
XP slow, redirected websites and MBAM Blocking 89.114.9.97



I have an XP Desktop with redirected web searches, slow performance and MBAM reporting that it is blocking access to websites every couple of minutes.

Here is the DDS.txt

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20

Run by tjmakes at 20:35:31 on 2012-05-10

.

============== Running Processes ===============

.

.

============== Pseudo HJT Report ===============

.

uInternet Connection Wizard,ShellNext = iexplore

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton antivirus\engine\16.8.3.6\IPSBHO.DLL

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [pronto] "c:\program files\wimba\pronto\pronto.exe"

uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10l_Plugin.exe -update plugin

mRun: [ehTray] c:\windows\ehome\ehtray.exe

mRun: [sigmatelSysTrayApp] stsystra.exe

mRun: [iAAnotif] c:\program files\intel\intel matrix storage manager\Iaanotif.exe

mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"

mRun: [intelMeM] c:\program files\intel\modem event monitor\IntelMEM.exe

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray

mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

StartupFolder: c:\docume~1\tjmakes\startm~1\programs\startup\startup.lnk - c:\program files\hook\myhook.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\eventp~1.lnk - c:\sierra\planner\PLNRnote.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wddmst~1.lnk - c:\program files\western digital\wd smartware\wd drive manager\WDDMStatus.exe

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wdsmar~1.lnk - c:\program files\western digital\wd smartware\front parlor\WDSmartWare.exe

mPolicies-explorer: NoActiveDesktop = 1 (0x1)

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

TCP: DhcpNameServer = 192.168.1.1 71.242.0.12

TCP: Interfaces\{AF2BCFCC-E41D-41B9-83CD-E1E385AD5109} : DhcpNameServer = 192.168.1.1 71.242.0.12

Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll

Notify: LMIinit - LMIinit.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

IFEO: ehshell.exe - "c:\program files\logmein\x86\LogMeInSystray.exe" -MceShellRedirect

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\tjmakes\application data\mozilla\firefox\profiles\ex69fmbj.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

FF - prefs.js: keyword.URL - hxxp://search.alot.com/web?&src_id=12190&client_id=176448126eb8180a965b1d64&camp_id=2533&install_time=2011-05-21T01:15:38Z&tb_version=2.4.16500%28F%29&pr=auto&q=

FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\ipsffplgn\components\IPSFFPl.dll

FF - component: c:\documents and settings\tjmakes\application data\mozilla\firefox\profiles\ex69fmbj.default\extensions\toolbar@alot.com\components\AlotXpcom.dll

FF - plugin: c:\documents and settings\tjmakes\application data\move networks\plugins\npqmp071500000347.dll

FF - plugin: c:\documents and settings\tjmakes\application data\move networks\plugins\npqmp071503000010.dll

FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll

.

============= SERVICES / DRIVERS ===============

.

.

=============== Created Last 30 ================

.

2012-05-11 00:22:46 -------- d-----w- C:\cf

2012-05-10 02:29:50 711240 ----a-w- c:\windows\is-AV3HJ.exe

.

==================== Find3M ====================

.

2012-04-04 19:56:40 22344 ----a-w- c:\windows\system32\drivers\mbam.sys

.

============= FINISH: 20:38:19.82 ===============

Here is the attach.txt:

.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_2011-08-26.01)

.

.

==== Disk Partitions =========================

.

.

==== Disabled Device Manager Items =============

.

==== System Restore Points ===================

.

No restore point in system.

.

==== Installed Programs ======================

.

3100_3200_3300_Help

3100_3200_3300trb

3200

3D Christmas Cottage

Acrobat.com

Adobe AIR

Adobe Flash Player 10 ActiveX

Adobe Flash Player 10 Plugin

Adobe Reader 9.4.5

Adobe Shockwave Player 11.5

AiO_Scan_CDA

AiOSoftwareNPI

Apple Application Support

Apple Mobile Device Support

Apple Software Update

ATI Control Panel

ATI Display Driver

Bonjour

BufferChm

CCleaner

Chutes and Ladders

Compatibility Pack for the 2007 Office system

Complete Care Consumer Service Agreement

CP_AtenaShokunin1Config

CP_CalendarTemplates1

CP_Package_Basic1

CP_Package_Variety1

CP_Package_Variety2

CP_Package_Variety3

CP_Panorama1Config

CueTour

Dell Driver Reset Tool

Destinations

DeviceFunctionQFolder

DeviceManagementQFolder

DocProc

DocumentViewer

DocumentViewerQFolder

ESPNMotion

eSupportQFolder

Event Planner

Fax_CDA

FullDPAppQFolder

GemMaster Mystic

Hallmark Card Studio 2

High Definition Audio Driver Package - KB835221

HijackThis 1.99.1

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)

Hotfix for Windows Media Format 11 SDK (KB929399)

Hotfix for Windows Media Player 10 (KB903157)

Hotfix for Windows XP (KB2158563)

Hotfix for Windows XP (KB2443685)

Hotfix for Windows XP (KB2570791)

Hotfix for Windows XP (KB2633952)

Hotfix for Windows XP (KB952287)

Hotfix for Windows XP (KB954550-v5)

Hotfix for Windows XP (KB961118)

Hotfix for Windows XP (KB970653-v3)

Hotfix for Windows XP (KB976098-v2)

Hotfix for Windows XP (KB979306)

Hotfix for Windows XP (KB981793)

HP Document Viewer 5.3

HP Image Zone 5.3

HP Imaging Device Functions 5.3

HP PSC & OfficeJet 5.3.A

HP Software Update

HP Solution Center & Imaging Support Tools 5.3

HPProductAssistant

InstantShareDevices

Intel® Matrix Storage Manager

Intel® PRO Network Connections Drivers

Intel® PROSet for Wired Connections

iTunes

Jacquie Lawson Advent Calendar

Jacquie Lawson London Advent Calendar

Java Auto Updater

Java 6 Update 20

Java 6 Update 5

Learning in Toyland

LogMeIn

Malwarebytes Anti-Malware version 1.61.0.1400

Microsoft .NET Framework 1.0 Hotfix (KB2572066)

Microsoft .NET Framework 1.0 Hotfix (KB953295)

Microsoft .NET Framework 1.0 Hotfix (KB979904)

Microsoft .NET Framework 1.1

Microsoft .NET Framework 1.1 Security Update (KB2656353)

Microsoft .NET Framework 1.1 Security Update (KB979906)

Microsoft .NET Framework 2.0 Service Pack 2

Microsoft .NET Framework 3.0 Service Pack 2

Microsoft .NET Framework 3.5 SP1

Microsoft Internationalized Domain Names Mitigation APIs

Microsoft National Language Support Downlevel APIs

Microsoft Office Small Business Edition 2003

Microsoft User-Mode Driver Framework Feature Pack 1.0

Microsoft Zoo Tycoon

Modem Event Monitor

Modem Helper

Modem On Hold

Move Media Player

Mozilla Firefox 10.0.2 (x86 en-US)

MSXML 4.0 SP2 (KB954430)

MSXML 4.0 SP2 (KB973688)

MSXML 6 Service Pack 2 (KB954459)

NewCopy_CDA

Night Before Christmas

Norton AntiVirus

Otto

PanoStandAlone

PhotoGallery

PowerDVD 5.5

ProductContextNPI

Pronto 3.1.0-D

QualXServ Service Agreement

QuickTime

RandMap

Readme

Registry Mechanic 10.0

Safari

Scan

ScannerCopy

Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)

Security Update for Microsoft Windows (KB2564958)

Security Update for Windows Internet Explorer 7 (KB938127-v2)

Security Update for Windows Internet Explorer 7 (KB963027)

Security Update for Windows Internet Explorer 7 (KB969897)

Security Update for Windows Internet Explorer 7 (KB972260)

Security Update for Windows Internet Explorer 7 (KB974455)

Security Update for Windows Internet Explorer 7 (KB976325)

Security Update for Windows Internet Explorer 7 (KB978207)

Security Update for Windows Internet Explorer 8 (KB2183461)

Security Update for Windows Internet Explorer 8 (KB2360131)

Security Update for Windows Internet Explorer 8 (KB2416400)

Security Update for Windows Internet Explorer 8 (KB2482017)

Security Update for Windows Internet Explorer 8 (KB2497640)

Security Update for Windows Internet Explorer 8 (KB2510531)

Security Update for Windows Internet Explorer 8 (KB2530548)

Security Update for Windows Internet Explorer 8 (KB2544521)

Security Update for Windows Internet Explorer 8 (KB2559049)

Security Update for Windows Internet Explorer 8 (KB2586448)

Security Update for Windows Internet Explorer 8 (KB2618444)

Security Update for Windows Internet Explorer 8 (KB971961)

Security Update for Windows Internet Explorer 8 (KB981332)

Security Update for Windows Internet Explorer 8 (KB982381)

Security Update for Windows Media Player (KB2378111)

Security Update for Windows Media Player (KB911564)

Security Update for Windows Media Player (KB952069)

Security Update for Windows Media Player (KB954155)

Security Update for Windows Media Player (KB968816)

Security Update for Windows Media Player (KB973540)

Security Update for Windows Media Player (KB975558)

Security Update for Windows Media Player (KB978695)

Security Update for Windows Media Player 10 (KB936782)

Security Update for Windows Media Player 6.4 (KB925398)

Security Update for Windows XP (KB2079403)

Security Update for Windows XP (KB2115168)

Security Update for Windows XP (KB2121546)

Security Update for Windows XP (KB2160329)

Security Update for Windows XP (KB2229593)

Security Update for Windows XP (KB2259922)

Security Update for Windows XP (KB2279986)

Security Update for Windows XP (KB2286198)

Security Update for Windows XP (KB2296011)

Security Update for Windows XP (KB2296199)

Security Update for Windows XP (KB2347290)

Security Update for Windows XP (KB2360937)

Security Update for Windows XP (KB2387149)

Security Update for Windows XP (KB2393802)

Security Update for Windows XP (KB2412687)

Security Update for Windows XP (KB2419632)

Security Update for Windows XP (KB2423089)

Security Update for Windows XP (KB2436673)

Security Update for Windows XP (KB2440591)

Security Update for Windows XP (KB2443105)

Security Update for Windows XP (KB2476490)

Security Update for Windows XP (KB2476687)

Security Update for Windows XP (KB2478960)

Security Update for Windows XP (KB2478971)

Security Update for Windows XP (KB2479628)

Security Update for Windows XP (KB2481109)

Security Update for Windows XP (KB2483185)

Security Update for Windows XP (KB2485376)

Security Update for Windows XP (KB2485663)

Security Update for Windows XP (KB2491683)

Security Update for Windows XP (KB2503658)

Security Update for Windows XP (KB2503665)

Security Update for Windows XP (KB2506212)

Security Update for Windows XP (KB2506223)

Security Update for Windows XP (KB2507618)

Security Update for Windows XP (KB2507938)

Security Update for Windows XP (KB2508272)

Security Update for Windows XP (KB2508429)

Security Update for Windows XP (KB2509553)

Security Update for Windows XP (KB2511455)

Security Update for Windows XP (KB2524375)

Security Update for Windows XP (KB2535512)

Security Update for Windows XP (KB2536276-v2)

Security Update for Windows XP (KB2536276)

Security Update for Windows XP (KB2544893-v2)

Security Update for Windows XP (KB2544893)

Security Update for Windows XP (KB2555917)

Security Update for Windows XP (KB2562937)

Security Update for Windows XP (KB2566454)

Security Update for Windows XP (KB2567053)

Security Update for Windows XP (KB2567680)

Security Update for Windows XP (KB2570222)

Security Update for Windows XP (KB2570947)

Security Update for Windows XP (KB2584146)

Security Update for Windows XP (KB2585542)

Security Update for Windows XP (KB2592799)

Security Update for Windows XP (KB2598479)

Security Update for Windows XP (KB2603381)

Security Update for Windows XP (KB2618451)

Security Update for Windows XP (KB2620712)

Security Update for Windows XP (KB2624667)

Security Update for Windows XP (KB2631813)

Security Update for Windows XP (KB2633171)

Security Update for Windows XP (KB2639417)

Security Update for Windows XP (KB2646524)

Security Update for Windows XP (KB923561)

Security Update for Windows XP (KB923689)

Security Update for Windows XP (KB938464-v2)

Security Update for Windows XP (KB941569)

Security Update for Windows XP (KB946648)

Security Update for Windows XP (KB950760)

Security Update for Windows XP (KB950762)

Security Update for Windows XP (KB950974)

Security Update for Windows XP (KB951066)

Security Update for Windows XP (KB951376-v2)

Security Update for Windows XP (KB951698)

Security Update for Windows XP (KB951748)

Security Update for Windows XP (KB952004)

Security Update for Windows XP (KB952954)

Security Update for Windows XP (KB954459)

Security Update for Windows XP (KB954600)

Security Update for Windows XP (KB955069)

Security Update for Windows XP (KB956572)

Security Update for Windows XP (KB956744)

Security Update for Windows XP (KB956802)

Security Update for Windows XP (KB956803)

Security Update for Windows XP (KB956841)

Security Update for Windows XP (KB956844)

Security Update for Windows XP (KB957097)

Security Update for Windows XP (KB958215)

Security Update for Windows XP (KB958644)

Security Update for Windows XP (KB958687)

Security Update for Windows XP (KB958690)

Security Update for Windows XP (KB958869)

Security Update for Windows XP (KB959426)

Security Update for Windows XP (KB960225)

Security Update for Windows XP (KB960714)

Security Update for Windows XP (KB960715)

Security Update for Windows XP (KB960803)

Security Update for Windows XP (KB960859)

Security Update for Windows XP (KB961371)

Security Update for Windows XP (KB961373)

Security Update for Windows XP (KB961501)

Security Update for Windows XP (KB968537)

Security Update for Windows XP (KB969059)

Security Update for Windows XP (KB969898)

Security Update for Windows XP (KB969947)

Security Update for Windows XP (KB970238)

Security Update for Windows XP (KB970430)

Security Update for Windows XP (KB971468)

Security Update for Windows XP (KB971486)

Security Update for Windows XP (KB971557)

Security Update for Windows XP (KB971633)

Security Update for Windows XP (KB971657)

Security Update for Windows XP (KB971961)

Security Update for Windows XP (KB972270)

Security Update for Windows XP (KB973346)

Security Update for Windows XP (KB973354)

Security Update for Windows XP (KB973507)

Security Update for Windows XP (KB973525)

Security Update for Windows XP (KB973869)

Security Update for Windows XP (KB973904)

Security Update for Windows XP (KB974112)

Security Update for Windows XP (KB974318)

Security Update for Windows XP (KB974392)

Security Update for Windows XP (KB974571)

Security Update for Windows XP (KB975025)

Security Update for Windows XP (KB975467)

Security Update for Windows XP (KB975560)

Security Update for Windows XP (KB975561)

Security Update for Windows XP (KB975562)

Security Update for Windows XP (KB975713)

Security Update for Windows XP (KB977816)

Security Update for Windows XP (KB977914)

Security Update for Windows XP (KB978037)

Security Update for Windows XP (KB978262)

Security Update for Windows XP (KB978338)

Security Update for Windows XP (KB978542)

Security Update for Windows XP (KB978601)

Security Update for Windows XP (KB978706)

Security Update for Windows XP (KB979309)

Security Update for Windows XP (KB979482)

Security Update for Windows XP (KB979559)

Security Update for Windows XP (KB979683)

Security Update for Windows XP (KB979687)

Security Update for Windows XP (KB980195)

Security Update for Windows XP (KB980218)

Security Update for Windows XP (KB980232)

Security Update for Windows XP (KB980436)

Security Update for Windows XP (KB981322)

Security Update for Windows XP (KB981349)

Security Update for Windows XP (KB981852)

Security Update for Windows XP (KB981957)

Security Update for Windows XP (KB981997)

Security Update for Windows XP (KB982132)

Security Update for Windows XP (KB982214)

Security Update for Windows XP (KB982665)

Security Update for Windows XP (KB982802)

SkinsHP1

Snowing

SolutionCenter

Sonic Encoders

Sonic_PrimoSDK

Spelling Dictionaries Support For Adobe Reader 9

Status

SUPERAntiSpyware Free Edition

The Game Of Life

TrayApp

Unload

Update for Microsoft .NET Framework 3.5 SP1 (KB963707)

Update for Microsoft Windows (KB971513)

Update for Windows Internet Explorer 7 (KB976749)

Update for Windows Internet Explorer 7 (KB980182)

Update for Windows Internet Explorer 8 (KB976662)

Update for Windows Internet Explorer 8 (KB980182)

Update for Windows Internet Explorer 8 (KB980302)

Update for Windows Media Player 10 (KB910393)

Update for Windows Media Player 10 (KB913800)

Update for Windows Media Player 10 (KB926251)

Update for Windows XP (KB2141007)

Update for Windows XP (KB2345886)

Update for Windows XP (KB2467659)

Update for Windows XP (KB2541763)

Update for Windows XP (KB2607712)

Update for Windows XP (KB2616676)

Update for Windows XP (KB2641690)

Update for Windows XP (KB951978)

Update for Windows XP (KB955759)

Update for Windows XP (KB955839)

Update for Windows XP (KB967715)

Update for Windows XP (KB968389)

Update for Windows XP (KB971029)

Update for Windows XP (KB971737)

Update for Windows XP (KB973687)

Update for Windows XP (KB973815)

Update Rollup 2 for Windows XP Media Center Edition 2005

Verizon Media Manager

VoiceOver Kit

Vz In Home Agent

WD SmartWare

WebFldrs XP

WebReg

Windows Genuine Advantage Validation Tool (KB892130)

Windows Installer 3.1 (KB893803)

Windows Internet Explorer 7

Windows Internet Explorer 8

Windows Media Format 11 runtime

Windows Media Player 10 Hotfix [see EmeraldQFE2 for more information]

Windows XP Media Center Edition 2005 KB2502898

Windows XP Media Center Edition 2005 KB2619340

Windows XP Media Center Edition 2005 KB2628259

Windows XP Media Center Edition 2005 KB908246

Windows XP Media Center Edition 2005 KB912067

Windows XP Media Center Edition 2005 KB973768

Windows XP Service Pack 3

Zoo Vet

.

==== End Of File ===========================

I have run a MBAM scan and Norton AV scan.

Thanks! This is getting frustrating. I was also getting reports from people that said my Verizon mail was sending them spam.

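When a helper reads a DDS log like the one above, the lines looked at first are the autostarts (uRun/mRun/RunOnce, StartupFolder), the DHCP-assigned DNS servers, any IFEO redirect, and the Firefox prefs that decide where searches go. The script below is an added example written for this thread; it is not part of DDS, Malwarebytes, or either poster's material. It parses exactly those DDS line formats, using a handful of lines copied from the log above as constructed sample input, and emits review findings rather than verdicts. The finding categories, the allow-listed path roots and the "public resolver" rule are the script's own assumptions, not anything DDS itself reports.

```python
"""Triage helper for the autostart, DNS, IFEO and Firefox lines of a DDS log.

Added example for this thread (not DDS or Malwarebytes code). It surfaces the
entries a helper reviews first; it does not decide what is malicious.
"""
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample: lines copied from the DDS output posted above.
SAMPLE_DDS = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [pronto] "c:\program files\wimba\pronto\pronto.exe"
mRun: [sigmatelSysTrayApp] stsystra.exe
mRun: [iAAnotif] c:\program files\intel\intel matrix storage manager\Iaanotif.exe
StartupFolder: c:\docume~1\tjmakes\startm~1\programs\startup\startup.lnk - c:\program files\hook\myhook.exe
TCP: DhcpNameServer = 192.168.1.1 71.242.0.12
IFEO: ehshell.exe - "c:\program files\logmein\x86\LogMeInSystray.exe" -MceShellRedirect
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.alot.com/web?&src_id=12190&q=
"""

RUN_RE = re.compile(r"^(?P<key>[um]Run(?:Once)?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
STARTUP_RE = re.compile(r"^StartupFolder: (?P<lnk>.+?) - (?P<target>.+)$")
DNS_RE = re.compile(r"^TCP: (?:Interfaces\\\{[^}]+\} : )?DhcpNameServer = (?P<servers>.+)$")
IFEO_RE = re.compile(r"^IFEO: (?P<exe>\S+) - (?P<cmd>.+)$")
FFPREF_RE = re.compile(r"^FF - prefs\.js: (?P<pref>\S+) - (?P<value>.+)$")
# First executable-looking token of a command line; DDS leaves paths with spaces unquoted.
EXE_RE = re.compile(r'^"?(?P<path>.+?\.(?:exe|com|dll|scr|bat|cmd|pif))(?:"|\s|$)', re.IGNORECASE)

# Assumed roots where autostarts on this machine normally live; anything else gets a finding.
EXPECTED_ROOTS = ("c:\\windows\\system32\\", "c:\\windows\\ehome\\", "c:\\program files\\")


def exe_path(cmd):
    """Return the executable path from a DDS command string, lower-cased."""
    m = EXE_RE.match(cmd.strip())
    return m.group("path").lower() if m else cmd.strip().lower()


def refang_host(url):
    """DDS writes hxxp:// so URLs are not clickable; undo that and return the host."""
    return urlparse(url.replace("hxxp", "http", 1)).hostname or ""


def parse_dds(text):
    """Split DDS lines into autostarts, DNS servers, IFEO entries and Firefox prefs."""
    report = {"autostarts": [], "dns": [], "ifeo": [], "ffprefs": {}}
    for line in text.splitlines():
        line = line.strip()
        if m := RUN_RE.match(line):
            report["autostarts"].append(
                {"source": m["key"], "name": m["name"], "path": exe_path(m["cmd"])})
        elif m := STARTUP_RE.match(line):
            report["autostarts"].append(
                {"source": "StartupFolder", "name": m["lnk"].rsplit("\\", 1)[-1],
                 "path": exe_path(m["target"])})
        elif m := DNS_RE.match(line):
            for ip in m["servers"].split():
                if ip not in report["dns"]:
                    report["dns"].append(ip)
        elif m := IFEO_RE.match(line):
            report["ifeo"].append({"exe": m["exe"], "path": exe_path(m["cmd"])})
        elif m := FFPREF_RE.match(line):
            report["ffprefs"][m["pref"]] = m["value"]
    return report


def triage(text):
    """Parse the log and attach (category, detail) findings for a human to review."""
    report = parse_dds(text)
    findings = []
    for entry in report["autostarts"]:
        # Bare file names (resolved via PATH) and unexpected directories both land here.
        if not entry["path"].startswith(EXPECTED_ROOTS):
            findings.append(("autostart-location", f'{entry["source"]} {entry["name"]} -> {entry["path"]}'))
    for ip in report["dns"]:
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append(("dns-unparseable", ip))
            continue
        if not addr.is_private:
            # A public resolver handed out by DHCP: confirm it belongs to the ISP,
            # because DNS-changing malware and rogue routers redirect lookups this way.
            findings.append(("dns-public-resolver", ip))
    for entry in report["ifeo"]:
        # Image File Execution Options redirects run another binary in place of the named one.
        findings.append(("ifeo-redirect", f'{entry["exe"]} -> {entry["path"]}'))
    home = refang_host(report["ffprefs"].get("browser.startup.homepage", ""))
    search = refang_host(report["ffprefs"].get("keyword.URL", ""))
    if search and search != home:
        findings.append(("firefox-search-provider", f"keyword.URL -> {search} (homepage {home})"))
    report["findings"] = findings
    return report


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_DDS)["findings"]:
        print(f"{category:26} {detail}")
```

Run against the sample it flags the PATH-resolved `stsystra.exe` autostart, the public resolver `71.242.0.12` (to be checked against the ISP's published servers), the LogMeIn IFEO redirect, and a Firefox search provider (`search.alot.com`) that differs from the home page. Each is a pointer for the helper, not a verdict; the same output on a clean machine would simply be confirmed and closed.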

Hello and welcome!

Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!

  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan.
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.


Thanks - All steps completed.

After reboot it's already running "snappier" :) I haven't seen any blocked access IP messages yet. Opening Windows Explorer seemed a little slow, but not horrible.

Log file:

13:52:57.0678 5996 TDSS rootkit removing tool 2.7.34.0 May 2 2012 09:59:18

13:52:58.0350 5996 ============================================================

13:52:58.0350 5996 Current date / time: 2012/05/11 13:52:58.0350

13:52:58.0350 5996 SystemInfo:

13:52:58.0350 5996

13:52:58.0350 5996 OS Version: 5.1.2600 ServicePack: 3.0

13:52:58.0350 5996 Product type: Workstation

13:52:58.0350 5996 ComputerName: D4Z3MZ81

13:52:58.0350 5996 UserName: tjmakes

13:52:58.0350 5996 Windows directory: C:\WINDOWS

13:52:58.0350 5996 System windows directory: C:\WINDOWS

13:52:58.0350 5996 Processor architecture: Intel x86

13:52:58.0350 5996 Number of processors: 2

13:52:58.0350 5996 Page size: 0x1000

13:52:58.0350 5996 Boot type: Normal boot

13:52:58.0350 5996 ============================================================

13:53:02.0506 5996 Drive \Device\Harddisk0\DR0 - Size: 0x2540BE4000 (149.01 Gb), SectorSize: 0x200, Cylinders: 0x4BFC, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000050

13:53:02.0506 5996 ============================================================

13:53:02.0506 5996 \Device\Harddisk0\DR0:

13:53:02.0584 5996 MBR partitions:

13:53:02.0584 5996 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x139C5, BlocksNum 0x11F301F9

13:53:02.0584 5996 ============================================================

13:53:02.0975 5996 C: <-> \Device\Harddisk0\DR0\Partition0

13:53:02.0975 5996 ============================================================

13:53:02.0975 5996 Initialize success

13:53:02.0975 5996 ============================================================

13:53:12.0085 4344 ============================================================

13:53:12.0085 4344 Scan started

13:53:12.0085 4344 Mode: Manual;

13:53:12.0085 4344 ============================================================

13:53:13.0819 4344 Abiosdsk - ok

13:53:14.0038 4344 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS

13:53:14.0179 4344 abp480n5 - ok

13:53:14.0288 4344 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys

13:53:14.0335 4344 ACPI - ok

13:53:14.0476 4344 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys

13:53:14.0507 4344 ACPIEC - ok

13:53:14.0695 4344 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys

13:53:14.0773 4344 adpu160m - ok

13:53:14.0820 4344 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys

13:53:15.0007 4344 aec - ok

13:53:15.0070 4344 AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys

13:53:15.0085 4344 AFD - ok

13:53:15.0226 4344 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys

13:53:15.0273 4344 agp440 - ok

13:53:15.0429 4344 agpCPQ (03a7e0922acfe1b07d5db2eeb0773063) C:\WINDOWS\system32\DRIVERS\agpCPQ.sys

13:53:15.0460 4344 agpCPQ - ok

13:53:15.0804 4344 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\system32\DRIVERS\aha154x.sys

13:53:15.0991 4344 Aha154x - ok

13:53:16.0460 4344 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys

13:53:16.0632 4344 aic78u2 - ok

13:53:16.0632 4344 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys

13:53:16.0695 4344 aic78xx - ok

13:53:17.0413 4344 Alerter (a9a3daa780ca6c9671a19d52456705b4) C:\WINDOWS\system32\alrsvc.dll

13:53:17.0492 4344 Alerter - ok

13:53:17.0523 4344 ALG (8c515081584a38aa007909cd02020b3d) C:\WINDOWS\System32\alg.exe

13:53:17.0523 4344 ALG - ok

13:53:17.0585 4344 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys

13:53:17.0617 4344 AliIde - ok

13:53:17.0726 4344 alim1541 (cb08aed0de2dd889a8a820cd8082d83c) C:\WINDOWS\system32\DRIVERS\alim1541.sys

13:53:17.0742 4344 alim1541 - ok

13:53:17.0867 4344 amdagp (95b4fb835e28aa1336ceeb07fd5b9398) C:\WINDOWS\system32\DRIVERS\amdagp.sys

13:53:17.0898 4344 amdagp - ok

13:53:18.0038 4344 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\system32\DRIVERS\amsint.sys

13:53:18.0179 4344 amsint - ok

13:53:18.0335 4344 Apple Mobile Device (2e3e53a6aef23e24f402c7855b9b1542) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

13:53:18.0789 4344 Apple Mobile Device - ok

13:53:18.0914 4344 AppMgmt (d8849f77c0b66226335a59d26cb4edc6) C:\WINDOWS\System32\appmgmts.dll

13:53:18.0945 4344 AppMgmt - ok

13:53:19.0085 4344 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\system32\DRIVERS\asc.sys

13:53:19.0117 4344 asc - ok

13:53:19.0132 4344 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\system32\DRIVERS\asc3350p.sys

13:53:19.0132 4344 asc3350p - ok

13:53:19.0367 4344 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\system32\DRIVERS\asc3550.sys

13:53:19.0398 4344 asc3550 - ok

13:53:19.0617 4344 aspnet_state (0e5e4957549056e2bf2c49f4f6b601ad) C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe

13:53:19.0664 4344 aspnet_state - ok

13:53:19.0710 4344 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys

13:53:19.0726 4344 AsyncMac - ok

13:53:19.0789 4344 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys

13:53:19.0835 4344 atapi - ok

13:53:19.0867 4344 Atdisk - ok

13:53:19.0929 4344 Ati HotKey Poller (abc57a6f6070baf9786c318f59f29f0b) C:\WINDOWS\system32\Ati2evxx.exe

13:53:20.0164 4344 Ati HotKey Poller - ok

13:53:20.0367 4344 ati2mtag (03621f7f968ff63713943405deb777f9) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys

13:53:20.0445 4344 ati2mtag - ok

13:53:20.0554 4344 atinewp2 (34e74fab657dc47031330dfa30ee7e38) C:\WINDOWS\system32\DRIVERS\atinewp2.sys

13:53:20.0601 4344 atinewp2 - ok

13:53:20.0679 4344 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys

13:53:20.0711 4344 Atmarpc - ok

13:53:20.0804 4344 AudioSrv (def7a7882bec100fe0b2ce2549188f9d) C:\WINDOWS\System32\audiosrv.dll

13:53:20.0820 4344 AudioSrv - ok

13:53:20.0929 4344 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys

13:53:20.0976 4344 audstub - ok

13:53:21.0039 4344 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys

13:53:21.0039 4344 Beep - ok

13:53:21.0726 4344 BHDrvx86 (76154fa6a742c613b44bb636b1a7c057) C:\WINDOWS\System32\Drivers\NAV\1008030.006\BHDrvx86.sys

13:53:21.0820 4344 BHDrvx86 - ok

13:53:21.0961 4344 BITS (574738f61fca2935f5265dc4e5691314) C:\WINDOWS\system32\qmgr.dll

13:53:22.0383 4344 BITS - ok

13:53:22.0508 4344 Bonjour Service (5ab58c337ac65837fe404462ad6265ab) C:\Program Files\Bonjour\mDNSResponder.exe

13:53:22.0679 4344 Bonjour Service - ok

13:53:22.0789 4344 Browser (a06ce3399d16db864f55faeb1f1927a9) C:\WINDOWS\System32\browser.dll

13:53:22.0789 4344 Browser - ok

13:53:22.0789 4344 bvrp_pci - ok

13:53:23.0039 4344 catchme - ok

13:53:23.0101 4344 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\DRIVERS\cbidf2k.sys

13:53:23.0164 4344 cbidf - ok

13:53:23.0164 4344 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys

13:53:23.0179 4344 cbidf2k - ok

13:53:23.0242 4344 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys

13:53:23.0273 4344 CCDECODE - ok

13:53:23.0492 4344 ccHP (3182b846490dc4d71fabd4a8cb6b73ea) C:\WINDOWS\System32\Drivers\NAV\1008030.006\ccHPx86.sys

13:53:23.0523 4344 ccHP - ok

13:53:23.0664 4344 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\system32\DRIVERS\cd20xrnt.sys

13:53:23.0742 4344 cd20xrnt - ok

13:53:23.0804 4344 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys

13:53:23.0804 4344 Cdaudio - ok

13:53:23.0851 4344 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys

13:53:23.0898 4344 Cdfs - ok

13:53:23.0961 4344 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys

13:53:24.0039 4344 Cdrom - ok

13:53:24.0039 4344 Changer - ok

13:53:24.0883 4344 CiSvc (1cfe720eb8d93a7158a4ebc3ab178bde) C:\WINDOWS\system32\cisvc.exe

13:53:24.0930 4344 CiSvc - ok

13:53:24.0961 4344 ClipSrv (34cbe729f38138217f9c80212a2a0c82) C:\WINDOWS\system32\clipsrv.exe

13:53:24.0976 4344 ClipSrv - ok

13:53:25.0336 4344 clr_optimization_v2.0.50727_32 (d87acaed61e417bba546ced5e7e36d9c) c:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

13:53:25.0789 4344 clr_optimization_v2.0.50727_32 - ok

13:53:26.0039 4344 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\system32\DRIVERS\cmdide.sys

13:53:26.0242 4344 CmdIde - ok

13:53:26.0258 4344 COMSysApp - ok

13:53:26.0508 4344 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\system32\DRIVERS\cpqarray.sys

13:53:26.0523 4344 Cpqarray - ok

13:53:26.0586 4344 CryptSvc (3d4e199942e29207970e04315d02ad3b) C:\WINDOWS\System32\cryptsvc.dll

13:53:27.0039 4344 CryptSvc - ok

13:53:27.0398 4344 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\system32\DRIVERS\dac2w2k.sys

13:53:27.0570 4344 dac2w2k - ok

13:53:27.0617 4344 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\system32\DRIVERS\dac960nt.sys

13:53:27.0633 4344 dac960nt - ok

13:53:27.0680 4344 DcomLaunch (6b27a5c03dfb94b4245739065431322c) C:\WINDOWS\system32\rpcss.dll

13:53:27.0899 4344 DcomLaunch - ok

13:53:27.0961 4344 Dhcp (5e38d7684a49cacfb752b046357e0589) C:\WINDOWS\System32\dhcpcsvc.dll

13:53:27.0961 4344 Dhcp - ok

13:53:28.0024 4344 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys

13:53:28.0102 4344 Disk - ok

13:53:28.0102 4344 dmadmin - ok

13:53:28.0555 4344 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys

13:53:28.0680 4344 dmboot - ok

13:53:28.0789 4344 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys

13:53:28.0914 4344 dmio - ok

13:53:28.0945 4344 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys

13:53:28.0992 4344 dmload - ok

13:53:29.0086 4344 dmserver (57edec2e5f59f0335e92f35184bc8631) C:\WINDOWS\System32\dmserver.dll

13:53:29.0086 4344 dmserver - ok

13:53:29.0149 4344 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys

13:53:29.0149 4344 DMusic - ok

13:53:29.0274 4344 Dnscache (5f7e24fa9eab896051ffb87f840730d2) C:\WINDOWS\System32\dnsrslvr.dll

13:53:29.0274 4344 Dnscache - ok

13:53:29.0336 4344 Dot3svc (0f0f6e687e5e15579ef4da8dd6945814) C:\WINDOWS\System32\dot3svc.dll

13:53:29.0461 4344 Dot3svc - ok

13:53:29.0539 4344 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\system32\DRIVERS\dpti2o.sys

13:53:29.0617 4344 dpti2o - ok

13:53:29.0633 4344 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys

13:53:29.0633 4344 drmkaud - ok

13:53:29.0680 4344 E100B (3fca03cbca11269f973b70fa483c88ef) C:\WINDOWS\system32\DRIVERS\e100b325.sys

13:53:29.0977 4344 E100B - ok

13:53:30.0211 4344 e1express (5b75bbf89d8341f424171df7ad9dc465) C:\WINDOWS\system32\DRIVERS\e1e5132.sys

13:53:30.0430 4344 e1express - ok

13:53:30.0492 4344 EapHost (2187855a7703adef0cef9ee4285182cc) C:\WINDOWS\System32\eapsvc.dll

13:53:30.0508 4344 EapHost - ok

13:53:30.0680 4344 eeCtrl (579a6b6135d32b857faf0e3a974535d8) C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys

13:53:30.0742 4344 eeCtrl - ok

13:53:31.0102 4344 ehRecvr (d039a0c347632622934906bd59a4e1ea) C:\WINDOWS\eHome\ehRecvr.exe

13:53:31.0117 4344 ehRecvr - ok

13:53:31.0321 4344 ehSched (a53243709439ac2a4c216b817f8d7411) C:\WINDOWS\eHome\ehSched.exe

13:53:31.0321 4344 ehSched - ok

13:53:31.0555 4344 EraserUtilRebootDrv (028d50f059bd0d2ccb209e9011b9a9a4) C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys

13:53:31.0774 4344 EraserUtilRebootDrv - ok

13:53:31.0868 4344 ERSvc (bc93b4a066477954555966d77fec9ecb) C:\WINDOWS\System32\ersvc.dll

13:53:31.0868 4344 ERSvc - ok

13:53:31.0914 4344 Eventlog (65df52f5b8b6e9bbd183505225c37315) C:\WINDOWS\system32\services.exe

13:53:31.0914 4344 Eventlog - ok

13:53:32.0039 4344 EventSystem (d4991d98f2db73c60d042f1aef79efae) C:\WINDOWS\system32\es.dll

13:53:32.0055 4344 EventSystem - ok

13:53:33.0602 4344 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys

13:53:33.0836 4344 Fastfat - ok

13:53:34.0008 4344 FastUserSwitchingCompatibility (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll

13:53:34.0040 4344 FastUserSwitchingCompatibility - ok

13:53:34.0118 4344 Fax (e97d6a8684466df94ff3bc24fb787a07) C:\WINDOWS\system32\fxssvc.exe

13:53:34.0133 4344 Fax - ok

13:53:34.0196 4344 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys

13:53:34.0227 4344 Fdc - ok

13:53:34.0258 4344 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys

13:53:34.0258 4344 Fips - ok

13:53:34.0555 4344 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys

13:53:34.0680 4344 Flpydisk - ok

13:53:34.0743 4344 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys

13:53:34.0790 4344 FltMgr - ok

13:53:35.0024 4344 FontCache3.0.0.0 (8ba7c024070f2b7fdd98ed8a4ba41789) c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe

13:53:35.0086 4344 FontCache3.0.0.0 - ok

13:53:35.0165 4344 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys

13:53:35.0165 4344 Fs_Rec - ok

13:53:35.0227 4344 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys

13:53:35.0477 4344 Ftdisk - ok

13:53:35.0524 4344 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys

13:53:35.0665 4344 GEARAspiWDM - ok

13:53:35.0774 4344 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys

13:53:36.0008 4344 Gpc - ok

13:53:36.0055 4344 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys

13:53:36.0368 4344 HDAudBus - ok

13:53:36.0540 4344 helpsvc (4fcca060dfe0c51a09dd5c3843888bcd) C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll

13:53:36.0555 4344 helpsvc - ok

13:53:36.0805 4344 HidServ (deb04da35cc871b6d309b77e1443c796) C:\WINDOWS\System32\hidserv.dll

13:53:36.0805 4344 HidServ - ok

13:53:36.0930 4344 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys

13:53:37.0055 4344 HidUsb - ok

13:53:37.0759 4344 hkmsvc (8878bd685e490239777bfe51320b88e9) C:\WINDOWS\System32\kmsvc.dll

13:53:38.0055 4344 hkmsvc - ok

13:53:38.0321 4344 hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\system32\DRIVERS\hpn.sys

13:53:38.0540 4344 hpn - ok

13:53:38.0602 4344 HPZid412 (9f1d80908658eb7f1bf70809e0b51470) C:\WINDOWS\system32\DRIVERS\HPZid412.sys

13:53:38.0759 4344 HPZid412 - ok

13:53:38.0774 4344 HPZipr12 (f7e3e9d50f9cd3de28085a8fdaa0a1c3) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys

13:53:38.0821 4344 HPZipr12 - ok

13:53:38.0946 4344 HPZius12 (cf1b7951b4ec8d13f3c93b74bb2b461b) C:\WINDOWS\system32\DRIVERS\HPZius12.sys

13:53:39.0024 4344 HPZius12 - ok

13:53:39.0071 4344 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys

13:53:39.0071 4344 HTTP - ok

13:53:39.0368 4344 HTTPFilter (6100a808600f44d999cebdef8841c7a3) C:\WINDOWS\System32\w3ssl.dll

13:53:39.0602 4344 HTTPFilter - ok

13:53:39.0634 4344 i2omgmt (9368670bd426ebea5e8b18a62416ec28) C:\WINDOWS\system32\drivers\i2omgmt.sys

13:53:39.0665 4344 i2omgmt - ok

13:53:39.0712 4344 i2omp (f10863bf1ccc290babd1a09188ae49e0) C:\WINDOWS\system32\DRIVERS\i2omp.sys

13:53:39.0993 4344 i2omp - ok

13:53:40.0024 4344 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys

13:53:40.0040 4344 i8042prt - ok

13:53:40.0806 4344 IAANTMON (b122be74e283a2bc7febc180bfd2efd5) C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe

13:53:41.0118 4344 IAANTMON - ok

13:53:41.0384 4344 iaStor (019cf5f31c67030841233c545a0e217a) C:\WINDOWS\system32\drivers\iaStor.sys

13:53:41.0384 4344 iaStor - ok

13:53:42.0368 4344 idsvc (c01ac32dc5c03076cfb852cb5da5229c) c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe

13:53:42.0478 4344 idsvc - ok

13:53:42.0743 4344 IDSxpx86 (c924bf6d42b3d9292268ff1998596bd1) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\ipsdefs\20120510.001\IDSxpx86.sys

13:53:43.0149 4344 IDSxpx86 - ok

13:53:43.0743 4344 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys

13:53:43.0759 4344 Imapi - ok

13:53:43.0821 4344 ImapiService (30deaf54a9755bb8546168cfe8a6b5e1) C:\WINDOWS\system32\imapi.exe

13:53:43.0837 4344 ImapiService - ok

13:53:44.0118 4344 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\system32\DRIVERS\ini910u.sys

13:53:44.0493 4344 ini910u - ok

13:53:44.0493 4344 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys

13:53:44.0728 4344 IntelIde - ok

13:53:44.0775 4344 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys

13:53:44.0806 4344 intelppm - ok

13:53:44.0993 4344 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys

13:53:45.0150 4344 Ip6Fw - ok

13:53:45.0447 4344 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys

13:53:45.0462 4344 IpFilterDriver - ok

13:53:45.0556 4344 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys

13:53:45.0603 4344 IpInIp - ok

13:53:45.0697 4344 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys

13:53:45.0962 4344 IpNat - ok

13:53:46.0259 4344 iPod Service (8f610078437a459948480407f4db91ea) C:\Program Files\iPod\bin\iPodService.exe

13:53:46.0462 4344 iPod Service - ok

13:53:46.0478 4344 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys

13:53:46.0478 4344 IPSec - ok

13:53:46.0978 4344 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys

13:53:47.0072 4344 IRENUM - ok

13:53:47.0478 4344 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys

13:53:47.0556 4344 isapnp - ok

13:53:47.0681 4344 JavaQuickStarterService (1834c96fb1f9280bcf6ddfa6de8338bf) C:\Program Files\Java\jre6\bin\jqs.exe

13:53:47.0869 4344 JavaQuickStarterService - ok

13:53:47.0884 4344 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys

13:53:47.0915 4344 Kbdclass - ok

13:53:47.0931 4344 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys

13:53:47.0931 4344 kbdhid - ok

13:53:48.0009 4344 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys

13:53:48.0009 4344 kmixer - ok

13:53:48.0103 4344 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys

13:53:48.0103 4344 KSecDD - ok

13:53:48.0150 4344 lanmanserver (3a7c3cbe5d96b8ae96ce81f0b22fb527) C:\WINDOWS\System32\srvsvc.dll

13:53:48.0165 4344 lanmanserver - ok

13:53:48.0681 4344 lanmanworkstation (a8888a5327621856c0cec4e385f69309) C:\WINDOWS\System32\wkssvc.dll

13:53:48.0728 4344 lanmanworkstation - ok

13:53:48.0728 4344 lbrtfdc - ok

13:53:48.0853 4344 LmHosts (a7db739ae99a796d91580147e919cc59) C:\WINDOWS\System32\lmhsvc.dll

13:53:48.0884 4344 LmHosts - ok

13:53:49.0775 4344 LMIGuardianSvc (2375e7e01635fbccde2f796a9e078e07) C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe

13:53:50.0025 4344 LMIGuardianSvc - ok

13:53:50.0056 4344 LMIInfo (4f69faaabb7db0d43e327c0b6aab40fc) C:\Program Files\LogMeIn\x86\RaInfo.sys

13:53:50.0087 4344 LMIInfo - ok

13:53:50.0212 4344 LMIMaint (b9c127273eaba403311854a8dcb6d0aa) C:\Program Files\LogMeIn\x86\RaMaint.exe

13:53:50.0306 4344 LMIMaint - ok

13:53:50.0416 4344 lmimirr (4477689e2d8ae6b78ba34c9af4cc1ed1) C:\WINDOWS\system32\DRIVERS\lmimirr.sys

13:53:50.0478 4344 lmimirr - ok

13:53:50.0494 4344 LMIRfsClientNP - ok

13:53:50.0509 4344 LMIRfsDriver (3faa563ddf853320f90259d455a01d79) C:\WINDOWS\system32\drivers\LMIRfsDriver.sys

13:53:50.0541 4344 LMIRfsDriver - ok

13:53:50.0650 4344 LogMeIn (432618fa75b61059d2c57d6a7e55147a) C:\Program Files\LogMeIn\x86\LogMeIn.exe

13:53:50.0791 4344 LogMeIn - ok

13:53:50.0900 4344 MBAMProtector (fb097bbc1a18f044bd17bd2fccf97865) C:\WINDOWS\system32\drivers\mbam.sys

13:53:50.0900 4344 MBAMProtector - ok

13:53:51.0087 4344 MBAMService (ba400ed640bca1eae5c727ae17c10207) C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

13:53:51.0166 4344 MBAMService - ok

13:53:51.0416 4344 McrdSvc (df0a511f38f16016bf658fca0090cb87) C:\WINDOWS\ehome\mcrdsvc.exe

13:53:51.0416 4344 McrdSvc - ok

13:53:51.0416 4344 MCSTRM - ok

13:53:51.0509 4344 Messenger (986b1ff5814366d71e0ac5755c88f2d3) C:\WINDOWS\System32\msgsvc.dll

13:53:51.0556 4344 Messenger - ok

13:53:51.0681 4344 MHN (b7521f69c0a9b29d356157229376fb21) C:\WINDOWS\System32\mhn.dll

13:53:51.0728 4344 MHN - ok

13:53:52.0119 4344 MHNDRV (7f2f1d2815a6449d346fcccbc569fbd6) C:\WINDOWS\system32\DRIVERS\mhndrv.sys

13:53:52.0447 4344 MHNDRV - ok

13:53:52.0525 4344 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys

13:53:52.0525 4344 mnmdd - ok

13:53:52.0603 4344 mnmsrvc (d18f1f0c101d06a1c1adf26eed16fcdd) C:\WINDOWS\system32\mnmsrvc.exe

13:53:52.0791 4344 mnmsrvc - ok

13:53:53.0885 4344 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys

13:53:54.0416 4344 Modem - ok

13:53:54.0494 4344 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys

13:53:54.0510 4344 Mouclass - ok

13:53:54.0588 4344 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys

13:53:54.0619 4344 mouhid - ok

13:53:54.0635 4344 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys

13:53:54.0666 4344 MountMgr - ok

13:53:54.0775 4344 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\system32\DRIVERS\mraid35x.sys

13:53:54.0869 4344 mraid35x - ok

13:53:54.0900 4344 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys

13:53:55.0338 4344 MRxDAV - ok

13:53:55.0557 4344 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys

13:53:55.0900 4344 MRxSmb - ok

13:53:55.0978 4344 MSDTC (a137f1470499a205abbb9aafb3b6f2b1) C:\WINDOWS\system32\msdtc.exe

13:53:56.0010 4344 MSDTC - ok

13:53:56.0119 4344 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys

13:53:56.0119 4344 Msfs - ok

13:53:56.0119 4344 MSIServer - ok

13:53:56.0322 4344 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys

13:53:57.0619 4344 MSKSSRV - ok

13:53:57.0650 4344 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys

13:53:57.0791 4344 MSPCLOCK - ok

13:53:57.0869 4344 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys

13:53:57.0869 4344 MSPQM - ok

13:53:57.0916 4344 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys

13:53:57.0916 4344 mssmbios - ok

13:53:58.0213 4344 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys

13:53:58.0244 4344 MSTEE - ok

13:53:58.0369 4344 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys

13:53:58.0588 4344 Mup - ok

13:53:58.0885 4344 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys

13:53:59.0447 4344 NABTSFEC - ok

13:53:59.0713 4344 napagent (0102140028fad045756796e1c685d695) C:\WINDOWS\System32\qagentrt.dll

13:54:00.0041 4344 napagent - ok

13:54:00.0651 4344 NAVENG (862f55824ac81295837b0ab63f91071f) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20120510.033\NAVENG.SYS

13:54:00.0807 4344 NAVENG - ok

13:54:02.0635 4344 NAVEX15 (529d571b551cb9da44237389b936f1ae) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20120510.033\NAVEX15.SYS

13:54:02.0729 4344 NAVEX15 - ok

13:54:03.0151 4344 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys

13:54:03.0323 4344 NDIS - ok

13:54:03.0635 4344 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys

13:54:03.0760 4344 NdisIP - ok

13:54:03.0791 4344 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys

13:54:03.0807 4344 NdisTapi - ok

13:54:03.0838 4344 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys

13:54:03.0838 4344 Ndisuio - ok

13:54:03.0932 4344 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys

13:54:03.0932 4344 NdisWan - ok

13:54:04.0229 4344 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys

13:54:04.0229 4344 NDProxy - ok

13:54:04.0229 4344 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys

13:54:04.0245 4344 NetBIOS - ok

13:54:04.0323 4344 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys

13:54:04.0370 4344 NetBT - ok

13:54:04.0432 4344 NetDDE (b857ba82860d7ff85ae29b095645563b) C:\WINDOWS\system32\netdde.exe

13:54:04.0495 4344 NetDDE - ok

13:54:04.0495 4344 NetDDEdsdm (b857ba82860d7ff85ae29b095645563b) C:\WINDOWS\system32\netdde.exe

13:54:04.0495 4344 NetDDEdsdm - ok

13:54:04.0541 4344 Netlogon (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe

13:54:04.0541 4344 Netlogon - ok

13:54:04.0620 4344 Netman (13e67b55b3abd7bf3fe7aae5a0f9a9de) C:\WINDOWS\System32\netman.dll

13:54:04.0776 4344 Netman - ok

13:54:05.0276 4344 NetSvc (9da26b773bd04b867a8e9f427cd048fc) C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

13:54:05.0495 4344 NetSvc - ok

13:54:06.0073 4344 NetTcpPortSharing (d34612c5d02d026535b3095d620626ae) c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe

13:54:06.0229 4344 NetTcpPortSharing - ok

13:54:06.0432 4344 Nla (943337d786a56729263071623bbb9de5) C:\WINDOWS\System32\mswsock.dll

13:54:06.0432 4344 Nla - ok

13:54:06.0510 4344 Norton AntiVirus (64c89db40949fd0e7c8ff303676a91f1) C:\Program Files\Norton AntiVirus\Engine\16.8.3.6\ccSvcHst.exe

13:54:06.0526 4344 Norton AntiVirus - ok

13:54:06.0573 4344 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys

13:54:06.0573 4344 Npfs - ok

13:54:06.0682 4344 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys

13:54:06.0995 4344 Ntfs - ok

13:54:07.0120 4344 NtLmSsp (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe

13:54:07.0120 4344 NtLmSsp - ok

13:54:07.0182 4344 NtmsSvc (156f64a3345bd23c600655fb4d10bc08) C:\WINDOWS\system32\ntmssvc.dll

13:54:07.0385 4344 NtmsSvc - ok

13:54:07.0432 4344 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys

13:54:07.0432 4344 Null - ok

13:54:07.0792 4344 nv (2b298519edbfcf451d43e0f1e8f1006d) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys

13:54:08.0026 4344 nv - ok

13:54:08.0667 4344 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys

13:54:08.0682 4344 NwlnkFlt - ok

13:54:08.0729 4344 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys

13:54:08.0760 4344 NwlnkFwd - ok

13:54:08.0839 4344 ose (7a56cf3e3f12e8af599963b16f50fb6a) C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE

13:54:09.0089 4344 ose - ok

13:54:09.0682 4344 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys

13:54:09.0714 4344 Parport - ok

13:54:09.0776 4344 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys

13:54:09.0792 4344 PartMgr - ok

13:54:09.0823 4344 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys

13:54:09.0823 4344 ParVdm - ok

13:54:09.0839 4344 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys

13:54:09.0839 4344 PCI - ok

13:54:09.0870 4344 PCIDump - ok

13:54:09.0870 4344 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys

13:54:09.0901 4344 PCIIde - ok

13:54:09.0979 4344 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys

13:54:10.0011 4344 Pcmcia - ok

13:54:10.0136 4344 PCToolsSSDMonitorSvc (e6e503845208a148a9e3e7faa63b97a4) C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe

13:54:10.0276 4344 PCToolsSSDMonitorSvc - ok

13:54:10.0292 4344 PDCOMP - ok

13:54:10.0292 4344 PDFRAME - ok

13:54:10.0307 4344 PDRELI - ok

13:54:10.0323 4344 PDRFRAME - ok

13:54:10.0370 4344 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\system32\DRIVERS\perc2.sys

13:54:10.0401 4344 perc2 - ok

13:54:10.0542 4344 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\system32\DRIVERS\perc2hib.sys

13:54:10.0573 4344 perc2hib - ok

13:54:10.0667 4344 PlugPlay (65df52f5b8b6e9bbd183505225c37315) C:\WINDOWS\system32\services.exe

13:54:10.0682 4344 PlugPlay - ok

13:54:10.0714 4344 Pml Driver HPZ12 (9d84376931440f3679beef2a414fa493) C:\WINDOWS\system32\HPZipm12.exe

13:54:11.0042 4344 Pml Driver HPZ12 - ok

13:54:11.0261 4344 PolicyAgent (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe

13:54:11.0261 4344 PolicyAgent - ok

13:54:11.0323 4344 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys

13:54:11.0323 4344 PptpMiniport - ok

13:54:11.0323 4344 ProtectedStorage (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe

13:54:11.0339 4344 ProtectedStorage - ok

13:54:11.0370 4344 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys

13:54:11.0386 4344 PSched - ok

13:54:11.0417 4344 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys

13:54:11.0433 4344 Ptilink - ok

13:54:11.0511 4344 PxHelp20 (7c81ae3c9b82ba2da437ed4d31bc56cf) C:\WINDOWS\system32\Drivers\PxHelp20.sys

13:54:11.0526 4344 PxHelp20 - ok

13:54:11.0745 4344 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\system32\DRIVERS\ql1080.sys

13:54:11.0745 4344 ql1080 - ok

13:54:11.0776 4344 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\system32\DRIVERS\ql10wnt.sys

13:54:11.0776 4344 Ql10wnt - ok

13:54:11.0792 4344 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\system32\DRIVERS\ql12160.sys

13:54:11.0823 4344 ql12160 - ok

13:54:11.0823 4344 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\system32\DRIVERS\ql1240.sys

13:54:11.0839 4344 ql1240 - ok

13:54:11.0839 4344 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\system32\DRIVERS\ql1280.sys

13:54:11.0854 4344 ql1280 - ok

13:54:11.0917 4344 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys

13:54:11.0948 4344 RasAcd - ok

13:54:12.0042 4344 RasAuto (ad188be7bdf94e8df4ca0a55c00a5073) C:\WINDOWS\System32\rasauto.dll

13:54:12.0089 4344 RasAuto - ok

13:54:12.0120 4344 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys

13:54:12.0136 4344 Rasl2tp - ok

13:54:12.0667 4344 RasMan (76a9a3cbeadd68cc57cda5e1d7448235) C:\WINDOWS\System32\rasmans.dll

13:54:12.0776 4344 RasMan - ok

13:54:12.0948 4344 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys

13:54:13.0714 4344 RasPppoe - ok

13:54:13.0745 4344 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys

13:54:13.0761 4344 Raspti - ok

13:54:13.0823 4344 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys

13:54:13.0839 4344 Rdbss - ok

13:54:13.0870 4344 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys

13:54:13.0870 4344 RDPCDD - ok

13:54:13.0901 4344 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys

13:54:13.0901 4344 rdpdr - ok

13:54:13.0964 4344 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) C:\WINDOWS\system32\drivers\RDPWD.sys

13:54:14.0089 4344 RDPWD - ok

13:54:14.0214 4344 RDSessMgr (3c37bf86641bda977c3bf8a840f3b7fa) C:\WINDOWS\system32\sessmgr.exe

13:54:14.0276 4344 RDSessMgr - ok

13:54:14.0323 4344 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys

13:54:14.0355 4344 redbook - ok

13:54:14.0417 4344 RemoteAccess (7e699ff5f59b5d9de5390e3c34c67cf5) C:\WINDOWS\System32\mprdim.dll

13:54:14.0448 4344 RemoteAccess - ok

13:54:14.0511 4344 RemoteRegistry (5b19b557b0c188210a56a6b699d90b8f) C:\WINDOWS\system32\regsvc.dll

13:54:14.0511 4344 RemoteRegistry - ok

13:54:14.0558 4344 RpcLocator (aaed593f84afa419bbae8572af87cf6a) C:\WINDOWS\system32\locator.exe

13:54:14.0589 4344 RpcLocator - ok

13:54:14.0667 4344 RpcSs (6b27a5c03dfb94b4245739065431322c) C:\WINDOWS\System32\rpcss.dll

13:54:14.0683 4344 RpcSs - ok

13:54:14.0745 4344 RSVP (471b3f9741d762abe75e9deea4787e47) C:\WINDOWS\system32\rsvp.exe

13:54:14.0777 4344 RSVP - ok

13:54:14.0808 4344 SamSs (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe

13:54:14.0808 4344 SamSs - ok

13:54:14.0886 4344 SASDIFSV (a3281aec37e0720a2bc28034c2df2a56) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS

13:54:14.0902 4344 SASDIFSV - ok

13:54:14.0902 4344 SASENUM (7ce61c25c159f50f9eaf6d77fc83fa35) C:\Program Files\SUPERAntiSpyware\SASENUM.SYS

13:54:14.0948 4344 SASENUM - ok

13:54:14.0995 4344 SASKUTIL (f81ea209a3e43c33f99ff89ebab82d93) C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS

13:54:14.0995 4344 SASKUTIL - ok

13:54:15.0073 4344 SCardSvr (86d007e7a654b9a71d1d7d856b104353) C:\WINDOWS\System32\SCardSvr.exe

13:54:15.0448 4344 SCardSvr - ok

13:54:15.0511 4344 Schedule (0a9a7365a1ca4319aa7c1d6cd8e4eafa) C:\WINDOWS\system32\schedsvc.dll

13:54:15.0542 4344 Schedule - ok

13:54:15.0870 4344 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys

13:54:15.0933 4344 Secdrv - ok

13:54:16.0027 4344 seclogon (cbe612e2bb6a10e3563336191eda1250) C:\WINDOWS\System32\seclogon.dll

13:54:16.0058 4344 seclogon - ok

13:54:16.0120 4344 SENS (7fdd5d0684eca8c1f68b4d99d124dcd0) C:\WINDOWS\system32\sens.dll

13:54:16.0152 4344 SENS - ok

13:54:16.0214 4344 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys

13:54:16.0245 4344 serenum - ok

13:54:16.0355 4344 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys

13:54:16.0355 4344 Serial - ok

13:54:16.0573 4344 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys

13:54:16.0589 4344 Sfloppy - ok

13:54:16.0714 4344 SharedAccess (83f41d0d89645d7235c051ab1d9523ac) C:\WINDOWS\System32\ipnathlp.dll

13:54:16.0792 4344 SharedAccess - ok

13:54:16.0839 4344 ShellHWDetection (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll

13:54:16.0855 4344 ShellHWDetection - ok

13:54:16.0886 4344 Simbad - ok

13:54:16.0933 4344 sisagp (6b33d0ebd30db32e27d1d78fe946a754) C:\WINDOWS\system32\DRIVERS\sisagp.sys

13:54:16.0964 4344 sisagp - ok

13:54:16.0980 4344 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys

13:54:16.0980 4344 SLIP - ok

13:54:17.0105 4344 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys

13:54:17.0370 4344 Sparrow - ok

13:54:17.0433 4344 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys

13:54:17.0433 4344 splitter - ok

13:54:17.0464 4344 Spooler (60784f891563fb1b767f70117fc2428f) C:\WINDOWS\system32\spoolsv.exe

13:54:17.0480 4344 Spooler - ok

13:54:17.0511 4344 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys

13:54:17.0902 4344 sr - ok

13:54:17.0964 4344 srservice (3805df0ac4296a34ba4bf93b346cc378) C:\WINDOWS\system32\srsvc.dll

13:54:18.0027 4344 srservice - ok

13:54:18.0464 4344 SRTSP (e81f6caeab9ad5732e94c07c97866aa2) C:\WINDOWS\System32\Drivers\NAV\1008030.006\SRTSP.SYS

13:54:18.0558 4344 SRTSP - ok

13:54:18.0699 4344 SRTSPX (e28de499d942b08058bffac69d4122b6) C:\WINDOWS\system32\drivers\NAV\1008030.006\SRTSPX.SYS

13:54:18.0996 4344 SRTSPX - ok

13:54:19.0292 4344 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys

13:54:19.0730 4344 Srv - ok

13:54:19.0792 4344 SSDPSRV (0a5679b3714edab99e357057ee88fca6) C:\WINDOWS\System32\ssdpsrv.dll

13:54:19.0792 4344 SSDPSRV - ok

13:54:20.0074 4344 STHDA (0aa91bbe468b3f46072091f18003ecaa) C:\WINDOWS\system32\drivers\sthda.sys

13:54:20.0136 4344 STHDA - ok

13:54:20.0246 4344 stisvc (8bad69cbac032d4bbacfce0306174c30) C:\WINDOWS\system32\wiaservc.dll

13:54:20.0292 4344 stisvc - ok

13:54:20.0417 4344 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys

13:54:20.0433 4344 streamip - ok

13:54:20.0464 4344 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys

13:54:20.0464 4344 swenum - ok

13:54:20.0496 4344 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys

13:54:20.0542 4344 swmidi - ok

13:54:20.0542 4344 SwPrv - ok

13:54:20.0668 4344 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys

13:54:20.0683 4344 symc810 - ok

13:54:20.0964 4344 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys

13:54:21.0277 4344 symc8xx - ok

13:54:21.0699 4344 SymEFA (d0885f6e24259a6c65e68d6ad749910a) C:\WINDOWS\system32\drivers\NAV\1008030.006\SYMEFA.SYS

13:54:22.0183 4344 SymEFA - ok

13:54:22.0261 4344 SymEvent (a54ff04bd6e75dc4d8cb6f3e352635e0) C:\WINDOWS\system32\Drivers\SYMEVENT.SYS

13:54:22.0261 4344 SymEvent - ok

13:54:22.0418 4344 SYMFW (a8c45c36309ee066f9191e511f88ed76) C:\WINDOWS\System32\Drivers\NAV\1008030.006\SYMFW.SYS

13:54:22.0464 4344 SYMFW - ok

13:54:22.0496 4344 SYMIDS (f4db00bc0c25be3e05d4bbb8637cc3a3) C:\WINDOWS\System32\Drivers\NAV\1008030.006\SYMIDS.SYS

13:54:22.0496 4344 SYMIDS - ok

13:54:22.0543 4344 SymIM (c6db9f873b09c63f5cb1de10c08bf6f9) C:\WINDOWS\system32\DRIVERS\SymIM.sys

13:54:22.0574 4344 SymIM - ok

13:54:22.0574 4344 SymIMMP (c6db9f873b09c63f5cb1de10c08bf6f9) C:\WINDOWS\system32\DRIVERS\SymIM.sys

13:54:22.0590 4344 SymIMMP - ok

13:54:22.0840 4344 SYMNDIS (06a8ecfc68d61a26a67f0e96ff1ca9cc) C:\WINDOWS\System32\Drivers\NAV\1008030.006\SYMNDIS.SYS

13:54:22.0840 4344 SYMNDIS - ok

13:54:22.0933 4344 SYMTDI (26bc80ec79d7ba478249c266cbdf17b4) C:\WINDOWS\System32\Drivers\NAV\1008030.006\SYMTDI.SYS

13:54:23.0730 4344 SYMTDI - ok

13:54:23.0746 4344 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys

13:54:23.0996 4344 sym_hi - ok

13:54:24.0027 4344 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys

13:54:24.0246 4344 sym_u3 - ok

13:54:24.0324 4344 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys

13:54:24.0324 4344 sysaudio - ok

13:54:24.0465 4344 SysmonLog (c7abbc59b43274b1109df6b24d617051) C:\WINDOWS\system32\smlogsvc.exe

13:54:24.0855 4344 SysmonLog - ok

13:54:25.0168 4344 TapiSrv (3cb78c17bb664637787c9a1c98f79c38) C:\WINDOWS\System32\tapisrv.dll

13:54:25.0168 4344 TapiSrv - ok

13:54:25.0652 4344 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys

13:54:25.0683 4344 Tcpip - ok

13:54:25.0730 4344 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys

13:54:26.0262 4344 TDPIPE - ok

13:54:26.0293 4344 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys

13:54:26.0387 4344 TDTCP - ok

13:54:26.0465 4344 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys

13:54:26.0480 4344 TermDD - ok

13:54:26.0590 4344 TermService (ff3477c03be7201c294c35f684b3479f) C:\WINDOWS\System32\termsrv.dll

13:54:26.0809 4344 TermService - ok

13:54:26.0934 4344 Themes (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll

13:54:26.0949 4344 Themes - ok

13:54:26.0980 4344 TlntSvr (db7205804759ff62c34e3efd8a4cc76a) C:\WINDOWS\system32\tlntsvr.exe

13:54:27.0152 4344 TlntSvr - ok

13:54:27.0449 4344 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\system32\DRIVERS\toside.sys

13:54:27.0559 4344 TosIde - ok

13:54:27.0621 4344 TrkWks (55bca12f7f523d35ca3cb833c725f54e) C:\WINDOWS\system32\trkwks.dll

13:54:27.0652 4344 TrkWks - ok

13:54:27.0668 4344 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys

13:54:27.0730 4344 Udfs - ok

13:54:27.0777 4344 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys

13:54:27.0809 4344 ultra - ok

13:54:27.0871 4344 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys

13:54:27.0934 4344 Update - ok

13:54:28.0059 4344 upnphost (1ebafeb9a3fbdc41b8d9c7f0f687ad91) C:\WINDOWS\System32\upnphost.dll

13:54:28.0105 4344 upnphost - ok

13:54:28.0199 4344 UPS (05365fb38fca1e98f7a566aaaf5d1815) C:\WINDOWS\System32\ups.exe

13:54:28.0215 4344 UPS - ok

13:54:28.0262 4344 USBAAPL (4b8a9c16b6d9258ed99c512aecb8c555) C:\WINDOWS\system32\Drivers\usbaapl.sys

13:54:28.0340 4344 USBAAPL - ok

13:54:28.0574 4344 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys

13:54:28.0918 4344 usbaudio - ok

13:54:28.0981 4344 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys

13:54:29.0027 4344 usbccgp - ok

13:54:29.0059 4344 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys

13:54:29.0106 4344 usbehci - ok

13:54:29.0199 4344 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys

13:54:29.0340 4344 usbhub - ok

13:54:29.0434 4344 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys

13:54:29.0434 4344 usbprint - ok

13:54:29.0496 4344 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys

13:54:29.0496 4344 usbscan - ok

13:54:29.0496 4344 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS

13:54:29.0512 4344 USBSTOR - ok

13:54:29.0527 4344 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys

13:54:29.0543 4344 usbuhci - ok

13:54:29.0606 4344 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys

13:54:29.0606 4344 VgaSave - ok

13:54:29.0652 4344 viaagp (754292ce5848b3738281b4f3607eaef4) C:\WINDOWS\system32\DRIVERS\viaagp.sys

13:54:29.0668 4344 viaagp - ok

13:54:29.0684 4344 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys

13:54:29.0684 4344 ViaIde - ok

13:54:29.0715 4344 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys

13:54:29.0762 4344 VolSnap - ok

13:54:30.0043 4344 VSS (7a9db3a67c333bf0bd42e42b8596854b) C:\WINDOWS\System32\vssvc.exe

13:54:30.0418 4344 VSS - ok

13:54:30.0496 4344 w32time (54af4b1d5459500ef0937f6d33b1914f) C:\WINDOWS\system32\w32time.dll

13:54:30.0559 4344 w32time - ok

13:54:30.0606 4344 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys

13:54:30.0606 4344 Wanarp - ok

13:54:30.0668 4344 WDC_SAM (d6efaf429fd30c5df613d220e344cce7) C:\WINDOWS\system32\DRIVERS\wdcsam.sys

13:54:30.0715 4344 WDC_SAM - ok

13:54:31.0059 4344 WDDMService (300b4847e1157bdd7a306b18ed65a97e) C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe

13:54:31.0340 4344 WDDMService - ok

13:54:31.0356 4344 WDICA - ok

13:54:31.0371 4344 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys

13:54:31.0371 4344 wdmaud - ok

13:54:31.0465 4344 WDSmartWareBackgroundService (138ab06adbbf300aa804d7974a5aec82) C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe

13:54:31.0465 4344 WDSmartWareBackgroundService - ok

13:54:31.0559 4344 WebClient (77a354e28153ad2d5e120a5a8687bc06) C:\WINDOWS\System32\webclnt.dll

13:54:31.0606 4344 WebClient - ok

13:54:31.0731 4344 winmgmt (2d0e4ed081963804ccc196a0929275b5) C:\WINDOWS\system32\wbem\WMIsvc.dll

13:54:31.0965 4344 winmgmt - ok

13:54:32.0184 4344 WmdmPmSN (c51b4a5c05a5475708e3c81c7765b71d) C:\WINDOWS\system32\MsPMSNSv.dll

13:54:32.0231 4344 WmdmPmSN - ok

13:54:32.0465 4344 Wmi (e76f8807070ed04e7408a86d6d3a6137) C:\WINDOWS\System32\advapi32.dll

13:54:32.0559 4344 Wmi - ok

13:54:32.0621 4344 WmiApSrv (e0673f1106e62a68d2257e376079f821) C:\WINDOWS\system32\wbem\wmiapsrv.exe

13:54:32.0653 4344 WmiApSrv - ok

13:54:32.0700 4344 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\Drivers\wpdusb.sys

13:54:32.0731 4344 WpdUsb - ok

13:54:32.0887 4344 wscsvc (7c278e6408d1dce642230c0585a854d5) C:\WINDOWS\system32\wscsvc.dll

13:54:32.0887 4344 wscsvc - ok

13:54:32.0918 4344 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS

13:54:32.0950 4344 WSTCODEC - ok

13:54:33.0028 4344 wuauserv (35321fb577cdc98ce3eb3a3eb9e4610a) C:\WINDOWS\system32\wuauserv.dll

13:54:33.0043 4344 wuauserv - ok

13:54:33.0106 4344 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys

13:54:33.0246 4344 WudfPf - ok

13:54:33.0293 4344 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys

13:54:33.0434 4344 WudfRd - ok

13:54:33.0528 4344 WudfSvc (05231c04253c5bc30b26cbaae680ed89) C:\WINDOWS\System32\WUDFSvc.dll

13:54:33.0528 4344 WudfSvc - ok

13:54:33.0700 4344 WZCSVC (81dc3f549f44b1c1fff022dec9ecf30b) C:\WINDOWS\System32\wzcsvc.dll

13:54:33.0746 4344 WZCSVC - ok

13:54:33.0809 4344 xmlprov (295d21f14c335b53cb8154e5b1f892b9) C:\WINDOWS\System32\xmlprov.dll

13:54:33.0934 4344 xmlprov - ok

13:54:34.0012 4344 MBR (0x1B8) (1f753b395539269a3484aecd505b79bd) \Device\Harddisk0\DR0

13:54:34.0106 4344 \Device\Harddisk0\DR0 ( Rootkit.Boot.Sinowal.b ) - infected

13:54:34.0106 4344 \Device\Harddisk0\DR0 - detected Rootkit.Boot.Sinowal.b (0)

13:54:34.0325 4344 Boot (0x1200) (8710d73d0e8dfde59d12630ee99dfff2) \Device\Harddisk0\DR0\Partition0

13:54:34.0325 4344 \Device\Harddisk0\DR0\Partition0 - ok

13:54:34.0325 4344 ============================================================

13:54:34.0325 4344 Scan finished

13:54:34.0325 4344 ============================================================

13:54:34.0340 4336 Detected object count: 1

13:54:34.0340 4336 Actual detected object count: 1

13:55:01.0514 4336 \Device\Harddisk0\DR0\# - copied to quarantine

13:55:01.0545 4336 \Device\Harddisk0\DR0 - copied to quarantine

13:55:02.0170 4336 \Device\Harddisk0\DR0 ( Rootkit.Boot.Sinowal.b ) - will be cured on reboot

13:55:02.0248 4336 \Device\Harddisk0\DR0 - ok

13:55:02.0248 4336 \Device\Harddisk0\DR0 ( Rootkit.Boot.Sinowal.b ) - User select action: Cure

13:55:07.0045 5056 Deinitialize success


I'm glad to hear that. However, this is a nasty rootkit. While its main component is gone, please read the following information before continuing the cleaning process.

BACKDOOR WARNING

------------------------------

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

Please download HelpAsst_mebroot_fix.exe and save it to your desktop.

Close out all other open programs and windows.

Double click the file to run it and follow any prompts.

If the tool detects an mbr infection, please allow it to run mbr -f and shut down your computer.

Upon restarting, please wait about 5 minutes, click Start>Run and type the following bolded command, then hit Enter.

helpasst -mbrt

Make sure you leave a space between helpasst and -mbrt !

When it completes, a log will open.

Please post the contents of that log.

*In the event the tool does not detect an mbr infection and completes, click Start>Run and type the following bolded command, then hit Enter.

mbr -f

Now, please do the Start>Run>mbr -f command a second time.

Now shut down the computer (do not restart, but shut it down), wait a few minutes then start it back up.

Give it about 5 minutes, then click Start>Run and type the following bolded command, then hit Enter.

helpasst -mbrt

Make sure you leave a space between helpasst and -mbrt !

When it completes, a log will open.

Please post the contents of that log.

**Important note to Dell users - fixing the mbr may prevent access to the Dell Restore Utility, which allows you to press a key on startup and revert your computer to a factory delivered state. There are a couple of known fixes for said condition, though the methods are somewhat advanced. If you are unwilling to take such a risk, you should not allow the tool to execute mbr -f nor execute the command manually, and you will either need to restore your computer to a factory state or allow your computer to remain having an infected mbr (the latter not recommended).


Why are the same commands run even if there is no detected infection?

I have a Dell computer - when you say there are a couple of known fixes - are they fixes for restoring the system so it can be recovered. I think there is a partition on the hard drive that allows me to re-image the computer back to factory state. Is this what breaks when running mbr -f ?


It depends a bit, but yes, that might be broken. That doesn't mean the information is lost though; it does mean however that it might be difficult to access the recovery image (you would have to manually alter the partition table to set it to boot straight into recovery if you wanted that). If you have a Dell reinstall CD there is no need to worry about that though.

This is a tricky infection and sometimes the command does not outright detect the infection. It is also possible that the main component is not there, however other parts are still present and need to be removed (which will be done by this tool).


Thanks - So I guess I should run the tool.

This Dell didn't come with any CDs it's all on a recovery partition. I suppose I am willing to risk breaking that to further ensure getting rid of this infection. Worst case I can use an XP Dell CD and re-install Office from CD


Yes, usually nothing goes wrong with it, this is merely a warning for users who see a fix posted somewhere and decide to try out things on their own. :)

With this infection the risks are a lot bigger just leaving things as they are than risking losing access to a recovery partition (which can always be manually restored).


here is the helpasst.log:

C:\Documents and Settings\tjmakes\Desktop\HelpAsst_mebroot_fix.exe
Wed 06/06/2012 at  1:36:49.98

HelpAssistant account Inactive

 ~~ Checking for termsrv32.dll ~~

termsrv32.dll not found

 ~~ Checking firewall ports ~~

HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\globallyopenports\list

HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\globallyopenports\list

 ~~ Checking profile list ~~

No HelpAssistant profile in registry

 ~~ Checking mbr ~~

user & kernel MBR OK

 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Status check on Thu 06/07/2012 at  2:15:15.59

Account active               No
Local Group Memberships      

 ~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll 
kernel: MBR read successfully
user & kernel MBR OK 
copy of MBR has been found in sector 0x012A050FC 
malicious code @ sector 0x012A050FF !

 ~~ Checking for termsrv32.dll ~~

termsrv32.dll not found

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
   ServiceDll	REG_EXPAND_SZ	%systemroot%\System32\termsrv.dll

 ~~ Checking profile list ~~

No HelpAssistant profile in registry

 ~~ Checking for HelpAssistant directories ~~

none found

 ~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\GloballyOpenPorts\List]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

 ~~ EOF ~~


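Reading the two logs together: TDSSKiller flagged Rootkit.Boot.Sinowal.b on \Device\Harddisk0\DR0 and cured sector 0, and weeks later the HelpAsst pass (GMER's detector underneath) reports "user & kernel MBR OK" yet still finds a copy of the MBR at sector 0x012A050FC with code three sectors past it. The Python below is an added example, not code from the thread nor from TDSSKiller, GMER or HelpAsst_mebroot_fix. It shows the three checks such scanners combine, on a constructed in-memory disk image so it runs offline: compare the user-mode and kernel-mode reads of sector 0 (a resident rootkit filters the user-mode read), hash the boot code against a known-good value, and hunt the rest of the disk for a stashed twin of the partition table, which is how the original MBR survives so the loader can chain to it. Assumptions: that the 440-byte boot-code region ending at offset 0x1B8 is what TDSSKiller's "MBR (0x1B8)" line hashes, that the "clean" boot code bytes are a stand-in for the real Microsoft code, and that the stash LBA is invented.

```python
"""MBR rootkit checks on a constructed disk image.

Added example; not part of the forum thread or of any of the tools used in it.
Assumptions: the 'MBR (0x1B8)' hash TDSSKiller prints covers the boot code
(bytes 0x000-0x1B7); the clean boot code below is a stand-in; STASH_LBA is invented.
"""
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 0x1B8   # boot code occupies bytes 0x000..0x1B7
DISK_SIG_OFF = 0x1B8    # 4-byte NT disk signature, then 2 reserved bytes
PART_TABLE_OFF = 0x1BE  # four 16-byte partition entries
BOOT_SIG_OFF = 0x1FE    # 0x55AA marks a valid boot sector


def parse_mbr(sector):
    """Split a 512-byte MBR into boot-code hash, disk signature, partitions, signature."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        status, ptype, lba_start, lba_len = struct.unpack_from(
            "<B3xB3xII", sector, PART_TABLE_OFF + 16 * i)  # skip the CHS fields
        if ptype:
            parts.append({"bootable": status == 0x80, "type": ptype,
                          "lba_start": lba_start, "lba_len": lba_len})
    return {
        "boot_code_md5": hashlib.md5(sector[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFF)[0],
        "partitions": parts,
        "boot_signature_ok": sector[BOOT_SIG_OFF:] == b"\x55\xAA",
    }


def find_mbr_copies(image, mbr):
    """LBAs (> 0) whose sector has a boot signature and the same partition table
    as `mbr`. A stock disk has none; Mebroot stashes the original MBR in a high
    sector so its loader can chain to it (GMER's 'copy of MBR has been found').
    OEM backup tools can leave such a twin too, so a hit is a lead, not proof."""
    table = mbr[PART_TABLE_OFF:BOOT_SIG_OFF]
    hits = []
    for lba in range(1, len(image) // SECTOR):
        s = image[lba * SECTOR:(lba + 1) * SECTOR]
        if s[BOOT_SIG_OFF:] == b"\x55\xAA" and s[PART_TABLE_OFF:BOOT_SIG_OFF] == table:
            hits.append(lba)
    return hits


def assess(raw_image, known_good_md5, user_mbr=None):
    """Run the three checks together.
    raw_image      : whole disk as read below the filter stack (the kernel view)
    known_good_md5 : MD5 of the 0x1B8-byte boot code expected on this disk
    user_mbr       : what a user-mode read of sector 0 returned (None = same as raw)
    """
    kernel_mbr = raw_image[:SECTOR]
    if user_mbr is None:
        user_mbr = kernel_mbr
    info = parse_mbr(kernel_mbr)
    findings = []
    if user_mbr != kernel_mbr:
        findings.append("user/kernel MBR mismatch: sector-0 reads are being filtered")
    if info["boot_code_md5"] != known_good_md5:
        findings.append("boot code differs from known-good hash")
    if not info["boot_signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    copies = find_mbr_copies(raw_image, kernel_mbr)
    if copies:
        findings.append("copy of partition table at LBA %s" % copies)
    return {"infected": bool(findings), "findings": findings,
            "copies": copies, "mbr": info}


# ---- constructed sample disks (not taken from the thread) ----

def make_mbr(boot_code, disk_sig=0x1234ABCD):
    """512-byte MBR with one bootable NTFS partition starting at LBA 63."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    sig = struct.pack("<IH", disk_sig, 0)
    part = struct.pack("<B3xB3xII", 0x80, 0x07, 63, 2048) + b"\x00" * 48
    return code + sig + part + b"\x55\xAA"

CLEAN_MBR = make_mbr(b"\x33\xC0\x8E\xD0\xBC\x00\x7C")   # stand-in for stock boot code
CLEAN_MD5 = hashlib.md5(CLEAN_MBR[:BOOT_CODE_LEN]).hexdigest()
STASH_LBA = 60                                          # invented stash location

def clean_disk(sectors=64):
    return CLEAN_MBR + b"\x00" * (SECTOR * (sectors - 1))

def infected_disk(sectors=64):
    """Loader code in sector 0, original MBR stashed at STASH_LBA."""
    img = bytearray(clean_disk(sectors))
    img[:SECTOR] = make_mbr(b"\xEB\xFE" + b"LOADER")
    img[STASH_LBA * SECTOR:(STASH_LBA + 1) * SECTOR] = CLEAN_MBR
    return bytes(img)

def partly_cured_disk(sectors=64):
    """Sector 0 restored (what a 'cure' does) but the stash still on disk: both
    reads agree and the hash is good, only the copy hunt still fires."""
    img = bytearray(infected_disk(sectors))
    img[:SECTOR] = CLEAN_MBR
    return bytes(img)


if __name__ == "__main__":
    for name, img, uview in (("clean", clean_disk(), None),
                             ("active rootkit", infected_disk(), CLEAN_MBR),
                             ("partly cured", partly_cured_disk(), None)):
        r = assess(img, CLEAN_MD5, user_mbr=uview)
        print(name, "->", "INFECTED" if r["infected"] else "ok", r["findings"])
```

On a live XP box the raw image would come from an elevated read of \\.\PhysicalDrive0, and the user/kernel comparison only helps while the rootkit is resident: once the loader in sector 0 is gone, both reads agree and the hash matches, so the leftover is only visible through the copy hunt. That is the state the HelpAsst log above shows, and it is why the tool still has work to do even though it prints "user & kernel MBR OK".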
Hi, that looks good, fortunately the infection was no longer completely active.

COMBOFIX

---------------

Please download ComboFix from one of these locations:


Bleepingcomputer
ForoSpyware

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.

Query_RC.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

RC_successful.gif

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\Combofix.txt in your next reply.


Here is the combofix log:

ComboFix 12-06-08.02 - tjmakes 06/08/2012 18:25:27.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.305 [GMT -4:00]

Running from: c:\documents and settings\tjmakes\Desktop\ComboFix.exe

AV: Norton AntiVirus *Disabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\documents and settings\All Users\Application Data\TEMP

c:\documents and settings\tjmakes\Application Data\8E3EFC

c:\documents and settings\tjmakes\GoToAssistDownloadHelper.exe

c:\documents and settings\tjmakes\My Documents\~WRL0189.tmp

c:\documents and settings\tjmakes\My Documents\~WRL0599.tmp

c:\documents and settings\tjmakes\My Documents\~WRL1195.tmp

c:\documents and settings\tjmakes\My Documents\~WRL1215.tmp

c:\documents and settings\tjmakes\My Documents\~WRL1216.tmp

c:\documents and settings\tjmakes\My Documents\~WRL1234.tmp

c:\documents and settings\tjmakes\My Documents\~WRL1338.tmp

c:\documents and settings\tjmakes\My Documents\~WRL1478.tmp

c:\documents and settings\tjmakes\My Documents\~WRL1836.tmp

c:\documents and settings\tjmakes\My Documents\~WRL1862.tmp

c:\documents and settings\tjmakes\My Documents\~WRL2023.tmp

c:\documents and settings\tjmakes\My Documents\~WRL2275.tmp

c:\documents and settings\tjmakes\My Documents\~WRL2389.tmp

c:\documents and settings\tjmakes\My Documents\~WRL2956.tmp

c:\documents and settings\tjmakes\My Documents\~WRL3063.tmp

c:\documents and settings\tjmakes\My Documents\~WRL3697.tmp

c:\documents and settings\tjmakes\My Documents\~WRL3789.tmp

c:\documents and settings\tjmakes\My Documents\~WRL3861.tmp

c:\documents and settings\tjmakes\My Documents\~WRL3990.tmp

c:\documents and settings\tjmakes\My Documents\~WRL4098.tmp

c:\documents and settings\tjmakes\WINDOWS

c:\windows\TEMP\nscC8.tmp\MBR.DAT

c:\windows\TEMP\nscC8.tmp\System.dll

.

.

((((((((((((((((((((((((( Files Created from 2012-05-08 to 2012-06-08 )))))))))))))))))))))))))))))))

.

.

2012-06-08 22:22 . 2012-06-08 22:22 592824 ----a-w- c:\program files\Mozilla Firefox\gkmedias.dll

2012-06-08 22:22 . 2012-06-08 22:22 44472 ----a-w- c:\program files\Mozilla Firefox\mozglue.dll

2012-06-06 05:36 . 2012-06-06 05:35 476960 ----a-w- c:\windows\system32\npdeployJava1.dll

2012-06-06 05:31 . 2012-06-06 06:04 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2012-06-06 05:31 . 2012-06-06 06:04 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2012-06-05 12:42 . 2012-06-05 12:42 -------- d-----w- C:\HelpAsst_backup

2012-05-12 07:12 . 2012-01-11 19:06 3072 ------w- c:\windows\system32\iacenc.dll

2012-05-12 07:12 . 2012-01-11 19:06 3072 ------w- c:\windows\system32\dllcache\iacenc.dll

2012-05-11 17:54 . 2012-05-11 17:54 -------- d-----w- C:\TDSSKiller_Quarantine

2012-05-11 00:22 . 2012-06-07 06:16 -------- d-----w- C:\cf

2012-05-10 23:48 . 2012-06-08 00:29 -------- d-----w- c:\documents and settings\LogMeInRemoteUser

2012-05-10 02:29 . 2012-05-10 02:29 711240 ----a-w- c:\windows\is-AV3HJ.exe

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-06-06 05:36 . 2006-03-07 13:42 73728 ----a-w- c:\windows\system32\javacpl.cpl

2012-06-06 05:35 . 2010-04-15 01:56 472864 ----a-w- c:\windows\system32\deployJava1.dll

2012-05-31 13:22 . 2005-08-16 10:18 599040 ----a-w- c:\windows\system32\crypt32.dll

2012-05-21 17:46 . 2010-05-05 11:30 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll

2012-05-21 17:46 . 2010-05-05 11:30 52096 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\LMIproc.dll

2012-05-21 17:46 . 2010-05-05 11:30 30592 ----a-w- c:\windows\system32\LMIport.dll

2012-05-21 17:46 . 2010-05-05 11:30 87424 ----a-w- c:\windows\system32\LMIinit.dll

2012-04-11 13:14 . 2005-08-16 10:18 2148352 ----a-w- c:\windows\system32\ntoskrnl.exe

2012-04-11 13:12 . 2005-08-16 10:18 1862272 ----a-w- c:\windows\system32\win32k.sys

2012-04-11 12:35 . 2004-08-04 04:59 2026496 ----a-w- c:\windows\system32\ntkrnlpa.exe

2012-04-04 19:56 . 2009-04-06 23:48 22344 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-06-08 22:22 . 2012-01-24 01:45 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"pronto"="c:\program files\Wimba\Pronto\pronto.exe" [2010-04-13 15319688]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]

"SigmatelSysTrayApp"="stsystra.exe" [2006-02-10 282624]

"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552]

"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 344064]

"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-04 221184]

"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]

"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-08-11 63048]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]

"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]

.

c:\documents and settings\tjmakes\Start Menu\Programs\Startup\

startup.lnk - c:\program files\hook\myhook.exe [2009-3-31 856882]

.

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Event Planner Reminders Tray Icon.lnk - c:\sierra\Planner\PLNRnote.exe [2009-6-11 172032]

HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-11 282624]

HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-5-12 73728]

WDDMStatus.lnk - c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe [2009-8-17 2043904]

WDSmartWare.lnk - c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWare.exe [2009-8-17 8919040]

.

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]

2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]

2012-05-21 17:46 87424 ----a-w- c:\windows\system32\LMIinit.dll

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]

@="FSFilter Activity Monitor"

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

.

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1008030.006\SymEFA.sys [10/10/2011 8:45 PM 310320]

R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\NAV\1008030.006\BHDrvx86.sys [10/10/2011 8:45 PM 259632]

R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NAV\1008030.006\cchpx86.sys [10/10/2011 8:45 PM 467592]

R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20120607.001\IDSXpx86.sys [6/7/2012 6:49 PM 356792]

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2010 11:15 AM 61440]

R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [2/27/2011 2:56 PM 374152]

R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [8/11/2008 12:41 PM 12856]

R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [4/6/2009 7:48 PM 654408]

R2 Norton AntiVirus;Norton AntiVirus;c:\program files\Norton AntiVirus\Engine\16.8.3.6\ccSvcHst.exe [10/10/2011 8:45 PM 117648]

R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\Common Files\PC Tools\sMonitor\StartManSvc.exe [2/16/2011 9:23 PM 583640]

R2 WDDMService;WD SmartWare Drive Manager;c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe [8/17/2009 10:52 AM 98304]

R2 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe [6/16/2009 9:58 AM 20480]

R3 atinewp2;ATI eHomeWonder, WDM Video CODEC;c:\windows\system32\drivers\atinewp2.sys [3/27/2009 12:57 PM 485888]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [6/5/2012 2:20 AM 106656]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [4/6/2009 7:48 PM 22344]

S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [6/6/2012 1:31 AM 257696]

S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2010 11:15 AM 12872]

S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [5/6/2008 4:06 PM 11520]

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - WS2IFSL

.

Contents of the 'Scheduled Tasks' folder

.

2012-06-08 c:\windows\Tasks\Adobe Flash Player Updater.job

- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-06-06 06:04]

.

2012-06-07 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

.

2012-06-07 c:\windows\Tasks\RMSchedule.job

- c:\program files\Registry Mechanic\RegMech.exe [2011-02-17 13:46]

.

2012-06-08 c:\windows\Tasks\RMSmartUpdate.job

- c:\program files\Registry Mechanic\Update.exe [2011-02-17 13:46]

.

.

------- Supplementary Scan -------

.

uInternet Connection Wizard,ShellNext = iexplore

TCP: DhcpNameServer = 192.168.1.1 71.242.0.12

FF - ProfilePath - c:\documents and settings\tjmakes\Application Data\Mozilla\Firefox\Profiles\ex69fmbj.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

FF - prefs.js: keyword.URL - hxxp://search.alot.com/web?&src_id=12190&client_id=176448126eb8180a965b1d64&camp_id=2533&install_time=2011-05-21T01:15Z&tb_version=2.4.16500%28F%29&pr=auto&q=

.

- - - - ORPHANS REMOVED - - - -

.

Toolbar-Locked - (no file)

AddRemove-Toyland - D:\setup.exe

.

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2012-06-08 18:43

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Norton AntiVirus]

"ImagePath"="\"c:\program files\Norton AntiVirus\Engine\16.8.3.6\ccSvcHst.exe\" /s \"Norton AntiVirus\" /m \"c:\program files\Norton AntiVirus\Engine\16.8.3.6\diMaster.dll\" /prefetch:1"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(980)

c:\program files\SUPERAntiSpyware\SASWINLO.dll

c:\windows\system32\WININET.dll

c:\windows\system32\LMIinit.dll

c:\windows\system32\LMIRfsClientNP.dll

.

- - - - - - - > 'explorer.exe'(2988)

c:\windows\system32\WININET.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\Ati2evxx.exe

c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\windows\eHome\ehRecvr.exe

c:\windows\eHome\ehSched.exe

c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\LogMeIn\x86\RaMaint.exe

c:\program files\LogMeIn\x86\LogMeIn.exe

c:\windows\system32\HPZipm12.exe

c:\windows\ehome\mcrdsvc.exe

c:\windows\system32\wscntfy.exe

c:\windows\stsystra.exe

c:\program files\iPod\bin\iPodService.exe

c:\program files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe

c:\program files\HP\Digital Imaging\bin\hpqimzone.exe

.

**************************************************************************

.

Completion time: 2012-06-08 18:49:02 - machine was rebooted

ComboFix-quarantined-files.txt 2012-06-08 22:48

ComboFix2.txt 2010-04-21 02:52

.

Pre-Run: 40,133,505,024 bytes free

Post-Run: 44,190,363,648 bytes free

.

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

UnsupportedDebug="do not select this" /debug

multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

.

- - End Of File - - FF4B21C8B85F585DA13C78D4849A9687


Hi, that is looking quite good! :) Do you have any problem left at this point?

Your version of Adobe Reader is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove the older Adobe components and update:

  • Download the latest version of Adobe Reader Version X and save it to your desktop.
  • Uncheck the "Free McAfee Security plan Plus" option or any other Toolbar you are offered.
  • Click the download button at the bottom.
  • If you use Internet Explorer and do not wish to install the ActiveX element, simply click on the "click here to download" link on the next page.
  • Remove all older versions of Adobe Reader: Go to Add/Remove and uninstall all versions of Adobe Reader, Acrobat Reader and Adobe Acrobat.
    If you are unsure of how to use Add or Remove Programs, then please see this tutorial: How To Remove An Installed Program From Your Computer
  • Then from your desktop double-click on Adobe Reader to install the newest version.
    If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the "Adobe Setup - Welcome" window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.

Your Adobe Reader is now up to date!

Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system.

  • Download the latest version of Java Runtime Environment (JRE) Version 7u4.
  • Look for "JDK 7u4 (JDK or JRE)".
  • Click the "Download JRE" button at the right.
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Select "Windows x86 Offline" and click on jre-7-windows-i586.exe
  • Save it to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Uninstall all older versions of Java (any item with Java Runtime Environment, JRE or J2SE in the name).
  • Reboot your computer once all Java components are removed.
  • Install the newest version by double-clicking (run as Administrator for Windows Vista/Seven) the downloaded file.

Finally, please launch MBAM, update it and run a full scan. Post me the resulting log.


Hi, that is looking quite good! :) Do you have any problem left at this point?

No, I would say it's running fine. Thanks for all the help!

Your version of Adobe Reader is out of date

This has been updated.

Your version of Java is out of date.

This has been updated.

Finally, please launch MBAM, update it and run a full scan. Post me the resulting log.

Updated and here is the log:

Malwarebytes Anti-Malware (PRO) 1.61.0.1400

www.malwarebytes.org

Database version: v2012.06.09.05

Windows XP Service Pack 3 x86 NTFS

Internet Explorer 8.0.6001.18702

tjmakes :: D4Z3MZ81 [administrator]

Protection: Enabled

6/9/2012 1:11:56 PM

mbam-log-2012-06-09 (13-11-56).txt

Scan type: Full scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 398429

Time elapsed: 1 hour(s), 10 minute(s), 19 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)


That looks excellent! :)

ALL CLEAN

--------------

Your machine appears to be clean, please take the time to read below on how to secure the machine and take the necessary steps to keep it clean :)

Please do the following to remove the remaining programs from your PC:

  • Delete the tools used during the disinfection:
    • Press the Windows key + R on your keyboard at the same time. In the run box type combofix /uninstall, then press OK.
    • This will remove Combofix and other tools we used from your computer.
  • You can delete any other tool or log by simply deleting them.

Please read the following advice on how to prevent reinfecting your PC:

  1. Install and update the following programs regularly:
    • an outbound firewall. If you are connected to the internet through a router, you are already behind a hardware firewall and as such you do not need an extra software firewall.
      A comprehensive tutorial and a list of possible firewalls can be found here.
    • an AntiVirus Software
      It is imperative that you update your AntiVirus Software on a regular basis. If you do not update your AntiVirus Software then it will not be able to catch the latest threats.
    • an Anti-Spyware program
      Malwarebytes' Anti-Malware is an excellent Anti-Spyware scanner. Its scan times are usually under ten minutes, and it has excellent detection and removal rates.
      SUPERAntiSpyware is another good scanner with high detection and removal rates.
      Both programs are free for non-commercial home use but provide a resident and do not nag if you purchase the paid versions.
    • Spyware Blaster
      A tutorial for Spywareblaster can be found here. If you wish, the commercial version provides automatic updating.

  2. Keep Windows (and your other Microsoft software) up to date!

     I cannot stress enough how important this is. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.

     Therefore, please, visit the Microsoft Update Website and follow the on-screen instructions to set up Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!

  3. Keep your other software up to date as well

     Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out-of-date software on your machine.

  4. Stay up to date!

     The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing.

Some more links you might find of interest:

Please reply to this topic if you have read the above information. If your computer is working fine, this topic will be closed afterwards.
