [ 4A0B06AA8943C1E332520F7440C0AA30 ] i8042prt C:\WINDOWS\system32\drivers\i8042prt.sys
14:21:49.0765 3972 i8042prt - ok
14:21:49.0828 3972 [ C01AC32DC5C03076CFB852CB5DA5229C ] idsvc c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
14:21:49.0828 3972 idsvc - ok
14:21:49.0859 3972 [ 083A052659F5310DD8B6A6CB05EDCF8E ] Imapi C:\WINDOWS\system32\DRIVERS\imapi.sys
14:21:49.0859 3972 Imapi - ok
14:21:49.0906 3972 [ 30DEAF54A9755BB8546168CFE8A6B5E1 ] ImapiService C:\WINDOWS\system32\imapi.exe
14:21:49.0906 3972 ImapiService - ok
14:21:49.0906 3972 ini910u - ok
14:21:50.0015 3972 [ 17BBBABB21F86B650B2626045A9D016C ] IntcAzAudAddService C:\WINDOWS\system32\drivers\RtkHDAud.sys
14:21:50.0031 3972 IntcAzAudAddService - ok
14:21:50.0031 3972 IntelIde - ok
14:21:50.0078 3972 [ 8C953733D8F36EB2133F5BB58808B66B ] intelppm C:\WINDOWS\system32\DRIVERS\intelppm.sys
14:21:50.0078 3972 intelppm - ok
14:21:50.0109 3972 [ 3BB22519A194418D5FEC05D800A19AD0 ] Ip6Fw C:\WINDOWS\system32\drivers\ip6fw.sys
14:21:50.0109 3972 Ip6Fw - ok
14:21:50.0140 3972 [ 731F22BA402EE4B62748ADAF6363C182 ] IpFilterDriver C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
14:21:50.0140 3972 IpFilterDriver - ok
14:21:50.0156 3972 [ B87AB476DCF76E72010632B5550955F5 ] IpInIp C:\WINDOWS\system32\DRIVERS\ipinip.sys
14:21:50.0156 3972 IpInIp - ok
14:21:50.0187 3972 [ CC748EA12C6EFFDE940EE98098BF96BB ] IpNat C:\WINDOWS\system32\DRIVERS\ipnat.sys
14:21:50.0187 3972 IpNat - ok
14:21:50.0187 3972 [ 23C74D75E36E7158768DD63D92789A91 ] IPSec C:\WINDOWS\system32\DRIVERS\ipsec.sys
14:21:50.0187 3972 IPSec - ok
14:21:50.0218 3972 [ C93C9FF7B04D772627A3646D89F7BF89 ] IRENUM C:\WINDOWS\system32\DRIVERS\irenum.sys
14:21:50.0218 3972 IRENUM - ok
14:21:50.0296 3972 [ 05A299EC56E52649B1CF2FC52D20F2D7 ] isapnp C:\WINDOWS\system32\DRIVERS\isapnp.sys
14:21:50.0296 3972 isapnp - ok
14:21:50.0468 3972 [ 4F2143570D2250CA4C4A4C98553C82CD ] JavaQuickStarterService C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe
14:21:50.0468 3972 JavaQuickStarterService - ok
14:21:50.0500 3972 [ 463C1EC80CD17420A542B7F36A36F128 ] Kbdclass C:\WINDOWS\system32\DRIVERS\kbdclass.sys
14:21:50.0500 3972 Kbdclass - ok
14:21:50.0531 3972 [ 9EF487A186DEA361AA06913A75B3FA99 ] kbdhid C:\WINDOWS\system32\DRIVERS\kbdhid.sys
14:21:50.0531 3972 kbdhid - ok
14:21:50.0546 3972 [ 692BCF44383D056AED41B045A323D378 ] kmixer C:\WINDOWS\system32\drivers\kmixer.sys
14:21:50.0546 3972 kmixer - ok
14:21:50.0562 3972 [ B467646C54CC746128904E1654C750C1 ] KSecDD C:\WINDOWS\system32\drivers\KSecDD.sys
14:21:50.0562 3972 KSecDD - ok
14:21:50.0593 3972 [ 3A7C3CBE5D96B8AE96CE81F0B22FB527 ] lanmanserver C:\WINDOWS\System32\srvsvc.dll
14:21:50.0593 3972 lanmanserver - ok
14:21:50.0593 3972 [ A8888A5327621856C0CEC4E385F69309 ] lanmanworkstation C:\WINDOWS\System32\wkssvc.dll
14:21:50.0593 3972 lanmanworkstation - ok
14:21:50.0609 3972 lbrtfdc - ok
14:21:50.0640 3972 [ 691D50CF54BE2013659925D3FF953DC2 ] LCcfltr C:\WINDOWS\system32\Drivers\LCcFltr.Sys
14:21:50.0640 3972 LCcfltr - ok
14:21:50.0656 3972 [ 03976C309EDE05D39017C05B817CD94F ] LHidFlt2 C:\WINDOWS\system32\DRIVERS\LHidFlt2.Sys
14:21:50.0656 3972 LHidFlt2 - ok
14:21:50.0656 3972 [ 25688115843C4028686A96D88BC28007 ] LHidUsb C:\WINDOWS\system32\Drivers\LHidUsb.Sys
14:21:50.0656 3972 LHidUsb - ok
14:21:50.0687 3972 [ A7DB739AE99A796D91580147E919CC59 ] LmHosts C:\WINDOWS\System32\lmhsvc.dll
14:21:50.0687 3972 LmHosts - ok
14:21:50.0703 3972 [ 26407519FCA64EC4091FE1F815B4AFC4 ] LMouFlt2 C:\WINDOWS\system32\DRIVERS\LMouFlt2.Sys
14:21:50.0703 3972 LMouFlt2 - ok
14:21:50.0734 3972 [ 986B1FF5814366D71E0AC5755C88F2D3 ] Messenger C:\WINDOWS\System32\msgsvc.dll
14:21:50.0734 3972 Messenger - ok
14:21:50.0765 3972 [ 4AE068242760A1FB6E1A44BF4E16AFA6 ] mnmdd C:\WINDOWS\system32\drivers\mnmdd.sys
14:21:50.0765 3972 mnmdd - ok
14:21:50.0796 3972 [ D18F1F0C101D06A1C1ADF26EED16FCDD ] mnmsrvc C:\WINDOWS\system32\mnmsrvc.exe
14:21:50.0796 3972 mnmsrvc - ok
14:21:50.0812 3972 [ DFCBAD3CEC1C5F964962AE10E0BCC8E1 ] Modem C:\WINDOWS\system32\drivers\Modem.sys
14:21:50.0812 3972 Modem - ok
14:21:50.0812 3972 [ 35C9E97194C8CFB8430125F8DBC34D04 ] Mouclass C:\WINDOWS\system32\DRIVERS\mouclass.sys
14:21:50.0812 3972 Mouclass - ok
14:21:50.0828 3972 [ B1C303E17FB9D46E87A98E4BA6769685 ] mouhid C:\WINDOWS\system32\DRIVERS\mouhid.sys
14:21:50.0828 3972 mouhid - ok
14:21:50.0828 3972 [ A80B9A0BAD1B73637DBCBBA7DF72D3FD ] MountMgr C:\WINDOWS\system32\drivers\MountMgr.sys
14:21:50.0828 3972 MountMgr - ok
14:21:50.0828 3972 mraid35x - ok
14:21:50.0875 3972 [ 11D42BB6206F33FBB3BA0288D3EF81BD ] MRxDAV C:\WINDOWS\system32\DRIVERS\mrxdav.sys
14:21:50.0875 3972 MRxDAV - ok
14:21:50.0921 3972 [ 7D304A5EB4344EBEEAB53A2FE3FFB9F0 ] MRxSmb C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
14:21:50.0937 3972 MRxSmb - ok
14:21:50.0953 3972 [ A137F1470499A205ABBB9AAFB3B6F2B1 ] MSDTC C:\WINDOWS\system32\msdtc.exe
14:21:50.0953 3972 MSDTC - ok
14:21:50.0953 3972 [ C941EA2454BA8350021D774DAF0F1027 ] Msfs C:\WINDOWS\system32\drivers\Msfs.sys
14:21:50.0968 3972 Msfs - ok
14:21:50.0968 3972 MSIServer - ok
14:21:50.0984 3972 [ D1575E71568F4D9E14CA56B7B0453BF1 ] MSKSSRV C:\WINDOWS\system32\drivers\MSKSSRV.sys
14:21:50.0984 3972 MSKSSRV - ok
14:21:51.0000 3972 [ 325BB26842FC7CCC1FCCE2C457317F3E ] MSPCLOCK C:\WINDOWS\system32\drivers\MSPCLOCK.sys
14:21:51.0000 3972 MSPCLOCK - ok
14:21:51.0000 3972 [ BAD59648BA099DA4A17680B39730CB3D ] MSPQM C:\WINDOWS\system32\drivers\MSPQM.sys
14:21:51.0000 3972 MSPQM - ok
14:21:51.0000 3972 [ AF5F4F3F14A8EA2C26DE30F7A1E17136 ] mssmbios C:\WINDOWS\system32\DRIVERS\mssmbios.sys
14:21:51.0000 3972 mssmbios - ok
14:21:51.0015 3972 [ DE6A75F5C270E756C5508D94B6CF68F5 ] Mup C:\WINDOWS\system32\drivers\Mup.sys
14:21:51.0015 3972 Mup - ok
14:21:51.0046 3972 [ 0102140028FAD045756796E1C685D695 ] napagent C:\WINDOWS\System32\qagentrt.dll
14:21:51.0046 3972 napagent - ok
14:21:51.0078 3972 [ 1DF7F42665C94B825322FAE71721130D ] NDIS C:\WINDOWS\system32\drivers\NDIS.sys
14:21:51.0078 3972 NDIS - ok
14:21:51.0093 3972 [ 0109C4F3850DFBAB279542515386AE22 ] NdisTapi C:\WINDOWS\system32\DRIVERS\ndistapi.sys
14:21:51.0093 3972 NdisTapi - ok
14:21:51.0109 3972 [ F927A4434C5028758A842943EF1A3849 ] Ndisuio C:\WINDOWS\system32\DRIVERS\ndisuio.sys
14:21:51.0109 3972 Ndisuio - ok
14:21:51.0109 3972 [ EDC1531A49C80614B2CFDA43CA8659AB ] NdisWan C:\WINDOWS\system32\DRIVERS\ndiswan.sys
14:21:51.0109 3972 NdisWan - ok
14:21:51.0125 3972 [ 9282BD12DFB069D3889EB3FCC1000A9B ] NDProxy C:\WINDOWS\system32\drivers\NDProxy.sys
14:21:51.0125 3972 NDProxy - ok
14:21:51.0125 3972 [ 5D81CF9A2F1A3A756B66CF684911CDF0 ] NetBIOS C:\WINDOWS\system32\DRIVERS\netbios.sys
14:21:51.0125 3972 NetBIOS - ok
14:21:51.0156 3972 [ 74B2B2F5BEA5E9A3DC021D685551BD3D ] NetBT C:\WINDOWS\system32\DRIVERS\netbt.sys
14:21:51.0156 3972 NetBT - ok
14:21:51.0171 3972 [ B857BA82860D7FF85AE29B095645563B ] NetDDE C:\WINDOWS\system32\netdde.exe
14:21:51.0171 3972 NetDDE - ok
14:21:51.0171 3972 [ B857BA82860D7FF85AE29B095645563B ] NetDDEdsdm C:\WINDOWS\system32\netdde.exe
14:21:51.0171 3972 NetDDEdsdm - ok
14:21:51.0218 3972 [ BF2466B3E18E970D8A976FB95FC1CA85 ] Netlogon C:\WINDOWS\system32\lsass.exe
14:21:51.0218 3972 Netlogon - ok
14:21:51.0250 3972 [ 13E67B55B3ABD7BF3FE7AAE5A0F9A9DE ] Netman C:\WINDOWS\System32\netman.dll
14:21:51.0250 3972 Netman - ok
14:21:51.0296 3972 [ D34612C5D02D026535B3095D620626AE ] NetTcpPortSharing c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
14:21:51.0296 3972 NetTcpPortSharing - ok
14:21:51.0312 3972 [ 943337D786A56729263071623BBB9DE5 ] Nla C:\WINDOWS\System32\mswsock.dll
14:21:51.0312 3972 Nla - ok
14:21:51.0312 3972 [ 3182D64AE053D6FB034F44B6DEF8034A ] Npfs C:\WINDOWS\system32\drivers\Npfs.sys
14:21:51.0312 3972 Npfs - ok
14:21:51.0343 3972 [ 78A08DD6A8D65E697C18E1DB01C5CDCA ] Ntfs C:\WINDOWS\system32\drivers\Ntfs.sys
14:21:51.0343 3972 Ntfs - ok
14:21:51.0359 3972 [ BF2466B3E18E970D8A976FB95FC1CA85 ] NtLmSsp C:\WINDOWS\system32\lsass.exe
14:21:51.0359 3972 NtLmSsp - ok
14:21:51.0406 3972 [ 156F64A3345BD23C600655FB4D10BC08 ] NtmsSvc C:\WINDOWS\system32\ntmssvc.dll
14:21:51.0406 3972 NtmsSvc - ok
14:21:51.0437 3972 [ 73C1E1F395918BC2C6DD67AF7591A3AD ] Null C:\WINDOWS\system32\drivers\Null.sys
14:21:51.0437 3972 Null - ok
14:21:51.0468 3972 [ B305F3FAD35083837EF46A0BBCE2FC57 ] NwlnkFlt C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
14:21:51.0468 3972 NwlnkFlt - ok
14:21:51.0468 3972 [ C99B3415198D1AAB7227F2C88FD664B9 ] NwlnkFwd C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
14:21:51.0468 3972 NwlnkFwd - ok
14:21:51.0484 3972 [ 5575FAF8F97CE5E713D108C2A58D7C7C ] Parport C:\WINDOWS\system32\drivers\Parport.sys
14:21:51.0484 3972 Parport - ok
14:21:51.0484 3972 [ BEB3BA25197665D82EC7065B724171C6 ] PartMgr C:\WINDOWS\system32\drivers\PartMgr.sys
14:21:51.0484 3972 PartMgr - ok
14:21:51.0515 3972 [ 70E98B3FD8E963A6A46A2E6247E0BEA1 ] ParVdm C:\WINDOWS\system32\drivers\ParVdm.sys
14:21:51.0515 3972 ParVdm - ok
14:21:51.0515 3972 [ A219903CCF74233761D92BEF471A07B1 ] PCI C:\WINDOWS\system32\DRIVERS\pci.sys
14:21:51.0515 3972 PCI - ok
14:21:51.0515 3972 PCIDump - ok
14:21:51.0546 3972 [ CCF5F451BB1A5A2A522A76E670000FF0 ] PCIIde C:\WINDOWS\system32\DRIVERS\pciide.sys
14:21:51.0546 3972 PCIIde - ok
14:21:51.0562 3972 [ 9E89EF60E9EE05E3F2EEF2DA7397F1C1 ] Pcmcia C:\WINDOWS\system32\drivers\Pcmcia.sys
14:21:51.0562 3972 Pcmcia - ok
14:21:51.0562 3972 PDCOMP - ok
14:21:51.0578 3972 PDFRAME - ok
14:21:51.0578 3972 PDRELI - ok
14:21:51.0578 3972 PDRFRAME - ok
14:21:51.0578 3972 perc2 - ok
14:21:51.0593 3972 perc2hib - ok
14:21:51.0625 3972 [ 65DF52F5B8B6E9BBD183505225C37315 ] PlugPlay C:\WINDOWS\system32\services.exe
14:21:51.0625 3972 PlugPlay - ok
14:21:51.0671 3972 [ 9D84376931440F3679BEEF2A414FA493 ] Pml Driver HPZ12 C:\WINDOWS\system32\HPZipm12.exe
14:21:51.0671 3972 Pml Driver HPZ12 - ok
14:21:51.0671 3972 [ BF2466B3E18E970D8A976FB95FC1CA85 ] PolicyAgent C:\WINDOWS\system32\lsass.exe
14:21:51.0671 3972 PolicyAgent - ok
14:21:51.0671 3972 [ EFEEC01B1D3CF84F16DDD24D9D9D8F99 ] PptpMiniport C:\WINDOWS\system32\DRIVERS\raspptp.sys
14:21:51.0671 3972 PptpMiniport - ok
14:21:51.0671 3972 [ BF2466B3E18E970D8A976FB95FC1CA85 ] ProtectedStorage C:\WINDOWS\system32\lsass.exe
14:21:51.0687 3972 ProtectedStorage - ok
14:21:51.0687 3972 [ 09298EC810B07E5D582CB3A3F9255424 ] PSched C:\WINDOWS\system32\DRIVERS\psched.sys
14:21:51.0687 3972 PSched - ok
14:21:51.0703 3972 [ 80D317BD1C3DBC5D4FE7B1678C60CADD ] Ptilink C:\WINDOWS\system32\DRIVERS\ptilink.sys
14:21:51.0703 3972 Ptilink - ok
14:21:51.0750 3972 [ E6BE48AFDCF7BE96F69455581F15221C ] QBCFMonitorService C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
14:21:51.0750 3972 QBCFMonitorService - ok
14:21:51.0781 3972 [ 2241EAF40E472C471CB80CF6B97CCA11 ] QBFCService C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
14:21:51.0781 3972 QBFCService - ok
14:21:51.0781 3972 ql1080 - ok
14:21:51.0796 3972 Ql10wnt - ok
14:21:51.0796 3972 ql12160 - ok
14:21:51.0796 3972 ql1240 - ok
14:21:51.0812 3972 ql1280 - ok
14:21:51.0812 3972 [ FE0D99D6F31E4FAD8159F690D68DED9C ] RasAcd C:\WINDOWS\system32\DRIVERS\rasacd.sys
14:21:51.0812 3972 RasAcd - ok
14:21:51.0843 3972 [ AD188BE7BDF94E8DF4CA0A55C00A5073 ] RasAuto C:\WINDOWS\System32\rasauto.dll
14:21:51.0843 3972 RasAuto - ok
14:21:51.0843 3972 [ 11B4A627BC9614B885C4969BFA5FF8A6 ] Rasl2tp C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
14:21:51.0843 3972 Rasl2tp - ok
14:21:51.0906 3972 [ 76A9A3CBEADD68CC57CDA5E1D7448235 ] RasMan C:\WINDOWS\System32\rasmans.dll
14:21:51.0906 3972 RasMan - ok
14:21:51.0906 3972 [ 5BC962F2654137C9909C3D4603587DEE ] RasPppoe C:\WINDOWS\system32\DRIVERS\raspppoe.sys
14:21:51.0906 3972 RasPppoe - ok
14:21:51.0906 3972 [ FDBB1D60066FCFBB7452FD8F9829B242 ] Raspti C:\WINDOWS\system32\DRIVERS\raspti.sys
14:21:51.0906 3972 Raspti - ok
14:21:51.0921 3972 [ 7AD224AD1A1437FE28D89CF22B17780A ] Rdbss C:\WINDOWS\system32\DRIVERS\rdbss.sys
14:21:51.0921 3972 Rdbss - ok
14:21:51.0921 3972 [ 4912D5B403614CE99C28420F75353332 ] RDPCDD C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
14:21:51.0921 3972 RDPCDD - ok
14:21:51.0953 3972 [ 6589DB6E5969F8EEE594CF71171C5028 ] RDPWD C:\WINDOWS\system32\drivers\RDPWD.sys
14:21:51.0953 3972 RDPWD - ok
14:21:51.0984 3972 [ 3C37BF86641BDA977C3BF8A840F3B7FA ] RDSessMgr C:\WINDOWS\system32\sessmgr.exe
14:21:51.0984 3972 RDSessMgr - ok
14:21:52.0000 3972 [ F828DD7E1419B6653894A8F97A0094C5 ] redbook C:\WINDOWS\system32\DRIVERS\redbook.sys
14:21:52.0000 3972 redbook - ok
14:21:52.0046 3972 [ 7E699FF5F59B5D9DE5390E3C34C67CF5 ] RemoteAccess C:\WINDOWS\System32\mprdim.dll
14:21:52.0046 3972 RemoteAccess - ok
14:21:52.0046 3972 [ AAED593F84AFA419BBAE8572AF87CF6A ] RpcLocator C:\WINDOWS\system32\locator.exe
14:21:52.0046 3972 RpcLocator - ok
14:21:52.0078 3972 [ 6B27A5C03DFB94B4245739065431322C ] RpcSs C:\WINDOWS\System32\rpcss.dll
14:21:52.0078 3972 RpcSs - ok
14:21:52.0078 3972 [ 471B3F9741D762ABE75E9DEEA4787E47 ] RSVP C:\WINDOWS\system32\rsvp.exe
14:21:52.0078 3972 RSVP - ok
14:21:52.0093 3972 [ BF2466B3E18E970D8A976FB95FC1CA85 ] SamSs C:\WINDOWS\system32\lsass.exe
14:21:52.0093 3972 SamSs - ok
14:21:52.0093 3972 [ 86D007E7A654B9A71D1D7D856B104353 ] SCardSvr C:\WINDOWS\System32\SCardSvr.exe
14:21:52.0093 3972 SCardSvr - ok
14:21:52.0125 3972 [ 0A9A7365A1CA4319AA7C1D6CD8E4EAFA ] Schedule C:\WINDOWS\system32\schedsvc.dll
14:21:52.0140 3972 Schedule - ok
14:21:52.0156 3972 [ 90A3935D05B494A5A39D37E71F09A677 ] Secdrv C:\WINDOWS\system32\DRIVERS\secdrv.sys
14:21:52.0156 3972 Secdrv - ok
14:21:52.0187 3972 [ CBE612E2BB6A10E3563336191EDA1250 ] seclogon C:\WINDOWS\System32\seclogon.dll
14:21:52.0187 3972 seclogon - ok
14:21:52.0203 3972 [ 7FDD5D0684ECA8C1F68B4D99D124DCD0 ] SENS C:\WINDOWS\system32\sens.dll
14:21:52.0203 3972 SENS - ok
14:21:52.0234 3972 [ CCA207A8896D4C6A0C9CE29A4AE411A7 ] Serial C:\WINDOWS\system32\drivers\Serial.sys
14:21:52.0234 3972 Serial - ok
14:21:52.0265 3972 [ 8E6B8C671615D126FDC553D1E2DE5562 ] Sfloppy C:\WINDOWS\system32\drivers\Sfloppy.sys
14:21:52.0265 3972 Sfloppy - ok
14:21:52.0312 3972 [ 83F41D0D89645D7235C051AB1D9523AC ] SharedAccess C:\WINDOWS\System32\ipnathlp.dll
14:21:52.0312 3972 SharedAccess - ok
14:21:52.0328 3972 [ 99BC0B50F511924348BE19C7C7313BBF ] ShellHWDetection C:\WINDOWS\System32\shsvcs.dll
14:21:52.0328 3972 ShellHWDetection - ok
14:21:52.0328 3972 Simbad - ok
14:21:52.0343 3972 Sparrow - ok
14:21:52.0359 3972 [ AB8B92451ECB048A4D1DE7C3FFCB4A9F ] splitter C:\WINDOWS\system32\drivers\splitter.sys
14:21:52.0359 3972 splitter - ok
14:21:52.0375 3972 [ 60784F891563FB1B767F70117FC2428F ] Spooler C:\WINDOWS\system32\spoolsv.exe
14:21:52.0390 3972 Spooler - ok
14:21:52.0406 3972 [ 76BB022C2FB6902FD5BDD4F78FC13A5D ] sr C:\WINDOWS\system32\DRIVERS\sr.sys
14:21:52.0406 3972 sr - ok
14:21:52.0421 3972 [ 3805DF0AC4296A34BA4BF93B346CC378 ] srservice C:\WINDOWS\system32\srsvc.dll
14:21:52.0421 3972 srservice - ok
14:21:52.0437 3972 [ 47DDFC2F003F7F9F0592C6874962A2E7 ] Srv C:\WINDOWS\system32\DRIVERS\srv.sys
14:21:52.0437 3972 Srv - ok
14:21:52.0468 3972 [ 0A5679B3714EDAB99E357057EE88FCA6 ] SSDPSRV C:\WINDOWS\System32\ssdpsrv.dll
14:21:52.0468 3972 SSDPSRV - ok
14:21:52.0500 3972 [ 8BAD69CBAC032D4BBACFCE0306174C30 ] stisvc C:\WINDOWS\system32\wiaservc.dll
14:21:52.0515 3972 stisvc - ok
14:21:52.0515 3972 [ 3941D127AEF12E93ADDF6FE6EE027E0F ] swenum C:\WINDOWS\system32\DRIVERS\swenum.sys
14:21:52.0515 3972 swenum - ok
14:21:52.0531 3972 [ 8CE882BCC6CF8A62F2B2323D95CB3D01 ] swmidi C:\WINDOWS\system32\drivers\swmidi.sys
14:21:52.0531 3972 swmidi - ok
14:21:52.0531 3972 SwPrv - ok
14:21:52.0531 3972 symc810 - ok
14:21:52.0546 3972 symc8xx - ok
14:21:52.0546 3972 sym_hi - ok
14:21:52.0546 3972 sym_u3 - ok
14:21:52.0593 3972 [ 8B83F3ED0F1688B4958F77CD6D2BF290 ] sysaudio C:\WINDOWS\system32\drivers\sysaudio.sys
14:21:52.0593 3972 sysaudio - ok
14:21:52.0593 3972 [ C7ABBC59B43274B1109DF6B24D617051 ] SysmonLog C:\WINDOWS\system32\smlogsvc.exe
14:21:52.0593 3972 SysmonLog - ok
14:21:52.0625 3972 [ 3CB78C17BB664637787C9A1C98F79C38 ] TapiSrv C:\WINDOWS\System32\tapisrv.dll
14:21:52.0625 3972 TapiSrv - ok
14:21:52.0671 3972 [ 9AEFA14BD6B182D61E3119FA5F436D3D ] Tcpip C:\WINDOWS\system32\DRIVERS\tcpip.sys
14:21:52.0671 3972 Tcpip - ok
14:21:52.0703 3972 [ 6471A66807F5E104E4885F5B67349397 ] TDPIPE C:\WINDOWS\system32\drivers\TDPIPE.sys
14:21:52.0703 3972 TDPIPE - ok
14:21:52.0734 3972 [ C56B6D0402371CF3700EB322EF3AAF61 ] TDTCP C:\WINDOWS\system32\drivers\TDTCP.sys
14:21:52.0734 3972 TDTCP - ok
14:21:52.0750 3972 [ 88155247177638048422893737429D9E ] TermDD C:\WINDOWS\system32\DRIVERS\termdd.sys
14:21:52.0750 3972 TermDD - ok
14:21:52.0765 3972 [ FF3477C03BE7201C294C35F684B3479F ] TermService C:\WINDOWS\System32\termsrv.dll
14:21:52.0781 3972 TermService - ok
14:21:52.0796 3972 [ 99BC0B50F511924348BE19C7C7313BBF ] Themes C:\WINDOWS\System32\shsvcs.dll
14:21:52.0796 3972 Themes - ok
14:21:52.0796 3972 TosIde - ok
14:21:52.0796 3972 [ 55BCA12F7F523D35CA3CB833C725F54E ] TrkWks C:\WINDOWS\system32\trkwks.dll
14:21:52.0796 3972 TrkWks - ok
14:21:52.0828 3972 [ 5787B80C2E3C5E2F56C2A233D91FA2C9 ] Udfs C:\WINDOWS\system32\drivers\Udfs.sys
14:21:52.0828 3972 Udfs - ok
14:21:52.0828 3972 ultra - ok
14:21:52.0843 3972 [ 402DDC88356B1BAC0EE3DD1580C76A31 ] Update C:\WINDOWS\system32\DRIVERS\update.sys
14:21:52.0843 3972 Update - ok
14:21:52.0875 3972 [ 1EBAFEB9A3FBDC41B8D9C7F0F687AD91 ] upnphost C:\WINDOWS\System32\upnphost.dll
14:21:52.0875 3972 upnphost - ok
14:21:52.0875 3972 [ 05365FB38FCA1E98F7A566AAAF5D1815 ] UPS C:\WINDOWS\System32\ups.exe
14:21:52.0890 3972 UPS - ok
14:21:52.0921 3972 [ 173F317CE0DB8E21322E71B7E60A27E8 ] usbccgp C:\WINDOWS\system32\DRIVERS\usbccgp.sys
14:21:52.0921 3972 usbccgp - ok
14:21:52.0953 3972 [ 65DCF09D0E37D4C6B11B5B0B76D470A7 ] usbehci C:\WINDOWS\system32\DRIVERS\usbehci.sys
14:21:52.0953 3972 usbehci - ok
14:21:52.0968 3972 [ 1AB3CDDE553B6E064D2E754EFE20285C ] usbhub C:\WINDOWS\system32\DRIVERS\usbhub.sys
14:21:52.0968 3972 usbhub - ok
14:21:52.0984 3972 [ A717C8721046828520C9EDF31288FC00 ] usbprint C:\WINDOWS\system32\DRIVERS\usbprint.sys
14:21:52.0984 3972 usbprint - ok
14:21:53.0015 3972 [ A0B8CF9DEB1184FBDD20784A58FA75D4 ] usbscan C:\WINDOWS\system32\DRIVERS\usbscan.sys
14:21:53.0015 3972 usbscan - ok
14:21:53.0031 3972 [ A32426D9B14A089EAA1D922E0C5801A9 ] USBSTOR C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
14:21:53.0031 3972 USBSTOR - ok
14:21:53.0046 3972 [ 26496F9DEE2D787FC3E61AD54821FFE6 ] usbuhci C:\WINDOWS\system32\DRIVERS\usbuhci.sys
14:21:53.0046 3972 usbuhci - ok
14:21:53.0062 3972 [ 0D3A8FAFCEACD8B7625CD549757A7DF1 ] VgaSave C:\WINDOWS\System32\drivers\vga.sys
14:21:53.0062 3972 VgaSave - ok
14:21:53.0062 3972 ViaIde - ok
14:21:53.0078 3972 [ 4C8FCB5CC53AAB716D810740FE59D025 ] VolSnap C:\WINDOWS\system32\drivers\VolSnap.sys
14:21:53.0078 3972 VolSnap - ok
14:21:53.0109 3972 [ 7A9DB3A67C333BF0BD42E42B8596854B ] VSS C:\WINDOWS\System32\vssvc.exe
14:21:53.0109 3972 VSS - ok
14:21:53.0140 3972 [ 54AF4B1D5459500EF0937F6D33B1914F ] W32Time C:\WINDOWS\system32\w32time.dll
14:21:53.0140 3972 W32Time - ok
14:21:53.0156 3972 [ E20B95BAEDB550F32DD489265C1DA1F6 ] Wanarp C:\WINDOWS\system32\DRIVERS\wanarp.sys
14:21:53.0156 3972 Wanarp - ok
14:21:53.0187 3972 [ D918617B46457B9AC28027722E30F647 ] Wdf01000 C:\WINDOWS\system32\DRIVERS\Wdf01000.sys
14:21:53.0187 3972 Wdf01000 - ok
14:21:53.0203 3972 WDICA - ok
14:21:53.0234 3972 [ 6768ACF64B18196494413695F0C3A00F ] wdmaud C:\WINDOWS\system32\drivers\wdmaud.sys
14:21:53.0234 3972 wdmaud - ok
14:21:53.0265 3972 [ 77A354E28153AD2D5E120A5A8687BC06 ] WebClient C:\WINDOWS\System32\webclnt.dll
14:21:53.0265 3972 WebClient - ok
14:21:53.0328 3972 [ 2D0E4ED081963804CCC196A0929275B5 ] winmgmt C:\WINDOWS\system32\wbem\WMIsvc.dll
14:21:53.0328 3972 winmgmt - ok
14:21:53.0343 3972 [ 30FC6E5448D0CBAAA95280EEEF7FEDAE ] WinUSB C:\WINDOWS\system32\DRIVERS\WinUSB.sys
14:21:53.0343 3972 WinUSB - ok
14:21:53.0390 3972 [ 051B1BDECD6DEE18C771B5D5EC7F044D ] WmdmPmSN C:\WINDOWS\system32\MsPMSNSv.dll
14:21:53.0390 3972 WmdmPmSN - ok
14:21:53.0406 3972 [ E0673F1106E62A68D2257E376079F821 ] WmiApSrv C:\WINDOWS\system32\wbem\wmiapsrv.exe
14:21:53.0406 3972 WmiApSrv - ok
14:21:53.0468 3972 [ 6BAB4DC65515A098505F8B3D01FB6FE5 ] WMPNetworkSvc C:\Program Files\Windows Media Player\WMPNetwk.exe
14:21:53.0484 3972 WMPNetworkSvc - ok
14:21:53.0515 3972 [ C60DC16D4E406810FAD54B98DC92D5EC ] WpdUsb C:\WINDOWS\system32\DRIVERS\wpdusb.sys
14:21:53.0515 3972 WpdUsb - ok
14:21:53.0671 3972 [ DCF3E3EDF5109EE8BC02FE6E1F045795 ] WPFFontCache_v0400 C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe
14:21:53.0671 3972 WPFFontCache_v0400 - ok
14:21:53.0703 3972 [ 6ABE6E225ADB5A751622A9CC3BC19CE8 ] WS2IFSL C:\WINDOWS\System32\drivers\ws2ifsl.sys
14:21:53.0703 3972 WS2IFSL - ok
14:21:53.0734 3972 [ 7C278E6408D1DCE642230C0585A854D5 ] wscsvc C:\WINDOWS\system32\wscsvc.dll
14:21:53.0734 3972 wscsvc - ok
14:21:53.0750 3972 [ 35321FB577CDC98CE3EB3A3EB9E4610A ] wuauserv C:\WINDOWS\system32\wuauserv.dll
14:21:53.0750 3972 wuauserv - ok
14:21:53.0796 3972 [ 6FF66513D372D479EF1810223C8D20CE ] WudfPf C:\WINDOWS\system32\DRIVERS\WudfPf.sys
14:21:53.0796 3972 WudfPf - ok
14:21:53.0812 3972 [ AC13CB789D93412106B0FB6C7EB2BCB6 ] WudfRd C:\WINDOWS\system32\DRIVERS\wudfrd.sys
14:21:53.0812 3972 WudfRd - ok
14:21:53.0828 3972 [ 575A4190D989F64732119E4114045A4F ] WudfSvc C:\WINDOWS\System32\WUDFSvc.dll
14:21:53.0828 3972 WudfSvc - ok
14:21:53.0875 3972 [ 81DC3F549F44B1C1FFF022DEC9ECF30B ] WZCSVC C:\WINDOWS\System32\wzcsvc.dll
14:21:53.0875 3972 WZCSVC - ok
14:21:53.0937 3972 [ 295D21F14C335B53CB8154E5B1F892B9 ] xmlprov C:\WINDOWS\System32\xmlprov.dll
14:21:53.0937 3972 xmlprov - ok
14:21:53.0937 3972 ================ Scan global ===============================
14:21:53.0968 3972 [ 42F1F4C0AFB08410E5F02D4B13EBB623 ] C:\WINDOWS\system32\basesrv.dll
14:21:54.0015 3972 [ 8C7DCA4B158BF16894120786A7A5F366 ] C:\WINDOWS\system32\winsrv.dll
14:21:54.0015 3972 [ 8C7DCA4B158BF16894120786A7A5F366 ] C:\WINDOWS\system32\winsrv.dll
14:21:54.0031 3972 [ 65DF52F5B8B6E9BBD183505225C37315 ] C:\WINDOWS\system32\services.exe
14:21:54.0031 3972 [Global] - ok
14:21:54.0031 3972 ================ Scan MBR ==================================
14:21:54.0031 3972 [ 8F558EB6672622401DA993E1E865C861 ] \Device\Harddisk0\DR0
14:21:54.0031 3972 Suspicious mbr (Forged): \Device\Harddisk0\DR0
14:21:54.0062 3972 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.c ) - infected
14:21:54.0062 3972 \Device\Harddisk0\DR0 - detected Rootkit.Boot.Pihar.c (0)
14:21:54.0062 3972 ================ Scan VBR ==================================
14:21:54.0093 3972 [ D2B6AB2A8D875CC05D8B2FBF10517E2C ] \Device\Harddisk0\DR0\Partition1
14:21:54.0093 3972 \Device\Harddisk0\DR0\Partition1 - ok
14:21:54.0093 3972 [ 1B71DE0A2A7D867862175129AB969063 ] \Device\Harddisk0\DR0\Partition2
14:21:54.0093 3972 \Device\Harddisk0\DR0\Partition2 - ok
14:21:54.0093 3972 ============================================================
14:21:54.0093 3972 Scan finished
14:21:54.0093 3972 ============================================================
14:21:54.0109 3456 Detected object count: 1
14:21:54.0109 3456 Actual detected object count: 1
14:22:07.0828 3456 \Device\Harddisk0\DR0\# - copied to quarantine
14:22:07.0828 3456 \Device\Harddisk0\DR0 - copied to quarantine
14:22:07.0875 3456 \Device\Harddisk0\DR0\TDLFS\ldrm - copied to quarantine
14:22:07.0890 3456 \Device\Harddisk0\DR0\TDLFS\cmd.dll - copied to quarantine
14:22:07.0890 3456 \Device\Harddisk0\DR0\TDLFS\cmd64.dll - copied to quarantine
14:22:07.0890 3456 \Device\Harddisk0\DR0\TDLFS\sub.dll - copied to quarantine
14:22:07.0890 3456 \Device\Harddisk0\DR0\TDLFS\subx.dll - copied to quarantine
14:22:07.0906 3456 \Device\Harddisk0\DR0\TDLFS\drv32 - copied to quarantine
14:22:07.0906 3456 \Device\Harddisk0\DR0\TDLFS\drv64 - copied to quarantine
14:22:07.0906 3456 \Device\Harddisk0\DR0\TDLFS\servers.dat - copied to quarantine
14:22:07.0953 3456 \Device\Harddisk0\DR0\TDLFS\config.ini - copied to quarantine
14:22:07.0953 3456 \Device\Harddisk0\DR0\TDLFS\ldr16 - copied to quarantine
14:22:07.0953 3456 \Device\Harddisk0\DR0\TDLFS\ldr32 - copied to quarantine
14:22:07.0953 3456 \Device\Harddisk0\DR0\TDLFS\ldr64 - copied to quarantine
14:22:07.0953 3456 \Device\Harddisk0\DR0\TDLFS\s - copied to quarantine
14:22:07.0953 3456 \Device\Harddisk0\DR0\TDLFS\u - copied to quarantine
14:22:07.0968 3456 \Device\Harddisk0\DR0\TDLFS\ph.dll - copied to quarantine
14:22:07.0968 3456 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.c ) - will be cured on reboot
14:22:07.0968 3456 \Device\Harddisk0\DR0 - ok
14:22:07.0968 3456 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.c ) - User select action: Cure
14:22:12.0296 0508 Deinitialize success

