
Another Redirect and Trojan Horse hider.OMK infection


PTN


Hi,

Thanks for any help in advance. I have run Malwarebytes several times as well as SUPERAntiSpyware and they have removed lots of stuff, but now running them doesn't bring up any infections, while during the scans my AVG alerts me to Trojan Horse Hider.OMK found in Windows\System32\Drivers\netbt.sys over and over. Since it is a system file it only allows me to ignore it and won't remove it. Also, I keep getting redirected to various websites when in IE, so I am writing from a different computer. Please help.

Just a note that Malwarebytes has helped me many times before with lots of different computers, but this is the first time I can't fix it myself.

Here are the two files requested in the instructions (DDS and Attach):

DDS is below and Attach is attached.

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 8.0.6001.18702

Run by Anna at 19:52:10 on 2011-12-15

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1534.829 [GMT -5:00]

.

AV: AVG Anti-Virus Free *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FW: ZoneAlarm Free Firewall *Enabled*

.

============== Running Processes ===============

.

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup

svchost.exe

svchost.exe

C:\Program Files\CheckPoint\ZoneAlarm\vsmon.exe

C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe

C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\Rundll32.exe

C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe

C:\WINDOWS\system32\dla\tfswctrl.exe

C:\Program Files\QuickTime\qttask.exe

C:\PROGRA~1\AVG\AVG8\avgtray.exe

C:\Program Files\Samsung\EmoDio\SMSTray.exe

C:\Program Files\CheckPoint\ZAForceField\ForceField.exe

C:\Program Files\CheckPoint\ZoneAlarm\zatray.exe

C:\Program Files\Garmin\Lifetime Updater\GarminLifetime.exe

C:\PROGRA~1\MUSICM~1\MUSICM~3\MMDiag.exe

C:\Program Files\DAEMON Tools Pro\DTAgent.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\FinePixViewer\QuickDCF.exe

svchost.exe

C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe

C:\Program Files\SUPERAntiSpyware\SASCORE.EXE

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\WINDOWS\system32\CTsvcCDA.EXE

C:\Program Files\NewTech Infosystems\Backup Now EZ\BackupNowEZSvr.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\WINDOWS\system32\tcpsvcs.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\system32\MsPMSPSv.exe

C:\PROGRA~1\AVG\AVG8\avgemc.exe

C:\Program Files\AVG\AVG8\avgcsrvx.exe

C:\Program Files\Canon\CAL\CALMAIN.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = https://www.google.com/

uDefault_Page_URL = hxxp://www.dell.com

uInternet Connection Wizard,ShellNext = hxxp://www.dell.com/

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll

BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll

BHO: ZoneAlarm Security Engine Registrar: {8a4a36c2-0535-4d2c-bd3d-496cb7eed6e3} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.7018.1622\swg.dll

TB: ZoneAlarm Security Engine: {ee2ac4e5-b0b0-4ec6-88a9-bca1a32ab107} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll

uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

uRun: [sUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe

uRun: [DAEMON Tools Pro Agent] "c:\program files\daemon tools pro\DTAgent.exe" -autorun

uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [REGSHAVE] c:\program files\regshave\REGSHAVE.EXE /AUTORUN

mRun: [P17Helper] Rundll32 P17.dll,P17Helper

mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe

mRun: [dla] c:\windows\system32\dla\tfswctrl.exe

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [MimBoot] c:\progra~1\musicm~1\musicm~3\mimboot.exe

mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe

mRun: [sMSTray] c:\program files\samsung\emodio\SMSTray.exe

mRun: [backupNowEZtray] "c:\program files\newtech infosystems\backup now ez\BackupNowEZtray.exe" -k

mRun: [iSW] "c:\program files\checkpoint\zaforcefield\ForceField.exe" /icon="hidden"

mRun: [ZoneAlarm] "c:\program files\checkpoint\zonealarm\zatray.exe"

mRun: [Garmin Lifetime Updater] c:\program files\garmin\lifetime updater\GarminLifetime.exe /StartMinimized

dRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\exifla~1.lnk - c:\program files\finepixviewer\QuickDCF.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\stardu~1.lnk - c:\windows\SCMain.exe

IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_04\bin\npjpi150_04.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL

IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll

LSP: mswsock.dll

Trusted Zone: musicmatch.com\online

DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/3.0.1.0/GarminAxControl.CAB

DPF: {0067DBFC-A752-458C-AE6E-B9C7E63D4824} - hxxp://www.logitech.com/devicedetector/plugins/LogitechDeviceDetection32.cab

DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab

DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab

DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab

DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,90/mcinsctl.cab

DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://by101fd.bay101.hotmail.msn.com/resources/MsnPUpld.cab

DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1130561715156

DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab

DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} - hxxp://web1.shutterfly.com/downloads/Uploader.cab

DPF: {96816368-C1E3-414D-A193-63C3CC921990} - hxxp://photoweb-radissonaruba.remotemanager.co.uk/common/activex/MJPEGRender.ocx

DPF: {A9F8D9EC-3D0A-4A60-BD82-FBD64BAD370D} - hxxp://h20264.www2.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab

DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,23/mcgdmgr.cab

DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab

DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} - hxxp://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?326

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

.

============= SERVICES / DRIVERS ===============

.

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-5-25 335240]

R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2006-11-5 27784]

R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\drivers\dtsoftbus01.sys [2011-3-22 233024]

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2010-2-17 12880]

R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67664]

R1 Vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2011-11-9 525840]

R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCORE.EXE [2010-6-29 116608]

R2 aawservice;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\aawservice.exe [2008-5-12 611664]

R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-7-2 908056]

R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-7-2 297752]

R2 Iprip;RIP Listener;c:\windows\system32\svchost.exe -k netsvcs [2004-8-4 14336]

R2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\checkpoint\zaforcefield\ISWKL.sys [2011-11-3 27016]

R2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\checkpoint\zaforcefield\ISWSVC.exe [2011-11-3 497280]

R2 NTI BackupNowEZSvr;NTI BackupNowEZSvr;c:\program files\newtech infosystems\backup now ez\BackupNowEZSvr.exe [2009-5-8 45312]

R2 vsmon;TrueVector Internet Monitor;c:\program files\checkpoint\zonealarm\vsmon.exe -service --> c:\program files\checkpoint\zonealarm\vsmon.exe -service [?]

R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-10 135664]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-2-10 135664]

.

=============== Created Last 30 ================

.

2011-12-02 01:03:50 1409 ----a-w- c:\windows\QTFont.for

2011-11-24 04:50:42 -------- d-----w- c:\documents and settings\anna\application data\AccurateRip

2011-11-24 04:50:38 6908648 ----a-w- c:\windows\system32\SpoonUninstall.exe

2011-11-24 04:50:31 -------- d-----w- c:\program files\Illustrate

2011-11-24 01:04:00 -------- d-----w- c:\documents and settings\all users\application data\Garmin

2011-11-23 20:40:01 -------- d-----w- c:\documents and settings\anna\application data\Garmin

2011-11-23 20:39:09 -------- d-----w- c:\program files\Garmin

2011-11-23 18:11:48 -------- d-----w- c:\windows\Internet Logs

2011-11-23 18:10:04 -------- d-----w- c:\documents and settings\all users\application data\CheckPoint

.

==================== Find3M ====================

.

2011-10-27 15:54:50 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-10-10 14:22:41 692736 ----a-w- c:\windows\system32\inetcomm.dll

2011-09-28 07:06:50 599040 ----a-w- c:\windows\system32\crypt32.dll

2011-09-26 15:41:20 611328 ----a-w- c:\windows\system32\uiautomationcore.dll

2011-09-26 15:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll

2011-09-26 15:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll

.

============= FINISH: 19:53:05.23 ===============

I just read another post about ping.exe and I forgot to mention that my computer also starts this up when connected to the internet, so I disconnected the wire. It can't connect wirelessly.

Thanks again.

After running SUPERAntiSpyware as mentioned previously, it picked up lots of adware tracking cookies, which I removed. They were always in the NetworkService folder.

I want to add that it seems there are no desktop icons missing or data lost when I check my directories, and the only symptoms are the ping.exe and the redirects when it was connected to the internet. Initially, I had a couple of splash screens regarding virus protection or something (several days ago) and that's when I rebooted into safe mode and began running both Malwarebytes and SUPERAntiSpyware. When there were no more virus findings, I rebooted normally and the splash screens were gone, but the other stuff was happening as previously described. Now that I'm not connected to the internet I don't see anything happening, and after running the anti-spyware programs they don't come up with anything, but I still get AVG popping up here and there with the Trojan Horse Hider.OMK warnings.

Hi, I haven't had any help here as yet. Anyone?

attach.zip


  • 2 weeks later...


Sorry about the delay in responding :(

We look for posts with 0 replies, so when you replied to your own topic, we assumed you were being helped.

Whether you wish to continue with cleaning or not, you should be aware that you may have been infected by a backdoor trojan. This type of program has the ability to steal passwords and other information from your system. If you are using your computer for sensitive purposes such as internet banking then I recommend you take the following steps immediately:

  • Use another, uninfected computer to change all your internet passwords, especially ones with financial implications such as banks, PayPal, eBay, etc. You should also change the passwords for any other site you use.
  • Call your bank(s), credit card company or any other institution which may be affected and advise them that your login/password or credit card information may have been stolen and ask what steps to take with regard to your account.
  • Consider what other private information could possibly have been taken from your computer and take appropriate steps.
  • Removing this infection can also disable the ability to connect to the internet.

This infection can almost certainly be cleaned, but as the malware could be configured to run any program a remote attacker requires, it will be impossible to be 100% sure that the machine is clean. If this is unacceptable to you, then you should consider reformatting the system partition and reinstalling Windows, as this is the only 100% sure answer.

Please post back to let me know how you wish to proceed.


Download TDSSKiller from here and save it to your Desktop.

Note: if the Cure option is not there, please select 'Skip'.

Please read carefully and follow these steps.

  1. Double-click on TDSSKiller.exe to run the application, then click on Change parameters.
  2. Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.
  3. Click the Start Scan button.
  4. If a suspicious object is detected, the default action will be Skip; click on Continue.
  5. If malicious objects are found, they will show in the Scan results and offer three (3) options.
  6. Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

A report will be created in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents in your next reply.

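A small triage helper for the TDSSKiller report format used in this thread, added here as an example; it is not code from the thread or from TDSSKiller itself. It assumes only the line shapes visible in the posted log (file line with MD5 and path, "- ok", "( verdict ) - warning", "- detected verdict (n)", and the "Mode:" line), and the names parse_tdsskiller_log, triage and DriverRecord are mine; the sample input is a constructed excerpt built from lines in the posted report.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Line shapes observed in the TDSSKiller 2.6.25.0 log posted in this thread.
LINE_RE = re.compile(r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d{4})\s+(?P<pid>\d+)\s+(?P<body>.*)$")
FILE_RE = re.compile(r"^(?P<name>\S+) \((?P<md5>[0-9a-fA-F]{32})\) (?P<path>.+)$")
OK_RE = re.compile(r"^(?P<name>\S+) - ok$")
WARN_RE = re.compile(r"^(?P<name>\S+) \( (?P<verdict>\S+) \) - warning$")
DETECT_RE = re.compile(r"^(?P<name>\S+) - detected (?P<verdict>\S+) \((?P<count>\d+)\)$")
MODE_RE = re.compile(r"^Mode: (?P<flags>.+)$")

# Constructed excerpt: a handful of lines copied in the format of the posted report.
SAMPLE_LOG = "\n".join([
    "12:18:36.0781 3872 Scan started",
    "12:18:36.0781 3872 Mode: Manual; SigCheck; TDLFS;",
    "12:18:36.0781 3872 ============================================================",
    r"12:18:37.0281 3872 61883 (914a9709fc3bf419ad2f85547f2a4832) C:\WINDOWS\system32\DRIVERS\61883.sys",
    "12:18:38.0484 3872 61883 - ok",
    "12:18:38.0640 3872 Abiosdsk - ok",
    r"12:18:44.0406 3872 ASCTRM (d880831279ed91f9a4190a2db9539ea9) C:\WINDOWS\system32\drivers\ASCTRM.sys",
    "12:18:44.0500 3872 ASCTRM ( UnsignedFile.Multi.Generic ) - warning",
    "12:18:44.0500 3872 ASCTRM - detected UnsignedFile.Multi.Generic (1)",
    "12:18:46.0906 3872 bvrp_pci - ok",
])


@dataclass
class DriverRecord:
    name: str
    md5: Optional[str] = None        # absent when the service entry has no file on disk
    path: Optional[str] = None
    status: str = "unknown"          # "ok", "warning" or "detected"
    verdicts: List[str] = field(default_factory=list)

    @property
    def unsigned_only(self) -> bool:
        """True when every verdict is a signature-check warning (SigCheck mode),
        i.e. the driver is unsigned, not a confirmed rootkit component."""
        return bool(self.verdicts) and all(v.startswith("UnsignedFile") for v in self.verdicts)


def parse_tdsskiller_log(text: str):
    """Return (scan-mode flags, {service name: DriverRecord}) for one log."""
    flags: List[str] = []
    records: Dict[str, DriverRecord] = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                 # banners, blank lines, anything not timestamped
        body = m.group("body").strip()
        if (mm := MODE_RE.match(body)):
            flags = [f.strip() for f in mm.group("flags").split(";") if f.strip()]
            continue
        if (fm := FILE_RE.match(body)):
            rec = records.setdefault(fm.group("name"), DriverRecord(fm.group("name")))
            rec.md5, rec.path = fm.group("md5").lower(), fm.group("path")
            continue
        if (om := OK_RE.match(body)):
            rec = records.setdefault(om.group("name"), DriverRecord(om.group("name")))
            if rec.status == "unknown":
                rec.status = "ok"
            continue
        hit = WARN_RE.match(body) or DETECT_RE.match(body)
        if hit:
            rec = records.setdefault(hit.group("name"), DriverRecord(hit.group("name")))
            rec.status = "detected" if "detected" in body else "warning"
            if hit.group("verdict") not in rec.verdicts:
                rec.verdicts.append(hit.group("verdict"))
    return flags, records


def triage(text: str) -> dict:
    """Summarise a log: scan mode, counts, and the entries that need a human look."""
    flags, records = parse_tdsskiller_log(text)
    flagged = [
        {"name": r.name, "path": r.path, "md5": r.md5,
         "verdicts": list(r.verdicts), "unsigned_only": r.unsigned_only}
        for r in records.values() if r.status in ("warning", "detected")
    ]
    return {
        "mode": flags,
        "scanned": len(records),
        "ok": sum(1 for r in records.values() if r.status == "ok"),
        "flagged": flagged,
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    print(f"mode={summary['mode']} scanned={summary['scanned']} ok={summary['ok']}")
    for item in summary["flagged"]:
        kind = "unsigned driver, review manually" if item["unsigned_only"] else "malware verdict"
        print(f"  {item['name']}: {item['verdicts']} -> {kind}; {item['path']} md5={item['md5']}")
```

With Verify Driver Digital Signature enabled, as the steps above ask, UnsignedFile warnings are expected for legitimate third-party drivers, which is why the scanner defaults to Skip for them; the helper separates those from actual detections so they can be reviewed rather than cured blindly.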

Here is the report:

12:18:17.0796 3836 TDSS rootkit removing tool 2.6.25.0 Dec 23 2011 14:51:16

12:18:19.0796 3836 ============================================================

12:18:19.0796 3836 Current date / time: 2011/12/31 12:18:19.0796

12:18:19.0796 3836 SystemInfo:

12:18:19.0796 3836

12:18:19.0796 3836 OS Version: 5.1.2600 ServicePack: 3.0

12:18:19.0796 3836 Product type: Workstation

12:18:19.0796 3836 ComputerName: ANNADESKXP

12:18:19.0796 3836 UserName: Anna

12:18:19.0796 3836 Windows directory: C:\WINDOWS

12:18:19.0796 3836 System windows directory: C:\WINDOWS

12:18:19.0796 3836 Processor architecture: Intel x86

12:18:19.0796 3836 Number of processors: 2

12:18:19.0796 3836 Page size: 0x1000

12:18:19.0796 3836 Boot type: Normal boot

12:18:19.0796 3836 ============================================================

12:18:22.0921 3836 Initialize success

12:18:36.0781 3872 ============================================================

12:18:36.0781 3872 Scan started

12:18:36.0781 3872 Mode: Manual; SigCheck; TDLFS;

12:18:36.0781 3872 ============================================================


12:19:10.0781 3872 NetBIOS - ok

12:19:10.0843 3872 NetBT (28ede20f3d5e95daf113865c030562a3) C:\WINDOWS\system32\DRIVERS\netbt.sys

12:19:10.0859 3872 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\netbt.sys. Real md5: 28ede20f3d5e95daf113865c030562a3, Fake md5: 74b2b2f5bea5e9a3dc021d685551bd3d

12:19:10.0859 3872 NetBT ( Rootkit.Win32.ZAccess.k ) - infected

12:19:10.0859 3872 NetBT - detected Rootkit.Win32.ZAccess.k (0)

12:19:10.0921 3872 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys

12:19:11.0171 3872 NIC1394 - ok

12:19:11.0187 3872 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys

12:19:11.0453 3872 Npfs - ok

12:19:11.0515 3872 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys

12:19:11.0843 3872 Ntfs - ok

12:19:11.0921 3872 NTIDrvr (8055859b87ac3e504ece0c1e9353cc4e) C:\WINDOWS\system32\drivers\NTIDrvr.sys

12:19:11.0984 3872 NTIDrvr - ok

12:19:12.0015 3872 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys

12:19:12.0234 3872 Null - ok

12:19:12.0375 3872 nv (2b298519edbfcf451d43e0f1e8f1006d) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys

12:19:12.0765 3872 nv - ok

12:19:12.0812 3872 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys

12:19:13.0062 3872 NwlnkFlt - ok

12:19:13.0109 3872 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys

12:19:13.0390 3872 NwlnkFwd - ok

12:19:13.0484 3872 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys

12:19:13.0765 3872 ohci1394 - ok

12:19:13.0828 3872 omci (53d5f1278d9edb21689bbbcecc09108d) C:\WINDOWS\system32\DRIVERS\omci.sys

12:19:13.0859 3872 omci ( UnsignedFile.Multi.Generic ) - warning

12:19:13.0859 3872 omci - detected UnsignedFile.Multi.Generic (1)

12:19:13.0968 3872 ossrv (103a9b117a7d9903111955cdafe65ac6) C:\WINDOWS\system32\DRIVERS\ctoss2k.sys

12:19:14.0015 3872 ossrv - ok

12:19:14.0093 3872 P17 (df886ffed69aead0cf608b89b18c3f6f) C:\WINDOWS\system32\drivers\P17.sys

12:19:14.0250 3872 P17 - ok

12:19:14.0375 3872 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys

12:19:14.0671 3872 Parport - ok

12:19:14.0687 3872 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys

12:19:14.0968 3872 PartMgr - ok

12:19:15.0031 3872 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys

12:19:15.0265 3872 ParVdm - ok

12:19:15.0296 3872 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys

12:19:15.0531 3872 PCI - ok

12:19:15.0562 3872 PCIDump - ok

12:19:15.0625 3872 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys

12:19:15.0875 3872 PCIIde - ok

12:19:15.0921 3872 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys

12:19:16.0203 3872 Pcmcia - ok

12:19:16.0234 3872 PDCOMP - ok

12:19:16.0250 3872 PDFRAME - ok

12:19:16.0265 3872 PDRELI - ok

12:19:16.0281 3872 PDRFRAME - ok

12:19:16.0343 3872 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\system32\DRIVERS\perc2.sys

12:19:16.0578 3872 perc2 - ok

12:19:16.0640 3872 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\system32\DRIVERS\perc2hib.sys

12:19:16.0875 3872 perc2hib - ok

12:19:16.0984 3872 PfModNT (d9ed17ac15720096a9f92ff4ea587b09) C:\WINDOWS\system32\drivers\PfModNT.sys

12:19:17.0046 3872 PfModNT - ok

12:19:17.0109 3872 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys

12:19:17.0359 3872 PptpMiniport - ok

12:19:17.0375 3872 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys

12:19:17.0625 3872 PSched - ok

12:19:17.0671 3872 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys

12:19:17.0906 3872 Ptilink - ok

12:19:17.0953 3872 PxHelp20 (7c81ae3c9b82ba2da437ed4d31bc56cf) C:\WINDOWS\system32\Drivers\PxHelp20.sys

12:19:18.0031 3872 PxHelp20 ( UnsignedFile.Multi.Generic ) - warning

12:19:18.0031 3872 PxHelp20 - detected UnsignedFile.Multi.Generic (1)

12:19:18.0046 3872 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\system32\DRIVERS\ql1080.sys

12:19:18.0281 3872 ql1080 - ok

12:19:18.0312 3872 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\system32\DRIVERS\ql10wnt.sys

12:19:18.0609 3872 Ql10wnt - ok

12:19:18.0625 3872 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\system32\DRIVERS\ql12160.sys

12:19:18.0890 3872 ql12160 - ok

12:19:18.0921 3872 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\system32\DRIVERS\ql1240.sys

12:19:19.0140 3872 ql1240 - ok

12:19:19.0171 3872 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\system32\DRIVERS\ql1280.sys

12:19:19.0406 3872 ql1280 - ok

12:19:19.0453 3872 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys

12:19:19.0687 3872 RasAcd - ok

12:19:19.0750 3872 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys

12:19:20.0000 3872 Rasl2tp - ok

12:19:20.0031 3872 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys

12:19:20.0281 3872 RasPppoe - ok

12:19:20.0296 3872 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys

12:19:20.0531 3872 Raspti - ok

12:19:20.0593 3872 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys

12:19:20.0890 3872 Rdbss - ok

12:19:20.0906 3872 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys

12:19:21.0140 3872 RDPCDD - ok

12:19:21.0218 3872 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys

12:19:21.0500 3872 rdpdr - ok

12:19:21.0562 3872 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) C:\WINDOWS\system32\drivers\RDPWD.sys

12:19:21.0671 3872 RDPWD - ok

12:19:21.0718 3872 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys

12:19:21.0953 3872 redbook - ok

12:19:22.0078 3872 rspndr (a3b23fb3f295694091f51865f98588b2) C:\WINDOWS\system32\DRIVERS\rspndr.sys

12:19:22.0109 3872 rspndr ( UnsignedFile.Multi.Generic ) - warning

12:19:22.0109 3872 rspndr - detected UnsignedFile.Multi.Generic (1)

12:19:22.0328 3872 SASDIFSV (39763504067962108505bff25f024345) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS

12:19:22.0375 3872 SASDIFSV - ok

12:19:22.0421 3872 SASKUTIL (77b9fc20084b48408ad3e87570eb4a85) C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS

12:19:22.0484 3872 SASKUTIL - ok

12:19:22.0593 3872 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys

12:19:22.0843 3872 Secdrv - ok

12:19:22.0890 3872 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys

12:19:23.0156 3872 serenum - ok

12:19:23.0187 3872 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys

12:19:23.0437 3872 Serial - ok

12:19:23.0578 3872 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\DRIVERS\sfloppy.sys

12:19:23.0859 3872 Sfloppy - ok

12:19:23.0875 3872 Simbad - ok

12:19:23.0921 3872 sisagp (6b33d0ebd30db32e27d1d78fe946a754) C:\WINDOWS\system32\DRIVERS\sisagp.sys

12:19:24.0171 3872 sisagp - ok

12:19:24.0187 3872 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys

12:19:24.0421 3872 SLIP - ok

12:19:24.0531 3872 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys

12:19:24.0703 3872 Sparrow - ok

12:19:24.0734 3872 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys

12:19:24.0953 3872 splitter - ok

12:19:24.0984 3872 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys

12:19:25.0234 3872 sr - ok

12:19:25.0250 3872 srescan - ok

12:19:25.0359 3872 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys

12:19:25.0468 3872 Srv - ok

12:19:25.0546 3872 sscdbhk5 (7c0c9bdca2d351ff3b4f9b69f99aa995) C:\WINDOWS\system32\drivers\sscdbhk5.sys

12:19:25.0625 3872 sscdbhk5 ( UnsignedFile.Multi.Generic ) - warning

12:19:25.0625 3872 sscdbhk5 - detected UnsignedFile.Multi.Generic (1)

12:19:25.0656 3872 ssrtln (31726706d54894d5059f7471111a87bb) C:\WINDOWS\system32\drivers\ssrtln.sys

12:19:25.0687 3872 ssrtln ( UnsignedFile.Multi.Generic ) - warning

12:19:25.0687 3872 ssrtln - detected UnsignedFile.Multi.Generic (1)

12:19:25.0750 3872 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys

12:19:26.0015 3872 streamip - ok

12:19:26.0046 3872 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys

12:19:26.0296 3872 swenum - ok

12:19:26.0328 3872 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys

12:19:26.0562 3872 swmidi - ok

12:19:26.0640 3872 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys

12:19:26.0875 3872 symc810 - ok

12:19:26.0890 3872 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys

12:19:27.0125 3872 symc8xx - ok

12:19:27.0140 3872 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys

12:19:27.0390 3872 sym_hi - ok

12:19:27.0406 3872 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys

12:19:27.0640 3872 sym_u3 - ok

12:19:27.0656 3872 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys

12:19:27.0890 3872 sysaudio - ok

12:19:27.0984 3872 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys

12:19:28.0187 3872 Tcpip - ok

12:19:28.0281 3872 Tcpip6 (4e53bbcc4be37d7a4bd6ef1098c89ff7) C:\WINDOWS\system32\DRIVERS\tcpip6.sys

12:19:28.0390 3872 Tcpip6 - ok

12:19:28.0406 3872 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys

12:19:28.0687 3872 TDPIPE - ok

12:19:28.0718 3872 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys

12:19:29.0000 3872 TDTCP - ok

12:19:29.0031 3872 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys

12:19:29.0296 3872 TermDD - ok

12:19:29.0375 3872 tfsnboio (1f6035dee9f748071c2a4cd0270edea5) C:\WINDOWS\system32\dla\tfsnboio.sys

12:19:29.0390 3872 tfsnboio ( UnsignedFile.Multi.Generic ) - warning

12:19:29.0390 3872 tfsnboio - detected UnsignedFile.Multi.Generic (1)

12:19:29.0468 3872 tfsncofs (2e5b4d4281e78922d8f31c3392f14f25) C:\WINDOWS\system32\dla\tfsncofs.sys

12:19:29.0500 3872 tfsncofs ( UnsignedFile.Multi.Generic ) - warning

12:19:29.0500 3872 tfsncofs - detected UnsignedFile.Multi.Generic (1)

12:19:29.0531 3872 tfsndrct (e12baa62a9746992e3ca6fd653af295d) C:\WINDOWS\system32\dla\tfsndrct.sys

12:19:29.0562 3872 tfsndrct ( UnsignedFile.Multi.Generic ) - warning

12:19:29.0562 3872 tfsndrct - detected UnsignedFile.Multi.Generic (1)

12:19:29.0578 3872 tfsndres (87a31923f6ec5cf4bd2dd2557a0c4c2f) C:\WINDOWS\system32\dla\tfsndres.sys

12:19:29.0625 3872 tfsndres ( UnsignedFile.Multi.Generic ) - warning

12:19:29.0625 3872 tfsndres - detected UnsignedFile.Multi.Generic (1)

12:19:29.0656 3872 tfsnifs (9e3b79db06b62222b3b2a9bf3d0cd4de) C:\WINDOWS\system32\dla\tfsnifs.sys

12:19:29.0687 3872 tfsnifs ( UnsignedFile.Multi.Generic ) - warning

12:19:29.0687 3872 tfsnifs - detected UnsignedFile.Multi.Generic (1)

12:19:29.0718 3872 tfsnopio (af567c6b7d527e0d08352d25c11027fb) C:\WINDOWS\system32\dla\tfsnopio.sys

12:19:29.0750 3872 tfsnopio ( UnsignedFile.Multi.Generic ) - warning

12:19:29.0750 3872 tfsnopio - detected UnsignedFile.Multi.Generic (1)

12:19:29.0765 3872 tfsnpool (d123ca23c33ff2dab456162d1d4f7d09) C:\WINDOWS\system32\dla\tfsnpool.sys

12:19:29.0796 3872 tfsnpool ( UnsignedFile.Multi.Generic ) - warning

12:19:29.0796 3872 tfsnpool - detected UnsignedFile.Multi.Generic (1)

12:19:29.0812 3872 tfsnudf (14558f878b70e73a1800b257e5bbf2ae) C:\WINDOWS\system32\dla\tfsnudf.sys

12:19:29.0859 3872 tfsnudf ( UnsignedFile.Multi.Generic ) - warning

12:19:29.0859 3872 tfsnudf - detected UnsignedFile.Multi.Generic (1)

12:19:29.0875 3872 tfsnudfa (2d06979d0c9d44090995bb09b4820c8d) C:\WINDOWS\system32\dla\tfsnudfa.sys

12:19:29.0906 3872 tfsnudfa ( UnsignedFile.Multi.Generic ) - warning

12:19:29.0906 3872 tfsnudfa - detected UnsignedFile.Multi.Generic (1)

12:19:30.0015 3872 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\system32\DRIVERS\toside.sys

12:19:30.0234 3872 TosIde - ok

12:19:30.0328 3872 tunmp (8f861eda21c05857eb8197300a92501c) C:\WINDOWS\system32\DRIVERS\tunmp.sys

12:19:30.0640 3872 tunmp - ok

12:19:30.0703 3872 UBHelper (9e39dc3022e6d84bf974678011a1ea4c) C:\WINDOWS\system32\drivers\UBHelper.sys

12:19:30.0750 3872 UBHelper - ok

12:19:30.0812 3872 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys

12:19:31.0062 3872 Udfs - ok

12:19:31.0125 3872 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys

12:19:31.0250 3872 ultra - ok

12:19:31.0296 3872 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys

12:19:31.0609 3872 Update - ok

12:19:31.0671 3872 usbbus (d9f3bb7c292f194f3b053ce295754eb8) C:\WINDOWS\system32\DRIVERS\lgusbbus.sys

12:19:31.0796 3872 usbbus - ok

12:19:31.0859 3872 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys

12:19:32.0109 3872 usbccgp - ok

12:19:32.0187 3872 UsbDiag (c4f77da649f99fad116ea585376fc164) C:\WINDOWS\system32\DRIVERS\lgusbdiag.sys

12:19:32.0281 3872 UsbDiag - ok

12:19:32.0343 3872 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys

12:19:32.0609 3872 usbehci - ok

12:19:32.0640 3872 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys

12:19:32.0906 3872 usbhub - ok

12:19:32.0968 3872 USBModem (c0613ce45e617bc671de8ebb1b30d175) C:\WINDOWS\system32\DRIVERS\lgusbmodem.sys

12:19:33.0046 3872 USBModem - ok

12:19:33.0078 3872 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys

12:19:33.0343 3872 usbprint - ok

12:19:33.0390 3872 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys

12:19:33.0640 3872 usbscan - ok

12:19:33.0703 3872 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS

12:19:33.0968 3872 USBSTOR - ok

12:19:34.0000 3872 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys

12:19:34.0265 3872 usbuhci - ok

12:19:34.0281 3872 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys

12:19:34.0531 3872 VgaSave - ok

12:19:34.0625 3872 viaagp (754292ce5848b3738281b4f3607eaef4) C:\WINDOWS\system32\DRIVERS\viaagp.sys

12:19:34.0890 3872 viaagp - ok

12:19:34.0937 3872 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys

12:19:35.0187 3872 ViaIde - ok

12:19:35.0203 3872 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys

12:19:35.0453 3872 VolSnap - ok

12:19:35.0593 3872 Vsdatant (558cee3d9c470651f1843d51b42d761b) C:\WINDOWS\system32\vsdatant.sys

12:19:35.0703 3872 Vsdatant - ok

12:19:35.0765 3872 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys

12:19:36.0031 3872 Wanarp - ok

12:19:36.0046 3872 wanatw - ok

12:19:36.0062 3872 WDICA - ok

12:19:36.0109 3872 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys

12:19:36.0343 3872 wdmaud - ok

12:19:36.0515 3872 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\Drivers\wpdusb.sys

12:19:36.0656 3872 WpdUsb - ok

12:19:36.0734 3872 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS

12:19:37.0015 3872 WSTCODEC - ok

12:19:37.0093 3872 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys

12:19:37.0187 3872 WudfPf - ok

12:19:37.0218 3872 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys

12:19:37.0296 3872 WudfRd - ok

12:19:37.0390 3872 MBR (0x1B8) (b16a2359f4962b0c622d81a1c1f4b703) \Device\Harddisk0\DR0

12:19:37.0484 3872 \Device\Harddisk0\DR0 - ok

12:19:37.0531 3872 Boot (0x1200) (759c158578a261ed5d14ddf6fa3fab99) \Device\Harddisk0\DR0\Partition0

12:19:37.0531 3872 \Device\Harddisk0\DR0\Partition0 - ok

12:19:37.0546 3872 ============================================================

12:19:37.0546 3872 Scan finished

12:19:37.0546 3872 ============================================================

12:19:37.0671 3104 Detected object count: 20

12:19:37.0671 3104 Actual detected object count: 20

12:20:04.0562 3104 ASCTRM ( UnsignedFile.Multi.Generic ) - skipped by user

12:20:04.0562 3104 ASCTRM ( UnsignedFile.Multi.Generic ) - User select action: Skip

12:20:04.0562 3104 Cinemsup ( UnsignedFile.Multi.Generic ) - skipped by user

12:20:04.0562 3104 Cinemsup ( UnsignedFile.Multi.Generic ) - User select action: Skip

12:20:04.0562 3104 drvmcdb ( UnsignedFile.Multi.Generic ) - skipped by user

12:20:04.0562 3104 drvmcdb ( UnsignedFile.Multi.Generic ) - User select action: Skip

12:20:04.0562 3104 drvnddm ( UnsignedFile.Multi.Generic ) - skipped by user

12:20:04.0562 3104 drvnddm ( UnsignedFile.Multi.Generic ) - User select action: Skip

12:20:04.0562 3104 MASPINT ( UnsignedFile.Multi.Generic ) - skipped by user

12:20:04.0562 3104 MASPINT ( UnsignedFile.Multi.Generic ) - User select action: Skip

12:20:04.0984 3104 Backup copy found, using it..

12:20:05.0046 3104 C:\WINDOWS\system32\DRIVERS\netbt.sys - will be cured on reboot

12:20:06.0984 3104 NetBT ( Rootkit.Win32.ZAccess.k ) - User select action: Cure

12:20:06.0984 3104 omci ( UnsignedFile.Multi.Generic ) - skipped by user

12:20:06.0984 3104 omci ( UnsignedFile.Multi.Generic ) - User select action: Skip

12:20:06.0984 3104 PxHelp20 ( UnsignedFile.Multi.Generic ) - skipped by user

12:20:06.0984 3104 PxHelp20 ( UnsignedFile.Multi.Generic ) - User select action: Skip

12:20:06.0984 3104 rspndr ( UnsignedFile.Multi.Generic ) - skipped by user

12:20:06.0984 3104 rspndr ( UnsignedFile.Multi.Generic ) - User select action: Skip

12:20:07.0000 3104 sscdbhk5 ( UnsignedFile.Multi.Generic ) - skipped by user

12:20:07.0000 3104 sscdbhk5 ( UnsignedFile.Multi.Generic ) - User select action: Skip

12:20:07.0000 3104 ssrtln ( UnsignedFile.Multi.Generic ) - skipped by user

12:20:07.0000 3104 ssrtln ( UnsignedFile.Multi.Generic ) - User select action: Skip

12:20:07.0000 3104 tfsnboio ( UnsignedFile.Multi.Generic ) - skipped by user

12:20:07.0000 3104 tfsnboio ( UnsignedFile.Multi.Generic ) - User select action: Skip

12:20:07.0000 3104 tfsncofs ( UnsignedFile.Multi.Generic ) - skipped by user

12:20:07.0000 3104 tfsncofs ( UnsignedFile.Multi.Generic ) - User select action: Skip

12:20:07.0015 3104 tfsndrct ( UnsignedFile.Multi.Generic ) - skipped by user

12:20:07.0015 3104 tfsndrct ( UnsignedFile.Multi.Generic ) - User select action: Skip

12:20:07.0015 3104 tfsndres ( UnsignedFile.Multi.Generic ) - skipped by user

12:20:07.0015 3104 tfsndres ( UnsignedFile.Multi.Generic ) - User select action: Skip

12:20:07.0015 3104 tfsnifs ( UnsignedFile.Multi.Generic ) - skipped by user

12:20:07.0015 3104 tfsnifs ( UnsignedFile.Multi.Generic ) - User select action: Skip

12:20:07.0015 3104 tfsnopio ( UnsignedFile.Multi.Generic ) - skipped by user

12:20:07.0015 3104 tfsnopio ( UnsignedFile.Multi.Generic ) - User select action: Skip

12:20:07.0015 3104 tfsnpool ( UnsignedFile.Multi.Generic ) - skipped by user

12:20:07.0015 3104 tfsnpool ( UnsignedFile.Multi.Generic ) - User select action: Skip

12:20:07.0015 3104 tfsnudf ( UnsignedFile.Multi.Generic ) - skipped by user

12:20:07.0015 3104 tfsnudf ( UnsignedFile.Multi.Generic ) - User select action: Skip

12:20:07.0031 3104 tfsnudfa ( UnsignedFile.Multi.Generic ) - skipped by user

12:20:07.0031 3104 tfsnudfa ( UnsignedFile.Multi.Generic ) - User select action: Skip

12:20:14.0781 3828 Deinitialize success

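A TDSSKiller log like the one above runs to hundreds of drivers, and the three lines that matter (the entry with its hash, the "Suspicious file (Forged)" line, and the "- infected" verdict) are easy to miss by eye. The script below is an added example, not part of the thread and not TDSSKiller's own code: it parses the line shapes visible in the log, joins the forged-file notice to the driver it belongs to by path, and buckets drivers into what a responder should look at first. The regular expressions and the `DriverRecord` layout are my own assumptions about the format, derived only from the lines printed above; the sample input is a handful of those lines, copied verbatim rather than constructed.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Sample input: lines copied from the TDSSKiller log posted above, trimmed to a
# few drivers so the example runs on its own.
SAMPLE_LOG = r"""
12:19:10.0531 3872 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
12:19:10.0781 3872 NetBIOS - ok
12:19:10.0843 3872 NetBT (28ede20f3d5e95daf113865c030562a3) C:\WINDOWS\system32\DRIVERS\netbt.sys
12:19:10.0859 3872 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\netbt.sys. Real md5: 28ede20f3d5e95daf113865c030562a3, Fake md5: 74b2b2f5bea5e9a3dc021d685551bd3d
12:19:10.0859 3872 NetBT ( Rootkit.Win32.ZAccess.k ) - infected
12:19:10.0859 3872 NetBT - detected Rootkit.Win32.ZAccess.k (0)
12:19:13.0828 3872 omci (53d5f1278d9edb21689bbbcecc09108d) C:\WINDOWS\system32\DRIVERS\omci.sys
12:19:13.0859 3872 omci ( UnsignedFile.Multi.Generic ) - warning
12:19:13.0859 3872 omci - detected UnsignedFile.Multi.Generic (1)
12:19:15.0562 3872 PCIDump - ok
"""


@dataclass
class DriverRecord:
    """One driver/service as TDSSKiller reports it (field layout is this example's assumption)."""
    name: str
    md5: Optional[str] = None                  # hash printed next to the driver name
    path: Optional[str] = None
    verdict: str = "unknown"                   # ok | warning | infected | unknown
    threat: Optional[str] = None               # e.g. Rootkit.Win32.ZAccess.k
    forged: Optional[Tuple[str, str]] = None   # (real md5, fake md5) when two reads of the file disagree


# Every line starts with "hh:mm:ss.ffff <pid> "; the three shapes we care about follow it.
_PREFIX = r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d{4})\s+(?P<pid>\d+)\s+"
RE_ENTRY = re.compile(_PREFIX + r"(?P<name>\S+) \((?P<md5>[0-9a-f]{32})\) (?P<path>.+)$")
RE_VERDICT = re.compile(_PREFIX + r"(?P<name>\S+)(?: \( (?P<threat>\S+) \))? - (?P<verdict>ok|warning|infected)$")
RE_FORGED = re.compile(_PREFIX + r"Suspicious file \(Forged\): (?P<path>.+?)\. "
                       r"Real md5: (?P<real>[0-9a-f]{32}), Fake md5: (?P<fake>[0-9a-f]{32})$")


def parse_tdsskiller(text: str) -> Dict[str, DriverRecord]:
    """Fold the per-line log into one record per driver name."""
    records: Dict[str, DriverRecord] = {}
    by_path: Dict[str, str] = {}  # lower-cased path -> driver name, so a forged notice can be joined
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = RE_FORGED.match(line)
        if m:
            # The forged line carries only a path; it follows the driver's entry line in the log.
            name = by_path.get(m["path"].lower())
            if name is not None:
                records[name].forged = (m["real"], m["fake"])
            continue
        m = RE_ENTRY.match(line)
        if m:
            rec = records.setdefault(m["name"], DriverRecord(m["name"]))
            rec.md5, rec.path = m["md5"], m["path"]
            by_path[m["path"].lower()] = m["name"]
            continue
        m = RE_VERDICT.match(line)
        if m:
            rec = records.setdefault(m["name"], DriverRecord(m["name"]))
            rec.verdict = m["verdict"]
            if m["threat"]:
                rec.threat = m["threat"]
        # "- detected ..." summary lines and scan banners carry nothing new; they are ignored.
    return records


def triage(records: Dict[str, DriverRecord]) -> Dict[str, List[str]]:
    """Bucket drivers: a forged file is critical even if no signature name was attached to it."""
    buckets: Dict[str, List[str]] = {"critical": [], "review": [], "clean": []}
    for rec in records.values():
        if rec.verdict == "infected" or rec.forged is not None:
            buckets["critical"].append(rec.name)
        elif rec.verdict == "warning":
            buckets["review"].append(rec.name)
        else:
            buckets["clean"].append(rec.name)
    return buckets


if __name__ == "__main__":
    recs = parse_tdsskiller(SAMPLE_LOG)
    for name in triage(recs)["critical"]:
        r = recs[name]
        print(f"{name}: {r.threat} at {r.path}")
        if r.forged:
            print(f"  two reads of the same path hashed differently: {r.forged[0]} vs {r.forged[1]}")
```

The point the triage makes explicit is the one the log itself states: two different hashes were obtained for the same path, so whatever is answering reads of `netbt.sys` is not telling every caller the same thing. That mismatch alone is enough to rank the file above the unsigned-driver warnings, which in this thread all turned out to be vendor drivers the user chose to skip.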

Please do not attach the scan results from ComboFix. Use copy/paste.

Vista and Windows 7 users:

1. These tools MUST be run from the executable (.exe) every time you run them.

2. With Admin Rights (Right click, choose "Run as Administrator")

Download ComboFix from one of these locations:

Link 1

Link 2 If using this link, Right Click and select Save As.

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link: Protective Programs
  • Double click on ComboFix.exe & follow the prompts.
    Notes: Combofix will run without the Recovery Console installed. Skip the Recovery Console part if you're running Vista or Windows 7.
    Note: If you have XP SP3, use the XP SP2 package.
    If Vista or Windows 7, skip the Recovery Console part
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

RC1.png

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

RC2-1.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt using Copy / Paste in your next reply.

Notes:

1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.

3. ComboFix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.

4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Give it at least 20-30 minutes to finish if needed.

Please do not attach the scan results from ComboFix. Use copy/paste.

Also please describe how your computer behaves at the moment.


I ran ComboFix and it installed Microsoft Recovery Console successfully. While ComboFix was running it detected rootkit.zeroaccess and twice gave me a message that it was difficult to remove. Then, it detected rootkit activity and it restarted my computer. When it restarted, it immediately ran without my desktop fully loading. It showed a list of completed stages as it progressed, but when it got to "completed stage 48" it stayed at this point with a blinking cursor. It has been in this state for about an hour. I am leaving it on, but I don't know if it is still working.


This backdoor rootkit can really be hard to remove.

Give it another 15 mins.

If it hasn't moved try this.

Bring up Task Manager using CTRL+ALT+DELETE. See if any of these processes are running, and End Task on them one at a time and see if it frees up CF:

pev

findstr

sed

grep

nircmd

swsc

* ...or any other process that has the .cfexe extension, except for CFxxx.cfexe

Reboot and run CF again if it doesn't start on its own.


It hung, so I had to manually shut it down and restart. It booted back to my desktop and I restarted ComboFix. ComboFix then detected rootkit activity and rebooted my machine like it did before. When the machine restarted, ComboFix also restarted prior to the desktop loading my icons. It is currently running.


Once again it stopped after completed stage 48. I looked in Task Manager, but I see pev.3XE and nircmd.3XE and none with .cfexe. I tried to shut down both pev and nircmd, but they did not shut down. Task Manager shows 99% idle. There are 8 instances of svchost.exe. I see avgcsrvx.exe, avgemc.exe, avgwdsvc.exe, avgrsx.exe - does this mean AVG is not disabled? I did go through and turn off the items listed in the link...? Don't know what to do next.


I disconnected the PC from the internet, and while ComboFix still detected rootkit activity and restarted the PC, this time it ran all the way through when it rebooted.

Here is the log:

ComboFix 12-01-06.03 - Anna 01/06/2012 19:21:22.3.2 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1534.966 [GMT -5:00]

Running from: c:\documents and settings\Anna\Desktop\ComboFix.exe

AV: AVG Anti-Virus Free *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FW: ZoneAlarm Free Firewall *Disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

* Created a new restore point

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\All Users\Start Menu\HP Image Zone .lnk

c:\documents and settings\Anna\WINDOWS

c:\windows\system32\FE05DA0D.dll

c:\windows\system32\FE05F051.dll

c:\windows\system32\FE05F3D5.dll

c:\windows\system32\PowerToyReadme.htm

c:\windows\system32\SET4F.tmp

c:\windows\system32\SET5B.tmp

c:\windows\system32\SET64.tmp

c:\windows\system32\SET66.tmp

c:\windows\system32\SET69.tmp

.

.

((((((((((((((((((((((((( Files Created from 2011-12-07 to 2012-01-07 )))))))))))))))))))))))))))))))

.

.

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-12-31 17:20 . 2004-08-04 10:00 162816 ----a-w- c:\windows\system32\drivers\netbt.sys

2011-12-02 01:03 . 2011-12-02 01:03 1409 ----a-w- c:\windows\QTFont.for

2011-11-24 04:50 . 2011-11-24 04:50 6908648 ----a-w- c:\windows\system32\SpoonUninstall.exe

2011-10-27 15:54 . 2011-06-14 23:11 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-10-10 14:22 . 2004-08-04 10:00 692736 ----a-w- c:\windows\system32\inetcomm.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-08 68856]

"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-12-15 4616064]

"DAEMON Tools Pro Agent"="c:\program files\DAEMON Tools Pro\DTAgent.exe" [2011-03-17 842048]

"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-05 53248]

"P17Helper"="P17.dll" [2005-05-03 64512]

"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-11-07 196608]

"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-03-25 122939]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-08-05 98304]

"MimBoot"="c:\progra~1\MUSICM~1\MUSICM~3\mimboot.exe" [2006-01-19 11776]

"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2011-10-18 2042208]

"SMSTray"="c:\program files\Samsung\EmoDio\SMSTray.exe" [2009-03-21 484888]

"BackupNowEZtray"="c:\program files\NewTech Infosystems\Backup Now EZ\BackupNowEZtray.exe" [2009-05-08 552192]

"ISW"="c:\program files\CheckPoint\ZAForceField\ForceField.exe" [2011-11-03 738944]

"ZoneAlarm"="c:\program files\CheckPoint\ZoneAlarm\zatray.exe" [2011-11-10 73360]

"Garmin Lifetime Updater"="c:\program files\Garmin\Lifetime Updater\GarminLifetime.exe" [2011-10-03 1409384]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-08 68856]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

Exif Launcher.lnk - c:\program files\FinePixViewer\QuickDCF.exe [2005-7-16 200704]

Stardust Screen Saver Control 2003.lnk - c:\windows\SCMain.exe [2003-10-30 353280]

.

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-08-14 113024]

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]

@=""

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

@="Service"

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk

backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

.

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk

backup=c:\windows\pss\HP Image Zone Fast Start.lnkCommon Startup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]

2004-08-25 17:52 339968 ----a-w- c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSysVol]

2003-09-17 15:43 57344 ----a-w- c:\program files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]

2004-07-19 12:51 306688 ----a-w- c:\program files\Dell Support\DSAgnt.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]

2004-10-12 21:54 57344 ------w- c:\program files\CyberLink\PowerDVD\DVDLauncher.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]

2005-05-12 03:12 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelMeM]

2003-09-04 01:12 221184 ----a-w- c:\program files\Intel\Modem Event Monitor\IntelMEM.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]

2006-01-19 15:06 11776 ----a-w- c:\progra~1\MUSICM~1\MUSICM~3\mimboot.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2005-08-05 01:17 98304 ----a-w- c:\program files\QuickTime\qttask.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]

2005-04-15 05:40 26112 ----a-w- c:\program files\Real\RealPlayer\realplay.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

2005-06-03 07:52 36975 -c--a-w- c:\program files\Java\jre1.5.0_04\bin\jusched.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]

2003-08-19 05:01 110592 ----a-w- c:\program files\Common Files\Sonic\Update Manager\sgtray.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]

2006-03-30 20:45 313472 ----a-r- c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]

2000-05-11 06:00 90112 ------w- c:\windows\Updreg.EXE

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"wscsvc"=2 (0x2)

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]

"DisableMonitoring"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

"DisableNotifications"= 1 (0x1)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

"c:\\WINDOWS\\SYSTEM32\\muzapp.exe"=

"c:\\Program Files\\Vuze\\Azureus.exe"=

.

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\SYSTEM32\DRIVERS\avgldx86.sys [5/25/2008 5:48 AM 335240]

R1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\SYSTEM32\DRIVERS\dtsoftbus01.sys [3/22/2011 4:27 PM 233024]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2/17/2010 1:25 PM 12880]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 1:41 PM 67664]

R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [6/29/2010 12:48 PM 116608]

R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [7/2/2008 11:46 AM 908056]

R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [7/2/2008 11:46 AM 297752]

R2 Iprip;RIP Listener;c:\windows\System32\svchost.exe -k netsvcs [8/4/2004 5:00 AM 14336]

R2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [11/3/2011 9:44 AM 27016]

R2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [11/3/2011 9:44 AM 497280]

R2 NTI BackupNowEZSvr;NTI BackupNowEZSvr;c:\program files\NewTech Infosystems\Backup Now EZ\BackupNowEZSvr.exe [5/8/2009 5:20 PM 45312]

S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/10/2010 10:14 AM 135664]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2/10/2010 10:14 AM 135664]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - WS2IFSL

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc

.

Contents of the 'Scheduled Tasks' folder

.

2011-12-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-10 15:14]

.

2012-01-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-10 15:14]

.

.

------- Supplementary Scan -------

.

uStart Page = https://www.google.com/

uInternet Connection Wizard,ShellNext = hxxp://www.dell.com/

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000

IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html

Trusted Zone: musicmatch.com\online

DPF: Garmin Communicator Plug-In - hxxps://static.garmincdn.com/gcp/ie/3.0.1.0/GarminAxControl.CAB

DPF: {96816368-C1E3-414D-A193-63C3CC921990} - hxxp://photoweb-radissonaruba.remotemanager.co.uk/common/activex/MJPEGRender.ocx

.

- - - - ORPHANS REMOVED - - - -

.

SafeBoot-67681228.sys

MSConfigStartUp-HPHUPD08 - c:\program files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe

MSConfigStartUp-iTunesHelper - c:\program files\iTunes\iTunesHelper.exe

MSConfigStartUp-MCAgentExe - c:\progra~1\mcafee.com\agent\McAgent.exe

MSConfigStartUp-MCUpdateExe - c:\progra~1\mcafee.com\agent\McUpdate.exe

MSConfigStartUp-mmtask - c:\program files\Musicmatch\Musicmatch Jukebox\mmtask.exe

MSConfigStartUp-OASClnt - c:\program files\McAfee.com\VSO\oasclnt.exe

MSConfigStartUp-VirusScan Online - c:\program files\McAfee.com\VSO\mcvsshld.exe

MSConfigStartUp-VSOCheckTask - c:\progra~1\McAfee.com\VSO\mcmnhdlr.exe

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2012-01-06 19:34

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{3610eda5-77ef-11d2-8dc5-00c04fa31a66}]

@DACL=(02 0000)

@="Microsoft Disk Quota"

"NoMachinePolicy"=dword:00000000

"NoUserPolicy"=dword:00000001

"NoSlowLink"=dword:00000001

"NoBackgroundPolicy"=dword:00000001

"NoGPOListChanges"=dword:00000001

"PerUserLocalSettings"=dword:00000000

"RequiresSuccessfulRegistry"=dword:00000001

"EnableAsynchronousProcessing"=dword:00000000

"DllName"=expand:"dskquota.dll"

"ProcessGroupPolicy"="ProcessGroupPolicy"

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{4CFB60C1-FAA6-47f1-89AA-0B18730C9FD3}]

@DACL=(02 0000)

@="Internet Explorer Zonemapping"

"DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll"

"ProcessGroupPolicy"="ProcessGroupPolicyForZoneMap"

"NoGPOListChanges"=dword:00000001

"RequiresSucessfulRegistry"=dword:00000001

"DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3051"

"RequiresSuccessfulRegistry"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{7B849a69-220F-451E-B3FE-2CB811AF94AE}]

@DACL=(02 0000)

@="Internet Explorer User Accelerators"

"DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3051"

"DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll"

"NoGPOListChanges"=dword:00000001

"ProcessGroupPolicy"="ProcessGroupPolicyForActivities"

"ProcessGroupPolicyEx"="ProcessGroupPolicyForActivitiesEx"

"RequiresSuccessfulRegistry"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{827D319E-6EAC-11D2-A4EA-00C04F79F83A}]

@DACL=(02 0000)

"ProcessGroupPolicy"="SceProcessSecurityPolicyGPO"

"GenerateGroupPolicy"="SceGenerateGroupPolicy"

"ExtensionRsopPlanningDebugLevel"=dword:00000001

"ProcessGroupPolicyEx"="SceProcessSecurityPolicyGPOEx"

"ExtensionDebugLevel"=dword:00000001

"DllName"=expand:"scecli.dll"

@="Security"

"NoUserPolicy"=dword:00000001

"NoGPOListChanges"=dword:00000001

"EnableAsynchronousProcessing"=dword:00000001

"MaxNoGPOListChangesInterval"=dword:000003c0

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B}]

@DACL=(02 0000)

"ProcessGroupPolicyEx"="ProcessGroupPolicyEx"

"GenerateGroupPolicy"="GenerateGroupPolicy"

"ProcessGroupPolicy"="ProcessGroupPolicy"

"DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll"

@="Internet Explorer Branding"

"NoSlowLink"=dword:00000001

"NoBackgroundPolicy"=dword:00000000

"NoGPOListChanges"=dword:00000001

"NoMachinePolicy"=dword:00000001

"DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3014"

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}]

@DACL=(02 0000)

"ProcessGroupPolicy"="SceProcessEFSRecoveryGPO"

"DllName"=expand:"scecli.dll"

@="EFS recovery"

"NoUserPolicy"=dword:00000001

"NoGPOListChanges"=dword:00000001

"RequiresSuccessfulRegistry"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{B587E2B1-4D59-4e7e-AED9-22B9DF11D053}]

@DACL=(02 0000)

@="802.3 Group Policy"

"DisplayName"=expand:"@dot3gpclnt.dll,-100"

"ProcessGroupPolicyEx"="ProcessLANPolicyEx"

"GenerateGroupPolicy"="GenerateLANPolicy"

"DllName"=expand:"dot3gpclnt.dll"

"NoUserPolicy"=dword:00000001

"NoGPOListChanges"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{C631DF4C-088F-4156-B058-4375F0853CD8}]

@DACL=(02 0000)

@="Microsoft Offline Files"

"DllName"=expand:"%SystemRoot%\\System32\\cscui.dll"

"EnableAsynchronousProcessing"=dword:00000000

"NoBackgroundPolicy"=dword:00000000

"NoGPOListChanges"=dword:00000000

"NoMachinePolicy"=dword:00000000

"NoSlowLink"=dword:00000000

"NoUserPolicy"=dword:00000001

"PerUserLocalSettings"=dword:00000000

"ProcessGroupPolicy"="ProcessGroupPolicy"

"RequiresSuccessfulRegistry"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{c6dc5466-785a-11d2-84d0-00c04fb169f7}]

@DACL=(02 0000)

@="Software Installation"

"DllName"=expand:"appmgmts.dll"

"ProcessGroupPolicyEx"="ProcessGroupPolicyObjectsEx"

"GenerateGroupPolicy"="GenerateGroupPolicy"

"NoBackgroundPolicy"=dword:00000000

"RequiresSucessfulRegistry"=dword:00000000

"NoSlowLink"=dword:00000001

"PerUserLocalSettings"=dword:00000001

"EventSources"=multi:"(Application Management,Application)\00(MsiInstaller,Application)\00\00"

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{CF7639F3-ABA2-41DB-97F2-81E2C5DBFC5D}]

@DACL=(02 0000)

@="Internet Explorer Machine Accelerators"

"DisplayName"="@c:\\WINDOWS\\system32\\iedkcs32.dll.mui,-3051"

"DllName"="c:\\WINDOWS\\system32\\iedkcs32.dll"

"NoGPOListChanges"=dword:00000001

"ProcessGroupPolicy"="ProcessGroupPolicyForActivities"

"ProcessGroupPolicyEx"="ProcessGroupPolicyForActivitiesEx"

"RequiresSuccessfulRegistry"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]

@DACL=(02 0000)

"DllName"="c:\\Program Files\\SUPERAntiSpyware\\SASWINLO.DLL"

"Logon"="SABWINLOLogon"

"Logoff"="SABWINLOLogoff"

"Startup"="SABWINLOStartup"

"Shutdown"="SABWINLOShutdown"

"Asynchronous"=dword:00000000

"Impersonate"=dword:00000000

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\avgrsstarter]

@DACL=(02 0000)

"DLLName"="avgrsstx.dll"

"Startup"="AvgStartup"

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]

@DACL=(02 0000)

"Asynchronous"=dword:00000000

"Impersonate"=dword:00000000

"DllName"=expand:"crypt32.dll"

"Logoff"="ChainWlxLogoffEvent"

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]

@DACL=(02 0000)

"Asynchronous"=dword:00000000

"Impersonate"=dword:00000000

"DllName"=expand:"cryptnet.dll"

"Logoff"="CryptnetWlxLogoffEvent"

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]

@DACL=(02 0000)

"DLLName"="cscdll.dll"

"Logon"="WinlogonLogonEvent"

"Logoff"="WinlogonLogoffEvent"

"ScreenSaver"="WinlogonScreenSaverEvent"

"Startup"="WinlogonStartupEvent"

"Shutdown"="WinlogonShutdownEvent"

"StartShell"="WinlogonStartShellEvent"

"Impersonate"=dword:00000000

"Asynchronous"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy]

@DACL=(02 0000)

"Asynchronous"=dword:00000001

"DllName"=expand:"%SystemRoot%\\System32\\dimsntfy.dll"

"Startup"="WlDimsStartup"

"Shutdown"="WlDimsShutdown"

"Logon"="WlDimsLogon"

"Logoff"="WlDimsLogoff"

"StartShell"="WlDimsStartShell"

"Lock"="WlDimsLock"

"Unlock"="WlDimsUnlock"

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]

@DACL=(02 0000)

"DLLName"="wlnotify.dll"

"Logon"="SCardStartCertProp"

"Logoff"="SCardStopCertProp"

"Lock"="SCardSuspendCertProp"

"Unlock"="SCardResumeCertProp"

"Enabled"=dword:00000001

"Impersonate"=dword:00000001

"Asynchronous"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]

@DACL=(02 0000)

"Asynchronous"=dword:00000000

"DllName"=expand:"wlnotify.dll"

"Impersonate"=dword:00000000

"StartShell"="SchedStartShell"

"Logoff"="SchedEventLogOff"

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]

@DACL=(02 0000)

"Logoff"="WLEventLogoff"

"Impersonate"=dword:00000000

"Asynchronous"=dword:00000001

"DllName"=expand:"sclgntfy.dll"

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]

@DACL=(02 0000)

"DLLName"="WlNotify.dll"

"Lock"="SensLockEvent"

"Logon"="SensLogonEvent"

"Logoff"="SensLogoffEvent"

"Safe"=dword:00000001

"MaxWait"=dword:00000258

"StartScreenSaver"="SensStartScreenSaverEvent"

"StopScreenSaver"="SensStopScreenSaverEvent"

"Startup"="SensStartupEvent"

"Shutdown"="SensShutdownEvent"

"StartShell"="SensStartShellEvent"

"PostShell"="SensPostShellEvent"

"Disconnect"="SensDisconnectEvent"

"Reconnect"="SensReconnectEvent"

"Unlock"="SensUnlockEvent"

"Impersonate"=dword:00000001

"Asynchronous"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]

@DACL=(02 0000)

"Asynchronous"=dword:00000000

"DllName"=expand:"wlnotify.dll"

"Impersonate"=dword:00000000

"Logoff"="TSEventLogoff"

"Logon"="TSEventLogon"

"PostShell"="TSEventPostShell"

"Shutdown"="TSEventShutdown"

"StartShell"="TSEventStartShell"

"Startup"="TSEventStartup"

"MaxWait"=dword:00000258

"Reconnect"="TSEventReconnect"

"Disconnect"="TSEventDisconnect"

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]

@DACL=(02 0000)

"DLLName"="wlnotify.dll"

"Logon"="RegisterTicketExpiredNotificationEvent"

"Logoff"="UnregisterTicketExpiredNotificationEvent"

"Impersonate"=dword:00000001

"Asynchronous"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]

@DACL=(02 0000)

"HelpAssistant"=dword:00000000

"TsInternetUser"=dword:00000000

"SQLAgentCmdExec"=dword:00000000

"NetShowServices"=dword:00000000

"IWAM_"=dword:00010000

"IUSR_"=dword:00010000

"VUSR_"=dword:00010000

"ASPNET"=dword:00000000

.

Completion time: 2012-01-06 19:36:39

ComboFix-quarantined-files.txt 2012-01-07 00:36

.

Pre-Run: 39,670,349,824 bytes free

Post-Run: 40,074,948,608 bytes free

.

- - End Of File - - 624DA71A73394111569B11A36621CF81


aswMBR version 0.9.9.1297 Copyright© 2011 AVAST Software

Run date: 2012-01-06 20:40:49

-----------------------------

20:40:49.140 OS Version: Windows 5.1.2600 Service Pack 3

20:40:49.140 Number of processors: 2 586 0x401

20:40:49.140 ComputerName: ANNADESKXP UserName: Anna

20:40:49.859 Initialize success

20:41:05.875 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e

20:41:05.875 Disk 0 Vendor: WDC_WD1600JD-75HBB0 08.02D08 Size: 152587MB BusType: 3

20:41:05.906 Disk 0 MBR read successfully

20:41:05.906 Disk 0 MBR scan

20:41:05.906 Disk 0 unknown MBR code

20:41:05.906 Disk 0 Partition 1 00 DE Dell Utility Dell 4.1 47 MB offset 63

20:41:05.906 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 149519 MB offset 96390

20:41:05.968 Disk 0 Partition 3 00 DB CP/M / CTOS MSWIN4.1 3020 MB offset 306311355

20:41:05.968 Disk 0 scanning sectors +312496380

20:41:06.046 Disk 0 scanning C:\WINDOWS\system32\drivers

20:41:12.390 Service scanning

20:41:13.437 Modules scanning

20:41:46.406 Module: C:\WINDOWS\system32\dla\tfsndres.sys **SUSPICIOUS**

20:42:02.140 Disk 0 trace - called modules:

20:42:02.171 ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys atapi.sys hal.dll pciide.sys PCIIDEX.SYS

20:42:02.187 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a687ab8]

20:42:02.187 3 CLASSPNP.SYS[ba168fd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP1T0L0-e[0x8a703b00]

20:42:02.187 Scan finished successfully

20:42:39.406 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Anna\Desktop\MBR.dat"

20:42:39.406 The log file has been saved successfully to "C:\Documents and Settings\Anna\Desktop\aswMBR Log.txt"


Well, I just updated all my antivirus stuff and surfed the web a little, and so far nothing out of the ordinary. I'll check back with you in a few days and see how things run from here on out. Thanks for all your help, and hopefully nothing is lurking.


Be sure to uninstall Combofix

Good job

The following will implement some cleanup procedures as well as reset System Restore points:

For XP:

  • Click START run
  • Now type ComboFix /Uninstall in the runbox and click OK. Note the space between the X and the /; it needs to be there.

For Vista / Windows 7

  • Click START Search
  • Now type ComboFix /Uninstall in the runbox and click OK. Note the space between the X and the /; it needs to be there.

If you used DeFogger

To re-enable your Emulation drivers, double click DeFogger to run the tool.

  • The application window will appear
  • Click the Re-enable button to re-enable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK

IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_enable which will appear on your desktop.

Your Emulation drivers are now re-enabled.

Here's my usual all clean post

To be on the safe side, I would also change all my passwords.

This infection appears to have been cleaned, but as the malware could be configured to run any program a remote attacker requires, it's impossible to be 100% sure that any machine is clean.

Log looks good :D

  • Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week
    (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
  • Use a Firewall - I cannot stress how important it is that you use a Firewall on your computer.
    Without a firewall your computer is susceptible to being hacked and taken over.
    I am very serious about this and see it happen almost every day with my clients.
    Simply using a Firewall in its default configuration can lower your risk greatly.
  • Using a secure browser plugin M86 SecureBrowsing makes it safe to search, surf and socialize online. This free browser plug-in displays security icons next to links on search engines and social networking sites like Facebook, Twitter and LinkedIn, so you'll know which pages are safe and which ones to avoid.
    • Free browser plug-in for Internet Explorer and Firefox
    • Real-time safety ratings
    • Ideal for Facebook, Twitter and LinkedIn
  • JAVA Click this link and click on the Free JAVA Download
  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly.
    This will ensure your computer always has the latest available security updates installed.
    If there are new updates to install, install them immediately, reboot your computer, and revisit the site
    until there are no more critical updates.

Only run one Anti-Virus and Firewall program.

I would suggest you read:

PC Safety and Security--What Do I Need?

How to Prevent Malware:

The full version of Malwarebytes' Anti-Malware could have helped protect your computer against this threat.

We use different ways of protecting your computer(s):

  • Dynamically Blocks Malware Sites & Servers
  • Malware Execution Prevention

Save yourself the hassle and get protected.
