
Infection that disables MalwareBytes and redirects search results



Hello,

I'm having issues that are similar to several posts I've seen on this forum. The problems started Thursday 10/20, but I knew I was going to be away from my computer all weekend so I haven't posted until today.

The main symptom is disabling MalwareBytes. I was able to update and start running MalwareBytes after I first noticed the infection (based on the other symptoms described below), but about 5 seconds into the search the program abruptly closed. Trying to reopen the program resulted in the message "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item". I tried to uninstall and reinstall MalwareBytes, in regular mode as well as in safe mode, and the same thing happens.

I have noticed a few other symptoms as well. First, search engine results are being redirected to spam websites - in both Firefox and IE any search (I tested google.com, yahoo.com, and ask.com) will get rerouted with domains like "uncommonsearchsystems" and "get-answers-fast". Second, there are occasionally many processes for svchost.exe shown in the Task Manager, with unusually high memory and CPU use. Third, there is sometimes a process shown in the Task Manager for "3230243669.exe" that I never noticed before this infection began. For this process memory usage is on the order of ~100k and CPU usage is always 0%.

I downloaded and ran DDS - the contents of DDS.txt are copied at the end of this post.

Thank you in advance for your time!

Kyle

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 8.0.7601.17514 BrowserJavaVersion: 1.6.0_23

Run by KAdams at 14:01:06 on 2011-10-24

Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.3572.2354 [GMT -4:00]

.

AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {9FF26384-70D4-CE6B-3ECB-E759A6A40116}

AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}

SP: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}

SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

SP: Lavasoft Ad-Watch Live! *Disabled/Updated* {24938260-56EE-C1E5-047B-DC2BDD234BAB}

.

============== Running Processes ===============

.

C:\Users\KYLEAD~1\Desktop\SECURI~1\AVG\AVG10~1\avgchsvx.exe

C:\Users\KYLEAD~1\Desktop\SECURI~1\AVG\AVG10~1\avgrsx.exe

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k GPSvcGroup

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Windows\System32\svchost.exe -k HPZ12

C:\Windows\System32\svchost.exe -k HPZ12

c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe

C:\Windows\system32\SearchIndexer.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Windows\system32\taskhost.exe

C:\Program Files\IDT\WDM\sttray.exe

C:\Program Files\DellTPad\Apoint.exe

C:\Windows\System32\rundll32.exe

C:\Program Files\Microsoft IntelliType Pro\itype.exe

C:\Program Files\Common Files\SolidWorks Installation Manager\BackgroundDownloading\sldBgDwld.exe

C:\Program Files\3Dconnexion\3Dconnexion 3DxSoftware\3DxWare\3dxsrv.exe

C:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe

C:\Program Files\DellTPad\ApMsgFwd.exe

C:\Program Files\DellTPad\Apntex.exe

C:\Windows\system32\conhost.exe

C:\Program Files\DellTPad\HidFind.exe

C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Mozilla Firefox\plugin-container.exe

C:\Windows\system32\conhost.exe

C:\Windows\system32\wbem\wmiprvse.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://companyweb/Lists/Calendar/calendar.aspx

uDefault_Page_URL = hxxp://companyweb/Lists/Calendar/calendar.aspx

uWinlogon: Shell=c:\users\kyle adams\appdata\local\3f7664aa\X

BHO: {1857CD64-8612-440C-A698-AC8FFE7B91C3} - No File

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\users\kyle adams\desktop\security software\avg\avg 10\avgssie.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

mRun: [sysTrayApp] c:\program files\idt\wdm\sttray.exe

mRun: [Apoint] c:\program files\delltpad\Apoint.exe

mRun: [nwiz] nwiz.exe /install

mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup

mRun: [NVHotkey] rundll32.exe c:\windows\system32\nvHotkey.dll,Start

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [AVG_TRAY] c:\users\kyle adams\desktop\security software\avg\avg 10\avgtray.exe

mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"

StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\solidw~1.lnk - c:\program files\common files\solidworks installation manager\backgrounddownloading\sldBgDwld.exe

StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\start3~1.lnk - c:\program files\3dconnexion\3dconnexion 3dxsoftware\3dxware\3dxsrv.exe

uPolicies-explorer: HideSCAHealth = 1 (0x1)

mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)

mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)

mPolicies-system: EnableLUA = 0 (0x0)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

mPolicies-system: PromptOnSecureDesktop = 0 (0x0)

mPolicies-system: RunStartupScriptSync = 1 (0x1)

IE: E&xport to Microsoft Excel - c:\progra~1\micros~1\office12\EXCEL.EXE/3000

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~1\office12\REFIEBAR.DLL

LSP: mswsock.dll

DPF: {254AA86E-5655-4518-AA87-185D7CC41801} - hxxps://secure.logmeinrescue.com/TechConsole/x86/RescueControl.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

TCP: DhcpNameServer = 192.168.54.2

TCP: Interfaces\{DEBF5928-6914-4F91-B09D-8C328D3B2739} : DhcpNameServer = 192.168.54.2

TCP: Interfaces\{DEBF5928-6914-4F91-B09D-8C328D3B2739}\14175716D4F6E6B65697D27657563747 : DhcpNameServer = 192.168.0.1

TCP: Interfaces\{DEBF5928-6914-4F91-B09D-8C328D3B2739}\44963736F667562797145747F6D27657563747 : DhcpNameServer = 66.133.170.2 66.133.150.12

TCP: Interfaces\{DEBF5928-6914-4F91-B09D-8C328D3B2739}\4596E697C496F6E6D27657563747 : DhcpNameServer = 209.18.47.61 209.18.47.62 192.168.33.1

TCP: Interfaces\{DEBF5928-6914-4F91-B09D-8C328D3B2739}\7596E64675966496 : DhcpNameServer = 192.168.54.2

TCP: Interfaces\{DEBF5928-6914-4F91-B09D-8C328D3B2739}\7596E6467596649623 : DhcpNameServer = 192.168.54.2

TCP: Interfaces\{DEBF5928-6914-4F91-B09D-8C328D3B2739}\C696E6B6379737 : DhcpNameServer = 209.18.47.61 209.18.47.62

TCP: Interfaces\{FEA40BB8-70DC-4879-AF81-DED0FC91964E} : DhcpNameServer = 192.168.54.2

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\users\kyle adams\desktop\security software\avg\avg 10\avgpp.dll

Hosts: 127.0.0.1 www.spywareinfo.com

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\users\kyle adams\appdata\roaming\mozilla\firefox\profiles\8hg77bc1.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

FF - component: c:\users\kyle adams\desktop\security software\avg\avg 10\firefox4\components\avgssff4.dll

FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll

.

---- FIREFOX POLICIES ----

FF - user.js: network.cookie.cookieBehavior - 0

FF - user.js: privacy.clearOnShutdown.cookies - false

FF - user.js: security.warn_viewing_mixed - false

FF - user.js: security.warn_viewing_mixed.show_once - false

FF - user.js: security.warn_submit_insecure - false

FF - user.js: security.warn_submit_insecure.show_once - false

.

============= SERVICES / DRIVERS ===============

.

R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2011-2-22 22992]

R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2011-3-16 32592]

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-7-9 64288]

R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2011-1-7 248656]

R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-3-1 34896]

R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2011-4-5 297168]

R1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\drivers\vwififlt.sys [2009-7-13 48128]

R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2011-5-27 134480]

R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2011-2-10 24144]

R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2011-2-10 21968]

R3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\drivers\e1y6232.sys [2009-6-13 221912]

R3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\drivers\vwifimp.sys [2009-7-13 14336]

S2 AVGIDSAgent;AVGIDSAgent;c:\users\kyle adams\desktop\security software\avg\avg 10\identity protection\agent\bin\AVGIDSAgent.exe [2011-8-18 7390560]

S2 avgwd;AVG WatchDog;c:\users\kyle adams\desktop\security software\avg\avg 10\avgwdsvc.exe [2011-2-8 269520]

S2 NVIDIA Performance Driver Service;NVIDIA Performance Driver Service;"c:\program files\nvidia corporation\performance drivers\nvpdsvc.exe" --> c:\program files\nvidia corporation\performance drivers\nvPDsvc.exe [?]

S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]

S3 CoordinatorServiceHost;SW Distributed TS Coordinator Service;c:\program files\solidworks corp\solidworks\swscheduler\DTSCoordinatorService.exe [2011-10-1 89160]

S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;"c:\program files\lavasoft\ad-aware\aawservice.exe" --> c:\program files\lavasoft\ad-aware\AAWService.exe [?]

S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2010-8-12 15232]

S3 silabenm;Silicon Labs CP210x USB to UART Bridge Serial Port Enumerator Driver;c:\windows\system32\drivers\silabenm.sys [2010-2-2 43520]

S3 silabser;Silicon Labs CP210x USB to UART Bridge Driver;c:\windows\system32\drivers\silabser.sys [2010-2-16 63488]

S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]

S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-3-11 52224]

S3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\drivers\WSDPrint.sys [2009-7-13 17920]

S4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\microsoft visual studio 8\common7\ide\remote debugger\x86\msvsmon.exe [2005-9-23 2799808]

.

=============== Created Last 30 ================

.

2011-10-24 13:49:42 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-10-20 23:19:16 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2011-10-20 15:07:36 -------- d-sh--w- c:\users\kyle adams\appdata\local\3f7664aa

2011-10-12 20:47:37 75776 ----a-w- c:\windows\system32\psisrndr.ax

2011-10-12 20:47:37 465408 ----a-w- c:\windows\system32\psisdecd.dll

2011-10-12 20:47:27 571904 ----a-w- c:\windows\system32\oleaut32.dll

2011-10-12 20:47:27 233472 ----a-w- c:\windows\system32\oleacc.dll

2011-10-12 20:47:02 2334720 ----a-w- c:\windows\system32\win32k.sys

2011-10-12 20:46:06 1638912 ----a-w- c:\windows\system32\mshtml.tlb

2011-10-12 20:45:59 981504 ----a-w- c:\windows\system32\wininet.dll

2011-10-12 20:45:59 163328 ----a-w- c:\program files\internet explorer\ieproxy.dll

2011-10-12 20:45:55 860672 ----a-w- c:\program files\internet explorer\iedvtool.dll

2011-10-01 11:59:26 308296 ----a-w- c:\windows\system32\SRACAVIControl.ocx

.

==================== Find3M ====================

.

2011-10-20 18:29:21 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

.

============= FINISH: 14:01:56.43 ===============



Whether you wish to continue with cleaning or not, you should be aware that you may have been infected by a backdoor trojan. This type of program has the ability to steal passwords and other information from your system. If you are using your computer for sensitive purposes such as internet banking then I recommend you take the following steps immediately:

  • Use another, uninfected computer to change all your internet passwords, especially ones with financial implications such as banks, PayPal, eBay, etc. You should also change the passwords for any other site you use.
  • Call your bank(s), credit card company or any other institution which may be affected and advise them that your login/password or credit card information may have been stolen and ask what steps to take with regard to your account.
  • Consider what other private information could possibly have been taken from your computer and take appropriate steps.
  • Removing this infection can also disable the ability to connect to the internet.

This infection can almost certainly be cleaned, but as the malware could be configured to run any program a remote attacker requires, it will be impossible to be 100% sure that the machine is clean. If this is unacceptable to you, then you should consider reformatting the system partition and reinstalling Windows, as this is the only 100% sure answer.

Please post back to let me know how you wish to proceed.


First I want you to create a new restore point.

To create a restore point for Windows 7: Start / Control Panel / System / System Protection. At the bottom of the screen the last button on the right says Create. Click it and it will ask you to enter a restore point description for the restore.

Let me know when that's done.


Next:

Note: if the Cure option is not there, please select 'Skip'.

Please read carefully and follow these steps.

  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please post the contents of the TDSSKiller log.

Also please describe how your computer behaves at the moment.

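As an added example (not part of this thread, and not code from DDS or from Kaspersky's TDSSKiller), here is a small Python triage script for the two log formats quoted in this thread: the "Pseudo HJT Report" and "Created Last 30" sections of the DDS log in the first post, and the TDSSKiller log requested above. The regular expressions are modelled on the lines as they appear in this thread, the sample inputs are constructed from those lines, and the function names `triage_dds`, `triage_tdsskiller` and `correlate` are my own.

```python
"""Triage helper for the two log formats quoted in this thread.

Added example, not part of the forum thread and not code from DDS or from
Kaspersky's TDSSKiller. Line patterns are modelled on the logs pasted in
the thread; the sample inputs are constructed from lines in those logs.
"""
import re

# --- DDS: "Pseudo HJT Report" and "Created Last 30" lines ---------------------
# Winlogon Shell should be explorer.exe; any other value is a persistence hook.
_WINLOGON_SHELL = re.compile(r"^uWinlogon:\s*Shell=(.+)$", re.I)
# DDS prints UAC policy values as "Name = 0 (0x0)".
_POLICY = re.compile(r"^mPolicies-system:\s*(\w+)\s*=\s*(\d+)", re.I)
# EnableLUA=0 turns UAC off; ConsentPromptBehaviorAdmin=0 elevates without a prompt.
UAC_WEAK = {("EnableLUA", "0"), ("ConsentPromptBehaviorAdmin", "0")}
# Browser helper objects whose DLL is missing.
_BHO_NOFILE = re.compile(r"^BHO:\s*(\{[0-9A-F-]+\})\s*-\s*No File", re.I)
# hosts-file overrides: "Hosts: <ip> <hostname>".
_HOSTS = re.compile(r"^Hosts:\s*(\S+)\s+(\S+)", re.I)
# Recently created directories carrying the hidden+system attributes "d-sh--w-".
_HIDDEN_DIR = re.compile(r"^\d{4}-\d{2}-\d{2} \S+ \S+\s+d-sh--w-\s+(.+)$", re.I)


def triage_dds(text):
    """Return (check, value) pairs for the DDS lines a responder reads first."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := _WINLOGON_SHELL.match(line):
            shell = m.group(1).strip()
            if shell.lower() != "explorer.exe":
                findings.append(("winlogon-shell", shell))
        elif m := _POLICY.match(line):
            if (m.group(1), m.group(2)) in UAC_WEAK:
                findings.append(("uac-weakened", f"{m.group(1)}={m.group(2)}"))
        elif m := _BHO_NOFILE.match(line):
            findings.append(("bho-missing-file", m.group(1)))
        elif m := _HOSTS.match(line):
            findings.append(("hosts-override", f"{m.group(2)} -> {m.group(1)}"))
        elif m := _HIDDEN_DIR.match(line):
            findings.append(("hidden-system-dir", m.group(1).strip()))
    return findings


# --- TDSSKiller: the lines that are not "- ok" ---------------------------------
# "<time> <pid> Suspicious file (<flag>): <path>. md5: <hash>"
_TK_SUSPICIOUS = re.compile(
    r"^\S+\s+\d+\s+Suspicious file \(([^)]*)\):\s*(.+?)\. md5:\s*([0-9a-f]{32})", re.I)
# "<time> <pid> <service> ( <verdict> ) - infected"
_TK_INFECTED = re.compile(r"^\S+\s+\d+\s+(\S+)\s+\(\s*(\S+)\s*\)\s*-\s*infected", re.I)


def triage_tdsskiller(text):
    """Return one dict per TDSSKiller detection (suspicious file or infected service)."""
    detections = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := _TK_SUSPICIOUS.match(line):
            path = m.group(2)
            detections.append({
                "kind": "suspicious", "flag": m.group(1), "path": path, "md5": m.group(3).lower(),
                # A colon inside the file name component means an NTFS alternate data stream.
                "ads": ":" in path.rsplit("\\", 1)[-1],
            })
        elif m := _TK_INFECTED.match(line):
            detections.append({"kind": "infected", "service": m.group(1), "verdict": m.group(2)})
    return detections


def correlate(findings, detections):
    """Names that appear both as a DDS path component and as an infected service."""
    names = {d["service"].lower() for d in detections if d["kind"] == "infected"}
    hits = set()
    for _check, value in findings:
        hits.update(part for part in re.split(r"[\\/]", value.lower()) if part in names)
    return sorted(hits)


# Constructed sample inputs, taken from lines in the logs pasted in this thread.
SAMPLE_DDS = r"""
uWinlogon: Shell=c:\users\kyle adams\appdata\local\3f7664aa\X
BHO: {1857CD64-8612-440C-A698-AC8FFE7B91C3} - No File
mRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: RunStartupScriptSync = 1 (0x1)
Hosts: 127.0.0.1 www.spywareinfo.com
2011-10-20 15:07:36 -------- d-sh--w- c:\users\kyle adams\appdata\local\3f7664aa
2011-10-12 20:47:27 571904 ----a-w- c:\windows\system32\oleaut32.dll
"""

SAMPLE_TDSS = r"""
14:00:14.0106 1580 1394ohci (1b133875b8aa8ac48969bd3458afe9f5) C:\Windows\system32\DRIVERS\1394ohci.sys
14:00:14.0111 1580 1394ohci - ok
14:00:14.0183 1580 Suspicious file (Hidden): C:\Windows\2858710591:3230243669.exe. md5: 8f2bb1827cac01aee6a16e30a1260199
14:00:14.0184 1580 3f7664aa ( Rootkit.Win32.PMax.gen ) - infected
14:00:15.0686 1580 Avgtdix ( Rootkit.Win32.ZAccess.g ) - infected
"""

if __name__ == "__main__":
    dds = triage_dds(SAMPLE_DDS)
    tk = triage_tdsskiller(SAMPLE_TDSS)
    for check, value in dds:
        print(f"DDS  {check:18} {value}")
    for d in tk:
        print(f"TDSS {d}")
    print("shared names:", correlate(dds, tk))
```

Run on the samples, the script ties the hidden appdata directory named in the Winlogon Shell value to the TDSSKiller service of the same name, flags the colon in the suspicious file name as an alternate data stream (which is why that path does not look like an ordinary file), and shows the UAC policy values that leave the machine unable to prompt on elevation. It also surfaces that a legitimate AV driver (Avgtdix) was flagged as infected, the case in which TDSSKiller's default Cure action, which restores the file rather than deleting it, is the right one.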

TDSSKiller found two items; by default it deleted one and cured the second. The log is copied below.

The computer seems to be behaving better at this point. Search engine redirects are gone as far as I can tell. I haven't checked MBAM functionality because I didn't want to interfere with the cleaning process. The runaway svchost problem that I described in my initial post was always intermittent and typically acted up after the computer had been on for a couple of hours - I have not seen anything like that yet, but I will monitor it and report if it happens again.

14:00:04.0225 3084 TDSS rootkit removing tool 2.6.14.0 Oct 28 2011 11:11:01

14:00:04.0418 3084 ============================================================

14:00:04.0418 3084 Current date / time: 2011/10/29 14:00:04.0418

14:00:04.0418 3084 SystemInfo:

14:00:04.0418 3084

14:00:04.0419 3084 OS Version: 6.1.7601 ServicePack: 1.0

14:00:04.0419 3084 Product type: Workstation

14:00:04.0419 3084 ComputerName: WT-KADAMS

14:00:04.0419 3084 UserName: KAdams

14:00:04.0419 3084 Windows directory: C:\Windows

14:00:04.0420 3084 System windows directory: C:\Windows

14:00:04.0420 3084 Processor architecture: Intel x86

14:00:04.0420 3084 Number of processors: 2

14:00:04.0420 3084 Page size: 0x1000

14:00:04.0420 3084 Boot type: Normal boot

14:00:04.0420 3084 ============================================================

14:00:05.0608 3084 Initialize success

14:00:13.0076 1580 ============================================================

14:00:13.0076 1580 Scan started

14:00:13.0076 1580 Mode: Manual;

14:00:13.0076 1580 ============================================================

14:00:14.0106 1580 1394ohci (1b133875b8aa8ac48969bd3458afe9f5) C:\Windows\system32\DRIVERS\1394ohci.sys

14:00:14.0111 1580 1394ohci - ok

14:00:14.0182 1580 3f7664aa (8f2bb1827cac01aee6a16e30a1260199) C:\Windows\2858710591:3230243669.exe

14:00:14.0183 1580 Suspicious file (Hidden): C:\Windows\2858710591:3230243669.exe. md5: 8f2bb1827cac01aee6a16e30a1260199

14:00:14.0184 1580 3f7664aa ( Rootkit.Win32.PMax.gen ) - infected

14:00:14.0184 1580 3f7664aa - detected Rootkit.Win32.PMax.gen (0)

14:00:14.0225 1580 ACPI (cea80c80bed809aa0da6febc04733349) C:\Windows\system32\drivers\ACPI.sys

14:00:14.0232 1580 ACPI - ok

14:00:14.0250 1580 AcpiPmi (1efbc664abff416d1d07db115dcb264f) C:\Windows\system32\drivers\acpipmi.sys

14:00:14.0254 1580 AcpiPmi - ok

14:00:14.0304 1580 adp94xx (21e785ebd7dc90a06391141aac7892fb) C:\Windows\system32\DRIVERS\adp94xx.sys

14:00:14.0316 1580 adp94xx - ok

14:00:14.0398 1580 adpahci (0c676bc278d5b59ff5abd57bbe9123f2) C:\Windows\system32\DRIVERS\adpahci.sys

14:00:14.0407 1580 adpahci - ok

14:00:14.0435 1580 adpu320 (7c7b5ee4b7b822ec85321fe23a27db33) C:\Windows\system32\DRIVERS\adpu320.sys

14:00:14.0438 1580 adpu320 - ok

14:00:14.0506 1580 AFD (9ebbba55060f786f0fcaa3893bfa2806) C:\Windows\system32\drivers\afd.sys

14:00:14.0514 1580 AFD - ok

14:00:14.0561 1580 agp440 (507812c3054c21cef746b6ee3d04dd6e) C:\Windows\system32\drivers\agp440.sys

14:00:14.0565 1580 agp440 - ok

14:00:14.0609 1580 aic78xx (8b30250d573a8f6b4bd23195160d8707) C:\Windows\system32\DRIVERS\djsvs.sys

14:00:14.0613 1580 aic78xx - ok

14:00:14.0714 1580 aliide (0d40bcf52ea90fc7df2aeab6503dea44) C:\Windows\system32\drivers\aliide.sys

14:00:14.0717 1580 aliide - ok

14:00:14.0748 1580 amdagp (3c6600a0696e90a463771c7422e23ab5) C:\Windows\system32\drivers\amdagp.sys

14:00:14.0751 1580 amdagp - ok

14:00:14.0767 1580 amdide (cd5914170297126b6266860198d1d4f0) C:\Windows\system32\drivers\amdide.sys

14:00:14.0771 1580 amdide - ok

14:00:14.0788 1580 AmdK8 (00dda200d71bac534bf56a9db5dfd666) C:\Windows\system32\DRIVERS\amdk8.sys

14:00:14.0791 1580 AmdK8 - ok

14:00:14.0811 1580 AmdPPM (3cbf30f5370fda40dd3e87df38ea53b6) C:\Windows\system32\DRIVERS\amdppm.sys

14:00:14.0813 1580 AmdPPM - ok

14:00:14.0837 1580 amdsata (e7f4d42d8076ec60e21715cd11743a0d) C:\Windows\system32\drivers\amdsata.sys

14:00:14.0840 1580 amdsata - ok

14:00:14.0879 1580 amdsbs (ea43af0c423ff267355f74e7a53bdaba) C:\Windows\system32\DRIVERS\amdsbs.sys

14:00:14.0885 1580 amdsbs - ok

14:00:14.0927 1580 amdxata (146459d2b08bfdcbfa856d9947043c81) C:\Windows\system32\drivers\amdxata.sys

14:00:14.0931 1580 amdxata - ok

14:00:14.0984 1580 ApfiltrService (f45f2965c43cecfbd04b0d1674643522) C:\Windows\system32\DRIVERS\Apfiltr.sys

14:00:14.0991 1580 ApfiltrService - ok

14:00:15.0091 1580 AppID (aea177f783e20150ace5383ee368da19) C:\Windows\system32\drivers\appid.sys

14:00:15.0096 1580 AppID - ok

14:00:15.0152 1580 arc (2932004f49677bd84dbc72edb754ffb3) C:\Windows\system32\DRIVERS\arc.sys

14:00:15.0156 1580 arc - ok

14:00:15.0172 1580 arcsas (5d6f36c46fd283ae1b57bd2e9feb0bc7) C:\Windows\system32\DRIVERS\arcsas.sys

14:00:15.0177 1580 arcsas - ok

14:00:15.0210 1580 AsyncMac (add2ade1c2b285ab8378d2daaf991481) C:\Windows\system32\DRIVERS\asyncmac.sys

14:00:15.0213 1580 AsyncMac - ok

14:00:15.0243 1580 atapi (338c86357871c167a96ab976519bf59e) C:\Windows\system32\drivers\atapi.sys

14:00:15.0246 1580 atapi - ok

14:00:15.0319 1580 AVGIDSDriver (b9acb889ba1e0561868c025f95d63e25) C:\Windows\system32\DRIVERS\AVGIDSDriver.Sys

14:00:15.0325 1580 AVGIDSDriver - ok

14:00:15.0412 1580 AVGIDSEH (13256fc72fa5b3f6d6e8c5957e579b7c) C:\Windows\system32\DRIVERS\AVGIDSEH.Sys

14:00:15.0415 1580 AVGIDSEH - ok

14:00:15.0431 1580 AVGIDSFilter (fa0685cc51de5cfd804e7deaa6488e0e) C:\Windows\system32\DRIVERS\AVGIDSFilter.Sys

14:00:15.0435 1580 AVGIDSFilter - ok

14:00:15.0478 1580 AVGIDSShim (f788b51100d0f40ea176798cce954a1a) C:\Windows\system32\DRIVERS\AVGIDSShim.Sys

14:00:15.0481 1580 AVGIDSShim - ok

14:00:15.0538 1580 Avgldx86 (4e796d3d2c3182b13b3e3b5a2ad4ef0a) C:\Windows\system32\DRIVERS\avgldx86.sys

14:00:15.0546 1580 Avgldx86 - ok

14:00:15.0576 1580 Avgmfx86 (5639de66b37d02bd22df4cf3155fba60) C:\Windows\system32\DRIVERS\avgmfx86.sys

14:00:15.0580 1580 Avgmfx86 - ok

14:00:15.0617 1580 Avgrkx86 (d1baf652eda0ae70896276a1fb32c2d4) C:\Windows\system32\DRIVERS\avgrkx86.sys

14:00:15.0621 1580 Avgrkx86 - ok

14:00:15.0657 1580 Avgtdix (1a46936ef651154eb89b54a1d59f8403) C:\Windows\system32\DRIVERS\avgtdix.sys

14:00:15.0686 1580 Avgtdix ( Rootkit.Win32.ZAccess.g ) - infected

14:00:15.0687 1580 Avgtdix - detected Rootkit.Win32.ZAccess.g (0)

14:00:15.0793 1580 b06bdrv (1a231abec60fd316ec54c66715543cec) C:\Windows\system32\DRIVERS\bxvbdx.sys

14:00:15.0806 1580 b06bdrv - ok

14:00:15.0854 1580 b57nd60x (bd8869eb9cde6bbe4508d869929869ee) C:\Windows\system32\DRIVERS\b57nd60x.sys

14:00:15.0861 1580 b57nd60x - ok

14:00:15.0969 1580 BCM43XX (f9ce9b5e049efc66b8e6c73c18ee8438) C:\Windows\system32\DRIVERS\bcmwl6.sys

14:00:16.0024 1580 BCM43XX - ok

14:00:16.0112 1580 Beep (505506526a9d467307b3c393dedaf858) C:\Windows\system32\drivers\Beep.sys

14:00:16.0115 1580 Beep - ok

14:00:16.0147 1580 blbdrive (2287078ed48fcfc477b05b20cf38f36f) C:\Windows\system32\DRIVERS\blbdrive.sys

14:00:16.0150 1580 blbdrive - ok

14:00:16.0181 1580 bowser (8f2da3028d5fcbd1a060a3de64cd6506) C:\Windows\system32\DRIVERS\bowser.sys

14:00:16.0195 1580 bowser - ok

14:00:16.0222 1580 BrFiltLo (9f9acc7f7ccde8a15c282d3f88b43309) C:\Windows\system32\DRIVERS\BrFiltLo.sys

14:00:16.0225 1580 BrFiltLo - ok

14:00:16.0245 1580 BrFiltUp (56801ad62213a41f6497f96dee83755a) C:\Windows\system32\DRIVERS\BrFiltUp.sys

14:00:16.0249 1580 BrFiltUp - ok

14:00:16.0283 1580 Brserid (845b8ce732e67f3b4133164868c666ea) C:\Windows\System32\Drivers\Brserid.sys

14:00:16.0291 1580 Brserid - ok

14:00:16.0310 1580 BrSerWdm (203f0b1e73adadbbb7b7b1fabd901f6b) C:\Windows\System32\Drivers\BrSerWdm.sys

14:00:16.0315 1580 BrSerWdm - ok

14:00:16.0335 1580 BrUsbMdm (bd456606156ba17e60a04e18016ae54b) C:\Windows\System32\Drivers\BrUsbMdm.sys

14:00:16.0338 1580 BrUsbMdm - ok

14:00:16.0361 1580 BrUsbSer (af72ed54503f717a43268b3cc5faec2e) C:\Windows\System32\Drivers\BrUsbSer.sys

14:00:16.0364 1580 BrUsbSer - ok

14:00:16.0409 1580 BTHMODEM (ed3df7c56ce0084eb2034432fc56565a) C:\Windows\system32\DRIVERS\bthmodem.sys

14:00:16.0414 1580 BTHMODEM - ok

14:00:16.0538 1580 cdfs (77ea11b065e0a8ab902d78145ca51e10) C:\Windows\system32\DRIVERS\cdfs.sys

14:00:16.0543 1580 cdfs - ok

14:00:16.0609 1580 cdrom (be167ed0fdb9c1fa1133953c18d5a6c9) C:\Windows\system32\drivers\cdrom.sys

14:00:16.0615 1580 cdrom - ok

14:00:16.0685 1580 circlass (3fe3fe94a34df6fb06e6418d0f6a0060) C:\Windows\system32\DRIVERS\circlass.sys

14:00:16.0689 1580 circlass - ok

14:00:16.0748 1580 CLFS (635181e0e9bbf16871bf5380d71db02d) C:\Windows\system32\CLFS.sys

14:00:16.0754 1580 CLFS - ok

14:00:16.0792 1580 CmBatt (dea805815e587dad1dd2c502220b5616) C:\Windows\system32\DRIVERS\CmBatt.sys

14:00:16.0796 1580 CmBatt - ok

14:00:16.0894 1580 cmdide (c537b1db64d495b9b4717b4d6d9edbf2) C:\Windows\system32\drivers\cmdide.sys

14:00:16.0898 1580 cmdide - ok

14:00:16.0938 1580 CNG (1b675691ed940766149c93e8f4488d68) C:\Windows\system32\Drivers\cng.sys

14:00:16.0948 1580 CNG - ok

14:00:16.0985 1580 Compbatt (a6023d3823c37043986713f118a89bee) C:\Windows\system32\DRIVERS\compbatt.sys

14:00:16.0988 1580 Compbatt - ok

14:00:17.0036 1580 CompositeBus (cbe8c58a8579cfe5fccf809e6f114e89) C:\Windows\system32\drivers\CompositeBus.sys

14:00:17.0039 1580 CompositeBus - ok

14:00:17.0074 1580 crcdisk (2c4ebcfc84a9b44f209dff6c6e6c61d1) C:\Windows\system32\DRIVERS\crcdisk.sys

14:00:17.0078 1580 crcdisk - ok

14:00:17.0159 1580 CSC (3c2177a897b4ca2788c6fb0c3fd81d4b) C:\Windows\system32\drivers\csc.sys

14:00:17.0169 1580 CSC - ok

14:00:17.0274 1580 CVirtA (b5ecadf7708960f1818c7fa015f4c239) C:\Windows\system32\DRIVERS\CVirtA.sys

14:00:17.0277 1580 CVirtA - ok

14:00:17.0339 1580 dc3d (91c1736e77cff029302728b431d0eedb) C:\Windows\system32\DRIVERS\dc3d.sys

14:00:17.0344 1580 dc3d - ok

14:00:17.0395 1580 DfsC (f024449c97ec1e464aaffda18593db88) C:\Windows\system32\Drivers\dfsc.sys

14:00:17.0399 1580 DfsC - ok

14:00:17.0439 1580 discache (1a050b0274bfb3890703d490f330c0da) C:\Windows\system32\drivers\discache.sys

14:00:17.0442 1580 discache - ok

14:00:17.0482 1580 Disk (565003f326f99802e68ca78f2a68e9ff) C:\Windows\system32\DRIVERS\disk.sys

14:00:17.0486 1580 Disk - ok

14:00:17.0585 1580 DNE (86d52c32a308f84bbc626bff7c1fb710) C:\Windows\system32\DRIVERS\dne2000.sys

14:00:17.0590 1580 DNE - ok

14:00:17.0646 1580 drmkaud (b918e7c5f9bf77202f89e1a9539f2eb4) C:\Windows\system32\drivers\drmkaud.sys

14:00:17.0649 1580 drmkaud - ok

14:00:17.0712 1580 DXGKrnl (23f5d28378a160352ba8f817bd8c71cb) C:\Windows\System32\drivers\dxgkrnl.sys

14:00:17.0732 1580 DXGKrnl - ok

14:00:17.0774 1580 e1yexpress (44a91d98d6719b49bcd649a863225b5c) C:\Windows\system32\DRIVERS\e1y6232.sys

14:00:17.0781 1580 e1yexpress - ok

14:00:18.0029 1580 ebdrv (024e1b5cac09731e4d868e64dbfb4ab0) C:\Windows\system32\DRIVERS\evbdx.sys

14:00:18.0098 1580 ebdrv - ok

14:00:18.0369 1580 elxstor (0ed67910c8c326796faa00b2bf6d9d3c) C:\Windows\system32\DRIVERS\elxstor.sys

14:00:18.0382 1580 elxstor - ok

14:00:18.0437 1580 ErrDev (8fc3208352dd3912c94367a206ab3f11) C:\Windows\system32\drivers\errdev.sys

14:00:18.0441 1580 ErrDev - ok

14:00:18.0488 1580 exfat (2dc9108d74081149cc8b651d3a26207f) C:\Windows\system32\drivers\exfat.sys

14:00:18.0494 1580 exfat - ok

14:00:18.0522 1580 fastfat (7e0ab74553476622fb6ae36f73d97d35) C:\Windows\system32\drivers\fastfat.sys

14:00:18.0529 1580 fastfat - ok

14:00:18.0555 1580 fdc (e817a017f82df2a1f8cfdbda29388b29) C:\Windows\system32\DRIVERS\fdc.sys

14:00:18.0558 1580 fdc - ok

14:00:18.0657 1580 FileInfo (6cf00369c97f3cf563be99be983d13d8) C:\Windows\system32\drivers\fileinfo.sys

14:00:18.0661 1580 FileInfo - ok

14:00:18.0684 1580 Filetrace (42c51dc94c91da21cb9196eb64c45db9) C:\Windows\system32\drivers\filetrace.sys

14:00:18.0687 1580 Filetrace - ok

14:00:18.0713 1580 flpydisk (87907aa70cb3c56600f1c2fb8841579b) C:\Windows\system32\DRIVERS\flpydisk.sys

14:00:18.0717 1580 flpydisk - ok

14:00:18.0747 1580 FltMgr (7520ec808e0c35e0ee6f841294316653) C:\Windows\system32\drivers\fltmgr.sys

14:00:18.0754 1580 FltMgr - ok

14:00:18.0785 1580 FsDepends (1a16b57943853e598cff37fe2b8cbf1d) C:\Windows\system32\drivers\FsDepends.sys

14:00:18.0789 1580 FsDepends - ok

14:00:18.0809 1580 Fs_Rec (a574b4360e438977038aae4bf60d79a2) C:\Windows\system32\drivers\Fs_Rec.sys

14:00:18.0812 1580 Fs_Rec - ok

14:00:18.0860 1580 FTDIBUS (7c17235845d5ae3fb33ead47b5881521) C:\Windows\system32\drivers\ftdibus.sys

14:00:18.0865 1580 FTDIBUS - ok

14:00:18.0887 1580 FTSER2K (23220a4709cc5785f9633ba71416145c) C:\Windows\system32\drivers\ftser2k.sys

14:00:18.0891 1580 FTSER2K - ok

14:00:19.0005 1580 fvevol (8a73e79089b282100b9393b644cb853b) C:\Windows\system32\DRIVERS\fvevol.sys

14:00:19.0011 1580 fvevol - ok

14:00:19.0048 1580 gagp30kx (65ee0c7a58b65e74ae05637418153938) C:\Windows\system32\DRIVERS\gagp30kx.sys

14:00:19.0053 1580 gagp30kx - ok

14:00:19.0080 1580 hcw85cir (c44e3c2bab6837db337ddee7544736db) C:\Windows\system32\drivers\hcw85cir.sys

14:00:19.0084 1580 hcw85cir - ok

14:00:19.0154 1580 HdAudAddService (a5ef29d5315111c80a5c1abad14c8972) C:\Windows\system32\drivers\HdAudio.sys

14:00:19.0162 1580 HdAudAddService - ok

14:00:19.0194 1580 HDAudBus (9036377b8a6c15dc2eec53e489d159b5) C:\Windows\system32\drivers\HDAudBus.sys

14:00:19.0199 1580 HDAudBus - ok

14:00:19.0223 1580 HidBatt (1d58a7f3e11a9731d0eaaaa8405acc36) C:\Windows\system32\DRIVERS\HidBatt.sys

14:00:19.0227 1580 HidBatt - ok

14:00:19.0249 1580 HidBth (89448f40e6df260c206a193a4683ba78) C:\Windows\system32\DRIVERS\hidbth.sys

14:00:19.0254 1580 HidBth - ok


14:00:29.0376 1580 MBR (0x1B8) (a36c5e4f47e84449ff07ed3517b43a31) \Device\Harddisk0\DR0

14:00:29.0387 1580 \Device\Harddisk0\DR0 - ok

14:00:29.0390 1580 Boot (0x1200) (e137e03c88ec3adebdeb13675c781053) \Device\Harddisk0\DR0\Partition0

14:00:29.0391 1580 \Device\Harddisk0\DR0\Partition0 - ok

14:00:29.0392 1580 ============================================================

14:00:29.0392 1580 Scan finished

14:00:29.0392 1580 ============================================================

14:00:29.0402 0356 Detected object count: 2

14:00:29.0402 0356 Actual detected object count: 2

14:01:14.0141 0356 HKLM\SYSTEM\ControlSet001\services\3f7664aa - will be deleted on reboot

14:01:14.0186 0356 HKLM\SYSTEM\ControlSet002\services\3f7664aa - will be deleted on reboot

14:01:14.0196 0356 C:\Windows\2858710591:3230243669.exe - will be deleted on reboot

14:01:14.0196 0356 3f7664aa ( Rootkit.Win32.PMax.gen ) - User select action: Delete

14:01:14.0301 0356 VerifyFileNameVersionInfo: GetFileVersionInfoSizeW(C:\Windows\system32\drivers\avgtdix.sys) error 1813

14:01:16.0661 0356 Backup copy not found, trying to cure infected file..

14:01:16.0681 0356 Cure success, using it..

14:01:16.0719 0356 C:\Windows\system32\DRIVERS\avgtdix.sys - will be cured on reboot

14:01:16.0719 0356 Avgtdix ( Rootkit.Win32.ZAccess.g ) - User select action: Cure

14:01:28.0998 2464 Deinitialize success


I was able to update and run MBAM without issue; the log is below. It found two files and a registry value - does this mean that the infection is still active, or is it just cleaning out what's left of it?

Computer behavior is the same as I described in my last post: search redirects are still gone and there are still no runaway svchost processes.

Malwarebytes' Anti-Malware 1.51.2.1300

www.malwarebytes.org

Database version: 8042

Windows 6.1.7601 Service Pack 1

Internet Explorer 8.0.7601.17514

10/29/2011 4:30:06 PM

mbam-log-2011-10-29 (16-30-06).txt

Scan type: Full scan (C:\|)

Objects scanned: 322118

Time elapsed: 41 minute(s), 24 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 1

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Backdoor.Agent) -> Value: Shell -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\Users\kyle adams\AppData\Local\3f7664aa\X (Backdoor.0Access) -> Quarantined and deleted successfully.

c:\Users\kyle adams\AppData\LocalLow\Sun\Java\deployment\cache\6.0\1\3045b041-73cd6121 (Backdoor.0Access) -> Quarantined and deleted successfully.


Well I don't like that backdoor.

Please do not attach the scan results from ComboFix. Use copy/paste.

Vista and Windows 7 users:

1. These tools MUST be run from the executable (.exe) every time you run them.

2. With Admin Rights (Right click, choose "Run as Administrator")

Download ComboFix from one of these locations:

Link 1

Link 2 If using this link, Right Click and select Save As.

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : Protective Programs
  • Double click on ComboFix.exe & follow the prompts.
    Notes: Combofix will run without the Recovery Console installed. Skip the Recovery Console part if you're running Vista or Windows 7.
    Note: If you have XP SP3, use the XP SP2 package.
    If Vista or Windows 7, skip the Recovery Console part.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt using Copy / Paste in your next reply.

Notes:

1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.

3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.

4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Give it at least 20-30 minutes to finish if needed.

Please do not attach the scan results from ComboFix. Use copy/paste.

Also please describe how your computer behaves at the moment.


I turned off my AVG protection and ran ComboFix. A warning popped up that AVG antivirus and antispyware was still active, but when I went to disable it again ComboFix started running. Soon after, a warning popped up saying something about a rootkit in the TCP/IP stack, but that was quickly followed by a message that said rootkit activity was detected and a reboot was required. ComboFix automatically restarted the computer and ran on restart. It ran for about ten minutes and restarted the computer. When it started up again it said it was making the log report, which took about three minutes. The log opened automatically, but when I went to AVG to turn protection back on, I got the message "illegal operation attempted on a registry key that has been marked for deletion". I got the same message when I tried to open Firefox and IE, so I can no longer access the internet from the infected computer. Please see the log copied below and advise on what to do from here.

ComboFix 11-10-29.05 - KAdams 10/29/2011 17:01:09.1.2 - x86

Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.3572.2677 [GMT -4:00]

Running from: c:\users\Kyle Adams\Desktop\ComboFix.exe

AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}

AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {9FF26384-70D4-CE6B-3ECB-E759A6A40116}

SP: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}

SP: Lavasoft Ad-Watch Live! *Disabled/Updated* {24938260-56EE-C1E5-047B-DC2BDD234BAB}

SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

C:\feed.txt

c:\users\Kyle Adams\AppData\Local\Windows Server

c:\users\Kyle Adams\AppData\Local\Windows Server\flags.ini

c:\users\Kyle Adams\AppData\Local\Windows Server\uses32.dat

c:\windows\$NtUninstallKB42019$

c:\windows\$NtUninstallKB42019$\1064723626\@

c:\windows\$NtUninstallKB42019$\1064723626\L\xadqgnnk

c:\windows\$NtUninstallKB42019$\1064723626\loader.tlb

c:\windows\$NtUninstallKB42019$\1064723626\U\@00000001

c:\windows\$NtUninstallKB42019$\1064723626\U\@000000c0

c:\windows\$NtUninstallKB42019$\1064723626\U\@000000cb

c:\windows\$NtUninstallKB42019$\1064723626\U\@000000cf

c:\windows\$NtUninstallKB42019$\1064723626\U\@80000000

c:\windows\$NtUninstallKB42019$\1064723626\U\@800000c0

c:\windows\$NtUninstallKB42019$\1064723626\U\@800000cb

c:\windows\$NtUninstallKB42019$\1064723626\U\@800000cf

c:\windows\$NtUninstallKB42019$\4213635861

c:\windows\{2521BB91-29B1-4d7e-9137-AC9875D77735}

c:\windows\2858710591

c:\windows\Downloaded Program Files\x64

c:\windows\Downloaded Program Files\x64\racodec.ax

c:\windows\Downloaded Program Files\x86

c:\windows\Downloaded Program Files\x86\racodec.ax

c:\windows\system32\

c:\windows\system32\c_15126.nls

.

.

((((((((((((((((((((((((( Files Created from 2011-09-28 to 2011-10-29 )))))))))))))))))))))))))))))))

.

.

2011-10-29 21:06 . 2011-10-29 21:08 -------- d-----w- c:\users\Kyle Adams\AppData\Local\temp

2011-10-26 16:24 . 2011-08-31 21:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-10-20 15:07 . 2011-10-29 20:30 -------- d-sh--w- c:\users\Kyle Adams\AppData\Local\3f7664aa

2011-10-12 20:47 . 2011-08-17 04:24 465408 ----a-w- c:\windows\system32\psisdecd.dll

2011-10-12 20:47 . 2011-08-17 04:19 75776 ----a-w- c:\windows\system32\psisrndr.ax

2011-10-12 20:47 . 2011-08-27 04:26 571904 ----a-w- c:\windows\system32\oleaut32.dll

2011-10-12 20:47 . 2011-08-27 04:26 233472 ----a-w- c:\windows\system32\oleacc.dll

2011-10-12 20:47 . 2011-09-06 02:28 2334720 ----a-w- c:\windows\system32\win32k.sys

2011-10-12 20:46 . 2011-10-01 02:42 1638912 ----a-w- c:\windows\system32\mshtml.tlb

2011-10-12 20:45 . 2011-08-20 04:31 981504 ----a-w- c:\windows\system32\wininet.dll

2011-10-12 20:45 . 2011-08-20 04:26 163328 ----a-w- c:\program files\Internet Explorer\ieproxy.dll

2011-10-12 20:45 . 2011-08-20 04:26 860672 ----a-w- c:\program files\Internet Explorer\iedvtool.dll

2011-10-01 11:59 . 2011-10-01 11:59 308296 ----a-w- c:\windows\system32\SRACAVIControl.ocx

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-10-29 18:02 . 2011-04-05 04:59 297168 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2011-10-20 18:29 . 2011-05-17 13:24 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-08-30 11:31 . 2011-08-27 19:13 0 ----a-w- c:\users\Kyle Adams\AppData\Local\Mwivilexex.bin

2011-10-06 18:19 . 2011-05-07 16:26 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2009-06-29 458844]

"Apoint"="c:\program files\DellTPad\Apoint.exe" [2009-06-19 249856]

"nwiz"="nwiz.exe" [2009-06-11 1657376]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-06-16 13793824]

"NVHotkey"="c:\windows\system32\nvHotkey.dll" [2009-06-16 92704]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 37296]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]

"AVG_TRAY"="c:\users\Kyle Adams\Desktop\Security Software\AVG\AVG 10\avgtray.exe" [2011-09-10 2338656]

"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2010-07-21 1778064]

.

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

SolidWorks Background Downloader.lnk - c:\program files\Common Files\SolidWorks Installation Manager\BackgroundDownloading\sldBgDwld.exe [2011-10-17 1836104]

Start 3DxWare.lnk - c:\program files\3Dconnexion\3Dconnexion 3DxSoftware\3DxWare\3dxsrv.exe [2009-7-27 119296]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 0 (0x0)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableLUA"= 0 (0x0)

"EnableUIADesktopToggle"= 0 (0x0)

"PromptOnSecureDesktop"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ autocheck autochk *\0c:\users\KYLEAD~1\Desktop\SECURI~1\AVG\AVG10~1\avgchsvx.exe /sync\0c:\users\KYLEAD~1\Desktop\SECURI~1\AVG\AVG10~1\avgrsx.exe /sync /restart

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

.

R2 AVGIDSAgent;AVGIDSAgent;c:\users\Kyle Adams\Desktop\Security Software\AVG\AVG 10\Identity Protection\Agent\Bin\AVGIDSAgent.exe [2011-08-18 7390560]

R2 avgwd;AVG WatchDog;c:\users\Kyle Adams\Desktop\Security Software\AVG\AVG 10\avgwdsvc.exe [2011-10-20 269520]

R2 NVIDIA Performance Driver Service;NVIDIA Performance Driver Service;c:\program files\NVIDIA Corporation\Performance Drivers\nvPDsvc.exe [x]

R3 CoordinatorServiceHost;SW Distributed TS Coordinator Service;c:\program files\SolidWorks Corp\SolidWorks\swScheduler\DTSCoordinatorService.exe [2011-10-01 89160]

R3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\DRIVERS\dc3d.sys [2010-07-07 44432]

R3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [x]

R3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys [x]

R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [x]

R3 silabenm;Silicon Labs CP210x USB to UART Bridge Serial Port Enumerator Driver;c:\windows\system32\DRIVERS\silabenm.sys [2010-02-02 43520]

R3 silabser;Silicon Labs CP210x USB to UART Bridge Driver;c:\windows\system32\DRIVERS\silabser.sys [2010-02-17 63488]

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]

R3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\DRIVERS\WSDPrint.sys [2009-07-14 17920]

R4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [2005-09-23 2799808]

S0 AVGIDSEH;AVGIDSEH;c:\windows\system32\DRIVERS\AVGIDSEH.Sys [2011-02-22 22992]

S0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\DRIVERS\avgrkx86.sys [2011-03-16 32592]

S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2010-07-06 64288]

S1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\DRIVERS\avgldx86.sys [2011-01-07 248656]

S1 Avgtdix;AVG TDI Driver;c:\windows\system32\DRIVERS\avgtdix.sys [2011-10-29 297168]

S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]

S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\DRIVERS\AVGIDSDriver.Sys [2011-05-27 134480]

S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\DRIVERS\AVGIDSFilter.Sys [2011-02-10 24144]

S3 AVGIDSShim;AVGIDSShim;c:\windows\system32\DRIVERS\AVGIDSShim.Sys [2011-02-10 21968]

S3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\DRIVERS\e1y6232.sys [2009-06-13 221912]

S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-13 14336]

.

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

GPSvcGroup REG_MULTI_SZ GPSvc

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://companyweb/Lists/Calendar/calendar.aspx

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000

FF - ProfilePath - c:\users\Kyle Adams\AppData\Roaming\Mozilla\Firefox\Profiles\8hg77bc1.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

FF - user.js: network.cookie.cookieBehavior - 0

FF - user.js: privacy.clearOnShutdown.cookies - false

FF - user.js: security.warn_viewing_mixed - false

FF - user.js: security.warn_viewing_mixed.show_once - false

FF - user.js: security.warn_submit_insecure - false

FF - user.js: security.warn_submit_insecure.show_once - false

.

- - - - ORPHANS REMOVED - - - -

.

BHO-{1857CD64-8612-440C-A698-AC8FFE7B91C3} - (no file)

SafeBoot-59836853.sys

SafeBoot-mcmscsvc

SafeBoot-MCODS

AddRemove-{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1 - c:\users\Kyle Adams\Desktop\Security Software\Spybot\Spybot - Search & Destroy\unins000.exe

.

.

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

@Denied: (Full) (Everyone)

.

------------------------ Other Running Processes ------------------------

.

c:\users\KYLEAD~1\Desktop\SECURI~1\AVG\AVG10~1\avgchsvx.exe

c:\users\KYLEAD~1\Desktop\SECURI~1\AVG\AVG10~1\avgrsx.exe

c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe

c:\windows\system32\taskhost.exe

c:\windows\system32\conhost.exe

c:\windows\System32\rundll32.exe

c:\program files\DellTPad\ApMsgFwd.exe

c:\program files\Microsoft IntelliType Pro\dpupdchk.exe

c:\program files\DellTPad\Apntex.exe

c:\windows\system32\conhost.exe

c:\program files\DellTPad\HidFind.exe

c:\windows\system32\sppsvc.exe

.

**************************************************************************

.

Completion time: 2011-10-29 17:12:01 - machine was rebooted

ComboFix-quarantined-files.txt 2011-10-29 21:11

.

Pre-Run: 186,198,642,688 bytes free

Post-Run: 186,891,915,264 bytes free

.

- - End Of File - - 936E827A301AD3B39FC1057E57934A2F


Looks like you're running 2 anti-virus programs.

AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}

AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {9FF26384-70D4-CE6B-3ECB-E759A6A40116}

Never install more than one Antivirus and Firewall! Rather than giving you extra protection, it will decrease the reliability of it seriously!

The reason for this is that if both products have their automatic (Real-Time) protection switched on, your system may lock up due to both software products attempting to access the same file at the same time.

Also because more than one Antivirus and Firewall installed are not compatible with each other, it can cause system performance problems and a serious system slowdown.

You need to uninstall one of them.

Copy/paste the text in the Codebox below into notepad:

Here's how to do that:

Click Start > Run type Notepad click OK.

This will open an empty notepad file:

Take your mouse, and place your cursor at the beginning of the text in the box below, then click and hold the left mouse button, while pulling your mouse over the text. This should highlight the text. Now release the left mouse button. Now, with the cursor over the highlighted text, right click the mouse for options, and select 'copy'. Now over the empty Notepad box, right click your mouse again, and select 'paste' and you will have copied and pasted the text.

KillAll::

File::
c:\users\Kyle Adams\AppData\Local\Mwivilexex.bin

Folder::
c:\users\Kyle Adams\AppData\Local\3f7664aa

RegLock::
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]

Save this file to your desktop as "CFScript".

Here's how to do that:

1. Click File;

2. Click Save As... Change the directory to your desktop;

3. Change the Save as type to "All Files";

4. Type in the file name: CFScript

5. Click Save ...


Drag CFScript.txt into ComboFix.exe

Then post the results log using Copy / Paste

Also please describe how your computer behaves at the moment.


I always had the real time portion of AdAware turned off, and I actually uninstalled the whole thing via Add/Remove Programs a couple weeks ago. I'm surprised it came up in the scan. Please let me know how to completely uninstall it so that it's safe to proceed with the CFScript.


I restarted the computer and it eliminated those error messages. I uninstalled AVG from Add/Remove Programs to avoid the warnings I got the first time I ran ComboFix, but I got the same two warnings regardless. The log from the scan is copied below.

ComboFix 11-10-30.02 - KAdams 10/30/2011 11:10:24.2.2 - x86

Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.3572.2530 [GMT -4:00]

Running from: c:\users\Kyle Adams\Desktop\ComboFix.exe

Command switches used :: c:\users\Kyle Adams\Desktop\CFScript.txt

AV: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}

AV: Lavasoft Ad-Watch Live! Anti-Virus *Disabled/Updated* {9FF26384-70D4-CE6B-3ECB-E759A6A40116}

SP: AVG Anti-Virus Free Edition 2011 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}

SP: Lavasoft Ad-Watch Live! *Disabled/Updated* {24938260-56EE-C1E5-047B-DC2BDD234BAB}

SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

FILE ::

"c:\users\Kyle Adams\AppData\Local\Mwivilexex.bin"

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

c:\users\Kyle Adams\AppData\Local\3f7664aa

c:\users\Kyle Adams\AppData\Local\3f7664aa\@

c:\users\Kyle Adams\AppData\Local\Mwivilexex.bin

.

Infected copy of c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe was found and disinfected

Restored copy from - c:\combofix\HarddiskVolumeShadowCopy3_!Windows!Microsoft.NET!Framework!v2.0.50727!mscorsvw.exe

.

Infected copy of c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe was found and disinfected

Restored copy from - c:\combofix\HarddiskVolumeShadowCopy3_!Program Files!Microsoft Small Business!Business Contact Manager!BcmSqlStartupSvc.exe

.

Infected copy of c:\windows\system32\nvvsvc.exe was found and disinfected

Restored copy from - c:\combofix\HarddiskVolumeShadowCopy3_!Windows!System32!nvvsvc.exe

.

Infected copy of c:\windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_b8f542503f95f21b\STacSV.exe was found and disinfected

Restored copy from - c:\combofix\HarddiskVolumeShadowCopy3_!Windows!System32!DriverStore!FileRepository!stwrt.inf_x86_neutral_b8f542503f95f21b!STacSV.exe

.

.

((((((((((((((((((((((((( Files Created from 2011-09-28 to 2011-10-30 )))))))))))))))))))))))))))))))

.

.

2011-10-30 15:23 . 2011-10-30 15:25 -------- d-----w- c:\users\Kyle Adams\AppData\Local\temp

2011-10-30 15:23 . 2011-10-30 15:23 -------- d-----w- c:\users\pwybron\AppData\Local\temp

2011-10-30 15:23 . 2011-10-30 15:23 -------- d-----w- c:\users\KAdams\AppData\Local\temp

2011-10-30 15:23 . 2011-10-30 15:23 -------- d-----w- c:\users\hnayar\AppData\Local\temp

2011-10-30 15:23 . 2011-10-30 15:23 -------- d-----w- c:\users\Default\AppData\Local\temp

2011-10-30 15:23 . 2011-10-30 15:23 -------- d-----w- c:\users\CURRENT_USER\AppData\Local\temp

2011-10-29 20:58 . 2009-07-13 23:11 80896 ----a-w- c:\windows\system32\drivers\i8042prt.sys

2011-10-26 16:24 . 2011-08-31 21:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys

2011-10-12 20:47 . 2011-08-17 04:24 465408 ----a-w- c:\windows\system32\psisdecd.dll

2011-10-12 20:47 . 2011-08-17 04:19 75776 ----a-w- c:\windows\system32\psisrndr.ax

2011-10-12 20:47 . 2011-08-27 04:26 571904 ----a-w- c:\windows\system32\oleaut32.dll

2011-10-12 20:47 . 2011-08-27 04:26 233472 ----a-w- c:\windows\system32\oleacc.dll

2011-10-12 20:47 . 2011-09-06 02:28 2334720 ----a-w- c:\windows\system32\win32k.sys

2011-10-12 20:46 . 2011-10-01 02:42 1638912 ----a-w- c:\windows\system32\mshtml.tlb

2011-10-12 20:45 . 2011-08-20 04:31 981504 ----a-w- c:\windows\system32\wininet.dll

2011-10-12 20:45 . 2011-08-20 04:26 163328 ----a-w- c:\program files\Internet Explorer\ieproxy.dll

2011-10-12 20:45 . 2011-08-20 04:26 860672 ----a-w- c:\program files\Internet Explorer\iedvtool.dll

2011-10-01 11:59 . 2011-10-01 11:59 308296 ----a-w- c:\windows\system32\SRACAVIControl.ocx

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2011-10-20 18:29 . 2011-05-17 13:24 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-10-06 18:19 . 2011-05-07 16:26 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2009-06-29 458844]

"Apoint"="c:\program files\DellTPad\Apoint.exe" [2009-06-19 249856]

"nwiz"="nwiz.exe" [2009-06-11 1657376]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-06-16 13793824]

"NVHotkey"="c:\windows\system32\nvHotkey.dll" [2009-06-16 92704]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 37296]

"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]

"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2010-07-21 1778064]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

"AvgUninstallURL"="start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVWSzItQUxZTUYtU0xLTFUtQVoyVUItNkdPS0ItSkhGTkg&inst=NzctNDc2OTM3MDk4LUZQOSs2LUJBUjlPKzEtVEI5KzItRkwrOS1GMTBNKzUtUUlYMSszLUYxME0xMEQrMS1MSUMrNy1GTDEwKzEtU1AxKzEtU1AxVEIrMS1TVVArMS1ERFQrMzE4MzQtREQxMEYrMS1TVDEwRkFQUCsxLUYxME0xMkFUKzItRjEwTTEyQSsxLUYxME0xMkFCKzEtVTEwKzEtRjEwTTEyQVRCTisx&prod=90&ver=10.0.1411" [?]

.

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

SolidWorks Background Downloader.lnk - c:\program files\Common Files\SolidWorks Installation Manager\BackgroundDownloading\sldBgDwld.exe [2011-10-17 1836104]

Start 3DxWare.lnk - c:\program files\3Dconnexion\3Dconnexion 3DxSoftware\3DxWare\3dxsrv.exe [2009-7-27 119296]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"ConsentPromptBehaviorAdmin"= 0 (0x0)

"ConsentPromptBehaviorUser"= 3 (0x3)

"EnableLUA"= 0 (0x0)

"EnableUIADesktopToggle"= 0 (0x0)

"PromptOnSecureDesktop"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

.

R2 NVIDIA Performance Driver Service;NVIDIA Performance Driver Service;c:\program files\NVIDIA Corporation\Performance Drivers\nvPDsvc.exe [x]

R3 CoordinatorServiceHost;SW Distributed TS Coordinator Service;c:\program files\SolidWorks Corp\SolidWorks\swScheduler\DTSCoordinatorService.exe [2011-10-01 89160]

R3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\DRIVERS\dc3d.sys [2010-07-07 44432]

R3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [x]

R3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys [x]

R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [x]

R3 silabenm;Silicon Labs CP210x USB to UART Bridge Serial Port Enumerator Driver;c:\windows\system32\DRIVERS\silabenm.sys [2010-02-02 43520]

R3 silabser;Silicon Labs CP210x USB to UART Bridge Driver;c:\windows\system32\DRIVERS\silabser.sys [2010-02-17 63488]

R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]

R3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\DRIVERS\WSDPrint.sys [2009-07-14 17920]

R4 msvsmon80;Visual Studio 2005 Remote Debugger;c:\program files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe [2005-09-23 2799808]

S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2010-07-06 64288]

S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]

S3 e1yexpress;Intel® Gigabit Network Connections Driver;c:\windows\system32\DRIVERS\e1y6232.sys [2009-06-13 221912]

S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-13 14336]

.

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

GPSvcGroup REG_MULTI_SZ GPSvc

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://companyweb/Lists/Calendar/calendar.aspx

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~1\Office12\EXCEL.EXE/3000

TCP: DhcpNameServer = 209.18.47.61 209.18.47.62

FF - ProfilePath - c:\users\Kyle Adams\AppData\Roaming\Mozilla\Firefox\Profiles\8hg77bc1.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

FF - user.js: network.cookie.cookieBehavior - 0

FF - user.js: privacy.clearOnShutdown.cookies - false

FF - user.js: security.warn_viewing_mixed - false

FF - user.js: security.warn_viewing_mixed.show_once - false

FF - user.js: security.warn_submit_insecure - false

FF - user.js: security.warn_submit_insecure.show_once - false

.

.

------------------------ Other Running Processes ------------------------

.

c:\windows\system32\nvvsvc.exe

c:\windows\system32\nvvsvc.exe

c:\program files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe

c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe

c:\windows\system32\taskhost.exe

c:\windows\system32\conhost.exe

c:\windows\System32\rundll32.exe

c:\program files\DellTPad\ApMsgFwd.exe

c:\program files\Microsoft IntelliType Pro\dpupdchk.exe

c:\program files\DellTPad\Apntex.exe

c:\windows\system32\conhost.exe

c:\program files\DellTPad\HidFind.exe

c:\windows\system32\sppsvc.exe

.

**************************************************************************

.

Completion time: 2011-10-30 11:29:23 - machine was rebooted

ComboFix-quarantined-files.txt 2011-10-30 15:29

.

Pre-Run: 187,621,453,824 bytes free

Post-Run: 187,536,662,528 bytes free

.

- - End Of File - - B0F5C0262468E715EF2E1826D6197120


Seems to be running fine. Search redirects are still gone, and it feels like the internet is faster in general. I still haven't seen a runaway svchost process as I described earlier. I ran a quick scan with MBAM to test functionality and it came up clean. Should I reinstall AVG at this point?


You can re-install AVG after doing this:

Good job

The following will implement some cleanup procedures as well as reset System Restore points:

For XP:

  • Click START run
  • Now type ComboFix /Uninstall in the runbox and click OK. Note the space between the X and the /, it needs to be there.

For Vista / Windows 7

  • Click START Search
  • Now type ComboFix /Uninstall in the runbox and click OK. Note the space between the X and the /, it needs to be there.

If you used DeFogger

To re-enable your Emulation drivers, double click DeFogger to run the tool.

  • The application window will appear
  • Click the Re-enable button to re-enable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK

IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_enable which will appear on your desktop.

Your Emulation drivers are now re-enabled.

Here's my usual all clean post

To be on the safe side, I would also change all my passwords.

This infection appears to have been cleaned, but as the malware could be configured to run any program a remote attacker requires, it's impossible to be 100% sure that any machine is clean.

Log looks good :D

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    1. From within Internet Explorer click on the Tools menu and then click on Options.
    2. Click once on the Security tab
    3. Click once on the Internet icon so it becomes highlighted.
    4. Click once on the Custom Level button.
    5. Change the Download signed ActiveX controls to Prompt
    6. Change the Download unsigned ActiveX controls to Disable
    7. Change the Initialize and script ActiveX controls not marked as safe to Disable
    8. Change the Installation of desktop items to Prompt
    9. Change the Launching programs and files in an IFRAME to Prompt
    10. Change the Navigate sub-frames across different domains to Prompt
    11. When all these settings have been made, click on the OK button.
    12. If it prompts you as to whether or not you want to save the settings, press the Yes button.
    13. Next press the Apply button and then the OK to exit the Internet Properties page.

  • Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I cannot stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

  • Use a secure browser plugin - M86 SecureBrowsing makes it safe to search, surf and socialize online. This free browser plug-in displays security icons next to links on search engines and social networking sites like Facebook, Twitter and LinkedIn, so you'll know which pages are safe and which ones to avoid.
    • Free browser plug-in for Internet Explorer and Firefox
    • Real-time safety ratings
    • Ideal for Facebook, Twitter and LinkedIn

  • JAVA - Click this link and click on the Free JAVA Download

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates available installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Only run one Anti-Virus and Firewall program.

I would suggest you read:

PC Safety and Security--What Do I Need?

How to Prevent Malware:

The full version of Malwarebytes' Anti-Malware could have helped protect your computer against this threat.

We use different ways of protecting your computer(s):

  • Dynamically Blocks Malware Sites & Servers
  • Malware Execution Prevention

Save yourself the hassle and get protected.

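The thirteen Internet Explorer steps in the all-clean post above change six settings of the Internet zone by hand. As an added example that is not part of the original post or of any tool mentioned in it, the PowerShell function below applies the same six settings through the registry values Internet Explorer reads, shows the previous value of each so the change can be reviewed or reverted, and supports -WhatIf for a dry run. The zone value names (1001, 1004, 1201, 1800, 1804, 1607) and codes (0 = Enable, 1 = Prompt, 3 = Disable) are Microsoft's documented URL-action identifiers; the function name and the Security_HKLM_only check are my additions.

```powershell
# Added example: apply the six Internet-zone hardening settings from the
# helper's GUI instructions through the registry, and report what changed.
# Zone 3 is the "Internet" zone. Value codes: 0 = Enable, 1 = Prompt, 3 = Disable.
# Run as the user whose Internet Explorer settings should change.
$ZonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Same six settings and target values as steps 5-10 of the post.
$Hardening = @(
    @{ Name = '1001'; Desc = 'Download signed ActiveX controls';                          Value = 1 }  # Prompt
    @{ Name = '1004'; Desc = 'Download unsigned ActiveX controls';                        Value = 3 }  # Disable
    @{ Name = '1201'; Desc = 'Initialize and script ActiveX controls not marked as safe'; Value = 3 }  # Disable
    @{ Name = '1800'; Desc = 'Installation of desktop items';                             Value = 1 }  # Prompt
    @{ Name = '1804'; Desc = 'Launching programs and files in an IFRAME';                 Value = 1 }  # Prompt
    @{ Name = '1607'; Desc = 'Navigate sub-frames across different domains';              Value = 1 }  # Prompt
)

function Set-InternetZoneHardening {
    # Function name is my own; it is not a built-in cmdlet.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$Path = $ZonePath,
        [object[]]$Settings = $Hardening
    )

    # When the machine-wide policy value Security_HKLM_only is 1, Internet Explorer
    # ignores per-user zone settings and uses HKLM instead, so a change made here
    # would have no effect. Warn rather than silently writing an ignored value.
    $policyKey = 'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
    $hklmOnly = Get-ItemProperty -Path $policyKey -Name 'Security_HKLM_only' -ErrorAction SilentlyContinue
    if ($hklmOnly -and $hklmOnly.Security_HKLM_only -eq 1) {
        Write-Warning 'Security_HKLM_only is set; per-user zone settings are ignored on this machine.'
    }

    # The zone key normally exists, but create it if a profile has never opened IE.
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }

    foreach ($s in $Settings) {
        # Read the current value (absent means the zone default applies).
        $item    = Get-ItemProperty -Path $Path -Name $s.Name -ErrorAction SilentlyContinue
        $current = if ($item) { $item.($s.Name) } else { $null }
        $before  = if ($null -eq $current) { '(absent)' } else { $current }

        # ShouldProcess honours -WhatIf / -Confirm so the change can be previewed.
        if ($PSCmdlet.ShouldProcess("$($s.Desc) [$($s.Name)]", "set to $($s.Value) (was $before)")) {
            Set-ItemProperty -Path $Path -Name $s.Name -Value $s.Value -Type DWord
        }

        # Emit one record per setting so the result can be logged or compared later.
        New-Object PSObject -Property @{
            Setting = $s.Desc
            Id      = $s.Name
            Before  = $before
            After   = $s.Value
        }
    }
}

# Preview first, then apply and show the before/after table:
# Set-InternetZoneHardening -WhatIf
# Set-InternetZoneHardening | Format-Table Setting, Id, Before, After -AutoSize
```

Re-running the function is safe: settings already at the target value are simply reported again with Before equal to After.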

I uninstalled ComboFix, updated my settings in IE, and updated Java. I then reinstalled AVG and ran a full scan. It found and healed a Win32/Katusha.A infection in C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_b8f542503f95f21b\AEstSrv.exe. After the reboot I ran an MBAM full scan and another AVG scan, and both came up clean. Is this a separate issue or related to what we have already removed?

To clarify, do you recommend using the full version of MBAM in conjunction with an antivirus program like AVG?