kidkrops · Sep 5, 2012

All new everything.. All new logs::

MOST RECENT COMBO FIX LOG:

ComboFix 12-09-05.02 - Joe 09/05/2012 15:14:27.3.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3070.2471 [GMT -4:00]
Running from: c:\documents and settings\Joe\Desktop\help\ComboFix.exe
AV: AVG Anti-Virus 2012 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
.
((((((((((((((((((((((((( Files Created from 2012-08-05 to 2012-09-05 )))))))))))))))))))))))))))))))
.
.
2012-09-05 18:25 . 2012-09-05 18:25 -------- d-----w- c:\windows\LastGood
2012-09-05 18:22 . 2012-09-05 18:22 -------- d-----w- C:\TDSSKiller_Quarantine
2012-09-05 18:21 . 2012-09-05 18:21 -------- d-----w- C:\tdsskiller
2012-09-05 18:20 . 2012-08-24 13:28 2211928 ----a-w- C:\TDSSKiller.exe
2012-09-03 17:35 . 2012-09-03 17:37 -------- d-----w- c:\windows\SxsCaPendDel
2012-08-25 19:56 . 2012-09-03 17:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2012-08-17 21:24 . 2012-08-20 06:05 -------- d-----w- c:\documents and settings\Joe\Local Settings\Application Data\Deployment
2012-08-08 00:21 . 2012-08-08 00:21 -------- d-----w- c:\program files\Common Files\Java
2012-08-08 00:21 . 2012-08-08 00:21 -------- d-----w- c:\documents and settings\Joe\Local Settings\Application Data\Sun
2012-08-08 00:20 . 2012-08-08 00:20 -------- d-----w- c:\program files\Oracle
2012-08-08 00:20 . 2012-08-08 00:20 -------- d-----w- c:\documents and settings\Joe\Application Data\Oracle
2012-08-08 00:20 . 2012-07-06 02:06 772544 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-08-08 00:18 . 2012-08-08 00:18 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2012-08-08 00:12 . 2012-08-08 00:12 -------- d-----w- c:\program files\Citrix
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-06 02:07 . 2012-03-16 04:23 143872 ----a-w- c:\windows\system32\javacpl.cpl
2012-06-13 13:19 . 2004-08-04 12:00 1866112 ----a-w- c:\windows\system32\win32k.sys
.
.
((((((((((((((((((((((((((((( SnapShot@2012-09-04_23.05.14 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-09-05 18:23 . 2012-09-05 18:23 16384 c:\windows\Temp\Perflib_Perfdata_9c.dat
- 2012-08-20 02:42 . 2010-07-05 13:15 26488 c:\windows\SoftwareDistribution\Download\98ba44a9c208ed8f29b83af1026daea1\update\spcustom.dll
- 2012-08-20 02:42 . 2010-07-05 13:15 17272 c:\windows\SoftwareDistribution\Download\98ba44a9c208ed8f29b83af1026daea1\spmsg.dll
- 2012-08-20 02:42 . 2010-07-05 13:15 26488 c:\windows\SoftwareDistribution\Download\4a0e4531b96faf560594eec84d879de6\update\spcustom.dll
- 2012-08-20 02:42 . 2010-07-05 13:15 17272 c:\windows\SoftwareDistribution\Download\4a0e4531b96faf560594eec84d879de6\spmsg.dll
- 2012-08-20 02:42 . 2010-07-05 13:16 382840 c:\windows\SoftwareDistribution\Download\98ba44a9c208ed8f29b83af1026daea1\update\updspapi.dll
- 2012-08-20 02:42 . 2010-07-05 13:15 755576 c:\windows\SoftwareDistribution\Download\98ba44a9c208ed8f29b83af1026daea1\update\update.exe
- 2012-08-20 02:42 . 2010-07-05 13:15 231288 c:\windows\SoftwareDistribution\Download\98ba44a9c208ed8f29b83af1026daea1\spuninst.exe
- 2012-08-20 02:42 . 2010-07-05 13:16 382840 c:\windows\SoftwareDistribution\Download\4a0e4531b96faf560594eec84d879de6\update\updspapi.dll
- 2012-08-20 02:42 . 2010-07-05 13:15 755576 c:\windows\SoftwareDistribution\Download\4a0e4531b96faf560594eec84d879de6\update\update.exe
- 2012-08-20 02:42 . 2010-07-05 13:15 231288 c:\windows\SoftwareDistribution\Download\4a0e4531b96faf560594eec84d879de6\spuninst.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-11-02 39408]
"SpybotSD TeaTimer"="c:\documents and settings\Joe\Desktop\help\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"RTHDCPL"="RTHDCPL.EXE" [2007-04-26 16132608]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-09-08 98304]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-12 49152]
"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2011-06-15 1532760]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-11 20992]
"TkBellExe"="c:\program files\Real\RealPlayer\update\realsched.exe" [2011-12-23 296056]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-11 282624]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2011-6-22 984936]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2009\\QBDBMgrN.exe"=
"c:\\Program Files\\Java\\jre7\\bin\\javaw.exe"=
.
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [11/2/2011 1:19 AM 136176]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [11/2/2011 1:19 AM 136176]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - 04986721
*NewlyCreated* - 76761113
*Deregistered* - 04986721
*Deregistered* - 76761113
.
Contents of the 'Scheduled Tasks' folder
.
2012-09-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-11-02 05:19]
.
2012-09-05 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-11-02 05:19]
.
2012-09-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-823518204-789336058-725345543-1004Core.job
- c:\documents and settings\Joe\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-11-02 05:24]
.
2012-09-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-823518204-789336058-725345543-1004UA.job
- c:\documents and settings\Joe\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-11-02 05:24]
.
2012-09-05 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-823518204-789336058-725345543-1004.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-11-29 21:02]
.
2012-09-05 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-823518204-789336058-725345543-1004.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-11-29 21:02]
.
2012-09-05 c:\windows\Tasks\User_Feed_Synchronization-{D288B110-DBAE-473C-9AF0-7ACA0638B08D}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://start.funmoods.com/?f=1&a=test312&chnl=test312&cd=2XzuyEtN2Y1L1QzutDtDtBtCzy0BtD0CyDyE0B0DyC0B0A0BtN0D0Tzu0CtByEzztN1L2XzutBtFtCtFtCtFtAtCtB&cr=351168579
TCP: DhcpNameServer = 167.206.251.129 167.206.251.130
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-04986721.sys
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-09-05 15:18
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(712)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\atiadlxx.dll
.
- - - - - - - > 'explorer.exe'(3348)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2012-09-05 15:19:33
ComboFix-quarantined-files.txt 2012-09-05 19:19
ComboFix2.txt 2012-09-05 17:17
ComboFix3.txt 2012-09-04 23:09
.
Pre-Run: 292,465,549,312 bytes free
Post-Run: 292,510,416,896 bytes free
.
- - End Of File - - 9B3EF1603F96CE01073DB424C9655258

