Many unknown SSDT hooks found after malware, rootkit cleaning



I run Malwarebytes as a routine check-up on a regular basis on my XP computer, and this time it popped up a malware file called adware.domianIQ, which it killed off. So I ran Spybot S&D to confirm nothing else was missed, and it popped up a directory folder under my Application Data called "conduit", which it said was related to the win32.downloader.gen malware. It did not actually find that malware file, and the folder was deleted. (The folder appeared to have been created around 2010.)


I decided to run Malwarebytes Anti-Rootkit as well to double-check everything was OK. I've used it before, and even though it still says it's a beta version, it's never caused me any problems. The report from that program came up clean, but I began reading other posts here and at other forums and decided to use the program RogueKiller as a way to double-check the rootkit situation, as I have seen that having more than one program for each aspect of cleaning is often better than one.


The RogueKiller program found some questionable things and corrected what it could. It removed all the local 127.0.0.1 website redirects which one of my security programs placed in my hosts file at some time to block access to all those sites, and I think this could have been left alone. Nothing else terribly serious, like an actual rootkit file.


But what really concerns me is all the unknown SSDT hooks it found, which I thought it would correct, but it just removed the ones that referred to mbamchameleon after I hit the "Delete" button. I only know a little bit about rootkits, and I was told that they use these types of hooks to bury themselves into the Windows kernel, and this many unknown hooks really looks suspicious to me. Several other hooks were listed as related to Symantec (which must be Norton Internet Security finding a way to protect itself), and under the category "legit" it labeled these hooks as "true", so the only ones it prints in these reports are the hooks it labeled as "false" under the "legit" heading:


¤¤¤ Driver : [LOADED] ¤¤¤
[Address] SSDT[12] : NtAlertResumeThread @ 0x80635F32 -> HOOKED (Unknown @ 0x8A78B3A0)
[Address] SSDT[13] : NtAlertThread @ 0x80581F8C -> HOOKED (Unknown @ 0x8A7A3AC8)
[Address] SSDT[17] : NtAllocateVirtualMemory @ 0x8056FBB6 -> HOOKED (Unknown @ 0x8A785008)
[Address] SSDT[19] : NtAssignProcessToJobObject @ 0x805A975C -> HOOKED (Unknown @ 0x8A7AC080)
[Address] SSDT[31] : NtConnectPort @ 0x80591DCA -> HOOKED (Unknown @ 0x8AA5BB28)
[Address] SSDT[43] : NtCreateMutant @ 0x8057D470 -> HOOKED (Unknown @ 0x8A05D680)
[Address] SSDT[52] : NtCreateSymbolicLinkObject @ 0x805A86E8 -> HOOKED (Unknown @ 0x8A7CB060)
[Address] SSDT[53] : NtCreateThread @ 0x805840DD -> HOOKED (Unknown @ 0x8A66F528)
[Address] SSDT[57] : NtDebugActiveProcess @ 0x80660711 -> HOOKED (Unknown @ 0x8A7AC160)
[Address] SSDT[68] : NtDuplicateObject @ 0x8057E299 -> HOOKED (Unknown @ 0x8A0FE3F0)
[Address] SSDT[83] : NtFreeVirtualMemory @ 0x805700B0 -> HOOKED (Unknown @ 0x8A7C5148)
[Address] SSDT[89] : NtImpersonateAnonymousToken @ 0x80599621 -> HOOKED (Unknown @ 0x8A05D770)
[Address] SSDT[91] : NtImpersonateThread @ 0x80586AD6 -> HOOKED (Unknown @ 0x8A78B2C0)
[Address] SSDT[97] : NtLoadDriver @ 0x805B9849 -> HOOKED (Unknown @ 0x8A820228)
[Address] SSDT[108] : unknown @ 0x8057C120 -> HOOKED (Unknown @ 0x8A7C5068)
[Address] SSDT[114] : NtOpenEvent @ 0x8058F5DD -> HOOKED (Unknown @ 0x8A77D1A0)
[Address] SSDT[122] : NtOpenProcess @ 0x8057964C -> HOOKED (C:\WINDOWS\SYSTEM32\DRIVERS\mbamchameleon.sys @ 0xB3F08C4C)
[Address] SSDT[123] : NtOpenProcessToken @ 0x805774B2 -> HOOKED (Unknown @ 0x8A75F138)
[Address] SSDT[125] : NtOpenSection @ 0x8057CF33 -> HOOKED (Unknown @ 0x8A7D81A0)
[Address] SSDT[128] : NtOpenThread @ 0x805B13C6 -> HOOKED (C:\WINDOWS\SYSTEM32\DRIVERS\mbamchameleon.sys @ 0xB3F08D3C)
[Address] SSDT[137] : NtProtectVirtualMemory @ 0x80583D91 -> HOOKED (Unknown @ 0x8A7CB150)
[Address] SSDT[206] : NtResumeThread @ 0x80584754 -> HOOKED (Unknown @ 0x8A7A3BA8)
[Address] SSDT[213] : NtSetContextThread @ 0x806340DB -> HOOKED (Unknown @ 0x8A7D1110)
[Address] SSDT[228] : NtSetInformationProcess @ 0x80573B37 -> HOOKED (Unknown @ 0x8A7D1008)
[Address] SSDT[240] : NtSetSystemInformation @ 0x805E5EDD -> HOOKED (Unknown @ 0x8A7D8078)
[Address] SSDT[253] : NtSuspendProcess @ 0x80635E77 -> HOOKED (Unknown @ 0x8A77D0E0)
[Address] SSDT[254] : NtSuspendThread @ 0x80635D93 -> HOOKED (Unknown @ 0x8A77F0F0)
[Address] SSDT[257] : NtTerminateProcess @ 0x8058C3F5 -> HOOKED (Unknown @ 0x8A7D6050)
[Address] SSDT[258] : unknown @ 0x805815E5 -> HOOKED (Unknown @ 0x8A77F008)
[Address] SSDT[267] : NtUnmapViewOfSection @ 0x8057BCA8 -> HOOKED (Unknown @ 0x8A7DE138)
[Address] SSDT[277] : NtWriteVirtualMemory @ 0x805869E5 -> HOOKED (Unknown @ 0x8A785098)
[Address] Shadow SSDT[307] : NtUserAttachThreadInput -> HOOKED (Unknown @ 0x8AB9A158)
[Address] Shadow SSDT[383] : NtUserGetAsyncKeyState -> HOOKED (Unknown @ 0x8A7F3E50)
[Address] Shadow SSDT[414] : NtUserGetKeyboardState -> HOOKED (Unknown @ 0x8A7F3F00)
[Address] Shadow SSDT[416] : NtUserGetKeyState -> HOOKED (Unknown @ 0x8A75CB70)
[Address] Shadow SSDT[428] : NtUserGetRawInputData -> HOOKED (Unknown @ 0x8AB94518)
[Address] Shadow SSDT[460] : NtUserMessageCall -> HOOKED (Unknown @ 0x8A79D530)
[Address] Shadow SSDT[475] : NtUserPostMessage -> HOOKED (Unknown @ 0x8ABFF900)
[Address] Shadow SSDT[476] : NtUserPostThreadMessage -> HOOKED (Unknown @ 0x8A01C220)
[Address] Shadow SSDT[549] : NtUserSetWindowsHookEx -> HOOKED (Unknown @ 0x8AC0A098)
[Address] Shadow SSDT[552] : NtUserSetWinEventHook -> HOOKED (Unknown @ 0x89FCC6C8)
After pressing the Delete button, I see the hooks to mbamchameleon have been removed, but not all these others:

¤¤¤ Driver : [LOADED] ¤¤¤
[Address] SSDT[12] : NtAlertResumeThread @ 0x80635F32 -> HOOKED (Unknown @ 0x8A859118)
[Address] SSDT[13] : NtAlertThread @ 0x80581F8C -> HOOKED (Unknown @ 0x8A859008)
[Address] SSDT[17] : NtAllocateVirtualMemory @ 0x8056FBB6 -> HOOKED (Unknown @ 0x8A7D4150)
[Address] SSDT[19] : NtAssignProcessToJobObject @ 0x805A975C -> HOOKED (Unknown @ 0x8A89E0F8)
[Address] SSDT[31] : NtConnectPort @ 0x80591DCA -> HOOKED (Unknown @ 0x8AA39548)
[Address] SSDT[43] : NtCreateMutant @ 0x8057D470 -> HOOKED (Unknown @ 0x8A839090)
[Address] SSDT[52] : NtCreateSymbolicLinkObject @ 0x805A86E8 -> HOOKED (Unknown @ 0x8A8510E8)
[Address] SSDT[53] : NtCreateThread @ 0x805840DD -> HOOKED (Unknown @ 0x8A7D6A00)
[Address] SSDT[57] : NtDebugActiveProcess @ 0x80660711 -> HOOKED (Unknown @ 0x8A844050)
[Address] SSDT[68] : NtDuplicateObject @ 0x8057E299 -> HOOKED (Unknown @ 0x8A7F5108)
[Address] SSDT[83] : NtFreeVirtualMemory @ 0x805700B0 -> HOOKED (Unknown @ 0x8A850108)
[Address] SSDT[89] : NtImpersonateAnonymousToken @ 0x80599621 -> HOOKED (Unknown @ 0x8A839160)
[Address] SSDT[91] : NtImpersonateThread @ 0x80586AD6 -> HOOKED (Unknown @ 0x8A859058)
[Address] SSDT[97] : NtLoadDriver @ 0x805B9849 -> HOOKED (Unknown @ 0x8AA39510)
[Address] SSDT[108] : unknown @ 0x8057C120 -> HOOKED (Unknown @ 0x8A875008)
[Address] SSDT[114] : NtOpenEvent @ 0x8058F5DD -> HOOKED (Unknown @ 0x8A839058)
[Address] SSDT[122] : NtOpenProcess @ 0x8057964C -> HOOKED (Unknown @ 0x8A7F92C0)
[Address] SSDT[123] : NtOpenProcessToken @ 0x805774B2 -> HOOKED (Unknown @ 0x8A7F7198)
[Address] SSDT[125] : NtOpenSection @ 0x8057CF33 -> HOOKED (Unknown @ 0x8A881058)
[Address] SSDT[128] : NtOpenThread @ 0x805B13C6 -> HOOKED (Unknown @ 0x8A7F5008)
[Address] SSDT[137] : NtProtectVirtualMemory @ 0x80583D91 -> HOOKED (Unknown @ 0x8A851008)
[Address] SSDT[206] : NtResumeThread @ 0x80584754 -> HOOKED (Unknown @ 0x8A8430E0)
[Address] SSDT[213] : NtSetContextThread @ 0x806340DB -> HOOKED (Unknown @ 0x8A880160)
[Address] SSDT[228] : NtSetInformationProcess @ 0x80573B37 -> HOOKED (Unknown @ 0x8A875080)
[Address] SSDT[240] : NtSetSystemInformation @ 0x805E5EDD -> HOOKED (Unknown @ 0x8A8440D0)
[Address] SSDT[253] : NtSuspendProcess @ 0x80635E77 -> HOOKED (Unknown @ 0x8A8810D8)
[Address] SSDT[254] : NtSuspendThread @ 0x80635D93 -> HOOKED (Unknown @ 0x8A8431A0)
[Address] SSDT[257] : NtTerminateProcess @ 0x8058C3F5 -> HOOKED (Unknown @ 0x8A7F3320)
[Address] SSDT[258] : unknown @ 0x805815E5 -> HOOKED (Unknown @ 0x8A8800A0)
[Address] SSDT[267] : NtUnmapViewOfSection @ 0x8057BCA8 -> HOOKED (Unknown @ 0x8A6EF198)
[Address] SSDT[277] : NtWriteVirtualMemory @ 0x805869E5 -> HOOKED (Unknown @ 0x8A850008)
[Address] Shadow SSDT[307] : NtUserAttachThreadInput -> HOOKED (Unknown @ 0x8A84AF00)
[Address] Shadow SSDT[383] : NtUserGetAsyncKeyState -> HOOKED (Unknown @ 0x8A03F0E0)
[Address] Shadow SSDT[414] : NtUserGetKeyboardState -> HOOKED (Unknown @ 0x8A057438)
[Address] Shadow SSDT[416] : NtUserGetKeyState -> HOOKED (Unknown @ 0x8A16D4D8)
[Address] Shadow SSDT[428] : NtUserGetRawInputData -> HOOKED (Unknown @ 0x8A0574F8)
[Address] Shadow SSDT[460] : NtUserMessageCall -> HOOKED (Unknown @ 0x8A057C88)
[Address] Shadow SSDT[475] : NtUserPostMessage -> HOOKED (Unknown @ 0x8A057A60)
[Address] Shadow SSDT[476] : NtUserPostThreadMessage -> HOOKED (Unknown @ 0x8A057970)
[Address] Shadow SSDT[549] : NtUserSetWindowsHookEx -> HOOKED (Unknown @ 0x8A822758)
[Address] Shadow SSDT[552] : NtUserSetWinEventHook -> HOOKED (Unknown @ 0x8A09A830)


The MBR for my drive is intact and OK according to RogueKiller.
I ran TDSSKiller next to see what that brought up, and all it showed were 9 questionable unsigned files. I quarantined 7 of them before deleting them, as I'd like to research them a bit further.

(The default option available was just "skip", not "cure" as I've been told comes up when a dangerous rootkit file is found.)
01:17:09.0328 0904  Scan finished
01:17:09.0328 0904  ============================================================
01:17:09.0437 0896  Detected object count: 9
01:17:09.0437 0896  Actual detected object count: 9
01:20:50.0390 0896  Adobe LM Service ( UnsignedFile.Multi.Generic ) - skipped by user
01:20:50.0390 0896  Adobe LM Service ( UnsignedFile.Multi.Generic ) - User select action: Skip
01:20:50.0468 0896  C:\WINDOWS\system32\drivers\aslm75.sys - copied to quarantine
01:20:50.0468 0896  aslm75 ( UnsignedFile.Multi.Generic ) - User select action: Quarantine
01:20:50.0562 0896  C:\WINDOWS\system32\HPZinw12.dll - copied to quarantine
01:20:50.0562 0896  Net Driver HPZ12 ( UnsignedFile.Multi.Generic ) - User select action: Quarantine
01:20:50.0625 0896  C:\WINDOWS\system32\HPZipm12.dll - copied to quarantine
01:20:50.0625 0896  Pml Driver HPZ12 ( UnsignedFile.Multi.Generic ) - User select action: Quarantine
01:20:50.0703 0896  C:\WINDOWS\system32\Drivers\PxHelp20.sys - copied to quarantine
01:20:50.0703 0896  PxHelp20 ( UnsignedFile.Multi.Generic ) - User select action: Quarantine
01:20:50.0750 0896  C:\WINDOWS\system32\Drivers\Scutum50.sys - copied to quarantine
01:20:50.0750 0896  Scutum50 ( UnsignedFile.Multi.Generic ) - User select action: Quarantine
01:20:50.0828 0896  C:\WINDOWS\system32\DRIVERS\TVICHW32.SYS - copied to quarantine
01:20:50.0828 0896  TVICHW32 ( UnsignedFile.Multi.Generic ) - User select action: Quarantine
01:20:50.0828 0896  yukonx86 ( UnsignedFile.Multi.Generic ) - skipped by user
01:20:50.0828 0896  yukonx86 ( UnsignedFile.Multi.Generic ) - User select action: Skip
01:20:50.0875 0896  \Device\Harddisk0\DR0\TDLFS\config.ini - copied to quarantine
01:20:50.0875 0896  \Device\Harddisk0\DR0\TDLFS\tdl - copied to quarantine
01:20:50.0890 0896  \Device\Harddisk0\DR0\TDLFS\rsrc.dat - copied to quarantine
01:20:50.0890 0896  \Device\Harddisk0\DR0\TDLFS\bckfg.tmp - copied to quarantine
01:20:50.0890 0896  \Device\Harddisk0\DR0\TDLFS\tdlcmd.dll - copied to quarantine
01:20:50.0937 0896  \Device\Harddisk0\DR0\TDLFS\keywords - copied to quarantine
01:20:50.0937 0896  \Device\Harddisk0\DR0 ( TDSS File System ) - User select action: Quarantine

The two I left alone were an Adobe License Manager file for Adobe software I purchased and a yukonx86 file for the old Marvell Yukon Ethernet card I still use.


But when I quarantined these 7 files, my Norton Internet Security popped up and suddenly said something related to the TDSS file system was malware; it flagged a file called tsk.0004.dta as something it calls ws.malware.2. Looking at the Symantec site, it describes this as a common threat signature which is dangerous, but does not say exactly what it is or was. It's been tagged because of their "heuristic function", which thinks it looks like other known malware, I guess. It was removed from my computer.

So at this point I'm wondering if I'm OK or not. I still run XP and the computer has been working fine; I have not noticed any pop-up windows or misdirects on web pages, and if I had never run the RogueKiller program, I may never have even been concerned, as the 2 other anti-rootkit removal programs did their thing and did not report finding any serious files that needed curing.


I'd appreciate any feedback from this forum. I know there are other programs out there that are supposed to identify the hooks and even give me a way to delete them, but I'm not sure where to turn or what software would be best to use. If these hooks are somehow legit, I'd really like to confirm that too. Thanks.

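To make the two RogueKiller reports in the post above comparable, here is an added Python example (not RogueKiller's code, nor anything posted in this thread) that parses the hook lines, separates entries attributed to a known security driver from the ones the tool could not attribute, and diffs the before and after reports by table index. The sample input is a constructed subset of the lines quoted above; the known-driver list and the set of "sensitive" syscalls are my own assumptions.

```python
"""Parse RogueKiller SSDT / Shadow SSDT hook lines, classify hook owners,
and diff a "before Delete" report against an "after Delete" report.

Added example (not RogueKiller's code); the sample lines below are a
constructed subset copied from the reports quoted in this thread.
"""
import re
from dataclasses import dataclass

# One hook line:
#   [Address] SSDT[97] : NtLoadDriver @ 0x805B9849 -> HOOKED (Unknown @ 0x8A820228)
# Shadow SSDT lines omit the "@ <original address>" part after the syscall name.
HOOK_RE = re.compile(
    r"^\[Address\]\s+(?P<table>Shadow SSDT|SSDT)\[(?P<index>\d+)\]\s*:\s*"
    r"(?P<name>\S+)(?:\s+@\s+0x(?P<orig>[0-9A-Fa-f]+))?\s*->\s*HOOKED\s*"
    r"\((?P<owner>.+?)\s+@\s+0x(?P<target>[0-9A-Fa-f]+)\)\s*$"
)

# Drivers a defender expects to see hooking the SSDT on this box. Assumption:
# matching on file name only; a real triage would also check the signer.
KNOWN_SECURITY_DRIVERS = {"mbamchameleon.sys": "Malwarebytes Chameleon"}

# Syscalls whose hooking matters most: process/thread access and control,
# memory writes, driver loading and keyboard state. Both self-protecting
# security products and rootkits hook these, so a hit is a triage priority,
# not proof of infection. (Assumed list, not from the tool.)
SENSITIVE = {
    "NtLoadDriver", "NtWriteVirtualMemory", "NtProtectVirtualMemory",
    "NtOpenProcess", "NtOpenThread", "NtTerminateProcess",
    "NtSetContextThread", "NtCreateThread", "NtUserSetWindowsHookEx",
    "NtUserGetAsyncKeyState", "NtUserGetKeyboardState", "NtUserGetKeyState",
}


@dataclass(frozen=True)
class Hook:
    table: str   # "SSDT" or "Shadow SSDT"
    index: int   # service table index
    name: str    # syscall name, or "unknown" when the tool could not name it
    owner: str   # module path the hook target resolved to, or "Unknown"
    target: int  # address the table entry now points at


def parse_hooks(report: str) -> list:
    """Extract every HOOKED entry; non-hook lines (headers etc.) are ignored."""
    hooks = []
    for line in report.splitlines():
        m = HOOK_RE.match(line.strip())
        if m:
            hooks.append(Hook(m["table"], int(m["index"]), m["name"],
                              m["owner"], int(m["target"], 16)))
    return hooks


def classify(hook: Hook) -> str:
    """'unknown' = target the tool did not attribute to any loaded module.
    Pool-allocated hook stubs from a security product look like that, and so
    does a rootkit; the report alone cannot tell the two apart."""
    if hook.owner == "Unknown":
        return "unknown"
    basename = hook.owner.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return "security-product" if basename in KNOWN_SECURITY_DRIVERS else "other-module"


def summarize(report: str) -> dict:
    hooks = parse_hooks(report)
    kinds = [classify(h) for h in hooks]
    return {
        "total": len(hooks),
        "unknown": kinds.count("unknown"),
        "security_product": kinds.count("security-product"),
        "sensitive_unknown": sorted(h.name for h, k in zip(hooks, kinds)
                                    if k == "unknown" and h.name in SENSITIVE),
    }


def diff_reports(before: str, after: str) -> dict:
    """Compare two reports by (table, index). A 'delete' that leaves an entry
    HOOKED but changes its owner or target has not unhooked anything."""
    b = {(h.table, h.index): h for h in parse_hooks(before)}
    a = {(h.table, h.index): h for h in parse_hooks(after)}
    common = b.keys() & a.keys()
    return {
        "removed": sorted(b.keys() - a.keys()),
        "added": sorted(a.keys() - b.keys()),
        "owner_changed": sorted(k for k in common if b[k].owner != a[k].owner),
        "target_changed": sorted(k for k in common if b[k].target != a[k].target),
    }


# Constructed subset of the two reports quoted in the post (before / after Delete).
BEFORE = r"""
¤¤¤ Driver : [LOADED] ¤¤¤
[Address] SSDT[97] : NtLoadDriver @ 0x805B9849 -> HOOKED (Unknown @ 0x8A820228)
[Address] SSDT[108] : unknown @ 0x8057C120 -> HOOKED (Unknown @ 0x8A7C5068)
[Address] SSDT[122] : NtOpenProcess @ 0x8057964C -> HOOKED (C:\WINDOWS\SYSTEM32\DRIVERS\mbamchameleon.sys @ 0xB3F08C4C)
[Address] SSDT[277] : NtWriteVirtualMemory @ 0x805869E5 -> HOOKED (Unknown @ 0x8A785098)
[Address] Shadow SSDT[383] : NtUserGetAsyncKeyState -> HOOKED (Unknown @ 0x8A7F3E50)
"""

AFTER = r"""
¤¤¤ Driver : [LOADED] ¤¤¤
[Address] SSDT[97] : NtLoadDriver @ 0x805B9849 -> HOOKED (Unknown @ 0x8AA39510)
[Address] SSDT[108] : unknown @ 0x8057C120 -> HOOKED (Unknown @ 0x8A875008)
[Address] SSDT[122] : NtOpenProcess @ 0x8057964C -> HOOKED (Unknown @ 0x8A7F92C0)
[Address] SSDT[277] : NtWriteVirtualMemory @ 0x805869E5 -> HOOKED (Unknown @ 0x8A850008)
[Address] Shadow SSDT[383] : NtUserGetAsyncKeyState -> HOOKED (Unknown @ 0x8A03F0E0)
"""

if __name__ == "__main__":
    print("before:", summarize(BEFORE))
    print("after: ", summarize(AFTER))
    print("diff:  ", diff_reports(BEFORE, AFTER))
```

Run over the two full reports from the post, the diff shows that pressing Delete removed no table entries: the two mbamchameleon entries merely became "Unknown", and the target addresses differ between the two runs, which is what re-allocated hook stubs look like rather than an unhooked table.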

Hello distinct and welcome to Malwarebytes!

I am D-FRED-BROWN and I will be helping you. :)

Please print or save this topic. It will make it easier for you to follow the instructions and complete all of the necessary steps.

----------Step 1----------------

Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!

  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.

    Vista/Windows 7 users right-click and select Run As Administrator.

  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan.
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.

    Note: If Cure is not an option, choose Skip instead; do not choose Delete unless instructed.

  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.o7.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.
----------Step 2----------------

Please download Malwarebytes Anti-Rootkit from HERE

  • Unzip the contents to a folder in a convenient location.
  • Open the folder where the contents were unzipped and run mbar.exe
  • Follow the instructions in the wizard to update and allow the program to scan your computer for threats.
  • Click on the Cleanup button to remove any threats and reboot if prompted to do so.
  • Wait while the system shuts down and the cleanup process is performed.
  • Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  • When done, please post the two logs produced; they will be in the MBAR folder: mbar-log.txt and system-log.txt
----------Step 3----------------

Please download ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingc...to-use-combofix

***IMPORTANT: save ComboFix to your Desktop***

* Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Please go here to see a list of programs that should be disabled.

**Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.**

Please include the C:\ComboFix.txt in your next reply for further review.

NOTE: If you receive the message "illegal operation has been attempted on a registry key that has been marked for deletion", just reboot the computer.

----------Step 4----------------

Please download Security Check by screen317 from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
----------Step 5----------------

In your next reply, please include the following:

  • TDSSKiller's logfile
  • MBAR mbar-log.txt and system-log.txt
  • ComboFix's report (C:\ComboFix.txt)
  • Security Check checkup.txt
After that, please let me know: How is your computer running now? Do you have any questions or concerns you'd like me to address? Don't hesitate to ask. :)

-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Note:

Please make sure you are subscribed to this topic: click on the "Follow This Topic" button (at the top right of this page), make sure that the "Receive notification" box is checked and that it is set to "Instantly".


-------> Your topic will be closed if you haven't replied within 3 days! <--------

(If I don't respond within 24 hours, please send me a PM)

-DFB


Hello D-FRED-BROWN. Thanks for taking a look at my issues. I have run the 4 reports you asked for, and here they are. I have some comments for you at the end of this reply.


20:01:11.0796 2604  TDSS rootkit removing tool 2.8.16.0 Feb 11 2013 18:50:42
20:01:12.0187 2604  ============================================================
20:01:12.0187 2604  Current date / time: 2013/07/01 20:01:12.0187
20:01:12.0187 2604  SystemInfo:
20:01:12.0187 2604  
20:01:12.0187 2604  OS Version: 5.1.2600 ServicePack: 2.0
20:01:12.0187 2604  Product type: Workstation
20:01:12.0187 2604  ComputerName: NEWP4
20:01:12.0187 2604  UserName: Chris 
20:01:12.0187 2604  Windows directory: C:\WINDOWS
20:01:12.0187 2604  System windows directory: C:\WINDOWS
20:01:12.0187 2604  Processor architecture: Intel x86
20:01:12.0187 2604  Number of processors: 2
20:01:12.0187 2604  Page size: 0x1000
20:01:12.0187 2604  Boot type: Normal boot
20:01:12.0187 2604  ============================================================
20:01:14.0031 2604  Drive \Device\Harddisk0\DR0 - Size: 0x25433D6000 (149.05 Gb), SectorSize: 0x200, Cylinders: 0x4C01, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
20:01:14.0031 2604  ============================================================
20:01:14.0031 2604  \Device\Harddisk0\DR0:
20:01:14.0031 2604  MBR partitions:
20:01:14.0031 2604  \Device\Harddisk0\DR0\Partition1: MBR, Type 0xC, StartLBA 0x3F, BlocksNum 0x12A18A82
20:01:14.0031 2604  ============================================================
20:01:14.0031 2604  C: <-> \Device\Harddisk0\DR0\Partition1
20:01:14.0031 2604  ============================================================
20:01:14.0031 2604  Initialize success
20:01:14.0031 2604  ============================================================
20:01:17.0718 1036  ============================================================
20:01:17.0718 1036  Scan started
20:01:17.0718 1036  Mode: Manual;
20:01:17.0718 1036  ============================================================
20:01:18.0828 1036  ================ Scan system memory ========================
20:01:18.0828 1036  System memory - ok
20:01:18.0828 1036  ================ Scan services =============================
20:01:23.0968 1036  Mouclass - ok
20:01:24.0000 1036  [ B1C303E17FB9D46E87A98E4BA6769685 ] mouhid          C:\WINDOWS\system32\DRIVERS\mouhid.sys
20:01:24.0000 1036  mouhid - ok
20:01:24.0031 1036  [ 65653F3B4477F3C63E68A9659F85EE2E ] MountMgr        C:\WINDOWS\system32\drivers\MountMgr.sys
20:01:24.0046 1036  MountMgr - ok
20:01:24.0156 1036  [ 825BF0E46B4470A463AEB641480C5FCA ] MozillaMaintenance C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe
20:01:24.0156 1036  MozillaMaintenance - ok
20:01:24.0171 1036  mraid35x - ok
20:01:24.0203 1036  [ 29414447EB5BDE2F8397DC965DBB3156 ] MRxDAV          C:\WINDOWS\system32\DRIVERS\mrxdav.sys
20:01:24.0203 1036  MRxDAV - ok
20:01:24.0250 1036  [ FB6C89BB3CE282B08BDB1E3C179E1C39 ] MRxSmb          C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
20:01:24.0250 1036  MRxSmb - ok
20:01:24.0296 1036  [ C7C3D89EB0A6F3DBA622EA737FA335B1 ] MSDTC           C:\WINDOWS\system32\msdtc.exe
20:01:24.0296 1036  MSDTC - ok
20:01:24.0312 1036  [ 561B3A4333CA2DBDBA28B5B956822519 ] Msfs            C:\WINDOWS\system32\drivers\Msfs.sys
20:01:24.0312 1036  Msfs - ok
20:01:24.0343 1036  MSIServer - ok
20:01:24.0375 1036  [ AE431A8DD3C1D0D0610CDBAC16057AD0 ] MSKSSRV         C:\WINDOWS\system32\drivers\MSKSSRV.sys
20:01:24.0375 1036  MSKSSRV - ok
20:01:24.0421 1036  [ 13E75FEF9DFEB08EEDED9D0246E1F448 ] MSPCLOCK        C:\WINDOWS\system32\drivers\MSPCLOCK.sys
20:01:24.0421 1036  MSPCLOCK - ok
20:01:24.0437 1036  [ 1988A33FF19242576C3D0EF9CE785DA7 ] MSPQM           C:\WINDOWS\system32\drivers\MSPQM.sys
20:01:24.0453 1036  MSPQM - ok
20:01:24.0468 1036  [ 469541F8BFD2B32659D5D463A6714BCE ] mssmbios        C:\WINDOWS\system32\DRIVERS\mssmbios.sys
20:01:24.0484 1036  mssmbios - ok
20:01:24.0578 1036  MSSQL$ICV - ok
20:01:24.0625 1036  [ ADAF062116B4E6D96E44D26486A87AF6 ] MSSQLServerADHelper C:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe
20:01:24.0625 1036  MSSQLServerADHelper - ok
20:01:24.0640 1036  [ 82035E0F41C2DD05AE41D27FE6CF7DE1 ] Mup             C:\WINDOWS\system32\drivers\Mup.sys
20:01:24.0656 1036  Mup - ok
20:01:24.0828 1036  [ CE2156DF796D41614AB60E68D107D573 ] NAVENG          C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.4.0.40\Definitions\VirusDefs\20130701.009\NAVENG.SYS
20:01:24.0828 1036  NAVENG - ok
20:01:24.0921 1036  [ 19CEB8F4EC8C800A53D0B67E658E0367 ] NAVEX15         C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.4.0.40\Definitions\VirusDefs\20130701.009\NAVEX15.SYS
20:01:24.0937 1036  NAVEX15 - ok
20:01:24.0968 1036  [ 558635D3AF1C7546D26067D5D9B6959E ] NDIS            C:\WINDOWS\system32\drivers\NDIS.sys
20:01:24.0968 1036  NDIS - ok
20:01:25.0015 1036  [ 08D43BBDACDF23F34D79E44ED35C1B4C ] NdisTapi        C:\WINDOWS\system32\DRIVERS\ndistapi.sys
20:01:25.0031 1036  NdisTapi - ok
20:01:25.0062 1036  [ 34D6CD56409DA9A7ED573E1C90A308BF ] Ndisuio         C:\WINDOWS\system32\DRIVERS\ndisuio.sys
20:01:25.0078 1036  Ndisuio - ok
20:01:25.0093 1036  [ 0B90E255A9490166AB368CD55A529893 ] NdisWan         C:\WINDOWS\system32\DRIVERS\ndiswan.sys
20:01:25.0093 1036  NdisWan - ok
20:01:25.0109 1036  [ 59FC3FB44D2669BC144FD87826BB571F ] NDProxy         C:\WINDOWS\system32\drivers\NDProxy.sys
20:01:25.0109 1036  NDProxy - ok
20:01:25.0234 1036  [ 69C503C004F49AEE8B8E3067CC047BA7 ] Net Driver HPZ12 C:\WINDOWS\system32\HPZinw12.dll
20:01:25.0234 1036  Net Driver HPZ12 - ok
20:01:25.0265 1036  [ 3A2ACA8FC1D7786902CA434998D7CEB4 ] NetBIOS         C:\WINDOWS\system32\DRIVERS\netbios.sys
20:01:25.0265 1036  NetBIOS - ok
20:01:25.0296 1036  [ 0C80E410CD2F47134407EE7DD19CC86B ] NetBT           C:\WINDOWS\system32\DRIVERS\netbt.sys
20:01:25.0296 1036  NetBT - ok
20:01:25.0343 1036  [ 05AFB5AD06462257BEA7495283C86D50 ] NetDDE          C:\WINDOWS\system32\netdde.exe
20:01:25.0343 1036  NetDDE - ok
20:01:25.0359 1036  [ 05AFB5AD06462257BEA7495283C86D50 ] NetDDEdsdm      C:\WINDOWS\system32\netdde.exe
20:01:25.0359 1036  NetDDEdsdm - ok
20:01:25.0406 1036  [ 84885F9B82F4D55C6146EBF6065D75D2 ] Netlogon        C:\WINDOWS\system32\lsass.exe
20:01:25.0406 1036  Netlogon - ok
20:01:25.0453 1036  [ 36739B39267914BA69AD0610A0299732 ] Netman          C:\WINDOWS\System32\netman.dll
20:01:25.0453 1036  Netman - ok
20:01:25.0484 1036  [ 5C5C53DB4FEF16CF87B9911C7E8C6FBC ] NIC1394         C:\WINDOWS\system32\DRIVERS\nic1394.sys
20:01:25.0484 1036  NIC1394 - ok
20:01:25.0625 1036  [ 1BF9D6476061B31CD7FC2BF848529A56 ] NIS             C:\Program Files\Norton Internet Security\Engine\20.4.0.40\ccSvcHst.exe
20:01:25.0625 1036  NIS - ok
20:01:25.0687 1036  [ 097722F235A1FB698BF9234E01B52637 ] Nla             C:\WINDOWS\System32\mswsock.dll
20:01:25.0687 1036  Nla - ok
20:01:25.0703 1036  [ 4F601BCB8F64EA3AC0994F98FED03F8E ] Npfs            C:\WINDOWS\system32\drivers\Npfs.sys
20:01:25.0703 1036  Npfs - ok
20:01:25.0765 1036  [ 19A811EF5F1ED5C926A028CE107FF1AF ] Ntfs            C:\WINDOWS\system32\drivers\Ntfs.sys
20:01:25.0765 1036  Ntfs - ok
20:01:25.0796 1036  [ 84885F9B82F4D55C6146EBF6065D75D2 ] NtLmSsp         C:\WINDOWS\system32\lsass.exe
20:01:25.0796 1036  NtLmSsp - ok
20:01:25.0859 1036  [ B62F29C00AC55A761B2E45877D85EA0F ] NtmsSvc         C:\WINDOWS\system32\ntmssvc.dll
20:01:25.0859 1036  NtmsSvc - ok
20:01:25.0890 1036  [ 73C1E1F395918BC2C6DD67AF7591A3AD ] Null            C:\WINDOWS\system32\drivers\Null.sys
20:01:25.0890 1036  Null - ok
20:01:26.0078 1036  [ 2B298519EDBFCF451D43E0F1E8F1006D ] nv              C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
20:01:26.0093 1036  nv - ok
20:01:26.0125 1036  [ B305F3FAD35083837EF46A0BBCE2FC57 ] NwlnkFlt        C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
20:01:26.0125 1036  NwlnkFlt - ok
20:01:26.0140 1036  [ C99B3415198D1AAB7227F2C88FD664B9 ] NwlnkFwd        C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
20:01:26.0140 1036  NwlnkFwd - ok
20:01:26.0171 1036  [ 0951DB8E5823EA366B0E408D71E1BA2A ] ohci1394        C:\WINDOWS\system32\DRIVERS\ohci1394.sys
20:01:26.0171 1036  ohci1394 - ok
20:01:26.0203 1036  [ 29744EB4CE659DFE3B4122DEB45BC478 ] Parport         C:\WINDOWS\system32\DRIVERS\parport.sys
20:01:26.0203 1036  Parport - ok
20:01:26.0218 1036  [ 3334430C29DC338092F79C38EF7B4CD0 ] PartMgr         C:\WINDOWS\system32\drivers\PartMgr.sys
20:01:26.0218 1036  PartMgr - ok
20:01:26.0265 1036  [ 70E98B3FD8E963A6A46A2E6247E0BEA1 ] ParVdm          C:\WINDOWS\system32\drivers\ParVdm.sys
20:01:26.0265 1036  ParVdm - ok
20:01:26.0281 1036  [ 8086D9979234B603AD5BC2F5D890B234 ] PCI             C:\WINDOWS\system32\DRIVERS\pci.sys
20:01:26.0281 1036  PCI - ok
20:01:26.0312 1036  PCIDump - ok
20:01:26.0328 1036  [ CCF5F451BB1A5A2A522A76E670000FF0 ] PCIIde          C:\WINDOWS\system32\drivers\PCIIde.sys
20:01:26.0328 1036  PCIIde - ok
20:01:26.0359 1036  [ 82A087207DECEC8456FBE8537947D579 ] Pcmcia          C:\WINDOWS\system32\drivers\Pcmcia.sys
20:01:26.0359 1036  Pcmcia - ok
20:01:26.0453 1036  [ 0275215D01C3985E682A661B8826F371 ] Pctspk          C:\WINDOWS\system32\pctspk.exe
20:01:26.0453 1036  Pctspk - ok
20:01:26.0468 1036  PDCOMP - ok
20:01:26.0484 1036  PDFRAME - ok
20:01:26.0500 1036  PDRELI - ok
20:01:26.0500 1036  PDRFRAME - ok
20:01:26.0515 1036  perc2 - ok
20:01:26.0531 1036  perc2hib - ok
20:01:26.0593 1036  [ 37561F8D4160D62DA86D24AE41FAE8DE ] PlugPlay        C:\WINDOWS\system32\services.exe
20:01:26.0609 1036  PlugPlay - ok
20:01:26.0671 1036  [ 12B4549D515CB26BB8D375038017CA65 ] Pml Driver HPZ12 C:\WINDOWS\system32\HPZipm12.dll
20:01:26.0671 1036  Pml Driver HPZ12 - ok
20:01:26.0718 1036  [ 84885F9B82F4D55C6146EBF6065D75D2 ] PolicyAgent     C:\WINDOWS\system32\lsass.exe
20:01:26.0718 1036  PolicyAgent - ok
20:01:26.0734 1036  [ 1C5CC65AAC0783C344F16353E60B72AC ] PptpMiniport    C:\WINDOWS\system32\DRIVERS\raspptp.sys
20:01:26.0734 1036  PptpMiniport - ok
20:01:26.0750 1036  [ 84885F9B82F4D55C6146EBF6065D75D2 ] ProtectedStorage C:\WINDOWS\system32\lsass.exe
20:01:26.0765 1036  ProtectedStorage - ok
20:01:26.0781 1036  [ 80D317BD1C3DBC5D4FE7B1678C60CADD ] Ptilink         C:\WINDOWS\system32\DRIVERS\ptilink.sys
20:01:26.0781 1036  Ptilink - ok
20:01:26.0796 1036  [ ACE8FE0E920CB8FBA057C024EAD33F84 ] Ptserlp         C:\WINDOWS\system32\DRIVERS\ptserlp.sys
20:01:26.0796 1036  Ptserlp - ok
20:01:26.0828 1036  [ 86724469CD077901706854974CD13C3E ] PxHelp20        C:\WINDOWS\system32\Drivers\PxHelp20.sys
20:01:26.0828 1036  PxHelp20 - ok
20:01:26.0828 1036  ql1080 - ok
20:01:26.0843 1036  Ql10wnt - ok
20:01:26.0859 1036  ql12160 - ok
20:01:26.0859 1036  ql1240 - ok
20:01:26.0875 1036  ql1280 - ok
20:01:27.0000 1036  [ 583608EE65AABF971117A61AEE4BCAAE ] RalinkRegistryWriter C:\Program Files\Tenda\Common\RaRegistry.exe
20:01:27.0000 1036  RalinkRegistryWriter - ok
20:01:27.0015 1036  [ FE0D99D6F31E4FAD8159F690D68DED9C ] RasAcd          C:\WINDOWS\system32\DRIVERS\rasacd.sys
20:01:27.0031 1036  RasAcd - ok
20:01:27.0062 1036  [ 44DB7A9BDD2FB58747D123FBF1D35ADB ] RasAuto         C:\WINDOWS\System32\rasauto.dll
20:01:27.0062 1036  RasAuto - ok
20:01:27.0093 1036  [ 98FAEB4A4DCF812BA1C6FCA4AA3E115C ] Rasl2tp         C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
20:01:27.0093 1036  Rasl2tp - ok
20:01:27.0171 1036  [ D4BD2EEAB07FEF323F0A0CEECC954F51 ] RasMan          C:\WINDOWS\System32\rasmans.dll
20:01:27.0171 1036  RasMan - ok
20:01:27.0187 1036  [ 7306EEED8895454CBED4669BE9F79FAA ] RasPppoe        C:\WINDOWS\system32\DRIVERS\raspppoe.sys
20:01:27.0187 1036  RasPppoe - ok
20:01:27.0203 1036  [ FDBB1D60066FCFBB7452FD8F9829B242 ] Raspti          C:\WINDOWS\system32\DRIVERS\raspti.sys
20:01:27.0203 1036  Raspti - ok
20:01:27.0250 1036  [ 03B965B1CA47F6EF60EB5E51CB50E0AF ] Rdbss           C:\WINDOWS\system32\DRIVERS\rdbss.sys
20:01:27.0250 1036  Rdbss - ok
20:01:27.0265 1036  [ 4912D5B403614CE99C28420F75353332 ] RDPCDD          C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
20:01:27.0265 1036  RDPCDD - ok
20:01:27.0328 1036  [ B54CD38A9EBFBF2B3561426E3FE26F62 ] RDPWD           C:\WINDOWS\system32\drivers\RDPWD.sys
20:01:27.0343 1036  RDPWD - ok
20:01:27.0375 1036  [ 729798E0933076B8FCFCD9934698F164 ] RDSessMgr       C:\WINDOWS\system32\sessmgr.exe
20:01:27.0390 1036  RDSessMgr - ok
20:01:27.0421 1036  [ B31B4588E4086D8D84ADBF9845C2402B ] redbook         C:\WINDOWS\system32\DRIVERS\redbook.sys
20:01:27.0421 1036  redbook - ok
20:01:27.0468 1036  [ 3046DB917E3CFA040632799DD9B14865 ] RemoteAccess    C:\WINDOWS\System32\mprdim.dll
20:01:27.0468 1036  RemoteAccess - ok
20:01:27.0515 1036  [ 793F04A09B15E7C6C11DBDFFAF06C0AB ] RpcLocator      C:\WINDOWS\system32\locator.exe
20:01:27.0515 1036  RpcLocator - ok
20:01:27.0578 1036  [ 01095FEBF33BEEA00C2A0730B9B3EC28 ] RpcSs           C:\WINDOWS\System32\rpcss.dll
20:01:27.0578 1036  RpcSs - ok
20:01:27.0625 1036  [ 471B3F9741D762ABE75E9DEEA4787E47 ] RSVP            C:\WINDOWS\system32\rsvp.exe
20:01:27.0625 1036  RSVP - ok
20:01:27.0718 1036  [ 487FC03649653349ACE757571EFC3EC9 ] rt2870          C:\WINDOWS\system32\DRIVERS\rt2870.sys
20:01:27.0718 1036  rt2870 - ok
20:01:27.0765 1036  [ 84885F9B82F4D55C6146EBF6065D75D2 ] SamSs           C:\WINDOWS\system32\lsass.exe
20:01:27.0765 1036  SamSs - ok
20:01:27.0812 1036  [ 25D8DE134DF108E3DBC8D7D23B1AA58E ] SCardSvr        C:\WINDOWS\System32\SCardSvr.exe
20:01:27.0812 1036  SCardSvr - ok
20:01:27.0859 1036  [ 92360854316611F6CC471612213C3D92 ] Schedule        C:\WINDOWS\system32\schedsvc.dll
20:01:27.0859 1036  Schedule - ok
20:01:27.0890 1036  [ F34C06D1C706A6D9433570B087A18B02 ] Scutum50        C:\WINDOWS\system32\Drivers\Scutum50.sys
20:01:27.0890 1036  Scutum50 - ok
20:01:27.0937 1036  [ 90A3935D05B494A5A39D37E71F09A677 ] Secdrv          C:\WINDOWS\system32\DRIVERS\secdrv.sys
20:01:27.0937 1036  Secdrv - ok
20:01:27.0968 1036  [ B1E0CE09895376871746F36DC5773B4F ] seclogon        C:\WINDOWS\System32\seclogon.dll
20:01:27.0968 1036  seclogon - ok
20:01:28.0000 1036  [ DFD9870CF39C791D86C4C209DA9FA919 ] SENS            C:\WINDOWS\system32\sens.dll
20:01:28.0000 1036  SENS - ok
20:01:28.0046 1036  [ A2D868AEEFF612E70E213C451A70CAFB ] serenum         C:\WINDOWS\system32\DRIVERS\serenum.sys
20:01:28.0046 1036  serenum - ok
20:01:28.0078 1036  [ CD9404D115A00D249F70A371B46D5A26 ] Serial          C:\WINDOWS\system32\DRIVERS\serial.sys
20:01:28.0078 1036  Serial - ok
20:01:28.0203 1036  [ C9CCB7FC0B0C1117BB7ABE79B3A3C5F3 ] ServicepointService C:\Program Files\Verizon\VSP\ServicepointService.exe
20:01:28.0203 1036  ServicepointService - ok
20:01:28.0234 1036  [ 0D13B6DF6E9E101013A7AFB0CE629FE0 ] Sfloppy         C:\WINDOWS\system32\drivers\Sfloppy.sys
20:01:28.0234 1036  Sfloppy - ok
20:01:28.0281 1036  [ 36CC8C01B5E50163037BEF56CB96DEFF ] SharedAccess    C:\WINDOWS\System32\ipnathlp.dll
20:01:28.0281 1036  SharedAccess - ok
20:01:28.0312 1036  [ 6815DEF9B810AEFAC107EEAF72DA6F82 ] ShellHWDetection C:\WINDOWS\System32\shsvcs.dll
20:01:28.0328 1036  ShellHWDetection - ok
20:01:28.0343 1036  Simbad - ok
20:01:28.0406 1036  [ 7D9B50329AF9FD94B0529282530D2CB7 ] smwdm           C:\WINDOWS\system32\drivers\smwdm.sys
20:01:28.0406 1036  smwdm - ok
20:01:28.0421 1036  Sparrow - ok
20:01:28.0468 1036  [ 0CE218578FFF5F4F7E4201539C45C78F ] splitter        C:\WINDOWS\system32\drivers\splitter.sys
20:01:28.0468 1036  splitter - ok
20:01:28.0531 1036  [ DA81EC57ACD4CDC3D4C51CF3D409AF9F ] Spooler         C:\WINDOWS\system32\spoolsv.exe
20:01:28.0546 1036  Spooler - ok
20:01:28.0578 1036  sprtsvc_verizondm - ok
20:01:28.0671 1036  [ D2B096CD2F56FAC6EEEED9A77DDF6DC8 ] SQLBrowser      C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
20:01:28.0671 1036  SQLBrowser - ok
20:01:28.0703 1036  [ 54902536AAD0E9B99BC65F89C0CAF93F ] SQLWriter       C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
20:01:28.0703 1036  SQLWriter - ok
20:01:28.0750 1036  [ E41B6D037D6CD08461470AF04500DC24 ] sr              C:\WINDOWS\system32\DRIVERS\sr.sys
20:01:28.0750 1036  sr - ok
20:01:28.0796 1036  [ 92BDF74F12D6CBEC43C94D4B7F804838 ] srservice       C:\WINDOWS\system32\srsvc.dll
20:01:28.0796 1036  srservice - ok
20:01:28.0953 1036  [ C743E384E9EFCA10B41C60D406DE39C0 ] SRTSP           C:\WINDOWS\System32\Drivers\NIS\1404000.028\SRTSP.SYS
20:01:28.0968 1036  SRTSP - ok
20:01:29.0015 1036  [ FE9BD381778A344F0E39AE2D5E607D7F ] SRTSPX          C:\WINDOWS\system32\drivers\NIS\1404000.028\SRTSPX.SYS
20:01:29.0015 1036  SRTSPX - ok
20:01:29.0046 1036  [ 7A4F147CC6B133F905F6E65E2F8669FB ] Srv             C:\WINDOWS\system32\DRIVERS\srv.sys
20:01:29.0046 1036  Srv - ok
20:01:29.0109 1036  [ 4B8D61792F7175BED48859CC18CE4E38 ] SSDPSRV         C:\WINDOWS\System32\ssdpsrv.dll
20:01:29.0109 1036  SSDPSRV - ok
20:01:29.0171 1036  [ B6763F8534AC547CF1AF98AFDFF2EDC8 ] stisvc          C:\WINDOWS\system32\wiaservc.dll
20:01:29.0171 1036  stisvc - ok
20:01:29.0234 1036  [ 03C1BAE4766E2450219D20B993D6E046 ] swenum          C:\WINDOWS\system32\DRIVERS\swenum.sys
20:01:29.0234 1036  swenum - ok
20:01:29.0281 1036  [ 94ABC808FC4B6D7D2BBF42B85E25BB4D ] swmidi          C:\WINDOWS\system32\drivers\swmidi.sys
20:01:29.0281 1036  swmidi - ok
20:01:29.0328 1036  SwPrv - ok
20:01:29.0437 1036  [ 267C914667C94E5F47D342311C1C577F ] Symantec RemoteAssist C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe
20:01:29.0437 1036  Symantec RemoteAssist - ok
20:01:29.0453 1036  symc810 - ok
20:01:29.0468 1036  symc8xx - ok
20:01:29.0578 1036  [ 5A193E5E0F0A776430E5D62A051C1E16 ] SymDS           C:\WINDOWS\system32\drivers\NIS\1404000.028\SYMDS.SYS
20:01:29.0578 1036  SymDS - ok
20:01:29.0718 1036  [ 1773FB2920EBB3A8BAD0360618091470 ] SymEFA          C:\WINDOWS\system32\drivers\NIS\1404000.028\SYMEFA.SYS
20:01:29.0734 1036  SymEFA - ok
20:01:29.0765 1036  [ F50D81D3E0C7A353F205562B89CD06D6 ] SymEvent        C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
20:01:29.0765 1036  SymEvent - ok
20:01:29.0828 1036  [ 8C9B9036E301A9965CF15BEC91C58A12 ] SymIRON         C:\WINDOWS\system32\drivers\NIS\1404000.028\Ironx86.SYS
20:01:29.0843 1036  SymIRON - ok
20:01:29.0937 1036  [ E9C316262C48BF299E02FC8B1CE2B925 ] SYMTDI          C:\WINDOWS\System32\Drivers\NIS\1404000.028\SYMTDI.SYS
20:01:29.0937 1036  SYMTDI - ok
20:01:29.0968 1036  sym_hi - ok
20:01:29.0984 1036  sym_u3 - ok
20:01:30.0015 1036  [ 650AD082D46BAC0E64C9C0E0928492FD ] sysaudio        C:\WINDOWS\system32\drivers\sysaudio.sys
20:01:30.0015 1036  sysaudio - ok
20:01:30.0125 1036  [ 8B54AA346D1B1B113FFAA75501B8B1B2 ] SysmonLog       C:\WINDOWS\system32\smlogsvc.exe
20:01:30.0125 1036  SysmonLog - ok
20:01:30.0171 1036  [ FB78839B36025AA286A51289ED28B73E ] TapiSrv         C:\WINDOWS\System32\tapisrv.dll
20:01:30.0171 1036  TapiSrv - ok
20:01:30.0234 1036  [ 2A5554FC5B1E04E131230E3CE035C3F9 ] Tcpip           C:\WINDOWS\system32\DRIVERS\tcpip.sys
20:01:30.0234 1036  Tcpip - ok
20:01:30.0281 1036  [ 38D437CF2D98965F239B0ABCD66DCB0F ] TDPIPE          C:\WINDOWS\system32\drivers\TDPIPE.sys
20:01:30.0281 1036  TDPIPE - ok
20:01:30.0296 1036  [ ED0580AF02502D00AD8C4C066B156BE9 ] TDTCP           C:\WINDOWS\system32\drivers\TDTCP.sys
20:01:30.0296 1036  TDTCP - ok
20:01:30.0343 1036  [ A540A99C281D933F3D69D55E48727F47 ] TermDD          C:\WINDOWS\system32\DRIVERS\termdd.sys
20:01:30.0343 1036  TermDD - ok
20:01:30.0406 1036  [ B60C877D16D9C880B952FDA04ADF16E6 ] TermService     C:\WINDOWS\System32\termsrv.dll
20:01:30.0406 1036  TermService - ok
20:01:30.0468 1036  tgsrvc_verizondm - ok
20:01:30.0515 1036  [ 6815DEF9B810AEFAC107EEAF72DA6F82 ] Themes          C:\WINDOWS\System32\shsvcs.dll
20:01:30.0515 1036  Themes - ok
20:01:30.0531 1036  TosIde - ok
20:01:30.0562 1036  [ 6D9AC544B30F96C57F8206566C1FB6A1 ] TrkWks          C:\WINDOWS\system32\trkwks.dll
20:01:30.0578 1036  TrkWks - ok
20:01:30.0609 1036  [ E266683FC95ABDEC17CD378564E1B54B ] TVICHW32        C:\WINDOWS\system32\DRIVERS\TVICHW32.SYS
20:01:30.0625 1036  TVICHW32 - ok
20:01:30.0656 1036  [ 12F70256F140CD7D52C58C7048FDE657 ] Udfs            C:\WINDOWS\system32\drivers\Udfs.sys
20:01:30.0656 1036  Udfs - ok
20:01:30.0671 1036  ultra - ok
20:01:30.0734 1036  [ C81B8635DEE0D3EF5F64B3DD643023A5 ] UMWdf           C:\WINDOWS\system32\wdfmgr.exe
20:01:30.0750 1036  UMWdf - ok
20:01:30.0781 1036  [ CED744117E91BDC0BEB810F7D8608183 ] Update          C:\WINDOWS\system32\DRIVERS\update.sys
20:01:30.0781 1036  Update - ok
20:01:30.0828 1036  [ ACA5D98663D879C6BAAFCEA7E2F1B710 ] upnphost        C:\WINDOWS\System32\upnphost.dll
20:01:30.0843 1036  upnphost - ok
20:01:30.0890 1036  [ 3F5DF65B0758675F95A2D43918A740A3 ] UPS             C:\WINDOWS\System32\ups.exe
20:01:30.0890 1036  UPS - ok
20:01:30.0921 1036  [ BFFD9F120CC63BCBAA3D840F3EEF9F79 ] usbccgp         C:\WINDOWS\system32\DRIVERS\usbccgp.sys
20:01:30.0921 1036  usbccgp - ok
20:01:30.0968 1036  [ 2825E0E294686A26506690059E1F437A ] USBCCID         C:\WINDOWS\system32\DRIVERS\usbccid.sys
20:01:30.0968 1036  USBCCID - ok
20:01:31.0000 1036  [ 15E993BA2F6946B2BFBBFCD30398621E ] usbehci         C:\WINDOWS\system32\DRIVERS\usbehci.sys
20:01:31.0000 1036  usbehci - ok
20:01:31.0031 1036  [ C72F40947F92CEA56A8FB532EDF025F1 ] usbhub          C:\WINDOWS\system32\DRIVERS\usbhub.sys
20:01:31.0031 1036  usbhub - ok
20:01:31.0046 1036  [ A42369B7CD8886CD7C70F33DA6FCBCF5 ] usbprint        C:\WINDOWS\system32\DRIVERS\usbprint.sys
20:01:31.0046 1036  usbprint - ok
20:01:31.0078 1036  [ A6BC71402F4F7DD5B77FD7F4A8DDBA85 ] usbscan         C:\WINDOWS\system32\DRIVERS\usbscan.sys
20:01:31.0078 1036  usbscan - ok
20:01:31.0109 1036  [ 6CD7B22193718F1D17A47A1CD6D37E75 ] USBSTOR         C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
20:01:31.0109 1036  USBSTOR - ok
20:01:31.0156 1036  [ F8FD1400092E23C8F2F31406EF06167B ] usbuhci         C:\WINDOWS\system32\DRIVERS\usbuhci.sys
20:01:31.0156 1036  usbuhci - ok
20:01:31.0187 1036  [ 8A60EDD72B4EA5AEA8202DAF0E427925 ] VgaSave         C:\WINDOWS\System32\drivers\vga.sys
20:01:31.0187 1036  VgaSave - ok
20:01:31.0187 1036  ViaIde - ok
20:01:31.0250 1036  [ B289D19DF6103352D3C4B13C0ED79331 ] Vmodem          C:\WINDOWS\system32\DRIVERS\vmodem.sys
20:01:31.0250 1036  Vmodem - ok
20:01:31.0265 1036  [ EE4660083DEBA849FF6C485D944B379B ] VolSnap         C:\WINDOWS\system32\drivers\VolSnap.sys
20:01:31.0265 1036  VolSnap - ok
20:01:31.0312 1036  [ 4A4448332075C5A909DF123C21616B2A ] Vpctcom         C:\WINDOWS\system32\DRIVERS\vpctcom.sys
20:01:31.0312 1036  Vpctcom - ok
20:01:31.0375 1036  [ 3EE00364AE0FD8D604F46CBAF512838A ] VSS             C:\WINDOWS\System32\vssvc.exe
20:01:31.0390 1036  VSS - ok
20:01:31.0406 1036  [ 120E61AAC05F00C867A32DE493DAB9B4 ] Vvoice          C:\WINDOWS\system32\DRIVERS\vvoice.sys
20:01:31.0406 1036  Vvoice - ok
20:01:31.0468 1036  [ 2B281958F5D0CF99ED626E3EF39D5C8D ] W32Time         C:\WINDOWS\system32\w32time.dll
20:01:31.0468 1036  W32Time - ok
20:01:31.0500 1036  [ 984EF0B9788ABF89974CFED4BFBAACBC ] Wanarp          C:\WINDOWS\system32\DRIVERS\wanarp.sys
20:01:31.0500 1036  Wanarp - ok
20:01:31.0515 1036  WDICA - ok
20:01:31.0531 1036  [ EFD235CA22B57C81118C1AEB4798F1C1 ] wdmaud          C:\WINDOWS\system32\drivers\wdmaud.sys
20:01:31.0531 1036  wdmaud - ok
20:01:31.0578 1036  [ 265F534EF76832435AFBF771EC97176D ] WebClient       C:\WINDOWS\System32\webclnt.dll
20:01:31.0578 1036  WebClient - ok
20:01:31.0640 1036  [ F399242A80C4066FD155EFA4CF96658E ] winmgmt         C:\WINDOWS\system32\wbem\WMIsvc.dll
20:01:31.0640 1036  winmgmt - ok
20:01:31.0718 1036  [ A477391B7A8B0A0DAABADB17CF533A4B ] WmdmPmSN        C:\WINDOWS\system32\MsPMSNSv.dll
20:01:31.0718 1036  WmdmPmSN - ok
20:01:31.0781 1036  [ BA8CECC3E813E1F7C441B20393D4F86C ] WmiApSrv        C:\WINDOWS\system32\wbem\wmiapsrv.exe
20:01:31.0781 1036  WmiApSrv - ok
20:01:31.0812 1036  [ C1B3D9D75C3FB735F5FA3A5806ADED57 ] WpdUsb          C:\WINDOWS\system32\Drivers\wpdusb.sys
20:01:31.0812 1036  WpdUsb - ok
20:01:31.0875 1036  [ 4D59DAA66C60858CDF4F67A900F42D4A ] wscsvc          C:\WINDOWS\system32\wscsvc.dll
20:01:31.0875 1036  wscsvc - ok
20:01:31.0906 1036  [ 13D72740963CBA12D9FF76A7F218BCD8 ] wuauserv        C:\WINDOWS\system32\wuauserv.dll
20:01:31.0906 1036  wuauserv - ok
20:01:31.0968 1036  [ 5A91E6FEAB9F901302FA7FF768C0120F ] WZCSVC          C:\WINDOWS\System32\wzcsvc.dll
20:01:31.0968 1036  WZCSVC - ok
20:01:32.0031 1036  [ EEF46DAB68229A14DA3D8E73C99E2959 ] xmlprov         C:\WINDOWS\System32\xmlprov.dll
20:01:32.0031 1036  xmlprov - ok
20:01:32.0078 1036  [ 87F126D0F8DC176B282924DF0417075E ] yukonwxp        C:\WINDOWS\system32\DRIVERS\yk51x86.sys
20:01:32.0093 1036  yukonwxp - ok
20:01:32.0125 1036  [ 24143E06D15DB866DEA29258F77FD89D ] yukonx86        C:\WINDOWS\system32\DRIVERS\yukonx86.sys
20:01:32.0125 1036  yukonx86 - ok
20:01:32.0140 1036  ================ Scan global ===============================
20:01:32.0203 1036  [ 00EF9C3AF83EDBAF18CA7A2837750117 ] C:\WINDOWS\system32\basesrv.dll
20:01:32.0250 1036  [ 3D21B3BE0C5768E76FD9780E9CF9E07C ] C:\WINDOWS\system32\winsrv.dll
20:01:32.0296 1036  [ 3D21B3BE0C5768E76FD9780E9CF9E07C ] C:\WINDOWS\system32\winsrv.dll
20:01:32.0328 1036  [ 37561F8D4160D62DA86D24AE41FAE8DE ] C:\WINDOWS\system32\services.exe
20:01:32.0328 1036  [Global] - ok
20:01:32.0328 1036  ================ Scan MBR ==================================
20:01:32.0343 1036  [ 8F558EB6672622401DA993E1E865C861 ] \Device\Harddisk0\DR0
20:01:32.0484 1036  \Device\Harddisk0\DR0 - ok
20:01:32.0484 1036  ================ Scan VBR ==================================
20:01:32.0500 1036  [ 1188B65AF53B9400EBBF3FD952C4AD3C ] \Device\Harddisk0\DR0\Partition1
20:01:32.0500 1036  \Device\Harddisk0\DR0\Partition1 - ok
20:01:32.0500 1036  ============================================================
20:01:32.0500 1036  Scan finished
20:01:32.0500 1036  ============================================================
20:01:32.0515 3524  Detected object count: 0
20:01:32.0515 3524  Actual detected object count: 0

Malwarebytes Anti-Rootkit BETA 1.06.0.1004
www.malwarebytes.org

Database version: v2013.07.01.08

Windows XP Service Pack 2 x86 FAT32
Internet Explorer 8.0.6001.18702
Chris  :: NEWP4 [administrator]

07/01/2013 8:03:38 PM
mbar-log-2013-07-01 (20-03-38).txt

Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUM | P2P
Scan options disabled: PUP
Objects scanned: 265825
Time elapsed: 23 minute(s), 37 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

Physical Sectors Detected: 0
(No malicious items detected)

(end)

---------------------------------------
Malwarebytes Anti-Rootkit BETA 1.06.0.1004

© Malwarebytes Corporation 2011-2012

OS version: 5.1.2600 Windows XP Service Pack 2 x86

Account is Administrative

Internet Explorer version: 8.0.6001.18702

File system is: FAT32
Disk drives: C:\ DRIVE_FIXED
CPU speed: 3.006000 GHz
Memory total: 3220418560, free: 2591657984

Downloaded database version: v2013.07.01.08
Initializing...
------------ Kernel report ------------
     07/01/2013 20:03:22
------------ Loaded modules -----------
\WINDOWS\system32\ntoskrnl.exe
\WINDOWS\system32\hal.dll
\WINDOWS\system32\KDCOM.DLL
\WINDOWS\system32\BOOTVID.dll
ACPI.sys
\WINDOWS\system32\DRIVERS\WMILIB.SYS
pci.sys
isapnp.sys
ohci1394.sys
\WINDOWS\system32\DRIVERS\1394BUS.SYS
PCIIde.sys
\WINDOWS\System32\Drivers\PCIIDEX.SYS
intelide.sys
MountMgr.sys
ftdisk.sys
PartMgr.sys
VolSnap.sys
atapi.sys
disk.sys
\WINDOWS\system32\DRIVERS\CLASSPNP.SYS
fltMgr.sys
SYMDS.SYS
sr.sys
SYMEFA.SYS
PxHelp20.sys
Fastfat.sys
KSecDD.sys
NDIS.sys
vvoice.sys
vpctcom.sys
vmodem.sys
Mup.sys
agp440.sys
\SystemRoot\system32\DRIVERS\intelppm.sys
\SystemRoot\system32\DRIVERS\nv4_mini.sys
\SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
\SystemRoot\system32\DRIVERS\usbuhci.sys
\SystemRoot\system32\DRIVERS\USBPORT.SYS
\SystemRoot\system32\DRIVERS\usbehci.sys
\SystemRoot\system32\DRIVERS\yk51x86.sys
\SystemRoot\system32\DRIVERS\ptserlp.sys
\SystemRoot\System32\Drivers\Modem.SYS
\SystemRoot\system32\DRIVERS\nic1394.sys
\SystemRoot\system32\DRIVERS\i8042prt.sys
\SystemRoot\system32\DRIVERS\kbdclass.sys
\SystemRoot\system32\DRIVERS\mouclass.sys
\SystemRoot\system32\DRIVERS\serial.sys
\SystemRoot\system32\DRIVERS\serenum.sys
\SystemRoot\system32\DRIVERS\fdc.sys
\SystemRoot\system32\DRIVERS\parport.sys
\SystemRoot\system32\DRIVERS\imapi.sys
\SystemRoot\system32\DRIVERS\cdrom.sys
\SystemRoot\system32\DRIVERS\redbook.sys
\SystemRoot\system32\DRIVERS\ks.sys
\SystemRoot\system32\drivers\smwdm.sys
\SystemRoot\system32\drivers\portcls.sys
\SystemRoot\system32\drivers\drmk.sys
\SystemRoot\system32\drivers\aeaudio.sys
\SystemRoot\system32\DRIVERS\audstub.sys
\SystemRoot\system32\DRIVERS\rasl2tp.sys
\SystemRoot\system32\DRIVERS\ndistapi.sys
\SystemRoot\system32\DRIVERS\ndiswan.sys
\SystemRoot\system32\DRIVERS\raspppoe.sys
\SystemRoot\system32\DRIVERS\raspptp.sys
\SystemRoot\system32\DRIVERS\TDI.SYS
\SystemRoot\system32\DRIVERS\ptilink.sys
\SystemRoot\system32\DRIVERS\raspti.sys
\SystemRoot\system32\DRIVERS\termdd.sys
\SystemRoot\system32\DRIVERS\swenum.sys
\SystemRoot\system32\DRIVERS\update.sys
\SystemRoot\system32\DRIVERS\mssmbios.sys
\SystemRoot\System32\Drivers\NDProxy.SYS
\SystemRoot\system32\DRIVERS\usbhub.sys
\SystemRoot\system32\DRIVERS\USBD.SYS
\SystemRoot\system32\DRIVERS\flpydisk.sys
\SystemRoot\system32\drivers\NIS\1404000.028\ccSetx86.sys
\SystemRoot\System32\Drivers\NIS\1404000.028\SRTSP.SYS
\SystemRoot\system32\drivers\NIS\1404000.028\SRTSPX.SYS
\SystemRoot\system32\drivers\NIS\1404000.028\Ironx86.SYS
\??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
\SystemRoot\system32\DRIVERS\usbprint.sys
\SystemRoot\system32\DRIVERS\usbccgp.sys
\SystemRoot\system32\DRIVERS\HPZius12.sys
\SystemRoot\system32\DRIVERS\HPZid412.sys
\SystemRoot\system32\DRIVERS\HPZipr12.sys
\SystemRoot\System32\Drivers\Fs_Rec.SYS
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\Beep.SYS
\SystemRoot\System32\drivers\vga.sys
\SystemRoot\System32\Drivers\mnmdd.SYS
\SystemRoot\System32\DRIVERS\RDPCDD.sys
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\system32\DRIVERS\rasacd.sys
\SystemRoot\system32\DRIVERS\ipsec.sys
\SystemRoot\system32\DRIVERS\msgpc.sys
\SystemRoot\system32\DRIVERS\tcpip.sys
\SystemRoot\System32\Drivers\NIS\1404000.028\SYMTDI.SYS
\SystemRoot\system32\DRIVERS\ipnat.sys
\SystemRoot\system32\DRIVERS\wanarp.sys
\??\C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.4.0.40\Definitions\IPSDefs\20130628.001\IDSxpx86.sys
\SystemRoot\system32\DRIVERS\arp1394.sys
\SystemRoot\system32\DRIVERS\netbt.sys
\SystemRoot\System32\drivers\afd.sys
\SystemRoot\system32\DRIVERS\netbios.sys
\SystemRoot\system32\DRIVERS\rdbss.sys
\SystemRoot\system32\DRIVERS\mrxsmb.sys
\SystemRoot\System32\Drivers\Fips.SYS
\??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
\??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
\??\C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.4.0.40\Definitions\BASHDefs\20130620.001\BHDrvx86.sys
\SystemRoot\System32\Drivers\Cdfs.SYS
\SystemRoot\System32\Drivers\dump_atapi.sys
\SystemRoot\System32\Drivers\dump_WMILIB.SYS
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\drivers\Dxapi.sys
\SystemRoot\System32\watchdog.sys
\SystemRoot\System32\drivers\dxg.sys
\SystemRoot\System32\drivers\dxgthk.sys
\SystemRoot\System32\nv4_disp.dll
\SystemRoot\System32\ATMFD.DLL
\SystemRoot\System32\Drivers\Scutum50.sys
\SystemRoot\system32\DRIVERS\ndisuio.sys
\SystemRoot\system32\drivers\wdmaud.sys
\SystemRoot\system32\drivers\sysaudio.sys
\SystemRoot\system32\DRIVERS\mrxdav.sys
\SystemRoot\System32\Drivers\ParVdm.SYS
\??\C:\WINDOWS\system32\drivers\aslm75.sys
\SystemRoot\system32\DRIVERS\srv.sys
\??\c:\documents and settings\chris\local settings\temp\58B085C33B22.sys
\??\c:\documents and settings\chris\local settings\temp\58B8F8598456.sys
\??\C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.4.0.40\Definitions\VirusDefs\20130701.009\NAVEX15.SYS
\??\C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.4.0.40\Definitions\VirusDefs\20130701.009\NAVENG.SYS
\SystemRoot\system32\drivers\kmixer.sys
\??\C:\WINDOWS\system32\drivers\mbamchameleon.sys
\??\C:\WINDOWS\system32\drivers\mbamswissarmy.sys
\WINDOWS\System32\ntdll.dll
----------- End -----------
Done!
<<<1>>>
Upper Device Name: \Device\Harddisk0\DR0
Upper Device Object: 0xffffffff8ac7bab8
Upper Device Driver Name: \Driver\Disk\
Lower Device Name: \Device\Ide\IdeDeviceP0T0L0-3\
Lower Device Object: 0xffffffff8ac4cd98
Lower Device Driver Name: \Driver\atapi\
<<<2>>>
Device number: 0, partition: 1
Physical Sector Size: 512
Drive: 0, DevicePointer: 0xffffffff8ac7bab8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
--------- Disk Stack ------
DevicePointer: 0xffffffff8acba298, DeviceName: Unknown, DriverName: \Driver\PartMgr\
DevicePointer: 0xffffffff8ac7bab8, DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
DevicePointer: 0xffffffff8ac7c3b8, DeviceName: \Device\00000066\, DriverName: \Driver\ACPI\
DevicePointer: 0xffffffff8ac4cd98, DeviceName: \Device\Ide\IdeDeviceP0T0L0-3\, DriverName: \Driver\atapi\
------------ End ----------
Alternate DeviceName: \Device\Harddisk0\DR0\, DriverName: \Driver\Disk\
Upper DeviceData: 0x0, 0x0, 0x0
Lower DeviceData: 0x0, 0x0, 0x0
<<<3>>>
Volume: C:
File system type: FAT
SectorSize = 512, ClusterSize = 16384 bytes
<<<2>>>
Device number: 0, partition: 1
<<<3>>>
Volume: C:
File system type: FAT
SectorSize = 512, ClusterSize = 16384 bytes
Scanning drivers directory: C:\WINDOWS\system32\drivers...
<<<2>>>
Device number: 0, partition: 1
<<<3>>>
Volume: C:
File system type: FAT
SectorSize = 512, ClusterSize = 16384 bytes
Done!
Drive 0
Scanning MBR on drive 0...
Inspecting partition table:
MBR Signature: 55AA
Disk Signature: C50BC50B

Partition information:

    Partition 0 type is Other (0xc)
    Partition is ACTIVE.
    Partition starts at LBA: 63  Numsec = 312576642
    Partition file system is FAT32
    Partition is bootable

    Partition 1 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

    Partition 2 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

    Partition 3 type is Empty (0x0)
    Partition is NOT ACTIVE.
    Partition starts at LBA: 0  Numsec = 0

Disk Size: 160041885696 bytes
Sector size: 512 bytes

Scanning physical sectors of unpartitioned space on drive 0 (1-62-312561808-312581808)...
Done!
Scan finished
=======================================


Removal queue found; removal started
Removing c:\documents and settings\all users\application data\malwarebytes' anti-malware (portable)\mbr_0_i.mbam...
Removing c:\documents and settings\all users\application data\malwarebytes' anti-malware (portable)\bootstrap_0_0_63_i.mbam...
Removing c:\documents and settings\all users\application data\malwarebytes' anti-malware (portable)\mbr_0_r.mbam...
Removal finished
 

 

ComboFix 13-06-30.01 - Chris 07/01/2013  20:36:09.3.2 - FAT32x86
Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.3071.2444 [GMT -4:00]
Running from: c:\documents and settings\Chris\Desktop\ComboFix.exe
AV: Norton Internet Security *Disabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *Enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Chris\g2mdlhlpx.exe
c:\windows\_detmp.2
.
.
(((((((((((((((((((((((((   Files Created from 2013-06-02 to 2013-07-02  )))))))))))))))))))))))))))))))
.
.
2013-07-02 00:03 . 2013-07-02 00:03    35144    ----a-w-    c:\windows\system32\drivers\mbamchameleon.sys
2013-07-01 21:14 . 2013-07-01 21:14    --------    d-----w-    c:\documents and settings\Chris\Doctor Web
2013-06-30 02:50 . 2013-06-30 02:50    --------    d-----w-    c:\documents and settings\Administrator.NEWP4.000
2013-06-29 05:20 . 2013-06-29 05:20    --------    d-----w-    C:\TDSSKiller_Quarantine
2013-06-29 03:25 . 2013-06-29 03:25    --------    d-----w-    c:\windows\snack
2013-06-29 03:03 . 2013-06-29 03:03    --------    d-----w-    c:\documents and settings\All Users\Application Data\Malwarebytes' Anti-Malware (portable)
2013-06-29 00:08 . 2013-06-29 00:08    --------    d-----w-    c:\documents and settings\Chris\Local Settings\Application Data\NPE
2013-06-19 23:11 . 2013-06-19 23:11    --------    d-----w-    c:\windows\system32\drivers\NIS\1404000.028
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-06-30 03:28 . 2012-05-08 01:26    692104    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2013-06-30 03:28 . 2011-12-31 20:51    71048    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2013-06-28 22:09 . 2005-04-05 19:07    23    ----a-w-    c:\windows\Fonts\AdobeFnt.lst
2013-06-19 23:12 . 2012-06-04 03:33    142496    ----a-w-    c:\windows\system32\drivers\SYMEVENT.SYS
2013-04-04 18:50 . 2010-07-21 19:33    22856    ----a-w-    c:\windows\system32\drivers\mbam.sys
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SlowFile Icon Overlay]
@="{7D688A77-C613-11D0-999B-00C04FD655E1}"
[HKEY_CLASSES_ROOT\CLSID\{7D688A77-C613-11D0-999B-00C04FD655E1}]
2008-07-03 12:16    8454656    ----a-w-    c:\windows\SYSTEM32\shell32.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2013-04-04 958576]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2008-12-08 54576]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 4.0\Distillr\AcroTray.exe [2003-10-16 43520]
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2000-1-13 113664]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2010-5-28 276328]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
backup=c:\windows\pss\Adobe Gamma Loader.exe.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^MacName.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\MacName.lnk
backup=c:\windows\pss\MacName.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Tenda Wireless Utility.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Tenda Wireless Utility.lnk
backup=c:\windows\pss\Tenda Wireless Utility.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Chris^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\Chris\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2008-12-08 19:50    54576    ----a-w-    c:\program files\HP\HP Software Update\hpwuschd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-11 03:08    417792    ----a-w-    c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VERIZONDM]
2010-07-20 05:29    206120    ----a-w-    c:\program files\VERIZONDM\bin\sprtcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VerizonServicepoint.exe]
2009-11-18 14:50    4269296    ----a-w-    c:\program files\Verizon\VSP\VerizonServicepoint.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"tgsrvc_verizondm"=2 (0x2)
"sprtsvc_verizondm"=2 (0x2)
"ServicepointService"=2 (0x2)
"RalinkRegistryWriter"=2 (0x2)
"Pctspk"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"TCASUTIEXE"=TCAUDIAG.EXE -off
"ATIGART"=c:\ati\gart\atigart.exe
"AtiPTA"=Atiptaaa.exe
"NPROTECT"=c:\program files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
"Norton Auto-Protect"=c:\progra~1\NORTON~1\NORTON~2\NAVAPW32.EXE /LOADQUIET
"CLMFrontPanel"=
"MacLicense"="c:\program files\MacOpener\MacLic.exe"
"shutdownaware"=c:\windows\shutdownaware.exe
"LexStart"=Lexstart.exe
"a-winpoet-service"="c:\program files\Verizon Online\WinPoET\winpppoverethernet.exe"
"PLoader"=c:\ufd2.0\ufd.exe sys_auto_run C:\UFD2.0
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\BIN\\hpoews01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\BIN\\hpqgplgtupl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\BIN\\hpqgpc01.exe"=
"c:\\Program Files\\HP\\HP Software Update\\hpwucli.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Smart Web Printing\\SmartWebPrintExe.exe"=
.
R0 SymDS;Symantec Data Store;c:\windows\SYSTEM32\DRIVERS\NIS\1404000.028\SymDS.sys [06/19/2013 7:12 PM 367704]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\SYSTEM32\DRIVERS\NIS\1404000.028\SymEFA.sys [06/19/2013 7:12 PM 934488]
R1 BHDrvx86;BHDrvx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.4.0.40\Definitions\BASHDefs\20130620.001\BHDrvx86.sys [06/24/2013 3:26 PM 1002072]
R1 ccSet_NIS;Norton Internet Security Settings Manager;c:\windows\SYSTEM32\DRIVERS\NIS\1404000.028\ccSetx86.sys [06/19/2013 7:12 PM 134744]
R1 SymIRON;Symantec Iron Driver;c:\windows\SYSTEM32\DRIVERS\NIS\1404000.028\Ironx86.sys [06/19/2013 7:12 PM 175264]
R2 JCard Service;JCard Service;c:\icverify\ICWin404\Jcard\JCardService.exe [01/14/2011 6:49 PM 148776]
R2 MSSQL$ICV;SQL Server (ICV);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [02/10/2007 8:29 AM 29178224]
R2 NIS;Norton Internet Security;c:\program files\Norton Internet Security\Engine\20.4.0.40\ccSvcHst.exe [06/19/2013 7:11 PM 144368]
R2 Scutum50;Scutum50 NDIS Protocol Driver;c:\windows\SYSTEM32\DRIVERS\Scutum50.sys [01/04/2011 6:45 PM 19072]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [06/05/2012 8:20 AM 106656]
R3 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_20.4.0.40\Definitions\IPSDefs\20130629.001\IDSXpx86.sys [07/01/2013 8:15 PM 373728]
R3 mbamchameleon;mbamchameleon;c:\windows\SYSTEM32\DRIVERS\mbamchameleon.sys [07/01/2013 8:03 PM 35144]
S3 yukonx86;NDIS5.1 Miniport Driver for Marvell Yukon Gigabit Ethernet Adapter;c:\windows\SYSTEM32\DRIVERS\yukonx86.sys [04/05/2005 10:23 PM 176256]
S4 ServicepointService;ServicepointService;c:\program files\Verizon\VSP\ServicepointService.exe [08/26/2010 12:29 PM 668912]
S4 sprtsvc_verizondm;SupportSoft Sprocket Service (verizondm);c:\program files\VERIZONDM\bin\sprtsvc.exe [07/20/2010 1:29 AM 206120]
S4 tgsrvc_verizondm;SupportSoft Repair Service (verizondm);c:\program files\VERIZONDM\bin\tgsrvc.exe [07/20/2010 1:29 AM 185640]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - 18402636
*NewlyCreated* - 519C390032C5CD24
*NewlyCreated* - 58723795
*NewlyCreated* - 58B8F8598456
*NewlyCreated* - MBAMCHAMELEON
*Deregistered* - 18402636
*Deregistered* - 519C390032C5CD24
*Deregistered* - 58723795
*Deregistered* - 58B8F8598456
*Deregistered* - TrueSight
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12    REG_MULTI_SZ       Pml Driver HPZ12 Net Driver HPZ12
HPService    REG_MULTI_SZ       HPSLPSVC
hpdevmgmt    REG_MULTI_SZ       hpqcxs08 hpqddsvc
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
2009-03-08 08:32    128512    ----a-w-    c:\windows\SYSTEM32\advpack.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
2009-03-08 08:32    128512    ----a-w-    c:\windows\SYSTEM32\advpack.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}]
2001-03-23 20:17    7168    ----a-w-    c:\windows\SYSTEM32\updcrl.exe
.
Contents of the 'Scheduled Tasks' folder
.
2010-07-21 c:\windows\Tasks\Spybot - Search & Destroy -  Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2009-09-11 19:31]
.
.
------- Supplementary Scan -------
.

uInternet Connection Wizard,ShellNext = iexplore


Trusted Zone: aol.com\free
Trusted Zone: istockphoto.com\secure
Trusted Zone: schmidt.com\insite
Trusted Zone: schwab.com\www
Trusted Zone: schwabon.com\promo
Trusted Zone: vectorvest.com\www
Trusted Zone: websitetonight.com\app
Trusted Zone: websitetonight.com\app4
TCP: DhcpNameServer = 167.206.245.130 167.206.245.129
TCP: Interfaces\{C2BDF5CE-9A61-462E-904B-6C05BDFC68FD}: NameServer = 192.168.1.1
DPF: DirectAnimation Java Classes


FF - ProfilePath - c:\documents and settings\Chris\Application Data\Mozilla\Firefox\Profiles\erongvl3.default\
FF - ExtSQL: 2013-05-18 00:38; smartwebprinting@hp.com; c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
FF - ExtSQL: !HIDDEN! 2013-05-18 00:38; smartwebprinting@hp.com; c:\program files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-70152834.sys
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-07-01 20:51
Windows 5.1.2600 Service Pack 2 FAT NTAPI
.
scanning hidden processes ...  
.
scanning hidden autostart entries ...
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\NIS]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\20.4.0.40\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files\Norton Internet Security\Engine\20.4.0.40\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_6_602_180_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Cryptography\RNG*]
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
   bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
.
Completion time: 2013-07-01  20:55:25
ComboFix-quarantined-files.txt  2013-07-02 00:55
ComboFix2.txt  2010-08-05 18:13
ComboFix3.txt  2010-08-05 16:42
.
Pre-Run: 14,886,109,184 bytes free
Post-Run: 27,070,021,632 bytes free
.
- - End Of File - - 9A511D3877E7A691E5AD991E78BC5EF9
8F558EB6672622401DA993E1E865C861
 

 

 Results of screen317's Security Check version 0.99.68  
 Windows XP Service Pack 2 x86   
 Out of date service pack!!
 Internet Explorer 8 Out of date!
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Disabled!  
 ESET Online Scanner v3   
 Norton Internet Security    
`````````Anti-malware/Other Utilities Check:`````````
 Spybot - Search & Destroy
 Malwarebytes Anti-Malware version 1.75.0.1300  
 Java 6 Update 7  
 Java version out of Date!
 Adobe Flash Player     11.7.700.224  
 Adobe Reader XI  
 Mozilla Firefox 21.0 Firefox out of Date!  
````````Process Check: objlist.exe by Laurent````````  
 Norton ccSvcHst.exe
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C:: 21% Defragment your hard drive soon! (Do NOT defrag if SSD!)
````````````````````End of Log``````````````````````
 

 

1) Regarding the TDSSKiller report, I ran that with the default setting that does not check off any of the "other parameters" that are available.  When I ran TDSSKiller on my own the other day, I checked off everything, it did a reboot and then it found the 9 questionable unsigned files that were of concern.  Without those parameters checked, the report I posted above does not show anything to me.

 

2) What is up with that folder under windows that is named "snack"?  I notice that the time created ties in with my first "RogueKiller" scan, so that program must have created this folder and placed all the files into it for some reason...

It seems like there are all my .sys files in there and when I look at the properties of any of them, they all say "date created" as June 28th which was Friday night when I first started doing some scans on my own.  The "date modified" columns all have their original dates intact, so something in the "RogueKiller" program must need to make copies of all these .sys files for some reason.

 

3) I ran combofix with norton internet security and spybot disabled, but I did not disable the Norton smart firewall, because I did not think that was an antivirus program.  If I should have disabled that firewall app I can run combofix again.  I do notice the combofix report mentions this "snack" file as newly created too. Not sure how to interpret anything else in that report.

 

4) The newly created files also mention a directory for "Doctor web" which is another rootkit and hook program I downloaded today, but did not yet run.  They have a program called "Dr.webCureit" which other forums have recommended using to analyze SSDT hooks, but once it started to setup today, I cancelled its scan to wait to hear from this forum first.  It also wants me to agree to send all kinds of scan info to their server in order to use the free trial version, which concerns me.  It created a log file that is in that new folder which says nothing.

 

My main concern is still all these "unknown SSDT hooks" which the "RogueKiller" rootkit scan showed me over the weekend.  I know that legitimate programs tap into these areas to run, but having so many listed as "unknown" led me to believe a very stealthy rootkit might be at work on my machine.  If they were windows or adobe or norton operations that were hooked into these places, wouldn't they give the publisher's name?  These are all the unknown hooks:

 

¤¤¤ Driver : [LOADED] ¤¤¤
[Address] SSDT[12] : NtAlertResumeThread @ 0x80635F32 -> HOOKED (Unknown @ 0x8A81C080)
[Address] SSDT[13] : NtAlertThread @ 0x80581F8C -> HOOKED (Unknown @ 0x8A81C160)
[Address] SSDT[17] : NtAllocateVirtualMemory @ 0x8056FBB6 -> HOOKED (Unknown @ 0x8A794270)
[Address] SSDT[19] : NtAssignProcessToJobObject @ 0x805A975C -> HOOKED (Unknown @ 0x8A7EA118)
[Address] SSDT[31] : NtConnectPort @ 0x80591DCA -> HOOKED (Unknown @ 0x8AAA2A68)
[Address] SSDT[43] : NtCreateMutant @ 0x8057D470 -> HOOKED (Unknown @ 0x8A78F150)
[Address] SSDT[52] : NtCreateSymbolicLinkObject @ 0x805A86E8 -> HOOKED (Unknown @ 0x8A791110)
[Address] SSDT[53] : NtCreateThread @ 0x805840DD -> HOOKED (Unknown @ 0x8A7AC588)
[Address] SSDT[57] : NtDebugActiveProcess @ 0x80660711 -> HOOKED (Unknown @ 0x8A8001E8)
[Address] SSDT[68] : NtDuplicateObject @ 0x8057E299 -> HOOKED (Unknown @ 0x8A811280)
[Address] SSDT[83] : NtFreeVirtualMemory @ 0x805700B0 -> HOOKED (Unknown @ 0x8A80E008)
[Address] SSDT[89] : NtImpersonateAnonymousToken @ 0x80599621 -> HOOKED (Unknown @ 0x8A81D080)
[Address] SSDT[91] : NtImpersonateThread @ 0x80586AD6 -> HOOKED (Unknown @ 0x8A81D160)
[Address] SSDT[97] : NtLoadDriver @ 0x805B9849 -> HOOKED (Unknown @ 0x8AA6C838)
[Address] SSDT[108] : unknown @ 0x8057C120 -> HOOKED (Unknown @ 0x8A80E0D8)
[Address] SSDT[114] : NtOpenEvent @ 0x8058F5DD -> HOOKED (Unknown @ 0x8A78F070)
[Address] SSDT[122] : NtOpenProcess @ 0x8057964C -> HOOKED (Unknown @ 0x8A7D4350)
[Address] SSDT[123] : NtOpenProcessToken @ 0x805774B2 -> HOOKED (Unknown @ 0x8A794360)
[Address] SSDT[125] : NtOpenSection @ 0x8057CF33 -> HOOKED (Unknown @ 0x8A8D0EC0)
[Address] SSDT[128] : NtOpenThread @ 0x805B13C6 -> HOOKED (Unknown @ 0x8A811350)
[Address] SSDT[137] : NtProtectVirtualMemory @ 0x80583D91 -> HOOKED (Unknown @ 0x8A791008)
[Address] SSDT[206] : NtResumeThread @ 0x80584754 -> HOOKED (Unknown @ 0x8A81E080)
[Address] SSDT[213] : NtSetContextThread @ 0x806340DB -> HOOKED (Unknown @ 0x8A7FC160)
[Address] SSDT[228] : NtSetInformationProcess @ 0x80573B37 -> HOOKED (Unknown @ 0x8A7B20B0)
[Address] SSDT[240] : NtSetSystemInformation @ 0x805E5EDD -> HOOKED (Unknown @ 0x8A7CD6A0)
[Address] SSDT[253] : NtSuspendProcess @ 0x80635E77 -> HOOKED (Unknown @ 0x8A81A160)
[Address] SSDT[254] : NtSuspendThread @ 0x80635D93 -> HOOKED (Unknown @ 0x8A81E160)
[Address] SSDT[257] : NtTerminateProcess @ 0x8058C3F5 -> HOOKED (Unknown @ 0x8A812738)
[Address] SSDT[258] : unknown @ 0x805815E5 -> HOOKED (Unknown @ 0x8A7FC080)
[Address] SSDT[267] : NtUnmapViewOfSection @ 0x8057BCA8 -> HOOKED (Unknown @ 0x8A7B21A0)
[Address] SSDT[277] : NtWriteVirtualMemory @ 0x805869E5 -> HOOKED (Unknown @ 0x8A7932C8)
[Address] Shadow SSDT[307] : NtUserAttachThreadInput -> HOOKED (Unknown @ 0x8A823BC0)
[Address] Shadow SSDT[383] : NtUserGetAsyncKeyState -> HOOKED (Unknown @ 0x8A797E30)
[Address] Shadow SSDT[414] : NtUserGetKeyboardState -> HOOKED (Unknown @ 0x8A797A28)
[Address] Shadow SSDT[416] : NtUserGetKeyState -> HOOKED (Unknown @ 0x8A7E8F00)
[Address] Shadow SSDT[428] : NtUserGetRawInputData -> HOOKED (Unknown @ 0x8A7DE360)
[Address] Shadow SSDT[460] : NtUserMessageCall -> HOOKED (Unknown @ 0x8A010538)
[Address] Shadow SSDT[475] : NtUserPostMessage -> HOOKED (Unknown @ 0x8A00FFC0)
[Address] Shadow SSDT[476] : NtUserPostThreadMessage -> HOOKED (Unknown @ 0x8A00FF30)
[Address] Shadow SSDT[549] : NtUserSetWindowsHookEx -> HOOKED (Unknown @ 0x8A0834C0)
[Address] Shadow SSDT[552] : NtUserSetWinEventHook -> HOOKED (Unknown @ 0x8A011438)
 

When I see things are hooked into my "keyboard state", "raw input", "key state", etc., it really looks like something is reading everything I enter into my computer.  Maybe these things are normal?  They definitely look like some kind of spying to me.

 

 

5) As for the security check report, I am aware of how overdue I am to update to windows XP SP3, and java as well.  I had such a bad time with SP3 on another computer of mine that I have avoided updating it onto this machine because it slowed down my other machine so terribly. Many XP users reported the same issue when SP3 first came out, it was like putting sand in the gears.   I depend on this computer for my home office work and my other machine is pretty useless now since getting XP SP3 on it.

 

I also don't want to go to Win7 or 8 because they are 64 bit and I still depend on several specialized DOS programs everyday to get work done, and it's questionable if they will work properly or even interface with their print drivers once I get out of the 32 bit architecture.  If a program has been bulletproof and served me well for 20 years, I can't see discarding it just because windows has moved on and wants everyone to do the same.  That may sound ridiculous, but I just went through a nightmare getting win7 SP1 installed on my wife's new laptop because Microsoft throws out these gigantic updates that don't always work.  I spent 12 hours on the phone with the MS tech people in India one night going through downloading the entire win7 image file, and SP1 file, then completely re-installing win7 from scratch and manually installing SP1 because the SP1 update had totally corrupted the win7 system while trying to update itself through Automatic Updates.  So I am not a big fan of these Service Packs, or even win7 or 8 with so many changes I need to relearn and adapt to.  I'm quite comfortable with XP and will stick with it as long as I can.  But I know I do need to put in the SP3 update sooner or later and live with the consequences just to get back to getting the security updates for XP that still come out all the time.

 

I have given up on IE 8 because it is so slow at most times and most websites now.  I can't go to ie9 with XP, so I don't care if I have an outdated IE version.  I have abandoned IE completely in favor of Firefox (which needs an update now as well, they update it every few weeks it seems). Java is another story which goes back to win98 (remember those good old days?).  I need to interface with an online offset press print proofing system that requires java, but no java update past the one I have now installed would work via ie8.  (It's the only time I even use ie8, when I go to this one website).  My only conclusion was that this version of java was the last to work with win98, and because my XP was an upgrade from win98, not a fresh install, somehow java and/or other website codes "think" this is still a win98 computer knocking on the door.  So a later version of java did install and run for me, but did not actually work correctly at the most important website I go to.  I had to reinstall the older version 6 that still worked for me at the time and I've left it alone for several years.  I never figured out any other explanation for this, but I can't risk cutting myself off again from this job site I use.  If I do a good restore point, I guess I can upgrade java and see if java via Firefox then works at the site I need.  If it does not, I can roll the computer back and hopefully still have my currently functioning way to see online print proofs from home.  (Anybody reading this must think I'm some kind of dinosaur, but I don't believe in fixing things that aren't broke, and I don't do any gaming or other high-intensity operations where I need to have the latest and fastest OS).
But I do see where these things are vulnerable and if I'm certain this PC is clean of any rootkit, keylogger or malware, I can start with XP SP3 and go from there moving myself into the newer versions of everything I can, but just one small step at a time all the while making sure each update actually functions as intended. 

 

Thanks for your help today, I look forward to your response about those unknown SSDT hooks and the combofix report.  The computer seems to be working fine, but it was fine last Friday too, when my routine malwarebytes and spybot scans turned up some things that were definitely not good, and then RogueKiller really got me worried.

 

 

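The hook listing in the post above, which its author reads as keylogging, can be triaged by grouping each hooked service by its normal purpose; the helper's reply later in the thread (legitimate programs hook these services too) is the reason the grouping only narrows the question. The following Python is an added example, not code from the thread or from RogueKiller: it parses lines in the report format shown above (sample lines constructed from the post's own entries), and the purpose groups are my own rough assignment.

```python
"""Triage helper for SSDT / Shadow SSDT hook lines in the report format above.
Groups each hooked service by what it is normally used for. Reading aid only:
security products and rootkits alike place handlers outside any driver image
(which is why the scanner prints "Unknown"), so this narrows what the hooks do;
it does not prove who installed them."""
import re
from collections import Counter
from typing import Dict, List, NamedTuple, Optional

# Constructed sample: a subset of the post's entries, plus a banner line to skip.
SAMPLE_LOG = """\
Driver : [LOADED]
[Address] SSDT[17] : NtAllocateVirtualMemory @ 0x8056FBB6 -> HOOKED (Unknown @ 0x8A794270)
[Address] SSDT[97] : NtLoadDriver @ 0x805B9849 -> HOOKED (Unknown @ 0x8AA6C838)
[Address] SSDT[108] : unknown @ 0x8057C120 -> HOOKED (Unknown @ 0x8A80E0D8)
[Address] SSDT[122] : NtOpenProcess @ 0x8057964C -> HOOKED (Unknown @ 0x8A7D4350)
[Address] SSDT[257] : NtTerminateProcess @ 0x8058C3F5 -> HOOKED (Unknown @ 0x8A812738)
[Address] SSDT[277] : NtWriteVirtualMemory @ 0x805869E5 -> HOOKED (Unknown @ 0x8A7932C8)
[Address] Shadow SSDT[383] : NtUserGetAsyncKeyState -> HOOKED (Unknown @ 0x8A797E30)
[Address] Shadow SSDT[414] : NtUserGetKeyboardState -> HOOKED (Unknown @ 0x8A797A28)
[Address] Shadow SSDT[549] : NtUserSetWindowsHookEx -> HOOKED (Unknown @ 0x8A0834C0)
"""

HOOK_RE = re.compile(
    r"^\[Address\] (?P<table>Shadow SSDT|SSDT)\[(?P<index>\d+)\] : "
    r"(?P<name>\S+)(?: @ 0x(?P<orig>[0-9A-Fa-f]+))? -> HOOKED "
    r"\((?P<owner>[^@]+?) @ 0x(?P<target>[0-9A-Fa-f]+)\)$")

class Hook(NamedTuple):
    table: str               # "SSDT" (ntoskrnl services) or "Shadow SSDT" (win32k)
    index: int               # service number within that table
    name: str                # service name; "unknown" when the scanner had no name for it
    original: Optional[int]  # where the entry should point (not printed for Shadow SSDT)
    owner: str               # module the handler was attributed to; "Unknown" if none
    target: int              # where the entry points now

# Rough purpose groups (my own assignment) covering the services hooked in the post.
CATEGORIES: Dict[str, frozenset] = {
    "input capture": frozenset({
        "NtUserGetAsyncKeyState", "NtUserGetKeyboardState", "NtUserGetKeyState",
        "NtUserGetRawInputData", "NtUserAttachThreadInput", "NtUserSetWindowsHookEx",
        "NtUserSetWinEventHook"}),
    "process/thread control": frozenset({
        "NtOpenProcess", "NtOpenThread", "NtOpenProcessToken", "NtTerminateProcess",
        "NtCreateThread", "NtSuspendProcess", "NtSuspendThread", "NtResumeThread",
        "NtAlertThread", "NtAlertResumeThread", "NtSetContextThread", "NtDebugActiveProcess",
        "NtAssignProcessToJobObject", "NtDuplicateObject", "NtSetInformationProcess",
        "NtImpersonateThread", "NtImpersonateAnonymousToken"}),
    "memory access": frozenset({
        "NtAllocateVirtualMemory", "NtFreeVirtualMemory", "NtProtectVirtualMemory",
        "NtWriteVirtualMemory", "NtUnmapViewOfSection", "NtOpenSection"}),
    "kernel/driver load": frozenset({
        "NtLoadDriver", "NtSetSystemInformation", "NtCreateSymbolicLinkObject"}),
}

def categorize(name: str) -> str:
    # "unknown" in the name slot means the scanner could not resolve that service number
    if name == "unknown":
        return "unresolved name"
    return next((label for label, members in CATEGORIES.items() if name in members), "other")

def parse_hooks(text: str) -> List[Hook]:
    """Parse every '[Address] ... -> HOOKED (...)' line; anything else is ignored."""
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if m:
            hooks.append(Hook(m["table"], int(m["index"]), m["name"],
                              int(m["orig"], 16) if m["orig"] else None,
                              m["owner"].strip(), int(m["target"], 16)))
    return hooks

def hooks_by_category(hooks: List[Hook]) -> Dict[str, List[str]]:
    """Service names grouped by purpose, each group in report order."""
    groups: Dict[str, List[str]] = {}
    for h in hooks:
        groups.setdefault(categorize(h.name), []).append(h.name)
    return groups

def summarize(hooks: List[Hook]) -> dict:
    """Counts plus address ranges. Original entries all sit inside the kernel image;
    handlers installed by one driver tend to cluster in a few 1 MiB regions."""
    originals = [h.original for h in hooks if h.original is not None]
    targets = [h.target for h in hooks]
    return {
        "total": len(hooks),
        "by_category": dict(Counter(categorize(h.name) for h in hooks)),
        "unattributed": sum(h.owner == "Unknown" for h in hooks),
        "original_range": (min(originals), max(originals)) if originals else None,
        "handler_range": (min(targets), max(targets)) if targets else None,
        "handler_regions": dict(Counter(t & ~0xFFFFF for t in targets)),
    }

if __name__ == "__main__":
    for label, names in hooks_by_category(parse_hooks(SAMPLE_LOG)).items():
        print(f"{label:>22}: {', '.join(names)}")
    print(summarize(parse_hooks(SAMPLE_LOG)))
```

Run it against the full listing from the post to see every hooked service sorted into a purpose group and how many handler regions the hooks share.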

 

1) Regarding the TDSSKiller report, I ran that with the default setting that does not check off any of the "other parameters" that are available.  When I ran TDSSKiller on my own the other day, I checked off everything, it did a reboot and then it found the 9 questionable unsigned files that were of concern.  Without those parameters checked, the report I posted above does not show anything to me.

Do you happen to have that log saved? If so, please post it.

 

2) What is up with that folder under windows that is named "snack"?  I notice that the time created ties in with my first "RogueKiller" scan, so that program must have created this folder and placed all the files into it for some reason...

It seems like there are all my .sys files in there and when I look at the properties of any of them, they all say "date created" as June 28th which was Friday night when I first started doing some scans on my own.  The "date modified" columns all have their original dates intact, so something in the "RogueKiller" program must need to make copies of all these .sys files for some reason.

I believe it's related to RogueKiller.

 

 

3) I ran combofix with norton internet security and spybot disabled, but I did not disable the Norton smart firewall, because I did not think that was an antivirus program.  If I should have disabled that firewall app I can run combofix again.  I do notice the combofix report mentions this "snack" file as newly created too. Not sure how to interpret anything else in that report.

Don't worry about it, it appears to have run just fine.

 

 

4) The newly created files also mention a directory for "Doctor web" which is another rootkit and hook program I downloaded today, but did not yet run.  They have a program called "Dr.webCureit" which other forums have recommended using to analyze SSDT hooks, but once it started to setup today, I cancelled its scan to wait to hear from this forum first.  It also wants me to agree to send all kinds of scan info to their server in order to use the free trial version, which concerns me.  It created a log file that is in that new folder which says nothing.

Please avoid running any programs without my supervision as I help you, the reason being that it makes it impossible for me to keep track of what we're currently doing to your PC.

 

 

When I see things are hooked into my "keyboard state", "raw input", "key state", etc., it really looks like something is reading everything I enter into my computer.  Maybe these things are normal?  They definitely look like some kind of spying to me.

Some legitimate programs do this, yes. It's tough to say at this point what is causing it.

 

----------

 

Please do the following:

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

KILLALL::

 

Driver::

18402636

58723795

58B8F8598456

58B085C33B22

519C390032C5CD24

File::

C:\Windows\System32\Drivers\18402636.sys

C:\Windows\System32\Drivers\58723795.sys

c:\documents and settings\chris\local settings\temp\58B8F8598456.sys

c:\documents and settings\chris\local settings\temp\58B085C33B22.sys

C:\Windows\System32\Drivers\519C390032C5CD24.sys

 

Reboot::

Save this as CFScript.txt, in the same location as ComboFix.exe

CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I shall require in your next reply.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Please include the newly-created C:\ComboFix.txt in your next reply, and let me know how things are running now

 


Here is the earlier TDSSKiller report I ran Friday night before posting to the forum.  Every time I try to post it here, I get a message from the forum saying "post too long", so I have attached it as a TXT document.
 

I have tried to rerun combofix twice this morning with the script you gave me, but both times it completed the first 50 stages, then just hangs on the line that says "deleting folders: c:\documents and settings\all users\application data\temp"  This temp folder still exists but it is empty.  I let the scans run for several hours and did not touch the mouse or screen, so I don't think it's because I did not give them enough time to complete.  After I decided to abort, I clicked on the tab in my taskbar and that's when I saw both times it got hung up at the same point of deleting folders.  Both times there is a lot of hard drive activity in the first few minutes, monitor goes on and off, then just an occasional red light blinking showing some hard drive activity over the course of the next couple hours.  But I think that may just be from Windows accessing the drive, not from the combofix continuing to process anything. What should we do next?  Thanks.

TDDSKiller report 6-29-13.txt


I have rebooted the computer twice today after the CF got hung up, and now notice that none of the 5 .sys files you reference in your script are currently in those folders.  (Unless they are completely hidden to me in some way).  So maybe that part of the script has done its work, but CF still gets hung up after completing the 50 stages.  Just sits there at "deleting folders: c:\documents and settings\all users\application data\temp".  Right at the start of the first attempt this AM, CF did pop up a notice that "a newer version is available", and then I chose to have it update itself.  Could something have gone wrong with the ComboFix update process so that this file version on my desktop is no longer any good?  Maybe I should not have allowed it to update itself on the fly?  Thanks.


No success in safe mode. I tried combofix with the script you gave me in safe mode.  (No networking, no command prompt, just the first option in recovery console that says only "safe mode".)  The scan started quick and seemed to be humming along for 15 minutes or more but then my screen went all black (all the desktop icons I could see in safe mode disappeared), but the little white text messages that say "safe mode" were still visible on screen.  Then it sat there for almost an hour this way with absolutely no hard drive movements or red blinks on the HD light.  So I figured it was not going to get going again. 

 

I looked for a report under the C:\ drive in case it had actually completed its scan without rebooting or notifying me, and I notice I now have some kind of mirror image of My Computer inside a folder that says "combofix".  Instead of a folder icon, I actually see the My Computer icon in the explorer tree next to the folder labeled "combofix" and then when I open this folder I see everything else that is usually found under My Computer; drives, folders, etc.  Maybe combofix is creating this and fails to clean it all up because it never finishes the scan?

 

Do I download a new copy of CF, or try scan again without the script? 


I just noticed when I open that "combofix" folder there is another "combofix" folder inside under the C:\ directory and when I open that there is another C:\ directory showing with another "combofix" folder, and it looks like an endless loop of mirrored files and/or file directories that goes on and on.  Could this all be mixing up the combofix scan and causing the hang ups?  Should I just delete that first "combofix" folder from the explorer directory tree to see if combofix can then complete a scan?  Thanks.


Go ahead and rename your current version of ComboFix.exe to Uninstall.exe. Run that- ComboFix will uninstall itself.

 

Next, download a new copy of ComboFix.exe, and rename it to Cheese.exe. Please run that (scan only, no script this time) in Safe Mode. Please post the new ComboFix.txt it creates.


I'm having nothing but trouble with Combofix.  Renaming it to "uninstall.exe" would not uninstall it in normal Windows mode, it just started doing the usual autoscan, completes the 50 steps, then just hangs on the line that says "deleting folders: c:\documents and settings\all users\application data\temp".

 

I then used the run command "combofix /uninstall" and that seemed to have removed it, but it never gave me a final pop up telling me it was successfully uninstalled. The icon was still on my desktop, but there was no folder anymore in my C:\ directory that was called combofix, so I just deleted the icon on my desktop.  Then I downloaded a new combofix file, renamed it cheese.exe and ran that in safe mode.  Exactly the same result, it just hangs on the line that says "deleting folders: c:\documents and settings\all users\application data\temp".  I went to bed and let it run all night thinking maybe it would get past this stage while in safe mode if I just gave it enough time, even though I saw no HD activity or CPU usage going on.  It never went further when I looked this AM.  I used the run command to uninstall it in safe mode, and got the complete message that says "combofix is uninstalled", and the desktop icon for it disappeared.  I rebooted to normal mode, turned norton back on, and then downloaded combofix again, turned norton off and rebooted to safe mode.  Then tried everything again with the file again renamed as cheese.exe but exactly the same result.  It just hangs on the line that says "deleting folders: c:\documents and settings\all users\application data\temp".  I uninstalled it again in safe mode and I'm now waiting for your advice. I see I have lost all my restore points, so I can't go back a couple days to when combofix actually successfully ran and try all over from that point. 

 

I have always had spybot installed, it's caught lots of bad things for me, and the teatimer file does not run in safe mode, so I don't think that's a problem here.  But I do remember when I first ran the 4 different reports and scans you requested at the start of this issue, spybot's teatimer function popped up when I rebooted the next morning (I turn off the computer every evening to further reduce the risk of any hacking going on) and I recall it giving me about 5 prompts notifying me about changes to my system, and asking me if I want to deny or accept each one.  I'm trying to figure out how to access those records, they are not under "log files" which are scan reports, because I always ask spybot to remember each change, but I don't know how to find the records of those individual changes made and recorded.  I remember allowing most of them but I did not allow my browser home page to be reset to microsoft or allow microsoft to become my default search provider, which is something I think combofix does to make sure you get away from any spoofed search malware. So even if I managed to disallow something that affects combofix, I would think that running in safe mode would completely eliminate any possible interference from spybot with a new scan by a new combofix file.

 

I also notice when I boot to safe mode, it gives me 2 users, myself and administrator, but I am the administrator so maybe safe mode routinely does this in case you want to work from a completely clean point or something?  The other concern of mine is when I see combofix unpacking itself and backing up my registry right at the start of each attempt, I notice that it lists very quickly that it is saving system info on 4 users, which I do not have, there is just me.  Unless there is something going on here with more user profiles being created by some malware?

 

I could try to run combofix all over again in safe mode using the default administrator profile, but then I have to figure out how to get combofix onto that desktop, since I never see a separate user profile just for administrator when I boot in normal mode.  I don't think I want to go onto the internet from safe mode, and I'm not sure I even can in that limited environment.  So how would I download a copy of combofix directly to that profile?  And would it make any difference in the scan results since I am the administrator and have full access to the system under my current profile any way?  Many thanks for your help here, this is starting to get a lot more involved than I expected. 


Try uninstalling both Norton and Spybot for now. After that, see if ComboFix will run this time. If not, we'll move on to something else.

 

In the meantime, please also run this:

 

Please download RogueKiller to your desktop

  • Quit all running programs
  • For Vista/Seven, right click -> run as administrator, for XP simply run RogueKiller.exe
  • When prompted, type 1 and validate
  • The RKreport.txt shall be generated next to the executable.
  • If the program is blocked, do not hesitate to try several times. If it really does not work (it could happen), rename it to winlogon.exe

Please post the contents of the RKreport.txt in your next Reply.


Just getting to your post now, but what has me worried is one of the 4 user profiles I see on my computer.  My own under my name, and an "administrator" profile were created in 2005.  Those are the only 2 that should be there.

 

But there is a third profile called "administrator.newP4" which was created on June 3, 2013.  (NewP4 is the name my computer had when it was part of a network a few years ago, but this machine is on its own right now.)   I work at home and never would have knowingly created this profile, and I don't recall running any in-depth scans at that time.  This is suspicious to me, and do you know if there are malware programs that work this way, by creating a copy of an administrator account to do bad things?

 

The 4th user profile was just created on June 29th, and the time of day relates to when I ran RogueKiller on my own last Saturday night, so that program copied the 3rd Administrator account as a base and named itself "administrator.newP4.000".

I definitely think I should delete these last 2 profiles.  I know when I run RogueKiller again now as per your instructions above, it will create another new profile for itself anyway.

 

I'll see about removing spybot and norton to see if I can ever get a complete scan from Combofix and get back to you on that.  Thanks.


 

Just getting to your post now, but what has me worried is one of the 4 user profiles I see on my computer.  My own under my name, and an "administrator" profile were created in 2005.  Those are the only 2 that should be there.

 

But there is a third profile called "administrator.newP4" which was created on June 3, 2013.  (NewP4 is the name my computer had when it was part of a network a few years ago, but this machine is on its own right now.)   I work at home and never would have knowingly created this profile, and I don't recall running any in-depth scans at that time.  This is suspicious to me, and do you know if there are malware programs that work this way, by creating a copy of an administrator account to do bad things?

Today's malware doesn't really need to make new administrator accounts to survive on an infected machine. It's possible, but I have yet to see it. I wouldn't worry.


Here's the RogueKiller report which came out the same as when I did it on my own this weekend.  It again shows all the unknown SSDT hooks which prompted me to post on this forum in the first place, but no bad files or bad process.  I recognize 3 of the 5 registry entries as harmless: combofix turned off system restore and I can turn it back on, and the last 2 refer to my desktop layout, I don't want or need Internet Explorer and My Computer icons on my desktop.  The 2 that refer to disable registry tools you can probably tell me more about.

 

RogueKiller V8.6.2 [Jul  3 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com


Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 2) 32 bits version
Started in : Normal mode
User : Chris [Admin rights]
Mode : Scan -- Date : 07/03/2013 17:44:14
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 5 ¤¤¤
[HJ POL] HKCU\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ POL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ] HKLM\[...]\SystemRestore : DisableSR (1) -> FOUND
[HJ DESK] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ DESK] HKCU\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤
[Address] SSDT[12] : NtAlertResumeThread @ 0x80635F32 -> HOOKED (Unknown @ 0x8A82A9C8)
[Address] SSDT[13] : NtAlertThread @ 0x80581F8C -> HOOKED (Unknown @ 0x8A82B960)
[Address] SSDT[17] : NtAllocateVirtualMemory @ 0x8056FBB6 -> HOOKED (Unknown @ 0x8ABB0508)
[Address] SSDT[19] : NtAssignProcessToJobObject @ 0x805A975C -> HOOKED (Unknown @ 0x8A783BD8)
[Address] SSDT[31] : NtConnectPort @ 0x80591DCA -> HOOKED (Unknown @ 0x8AB2C4F8)
[Address] SSDT[43] : NtCreateMutant @ 0x8057D470 -> HOOKED (Unknown @ 0x8A807588)
[Address] SSDT[52] : NtCreateSymbolicLinkObject @ 0x805A86E8 -> HOOKED (Unknown @ 0x8A8AAA80)
[Address] SSDT[53] : NtCreateThread @ 0x805840DD -> HOOKED (Unknown @ 0x8ABD2CF0)
[Address] SSDT[57] : NtDebugActiveProcess @ 0x80660711 -> HOOKED (Unknown @ 0x8A783CB8)
[Address] SSDT[68] : NtDuplicateObject @ 0x8057E299 -> HOOKED (Unknown @ 0x8A894348)
[Address] SSDT[83] : NtFreeVirtualMemory @ 0x805700B0 -> HOOKED (Unknown @ 0x8A9C72A8)
[Address] SSDT[89] : NtImpersonateAnonymousToken @ 0x80599621 -> HOOKED (Unknown @ 0x8AA0A2A8)
[Address] SSDT[91] : NtImpersonateThread @ 0x80586AD6 -> HOOKED (Unknown @ 0x8A82A908)
[Address] SSDT[97] : NtLoadDriver @ 0x805B9849 -> HOOKED (Unknown @ 0x8AA6C288)
[Address] SSDT[108] : unknown @ 0x8057C120 -> HOOKED (Unknown @ 0x8AA3EE50)
[Address] SSDT[114] : NtOpenEvent @ 0x8058F5DD -> HOOKED (Unknown @ 0x8A8074C8)
[Address] SSDT[122] : NtOpenProcess @ 0x8057964C -> HOOKED (Unknown @ 0x8A9B6280)
[Address] SSDT[123] : NtOpenProcessToken @ 0x805774B2 -> HOOKED (Unknown @ 0x8AA07CF8)
[Address] SSDT[125] : NtOpenSection @ 0x8057CF33 -> HOOKED (Unknown @ 0x8A782488)
[Address] SSDT[128] : NtOpenThread @ 0x805B13C6 -> HOOKED (Unknown @ 0x8A7B9D58)
[Address] SSDT[137] : NtProtectVirtualMemory @ 0x80583D91 -> HOOKED (Unknown @ 0x8A85CD58)
[Address] SSDT[206] : NtResumeThread @ 0x80584754 -> HOOKED (Unknown @ 0x8A784BD8)
[Address] SSDT[213] : NtSetContextThread @ 0x806340DB -> HOOKED (Unknown @ 0x8A776800)
[Address] SSDT[228] : NtSetInformationProcess @ 0x80573B37 -> HOOKED (Unknown @ 0x8A74F2C8)
[Address] SSDT[240] : NtSetSystemInformation @ 0x805E5EDD -> HOOKED (Unknown @ 0x8A9B5898)
[Address] SSDT[253] : NtSuspendProcess @ 0x80635E77 -> HOOKED (Unknown @ 0x8A782568)
[Address] SSDT[254] : NtSuspendThread @ 0x80635D93 -> HOOKED (Unknown @ 0x8A784CB8)
[Address] SSDT[257] : NtTerminateProcess @ 0x8058C3F5 -> HOOKED (Unknown @ 0x8AACFAC8)
[Address] SSDT[258] : unknown @ 0x805815E5 -> HOOKED (Unknown @ 0x8A776720)
[Address] SSDT[267] : NtUnmapViewOfSection @ 0x8057BCA8 -> HOOKED (Unknown @ 0x8AA2ECE8)
[Address] SSDT[277] : NtWriteVirtualMemory @ 0x805869E5 -> HOOKED (Unknown @ 0x8A9BDD78)
[Address] Shadow SSDT[307] : NtUserAttachThreadInput -> HOOKED (Unknown @ 0x8A8F69B8)
[Address] Shadow SSDT[383] : NtUserGetAsyncKeyState -> HOOKED (Unknown @ 0x8A9FB998)
[Address] Shadow SSDT[414] : NtUserGetKeyboardState -> HOOKED (Unknown @ 0x8A7A0F48)
[Address] Shadow SSDT[416] : NtUserGetKeyState -> HOOKED (Unknown @ 0x8A87B998)
[Address] Shadow SSDT[428] : NtUserGetRawInputData -> HOOKED (Unknown @ 0x8A8669A8)
[Address] Shadow SSDT[460] : NtUserMessageCall -> HOOKED (Unknown @ 0x8A89BA78)
[Address] Shadow SSDT[475] : NtUserPostMessage -> HOOKED (Unknown @ 0x8ABBFF38)
[Address] Shadow SSDT[476] : NtUserPostThreadMessage -> HOOKED (Unknown @ 0x8A9AA508)
[Address] Shadow SSDT[549] : NtUserSetWindowsHookEx -> HOOKED (Unknown @ 0x8A9339A8)
[Address] Shadow SSDT[552] : NtUserSetWinEventHook -> HOOKED (Unknown @ 0x8ABD1758)

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection :  ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts


127.0.0.1       localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD1600AAJB-00PVA0 +++++
--- User ---
[MBR] 9212c60488c379c3477db500875b8ba1
[bSP] ea9314568ec1aceb9d460933d5472acb : Windows XP MBR Code
Partition table:
0 - [ACTIVE] FAT32-LBA (0x0c) [VISIBLE] Offset (sectors): 63 | Size: 152625 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[0]_S_07032013_174414.txt >>


I uninstalled spybot before running this report, but only disabled norton.  I need to find my paperwork on norton before I uninstall it so I will be able to reinstall it again without having to pay for it all over.  I can try combofix again without spybot on the machine and maybe it will work without removing norton at all.  Please get back to me about any next steps.
 


Are we uninstalling norton just to see if RogueKiller or Combofix find something else malicious?  Or just to see if the SSDT hooks go with Norton?  The RogueKiller report I just sent you does not show the symantec (norton) hooks which were there, I guess RK considers them benign since they are identified.  (There were about 4 of those, not sure at which points they attached).

 

But the actual TXT report that RogueKiller produces only reports the unknown ones, which is what it produces for upload to you.  So I don't think norton will be responsible for any of the unknown hooks as they seem to be OK with identifying themselves on the other hooks.  Just trying to minimize my problems tonight, I think I need to download a special norton uninstaller which is supposed to take care of a lot more remnants and orphans that the regular uninstall function provided with the program leaves behind.  I remember I had to do the special McAfee uninstall tool when I got rid of that on my wife's computer, these big AntiVirus programs dig themselves in everywhere in the hopes of stopping more attacks I guess.


Help!  I removed norton using their removal tool.  Upon reboot, a Windows Installer comes up looking to install something, not sure what, via a temp directory that is empty.  Asks me to browse to correct location.   I have to end the process through task manager as it keeps re-popping open.  Once gone, things look normal.  But when I click on any desktop icon or folder, another Windows installer pops up to install "Smart Web Printing", which I believe is related to my HP Printer software.  Smart web printing was not compatible with newer versions of firefox and I have not seen anything about Smart Web printing in quite a while on my machine.  However, if I cancel out of this Smart Web printing install via task manager, I lose my desktop and taskbar.  Nothing but a big blank green screen (my default background color).  Computer is still functioning underneath the blank screen.

 

I am able to operate through task manager by using browse function, and open files and even open firefox to post this.  I have rebooted twice and get same problem with losing the desktop completely.

 

However, I just ran RogueKiller and the report shows no hooks at all in any drivers, which I find unbelievable.  Norton would tunnel in to every function of my computer and not even identify their hooks?? But would identify 4 out of about 25?? Why not identify them all so folks like us would know what we had attached to the kernel?

 

This is all RK report shows, the 4 questionable registry entries.  Last 2 are fine, I disabled some desktop icons I don't want, but what do the first 2 refer to?  Are they risky? Should I have RK fix them?  Will I be unable to modify my registry if these are left as is? Not sure what "registry tools" are.

 

RogueKiller V8.6.2 [Jul  3 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com


Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 2) 32 bits version
Started in : Normal mode
User : Chris [Admin rights]
Mode : Scan -- Date : 07/03/2013 22:36:41
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 4 ¤¤¤
[HJ POL] HKCU\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ POL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND
[HJ DESK] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
[HJ DESK] HKCU\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Scheduled tasks : 0 ¤¤¤

¤¤¤ Startup Entries : 0 ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ External Hives: ¤¤¤

¤¤¤ Infection :  ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> %SystemRoot%\System32\drivers\etc\hosts


127.0.0.1       localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD1600AAJB-00PVA0 +++++
--- User ---
[MBR] 9212c60488c379c3477db500875b8ba1
[bSP] ea9314568ec1aceb9d460933d5472acb : Windows XP MBR Code
Partition table:
0 - [ACTIVE] FAT32-LBA (0x0c) [VISIBLE] Offset (sectors): 63 | Size: 152625 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[0]_S_07032013_223641.txt >>


I have not yet tried to run combofix because I'm very concerned about this lost desktop.

Is there an easy way around this, to restore my desktop, as the computer appears to be working OK otherwise?

 

Something has gotten corrupted in some way that I don't understand.  Some kind of registry entry that is trying to run these installers at boot up?  I did see the first installer onscreen right after the norton removal tool completed and then it told me to finish removal by restarting computer.  It flashed by and then computer shut down before I could read it.  Task manager is able to kill the process off at reboot, it's this second installer window that comes up asking about Smart web printing that knocks my desktop out as soon as I try to kill it off.

 

Unless we've somehow uncovered a lurking piece of malware that is the cause of this problem I have right now?  Thanks, I'll watch my phone for a notice that you've posted to this forum as it's hard to operate this way with no desktop or taskbar.  

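As an added example (not code from this thread, from RogueKiller, or from any tool mentioned in it), here is a small Python triage script for hook listings in the format RogueKiller prints above. It parses the `[Address] SSDT[...]` and `Shadow SSDT[...]` lines, separates hooks whose owner is reported as `Unknown` from hooks attributed to a module, flags the user-input syscalls the poster was worried about (key state, raw input, window hooks), and diffs two reports so that hooks which vanish after a product uninstall, as the 25 or so hooks did here once Norton was removed, can be attributed to that product rather than to malware. The sample lines are copied from the two reports in this thread; the `example_vendor.sys` line and its `NtExamplePlaceholder` name are constructed placeholders, added only so the parser has one attributed hook to show, and the set of input-related syscall names is my own choice.

```python
"""Triage RogueKiller SSDT / Shadow SSDT hook listings and diff two reports."""
import re
from collections import Counter
from typing import Dict, List, NamedTuple, Set, Tuple

# Constructed sample input: lines copied from the two RogueKiller reports quoted
# in this thread (before and after the Norton uninstall), trimmed to a handful.
# The 'example_vendor.sys' / NtExamplePlaceholder line is an invented placeholder
# so that one hook has a resolved owner; it is not from the page.
REPORT_BEFORE = """\
¤¤¤ Driver : [LOADED] ¤¤¤
[Address] SSDT[17] : NtAllocateVirtualMemory @ 0x8056FBB6 -> HOOKED (Unknown @ 0x8ABB0508)
[Address] SSDT[97] : NtLoadDriver @ 0x805B9849 -> HOOKED (Unknown @ 0x8AA6C288)
[Address] SSDT[108] : unknown @ 0x8057C120 -> HOOKED (Unknown @ 0x8AA3EE50)
[Address] SSDT[122] : NtOpenProcess @ 0x8057964C -> HOOKED (Unknown @ 0x8A9B6280)
[Address] SSDT[277] : NtWriteVirtualMemory @ 0x805869E5 -> HOOKED (Unknown @ 0x8A9BDD78)
[Address] SSDT[300] : NtExamplePlaceholder @ 0x80500000 -> HOOKED (example_vendor.sys @ 0x8A000000)
[Address] Shadow SSDT[383] : NtUserGetAsyncKeyState -> HOOKED (Unknown @ 0x8A9FB998)
[Address] Shadow SSDT[414] : NtUserGetKeyboardState -> HOOKED (Unknown @ 0x8A7A0F48)
[Address] Shadow SSDT[428] : NtUserGetRawInputData -> HOOKED (Unknown @ 0x8A8669A8)
[Address] Shadow SSDT[549] : NtUserSetWindowsHookEx -> HOOKED (Unknown @ 0x8A9339A8)

¤¤¤ External Hives: ¤¤¤
"""

# The post-uninstall report in the thread lists no hooks at all.
REPORT_AFTER = """\
¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ External Hives: ¤¤¤
"""

# Shadow SSDT entries that read keyboard state or install window hooks; an
# unresolved hook on these is what a keylogger would need, so they are flagged
# for closer attribution. This list is my own selection, not RogueKiller's.
INPUT_CAPTURE = {
    "NtUserGetAsyncKeyState", "NtUserGetKeyboardState", "NtUserGetKeyState",
    "NtUserGetRawInputData", "NtUserSetWindowsHookEx", "NtUserAttachThreadInput",
}


class Hook(NamedTuple):
    table: str      # "SSDT" or "Shadow SSDT"
    index: int      # service table slot
    name: str       # syscall name as printed ("unknown" if the tool could not resolve it)
    owner: str      # module the hook was attributed to, or "Unknown"
    hook_addr: int  # address the table entry now points at


# Shadow SSDT lines carry no "@ <original address>" part, hence the optional group.
HOOK_LINE = re.compile(
    r"^\[Address\] (?P<table>Shadow SSDT|SSDT)\[(?P<index>\d+)\] : "
    r"(?P<name>\S+)(?: @ 0x[0-9A-Fa-f]+)? -> HOOKED "
    r"\((?P<owner>.+?) @ (?P<addr>0x[0-9A-Fa-f]+)\)$"
)


def parse_hooks(report: str) -> List[Hook]:
    """Extract every hook line from a RogueKiller report; other lines are ignored."""
    hooks: List[Hook] = []
    for line in report.splitlines():
        m = HOOK_LINE.match(line.strip())
        if m:
            hooks.append(Hook(m["table"], int(m["index"]), m["name"],
                              m["owner"], int(m["addr"], 16)))
    return hooks


def triage(hooks: List[Hook]) -> Dict[str, object]:
    """Summarise a hook list: how many are unattributed and which of those touch input."""
    unknown = [h for h in hooks if h.owner == "Unknown"]
    return {
        "total": len(hooks),
        "unknown": len(unknown),
        "owners": Counter(h.owner for h in hooks),
        "input_related_unknown": sorted(h.name for h in unknown if h.name in INPUT_CAPTURE),
        # slots whose syscall name the tool itself could not resolve (e.g. SSDT[108])
        "unresolved_name_indexes": sorted(h.index for h in unknown if h.name == "unknown"),
    }


def diff_hooks(before: List[Hook], after: List[Hook]) -> Tuple[Set[tuple], Set[tuple]]:
    """Return (hooks gone after the change, hooks newly present), keyed by table slot."""
    key = lambda h: (h.table, h.index, h.name)
    b, a = {key(h) for h in before}, {key(h) for h in after}
    return b - a, a - b


if __name__ == "__main__":
    before = parse_hooks(REPORT_BEFORE)
    print(triage(before))
    gone, new = diff_hooks(before, parse_hooks(REPORT_AFTER))
    print(f"{len(gone)} hooks disappeared after the uninstall, {len(new)} appeared")
```

Run the script against the two complete reports and every hook lands in the "gone" set with nothing new appearing, which is the evidence the helper used to attribute the hooks to Norton; a hook that survives the uninstall, or one that appears only in a later report, is the one to investigate further.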

However, I just ran RogueKiller and the report shows no hooks at all in any drivers, which I find unbelievable.  Norton would tunnel in to every function of my computer and not even identify their hooks?? But would identify 4 out of about 25?? Why not identify them all so folks like us would know what we had attached to the kernel?

Yep, that's Norton for you. <_< I had a feeling those hooks were due to their software (I've seen it before)... It's not malicious, but it sure is a huge pain in the butt to sort through. For now, I suggest you leave both it and Spybot uninstalled as we attempt to run some of our tools.

 

 

However, if I cancel out of this Smart Web printing install via task manager, I lose my desktop and taskbar.  Nothing but a big blank green screen (my default background color).  Computer is still functioning underneath the blank screen.

Are you able to boot to Safe Mode without this happening? If so, go ahead and run ComboFix there.


Hey D-Fred:  Got my desktop back.  The problem has to do with registry changes that were made when uninstalling norton that affect HP Printer Digital Imaging software.  There is all kinds of documentation on the web, (I'm not thrilled surfing naked, but I'm only going to google and MS or HP web domains).  Seems there are now "autoruns" getting turned on and looking to install components of the HP printing suite.  I am in the process of uninstalling them piece by piece.  Got rid of the main culprit which was a BHO called Smart Web Printing and it crashed the desktop for some reason.  These are several of the sources I've found documenting all this BS.  Amazing that hundreds (thousands? millions?) of other Windows users have seen this same thing at different times especially after using a registry cleaner app, which inadvertently mixes up HP installs.  Maybe HP is writing sloppy code?

 

http://h30434.www3.hp.com/t5/Printer-All-in-One-Install-Setup-e-g-Windows-8/SmartWebPrinting-msi/td-p/228523/page/5

 

http://answers.microsoft.com/en-us/windows/forum/windows_7-performance/program-called-trayapp-is-trying-to-install-on-my/e5c54757-da47-e011-90b6-1cc1de79d2e2?msgId=2b0e7297-1a51-e011-8dfc-68b599b31bf5

 

 

I may decide to install this item below from sysinternals at microsoft which is an app that shows you everything that wants to start at bootup, and it gives you the option to uncheck many, so some people in my shoes have used this as a workaround to stop these HP installer windows popping up all the time.  Just uncheck the offending autoruns.  But I'd prefer not to do any new installs now in the middle of analyzing my whole system.  (I'm sure you agree).

 

http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx

 

 

I'd rather remove the offending software and re-install it clean, and I have found my HP install CD but the thing is about 2 years old already, so hopefully it works if I get all the latest software uninstalled.  I actually spent a long 8 hour night on the phone with HP support recently when my printer stopped printing correctly.  The problem started with only the black cartridge not printing, but 3 cartridge changes later, still no black.  I decided to do some testing and I noticed the black ink did print (along with the other 3 colors) in certain programs such as acrobat, but not in photoshop or others.  They were going to ship me a new printhead but I told them no way, it had to be software or firmware related.  When I tried to reinstall using the latest HP software download from their site, it would get all the way to the end and pop up "fatal error -the software install cannot be completed". 

 

Even though they claim the entire software package was XP compatible, the answer from the tech people in India was "sorry, it won't work with XP all the time, you need to upgrade to win7 to use that printer".  WTF? It all worked fine the day before and either it's compatible or not, don't tell me the printer won't work with XP when it did for 2 years.  Just get me a download from an earlier version (like on my CD which I finally found the other day).  Even with this "fatal error", it started printing fine again and I just tested it now and it still works, so all I really need to keep is the basic driver going, not all the ink monitoring and other functions they jam into the package which have not worked for a few weeks already.  This is why I am so hesitant to dump XP and move into a new 64 bit world.  I've got better things to do than spend all day sorting out incompatibilities like this which will come in droves once I try to move everything that now works fine (and was built for 32 bit systems) onto a new OS.  If I had an IT guy like you as a neighbor, maybe I'd be less hesitant.  If everything now prints, I can distill PDFs, upload work files at home, etc. right now, why jump into win7 or 8 ? 

 

Enough of my rant, it's real late here and I'll try combofix again, maybe tomorrow.  At least my stress is down now that I have a desktop and everything other than my HP printer add-ons is working, plus those hooks all disappeared.  So I think I'm close to clean (and now knowing more about norton hooks), I don't feel like I had a severe hack going on behind my back.  I'll post again when I get combofix done, but if it does not run even in Safe mode, then there still is some registry issue there too and hopefully not malware blocking it.  Since it ran fine the other day, I'm starting to think spybot or norton reacted to it, made some changes to my system and that's why I could not get a second run to work at all.  I'll be in touch. Thanks for watching out for me the night before a holiday.


Happy 4th of July.   No luck getting combofix to run in safe mode on computer with no AV or spybot.  Still gets through all 50 stages and then completes this step: "deleting folders: c:\documents and settings\all users\application data\temp".

The command prompt cursor is blinking below this line, so I guess it means combofix is able to delete this first folder but go no further.

 

Any idea what the next folder to delete would be?  Maybe that would give us an idea of where the problem lies.  I think this has to do with spybot locking a registry key or something after it warned me of changes made by the first successful completion of combofix that went through my machine with no problems when we first started working together.  Spybot is no longer installed, but maybe the changes it made or blocked were left in my registry?  I wish I wrote down each warning it gave me on that boot up after combofix ran, as I recall denying it to change my default search and home page which would have only been affecting IE8.  But maybe I denied something else important, and there are no logs that would tell us which registry keys or changes were of concern to spybot.

 

What do you suggest we do now?  Thanks.


 

Happy 4th of July.

Thanks! And likewise. :)

 

I think I know what the problem may be...

 

Please download ATF Cleaner

Save it to your Desktop.

  • Double-click ATF-Cleaner.exe to run the program.
  • Click Select All found at the bottom of the list.
  • Click the Empty Selected button.

If you use Firefox browser, do this also:

  • Click Firefox at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser, do this also:

  • Click Opera at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE: : If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

 

------------

 

After that, try running ComboFix again. Let me know how things go.


Hello again.  Sorry, no fireworks here.  Ran ATFcleaner as instructed, then I downloaded a fresh combofix file, renamed it cheese.txt and ran it in safe mode.  Combofix still hangs at the same spot.  (Unless I had to download combofix before running ATFcleaner?)

 

I did notice that combofix did ask me to accept their usage agreement at the first menu, which I had not seen in the last few attempts.  That step has been bypassed recently and combofix would just dive right into its scanning.  So ATFcleaner did unload some temporary file that gave combofix the impression I had already agreed to the use of their tool.   I guess that ATFcleaner did have some effect, but not quite what we needed.  Let me know what the next steps should be.  Thanks.


For now, let's move on:

----------Step 1----------------
Please download AdwCleaner by Xplode onto your desktop.

  • Double click on AdwCleaner.exe to run the tool.
  • Click on Search.
  • A logfile will automatically open after the scan has finished.
  • Please post the contents of that logfile with your next reply.
  • You can find the logfile at C:\AdwCleaner[R1].txt as well.

----------Step 2----------------
We need to create a New FULL OTL Report

  • Please download OTL from here if you have not done so already:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Change the "Extra Registry" option to "SafeList"
  • Push the Run Scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extras.txt <-- Will be minimized

----------Step 3 (note: this scan may take a little time)----------------
I'd like us to scan your machine with ESET OnlineScan

  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the ESET Online Scanner button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on ESET Smart Installer to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the ESET Smart Installer icon on your desktop.
  • Check "YES, I accept the Terms of Use".
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Check "Scan archives".
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push "List of found threats".
  • Push "Export to text file", and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Back button.
  • Push Finish.

A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt


----------Step 4----------------
Please post the AdwCleaner logfile, the OTL.txt and Extras.txt, and the ESET online scan log in your next reply.

Let me know how things go.