NEW DDS LOG::

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 10.5.1
Run by Joe at 15:22:44 on 2012-09-05
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3070.2342 [GMT -4:00]
.
AV: AVG Anti-Virus 2012 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\Logi_MwX.Exe
C:\Program Files\Real\RealPlayer\update\realsched.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://start.funmoods.com/?f=1&a=test312&chnl=test312&cd=2XzuyEtN2Y1L1QzutDtDtBtCzy0BtD0CyDyE0B0DyC0B0A0BtN0D0Tzu0CtByEzztN1L2XzutBtFtCtFtCtFtAtCtB&cr=351168579
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\docume~1\joe\desktop\help\spybot~1\SDHelper.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\oracle\javafx 2.1 runtime\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.7529.1424\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\oracle\javafx 2.1 runtime\bin\jp2ssv.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [SpybotSD TeaTimer] c:\documents and settings\joe\desktop\help\spybot - search & destroy\TeaTimer.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [Intuit SyncManager] c:\program files\common files\intuit\sync\IntuitSyncManager.exe startup
mRun: [Logitech Utility] Logi_MwX.Exe
mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\docume~1\joe\desktop\help\spybot~1\SDHelper.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://windowsupdate.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1320210431218
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1320215336734
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
TCP: DhcpNameServer = 167.206.251.129 167.206.251.130
TCP: Interfaces\{13DC235B-8EBF-4AFA-B4FD-6A3FF757B880} : DhcpNameServer = 167.206.251.129 167.206.251.130
Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\intuit\quickbooks 2009\HelpAsyncPluggableProtocol.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
============= SERVICES / DRIVERS ===============
.
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-11-2 136176]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-11-2 136176]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2012-09-05 18:22:07 -------- d-----w- C:\TDSSKiller_Quarantine
2012-09-05 18:21:18 -------- d-----w- C:\tdsskiller
2012-09-05 18:20:56 2211928 ----a-w- C:\TDSSKiller.exe
2012-09-04 22:48:10 -------- d-sha-r- C:\cmdcons
2012-09-04 22:34:36 98816 ----a-w- c:\windows\sed.exe
2012-09-04 22:34:36 518144 ----a-w- c:\windows\SWREG.exe
2012-09-04 22:34:36 256000 ----a-w- c:\windows\PEV.exe
2012-09-04 22:34:36 208896 ----a-w- c:\windows\MBR.exe
2012-09-03 17:35:11 -------- d-----w- c:\windows\SxsCaPendDel
2012-08-25 19:56:27 -------- d-----w- c:\documents and settings\all users\application data\Spybot - Search & Destroy
2012-08-17 21:24:19 -------- d-----w- c:\documents and settings\joe\local settings\application data\Deployment
2012-08-08 00:21:54 -------- d-----w- c:\documents and settings\joe\local settings\application data\Sun
2012-08-08 00:20:45 -------- d-----w- c:\program files\Oracle
2012-08-08 00:20:28 772544 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-08-08 00:12:01 -------- d-----w- c:\program files\Citrix
.
==================== Find3M ====================
.
2012-07-06 02:07:08 143872 ----a-w- c:\windows\system32\javacpl.cpl
2012-06-13 13:19:59 1866112 ----a-w- c:\windows\system32\win32k.sys
.
============= FINISH: 15:22:51.95 ===============

TDSSKILLRT LOG:::

15:23:57.0203 2548 TDSS rootkit removing tool 2.8.8.0 Aug 24 2012 13:27:48
15:23:57.0421 2548 ============================================================
15:23:57.0421 2548 Current date / time: 2012/09/05 15:23:57.0421
15:23:57.0421 2548 SystemInfo:
15:23:57.0421 2548
15:23:57.0421 2548 OS Version: 5.1.2600 ServicePack: 3.0
15:23:57.0421 2548 Product type: Workstation
15:23:57.0421 2548 ComputerName: TRADE2WIN
15:23:57.0421 2548 UserName: Joe
15:23:57.0421 2548 Windows directory: C:\WINDOWS
15:23:57.0421 2548 System windows directory: C:\WINDOWS
15:23:57.0421 2548 Processor architecture: Intel x86
15:23:57.0421 2548 Number of processors: 2
15:23:57.0421 2548 Page size: 0x1000
15:23:57.0421 2548 Boot type: Normal boot
15:23:57.0421 2548 ============================================================
15:23:58.0187 2548 BG loaded
15:23:58.0375 2548 Drive \Device\Harddisk0\DR0 - Size: 0x4A85D56000 (298.09 Gb), SectorSize: 0x200, Cylinders: 0x9801, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
15:23:58.0375 2548 ============================================================
15:23:58.0375 2548 \Device\Harddisk0\DR0:
15:23:58.0375 2548 MBR partitions:
15:23:58.0375 2548 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x1B800, BlocksNum 0x1400000
15:23:58.0375 2548 \Device\Harddisk0\DR0\Partition2: MBR, Type 0x7, StartLBA 0x141B800, BlocksNum 0x24012800
15:23:58.0375 2548 ============================================================
15:23:58.0421 2548 C: <-> \Device\Harddisk0\DR0\Partition2
15:23:58.0453 2548 D: <-> \Device\Harddisk0\DR0\Partition1
15:23:58.0453 2548 ============================================================
15:23:58.0453 2548 Initialize success
15:23:58.0453 2548 ============================================================
15:23:59.0328 1416 ============================================================
15:23:59.0328 1416 Scan started
15:23:59.0328 1416 Mode: Manual;
15:23:59.0328 1416 ============================================================
15:24:00.0062 1416 ================ Scan system memory ========================
15:24:00.0062 1416 System memory - ok
15:24:00.0062 1416 ================ Scan services =============================
15:24:00.0156 1416 Abiosdsk - ok
15:24:00.0171 1416 abp480n5 - ok
15:24:00.0203 1416 [ 8FD99680A539792A30E97944FDAECF17 ] ACPI C:\WINDOWS\system32\DRIVERS\ACPI.sys
15:24:00.0203 1416 ACPI - ok
15:24:00.0234 1416 [ 9859C0F6936E723E4892D7141B1327D5 ] ACPIEC C:\WINDOWS\system32\drivers\ACPIEC.sys
15:24:00.0234 1416 ACPIEC - ok
15:24:00.0234 1416 adpu160m - ok
15:24:00.0250 1416 [ 8BED39E3C35D6A489438B8141717A557 ] aec C:\WINDOWS\system32\drivers\aec.sys
15:24:00.0250 1416 aec - ok
15:24:00.0281 1416 [ 1E44BC1E83D8FD2305F8D452DB109CF9 ] AFD C:\WINDOWS\System32\drivers\afd.sys
15:24:00.0281 1416 AFD - ok
15:24:00.0296 1416 Aha154x - ok
15:24:00.0296 1416 aic78u2 - ok
15:24:00.0296 1416 aic78xx - ok
15:24:00.0343 1416 [ A9A3DAA780CA6C9671A19D52456705B4 ] Alerter C:\WINDOWS\system32\alrsvc.dll
15:24:00.0343 1416 Alerter - ok
15:24:00.0375 1416 [ 8C515081584A38AA007909CD02020B3D ] ALG C:\WINDOWS\System32\alg.exe
15:24:00.0375 1416 ALG - ok
15:24:00.0375 1416 AliIde - ok
15:24:00.0375 1416 amsint - ok
15:24:00.0375 1416 AppMgmt - ok
15:24:00.0390 1416 asc - ok
15:24:00.0390 1416 asc3350p - ok
15:24:00.0390 1416 asc3550 - ok
15:24:00.0468 1416 [ 0E5E4957549056E2BF2C49F4F6B601AD ] aspnet_state C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
15:24:00.0484 1416 aspnet_state - ok
15:24:00.0515 1416 [ B153AFFAC761E7F5FCFA822B9C4E97BC ] AsyncMac C:\WINDOWS\system32\DRIVERS\asyncmac.sys
15:24:00.0515 1416 AsyncMac - ok
15:24:00.0515 1416 [ 9F3A2F5AA6875C72BF062C712CFA2674 ] atapi C:\WINDOWS\system32\DRIVERS\atapi.sys
15:24:00.0515 1416 atapi - ok
15:24:00.0531 1416 Atdisk - ok
15:24:00.0562 1416 [ 192A651DF943EE391DFD2E4A123F07F6 ] Ati HotKey Poller C:\WINDOWS\system32\Ati2evxx.exe
15:24:00.0562 1416 Ati HotKey Poller - ok
15:24:00.0703 1416 [ 0A8B257DB810BE78AC9FD1860B4BA22B ] ati2mtag C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
15:24:00.0734 1416 ati2mtag - ok
15:24:00.0781 1416 [ 9916C1225104BA14794209CFA8012159 ] Atmarpc C:\WINDOWS\system32\DRIVERS\atmarpc.sys
15:24:00.0781 1416 Atmarpc - ok
15:24:00.0812 1416 [ DEF7A7882BEC100FE0B2CE2549188F9D ] AudioSrv C:\WINDOWS\System32\audiosrv.dll
15:24:00.0812 1416 AudioSrv - ok
15:24:00.0843 1416 [ D9F724AA26C010A217C97606B160ED68 ] audstub C:\WINDOWS\system32\DRIVERS\audstub.sys
15:24:00.0843 1416 audstub - ok
15:24:00.0875 1416 [ DA1F27D85E0D1525F6621372E7B685E9 ] Beep C:\WINDOWS\system32\drivers\Beep.sys
15:24:00.0875 1416 Beep - ok
15:24:00.0906 1416 [ 574738F61FCA2935F5265DC4E5691314 ] BITS C:\WINDOWS\system32\qmgr.dll
15:24:00.0906 1416 BITS - ok
15:24:00.0937 1416 [ A06CE3399D16DB864F55FAEB1F1927A9 ] Browser C:\WINDOWS\System32\browser.dll
15:24:00.0937 1416 Browser - ok
15:24:01.0031 1416 catchme - ok
15:24:01.0046 1416 [ 90A673FC8E12A79AFBED2576F6A7AAF9 ] cbidf2k C:\WINDOWS\system32\drivers\cbidf2k.sys
15:24:01.0046 1416 cbidf2k - ok
15:24:01.0046 1416 cd20xrnt - ok
15:24:01.0078 1416 [ C1B486A7658353D33A10CC15211A873B ] Cdaudio C:\WINDOWS\system32\drivers\Cdaudio.sys
15:24:01.0078 1416 Cdaudio - ok
15:24:01.0093 1416 [ C885B02847F5D2FD45A24E219ED93B32 ] Cdfs C:\WINDOWS\system32\drivers\Cdfs.sys
15:24:01.0093 1416 Cdfs - ok
15:24:01.0109 1416 [ 1F4260CC5B42272D71F79E570A27A4FE ] Cdrom C:\WINDOWS\system32\DRIVERS\cdrom.sys
15:24:01.0109 1416 Cdrom - ok
15:24:01.0109 1416 Changer - ok
15:24:01.0140 1416 [ 1CFE720EB8D93A7158A4EBC3AB178BDE ] CiSvc C:\WINDOWS\system32\cisvc.exe
15:24:01.0140 1416 CiSvc - ok
15:24:01.0140 1416 [ 34CBE729F38138217F9C80212A2A0C82 ] ClipSrv C:\WINDOWS\system32\clipsrv.exe
15:24:01.0140 1416 ClipSrv - ok
15:24:01.0187 1416 [ D87ACAED61E417BBA546CED5E7E36D9C ] clr_optimization_v2.0.50727_32 C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
15:24:01.0187 1416 clr_optimization_v2.0.50727_32 - ok
15:24:01.0203 1416 [ C5A75EB48E2344ABDC162BDA79E16841 ] clr_optimization_v4.0.30319_32 C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
15:24:01.0203 1416 clr_optimization_v4.0.30319_32 - ok
15:24:01.0203 1416 CmdIde - ok
15:24:01.0218 1416 COMSysApp - ok
15:24:01.0218 1416 Cpqarray - ok
15:24:01.0250 1416 [ 3D4E199942E29207970E04315D02AD3B ] CryptSvc C:\WINDOWS\System32\cryptsvc.dll
15:24:01.0250 1416 CryptSvc - ok
15:24:01.0265 1416 dac2w2k - ok
15:24:01.0265 1416 dac960nt - ok
15:24:01.0296 1416 [ 6B27A5C03DFB94B4245739065431322C ] DcomLaunch C:\WINDOWS\system32\rpcss.dll
15:24:01.0296 1416 DcomLaunch - ok
15:24:01.0328 1416 [ 5E38D7684A49CACFB752B046357E0589 ] Dhcp C:\WINDOWS\System32\dhcpcsvc.dll
15:24:01.0328 1416 Dhcp - ok
15:24:01.0328 1416 [ 044452051F3E02E7963599FC8F4F3E25 ] Disk C:\WINDOWS\system32\DRIVERS\disk.sys
15:24:01.0328 1416 Disk - ok
15:24:01.0343 1416 dmadmin - ok
15:24:01.0375 1416 [ D992FE1274BDE0F84AD826ACAE022A41 ] dmboot C:\WINDOWS\system32\drivers\dmboot.sys
15:24:01.0375 1416 dmboot - ok
15:24:01.0390 1416 [ 7C824CF7BBDE77D95C08005717A95F6F ] dmio C:\WINDOWS\system32\drivers\dmio.sys
15:24:01.0390 1416 dmio - ok
15:24:01.0406 1416 [ E9317282A63CA4D188C0DF5E09C6AC5F ] dmload C:\WINDOWS\system32\drivers\dmload.sys
15:24:01.0406 1416 dmload - ok
15:24:01.0453 1416 [ 57EDEC2E5F59F0335E92F35184BC8631 ] dmserver C:\WINDOWS\System32\dmserver.dll
15:24:01.0453 1416 dmserver - ok
15:24:01.0468 1416 [ 8A208DFCF89792A484E76C40E5F50B45 ] DMusic C:\WINDOWS\system32\drivers\DMusic.sys
15:24:01.0468 1416 DMusic - ok
15:24:01.0500 1416 [ 5F7E24FA9EAB896051FFB87F840730D2 ] Dnscache C:\WINDOWS\System32\dnsrslvr.dll
15:24:01.0500 1416 Dnscache - ok
15:24:01.0546 1416 [ 0F0F6E687E5E15579EF4DA8DD6945814 ] Dot3svc C:\WINDOWS\System32\dot3svc.dll
15:24:01.0546 1416 Dot3svc - ok
15:24:01.0546 1416 dpti2o - ok
15:24:01.0546 1416 [ 8F5FCFF8E8848AFAC920905FBD9D33C8 ] drmkaud C:\WINDOWS\system32\drivers\drmkaud.sys
15:24:01.0546 1416 drmkaud - ok
15:24:01.0593 1416 [ 34AAA3B298A852B3663E6E0D94D12945 ] e1express C:\WINDOWS\system32\DRIVERS\e1e5132.sys
15:24:01.0593 1416 e1express - ok
15:24:01.0625 1416 [ 2187855A7703ADEF0CEF9EE4285182CC ] EapHost C:\WINDOWS\System32\eapsvc.dll
15:24:01.0625 1416 EapHost - ok
15:24:01.0671 1416 [ BC93B4A066477954555966D77FEC9ECB ] ERSvc C:\WINDOWS\System32\ersvc.dll
15:24:01.0671 1416 ERSvc - ok
15:24:01.0703 1416 [ 65DF52F5B8B6E9BBD183505225C37315 ] Eventlog C:\WINDOWS\system32\services.exe
15:24:01.0703 1416 Eventlog - ok
15:24:01.0718 1416 [ D4991D98F2DB73C60D042F1AEF79EFAE ] EventSystem C:\WINDOWS\system32\es.dll
15:24:01.0734 1416 EventSystem - ok
15:24:01.0750 1416 [ 38D332A6D56AF32635675F132548343E ] Fastfat C:\WINDOWS\system32\drivers\Fastfat.sys
15:24:01.0750 1416 Fastfat - ok
15:24:01.0796 1416 [ 99BC0B50F511924348BE19C7C7313BBF ] FastUserSwitchingCompatibility C:\WINDOWS\System32\shsvcs.dll
15:24:01.0796 1416 FastUserSwitchingCompatibility - ok
15:24:01.0796 1416 [ 92CDD60B6730B9F50F6A1A0C1F8CDC81 ] Fdc C:\WINDOWS\system32\DRIVERS\fdc.sys
15:24:01.0796 1416 Fdc - ok
15:24:01.0796 1416 [ D45926117EB9FA946A6AF572FBE1CAA3 ] Fips C:\WINDOWS\system32\drivers\Fips.sys
15:24:01.0796 1416 Fips - ok
15:24:01.0812 1416 [ 9D27E7B80BFCDF1CDD9B555862D5E7F0 ] Flpydisk C:\WINDOWS\system32\drivers\Flpydisk.sys
15:24:01.0812 1416 Flpydisk - ok
15:24:01.0828 1416 [ B2CF4B0786F8212CB92ED2B50C6DB6B0 ] FltMgr C:\WINDOWS\system32\drivers\fltmgr.sys
15:24:01.0828 1416 FltMgr - ok
15:24:01.0890 1416 [ 8BA7C024070F2B7FDD98ED8A4BA41789 ] FontCache3.0.0.0 c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
15:24:01.0890 1416 FontCache3.0.0.0 - ok
15:24:01.0890 1416 [ 3E1E2BD4F39B0E2B7DC4F4D2BCC2779A ] Fs_Rec C:\WINDOWS\system32\drivers\Fs_Rec.sys
15:24:01.0890 1416 Fs_Rec - ok
15:24:01.0890 1416 [ 6AC26732762483366C3969C9E4D2259D ] Ftdisk C:\WINDOWS\system32\DRIVERS\ftdisk.sys
15:24:01.0890 1416 Ftdisk - ok
15:24:01.0921 1416 [ 0A02C63C8B144BD8C86B103DEE7C86A2 ] Gpc C:\WINDOWS\system32\DRIVERS\msgpc.sys
15:24:01.0921 1416 Gpc - ok
15:24:02.0015 1416 [ F02A533F517EB38333CB12A9E8963773 ] gupdate C:\Program Files\Google\Update\GoogleUpdate.exe
15:24:02.0015 1416 gupdate - ok
15:24:02.0015 1416 [ F02A533F517EB38333CB12A9E8963773 ] gupdatem C:\Program Files\Google\Update\GoogleUpdate.exe
15:24:02.0031 1416 gupdatem - ok
15:24:02.0062 1416 [ 5D4BC124FAAE6730AC002CDB67BF1A1C ] gusvc C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
15:24:02.0062 1416 gusvc - ok
15:24:02.0109 1416 [ 573C7D0A32852B48F3058CFD8026F511 ] HDAudBus C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
15:24:02.0109 1416 HDAudBus - ok
15:24:02.0156 1416 [ 4FCCA060DFE0C51A09DD5C3843888BCD ] helpsvc C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll
15:24:02.0156 1416 helpsvc - ok
15:24:02.0187 1416 [ DEB04DA35CC871B6D309B77E1443C796 ] HidServ C:\WINDOWS\System32\hidserv.dll
15:24:02.0187 1416 HidServ - ok
15:24:02.0187 1416 [ CCF82C5EC8A7326C3066DE870C06DAF1 ] hidusb C:\WINDOWS\system32\DRIVERS\hidusb.sys
15:24:02.0187 1416 hidusb - ok
15:24:02.0218 1416 [ 8878BD685E490239777BFE51320B88E9 ] hkmsvc C:\WINDOWS\System32\kmsvc.dll
15:24:02.0218 1416 hkmsvc - ok
15:24:02.0218 1416 hpn - ok
15:24:02.0250 1416 [ 9F1D80908658EB7F1BF70809E0B51470 ] HPZid412 C:\WINDOWS\system32\DRIVERS\HPZid412.sys
15:24:02.0250 1416 HPZid412 - ok
15:24:02.0250 1416 [ F7E3E9D50F9CD3DE28085A8FDAA0A1C3 ] HPZipr12 C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
15:24:02.0265 1416 HPZipr12 - ok
15:24:02.0296 1416 [ CF1B7951B4EC8D13F3C93B74BB2B461B ] HPZius12 C:\WINDOWS\system32\DRIVERS\HPZius12.sys
15:24:02.0296 1416 HPZius12 - ok
15:24:02.0343 1416 [ F80A415EF82CD06FFAF0D971528EAD38 ] HTTP C:\WINDOWS\system32\Drivers\HTTP.sys
15:24:02.0343 1416 HTTP - ok
15:24:02.0359 1416 [ 6100A808600F44D999CEBDEF8841C7A3 ] HTTPFilter C:\WINDOWS\System32\w3ssl.dll
15:24:02.0359 1416 HTTPFilter - ok
15:24:02.0359 1416 i2omgmt - ok
15:24:02.0375 1416 i2omp - ok
15:24:02.0375 1416 [ 4A0B06AA8943C1E332520F7440C0AA30 ] i8042prt C:\WINDOWS\system32\drivers\i8042prt.sys
15:24:02.0375 1416 i8042prt - ok
15:24:02.0453 1416 [ C01AC32DC5C03076CFB852CB5DA5229C ] idsvc c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
15:24:02.0453 1416 idsvc - ok
15:24:02.0468 1416 [ 083A052659F5310DD8B6A6CB05EDCF8E ] Imapi C:\WINDOWS\system32\DRIVERS\imapi.sys
15:24:02.0468 1416 Imapi - ok
15:24:02.0546 1416 [ 30DEAF54A9755BB8546168CFE8A6B5E1 ] ImapiService C:\WINDOWS\system32\imapi.exe
15:24:02.0546 1416 ImapiService - ok
15:24:02.0546 1416 ini910u - ok
15:24:02.0671 1416 [ 17BBBABB21F86B650B2626045A9D016C ] IntcAzAudAddService C:\WINDOWS\system32\drivers\RtkHDAud.sys
15:24:02.0687 1416 IntcAzAudAddService - ok
15:24:02.0687 1416 IntelIde - ok
15:24:02.0734 1416 [ 8C953733D8F36EB2133F5BB58808B66B ] intelppm C:\WINDOWS\system32\DRIVERS\intelppm.sys
15:24:02.0734 1416 intelppm - ok
15:24:02.0765 1416 [ 3BB22519A194418D5FEC05D800A19AD0 ] Ip6Fw C:\WINDOWS\system32\drivers\ip6fw.sys
15:24:02.0765 1416 Ip6Fw - ok
15:24:02.0796 1416 [ 731F22BA402EE4B62748ADAF6363C182 ] IpFilterDriver C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
15:24:02.0796 1416 IpFilterDriver - ok
15:24:02.0828 1416 [ B87AB476DCF76E72010632B5550955F5 ] IpInIp C:\WINDOWS\system32\DRIVERS\ipinip.sys
15:24:02.0828 1416 IpInIp - ok
15:24:02.0859 1416 [ CC748EA12C6EFFDE940EE98098BF96BB ] IpNat C:\WINDOWS\system32\DRIVERS\ipnat.sys
15:24:02.0859 1416 IpNat - ok
15:24:02.0859 1416 [ 23C74D75E36E7158768DD63D92789A91 ] IPSec C:\WINDOWS\system32\DRIVERS\ipsec.sys
15:24:02.0859 1416 IPSec - ok
15:24:02.0875 1416 [ C93C9FF7B04D772627A3646D89F7BF89 ] IRENUM C:\WINDOWS\system32\DRIVERS\irenum.sys
15:24:02.0875 1416 IRENUM - ok
15:24:02.0906 1416 [ 05A299EC56E52649B1CF2FC52D20F2D7 ] isapnp C:\WINDOWS\system32\DRIVERS\isapnp.sys
15:24:02.0906 1416 isapnp - ok
15:24:02.0953 1416 [ 4F2143570D2250CA4C4A4C98553C82CD ] JavaQuickStarterService C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe
15:24:02.0953 1416 JavaQuickStarterService - ok
15:24:02.0984 1416 [ 463C1EC80CD17420A542B7F36A36F128 ] Kbdclass C:\WINDOWS\system32\DRIVERS\kbdclass.sys
15:24:02.0984 1416 Kbdclass - ok
15:24:02.0984 1416 [ 9EF487A186DEA361AA06913A75B3FA99 ] kbdhid C:\WINDOWS\system32\DRIVERS\kbdhid.sys
15:24:02.0984 1416 kbdhid - ok
15:24:02.0984 1416 [ 692BCF44383D056AED41B045A323D378 ] kmixer C:\WINDOWS\system32\drivers\kmixer.sys
15:24:03.0000 1416 kmixer - ok
15:24:03.0015 1416 [ B467646C54CC746128904E1654C750C1 ] KSecDD C:\WINDOWS\system32\drivers\KSecDD.sys
15:24:03.0015 1416 KSecDD - ok
15:24:03.0046 1416 [ 3A7C3CBE5D96B8AE96CE81F0B22FB527 ] lanmanserver C:\WINDOWS\System32\srvsvc.dll
15:24:03.0046 1416 lanmanserver - ok
15:24:03.0046 1416 [ A8888A5327621856C0CEC4E385F69309 ] lanmanworkstation C:\WINDOWS\System32\wkssvc.dll
15:24:03.0046 1416 lanmanworkstation - ok
15:24:03.0046 1416 lbrtfdc - ok
15:24:03.0093 1416 [ 691D50CF54BE2013659925D3FF953DC2 ] LCcfltr C:\WINDOWS\system32\Drivers\LCcFltr.Sys
15:24:03.0093 1416 LCcfltr - ok
15:24:03.0093 1416 [ 03976C309EDE05D39017C05B817CD94F ] LHidFlt2 C:\WINDOWS\system32\DRIVERS\LHidFlt2.Sys
15:24:03.0093 1416 LHidFlt2 - ok
15:24:03.0109 1416 [ 25688115843C4028686A96D88BC28007 ] LHidUsb C:\WINDOWS\system32\Drivers\LHidUsb.Sys
15:24:03.0109 1416 LHidUsb - ok
15:24:03.0140 1416 [ A7DB739AE99A796D91580147E919CC59 ] LmHosts C:\WINDOWS\System32\lmhsvc.dll
15:24:03.0140 1416 LmHosts - ok
15:24:03.0140 1416 [ 26407519FCA64EC4091FE1F815B4AFC4 ] LMouFlt2 C:\WINDOWS\system32\DRIVERS\LMouFlt2.Sys
15:24:03.0140 1416 LMouFlt2 - ok
15:24:03.0187 1416 [ 986B1FF5814366D71E0AC5755C88F2D3 ] Messenger C:\WINDOWS\System32\msgsvc.dll
15:24:03.0187 1416 Messenger - ok
15:24:03.0203 1416 [ 4AE068242760A1FB6E1A44BF4E16AFA6 ] mnmdd C:\WINDOWS\system32\drivers\mnmdd.sys
15:24:03.0203 1416 mnmdd - ok
15:24:03.0250 1416 [ D18F1F0C101D06A1C1ADF26EED16FCDD ] mnmsrvc C:\WINDOWS\system32\mnmsrvc.exe
15:24:03.0250 1416 mnmsrvc - ok
15:24:03.0265 1416 [ DFCBAD3CEC1C5F964962AE10E0BCC8E1 ] Modem C:\WINDOWS\system32\drivers\Modem.sys
15:24:03.0265 1416 Modem - ok
15:24:03.0265 1416 [ 35C9E97194C8CFB8430125F8DBC34D04 ] Mouclass C:\WINDOWS\system32\DRIVERS\mouclass.sys
15:24:03.0265 1416 Mouclass - ok
15:24:03.0281 1416 [ B1C303E17FB9D46E87A98E4BA6769685 ] mouhid C:\WINDOWS\system32\DRIVERS\mouhid.sys
15:24:03.0281 1416 mouhid - ok
15:24:03.0281 1416 [ A80B9A0BAD1B73637DBCBBA7DF72D3FD ] MountMgr C:\WINDOWS\system32\drivers\MountMgr.sys
15:24:03.0281 1416 MountMgr - ok
15:24:03.0281 1416 mraid35x - ok
15:24:03.0312 1416 [ 11D42BB6206F33FBB3BA0288D3EF81BD ] MRxDAV C:\WINDOWS\system32\DRIVERS\mrxdav.sys
15:24:03.0312 1416 MRxDAV - ok
15:24:03.0359 1416 [ 7D304A5EB4344EBEEAB53A2FE3FFB9F0 ] MRxSmb C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
15:24:03.0359 1416 MRxSmb - ok
15:24:03.0375 1416 [ A137F1470499A205ABBB9AAFB3B6F2B1 ] MSDTC C:\WINDOWS\system32\msdtc.exe
15:24:03.0375 1416 MSDTC - ok
15:24:03.0390 1416 [ C941EA2454BA8350021D774DAF0F1027 ] Msfs C:\WINDOWS\system32\drivers\Msfs.sys
15:24:03.0390 1416 Msfs - ok
15:24:03.0390 1416 MSIServer - ok
15:24:03.0437 1416 [ D1575E71568F4D9E14CA56B7B0453BF1 ] MSKSSRV C:\WINDOWS\system32\drivers\MSKSSRV.sys
15:24:03.0437 1416 MSKSSRV - ok
15:24:03.0437 1416 [ 325BB26842FC7CCC1FCCE2C457317F3E ] MSPCLOCK C:\WINDOWS\system32\drivers\MSPCLOCK.sys
15:24:03.0437 1416 MSPCLOCK - ok
15:24:03.0453 1416 [ BAD59648BA099DA4A17680B39730CB3D ] MSPQM C:\WINDOWS\system32\drivers\MSPQM.sys
15:24:03.0453 1416 MSPQM - ok
15:24:03.0453 1416 [ AF5F4F3F14A8EA2C26DE30F7A1E17136 ] mssmbios C:\WINDOWS\system32\DRIVERS\mssmbios.sys
15:24:03.0453 1416 mssmbios - ok
15:24:03.0468 1416 [ DE6A75F5C270E756C5508D94B6CF68F5 ] Mup C:\WINDOWS\system32\drivers\Mup.sys
15:24:03.0468 1416 Mup - ok
15:24:03.0500 1416 [ 0102140028FAD045756796E1C685D695 ] napagent C:\WINDOWS\System32\qagentrt.dll
15:24:03.0500 1416 napagent - ok
15:24:03.0515 1416 [ 1DF7F42665C94B825322FAE71721130D ] NDIS C:\WINDOWS\system32\drivers\NDIS.sys
15:24:03.0515 1416 NDIS - ok
15:24:03.0515 1416 [ 0109C4F3850DFBAB279542515386AE22 ] NdisTapi C:\WINDOWS\system32\DRIVERS\ndistapi.sys
15:24:03.0531 1416 NdisTapi - ok
15:24:03.0531 1416 [ F927A4434C5028758A842943EF1A3849 ] Ndisuio C:\WINDOWS\system32\DRIVERS\ndisuio.sys
15:24:03.0531 1416 Ndisuio - ok
15:24:03.0531 1416 [ EDC1531A49C80614B2CFDA43CA8659AB ] NdisWan C:\WINDOWS\system32\DRIVERS\ndiswan.sys
15:24:03.0546 1416 NdisWan - ok
15:24:03.0578 1416 [ 9282BD12DFB069D3889EB3FCC1000A9B ] NDProxy C:\WINDOWS\system32\drivers\NDProxy.sys
15:24:03.0578 1416 NDProxy - ok
15:24:03.0578 1416 [ 5D81CF9A2F1A3A756B66CF684911CDF0 ] NetBIOS C:\WINDOWS\system32\DRIVERS\netbios.sys
15:24:03.0578 1416 NetBIOS - ok
15:24:03.0593 1416 [ 74B2B2F5BEA5E9A3DC021D685551BD3D ] NetBT C:\WINDOWS\system32\DRIVERS\netbt.sys
15:24:03.0593 1416 NetBT - ok
15:24:03.0625 1416 [ B857BA82860D7FF85AE29B095645563B ] NetDDE C:\WINDOWS\system32\netdde.exe
15:24:03.0625 1416 NetDDE - ok
15:24:03.0625 1416 [ B857BA82860D7FF85AE29B095645563B ] NetDDEdsdm C:\WINDOWS\system32\netdde.exe
15:24:03.0625 1416 NetDDEdsdm - ok
15:24:03.0656 1416 [ BF2466B3E18E970D8A976FB95FC1CA85 ] Netlogon C:\WINDOWS\system32\lsass.exe
15:24:03.0656 1416 Netlogon - ok
15:24:03.0703 1416 [ 13E67B55B3ABD7BF3FE7AAE5A0F9A9DE ] Netman C:\WINDOWS\System32\netman.dll
15:24:03.0703 1416 Netman - ok
15:24:03.0750 1416 [ D34612C5D02D026535B3095D620626AE ] NetTcpPortSharing c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
15:24:03.0750 1416 NetTcpPortSharing - ok
15:24:03.0765 1416 [ 943337D786A56729263071623BBB9DE5 ] Nla C:\WINDOWS\System32\mswsock.dll
15:24:03.0765 1416 Nla - ok
15:24:03.0781 1416 [ 3182D64AE053D6FB034F44B6DEF8034A ] Npfs C:\WINDOWS\system32\drivers\Npfs.sys
15:24:03.0781 1416 Npfs - ok
15:24:03.0796 1416 [ 78A08DD6A8D65E697C18E1DB01C5CDCA ] Ntfs C:\WINDOWS\system32\drivers\Ntfs.sys
15:24:03.0812 1416 Ntfs - ok
15:24:03.0812 1416 [ BF2466B3E18E970D8A976FB95FC1CA85 ] NtLmSsp C:\WINDOWS\system32\lsass.exe
15:24:03.0812 1416 NtLmSsp - ok
15:24:03.0859 1416 [ 156F64A3345BD23C600655FB4D10BC08 ] NtmsSvc C:\WINDOWS\system32\ntmssvc.dll
15:24:03.0859 1416 NtmsSvc - ok
15:24:03.0890 1416 [ 73C1E1F395918BC2C6DD67AF7591A3AD ] Null C:\WINDOWS\system32\drivers\Null.sys
15:24:03.0890 1416 Null - ok
15:24:03.0906 1416 [ B305F3FAD35083837EF46A0BBCE2FC57 ] NwlnkFlt C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
15:24:03.0906 1416 NwlnkFlt - ok
15:24:03.0921 1416 [ C99B3415198D1AAB7227F2C88FD664B9 ] NwlnkFwd C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
15:24:03.0921 1416 NwlnkFwd - ok
15:24:03.0921 1416 [ 5575FAF8F97CE5E713D108C2A58D7C7C ] Parport C:\WINDOWS\system32\drivers\Parport.sys
15:24:03.0921 1416 Parport - ok
15:24:03.0937 1416 [ BEB3BA25197665D82EC7065B724171C6 ] PartMgr C:\WINDOWS\system32\drivers\PartMgr.sys
15:24:03.0937 1416 PartMgr - ok
15:24:03.0953 1416 [ 70E98B3FD8E963A6A46A2E6247E0BEA1 ] ParVdm C:\WINDOWS\system32\drivers\ParVdm.sys
15:24:03.0953 1416 ParVdm - ok
15:24:03.0953 1416 [ A219903CCF74233761D92BEF471A07B1 ] PCI C:\WINDOWS\system32\DRIVERS\pci.sys
15:24:03.0968 1416 PCI - ok
15:24:03.0968 1416 PCIDump - ok
15:24:04.0000 1416 [ CCF5F451BB1A5A2A522A76E670000FF0 ] PCIIde C:\WINDOWS\system32\DRIVERS\pciide.sys
15:24:04.0000 1416 PCIIde - ok
15:24:04.0015 1416 [ 9E89EF60E9EE05E3F2EEF2DA7397F1C1 ] Pcmcia C:\WINDOWS\system32\drivers\Pcmcia.sys
15:24:04.0015 1416 Pcmcia - ok
15:24:04.0015 1416 PDCOMP - ok
15:24:04.0015 1416 PDFRAME - ok
15:24:04.0031 1416 PDRELI - ok
15:24:04.0031 1416 PDRFRAME - ok
15:24:04.0031 1416 perc2 - ok
15:24:04.0031 1416 perc2hib - ok
15:24:04.0062 1416 [ 65DF52F5B8B6E9BBD183505225C37315 ] PlugPlay C:\WINDOWS\system32\services.exe
15:24:04.0062 1416 PlugPlay - ok
15:24:04.0109 1416 [ 9D84376931440F3679BEEF2A414FA493 ] Pml Driver HPZ12 C:\WINDOWS\system32\HPZipm12.exe
15:24:04.0109 1416 Pml Driver HPZ12 - ok
15:24:04.0109 1416 [ BF2466B3E18E970D8A976FB95FC1CA85 ] PolicyAgent C:\WINDOWS\system32\lsass.exe
15:24:04.0109 1416 PolicyAgent - ok
15:24:04.0109 1416 [ EFEEC01B1D3CF84F16DDD24D9D9D8F99 ] PptpMiniport C:\WINDOWS\system32\DRIVERS\raspptp.sys
15:24:04.0109 1416 PptpMiniport - ok
15:24:04.0125 1416 [ BF2466B3E18E970D8A976FB95FC1CA85 ] ProtectedStorage C:\WINDOWS\system32\lsass.exe
15:24:04.0125 1416 ProtectedStorage - ok
15:24:04.0125 1416 [ 09298EC810B07E5D582CB3A3F9255424 ] PSched C:\WINDOWS\system32\DRIVERS\psched.sys
15:24:04.0125 1416 PSched - ok
15:24:04.0140 1416 [ 80D317BD1C3DBC5D4FE7B1678C60CADD ] Ptilink C:\WINDOWS\system32\DRIVERS\ptilink.sys
15:24:04.0140 1416 Ptilink - ok
15:24:04.0187 1416 [ E6BE48AFDCF7BE96F69455581F15221C ] QBCFMonitorService C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
15:24:04.0187 1416 QBCFMonitorService - ok
15:24:04.0234 1416 [ 2241EAF40E472C471CB80CF6B97CCA11 ] QBFCService C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
15:24:04.0234 1416 QBFCService - ok
15:24:04.0234 1416 ql1080 - ok
15:24:04.0234 1416 Ql10wnt - ok
15:24:04.0234 1416 ql12160 - ok
15:24:04.0250 1416 ql1240 - ok
15:24:04.0250 1416 ql1280 - ok
15:24:04.0250 1416 [ FE0D99D6F31E4FAD8159F690D68DED9C ] RasAcd C:\WINDOWS\system32\DRIVERS\rasacd.sys
15:24:04.0250 1416 RasAcd - ok
15:24:04.0296 1416 [ AD188BE7BDF94E8DF4CA0A55C00A5073 ] RasAuto C:\WINDOWS\System32\rasauto.dll
15:24:04.0296 1416 RasAuto - ok
15:24:04.0296 1416 [ 11B4A627BC9614B885C4969BFA5FF8A6 ] Rasl2tp C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
15:24:04.0296 1416 Rasl2tp - ok
15:24:04.0328 1416 [ 76A9A3CBEADD68CC57CDA5E1D7448235 ] RasMan C:\WINDOWS\System32\rasmans.dll
15:24:04.0328 1416 RasMan - ok
15:24:04.0343 1416 [ 5BC962F2654137C9909C3D4603587DEE ] RasPppoe C:\WINDOWS\system32\DRIVERS\raspppoe.sys
15:24:04.0343 1416 RasPppoe - ok
15:24:04.0343 1416 [ FDBB1D60066FCFBB7452FD8F9829B242 ] Raspti C:\WINDOWS\system32\DRIVERS\raspti.sys
15:24:04.0343 1416 Raspti - ok
15:24:04.0343 1416 [ 7AD224AD1A1437FE28D89CF22B17780A ] Rdbss C:\WINDOWS\system32\DRIVERS\rdbss.sys
15:24:04.0343 1416 Rdbss - ok
15:24:04.0359 1416 [ 4912D5B403614CE99C28420F75353332 ] RDPCDD C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
15:24:04.0359 1416 RDPCDD - ok
15:24:04.0406 1416 [ 6589DB6E5969F8EEE594CF71171C5028 ] RDPWD C:\WINDOWS\system32\drivers\RDPWD.sys
15:24:04.0406 1416 RDPWD - ok
15:24:04.0437 1416 [ 3C37BF86641BDA977C3BF8A840F3B7FA ] RDSessMgr C:\WINDOWS\system32\sessmgr.exe
15:24:04.0437 1416 RDSessMgr - ok
15:24:04.0468 1416 [ F828DD7E1419B6653894A8F97A0094C5 ] redbook C:\WINDOWS\system32\DRIVERS\redbook.sys
15:24:04.0468 1416 redbook - ok
15:24:04.0500 1416 [ 7E699FF5F59B5D9DE5390E3C34C67CF5 ] RemoteAccess C:\WINDOWS\System32\mprdim.dll
15:24:04.0500 1416 RemoteAccess - ok
15:24:04.0500 1416 [ AAED593F84AFA419BBAE8572AF87CF6A ] RpcLocator C:\WINDOWS\system32\locator.exe
15:24:04.0500 1416 RpcLocator - ok
15:24:04.0531 1416 [ 6B27A5C03DFB94B4245739065431322C ] RpcSs C:\WINDOWS\System32\rpcss.dll
15:24:04.0531 1416 RpcSs - ok
15:24:04.0546 1416 [ 471B3F9741D762ABE75E9DEEA4787E47 ] RSVP C:\WINDOWS\system32\rsvp.exe
15:24:04.0546 1416 RSVP - ok
15:24:04.0546 1416 [ BF2466B3E18E970D8A976FB95FC1CA85 ] SamSs C:\WINDOWS\system32\lsass.exe
15:24:04.0546 1416 SamSs - ok
15:24:04.0562 1416 [ 86D007E7A654B9A71D1D7D856B104353 ] SCardSvr C:\WINDOWS\System32\SCardSvr.exe
15:24:04.0562 1416 SCardSvr - ok
15:24:04.0609 1416 [ 0A9A7365A1CA4319AA7C1D6CD8E4EAFA ] Schedule C:\WINDOWS\system32\schedsvc.dll
15:24:04.0609 1416 Schedule - ok
15:24:04.0625 1416 [ 90A3935D05B494A5A39D37E71F09A677 ] Secdrv C:\WINDOWS\system32\DRIVERS\secdrv.sys
15:24:04.0625 1416 Secdrv - ok
15:24:04.0656 1416 [ CBE612E2BB6A10E3563336191EDA1250 ] seclogon C:\WINDOWS\System32\seclogon.dll
15:24:04.0656 1416 seclogon - ok
15:24:04.0656 1416 [ 7FDD5D0684ECA8C1F68B4D99D124DCD0 ] SENS C:\WINDOWS\system32\sens.dll
15:24:04.0656 1416 SENS - ok
15:24:04.0687 1416 [ CCA207A8896D4C6A0C9CE29A4AE411A7 ] Serial C:\WINDOWS\system32\drivers\Serial.sys
15:24:04.0687 1416 Serial - ok
15:24:04.0718 1416 [ 8E6B8C671615D126FDC553D1E2DE5562 ] Sfloppy C:\WINDOWS\system32\drivers\Sfloppy.sys
15:24:04.0718 1416 Sfloppy - ok
15:24:04.0765 1416 [ 83F41D0D89645D7235C051AB1D9523AC ] SharedAccess C:\WINDOWS\System32\ipnathlp.dll
15:24:04.0765 1416 SharedAccess - ok
15:24:04.0781 1416 [ 99BC0B50F511924348BE19C7C7313BBF ] ShellHWDetection C:\WINDOWS\System32\shsvcs.dll
15:24:04.0781 1416 ShellHWDetection - ok
15:24:04.0781 1416 Simbad - ok
15:24:04.0796 1416 Sparrow - ok
15:24:04.0828 1416 [ AB8B92451ECB048A4D1DE7C3FFCB4A9F ] splitter C:\WINDOWS\system32\drivers\splitter.sys
15:24:04.0828 1416 splitter - ok
15:24:04.0843 1416 [ 60784F891563FB1B767F70117FC2428F ] Spooler C:\WINDOWS\system32\spoolsv.exe
15:24:04.0843 1416 Spooler - ok
15:24:04.0875 1416 [ 76BB022C2FB6902FD5BDD4F78FC13A5D ] sr C:\WINDOWS\system32\DRIVERS\sr.sys
15:24:04.0875 1416 sr - ok
15:24:04.0875 1416 [ 3805DF0AC4296A34BA4BF93B346CC378 ] srservice C:\WINDOWS\system32\srsvc.dll
15:24:04.0875 1416 srservice - ok
15:24:04.0906 1416 [ 47DDFC2F003F7F9F0592C6874962A2E7 ] Srv C:\WINDOWS\system32\DRIVERS\srv.sys
15:24:04.0906 1416 Srv - ok
15:24:04.0921 1416 [ 0A5679B3714EDAB99E357057EE88FCA6 ] SSDPSRV C:\WINDOWS\System32\ssdpsrv.dll
15:24:04.0921 1416 SSDPSRV - ok
15:24:04.0968 1416 [ 8BAD69CBAC032D4BBACFCE0306174C30 ] stisvc C:\WINDOWS\system32\wiaservc.dll
15:24:04.0968 1416 stisvc - ok
15:24:04.0984 1416 [ 3941D127AEF12E93ADDF6FE6EE027E0F ] swenum C:\WINDOWS\system32\DRIVERS\swenum.sys
15:24:04.0984 1416 swenum - ok
15:24:04.0984 1416 [ 8CE882BCC6CF8A62F2B2323D95CB3D01 ] swmidi C:\WINDOWS\system32\drivers\swmidi.sys
15:24:04.0984 1416 swmidi - ok
15:24:04.0984 1416 SwPrv - ok
15:24:05.0000 1416 symc810 - ok
15:24:05.0000 1416 symc8xx - ok
15:24:05.0000 1416 sym_hi - ok
15:24:05.0000 1416 sym_u3 - ok
15:24:05.0015 1416 [ 8B83F3ED0F1688B4958F77CD6D2BF290 ] sysaudio C:\WINDOWS\system32\drivers\sysaudio.sys
15:24:05.0015 1416 sysaudio - ok
15:24:05.0031 1416 [ C7ABBC59B43274B1109DF6B24D617051 ] SysmonLog C:\WINDOWS\system32\smlogsvc.exe
15:24:05.0031 1416 SysmonLog - ok
15:24:05.0062 1416 [ 3CB78C17BB664637787C9A1C98F79C38 ] TapiSrv C:\WINDOWS\System32\tapisrv.dll
15:24:05.0062 1416 TapiSrv - ok
15:24:05.0109 1416 [ 9AEFA14BD6B182D61E3119FA5F436D3D ] Tcpip C:\WINDOWS\system32\DRIVERS\tcpip.sys
15:24:05.0109 1416 Tcpip - ok
15:24:05.0140 1416 [ 6471A66807F5E104E4885F5B67349397 ] TDPIPE C:\WINDOWS\system32\drivers\TDPIPE.sys
15:24:05.0140 1416 TDPIPE - ok
15:24:05.0187 1416 [ C56B6D0402371CF3700EB322EF3AAF61 ] TDTCP C:\WINDOWS\system32\drivers\TDTCP.sys
15:24:05.0187 1416 TDTCP - ok
15:24:05.0187 1416 [ 88155247177638048422893737429D9E ] TermDD C:\WINDOWS\system32\DRIVERS\termdd.sys
15:24:05.0187 1416 TermDD - ok
15:24:05.0218 1416 [ FF3477C03BE7201C294C35F684B3479F ] TermService C:\WINDOWS\System32\termsrv.dll
15:24:05.0218 1416 TermService - ok
15:24:05.0234 1416 [ 99BC0B50F511924348BE19C7C7313BBF ] Themes C:\WINDOWS\System32\shsvcs.dll
15:24:05.0234 1416 Themes - ok
15:24:05.0234 1416 TosIde - ok
15:24:05.0250 1416 [ 55BCA12F7F523D35CA3CB833C725F54E ] TrkWks C:\WINDOWS\system32\trkwks.dll
15:24:05.0250 1416 TrkWks - ok
15:24:05.0281 1416 [ 5787B80C2E3C5E2F56C2A233D91FA2C9 ] Udfs C:\WINDOWS\system32\drivers\Udfs.sys
15:24:05.0281 1416 Udfs - ok
15:24:05.0281 1416 ultra - ok
15:24:05.0296 1416 [ 402DDC88356B1BAC0EE3DD1580C76A31 ] Update C:\WINDOWS\system32\DRIVERS\update.sys
15:24:05.0296 1416 Update - ok
15:24:05.0343 1416 [ 1EBAFEB9A3FBDC41B8D9C7F0F687AD91 ] upnphost C:\WINDOWS\System32\upnphost.dll
15:24:05.0343 1416 upnphost - ok
15:24:05.0343 1416 [ 05365FB38FCA1E98F7A566AAAF5D1815 ] UPS C:\WINDOWS\System32\ups.exe
15:24:05.0343 1416 UPS - ok
15:24:05.0359 1416 [ 173F317CE0DB8E21322E71B7E60A27E8 ] usbccgp C:\WINDOWS\system32\DRIVERS\usbccgp.sys
15:24:05.0359 1416 usbccgp - ok
15:24:05.0390 1416 [ 65DCF09D0E37D4C6B11B5B0B76D470A7 ] usbehci C:\WINDOWS\system32\DRIVERS\usbehci.sys
15:24:05.0390 1416 usbehci - ok
15:24:05.0421 1416 [ 1AB3CDDE553B6E064D2E754EFE20285C ] usbhub C:\WINDOWS\system32\DRIVERS\usbhub.sys
15:24:05.0421 1416 usbhub - ok
15:24:05.0437 1416 [ A717C8721046828520C9EDF31288FC00 ] usbprint C:\WINDOWS\system32\DRIVERS\usbprint.sys
15:24:05.0437 1416 usbprint - ok
15:24:05.0468 1416 [ A0B8CF9DEB1184FBDD20784A58FA75D4 ] usbscan C:\WINDOWS\system32\DRIVERS\usbscan.sys
15:24:05.0468 1416 usbscan - ok
15:24:05.0484 1416 [ A32426D9B14A089EAA1D922E0C5801A9 ] USBSTOR C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
15:24:05.0484 1416 USBSTOR - ok
15:24:05.0500 1416 [ 26496F9DEE2D787FC3E61AD54821FFE6 ] usbuhci C:\WINDOWS\system32\DRIVERS\usbuhci.sys
15:24:05.0500 1416 usbuhci - ok
15:24:05.0515 1416 [ 0D3A8FAFCEACD8B7625CD549757A7DF1 ] VgaSave C:\WINDOWS\System32\drivers\vga.sys
15:24:05.0515 1416 VgaSave - ok
15:24:05.0515 1416 ViaIde - ok
15:24:05.0515 1416 [ 4C8FCB5CC53AAB716D810740FE59D025 ] VolSnap C:\WINDOWS\system32\drivers\VolSnap.sys
15:24:05.0515 1416 VolSnap - ok
15:24:05.0562 1416 [ 7A9DB3A67C333BF0BD42E42B8596854B ] VSS C:\WINDOWS\System32\vssvc.exe
15:24:05.0562 1416 VSS - ok
15:24:05.0593 1416 [ 54AF4B1D5459500EF0937F6D33B1914F ] W32Time C:\WINDOWS\system32\w32time.dll
15:24:05.0593 1416 W32Time - ok
15:24:05.0609 1416 [ E20B95BAEDB550F32DD489265C1DA1F6 ] Wanarp C:\WINDOWS\system32\DRIVERS\wanarp.sys
15:24:05.0625 1416 Wanarp - ok
15:24:05.0656 1416 [ D918617B46457B9AC28027722E30F647 ] Wdf01000 C:\WINDOWS\system32\DRIVERS\Wdf01000.sys
15:24:05.0656 1416 Wdf01000 - ok
15:24:05.0656 1416 WDICA - ok
15:24:05.0687 1416 [ 6768ACF64B18196494413695F0C3A00F ] wdmaud C:\WINDOWS\system32\drivers\wdmaud.sys
15:24:05.0687 1416 wdmaud - ok
15:24:05.0703 1416 [ 77A354E28153AD2D5E120A5A8687BC06 ] WebClient C:\WINDOWS\System32\webclnt.dll
15:24:05.0703 1416 WebClient - ok
15:24:05.0734 1416 [ 2D0E4ED081963804CCC196A0929275B5 ] winmgmt C:\WINDOWS\system32\wbem\WMIsvc.dll
15:24:05.0750 1416 winmgmt - ok
15:24:05.0781 1416 [ 30FC6E5448D0CBAAA95280EEEF7FEDAE ] WinUSB C:\WINDOWS\system32\DRIVERS\WinUSB.sys
15:24:05.0781 1416 WinUSB - ok
15:24:05.0828 1416 [ 051B1BDECD6DEE18C771B5D5EC7F044D ] WmdmPmSN C:\WINDOWS\system32\MsPMSNSv.dll
15:24:05.0828 1416 WmdmPmSN - ok
15:24:05.0828 1416 [ E0673F1106E62A68D2257E376079F821 ] WmiApSrv C:\WINDOWS\system32\wbem\wmiapsrv.exe
15:24:05.0828 1416 WmiApSrv - ok
15:24:05.0890 1416 [ 6BAB4DC65515A098505F8B3D01FB6FE5 ] WMPNetworkSvc C:\Program Files\Windows Media Player\WMPNetwk.exe
15:24:05.0906 1416 WMPNetworkSvc - ok
15:24:05.0937 1416 [ C60DC16D4E406810FAD54B98DC92D5EC ] WpdUsb C:\WINDOWS\system32\DRIVERS\wpdusb.sys
15:24:05.0937 1416 WpdUsb - ok
15:24:06.0093 1416 [ DCF3E3EDF5109EE8BC02FE6E1F045795 ] WPFFontCache_v0400 C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe
15:24:06.0093 1416 WPFFontCache_v0400 - ok
15:24:06.0125 1416 [ 6ABE6E225ADB5A751622A9CC3BC19CE8 ] WS2IFSL C:\WINDOWS\System32\drivers\ws2ifsl.sys
15:24:06.0125 1416 WS2IFSL - ok
15:24:06.0156 1416 [ 7C278E6408D1DCE642230C0585A854D5 ] wscsvc C:\WINDOWS\system32\wscsvc.dll
15:24:06.0156 1416 wscsvc - ok
15:24:06.0187 1416 [ 35321FB577CDC98CE3EB3A3EB9E4610A ] wuauserv C:\WINDOWS\system32\wuauserv.dll
15:24:06.0203 1416 wuauserv - ok
15:24:06.0234 1416 [ 6FF66513D372D479EF1810223C8D20CE ] WudfPf C:\WINDOWS\system32\DRIVERS\WudfPf.sys
15:24:06.0234 1416 WudfPf - ok
15:24:06.0250 1416 [ AC13CB789D93412106B0FB6C7EB2BCB6 ] WudfRd C:\WINDOWS\system32\DRIVERS\wudfrd.sys
15:24:06.0250 1416 WudfRd - ok
15:24:06.0296 1416 [ 575A4190D989F64732119E4114045A4F ] WudfSvc C:\WINDOWS\System32\WUDFSvc.dll
15:24:06.0296 1416 WudfSvc - ok
15:24:06.0343 1416 [ 81DC3F549F44B1C1FFF022DEC9ECF30B ] WZCSVC C:\WINDOWS\System32\wzcsvc.dll
15:24:06.0343 1416 WZCSVC - ok
15:24:06.0375 1416 [ 295D21F14C335B53CB8154E5B1F892B9 ] xmlprov C:\WINDOWS\System32\xmlprov.dll
15:24:06.0375 1416 xmlprov - ok
15:24:06.0390 1416 ================ Scan global ===============================
15:24:06.0406 1416 [ 42F1F4C0AFB08410E5F02D4B13EBB623 ] C:\WINDOWS\system32\basesrv.dll
15:24:06.0453 1416 [ 8C7DCA4B158BF16894120786A7A5F366 ] C:\WINDOWS\system32\winsrv.dll
15:24:06.0453 1416 [ 8C7DCA4B158BF16894120786A7A5F366 ] C:\WINDOWS\system32\winsrv.dll
15:24:06.0484 1416 [ 65DF52F5B8B6E9BBD183505225C37315 ] C:\WINDOWS\system32\services.exe
15:24:06.0484 1416 [Global] - ok
15:24:06.0484 1416 ================ Scan MBR ==================================
15:24:06.0500 1416 [ 8F558EB6672622401DA993E1E865C861 ] \Device\Harddisk0\DR0
15:24:06.0656 1416 \Device\Harddisk0\DR0 - ok
15:24:06.0656 1416 ================ Scan VBR ==================================
15:24:06.0671 1416 [ D2B6AB2A8D875CC05D8B2FBF10517E2C ] \Device\Harddisk0\DR0\Partition1
15:24:06.0671 1416 \Device\Harddisk0\DR0\Partition1 - ok
15:24:06.0671 1416 [ 1B71DE0A2A7D867862175129AB969063 ] \Device\Harddisk0\DR0\Partition2
15:24:06.0671 1416 \Device\Harddisk0\DR0\Partition2 - ok
15:24:06.0671 1416 ============================================================
15:24:06.0671 1416 Scan finished
15:24:06.0671 1416 ============================================================
15:24:06.0687 2952 Detected object count: 0
15:24:06.0687 2952 Actual detected object count: 0
15:24:10.0234 3072 Deinitialize success

Blade81 · Sep 6, 2012

Hi again,

Disable Spybot's TeaTimer to make sure it won't interfere with fixes. You can re-enable it when you're clean again:

Run Spybot-S&D in Advanced Mode
If it is not already set to do this, go to the Mode menu
select
Advanced Mode
On the left hand side, click on Tools
Then click on the Resident icon in the list
Uncheck
Resident TeaTimer
and OK any prompts.
Restart your computer

Open notepad and copy/paste the text in the quotebox below into it:

Code:

DDS::
mStart Page = hxxp://start.funmoods.com/?f=1&a=test312&chnl=test312&cd=2XzuyEtN2Y1L1QzutDtDtBtCzy0BtD0CyDyE0B0DyC0B0A0BtN0D0Tzu0CtByEzztN1L2XzutBtFtCtFtCtFtAtCtB&cr=351168579

Save this as
CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

Close all browser windows and refering to the picture above, drag CFScript into ComboFix.exe (let the tool to update itself if prompted).
Then post the resultant log.

If you don't need Java it's recommended to uninstall it. Let me know if that's not an option for you.

* Go here to run an online scanner from ESET.

Note: You will need to use Internet explorer for this scan
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the activex control to install
Click Start
Make sure that the option Remove found threats is UNchecked and the option Scan unwanted applications is checkmarked.
Click Scan
Wait for the scan to finish.

Post back its report, a fresh dds.txt log and above mentioned ComboFix resultant log.

kidkrops · Sep 6, 2012

Sorry, i couldnt uninstall JAVa, thats not really an option...Also everytime i run cobofix it says that i have somethign AVG update running but i dont even have AVG software installed on my computer..

Here is latest
COMBO FIX LOG::

ComboFix 12-09-06.02 - Joe 09/06/2012 12:59:19.5.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3070.2403 [GMT -4:00]
Running from: c:\documents and settings\Joe\Desktop\help\ComboFix.exe
Command switches used :: c:\documents and settings\Joe\Desktop\CFScript.txt
AV: AVG Anti-Virus 2012 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
.
((((((((((((((((((((((((( Files Created from 2012-08-06 to 2012-09-06 )))))))))))))))))))))))))))))))
.
.
2012-09-06 16:27 . 2012-09-06 16:27 -------- d-----w- c:\program files\ESET
2012-09-05 18:22 . 2012-09-05 18:22 -------- d-----w- C:\TDSSKiller_Quarantine
2012-09-05 18:21 . 2012-09-05 18:21 -------- d-----w- C:\tdsskiller
2012-09-05 18:20 . 2012-08-24 13:28 2211928 ----a-w- C:\TDSSKiller.exe
2012-09-03 17:35 . 2012-09-03 17:37 -------- d-----w- c:\windows\SxsCaPendDel
2012-08-25 19:56 . 2012-09-03 17:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2012-08-17 21:24 . 2012-09-05 19:48 -------- d-----w- c:\documents and settings\Joe\Local Settings\Application Data\Deployment
2012-08-08 00:21 . 2012-08-08 00:21 -------- d-----w- c:\program files\Common Files\Java
2012-08-08 00:21 . 2012-08-08 00:21 -------- d-----w- c:\documents and settings\Joe\Local Settings\Application Data\Sun
2012-08-08 00:20 . 2012-08-08 00:20 -------- d-----w- c:\program files\Oracle
2012-08-08 00:20 . 2012-08-08 00:20 -------- d-----w- c:\documents and settings\Joe\Application Data\Oracle
2012-08-08 00:20 . 2012-07-06 02:06 772544 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-08-08 00:18 . 2012-08-08 00:18 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2012-08-08 00:12 . 2012-08-08 00:12 -------- d-----w- c:\program files\Citrix
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-06 13:58 . 2004-08-04 12:00 78336 ----a-w- c:\windows\system32\browser.dll
2012-07-06 02:07 . 2012-03-16 04:23 143872 ----a-w- c:\windows\system32\javacpl.cpl
2012-07-04 14:05 . 2011-11-01 20:25 139784 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-07-03 13:40 . 2004-08-04 12:00 1866112 ----a-w- c:\windows\system32\win32k.sys
2012-07-02 17:49 . 2004-08-04 12:00 916992 ----a-w- c:\windows\system32\wininet.dll
2012-07-02 17:49 . 2004-08-04 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-07-02 17:49 . 2004-08-04 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-07-02 12:05 . 2004-08-04 12:00 385024 ----a-w- c:\windows\system32\html.iec
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-11-02 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"RTHDCPL"="RTHDCPL.EXE" [2007-04-26 16132608]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2011-09-08 98304]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-12 49152]
"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2011-06-15 1532760]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-11 20992]
"TkBellExe"="c:\program files\Real\RealPlayer\update\realsched.exe" [2011-12-23 296056]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-11 282624]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2011-6-22 984936]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2009\\QBDBMgrN.exe"=
"c:\\Program Files\\Java\\jre7\\bin\\javaw.exe"=
.
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [11/2/2011 1:19 AM 136176]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [11/2/2011 1:19 AM 136176]
.
Contents of the 'Scheduled Tasks' folder
.
2012-09-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-11-02 05:19]
.
2012-09-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-11-02 05:19]
.
2012-09-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-823518204-789336058-725345543-1004Core.job
- c:\documents and settings\Joe\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-11-02 05:24]
.
2012-09-06 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-823518204-789336058-725345543-1004UA.job
- c:\documents and settings\Joe\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-11-02 05:24]
.
2012-09-06 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-823518204-789336058-725345543-1004.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-11-29 21:02]
.
2012-09-05 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-823518204-789336058-725345543-1004.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-11-29 21:02]
.
2012-09-06 c:\windows\Tasks\User_Feed_Synchronization-{D288B110-DBAE-473C-9AF0-7ACA0638B08D}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://start.funmoods.com/?f=1&a=test312&chnl=test312&cd=2XzuyEtN2Y1L1QzutDtDtBtCzy0BtD0CyDyE0B0DyC0B0A0BtN0D0Tzu0CtByEzztN1L2XzutBtFtCtFtCtFtAtCtB&cr=351168579
TCP: DhcpNameServer = 167.206.251.129 167.206.251.130
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-PDF Reader - c:\program files\PDFReader\Uninstall\Uninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-09-06 13:01
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(720)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\atiadlxx.dll
.
- - - - - - - > 'explorer.exe'(3572)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2012-09-06 13:02:29
ComboFix-quarantined-files.txt 2012-09-06 17:02
ComboFix2.txt 2012-09-06 16:19
ComboFix3.txt 2012-09-05 19:19
ComboFix4.txt 2012-09-05 17:17
ComboFix5.txt 2012-09-06 16:58
.
Pre-Run: 292,170,928,128 bytes free
Post-Run: 292,181,770,240 bytes free
.
- - End Of File - - E4D5CE797A59B9DB63A27661BB736A34

DDS LOG:::

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 10.5.1
Run by Joe at 12:53:18 on 2012-09-06
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.3070.1843 [GMT -4:00]
.
AV: AVG Anti-Virus 2012 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\Logi_MwX.Exe
C:\Program Files\Real\RealPlayer\update\realsched.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\ESET\ESET Online Scanner\OnlineCmdLineScanner.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://start.funmoods.com/?f=1&a=test312&chnl=test312&cd=2XzuyEtN2Y1L1QzutDtDtBtCzy0BtD0CyDyE0B0DyC0B0A0BtN0D0Tzu0CtByEzztN1L2XzutBtFtCtFtCtFtAtCtB&cr=351168579
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\docume~1\joe\desktop\help\spybot~1\SDHelper.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\oracle\javafx 2.1 runtime\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.7529.1424\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\oracle\javafx 2.1 runtime\bin\jp2ssv.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [Intuit SyncManager] c:\program files\common files\intuit\sync\IntuitSyncManager.exe startup
mRun: [Logitech Utility] Logi_MwX.Exe
mRun: [TkBellExe] "c:\program files\real\realplayer\update\realsched.exe" -osboot
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\docume~1\joe\desktop\help\spybot~1\SDHelper.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://windowsupdate.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1320210431218
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1320215336734
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
TCP: DhcpNameServer = 167.206.251.129 167.206.251.130
TCP: Interfaces\{13DC235B-8EBF-4AFA-B4FD-6A3FF757B880} : DhcpNameServer = 167.206.251.129 167.206.251.130
Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\intuit\quickbooks 2009\HelpAsyncPluggableProtocol.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
============= SERVICES / DRIVERS ===============
.
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-11-2 136176]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-11-2 136176]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2012-09-06 16:27:47 -------- d-----w- c:\program files\ESET
2012-09-05 18:22:07 -------- d-----w- C:\TDSSKiller_Quarantine
2012-09-05 18:21:18 -------- d-----w- C:\tdsskiller
2012-09-05 18:20:56 2211928 ----a-w- C:\TDSSKiller.exe
2012-09-04 22:48:10 -------- d-sha-r- C:\cmdcons
2012-09-04 22:34:36 98816 ----a-w- c:\windows\sed.exe
2012-09-04 22:34:36 518144 ----a-w- c:\windows\SWREG.exe
2012-09-04 22:34:36 256000 ----a-w- c:\windows\PEV.exe
2012-09-04 22:34:36 208896 ----a-w- c:\windows\MBR.exe
2012-09-03 17:35:11 -------- d-----w- c:\windows\SxsCaPendDel
2012-08-25 19:56:27 -------- d-----w- c:\documents and settings\all users\application data\Spybot - Search & Destroy
2012-08-17 21:24:19 -------- d-----w- c:\documents and settings\joe\local settings\application data\Deployment
2012-08-08 00:21:54 -------- d-----w- c:\documents and settings\joe\local settings\application data\Sun
2012-08-08 00:20:45 -------- d-----w- c:\program files\Oracle
2012-08-08 00:20:28 772544 ----a-w- c:\windows\system32\npDeployJava1.dll
2012-08-08 00:12:01 -------- d-----w- c:\program files\Citrix
.
==================== Find3M ====================
.
2012-07-06 13:58:51 78336 ----a-w- c:\windows\system32\browser.dll
2012-07-06 02:07:08 143872 ----a-w- c:\windows\system32\javacpl.cpl
2012-07-04 14:05:18 139784 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-07-03 13:40:15 1866112 ----a-w- c:\windows\system32\win32k.sys
2012-07-02 17:49:33 916992 ----a-w- c:\windows\system32\wininet.dll
2012-07-02 17:49:32 43520 ----a-w- c:\windows\system32\licmgr10.dll
2012-07-02 17:49:32 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-07-02 12:05:43 385024 ----a-w- c:\windows\system32\html.iec
.
============= FINISH: 12:53:33.10 ===============

Results of Online SCAN:

C:\Program Files\PDFReader\Uninstall\Uninstall.exe a variant of Win32/InstallCore.K application cleaned by deleting - quarantined
C:\System Volume Information\_restore{FA6B17F2-B82A-4382-B17C-C53A923D7A54}\RP193\A0045786.exe Win32/Toolbar.Zugo application cleaned by deleting - quarantined
C:\System Volume Information\_restore{FA6B17F2-B82A-4382-B17C-C53A923D7A54}\RP193\A0045787.dll a variant of Win32/Toolbar.Zugo application cleaned by deleting - quarantined
C:\System Volume Information\_restore{FA6B17F2-B82A-4382-B17C-C53A923D7A54}\RP193\A0045788.exe a variant of Win32/Toolbar.Zugo application cleaned by deleting - quarantined
C:\System Volume Information\_restore{FA6B17F2-B82A-4382-B17C-C53A923D7A54}\RP193\A0045791.dll a variant of Win32/Adware.Yontoo.B application cleaned by deleting - quarantined
C:\System Volume Information\_restore{FA6B17F2-B82A-4382-B17C-C53A923D7A54}\RP199\A0050041.exe a variant of Win32/InstallCore.AG application cleaned by deleting - quarantined
C:\System Volume Information\_restore{FA6B17F2-B82A-4382-B17C-C53A923D7A54}\RP200\A0054761.exe a variant of Win32/InstallCore.K application cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\05.09.2012_14.21.44\mbr0000\tdlfs0000\tsk0001.dta a variant of Win32/Olmarik.AYI trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\05.09.2012_14.21.44\mbr0000\tdlfs0000\tsk0002.dta Win64/Olmarik.AK trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\05.09.2012_14.21.44\mbr0000\tdlfs0000\tsk0003.dta Win32/Olmarik.AYH trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\05.09.2012_14.21.44\mbr0000\tdlfs0000\tsk0004.dta Win64/Olmarik.AL trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\05.09.2012_14.21.44\mbr0000\tdlfs0000\tsk0005.dta a variant of Win32/Rootkit.Kryptik.NH trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\05.09.2012_14.21.44\mbr0000\tdlfs0000\tsk0006.dta Win64/Olmarik.AK trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\05.09.2012_14.21.44\mbr0000\tdlfs0000\tsk0010.dta Win32/Olmarik.AFK trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\05.09.2012_14.21.44\mbr0000\tdlfs0000\tsk0011.dta Win64/Olmarik.AK trojan cleaned by deleting - quarantined
C:\TDSSKiller_Quarantine\05.09.2012_14.21.44\mbr0000\tdlfs0000\tsk0014.dta a variant of Win32/Olmarik.AYI trojan cleaned by deleting - quarantined

Blade81 · Sep 7, 2012

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update to the latest version...

Updating Java:

Download the latest version of Java Runtime Environment (JRE) 7 Update 7.
Click the
Download
button to the right.
Select Windows on platform combobox and check the box that says:
Accept License Agreement. Click continue.
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java versions.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-7u7-windows-i586.exe to install the newest version.

Please download the Registry Search tool by clicking on the
hard drive icon halfway down this page:
http://www.billsway.com/vbspage/
Save it to the desktop and run it. If you get an alert from your antivirus about scripting, choose to allow the script to run. Search for start.funmoods.com and click OK. Post the logfile from the tool here for me.

tashi · Sep 10, 2012

New topic closed: http://forums.spybot.info/showthread.php?p=430800#post430800

kidkrops · Sep 10, 2012

Hey, i just ran what you said and the registry log and it says that nothing was found,

kidkrops · Sep 10, 2012

kidkrops said:
Hey, i just ran what you said and the registry log and it says that nothing was found,

Opps, i lied..

here is the LOG you asked for:

REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "start.funmoods.com" 9/10/2012 1:05:07 PM

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
"Start Page"="http://start.funmoods.com/?f=1&a=test312&chnl=test312&cd=2XzuyEtN2Y1L1QzutDtDtBtCzy0BtD0CyDyE0B0DyC0B0A0BtN0D0Tzu0CtByEzztN1L2XzutBtFtCtFtCtFtAtCtB&cr=351168579"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{BDABC278-C6D0-4DA1-8A6E-C98DA4593281}]
"FaviconURL"="http://start.funmoods.com/favicon.ico"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{BDABC278-C6D0-4DA1-8A6E-C98DA4593281}]
"URL"="http://start.funmoods.com/results.php?f=4&q={searchTerms}&a=test312&chnl=test312&cd=2XzuyEtN2Y1L1QzutDtDtBtCzy0BtD0CyDyE0B0DyC0B0A0BtN0D0Tzu0CtByEzztN1L2XzutBtFtCtFtCtFtAtCtB&cr=351168579"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{BDABC278-C6D0-4DA1-8A6E-C98DA4593281}]
"TopResultURLFallback"="http://start.funmoods.com/results.php?f=4&q={searchTerms}&a=test312&chnl=test312&cd=2XzuyEtN2Y1L1QzutDtDtBtCzy0BtD0CyDyE0B0DyC0B0A0BtN0D0Tzu0CtByEzztN1L2XzutBtFtCtFtCtFtAtCtB&cr=351168579"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{BDABC278-C6D0-4DA1-8A6E-C98DA4593281}]
"FaviconURLFallback"="http://start.funmoods.com/favicon.ico"

[HKEY_USERS\S-1-5-21-823518204-789336058-725345543-1004\Software\Microsoft\Internet Explorer\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}]
"URL"="http://start.funmoods.com/results.php?f=4&q={searchTerms}&a=test312&chnl=test312&cd=2XzuyEtN2Y1L1QzutDtDtBtCzy0BtD0CyDyE0B0DyC0B0A0BtN0D0Tzu0CtByEzztN1L2XzutBtFtCtFtCtFtAtCtB&cr=351168579"

[HKEY_USERS\S-1-5-21-823518204-789336058-725345543-1004\Software\Microsoft\Internet Explorer\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}]
"FaviconURLFallback"="http://start.funmoods.com/favicon.ico"

[HKEY_USERS\S-1-5-21-823518204-789336058-725345543-1004\Software\Microsoft\Internet Explorer\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}]
"TopResultURLFallback"="http://start.funmoods.com/results.php?f=4&q={searchTerms}&a=test312&chnl=test312&cd=2XzuyEtN2Y1L1QzutDtDtBtCzy0BtD0CyDyE0B0DyC0B0A0BtN0D0Tzu0CtByEzztN1L2XzutBtFtCtFtCtFtAtCtB&cr=351168579"

[HKEY_USERS\S-1-5-21-823518204-789336058-725345543-1004\Software\Microsoft\Internet Explorer\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}]
"FaviconURL"="http://start.funmoods.com/favicon.ico"

Blade81 · Sep 11, 2012

Hi,

In IE click tools->internet options and there settings button of search section. Manage Add-ons window opens up. Take a screenshot of the view having Search Providers selected.

kidkrops · Sep 12, 2012

Screenshot

here is the screenshot, i realized that i had funmodes as a provider, i removed it useing the remove button.

thanks for the help BlaDE

kidkrops · Sep 12, 2012

includes sceenshot in proper format!

kidkrops said:
here is the screenshot, i realized that i had funmodes as a provider, i removed it useing the remove button.

thanks for the help BlaDE

kidkrops · Sep 12, 2012

screenshto

just screenshot this time.

Google search engine not workig ** dds report *** attach zip*** please help malware

New member

Security Expert: Emeritus

New member

Security Expert: Emeritus

New member

Security Expert: Emeritus

New member

Security Expert: Emeritus

New member

New member

Security Expert: Emeritus

New member

Security Expert: Emeritus

Member of Team Spybot

New member

New member

Security Expert: Emeritus

New member

New member

New member

Google search engine not workig dds report * attach zip*** please help malware