casualuser

IP address will not renew

103 posts in this topic

I have Avast installed on my computer. It detected and removed a rootkit virus, but now I cannot get online due to the IP address not renewing. The modem and router are fine. I have two other computers connected to them and no problems with those. I do not know if the rootkit has been totally removed or not. The symptoms were a "Google Redirect" problem. The logs requested are below.

 

Malwarebytes Anti-Malware 1.61.0.1400

www.malwarebytes.org

 

Database version: v2012.04.10.01

 

Windows XP Service Pack 3 x86 NTFS

Internet Explorer 8.0.6001.18702

Mark Smith :: MEDIAPC [administrator]

 

4/11/2012 9:23:54 AM

mbam-log-2012-04-11 (09-23-54).txt

 

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 211965

Time elapsed: 6 minute(s), 16 second(s)

 

Memory Processes Detected: 0

(No malicious items detected)

 

Memory Modules Detected: 0

(No malicious items detected)

 

Registry Keys Detected: 0

(No malicious items detected)

 

Registry Values Detected: 0

(No malicious items detected)

 

Registry Data Items Detected: 0

(No malicious items detected)

 

Folders Detected: 0

(No malicious items detected)

 

Files Detected: 0

(No malicious items detected)

 

(end)

 

 

 

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 8.0.6001.18702

Run by Mark Smith at 11:01:10 on 2012-04-11

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1558 [GMT -4:00]

.

AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}

FW: ActiveArmor Firewall *Disabled*

.

============== Running Processes ===============

.

J:\WINDOWS\system32\Ati2evxx.exe

J:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

J:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

J:\Program Files\Alwil Software\Avast5\AvastSvc.exe

J:\WINDOWS\system32\Ati2evxx.exe

J:\WINDOWS\system32\spoolsv.exe

svchost.exe

J:\Program Files\Adobe\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe

J:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

J:\Program Files\Bonjour\mDNSResponder.exe

J:\WINDOWS\system32\svchost.exe -k hpdevmgmt

J:\Program Files\Java\jre6\bin\jqs.exe

J:\WINDOWS\System32\svchost.exe -k HPZ12

J:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe

J:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe

J:\WINDOWS\System32\svchost.exe -k HPZ12

J:\Program Files\CyberLink\Shared Files\RichVideo.exe

J:\WINDOWS\system32\svchost.exe -k imgsvc

J:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe

J:\WINDOWS\Explorer.EXE

J:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe

J:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE

J:\WINDOWS\SOUNDMAN.EXE

J:\Program Files\Alwil Software\Avast5\avastUI.exe

J:\Program Files\Logitech\SetPointP\SetPoint.exe

J:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe

J:\Program Files\iTunes\iTunesHelper.exe

J:\WINDOWS\system32\ctfmon.exe

J:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE

J:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe

svchost.exe

J:\Program Files\iPod\bin\iPodService.exe

J:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe

J:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe

J:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe

J:\Documents and Settings\Mark Smith\Desktop\SecurityCheck.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.nascar.com/

uSearch Page = hxxp://www.google.com

uSearch Bar = hxxp://www.google.com/ie

uDefault_Search_URL = hxxp://www.google.com/ie

uInternet Settings,ProxyOverride = *.local

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

mSearchAssistant = hxxp://www.google.com/ie

BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File

BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - j:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - j:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: KTBho Class: {25edc164-41a6-47c3-80bd-5e4fbe1ba7ab} - j:\progra~1\kaboodle\kabood~1\KTBar.dll

BHO: BitComet Helper: {39f7e362-828a-4b5a-bcaf-5b79bfdfea60} - j:\program files\bitcomet\tools\BitCometBHO_1.5.4.11.dll

BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - j:\program files\alwil software\avast5\aswWebRepIE.dll

BHO: WinZip Courier BHO: {a8fb70fa-0fdf-4601-9dc4-bfa1b357204f} - j:\progra~1\winzip~1\wzwmcie.dll

BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - j:\progra~1\micros~2\office14\URLREDIR.DLL

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - j:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - j:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - j:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll

TB: Kaboodle Toolbar: {92857633-2441-4a14-8236-dfcb97ad3e87} - j:\progra~1\kaboodle\kabood~1\KTBar.dll

TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - j:\program files\alwil software\avast5\aswWebRepIE.dll

TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File

EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - j:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll

uRun: [ctfmon.exe] j:\windows\system32\ctfmon.exe

mRun: [startCCC] j:\program files\ati technologies\ati.ace\core-static\CLIStart.exe

mRun: [OpwareSE2] "j:\program files\scansoft\omnipagese2.0\OpwareSE2.exe"

mRun: [MediaFace Integration] j:\program files\fellowes\mediaface 4.2\SetHook.exe

mRun: [NVMixerTray] "j:\program files\nvidia corporation\nvmixer\NVMixerTray.exe"

mRun: [nTrayFw] j:\program files\nvidia corporation\networkaccessmanager\bin\nTrayFw.exe

mRun: [hpqSRMon]

mRun: [soundMan] SOUNDMAN.EXE

mRun: [QuickTime Task] "j:\program files\quicktime\qttask.exe" -atboottime

mRun: [avast] "j:\program files\alwil software\avast5\avastUI.exe" /nogui

mRun: [saXsAQWSemKq.exe] j:\documents and settings\all users\application data\saXsAQWSemKq.exe

mRun: [EvtMgr6] j:\program files\logitech\setpointp\SetPoint.exe /launchGaming

mRun: [Adobe Reader Speed Launcher] "j:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [Adobe ARM] "j:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [APSDaemon] "j:\program files\common files\apple\apple application support\APSDaemon.exe"

mRun: [iTunesHelper] "j:\program files\itunes\iTunesHelper.exe"

dRunOnce: [RunNarrator] Narrator.exe

StartupFolder: j:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - j:\program files\hp\digital imaging\bin\hpqtra08.exe

StartupFolder: j:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - j:\program files\microsoft office\office10\OSA.EXE

IE: Add to Google Photos Screensa&ver - j:\windows\system32\GPhotos.scr/200

IE: E&xport to Microsoft Excel - j:\progra~1\micros~2\office14\EXCEL.EXE/3000

IE: Se&nd to OneNote - j:\progra~1\micros~2\office14\ONBttnIE.dll/105

IE: {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://j:\program files\bitcomet\tools\BitCometBHO_1.5.4.11.dll/206

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - j:\program files\messenger\msmsgs.exe

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - j:\program files\microsoft office\office14\ONBttnIE.dll

IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - j:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll

IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - j:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204

DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

TCP: DhcpNameServer = 192.168.2.1

TCP: Interfaces\{C1D78F9F-A1EE-411A-AC97-0734BD6B5AAF} : DhcpNameServer = 192.168.2.1

Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - j:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL

Notify: AtiExtEvent - Ati2evxx.dll

Notify: LBTWlgn - j:\program files\common files\logishrd\bluetooth\LBTWlgn.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - j:\windows\system32\WPDShServiceObj.dll

.

============= SERVICES / DRIVERS ===============

.

R1 aswSnx;aswSnx;j:\windows\system32\drivers\aswSnx.sys [2011-6-14 612184]

R1 aswSP;aswSP;j:\windows\system32\drivers\aswSP.sys [2009-7-14 337880]

R1 eusk2par;EUTRON SmartKey Parallel Driver;j:\windows\system32\drivers\eusk2par.sys [2009-10-9 24786]

R2 AdobeActiveFileMonitor8.0;Adobe Active File Monitor V8;j:\program files\adobe\elements organizer 8.0\PhotoshopElementsFileAgent.exe [2009-9-6 169312]

R2 aswFsBlk;aswFsBlk;j:\windows\system32\drivers\aswFsBlk.sys [2009-7-14 20696]

R2 avast! Antivirus;avast! Antivirus;j:\program files\alwil software\avast5\AvastSvc.exe [2010-10-21 44768]

R2 LBeepKE;Logitech Beep Suppression Driver;j:\windows\system32\drivers\LBeepKE.sys [2011-12-29 12184]

R3 LEqdUsb;Logitech SetPoint Unifying KMDF USB Filter;j:\windows\system32\drivers\LEqdUsb.sys [2011-9-2 42648]

R3 LHidEqd;Logitech SetPoint Unifying KMDF HID Filter;j:\windows\system32\drivers\LHidEqd.sys [2011-9-2 12184]

S3 eusk3usb;SmartKey 3 USB;j:\windows\system32\drivers\eusk3usb.sys [2009-10-9 45534]

S3 NPF;NetGroup Packet Filter Driver;j:\windows\system32\drivers\npf.sys [2003-6-13 30336]

S3 osppsvc;Office Software Protection Platform;j:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]

.

=============== Created Last 30 ================

.

2012-04-10 03:58:13 712 ----a-w- j:\documents and settings\all users\application data\wfsmaaa.tmp

2012-04-10 03:44:58 948 ----a-w- j:\documents and settings\all users\application data\acdmaaa.tmp

2012-04-10 03:39:22 0 --sha-w- j:\windows\system32\dds_trash_log.cmd

2012-04-10 03:14:04 22344 ----a-w- j:\windows\system32\drivers\mbam.sys

2012-04-10 02:44:28 577 ----a-w- j:\documents and settings\all users\application data\yyqlaaa.tmp

2012-04-10 02:44:17 -------- d-----w- j:\windows\system32\wbem\repository\FS

2012-04-10 02:44:17 -------- d-----w- j:\windows\system32\wbem\Repository

2012-03-23 13:53:20 21504 ----a-w- j:\windows\system32\drivers\hidserv.dll

2012-03-22 19:12:12 4435968 ----a-w- j:\windows\system32\GPhotos.scr

.

==================== Find3M ====================

.

2012-03-23 13:53:12 16400 ----a-w- j:\windows\system32\drivers\LNonPnP.sys

2012-03-06 23:15:19 41184 ----a-w- j:\windows\avastSS.scr

2012-03-06 23:03:51 612184 ----a-w- j:\windows\system32\drivers\aswSnx.sys

.

=================== ROOTKIT ====================

.

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net

Windows 5.1.2600 Disk: USB2.0__ rev.0.0> -> Harddisk1\DR2 -> \Device\00000083

.

device: opened successfully

user: error reading MBR

.

Disk trace:

called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys hal.dll

1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk1\DR2[0x8A484788]

kernel: MBR read successfully

_asm { CLI ; MOV AX, 0x0; MOV SS, AX; MOV SP, 0x7c00; MOV SI, SP; PUSH AX; POP ES; PUSH AX; POP DS; STI ; CLD ; MOV DI, 0x600; MOV CX, 0x100; REP MOVSW ; JMP FAR 0x0:0x61e; }

user != kernel MBR !!!

.

============= FINISH: 11:01:48.50 ===============

 

Results of screen317's Security Check version 0.99.32

Windows XP Service Pack 3 x86

Internet Explorer 8

``````````````````````````````

Antivirus/Firewall Check:

avast! Free Antivirus

```````````````````````````````

Anti-malware/Other Utilities Check:

Java 6 Update 20

Java version out of date!

Adobe Flash Player 10.0.45.2 Flash Player out of Date!

Adobe Reader 9 Adobe Reader out of date!

````````````````````````````````

Process Check:

objlist.exe by Laurent

Alwil Software Avast5 AvastSvc.exe

Alwil Software Avast5 avastUI.exe

``````````End of Log````````````

 

 

Thank you.

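Added example (not from this thread, DDS or any tool the helper asks for): a short Python triage script that mechanises three checks a helper makes by eye on the DDS log above: an autorun entry launched from a writable data directory or carrying a randomly cased name (the saXsAQWSemKq.exe mRun entry), security products reported as Disabled, and the ROOTKIT section's "user != kernel MBR" mismatch. The sample lines are copied from the log; the directory list, the case-flip heuristic and its 0.45 threshold are this example's own assumptions.

```python
"""DDS log triage (added example; not DDS itself or a tool from this thread)."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: lines copied from the DDS log posted above, enough to
# exercise every check below.
SAMPLE_DDS = r"""
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: ActiveArmor Firewall *Disabled*
uRun: [ctfmon.exe] j:\windows\system32\ctfmon.exe
mRun: [hpqSRMon]
mRun: [soundMan] SOUNDMAN.EXE
mRun: [avast] "j:\program files\alwil software\avast5\avastUI.exe" /nogui
mRun: [saXsAQWSemKq.exe] j:\documents and settings\all users\application data\saXsAQWSemKq.exe
mRun: [iTunesHelper] "j:\program files\itunes\iTunesHelper.exe"
device: opened successfully
user: error reading MBR
kernel: MBR read successfully
user != kernel MBR !!!
"""

RUN_RE = re.compile(r"^[umd]Run(?:Once)?: \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
PRODUCT_RE = re.compile(r"^(?P<kind>AV|FW): (?P<name>.+?) \*(?P<state>[^*]+)\*")
EXE_RE = re.compile(r'^"?(?P<path>.*?\.(?:exe|scr|dll))"?', re.IGNORECASE)

# Assumption for this example: legitimate installers register autoruns under
# Program Files or system32; a payload dropped by an infection is typically
# launched from one of these writable per-machine data directories instead.
DATA_DIRS = ("\\application data\\", "\\local settings\\", "\\temp\\")
FLIP_THRESHOLD = 0.45  # assumption: tuned only on the names in this log


@dataclass(frozen=True)
class Finding:
    severity: str  # "high" or "info"
    category: str  # "autorun", "protection" or "mbr"
    detail: str


def case_flip_ratio(stem: str) -> float:
    """Fraction of adjacent letter pairs that switch between lower and upper
    case. Product names such as iTunesHelper or PhotoshopElementsFileAgent
    stay below about 0.37; the randomly cased saXsAQWSemKq scores 6/11."""
    letters = [c for c in stem if c.isalpha()]
    if len(letters) < 2:
        return 0.0
    flips = sum(1 for a, b in zip(letters, letters[1:]) if a.isupper() != b.isupper())
    return flips / (len(letters) - 1)


def triage_run_entry(line: str) -> Optional[Finding]:
    """Return a Finding for a uRun/mRun/dRunOnce line that looks planted."""
    m = RUN_RE.match(line)
    if not m:
        return None
    exe = EXE_RE.match(m.group("cmd"))
    if not exe:
        return None  # e.g. "mRun: [hpqSRMon]" carries no command at all
    path = exe.group("path")
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    reasons = []
    if any(d in path.lower() for d in DATA_DIRS):
        reasons.append("launched from a writable data directory")
    if case_flip_ratio(stem) >= FLIP_THRESHOLD:
        reasons.append("random-looking file name")
    if not reasons:
        return None
    return Finding("high", "autorun", f"[{m.group('name')}] {path}: " + "; ".join(reasons))


def triage_dds(text: str) -> list[Finding]:
    """Walk a DDS log and collect the indicators this thread turns on."""
    findings: list[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        run = triage_run_entry(line)
        if run:
            findings.append(run)
            continue
        prod = PRODUCT_RE.match(line)
        if prod and "disabled" in prod.group("state").lower():
            findings.append(Finding("info", "protection",
                                    f"{prod.group('kind')} {prod.group('name')}: {prod.group('state')}"))
        elif line == "user: error reading MBR":
            findings.append(Finding("info", "mbr", "user-mode read of the MBR failed"))
        elif line.startswith("user != kernel MBR"):
            # The kernel-mode read succeeded while the user-mode read failed or
            # differed: consistent with a rootkit filtering disk I/O so that the
            # real on-disk MBR is hidden from ordinary readers.
            findings.append(Finding("high", "mbr", "user-mode and kernel-mode MBR differ"))
    return findings


if __name__ == "__main__":
    for f in triage_dds(SAMPLE_DDS):
        print(f"{f.severity:4} {f.category:10} {f.detail}")
```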

Welcome casualuser to SpywareInfo. I am The Dark Knight and will be assisting you. Please ask questions if anything is unclear. :)

 

Just a few things before we begin:

 

Before proceeding:

  • In the upper right hand corner of this topic there is a button labelled Watch this topic. Please click this button, select Immediate E-Mail notification and then click Proceed to ensure you are notified when I reply.
  • Please back up your personal documents and files by copying them to a location other than your system drive.
  • Please open Notepad > Format and if Word Wrap is ticked, please select it to untick it.

For the duration of this topic:

Please DO NOT run, install and/or uninstall/remove any tools/programs other than those I suggest to you in order to avoid conflicts and/or additional problems on your system.

When you receive new instructions:

  • Please read the whole post before carrying out any of the instructions.
  • All our tools must be downloaded to the Desktop and launched from there (unless I specify otherwise).
  • Please perform all steps in the received order and DO NOT proceed if you need clarification.
  • Please DO NOT re-run any program unless I ask you to.
  • Please DO NOT plug in any external devices like USBs and Hard Drives unless I ask you to.
  • If you encounter any problems please stop and let me know.

When replying:

  • Please click the Add Reply button so that my reply is not posted back to me. Thank you!
  • Please copy and paste your logs into your post unless I specifically ask you to attach one.

_________________________________________________________________________________________________________________________________

 

Please print out these instructions or copy them to a Notepad file for easier reading.

 

Please follow these instructions to run ComboFix.exe. Please visit this webpage for download links and instructions for running this tool:

 

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

 

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix (CF).

 

Please go here to see a list of programs that need to be disabled.

 

**Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall.**

 

**Note 2: If you get a message saying "Illegal operation attempted on a registry key that has been marked for deletion", please restart your computer.**

 

Please include the C:\ComboFix.txt in your next reply for further review.

==========

 

Please download MBRCheck by a_d_13 to your Desktop from one of these locations:

 

http://ad13.geekstogo.com/MBRCheck.exe

http://download.bleepingcomputer.com/rootrepeal/MBRCheck.exe

http://www.kernelmode.info/MBRCheck.exe

 

Close all opened programs/ windows and double-click on MBRCheck.exe.

It will produce a log file saved automatically on your Desktop as "MBRCheck_[Date]_[Time].txt".

 

Press the "Enter" key to close the MBRCheck window and post the contents of the log file.

 

 

Then, please download to your Desktop:

  • TDSSKiller.zip from here and extract it (right click on it => "Extract here").

 

>>> TDSSKiller: Double-click on TDSSKiller.exe to run the application.

  • Click on the Start Scan button and wait for the scan and disinfection process to be over.
  • If an infected file is detected, the default action will be Cure. Instead, choose SKIP, then click on Continue.
  • If a suspicious file is detected, the default action will be Skip; click on Continue.
  • If you are asked to reboot the computer to complete the process, click on the Reboot Now button. A report will be automatically saved at the root of the System drive (usually C:\) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt" (for example, C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt). Please copy and paste the contents of that file here.

===========

 

In your next post please provide the following:

  • ComboFix.txt.
  • MBRCheck log.
  • TDSSKiller log.

How is your computer running now?


I am having issues with combofix. It runs for over an hour with what seems to be no progress. It installed the recovery console and shows the "badly infected computers... times may easily double", and then nothing. Popups state I am infected with "rootkit zero" and to be patient. I am going to let it run while I am at work, and see what happened when I get home tonight. Avast is permanently disabled so that shouldn't be the problem. I get home at 1:30AM, so I will post further tomorrow morning.


Ok, so combofix ran for more than 12 hours while I was at work. Still no progress shown, no log, nothing. I uninstalled Avast and ran combofix again and still no progress.

Any ideas?


Hello casualuser . :)

 

OK. Please stop ComboFix and restart your computer.

 

Then, please download and run the following tool (courtesy of BleepingComputer.com) to help allow other programs to run.

  • There are 3 different versions. If one of them won't run then download and try to run the other one.
  • Vista and Win7 users need to right click and choose Run as Admin.
  • You only need to get one of them to run, not all of them.

rkill.exe

rkill.com

rkill.scr

 

It is possible that the infection you are trying to remove will not allow you to download files on the infected computer. If this is the case, then you will need to download the files requested on another computer and then transfer them to the Desktop of the infected computer. You can transfer the files via a CD/DVD, external drive, or USB flash drive.

 

Before proceeding any further, the processes that belong to Windows Recovery need to be terminated so that they do not interfere with the cleaning procedure.

 

Double-click on the RKill.exe icon in order to automatically attempt to stop any processes associated with Windows Recovery and other Rogue programs.

===

 

Please do not reboot your computer.

 

After running Rkill, please re-run ComboFix and then TDSSKiller.

=========

 

In your next post please post the logs from ComboFix and TDSSKiller.


Ok. After many more attempts, I finally got it to work. I still cannot connect to the internet due to the IP address not renewing. Also I keep getting an error message over and over: "Exception Processing Message c0000013 Parameters 75b6bf7c 4 75b6bf7c 75b6bf7c" Cancel/Try Again/Continue. I have to click any of the three options 20 or more times to get the message to go away. Then in a few minutes it comes back and the same 20 clicks to clear it. Here are the logs.

 

ComboFix 12-04-14.02 - Mark Smith 04/14/2012 10:53:13.1.2 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1671 [GMT -4:00]

Running from: j:\documents and settings\Mark Smith\Desktop\ComboFix.exe

FW: ActiveArmor Firewall *Disabled* {EDC10449-64D1-46c7-A59A-EC20D662F26D}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

j:\documents and settings\All Users\Application Data\acdmaaa.tmp

j:\documents and settings\All Users\Application Data\aimt.tmp

j:\documents and settings\All Users\Application Data\aoexp.tmp

j:\documents and settings\All Users\Application Data\emopts.dat

j:\documents and settings\All Users\Application Data\sacache

j:\documents and settings\All Users\Application Data\sacache\EI\1.log

j:\documents and settings\All Users\Application Data\sacache\EI\2.log

j:\documents and settings\All Users\Application Data\sacache\EI\3.log

j:\documents and settings\All Users\Application Data\sacache\EI\4.log

j:\documents and settings\All Users\Application Data\sacache\EI\5.log

j:\documents and settings\All Users\Application Data\sacache\skeys.log

j:\documents and settings\All Users\Application Data\sacache\skeys1.log

j:\documents and settings\All Users\Application Data\sacache\skeys2.log

j:\documents and settings\All Users\Application Data\sacache\ss\sslist.dat


j:\documents and settings\All Users\Application Data\sacache\ss\wincfg230.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg231.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg232.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg233.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg234.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg235.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg236.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg237.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg238.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg239.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg24.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg240.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg241.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg242.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg243.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg244.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg245.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg246.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg247.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg248.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg249.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg25.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg250.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg251.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg252.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg253.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg254.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg255.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg256.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg257.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg258.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg259.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg26.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg260.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg261.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg262.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg263.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg264.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg265.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg266.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg267.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg268.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg269.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg27.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg270.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg271.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg272.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg273.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg274.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg275.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg276.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg277.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg278.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg279.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg28.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg280.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg281.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg282.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg283.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg284.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg285.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg286.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg287.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg288.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg289.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg29.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg290.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg291.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg292.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg293.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg294.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg295.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg296.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg297.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg298.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg299.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg3.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg30.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg300.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg301.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg302.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg303.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg304.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg305.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg306.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg307.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg308.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg309.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg31.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg310.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg311.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg312.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg313.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg314.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg315.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg316.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg317.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg318.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg319.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg32.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg320.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg321.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg322.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg323.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg324.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg325.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg326.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg327.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg328.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg329.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg33.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg330.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg331.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg332.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg333.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg334.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg335.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg336.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg337.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg338.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg339.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg34.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg340.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg341.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg342.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg343.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg344.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg345.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg346.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg347.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg348.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg349.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg35.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg350.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg351.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg352.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg353.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg354.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg355.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg356.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg357.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg358.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg359.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg36.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg360.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg361.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg362.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg363.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg364.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg365.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg366.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg367.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg368.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg369.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg37.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg370.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg371.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg372.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg373.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg374.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg375.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg376.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg377.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg378.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg379.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg38.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg380.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg381.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg382.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg383.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg384.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg385.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg386.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg387.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg388.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg389.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg39.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg390.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg391.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg392.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg393.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg394.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg395.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg396.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg397.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg398.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg399.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg4.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg40.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg400.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg401.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg402.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg403.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg404.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg405.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg406.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg407.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg408.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg409.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg41.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg410.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg411.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg412.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg413.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg414.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg415.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg416.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg417.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg418.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg419.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg42.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg420.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg421.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg422.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg423.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg424.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg425.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg426.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg427.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg428.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg429.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg43.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg430.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg431.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg432.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg433.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg434.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg435.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg436.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg437.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg438.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg439.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg44.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg440.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg441.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg442.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg443.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg444.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg445.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg446.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg447.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg448.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg449.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg45.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg450.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg451.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg452.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg453.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg454.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg455.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg456.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg457.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg458.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg459.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg46.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg460.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg461.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg462.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg463.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg464.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg465.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg466.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg467.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg468.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg469.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg47.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg470.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg471.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg472.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg473.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg474.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg475.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg476.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg48.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg49.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg5.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg50.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg51.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg52.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg53.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg54.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg55.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg56.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg57.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg58.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg59.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg6.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg60.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg61.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg62.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg63.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg64.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg65.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg66.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg67.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg68.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg69.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg7.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg70.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg71.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg72.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg73.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg74.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg75.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg76.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg77.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg78.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg79.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg8.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg80.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg81.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg82.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg83.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg84.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg85.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg86.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg87.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg88.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg89.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg9.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg90.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg91.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg92.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg93.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg94.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg95.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg96.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg97.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg98.ssf

j:\documents and settings\All Users\Application Data\sacache\ss\wincfg99.ssf

j:\documents and settings\All Users\Application Data\TEMP

j:\documents and settings\All Users\Application Data\TEMP\{2BF2E31F-B8BB-40A7-B650-98D28E0F7D47}\PostBuild.exe

j:\documents and settings\All Users\Application Data\TEMP\{DD0372C1-7BAC-4CF5-B53B-8DF4669D89EE}\PostBuild.exe

j:\documents and settings\All Users\Application Data\wfsmaaa.tmp

j:\documents and settings\All Users\Application Data\yyqlaaa.tmp

j:\documents and settings\Mark Smith\Local Settings\Application Data\assembly\tmp

j:\documents and settings\Mark Smith\Recent\Thumbs.db

j:\documents and settings\Mark Smith\System

j:\documents and settings\Mark Smith\System\win_qs8.jqx

j:\program files\WinConfig

j:\program files\WinConfig\npf_mgm.exe

j:\windows\expl.dat

j:\windows\system32\dds_trash_log.cmd

j:\windows\system32\drivers\etc\hosts.ics

j:\windows\system32\drivers\npf.sys

j:\windows\system32\Packet.dll

j:\windows\system32\SET5C.tmp

j:\windows\system32\SET60.tmp

j:\windows\system32\SET68.tmp

j:\windows\system32\svch.dat

j:\windows\system32\winl.dat

j:\windows\system32\wpcap.dll

.

j:\windows\system32\winlogon.exe . . . is infected!! . . .Failed to restore. Attempting to replace on reboot

.

Infected copy of j:\windows\system32\svchost.exe was found and disinfected

Restored copy from - j:\windows\ServicePackFiles\i386\svchost.exe

.

j:\windows\explorer.exe . . . is infected!!

.

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

-------\Legacy_NPF

-------\Service_NPF

.

.

((((((((((((((((((((((((( Files Created from 2012-03-14 to 2012-04-14 )))))))))))))))))))))))))))))))

.

.

2012-04-10 03:14 . 2012-04-04 19:56 22344 ----a-w- j:\windows\system32\drivers\mbam.sys

2012-04-10 02:51 . 2012-04-10 02:51 -------- d-sh--w- j:\windows\system32\config\systemprofile\PrivacIE

2012-04-10 02:50 . 2012-04-10 02:50 -------- d-sh--w- j:\windows\system32\config\systemprofile\IETldCache

2012-04-10 02:44 . 2012-04-10 02:44 -------- d-----w- j:\windows\system32\wbem\Repository

2012-03-23 13:53 . 2008-04-13 23:11 21504 ----a-w- j:\windows\system32\drivers\hidserv.dll

2012-03-22 19:12 . 2012-03-22 19:12 4435968 ----a-w- j:\windows\system32\GPhotos.scr

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-03-23 13:53 . 2011-12-29 15:52 16400 ----a-w- j:\windows\system32\drivers\LNonPnP.sys

.

.

------- Sigcheck -------

Note: Unsigned files aren't necessarily malware.

.

[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . j:\windows\ServicePackFiles\i386\atapi.sys

[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . j:\windows\system32\drivers\atapi.sys

[7] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . j:\windows\$NtServicePackUninstall$\atapi.sys

.

[7] 2008-04-13 . B153AFFAC761E7F5FCFA822B9C4E97BC . 14336 . . [5.1.2600.5512] . . j:\windows\ServicePackFiles\i386\asyncmac.sys

[7] 2008-04-13 . B153AFFAC761E7F5FCFA822B9C4E97BC . 14336 . . [5.1.2600.5512] . . j:\windows\system32\drivers\asyncmac.sys

[7] 2004-08-04 . 02000ABF34AF4C218C35D257024807D6 . 14336 . . [5.1.2600.2180] . . j:\windows\$NtServicePackUninstall$\asyncmac.sys

.

[7] 2004-08-04 . DA1F27D85E0D1525F6621372E7B685E9 . 4224 . . [5.1.2600.0] . . j:\windows\system32\dllcache\beep.sys

[7] 2004-08-04 . DA1F27D85E0D1525F6621372E7B685E9 . 4224 . . [5.1.2600.0] . . j:\windows\system32\drivers\beep.sys

.

[7] 2008-04-13 . 463C1EC80CD17420A542B7F36A36F128 . 24576 . . [5.1.2600.5512] . . j:\windows\ServicePackFiles\i386\kbdclass.sys

[7] 2008-04-13 . 463C1EC80CD17420A542B7F36A36F128 . 24576 . . [5.1.2600.5512] . . j:\windows\system32\drivers\kbdclass.sys

[7] 2004-08-04 . EBDEE8A2EE5393890A1ACEE971C4C246 . 24576 . . [5.1.2600.2180] . . j:\windows\$NtServicePackUninstall$\kbdclass.sys

.

[7] 2008-04-13 . 1DF7F42665C94B825322FAE71721130D . 182656 . . [5.1.2600.5512] . . j:\windows\ServicePackFiles\i386\ndis.sys

[7] 2008-04-13 . 1DF7F42665C94B825322FAE71721130D . 182656 . . [5.1.2600.5512] . . j:\windows\system32\drivers\ndis.sys

[7] 2004-08-04 . 558635D3AF1C7546D26067D5D9B6959E . 182912 . . [5.1.2600.2180] . . j:\windows\$NtServicePackUninstall$\ndis.sys

.

[7] 2008-04-13 . 78A08DD6A8D65E697C18E1DB01C5CDCA . 574976 . . [5.1.2600.5512] . . j:\windows\ServicePackFiles\i386\ntfs.sys

[7] 2008-04-13 . 78A08DD6A8D65E697C18E1DB01C5CDCA . 574976 . . [5.1.2600.5512] . . j:\windows\system32\drivers\ntfs.sys

[7] 2004-08-04 . B78BE402C3F63DD55521F73876951CDD . 574592 . . [5.1.2600.2180] . . j:\windows\$NtServicePackUninstall$\ntfs.sys

.

[7] 2004-08-04 . 73C1E1F395918BC2C6DD67AF7591A3AD . 2944 . . [5.1.2600.0] . . j:\windows\system32\dllcache\null.sys

[7] 2004-08-04 . 73C1E1F395918BC2C6DD67AF7591A3AD . 2944 . . [5.1.2600.0] . . j:\windows\system32\drivers\null.sys

.

[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . j:\windows\$hf_mig$\KB2509553\SP3QFE\tcpip.sys

[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . j:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys

[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . j:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys

[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . j:\windows\system32\dllcache\tcpip.sys

[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . j:\windows\system32\drivers\tcpip.sys

[7] 2008-06-20 . 2A5554FC5B1E04E131230E3CE035C3F9 . 360320 . . [5.1.2600.3394] . . j:\windows\$NtServicePackUninstall$\tcpip.sys

[7] 2008-06-20 . 744E57C99232201AE98C49168B918F48 . 360960 . . [5.1.2600.3394] . . j:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys

[7] 2008-04-13 . 93EA8D04EC73A85DB02EB8805988F733 . 361344 . . [5.1.2600.5512] . . j:\windows\ServicePackFiles\i386\tcpip.sys

[7] 2004-08-04 . 9F4B36614A0FC234525BA224957DE55C . 359040 . . [5.1.2600.2180] . . j:\windows\$NtUninstallKB951748$\tcpip.sys

.

[7] 2008-04-14 . A06CE3399D16DB864F55FAEB1F1927A9 . 77824 . . [5.1.2600.5512] . . j:\windows\ServicePackFiles\i386\browser.dll

[7] 2008-04-14 . A06CE3399D16DB864F55FAEB1F1927A9 . 77824 . . [5.1.2600.5512] . . j:\windows\system32\browser.dll

[7] 2004-08-04 . E3CFCCDDA4EDD1D0DC9168B2E18F27B8 . 77312 . . [5.1.2600.2180] . . j:\windows\$NtServicePackUninstall$\browser.dll

.

[7] 2008-04-14 . BF2466B3E18E970D8A976FB95FC1CA85 . 13312 . . [5.1.2600.5512] . . j:\windows\ServicePackFiles\i386\lsass.exe

[7] 2008-04-14 . BF2466B3E18E970D8A976FB95FC1CA85 . 13312 . . [5.1.2600.5512] . . j:\windows\system32\lsass.exe

[7] 2004-08-04 . 84885F9B82F4D55C6146EBF6065D75D2 . 13312 . . [5.1.2600.2180] . . j:\windows\$NtServicePackUninstall$\lsass.exe

.

[7] 2008-04-14 . 13E67B55B3ABD7BF3FE7AAE5A0F9A9DE . 198144 . . [5.1.2600.5512] . . j:\windows\ServicePackFiles\i386\netman.dll

[7] 2008-04-14 . 13E67B55B3ABD7BF3FE7AAE5A0F9A9DE . 198144 . . [5.1.2600.5512] . . j:\wi


Hello casualuser. :)

 

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps.

 

Please follow these instructions to remove the remaining malicious entries:

 

  • Please close any open browsers.
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Open Notepad and copy/paste the text in the quotebox below into it:
     
    Please Note: Do NOT use any other text editor than Notepad or the CFScript will fail.
     

    killall::
     
    DDS::
    uInternet Settings,ProxyOverride = *.local
     
     
  • Save this as CFScript.txt, in the same location as ComboFix.exe.
     
    CFScriptB-4.gif
     
  • Referring to the picture above, drag CFScript into ComboFix.exe.
  • When finished, it shall produce a log for you at C:\ComboFix.txt.

 

Please post the ComboFix.txt in your next reply.

==========

 

Next, please download to your Desktop SystemLook by jpshortstuff from here or here.

Double-click SystemLook.exe and copy and paste the content of the following codebox (starting with :filefind) into the main textfield and click the Look button to start the scan:

 

:filefind
explorer.exe
winlogon.exe

 

When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt.

==========

 

Then, please download MBRCheck by a_d_13 to your Desktop from one of these locations:

 

http://ad13.geekstogo.com/MBRCheck.exe

http://download.bleepingcomputer.com/rootrepeal/MBRCheck.exe

http://www.kernelmode.info/MBRCheck.exe

 

Close all opened programs/ windows and double-click on MBRCheck.exe.

It will produce a log file saved automatically on your Desktop as "MBRCheck_[Date]_[Time].txt".

 

Press the "Enter" key to close the MBRCheck window and post the contents of the log file.

==========

 

In your next post please provide the following:

  • ComboFix.txt.
  • SystemLook.txt.
  • Log from MBRCheck.


I did the CFScript and dragged into combofix. Combofix ran, detected rootkit again, rebooted again. When the reboot was finished I got the dreaded blue screen Serious Error... new software or hardware not installed correctly... "IRQL_NOT_LESS_OR_EQUAL" Technical information "Stop: 0x0000000A (0x0000FFDF,0X00000002,0X00000001,0X806E7A8E) Beginning Dump Physical Memory...

It did this each of the 3 times I tried. Never got past it.


Hey casualuser. :)

 

Please reboot to Safe Mode (tap the F8 key just before Windows starts to load and select the Safe Mode option from the menu).

 

Next, please download to your Desktop SystemLook by jpshortstuff from here or here.

Note: You will need to use another computer to download SystemLook, if you haven't done so already, and transfer the file via a USB to your infected computer.

 

Double-click SystemLook.exe and copy and paste the content of the following codebox (starting with :filefind) into the main textfield and click the Look button to start the scan:

 

:filefind
explorer.exe
winlogon.exe

 

When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt.

==========

 

Please let me know if you run into any difficulties and please post the results from SystemLook in your next reply. :)


Done. Here is the log.

 

SystemLook 30.07.11 by jpshortstuff

Log created at 11:02 on 15/04/2012 by Mark Smith

Administrator - Elevation successful

 

========== filefind ==========

 

Searching for "explorer.exe"

J:\WINDOWS\explorer.exe --a---- 1058816 bytes [12:00 04/08/2004] [00:12 14/04/2008] 86B13BD2DAC4D331B0B6406E632AB086

J:\WINDOWS\$NtServicePackUninstall$\explorer.exe -----c- 1032192 bytes [19:48 01/12/2009] [12:00 04/08/2004] A0732187050030AE399B241436565E64

J:\WINDOWS\ServicePackFiles\i386\explorer.exe ------- 1033728 bytes [00:12 14/04/2008] [00:12 14/04/2008] 12896823FB95BFB3DC9B46BCAEDC9923

 

Searching for "winlogon.exe"

J:\Program Files\Malwarebytes' Anti-Malware\Chameleon\winlogon.exe --a---- 199240 bytes [03:14 10/04/2012] [19:56 04/04/2012] 097D0E812D7A9A3101CE46CB2BE0474D

J:\WINDOWS\$NtServicePackUninstall$\winlogon.exe -----c- 502272 bytes [19:48 01/12/2009] [12:00 04/08/2004] 01C3346C241652F43AED8E2149881BFE

J:\WINDOWS\ServicePackFiles\i386\winlogon.exe ------- 507904 bytes [00:12 14/04/2008] [00:12 14/04/2008] ED0EF0A136DEC83DF69F04118870003E

J:\WINDOWS\system32\winlogon.exe --a---- 545280 bytes [12:00 04/08/2004] [00:12 14/04/2008] E12A7DF6EFB606316DBC801C473F1FE7

 

-= EOF =-

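The diagnostic step behind the SystemLook request above is a hash comparison: the copy of winlogon.exe and explorer.exe that Windows actually loads (J:\WINDOWS, J:\WINDOWS\system32) is checked against the pristine copy the service pack left in ServicePackFiles\i386, while the pre-SP copy in $NtServicePackUninstall$ and unrelated third-party files with the same name are set aside. The Sigcheck section of the ComboFix log earlier in this thread lists the same three kinds of copies with MD5s, so the same comparison applies there. The script below is an added example written for this thread, not SystemLook's own code or anything the helper posted; it parses the filefind lines in the layout shown in the log above (the sample input is that log, constructed inline), and the function and field names are the example's own.

```python
"""Compare live Windows system binaries with their Service Pack reference copies
in a SystemLook ':filefind' log.  Added example for this thread; the parser is
written against the line layout visible in the posted log and the function and
field names are this example's own, not SystemLook's."""
from __future__ import annotations

import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Constructed sample input: the filefind results exactly as posted in this thread.
SAMPLE_LOG = r"""
Searching for "explorer.exe"
J:\WINDOWS\explorer.exe --a---- 1058816 bytes [12:00 04/08/2004] [00:12 14/04/2008] 86B13BD2DAC4D331B0B6406E632AB086
J:\WINDOWS\$NtServicePackUninstall$\explorer.exe -----c- 1032192 bytes [19:48 01/12/2009] [12:00 04/08/2004] A0732187050030AE399B241436565E64
J:\WINDOWS\ServicePackFiles\i386\explorer.exe ------- 1033728 bytes [00:12 14/04/2008] [00:12 14/04/2008] 12896823FB95BFB3DC9B46BCAEDC9923

Searching for "winlogon.exe"
J:\Program Files\Malwarebytes' Anti-Malware\Chameleon\winlogon.exe --a---- 199240 bytes [03:14 10/04/2012] [19:56 04/04/2012] 097D0E812D7A9A3101CE46CB2BE0474D
J:\WINDOWS\$NtServicePackUninstall$\winlogon.exe -----c- 502272 bytes [19:48 01/12/2009] [12:00 04/08/2004] 01C3346C241652F43AED8E2149881BFE
J:\WINDOWS\ServicePackFiles\i386\winlogon.exe ------- 507904 bytes [00:12 14/04/2008] [00:12 14/04/2008] ED0EF0A136DEC83DF69F04118870003E
J:\WINDOWS\system32\winlogon.exe --a---- 545280 bytes [12:00 04/08/2004] [00:12 14/04/2008] E12A7DF6EFB606316DBC801C473F1FE7

-= EOF =-
"""

# One result line: <path> <7 attribute flags> <size> bytes [created] [modified] <MD5>
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?P<attrs>[-a-z]{7}) (?P<size>\d+) bytes "
    r"\[(?P<created>[^\]]+)\] \[(?P<modified>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})$"
)


@dataclass
class Copy:
    path: str
    size: int
    md5: str

    @property
    def name(self) -> str:
        return PureWindowsPath(self.path).name.lower()


def classify(path: str) -> str:
    """Where a copy lives decides how it takes part in the comparison."""
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    parent = parts[:-1]               # directory components, drive anchor first
    if parent[-2:] == ["servicepackfiles", "i386"]:
        return "reference"            # pristine copy laid down by the service pack
    if "$ntservicepackuninstall$" in parent:
        return "backup"               # pre-service-pack copy; expected to differ
    if parent[1:] in (["windows"], ["windows", "system32"]):
        return "live"                 # the copy Windows actually loads
    return "other"                    # third-party files that share the name


def parse_filefind(text: str) -> list[Copy]:
    """Extract every result line; headers, blank lines and the EOF marker are skipped."""
    copies = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            copies.append(Copy(m["path"], int(m["size"]), m["md5"].upper()))
    return copies


def compare(copies: list[Copy]) -> dict[str, dict]:
    """Per file name, compare the live copy's MD5 with the service pack reference."""
    by_name: dict[str, list[Copy]] = {}
    for c in copies:
        by_name.setdefault(c.name, []).append(c)

    report: dict[str, dict] = {}
    for name, group in by_name.items():
        refs = [c for c in group if classify(c.path) == "reference"]
        live = [c for c in group if classify(c.path) == "live"]
        if not refs or not live:
            report[name] = {"status": "no_reference" if not refs else "no_live_copy"}
            continue
        ref, cur = refs[0], live[0]
        report[name] = {
            "status": "match" if cur.md5 == ref.md5 else "MISMATCH",
            "live_path": cur.path, "live_size": cur.size, "live_md5": cur.md5,
            "reference_path": ref.path, "reference_size": ref.size, "reference_md5": ref.md5,
        }
    return report


def analyze(text: str) -> dict[str, dict]:
    return compare(parse_filefind(text))


if __name__ == "__main__":
    for name, r in analyze(SAMPLE_LOG).items():
        print(f"{name}: {r['status']}")
        if r["status"] == "MISMATCH":
            print(f"  live      {r['live_size']:>8} bytes  {r['live_md5']}  {r['live_path']}")
            print(f"  reference {r['reference_size']:>8} bytes  {r['reference_md5']}  {r['reference_path']}")
```

Run against the posted log, both files come out as MISMATCH, and the live copies are also larger than the reference (545280 vs 507904 bytes for winlogon.exe, 1058816 vs 1033728 for explorer.exe), which is consistent with what ComboFix later reported when it found and disinfected the system32 copies and restored them from ServicePackFiles\i386. A differing hash on its own is not proof of infection: post-service-pack hotfixes legitimately replace system files (the Sigcheck section lists several tcpip.sys versions under $hf_mig$ KB folders), so a mismatch is a reason to check the file's version resource and vendor hash before it is replaced, which is what the helper did here by naming the exact reference copy to restore.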

Hello casualuser. :)

 

Please reboot to Safe Mode (tap the F8 key just before Windows starts to load and select the Safe Mode option from the menu).

 

Please go to Start>Run>write cmd and click OK...

 

In the command prompt write (or copy and right-click paste):

 

copy J:\WINDOWS\ServicePackFiles\i386\explorer.exe c:\explorer.exe

copy J:\WINDOWS\ServicePackFiles\i386\winlogon.exe c:\winlogon.exe

 

Then click Enter.

 

Close the command prompt and ensure these files have been created:

 

J:\winlogon.exe

J:\explorer.exe

 

If yes, please start the Recovery Console.

 

Once in the Recovery Console, please execute the following commands (watch the spaces) in bold - click Enter after every one of them:

 

ren J:\windows\system32\winlogon.exe c:\windows\system32\winlogon.old

copy J:\winlogon.exe c:\windows\system32\winlogon.exe

ren J:\windows\explorer.exe c:\windows\explorer.old

copy J:\explorer.exe c:\windows\explorer.exe

exit

 

It should reboot automatically - boot into Normal Mode... If these commands were executed properly, the infection should be removed now.

 

Then, please restart into Normal Mode and re-run ComboFix and post its new log in your next reply. :thumbup:


Ok, I got it. Your parameters were a little off on renaming the files in the recovery console but I figured it out. Below are the Combofix log and the MBRcheck log. Still no IP address though. And still get the "Windows No Disk" Error message "Exception Processing Message c0000013 Parameters 75b6bf7c 4 75b6bf7c 75b6bf7c" Cancel/Try Again/Continue.

 

ComboFix 12-04-14.02 - Mark Smith 04/15/2012 21:13:48.2.2 - x86

Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1673 [GMT -4:00]

Running from: j:\documents and settings\Mark Smith\Desktop\ComboFix.exe

FW: ActiveArmor Firewall *Disabled* {EDC10449-64D1-46c7-A59A-EC20D662F26D}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

J:\explorer.exe

j:\windows\expl.dat

j:\windows\system32\winl.dat

J:\winlogon.exe

.

Infected copy of j:\windows\system32\winlogon.exe was found and disinfected

Restored copy from - j:\windows\ServicePackFiles\i386\winlogon.exe

.

Infected copy of j:\windows\system32\svchost.exe was found and disinfected

Restored copy from - j:\windows\ServicePackFiles\i386\svchost.exe

.

Infected copy of j:\windows\explorer.exe was found and disinfected

Restored copy from - j:\system volume information\_restore{D3585242-2B71-46BC-A0A7-18A664EF8331}\RP6\A0013753.exe

.

Infected copy of j:\windows\system32\svchost.exe was found and disinfected

Restored copy from - j:\windows\ServicePackFiles\i386\svchost.exe

.

((((((((((((((((((((((((( Files Created from 2012-03-16 to 2012-04-16 )))))))))))))))))))))))))))))))

.

.

2012-04-15 23:42 . 2008-04-14 00:12 507904 ----a-w- j:\windows\system32\winlogon.exe

2012-04-15 23:42 . 2012-04-15 23:36 1033728 ----a-w- j:\windows\explorer.exe

2012-04-10 03:14 . 2012-04-04 19:56 22344 ----a-w- j:\windows\system32\drivers\mbam.sys

2012-04-10 02:51 . 2012-04-10 02:51 -------- d-sh--w- j:\windows\system32\config\systemprofile\PrivacIE

2012-04-10 02:50 . 2012-04-10 02:50 -------- d-sh--w- j:\windows\system32\config\systemprofile\IETldCache

2012-04-10 02:44 . 2012-04-10 02:44 -------- d-----w- j:\windows\system32\wbem\Repository

2012-03-23 13:53 . 2008-04-13 23:11 21504 ----a-w- j:\windows\system32\drivers\hidserv.dll

2012-03-22 19:12 . 2012-03-22 19:12 4435968 ----a-w- j:\windows\system32\GPhotos.scr

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-03-23 13:53 . 2011-12-29 15:52 16400 ----a-w- j:\windows\system32\drivers\LNonPnP.sys

.

.

((((((((((((((((((((((((((((( SnapShot@2012-04-14_15.00.55 )))))))))))))))))))))))))))))))))))))))))

.

+ 2012-04-15 05:34 . 2012-04-15 05:34 16384 j:\windows\Temp\Perflib_Perfdata_53c.dat

+ 2012-04-16 01:20 . 2012-04-16 01:20 16384 j:\windows\Temp\Perflib_Perfdata_538.dat

+ 2004-08-04 12:00 . 2008-04-14 00:12 14336 j:\windows\system32\svchost.exe

+ 2012-04-16 01:17 . 2012-04-16 01:17 14336 j:\windows\system32\svch.dat

- 2004-08-04 12:00 . 2012-03-15 14:09 68638 j:\windows\system32\perfc009.dat

+ 2004-08-04 12:00 . 2012-04-14 15:06 68638 j:\windows\system32\perfc009.dat

+ 2004-08-04 12:00 . 2012-04-14 15:06 435742 j:\windows\system32\perfh009.dat

- 2004-08-04 12:00 . 2012-03-15 14:09 435742 j:\windows\system32\perfh009.dat

- 2008-04-14 00:12 . 2008-04-14 00:12 1033728 j:\windows\ServicePackFiles\i386\explorer.exe

+ 2008-04-14 00:12 . 2012-04-15 23:36 1033728 j:\windows\ServicePackFiles\i386\explorer.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"StartCCC"="j:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]

"OpwareSE2"="j:\program files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 49152]

"MediaFace Integration"="j:\program files\Fellowes\MediaFACE 4.2\SetHook.exe" [2005-03-28 53248]

"nTrayFw"="j:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe" [2005-12-21 270336]

"SoundMan"="SOUNDMAN.EXE" [2007-04-16 577536]

"QuickTime Task"="j:\program files\QuickTime\qttask.exe" [2010-11-29 421888]

"EvtMgr6"="j:\program files\Logitech\SetPointP\SetPoint.exe" [2011-10-07 1387288]

"Adobe Reader Speed Launcher"="j:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-01-04 37296]

"Adobe ARM"="j:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]

"APSDaemon"="j:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240]

"iTunesHelper"="j:\program files\iTunes\iTunesHelper.exe" [2012-01-16 421736]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"RunNarrator"="Narrator.exe" [2008-04-14 53760]

.

j:\documents and settings\All Users\Start Menu\Programs\Startup\

HP Digital Imaging Monitor.lnk - j:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]

Microsoft Office.lnk - j:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]

2011-09-27 19:03 66328 ----a-w- j:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"WZCSVC"=2 (0x2)

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

"DisableNotifications"= 1 (0x1)

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"j:\\Program Files\\NVIDIA Corporation\\NetworkAccessManager\\Apache Group\\Apache2\\bin\\Apache.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"j:\\WINDOWS\\system32\\dpvsetup.exe"=

"j:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=

"j:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"j:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"j:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"j:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"j:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"j:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"j:\\Program Files\\HP\\Digital Imaging\\bin\\hpqcopy2.exe"=

"j:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"j:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"j:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=

"j:\\Program Files\\Common Files\\HP\\Digital Imaging\\bin\\hpqPhotoCrm.exe"=

"j:\\Program Files\\HP\\Digital Imaging\\bin\\hpqsudi.exe"=

"j:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpsapp.exe"=

"j:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxs08.exe"=

"j:\\Program Files\\HP\\Digital Imaging\\bin\\hpqfxt08.exe"=

"j:\\Program Files\\HP\\Digital Imaging\\bin\\hpqpse.exe"=

"j:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgplgtupl.exe"=

"j:\\Program Files\\HP\\Digital Imaging\\bin\\hpqgpc01.exe"=

"j:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgm.exe"=

"j:\\Program Files\\HP\\Digital Imaging\\bin\\hpqusgh.exe"=

"j:\\Program Files\\HP\\HP Software Update\\HPWUCli.exe"=

"j:\\Program Files\\HP\\Digital Imaging\\Smart Web Printing\\SmartWebPrintExe.exe"=

"j:\\WINDOWS\\system32\\sessmgr.exe"=

"j:\\Program Files\\Microsoft Office\\Office14\\ONENOTE.EXE"=

"j:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE"=

"j:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=

"j:\\Program Files\\BitComet\\BitComet.exe"=

"j:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"j:\\Program Files\\iTunes\\iTunes.exe"=

"j:\\WINDOWS\\system32\\mmc.exe"=

.

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"21936:TCP"= 21936:TCP:BitComet 21936 TCP

"21936:UDP"= 21936:UDP:BitComet 21936 UDP

.

R1 eusk2par;EUTRON SmartKey Parallel Driver;j:\windows\system32\drivers\eusk2par.sys [10/9/2009 11:03 PM 24786]

R2 AdobeActiveFileMonitor8.0;Adobe Active File Monitor V8;j:\program files\Adobe\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe [9/6/2009 7:06 AM 169312]

R2 LBeepKE;Logitech Beep Suppression Driver;j:\windows\system32\drivers\LBeepKE.sys [12/29/2011 11:51 AM 12184]

R3 LEqdUsb;Logitech SetPoint Unifying KMDF USB Filter;j:\windows\system32\drivers\LEqdUsb.sys [9/2/2011 2:31 AM 42648]

R3 LHidEqd;Logitech SetPoint Unifying KMDF HID Filter;j:\windows\system32\drivers\LHidEqd.sys [9/2/2011 2:31 AM 12184]

S3 eusk3usb;SmartKey 3 USB;j:\windows\system32\drivers\eusk3usb.sys [10/9/2009 11:03 PM 45534]

S3 osppsvc;Office Software Protection Platform;j:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [1/9/2010 10:37 PM 4640000]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

NetPipeActivator

bcoreusb

Sk9920nt

.

Contents of the 'Scheduled Tasks' folder

.

2011-12-23 j:\windows\Tasks\AppleSoftwareUpdate.job

- j:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 16:34]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.nascar.com/

uDefault_Search_URL = hxxp://www.google.com/ie

uInternet Settings,ProxyOverride = *.local

uSearchAssistant = hxxp://www.google.com/ie

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: Add to Google Photos Screensa&ver - j:\windows\system32\GPhotos.scr/200

IE: E&xport to Microsoft Excel - j:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000

IE: Se&nd to OneNote - j:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105

TCP: DhcpNameServer = 192.168.2.1

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2012-04-15 21:21

Windows 5.1.2600 Service Pack 3 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net

Windows 5.1.2600 Disk: USB2.0__ rev.0.0> -> Harddisk1\DR2 -> \Device\0000007a

.

device: opened successfully

user: error reading MBR

kernel: MBR read successfully

user != kernel MBR !!!

.

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]

@Denied: (2) (LocalSystem)

"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,e6,70,d8,2d,6f,7b,58,4b,b6,c2,c2,\

"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,e6,70,d8,2d,6f,7b,58,4b,b6,c2,c2,\

.

[HKEY_USERS\S-1-5-21-746137067-602609370-839522115-1004\Software\Microsoft\SystemCertificates\AddressBook*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'winlogon.exe'(372)

j:\windows\system32\Ati2evxx.dll

j:\program files\common files\logishrd\bluetooth\LBTWlgn.dll

.

- - - - - - - > 'explorer.exe'(2236)

j:\windows\system32\WININET.dll

j:\program files\ScanSoft\OmniPageSE2.0\ophookSE2.dll

j:\windows\system32\ieframe.dll

j:\windows\system32\webcheck.dll

j:\windows\system32\WPDShServiceObj.dll

j:\windows\system32\PortableDeviceTypes.dll

j:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

j:\windows\system32\Ati2evxx.exe

j:\windows\system32\Ati2evxx.exe

j:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

j:\program files\Bonjour\mDNSResponder.exe

j:\program files\Java\jre6\bin\jqs.exe

j:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe

j:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe

j:\program files\CyberLink\Shared Files\RichVideo.exe

j:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe

j:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE

j:\windows\SOUNDMAN.EXE

j:\program files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE

j:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe

j:\program files\iPod\bin\iPodService.exe

j:\program files\HP\Digital Imaging\bin\hpqSTE08.exe

j:\program files\HP\Digital Imaging\bin\hpqbam08.exe

j:\program files\HP\Digital Imaging\bin\hpqgpc01.exe

.

**************************************************************************

.

Completion time: 2012-04-15 21:23:12 - machine was rebooted

ComboFix-quarantined-files.txt 2012-04-16 01:23

ComboFix2.txt 2012-04-14 15:07

.

Pre-Run: 870,143,479,808 bytes free

Post-Run: 870,137,049,088 bytes free

.

- - End Of File - - BF19EB1EFC97B670C4396554173DE453

 

 

 

MBRCheck, version 1.2.3

© 2010, AD

 

Command-line:

Windows Version: Windows XP Home Edition

Windows Information: Service Pack 3 (build 2600)

Logical Drives Mask: 0x000013ec

 

Kernel Drivers (total 132):

0x804D7000 \WINDOWS\system32\ntkrnlpa.exe

0x806E5000 \WINDOWS\system32\hal.dll

0xBA5A8000 \WINDOWS\system32\KDCOM.DLL

0xBA4B8000 \WINDOWS\system32\BOOTVID.dll

0xB9F79000 ACPI.sys

0xBA5AA000 \WINDOWS\system32\DRIVERS\WMILIB.SYS

0xB9F68000 pci.sys

0xBA0A8000 isapnp.sys

0xBA0B8000 ohci1394.sys

0xBA0C8000 \WINDOWS\system32\DRIVERS\1394BUS.SYS

0xBA670000 pciide.sys

0xBA328000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS

0xBA0D8000 MountMgr.sys

0xB9F49000 ftdisk.sys

0xBA330000 PartMgr.sys

0xBA0E8000 VolSnap.sys

0xB9F31000 atapi.sys

0xBA0F8000 disk.sys

0xBA108000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS

0xB9F11000 fltmgr.sys

0xB9EFF000 sr.sys

0xBA118000 PxHelp20.sys

0xB9EE8000 KSecDD.sys

0xB9E5B000 Ntfs.sys

0xB9E2E000 NDIS.sys

0xB9E14000 Mup.sys

0xBA188000 \SystemRoot\system32\DRIVERS\processr.sys

0xBA430000 \SystemRoot\system32\DRIVERS\usbohci.sys

0xB9D92000 \SystemRoot\system32\DRIVERS\USBPORT.SYS

0xBA438000 \SystemRoot\system32\DRIVERS\usbehci.sys

0xB99A3000 \SystemRoot\system32\drivers\ALCXWDM.SYS

0xB997F000 \SystemRoot\system32\drivers\portcls.sys

0xBA198000 \SystemRoot\system32\drivers\drmk.sys

0xB995C000 \SystemRoot\system32\drivers\ks.sys

0xBA1A8000 \SystemRoot\system32\DRIVERS\imapi.sys

0xBA1B8000 \SystemRoot\system32\DRIVERS\cdrom.sys

0xBA1C8000 \SystemRoot\system32\DRIVERS\redbook.sys

0xBA440000 \SystemRoot\System32\Drivers\GEARAspiWDM.sys

0xB9920000 \SystemRoot\system32\DRIVERS\RT2500.sys

0xBA580000 \SystemRoot\system32\DRIVERS\nvnetbus.sys

0xB98D5000 \SystemRoot\system32\DRIVERS\NVNRM.SYS

0xB989E000 \SystemRoot\system32\DRIVERS\NVSNPU.SYS

0xB9639000 \SystemRoot\system32\DRIVERS\ati2mtag.sys

0xB9625000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS

0xB95FD000 \SystemRoot\system32\DRIVERS\HDAudBus.sys

0xBA1E8000 \SystemRoot\system32\DRIVERS\serial.sys

0xBA584000 \SystemRoot\system32\DRIVERS\serenum.sys

0xB95E9000 \SystemRoot\system32\DRIVERS\parport.sys

0xBA7FD000 \SystemRoot\system32\drivers\msmpu401.sys

0xBA588000 \SystemRoot\system32\DRIVERS\gameenum.sys

0xBA7FE000 \SystemRoot\system32\DRIVERS\audstub.sys

0xBA1F8000 \SystemRoot\system32\DRIVERS\rasl2tp.sys

0xBA58C000 \SystemRoot\system32\DRIVERS\ndistapi.sys

0xB95D2000 \SystemRoot\system32\DRIVERS\ndiswan.sys

0xBA208000 \SystemRoot\system32\DRIVERS\raspppoe.sys

0xBA218000 \SystemRoot\system32\DRIVERS\raspptp.sys

0xBA448000 \SystemRoot\system32\DRIVERS\TDI.SYS

0xB9599000 \SystemRoot\system32\DRIVERS\psched.sys

0xBA228000 \SystemRoot\system32\DRIVERS\msgpc.sys

0xBA450000 \SystemRoot\system32\DRIVERS\ptilink.sys

0xBA458000 \SystemRoot\system32\DRIVERS\raspti.sys

0xBA238000 \SystemRoot\system32\DRIVERS\termdd.sys

0xBA460000 \SystemRoot\system32\DRIVERS\kbdclass.sys

0xBA468000 \SystemRoot\system32\DRIVERS\mouclass.sys

0xBA5D0000 \SystemRoot\system32\DRIVERS\swenum.sys

0xB949B000 \SystemRoot\system32\DRIVERS\update.sys

0xBA59C000 \SystemRoot\system32\DRIVERS\mssmbios.sys

0xBA248000 \SystemRoot\system32\DRIVERS\usbhub.sys

0xBA5D2000 \SystemRoot\system32\DRIVERS\USBD.SYS

0xBA258000 \SystemRoot\System32\Drivers\NDProxy.SYS

0xAC6A0000 \SystemRoot\system32\drivers\AtiHdmi.sys

0xBA5D8000 \SystemRoot\System32\Drivers\Fs_Rec.SYS

0xBA706000 \SystemRoot\System32\Drivers\Null.SYS

0xBA5DA000 \SystemRoot\System32\Drivers\Beep.SYS

0xBA488000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS

0xBA490000 \SystemRoot\System32\drivers\vga.sys

0xBA5DC000 \SystemRoot\System32\Drivers\mnmdd.SYS

0xBA5DE000 \SystemRoot\System32\DRIVERS\RDPCDD.sys

0xBA498000 \SystemRoot\System32\Drivers\Msfs.SYS

0xBA4A0000 \SystemRoot\System32\Drivers\Npfs.SYS

0xBA558000 \SystemRoot\system32\DRIVERS\rasacd.sys

0xAC645000 \SystemRoot\system32\DRIVERS\ipsec.sys

0xAC5EC000 \SystemRoot\system32\DRIVERS\tcpip.sys

0xBA564000 \SystemRoot\System32\drivers\ws2ifsl.sys

0xAC5C6000 \SystemRoot\system32\DRIVERS\ipnat.sys

0xAC5A4000 \SystemRoot\System32\drivers\afd.sys

0xBA2A8000 \SystemRoot\system32\DRIVERS\wanarp.sys

0xBA2B8000 \SystemRoot\system32\DRIVERS\netbios.sys

0xAC579000 \SystemRoot\system32\DRIVERS\rdbss.sys

0xAC509000 \SystemRoot\system32\DRIVERS\mrxsmb.sys

0xBA2C8000 \SystemRoot\System32\Drivers\Fips.SYS

0xBA4A8000 \SystemRoot\system32\DRIVERS\usbccgp.sys

0xBA57C000 \SystemRoot\system32\drivers\iMON_PAD.sys

0xBA4B0000 \??\J:\WINDOWS\system32\Drivers\eusk2par.sys

0xBA340000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS

0xB95BA000 \SystemRoot\system32\DRIVERS\hidusb.sys

0xBA2E8000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS

0xBA2F8000 \SystemRoot\System32\Drivers\LEqdUsb.Sys

0xBA308000 \SystemRoot\System32\Drivers\WDFLDR.SYS

0xAC3D0000 \SystemRoot\System32\Drivers\wdf01000.sys

0xB95B2000 \SystemRoot\system32\DRIVERS\kbdhid.sys

0xB95AA000 \SystemRoot\system32\DRIVERS\mouhid.sys

0xBA6B9000 \SystemRoot\System32\Drivers\LHidEqd.Sys

0xB9569000 \SystemRoot\System32\Drivers\Cdfs.SYS

0xBA380000 \SystemRoot\system32\DRIVERS\LHidFilt.Sys

0xBA388000 \SystemRoot\system32\DRIVERS\LMouFilt.Sys

0xAC3B8000 \SystemRoot\System32\Drivers\dump_atapi.sys

0xBA5E6000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS

0xBF800000 \SystemRoot\System32\win32k.sys

0xB8739000 \SystemRoot\System32\drivers\Dxapi.sys

0xBA398000 \SystemRoot\System32\watchdog.sys

0xBF000000 \SystemRoot\System32\drivers\dxg.sys

0xBA787000 \SystemRoot\System32\drivers\dxgthk.sys

0xBF012000 \SystemRoot\System32\ati2dvag.dll

0xBF058000 \SystemRoot\System32\ati2cqag.dll

0xBF0B4000 \SystemRoot\System32\atikvmag.dll

0xBF105000 \SystemRoot\System32\atiok3x2.dll

0xBF130000 \SystemRoot\System32\ati3duag.dll

0xBF3FF000 \SystemRoot\System32\ativvaxx.dll

0xBF573000 \SystemRoot\System32\ATMFD.DLL

0xBA3E8000 \SystemRoot\system32\DRIVERS\AegisP.sys

0xAA09F000 \SystemRoot\system32\DRIVERS\ndisuio.sys

0xA9E0A000 \SystemRoot\system32\DRIVERS\mrxdav.sys

0xBA60C000 \SystemRoot\System32\Drivers\ParVdm.SYS

0xA9D1E000 \SystemRoot\System32\Drivers\Fastfat.SYS

0xBA745000 \SystemRoot\System32\Drivers\LBeepKE.sys

0xA9B86000 \SystemRoot\system32\DRIVERS\srv.sys

0xA98C9000 \SystemRoot\system32\drivers\wdmaud.sys

0xA9DBA000 \SystemRoot\system32\drivers\sysaudio.sys

0xA9130000 \SystemRoot\System32\Drivers\HTTP.sys

0xA8D1D000 \SystemRoot\system32\drivers\kmixer.sys

0x7C900000 \WINDOWS\system32\ntdll.dll

 

Processes (total 48):

0 System Idle Process

4 System

292 J:\WINDOWS\system32\smss.exe

340 csrss.exe

368 J:\WINDOWS\system32\winlogon.exe

412 J:\WINDOWS\system32\services.exe

424 J:\WINDOWS\system32\lsass.exe

584 J:\WINDOWS\system32\ati2evxx.exe

604 J:\WINDOWS\system32\svchost.exe

652 svchost.exe

700 J:\WINDOWS\system32\svchost.exe

748 svchost.exe

852 J:\WINDOWS\system32\ati2evxx.exe

948 J:\WINDOWS\system32\spoolsv.exe

1036 svchost.exe

1068 J:\Program Files\Adobe\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe

1120 J:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

1212 J:\Program Files\Bonjour\mDNSResponder.exe

1292 J:\WINDOWS\system32\svchost.exe

1340 J:\Program Files\Java\jre6\bin\jqs.exe

1396 J:\WINDOWS\system32\svchost.exe

1420 J:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe

1452 J:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe

1500 J:\WINDOWS\system32\svchost.exe

1528 J:\Program Files\CyberLink\Shared Files\RichVideo.exe

1588 J:\WINDOWS\system32\svchost.exe

1648 J:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe

164 J:\WINDOWS\explorer.exe

744 J:\Program Files\ScanSoft\OmniPageSE2.0\opwareSE2.exe

808 J:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

892 J:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe

1008 J:\WINDOWS\soundman.exe

1148 J:\Program Files\Logitech\SetPointP\SetPoint.exe

1172 J:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe

1144 J:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

1204 J:\Program Files\iTunes\iTunesHelper.exe

1388 J:\WINDOWS\system32\ctfmon.exe

1948 wmiprvse.exe

1920 J:\Program Files\Common Files\Logishrd\KHAL3\KHALMNPR.exe

2120 J:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe

2820 wmiprvse.exe

2916 svchost.exe

3040 J:\Program Files\iPod\bin\iPodService.exe

3292 alg.exe

3384 J:\Program Files\HP\Digital Imaging\bin\hpqste08.exe

3420 J:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe

3452 J:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe

3664 J:\Documents and Settings\Mark Smith\Desktop\MBRCheck.exe

 

\\.\J: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)

 

PhysicalDrive0 Model Number: ST31000528AS, Rev: CC34

 

Size Device Name MBR Status

--------------------------------------------

931 GB \\.\PhysicalDrive0 Windows XP MBR code detected

SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A

 

 

Done!


Hey casualuser. :)

 

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps.

 

Please follow these instructions to remove the remaining malicious entries:

 

  • Please close any open browsers.
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Open Notepad and copy/paste the text in the quotebox below into it:
     
    Please Note: Do NOT use any other text editor than Notepad or the CFScript will fail.
     

    killall::
     
    DDS::
    uInternet Settings,ProxyOverride = *.local
     
    RegLock::
    [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
    @Denied: (2) (LocalSystem)
    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,e6,70,d8,2d,6f,7b,58,4b,b6,c2,c2,\
    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,e6,70,d8,2d,6f,7b,58,4b,b6,c2,c2,\
     
     
  • Save this as CFScript.txt, in the same location as ComboFix.exe.
     
    CFScriptB-4.gif
     
  • Referring to the picture above, drag CFScript into ComboFix.exe.
  • When finished, it shall produce a log for you at C:\ComboFix.txt.

 

Please post the ComboFix.txt in your next reply.

==========

 

  • Then, please download MBRScan and save it to your Desktop.
  • Double-click on MBRScan.exe and click the Report button. (Vista and Windows 7 users, right-click on MBRScan and then click on Run as administrator).
  • Please don't use the computer while the scan is running. The computer may not respond until the scan is done. Please be patient and don't force a restart of the computer.
  • When the scan is finished, a log file will appear.
  • Save that log file to your Desktop and post its content in your next reply.

==========

 

In your next reply please post the following:

  • ComboFix.txt.
  • MBRScan log.


Got the same blue screen error message as before when running ComboFix: "IRQL_NOT_LESS_OR_EQUAL". Technical information: "Stop: 0x0000000A (0x0000FFDF,0X00000002,0X00000001,0X806E7A8E) Beginning Dump Physical Memory..."


Hey casualuser. :)

 

OK. Something is keeping the rootkit alive.

 

For the following steps please make sure you are in Safe Mode.

 

 

Please download GMER from one of the following locations and save it to your Desktop:

  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your Desktop.

  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with GMER's driver.
  • Double-click on the randomly named GMER file (e.g. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
     
    gmer_zip.gif
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress).
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, firewall and any other security programs you had disabled.

-- If you encounter any problems, try running GMER in Safe Mode.

-- If GMER crashes or keeps resulting in BSODs, uncheck Devices on the right side before scanning.

===========

 

  • Next, please download MBRScan and save it to your Desktop.
  • Double-click on MBRScan.exe and click the Report button. (Vista and Windows 7 users, right-click on MBRScan and then click on Run as administrator).
  • Please don't use the computer while the scan is running. The computer may not respond until the scan is done. Please be patient and don't force a restart of the computer.
  • When the scan is finished, a log file will appear.
  • Save that log file to your Desktop and post its content in your next reply.

===========

 

Finally, please delete your current copy of ComboFix. Then, please follow these instructions to run ComboFix.exe. Please visit this webpage for download links and instructions for running this tool:

 

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

 

* Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix (CF).

 

Please go here to see a list of programs that need to be disabled.

 

**Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall.**

 

**Note 2: If you get a message saying "Illegal operation attempted on a registry key that has been marked for deletion", please restart your computer.**

 

Please include the C:\ComboFix.txt in your next reply for further review.

==========

 

In your next post please provide the following:

  • Log from GMER.
  • MBRScan log.
  • ComboFix.txt.

How is your computer running now?


I ran GMER and MBRScan; the logs are below. But ComboFix still hangs. It gives me one popup message that Rootkit Zero Access has inserted itself into my TCP/IP stack. I click OK and a few minutes later it gives me another message that a rootkit was detected, please be patient. I click OK, and it never progresses from there.

 

GMER 1.0.15.15641 - http://www.gmer.net

Rootkit scan 2012-04-16 12:30:40

Windows 5.1.2600 Service Pack 3

Running: p5vd6op3.exe; Driver: J:\DOCUME~1\MARKSM~1\LOCALS~1\Temp\uxtdypod.sys

 

 

---- Kernel code sections - GMER 1.0.15 ----

 

init J:\WINDOWS\system32\drivers\iMON_PAD.sys entry point in "init" section [0xBA7BDCC0]

 

---- Registry - GMER 1.0.15 ----

 

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@RequireSignedAppInit_DLLs 1

 

---- Disk sectors - GMER 1.0.15 ----

 

Disk \Device\Harddisk1\DR2 sector 00: rootkit-like behavior

 

---- EOF - GMER 1.0.15 ----

 

MBRScan v1.1.1

OS             : Windows XP Home Service Pack 3 (32 bit)
PROCESSOR      : x86 Family 15 Model 35 Stepping 2, AuthenticAMD
BOOT           : Safe Boot
DATE           : 2012/04/16 (ISO 8601) at 12:32:48
________________________________________________________________________________

DISK           : Device\Harddisk0\DR0 __ST31000528AS (Ì4)
BUS_TYPE       : (0x03)  P-ATA
USE_PIO        : YES
MAX_TRANSFER   : 128 Kb
ALIGNMENT_MASK : word aligned
________________________________________________________________________________

DISK           : Device\Harddisk5\DR14 __JetFlash Transcend 8GB (8.07)
BUS_TYPE       : (0x07)  USB
USE_PIO        : NO
MAX_TRANSFER   : 64 Kb
ALIGNMENT_MASK : byte aligned
________________________________________________________________________________

Device\Harddisk0\DR0	931.5 Go  [Fixed] ==> XP MBR Code

MBR_MD5   : 45E23835597B6A0B4128DFB9747AFDA0
MBR_SHA1  : 12812A7D6E029EEEB3A201A37C5EBDFC73B1A283

Device\Harddisk0\Partition1	931.5 Go  	0x07 NTFS / HPFS __ BOOTABLE __
________________________________________________________________________________

Device\Harddisk5\DR14	7.48 Go  [Removable] ==> Unknown MBR Code

MBR_MD5   : 977E55D9969DCE8C190369CAE6AE7C44
MBR_SHA1  : 22F836B72E4AC84C7CE82712C9E123FA3AB7B7AA

Device\Harddisk5\Partition1	7.48 Go
________________________________________________________________________________

############################### Additional scan ################################

DRIVER  : J:\WINDOWS\System32\Drivers\dump_atapi.sys => Invisible on the disk
ADDRESS : 0xBA4B5000
SIZE    : 96.0 Ko

DRIVER  : J:\WINDOWS\System32\Drivers\dump_WMILIB.SYS => Invisible on the disk
ADDRESS : 0xF79B7000
SIZE    : 8.0 Ko

DRIVER  : J:\DOCUME~1\MARKSM~1\LOCALS~1\Temp\uxtdypod.sys => Invisible on the disk
ADDRESS : 0xB9CE0000
SIZE    : 100.0 Ko

SystemStartOptions : NOEXECUTE=OPTIN  FASTDETECT SAFEBOOT:MINIMAL SOS BOOTLOG NOGUIBOOT

________________________________________________________________________________

_______MBR   \Device\Harddisk0\DR0  


_______MBR   \Device\Harddisk5\DR14  



Hey casualuser. :)

 

At least we know what we are dealing with now. :thumbup:

 

Please download maxlook, saving the file to your Desktop.

Double-click maxlook.exe to run it. Note: you must run it only once!

As instructed when the tool runs, restart the computer and logon to the Recovery Console.

Execute the following bolded command at the J:\windows> command prompt:

 

batch look.bat

 

 

lookXP.gif

 

You will see 1 file copied many times then return to the x:\windows> prompt.

Type Exit to restart your computer then logon in Normal Mode.

Note: If you are unable to run in Normal Mode please reboot to Safe Mode and run it in this mode instead.

Please run maxlook.exe again now. Note: you must run it only once!

It will produce looklog.txt on the Desktop and open it.

Please post the results here.

==========

 

Finally, please delete your current copy of ComboFix. Then, please follow these instructions to run ComboFix.exe. Please visit this webpage for download links and instructions for running this tool (when you download it please rename it to Commy.exe):

 

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

 

* Ensure you have disabled all antivirus and anti-malware programs so they do not interfere with the running of ComboFix (CF).

 

Please go here to see a list of programs that need to be disabled.

 

**Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall.**

 

**Note 2: If you get a message saying "Illegal operation attempted on a registry key that has been marked for deletion", please restart your computer.**

 

Please include the C:\ComboFix.txt in your next reply for further review.

==========

 

In your next post please provide the following:

  • Log from maxlook.
  • ComboFix.txt.

Edited by The Dark Knight


ComboFix is still freezing up after the second message. Here is the maxlook log.

 

 

Run from J:\Documents and Settings\Mark Smith\Desktop\maxlook.exe on Mon 04/16/2012 at 20:26:16.89

 

No infected file found


Hey casualuser. :)

 

Your logs indicate that a ZeroAccess infection is present on your computer:

 

  • Please download AntiZeroAccess by Webroot to your Desktop.
  • Double-click antizeroaccess.exe to run the program.
  • NOTE: If running Vista or Windows 7, make sure to right-click on it and select Run as an Administrator.

 

webroot-1.png

  • At the black window, type y and then press Enter.
  • Once AntiZeroAccess has finished scanning, a report AntiZeroAccess_Log.txt will be created in the same location as the program.
  • Please post the contents of the report in your next reply. :thumbup:

===========

 

Then, please re-run ComboFix and post its log, along with AntiZeroAccess_Log.txt, in your next reply. :thumbup:


AntiZeroAccess says it is fixed, but ComboFix does the same thing. It gives me the same two messages about Rootkit Zero Access being present and to be patient, and then it never progresses.

 

Webroot AntiZeroAccess 0.8 Log File

Execution time: 17/04/2012 - 09:10

Host operation System: Windows Xp X86 version 5.1.2600 Service Pack 3

09:10:28 - CheckSystem - Begin to check system...

09:10:28 - OpenRootDrive - Opening system root volume and physical drive....

09:10:28 - J Root Drive: Disk number: 0 Start sector: 0x0000003F Partition Size: 0x74701AC1 sectors.

09:10:28 - PrevX Main driver extracted in "J:\WINDOWS\system32\drivers\ZeroAccess.sys".

09:10:28 - InstallAndStartDriver - Main driver was installed and now is running.

09:10:28 - CheckSystem - Disk class driver state is OK.

09:10:31 - StopAndRemoveDriver - AntiZeroAccess Driver is stopped and removed.

09:10:31 - StopAndRemoveDriver - File "ZeroAccess.sys" was deleted!

09:10:31 - Execution Ended!


Hey casualuser. :)

 

Please download the latest version of Kaspersky Virus Removal Tool.

  • Close all other applications and double-click and run the installer.
  • When the Kaspersky Virus Removal Tool starts, to the right of Security Level click Recommended, and select Settings.
  • In the window that opens (Autoscan), in the Scope tab place a checkmark to the left of Parse email formats.
  • Click the Additional tab and click to place a checkmark to the left of Deep scan, and click OK.
  • Select all the scannable items except for CD-ROM drives and click the Start scan button.
    6zvqld.gif
  • If malware is detected, place a checkmark in the Apply to all box, and click the Delete button (or Disinfect if the button is active).
  • After the scan finishes, if any threat remains in the Scan window (Red exclamation point), click the Neutralize all button.
  • In the window that opens, place a checkmark in the Apply to all box, and click the Delete button (or Disinfect if the button is active).
  • If advised that a special disinfection procedure is required which demands system reboot: click the Ok button to close the window.
  • In the Scan window click the Reports button and select Save to file.
  • Name the report AVPT.txt, and save it to the Desktop.
  • Close the AVPTool.
  • You will be prompted if you want to uninstall the program; click Yes.
  • You will then be prompted that to complete the uninstallation, the computer must be restarted. Select Yes to restart the system.
  • Copy and paste the first part of the report (Detected) that you saved in your next reply.

==========

 

Then, please re-run Webroot's AntiZeroAccess and post its new log in your next reply.

==========

 

In your next reply please provide the following:

  • AVP Log.
  • AntiZeroAccess_Log.txt.


I must have downloaded a newer version of AVPT. The instructions didn't match up, and it did not ask me to uninstall or reboot. I also had to save the detected log and the autoscan log separately. But here are the detected part and the AntiZeroAccess logs.

 

Status: Deleted (events: 2)

4/18/2012 2:25:19 AM Deleted Trojan program Trojan.Win32.Menti.nfkz J:\System Volume Information\_restore{D3585242-2B71-46BC-A0A7-18A664EF8331}\RP2\A0000129.exe High

4/18/2012 2:25:27 AM Deleted Trojan program Trojan-Clicker.Win32.Vizita.bee J:\System Volume Information\_restore{D3585242-2B71-46BC-A0A7-18A664EF8331}\RP2\A0000130.dll High

 

 

 

 

 

 

 

Webroot AntiZeroAccess 0.8 Log File

Execution time: 18/04/2012 - 03:23

Host operation System: Windows Xp X86 version 5.1.2600 Service Pack 3

03:23:31 - CheckSystem - Begin to check system...

03:23:31 - OpenRootDrive - Opening system root volume and physical drive....

03:23:31 - J Root Drive: Disk number: 0 Start sector: 0x0000003F Partition Size: 0x74701AC1 sectors.

03:23:31 - PrevX Main driver extracted in "J:\WINDOWS\system32\drivers\ZeroAccess.sys".

03:23:32 - InstallAndStartDriver - Main driver was installed and now is running.

03:23:32 - CheckSystem - Disk class driver state is OK.

03:23:35 - StopAndRemoveDriver - AntiZeroAccess Driver is stopped and removed.

03:23:35 - StopAndRemoveDriver - File "ZeroAccess.sys" was deleted!

03:23:35 - Execution Ended!


Hey casualuser. :)

 

Please run these tools. I think this may be a tougher variant so hopefully we have some luck this time. :thumbup:

 

  • Please download the Rootkit.Sirefef removal tool by BitDefender, and save it to your Desktop.
  • Locate and run the tool.
  • Once it has completed, please reboot your computer.

 

Next, please re-run Webroot's AntiZeroAccess once BitDefender's tool has been run.

==========

 

Then, please re-run TDSSKiller and post its log, along with Webroot's, in your next reply. :thumbup:


That didn't seem to do much. And my "windows no disk" error message is back again.

 

Webroot AntiZeroAccess 0.8 Log File

Execution time: 18/04/2012 - 11:29

Host operation System: Windows Xp X86 version 5.1.2600 Service Pack 3

11:29:18 - CheckSystem - Begin to check system...

11:29:18 - OpenRootDrive - Opening system root volume and physical drive....

11:29:19 - J Root Drive: Disk number: 0 Start sector: 0x0000003F Partition Size: 0x74701AC1 sectors.

11:29:19 - PrevX Main driver extracted in "J:\WINDOWS\system32\drivers\ZeroAccess.sys".

11:29:19 - InstallAndStartDriver - Main driver was installed and now is running.

11:29:19 - CheckSystem - Disk class driver state is OK.

11:29:22 - StopAndRemoveDriver - AntiZeroAccess Driver is stopped and removed.

11:29:22 - StopAndRemoveDriver - File "ZeroAccess.sys" was deleted!

11:29:22 - Execution Ended!

 

11:29:53.0046 2780 TDSS rootkit removing tool 2.7.28.0 Apr 10 2012 16:54:05

11:29:53.0093 2780 ============================================================

11:29:53.0093 2780 Current date / time: 2012/04/18 11:29:53.0093

11:29:53.0093 2780 SystemInfo:

11:29:53.0093 2780

11:29:53.0093 2780 OS Version: 5.1.2600 ServicePack: 3.0

11:29:53.0093 2780 Product type: Workstation

11:29:53.0093 2780 ComputerName: MEDIAPC

11:29:53.0093 2780 UserName: Mark Smith

11:29:53.0093 2780 Windows directory: J:\WINDOWS

11:29:53.0093 2780 System windows directory: J:\WINDOWS

11:29:53.0093 2780 Processor architecture: Intel x86

11:29:53.0093 2780 Number of processors: 2

11:29:53.0093 2780 Page size: 0x1000

11:29:53.0093 2780 Boot type: Normal boot

11:29:53.0093 2780 ============================================================

11:29:54.0343 2780 Drive \Device\Harddisk0\DR0 - Size: 0xE8E0DB6000 (931.51 Gb), SectorSize: 0x200, Cylinders: 0x1DB01, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054

11:29:54.0359 2780 \Device\Harddisk0\DR0:

11:29:54.0359 2780 MBR used

11:29:54.0359 2780 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x74701AC1

11:29:54.0390 2780 Initialize success

11:29:54.0390 2780 ============================================================

11:30:02.0750 1288 ============================================================

11:30:02.0750 1288 Scan started

11:30:02.0750 1288 Mode: Manual;

11:30:02.0750 1288 ============================================================


11:30:06.0171 1288 Fs_Rec - ok

11:30:06.0187 1288 Ftdisk (6ac26732762483366c3969c9e4d2259d) J:\WINDOWS\system32\DRIVERS\ftdisk.sys

11:30:06.0187 1288 Ftdisk - ok

11:30:06.0250 1288 gameenum (065639773d8b03f33577f6cdaea21063) J:\WINDOWS\system32\DRIVERS\gameenum.sys

11:30:06.0250 1288 gameenum - ok

11:30:06.0296 1288 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) J:\WINDOWS\system32\Drivers\GEARAspiWDM.sys

11:30:06.0296 1288 GEARAspiWDM - ok

11:30:06.0343 1288 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) J:\WINDOWS\system32\DRIVERS\msgpc.sys

11:30:06.0343 1288 Gpc - ok

11:30:06.0390 1288 GTNDIS5 (fc80052194d5708254a346568f0e77c0) J:\WINDOWS\system32\GTNDIS5.SYS

11:30:06.0390 1288 GTNDIS5 - ok

11:30:06.0437 1288 gusvc (cc839e8d766cc31a7710c9f38cf3e375) J:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

11:30:06.0437 1288 gusvc - ok

11:30:06.0500 1288 HdAudAddService (56bf27d7a539f9e6bbc1de201aba0edf) J:\WINDOWS\system32\drivers\AtiHdAud.sys

11:30:06.0500 1288 HdAudAddService - ok

11:30:06.0515 1288 HDAudBus (573c7d0a32852b48f3058cfd8026f511) J:\WINDOWS\system32\DRIVERS\HDAudBus.sys

11:30:06.0515 1288 HDAudBus - ok

11:30:06.0546 1288 helpsvc (4fcca060dfe0c51a09dd5c3843888bcd) J:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll

11:30:06.0546 1288 helpsvc - ok

11:30:06.0562 1288 HidServ (deb04da35cc871b6d309b77e1443c796) J:\WINDOWS\System32\hidserv.dll

11:30:06.0562 1288 HidServ - ok

11:30:06.0578 1288 hidusb (ccf82c5ec8a7326c3066de870c06daf1) J:\WINDOWS\system32\DRIVERS\hidusb.sys

11:30:06.0578 1288 hidusb - ok

11:30:06.0609 1288 hkmsvc (8878bd685e490239777bfe51320b88e9) J:\WINDOWS\System32\kmsvc.dll

11:30:06.0609 1288 hkmsvc - ok

11:30:06.0609 1288 hpn - ok

11:30:06.0734 1288 hpqcxs08 (0a3c6aa4a9fc38c20ba4eac2c3351c05) J:\Program Files\HP\Digital Imaging\bin\hpqcxs08.dll

11:30:06.0734 1288 hpqcxs08 - ok

11:30:06.0765 1288 hpqddsvc (df446ba625cc441617843e87798ce048) J:\Program Files\HP\Digital Imaging\bin\hpqddsvc.dll

11:30:06.0765 1288 hpqddsvc - ok

11:30:06.0796 1288 HPZid412 (d03d10f7ded688fecf50f8fbf1ea9b8a) J:\WINDOWS\system32\DRIVERS\HPZid412.sys

11:30:06.0796 1288 HPZid412 - ok

11:30:06.0828 1288 HPZipr12 (89f41658929393487b6b7d13c8528ce3) J:\WINDOWS\system32\DRIVERS\HPZipr12.sys

11:30:06.0828 1288 HPZipr12 - ok

11:30:06.0875 1288 HPZius12 (abcb05ccdbf03000354b9553820e39f8) J:\WINDOWS\system32\DRIVERS\HPZius12.sys

11:30:06.0890 1288 HPZius12 - ok

11:30:06.0937 1288 HTTP (f80a415ef82cd06ffaf0d971528ead38) J:\WINDOWS\system32\Drivers\HTTP.sys

11:30:06.0937 1288 HTTP - ok

11:30:06.0984 1288 HTTPFilter (6100a808600f44d999cebdef8841c7a3) J:\WINDOWS\System32\w3ssl.dll

11:30:06.0984 1288 HTTPFilter - ok

11:30:07.0000 1288 i2omgmt - ok

11:30:07.0015 1288 i2omp - ok

11:30:07.0031 1288 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) J:\WINDOWS\system32\drivers\i8042prt.sys

11:30:07.0031 1288 i8042prt - ok

11:30:07.0078 1288 IDriverT (1cf03c69b49acb70c722df92755c0c8c) J:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

11:30:07.0078 1288 IDriverT - ok

11:30:07.0156 1288 idsvc (c01ac32dc5c03076cfb852cb5da5229c) j:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe

11:30:07.0171 1288 idsvc - ok

11:30:07.0187 1288 Imapi (083a052659f5310dd8b6a6cb05edcf8e) J:\WINDOWS\system32\DRIVERS\imapi.sys

11:30:07.0187 1288 Imapi - ok

11:30:07.0218 1288 ImapiService (30deaf54a9755bb8546168cfe8a6b5e1) J:\WINDOWS\system32\imapi.exe

11:30:07.0218 1288 ImapiService - ok

11:30:07.0234 1288 ini910u - ok

11:30:07.0250 1288 IntelIde - ok

11:30:07.0265 1288 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) J:\WINDOWS\system32\drivers\ip6fw.sys

11:30:07.0265 1288 Ip6Fw - ok

11:30:07.0312 1288 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) J:\WINDOWS\system32\DRIVERS\ipfltdrv.sys

11:30:07.0312 1288 IpFilterDriver - ok

11:30:07.0328 1288 IpInIp (b87ab476dcf76e72010632b5550955f5) J:\WINDOWS\system32\DRIVERS\ipinip.sys

11:30:07.0328 1288 IpInIp - ok

11:30:07.0343 1288 IpNat (cc748ea12c6effde940ee98098bf96bb) J:\WINDOWS\system32\DRIVERS\ipnat.sys

11:30:07.0343 1288 IpNat - ok

11:30:07.0437 1288 iPod Service (49918803b661367023bf325cf602afdc) J:\Program Files\iPod\bin\iPodService.exe

11:30:07.0453 1288 iPod Service - ok

11:30:07.0468 1288 IPSec (23c74d75e36e7158768dd63d92789a91) J:\WINDOWS\system32\DRIVERS\ipsec.sys

11:30:07.0468 1288 IPSec - ok

11:30:07.0468 1288 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) J:\WINDOWS\system32\DRIVERS\irenum.sys

11:30:07.0484 1288 IRENUM - ok

11:30:07.0500 1288 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) J:\WINDOWS\system32\DRIVERS\isapnp.sys

11:30:07.0500 1288 isapnp - ok

11:30:07.0593 1288 JavaQuickStarterService (1834c96fb1f9280bcf6ddfa6de8338bf) J:\Program Files\Java\jre6\bin\jqs.exe

11:30:07.0593 1288 JavaQuickStarterService - ok

11:30:07.0609 1288 Kbdclass (463c1ec80cd17420a542b7f36a36f128) J:\WINDOWS\system32\DRIVERS\kbdclass.sys

11:30:07.0609 1288 Kbdclass - ok

11:30:07.0625 1288 kbdhid (9ef487a186dea361aa06913a75b3fa99) J:\WINDOWS\system32\DRIVERS\kbdhid.sys

11:30:07.0625 1288 kbdhid - ok

11:30:07.0640 1288 kmixer (692bcf44383d056aed41b045a323d378) J:\WINDOWS\system32\drivers\kmixer.sys

11:30:07.0640 1288 kmixer - ok

11:30:07.0671 1288 KSecDD (b467646c54cc746128904e1654c750c1) J:\WINDOWS\system32\drivers\KSecDD.sys

11:30:07.0687 1288 KSecDD - ok

11:30:07.0718 1288 lanmanserver (3a7c3cbe5d96b8ae96ce81f0b22fb527) J:\WINDOWS\System32\srvsvc.dll

11:30:07.0718 1288 lanmanserver - ok

11:30:07.0734 1288 lanmanworkstation (a8888a5327621856c0cec4e385f69309) J:\WINDOWS\System32\wkssvc.dll

11:30:07.0750 1288 lanmanworkstation - ok

11:30:07.0765 1288 LBeepKE (be2dc24d403643a2d1d98f33c7087b38) J:\WINDOWS\system32\Drivers\LBeepKE.sys

11:30:07.0765 1288 LBeepKE - ok

11:30:07.0781 1288 lbrtfdc - ok

11:30:07.0828 1288 LBTServ (910344e2a984010435ae84783b25e5eb) J:\Program Files\Common Files\LogiShrd\Bluetooth\lbtserv.exe

11:30:07.0843 1288 LBTServ - ok

11:30:07.0890 1288 LEqdUsb (717e6714bca808f2a372e636aff3d15a) J:\WINDOWS\system32\Drivers\LEqdUsb.Sys

11:30:07.0890 1288 LEqdUsb - ok

11:30:07.0937 1288 LHidEqd (2786f7b4003adff88ce28bc1800b5407) J:\WINDOWS\system32\Drivers\LHidEqd.Sys

11:30:07.0937 1288 LHidEqd - ok

11:30:07.0953 1288 LHidFilt (01cc7fb6e790ef044b411377f3a1ff41) J:\WINDOWS\system32\DRIVERS\LHidFilt.Sys

11:30:07.0953 1288 LHidFilt - ok

11:30:07.0968 1288 LmHosts (a7db739ae99a796d91580147e919cc59) J:\WINDOWS\System32\lmhsvc.dll

11:30:07.0968 1288 LmHosts - ok

11:30:08.0000 1288 LMouFilt (a2e7eae8898d7b4b8c302b8f4e836bb5) J:\WINDOWS\system32\DRIVERS\LMouFilt.Sys

11:30:08.0000 1288 LMouFilt - ok

11:30:08.0015 1288 Messenger (986b1ff5814366d71e0ac5755c88f2d3) J:\WINDOWS\System32\msgsvc.dll

11:30:08.0015 1288 Messenger - ok

11:30:08.0031 1288 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) J:\WINDOWS\system32\drivers\mnmdd.sys

11:30:08.0031 1288 mnmdd - ok

11:30:08.0046 1288 mnmsrvc (d18f1f0c101d06a1c1adf26eed16fcdd) J:\WINDOWS\system32\mnmsrvc.exe

11:30:08.0046 1288 mnmsrvc - ok

11:30:08.0078 1288 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) J:\WINDOWS\system32\drivers\Modem.sys

11:30:08.0078 1288 Modem - ok

11:30:08.0078 1288 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) J:\WINDOWS\system32\DRIVERS\mouclass.sys

11:30:08.0078 1288 Mouclass - ok

11:30:08.0109 1288 mouhid (b1c303e17fb9d46e87a98e4ba6769685) J:\WINDOWS\system32\DRIVERS\mouhid.sys

11:30:08.0109 1288 mouhid - ok

11:30:08.0125 1288 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) J:\WINDOWS\system32\drivers\MountMgr.sys

11:30:08.0125 1288 MountMgr - ok

11:30:08.0140 1288 mraid35x - ok

11:30:08.0171 1288 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) J:\WINDOWS\system32\DRIVERS\mrxdav.sys

11:30:08.0187 1288 MRxDAV - ok

11:30:08.0203 1288 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) J:\WINDOWS\system32\DRIVERS\mrxsmb.sys

11:30:08.0218 1288 MRxSmb - ok

11:30:08.0234 1288 MSDTC (a137f1470499a205abbb9aafb3b6f2b1) J:\WINDOWS\system32\msdtc.exe

11:30:08.0234 1288 MSDTC - ok

11:30:08.0265 1288 MSDV (1477849772712bac69c144dcf2c9ce81) J:\WINDOWS\system32\DRIVERS\msdv.sys

11:30:08.0265 1288 MSDV - ok

11:30:08.0281 1288 Msfs (c941ea2454ba8350021d774daf0f1027) J:\WINDOWS\system32\drivers\Msfs.sys

11:30:08.0281 1288 Msfs - ok

11:30:08.0296 1288 MSIServer - ok

11:30:08.0312 1288 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) J:\WINDOWS\system32\drivers\MSKSSRV.sys

11:30:08.0312 1288 MSKSSRV - ok

11:30:08.0328 1288 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) J:\WINDOWS\system32\drivers\MSPCLOCK.sys

11:30:08.0328 1288 MSPCLOCK - ok

11:30:08.0343 1288 MSPQM (bad59648ba099da4a17680b39730cb3d) J:\WINDOWS\system32\drivers\MSPQM.sys

11:30:08.0343 1288 MSPQM - ok

11:30:08.0359 1288 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) J:\WINDOWS\system32\DRIVERS\mssmbios.sys

11:30:08.0359 1288 mssmbios - ok

11:30:08.0375 1288 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) J:\WINDOWS\system32\drivers\MSTEE.sys

11:30:08.0375 1288 MSTEE - ok

11:30:08.0406 1288 ms_mpu401 (ca3e22598f411199adc2dfee76cd0ae0) J:\WINDOWS\system32\drivers\msmpu401.sys

11:30:08.0406 1288 ms_mpu401 - ok

11:30:08.0421 1288 Mup (de6a75f5c270e756c5508d94b6cf68f5) J:\WINDOWS\system32\drivers\Mup.sys

11:30:08.0421 1288 Mup - ok

11:30:08.0421 1288 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) J:\WINDOWS\system32\DRIVERS\NABTSFEC.sys

11:30:08.0421 1288 NABTSFEC - ok

11:30:08.0468 1288 napagent (0102140028fad045756796e1c685d695) J:\WINDOWS\System32\qagentrt.dll

11:30:08.0484 1288 napagent - ok

11:30:08.0484 1288 NDIS (1df7f42665c94b825322fae71721130d) J:\WINDOWS\system32\drivers\NDIS.sys

11:30:08.0484 1288 NDIS - ok

11:30:08.0500 1288 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) J:\WINDOWS\system32\DRIVERS\NdisIP.sys

11:30:08.0500 1288 NdisIP - ok

11:30:08.0531 1288 NdisTapi (0109c4f3850dfbab279542515386ae22) J:\WINDOWS\system32\DRIVERS\ndistapi.sys

11:30:08.0531 1288 NdisTapi - ok

11:30:08.0562 1288 Ndisuio (f927a4434c5028758a842943ef1a3849) J:\WINDOWS\system32\DRIVERS\ndisuio.sys

11:30:08.0562 1288 Ndisuio - ok

11:30:08.0578 1288 NdisWan (edc1531a49c80614b2cfda43ca8659ab) J:\WINDOWS\system32\DRIVERS\ndiswan.sys

11:30:08.0578 1288 NdisWan - ok

11:30:08.0593 1288 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) J:\WINDOWS\system32\drivers\NDProxy.sys

11:30:08.0593 1288 NDProxy - ok

11:30:08.0625 1288 Net Driver HPZ12 (2969d26eee289be7422aa46fc55f4e38) J:\WINDOWS\system32\HPZinw12.dll

11:30:08.0625 1288 Net Driver HPZ12 - ok

11:30:08.0640 1288 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) J:\WINDOWS\system32\DRIVERS\netbios.sys

11:30:08.0640 1288 NetBIOS - ok

11:30:08.0687 1288 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) J:\WINDOWS\system32\DRIVERS\netbt.sys

11:30:08.0687 1288 NetBT - ok

11:30:08.0703 1288 NetDDE (b857ba82860d7ff85ae29b095645563b) J:\WINDOWS\system32\netdde.exe

11:30:08.0703 1288 NetDDE - ok

11:30:08.0703 1288 NetDDEdsdm (b857ba82860d7ff85ae29b095645563b) J:\WINDOWS\system32\netdde.exe

11:30:08.0703 1288 NetDDEdsdm - ok

11:30:08.0734 1288 Netlogon (bf2466b3e18e970d8a976fb95fc1ca85) J:\WINDOWS\system32\lsass.exe

11:30:08.0734 1288 Netlogon - ok

11:30:08.0750 1288 Netman (13e67b55b3abd7bf3fe7aae5a0f9a9de) J:\WINDOWS\System32\netman.dll

11:30:08.0750 1288 Netman - ok

11:30:08.0812 1288 NetTcpPortSharing (d34612c5d02d026535b3095d620626ae) j:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe

11:30:08.0812 1288 NetTcpPortSharing - ok

11:30:08.0828 1288 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) J:\WINDOWS\system32\DRIVERS\nic1394.sys

11:30:08.0828 1288 NIC1394 - ok

11:30:08.0875 1288 Nla (943337d786a56729263071623bbb9de5) J:\WINDOWS\System32\mswsock.dll

11:30:08.0890 1288 Nla - ok

11:30:08.0890 1288 nm (1e421a6bcf2203cc61b821ada9de878b) J:\WINDOWS\system32\DRIVERS\NMnt.sys

11:30:08.0890 1288 nm - ok

11:30:08.0906 1288 Npfs (3182d64ae053d6fb034f44b6def8034a) J:\WINDOWS\system32\drivers\Npfs.sys

11:30:08.0906 1288 Npfs - ok

11:30:08.0984 1288 nSvcIp (7a1c8633f57fa89553d4edc3507ba4c3) J:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe

11:30:08.0984 1288 nSvcIp - ok

11:30:09.0000 1288 nSvcLog (e3d66b843755ac586c6622af4efa662c) J:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe

11:30:09.0000 1288 nSvcLog - ok

11:30:09.0031 1288 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) J:\WINDOWS\system32\drivers\Ntfs.sys

11:30:09.0031 1288 Ntfs - ok

11:30:09.0046 1288 NtLmSsp (bf2466b3e18e970d8a976fb95fc1ca85) J:\WINDOWS\system32\lsass.exe

11:30:09.0046 1288 NtLmSsp - ok

11:30:09.0093 1288 NtmsSvc (156f64a3345bd23c600655fb4d10bc08) J:\WINDOWS\system32\ntmssvc.dll

11:30:09.0093 1288 NtmsSvc - ok

11:30:09.0109 1288 Null (73c1e1f395918bc2c6dd67af7591a3ad) J:\WINDOWS\system32\drivers\Null.sys

11:30:09.0109 1288 Null - ok

11:30:09.0140 1288 nvax (f3d3015e52f2732042197d4edcaac2cb) J:\WINDOWS\system32\drivers\nvax.sys

11:30:09.0140 1288 nvax - ok

11:30:09.0171 1288 NVENETFD (97724affdd7a5a47c3bc07ccd1b88745) J:\WINDOWS\system32\DRIVERS\NVENETFD.sys

11:30:09.0171 1288 NVENETFD - ok

11:30:09.0218 1288 nvnetbus (82c2b3a89b9edfa6287c5aba1a4e6a99) J:\WINDOWS\system32\DRIVERS\nvnetbus.sys

11:30:09.0218 1288 nvnetbus - ok

11:30:09.0250 1288 nvnforce (6d6fd2b7035d415621acaf1e555c8b90) J:\WINDOWS\system32\drivers\nvapu.sys

11:30:09.0265 1288 nvnforce - ok

11:30:09.0281 1288 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) J:\WINDOWS\system32\DRIVERS\nwlnkflt.sys

11:30:09.0296 1288 NwlnkFlt - ok

11:30:09.0296 1288 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) J:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys

11:30:09.0296 1288 NwlnkFwd - ok

11:30:09.0312 1288 ohci1394 (ca33832df41afb202ee7aeb05145922f) J:\WINDOWS\system32\DRIVERS\ohci1394.sys

11:30:09.0312 1288 ohci1394 - ok

11:30:09.0375 1288 ose (9d10f99a6712e28f8acd5641e3a7ea6b) J:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE

11:30:09.0390 1288 ose - ok

11:30:09.0546 1288 osppsvc (358a9cca612c68eb2f07ddad4ce1d8d7) J:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

11:30:09.0640 1288 osppsvc - ok

11:30:09.0656 1288 Parport (5575faf8f97ce5e713d108c2a58d7c7c) J:\WINDOWS\system32\DRIVERS\parport.sys

11:30:09.0656 1288 Parport - ok

11:30:09.0671 1288 PartMgr (beb3ba25197665d82ec7065b724171c6) J:\WINDOWS\system32\drivers\PartMgr.sys

11:30:09.0671 1288 PartMgr - ok

11:30:09.0687 1288 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) J:\WINDOWS\system32\drivers\ParVdm.sys

11:30:09.0687 1288 ParVdm - ok

11:30:09.0703 1288 PCI (a219903ccf74233761d92bef471a07b1) J:\WINDOWS\system32\DRIVERS\pci.sys

11:30:09.0703 1288 PCI - ok

11:30:09.0718 1288 PCIDump - ok

11:30:09.0734 1288 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) J:\WINDOWS\system32\DRIVERS\pciide.sys

11:30:09.0734 1288 PCIIde - ok

11:30:09.0750 1288 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) J:\WINDOWS\system32\drivers\Pcmcia.sys

11:30:09.0750 1288 Pcmcia - ok

11:30:09.0765 1288 PDCOMP - ok

11:30:09.0765 1288 PDFRAME - ok

11:30:09.0781 1288 PDRELI - ok

11:30:09.0796 1288 PDRFRAME - ok

11:30:09.0812 1288 perc2 - ok

11:30:09.0812 1288 perc2hib - ok

11:30:09.0875 1288 PlugPlay (65df52f5b8b6e9bbd183505225c37315) J:\WINDOWS\system32\services.exe

11:30:09.0875 1288 PlugPlay - ok

11:30:09.0921 1288 Pml Driver HPZ12 (bafc9706bdf425a02b66468ab2605c59) J:\WINDOWS\system32\HPZipm12.dll

11:30:09.0937 1288 Pml Driver HPZ12 - ok

11:30:09.0953 1288 PolicyAgent (bf2466b3e18e970d8a976fb95fc1ca85) J:\WINDOWS\system32\lsass.exe

11:30:09.0953 1288 PolicyAgent - ok

11:30:09.0968 1288 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) J:\WINDOWS\system32\DRIVERS\raspptp.sys

11:30:09.0968 1288 PptpMiniport - ok

11:30:10.0000 1288 Processor (a32bebaf723557681bfc6bd93e98bd26) J:\WINDOWS\system32\DRIVERS\processr.sys

11:30:10.0000 1288 Processor - ok

11:30:10.0015 1288 ProtectedStorage (bf2466b3e18e970d8a976fb95fc1ca85) J:\WINDOWS\system32\lsass.exe

11:30:10.0015 1288 ProtectedStorage - ok

11:30:10.0031 1288 PSched (09298ec810b07e5d582cb3a3f9255424) J:\WINDOWS\system32\DRIVERS\psched.sys

11:30:10.0031 1288 PSched - ok

11:30:10.0046 1288 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) J:\WINDOWS\system32\DRIVERS\ptilink.sys

11:30:10.0046 1288 Ptilink - ok

11:30:10.0062 1288 PxHelp20 (153d02480a0a2f45785522e814c634b6) J:\WINDOWS\system32\Drivers\PxHelp20.sys

11:30:10.0062 1288 PxHelp20 - ok

11:30:10.0078 1288 ql1080 - ok

11:30:10.0078 1288 Ql10wnt - ok

11:30:10.0093 1288 ql12160 - ok

11:30:10.0109 1288 ql1240 - ok

11:30:10.0125 1288 ql1280 - ok

11:30:10.0156 1288 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) J:\WINDOWS\system32\DRIVERS\rasacd.sys

11:30:10.0156 1288 RasAcd - ok

11:30:10.0187 1288 RasAuto (ad188be7bdf94e8df4ca0a55c00a5073) J:\WINDOWS\System32\rasauto.dll

11:30:10.0187 1288 RasAuto - ok

11:30:10.0234 1288 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) J:\WINDOWS\system32\DRIVERS\rasl2tp.sys

11:30:10.0234 1288 Rasl2tp - ok

11:30:10.0250 1288 RasMan (76a9a3cbeadd68cc57cda5e1d7448235) J:\WINDOWS\System32\rasmans.dll

11:30:10.0265 1288 RasMan - ok

11:30:10.0265 1288 RasPppoe (5bc962f2654137c9909c3d4603587dee) J:\WINDOWS\system32\DRIVERS\raspppoe.sys

11:30:10.0265 1288 RasPppoe - ok

11:30:10.0281 1288 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) J:\WINDOWS\system32\DRIVERS\raspti.sys

11:30:10.0281 1288 Raspti - ok

11:30:10.0312 1288 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) J:\WINDOWS\system32\DRIVERS\rdbss.sys

11:30:10.0328 1288 Rdbss - ok

11:30:10.0328 1288 RDPCDD (4912d5b403614ce99c28420f75353332) J:\WINDOWS\system32\DRIVERS\RDPCDD.sys

11:30:10.0328 1288 RDPCDD - ok

11:30:10.0390 1288 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) J:\WINDOWS\system32\drivers\RDPWD.sys

11:30:10.0390 1288 RDPWD - ok

11:30:10.0406 1288 RDSessMgr (3c37bf86641bda977c3bf8a840f3b7fa) J:\WINDOWS\system32\sessmgr.exe

11:30:10.0406 1288 RDSessMgr - ok

11:30:10.0453 1288 redbook (f828dd7e1419b6653894a8f97a0094c5) J:\WINDOWS\system32\DRIVERS\redbook.sys

11:30:10.0453 1288 redbook - ok

11:30:10.0484 1288 RemoteAccess (7e699ff5f59b5d9de5390e3c34c67cf5) J:\WINDOWS\System32\mprdim.dll

11:30:10.0484 1288 RemoteAccess - ok

11:30:10.0531 1288 RichVideo (06a49b7bdc36cfbf97dd90804f833369) J:\Program Files\CyberLink\Shared Files\RichVideo.exe

11:30:10.0531 1288 RichVideo - ok

11:30:10.0546 1288 RpcLocator (aaed593f84afa419bbae8572af87cf6a) J:\WINDOWS\system32\locator.exe

11:30:10.0546 1288 RpcLocator - ok

11:30:10.0578 1288 RpcSs (6b27a5c03dfb94b4245739065431322c) J:\WINDOWS\System32\rpcss.dll

11:30:10.0578 1288 RpcSs - ok

11:30:10.0609 1288 RSVP (471b3f9741d762abe75e9deea4787e47) J:\WINDOWS\system32\rsvp.exe

11:30:10.0609 1288 RSVP - ok

11:30:10.0640 1288 RT2500 (e2988349fe0567cbe4161cc653575a8e) J:\WINDOWS\system32\DRIVERS\RT2500.sys

11:30:10.0640 1288 RT2500 - ok

11:30:10.0656 1288 SamSs (bf2466b3e18e970d8a976fb95fc1ca85) J:\WINDOWS\system32\lsass.exe

11:30:10.0656 1288 SamSs - ok

11:30:10.0656 1288 SCardSvr (86d007e7a654b9a71d1d7d856b104353) J:\WINDOWS\System32\SCardSvr.exe

11:30:10.0671 1288 SCardSvr - ok

11:30:10.0687 1288 Schedule (0a9a7365a1ca4319aa7c1d6cd8e4eafa) J:\WINDOWS\system32\schedsvc.dll

11:30:10.0703 1288 Schedule - ok

11:30:10.0734 1288 Secdrv (90a3935d05b494a5a39d37e71f09a677) J:\WINDOWS\system32\DRIVERS\secdrv.sys

11:30:10.0734 1288 Secdrv - ok

11:30:10.0750 1288 seclogon (cbe612e2bb6a10e3563336191eda1250) J:\WINDOWS\System32\seclogon.dll

11:30:10.0750 1288 seclogon - ok

11:30:10.0765 1288 SENS (7fdd5d0684eca8c1f68b4d99d124dcd0) J:\WINDOWS\system32\sens.dll

11:30:10.0765 1288 SENS - ok

11:30:10.0765 1288 serenum (0f29512ccd6bead730039fb4bd2c85ce) J:\WINDOWS\system32\DRIVERS\serenum.sys

11:30:10.0781 1288 serenum - ok

11:30:10.0781 1288 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) J:\WINDOWS\system32\DRIVERS\serial.sys

11:30:10.0781 1288 Serial - ok

11:30:10.0812 1288 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) J:\WINDOWS\system32\drivers\Sfloppy.sys

11:30:10.0812 1288 Sfloppy - ok

11:30:10.0828 1288 SGHIDI (abd45d0857bbbb12075f53243da2aa41) J:\WINDOWS\system32\drivers\TG_iMON.sys

11:30:10.0828 1288 SGHIDI - ok

11:30:10.0859 1288 SGIR (532f78ba55b3c8556c8998cb59a00471) J:\WINDOWS\system32\drivers\iMON_PAD.sys

11:30:10.0875 1288 SGIR - ok

11:30:10.0890 1288 SharedAccess (83f41d0d89645d7235c051ab1d9523ac) J:\WINDOWS\System32\ipnathlp.dll

11:30:10.0890 1288 SharedAccess - ok

11:30:10.0921 1288 ShellHWDetection (99bc0b50f511924348be19c7c7313bbf) J:\WINDOWS\System32\shsvcs.dll

11:30:10.0921 1288 ShellHWDetection - ok

11:30:10.0937 1288 Simbad - ok

11:30:10.0953 1288 Sk9920nt - ok

11:30:10.0968 1288 SLIP (866d538ebe33709a5c9f5c62b73b7d14) J:\WINDOWS\system32\DRIVERS\SLIP.sys

11:30:10.0984 1288 SLIP - ok

11:30:10.0984 1288 Sparrow - ok

11:30:11.0031 1288 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) J:\WINDOWS\system32\drivers\splitter.sys

11:30:11.0031 1288 splitter - ok

11:30:11.0046 1288 Spooler (60784f891563fb1b767f70117fc2428f) J:\WINDOWS\system32\spoolsv.exe

11:30:11.0046 1288 Spooler - ok

11:30:11.0093 1288 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) J:\WINDOWS\system32\DRIVERS\sr.sys

11:30:11.0093 1288 sr - ok

11:30:11.0109 1288 srservice (3805df0ac4296a34ba4bf93b346cc378) J:\WINDOWS\system32\srsvc.dll

11:30:11.0109 1288 srservice - ok

11:30:11.0140 1288 Srv (47ddfc2f003f7f9f0592c6874962a2e7) J:\WINDOWS\system32\DRIVERS\srv.sys

11:30:11.0140 1288 Srv - ok

11:30:11.0156 1288 SSDPSRV (0a5679b3714edab99e357057ee88fca6) J:\WINDOWS\System32\ssdpsrv.dll

11:30:11.0171 1288 SSDPSRV - ok

11:30:11.0203 1288 StillCam (a9573045baa16eab9b1085205b82f1ed) J:\WINDOWS\system32\DRIVERS\serscan.sys

11:30:11.0203 1288 StillCam - ok

11:30:11.0218 1288 stisvc (8bad69cbac032d4bbacfce0306174c30) J:\WINDOWS\system32\wiaservc.dll

11:30:11.0218 1288 stisvc - ok

11:30:11.0250 1288 streamip (77813007ba6265c4b6098187e6ed79d2) J:\WINDOWS\system32\DRIVERS\StreamIP.sys

11:30:11.0250 1288 streamip - ok

11:30:11.0265 1288 swenum (3941d127aef12e93addf6fe6ee027e0f) J:\WINDOWS\system32\DRIVERS\swenum.sys

11:30:11.0265 1288 swenum - ok

11:30:11.0281 1288 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) J:\WINDOWS\system32\drivers\swmidi.sys

11:30:11.0281 1288 swmidi - ok

11:30:11.0296 1288 SwPrv - ok

11:30:11.0312 1288 symc810 - ok

11:30:11.0328 1288 symc8xx - ok

11:30:11.0343 1288 sym_hi - ok

11:30:11.0343 1288 sym_u3 - ok

11:30:11.0375 1288 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) J:\WINDOWS\system32\drivers\sysaudio.sys

11:30:11.0375 1288 sysaudio - ok

11:30:11.0390 1288 SysmonLog (c7abbc59b43274b1109df6b24d617051) J:\WINDOWS\system32\smlogsvc.exe

11:30:11.0390 1288 SysmonLog - ok

11:30:11.0421 1288 TapiSrv (3cb78c17bb664637787c9a1c98f79c38) J:\WINDOWS\System32\tapisrv.dll

11:30:11.0421 1288 TapiSrv - ok

11:30:11.0453 1288 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) J:\WINDOWS\system32\DRIVERS\tcpip.sys

11:30:11.0453 1288 Tcpip - ok

11:30:11.0484 1288 TDPIPE (6471a66807f5e104e4885f5b67349397) J:\WINDOWS\system32\drivers\TDPIPE.sys

11:30:11.0484 1288 TDPIPE - ok

11:30:11.0500 1288 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) J:\WINDOWS\system32\drivers\TDTCP.sys

11:30:11.0500 1288 TDTCP - ok

11:30:11.0515 1288 TermDD (88155247177638048422893737429d9e) J:\WINDOWS\system32\DRIVERS\termdd.sys

11:30:11.0515 1288 TermDD - ok

11:30:11.0546 1288 TermService (ff3477c03be7201c294c35f684b3479f) J:\WINDOWS\System32\termsrv.dll

11:30:11.0562 1288 TermService - ok

11:30:11.0562 1288 Themes (99bc0b50f511924348be19c7c7313bbf) J:\WINDOWS\System32\shsvcs.dll

11:30:11.0578 1288 Themes - ok

11:30:11.0578 1288 TosIde - ok

11:30:11.0593 1288 TrkWks (55bca12f7f523d35ca3cb833c725f54e) J:\WINDOWS\system32\trkwks.dll

11:30:11.0593 1288 TrkWks - ok

11:30:11.0656 1288 TrufosAlt (c380e830a4bd08440e6757213f126db7) J:\WINDOWS\system32\DRIVERS\TrufosAlt.sys

11:30:11.0656 1288 TrufosAlt - ok

11:30:11.0687 1288 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) J:\WINDOWS\system32\drivers\Udfs.sys

11:30:11.0687 1288 Udfs - ok

11:30:11.0703 1288 ultra - ok

11:30:11.0718 1288 Update (402ddc88356b1bac0ee3dd1580c76a31) J:\WINDOWS\system32\DRIVERS\update.sys

11:30:11.0718 1288 Update - ok

11:30:11.0734 1288 upnphost (1ebafeb9a3fbdc41b8d9c7f0f687ad91) J:\WINDOWS\System32\upnphost.dll

11:30:11.0750 1288 upnphost - ok

11:30:11.0765 1288 UPS (05365fb38fca1e98f7a566aaaf5d1815) J:\WINDOWS\System32\ups.exe

11:30:11.0765 1288 UPS - ok

11:30:11.0812 1288 usbccgp (173f317ce0db8e21322e71b7e60a27e8) J:\WINDOWS\system32\DRIVERS\usbccgp.sys

11:30:11.0812 1288 usbccgp - ok

11:30:11.0859 1288 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) J:\WINDOWS\system32\DRIVERS\usbehci.sys

11:30:11.0859 1288 usbehci - ok

11:30:11.0906 1288 usbhub (1ab3cdde553b6e064d2e754efe20285c) J:\WINDOWS\system32\DRIVERS\usbhub.sys

11:30:11.0906 1288 usbhub - ok

11:30:11.0937 1288 usbohci (0daecce65366ea32b162f85f07c6753b) J:\WINDOWS\system32\DRIVERS\usbohci.sys

11:30:11.0937 1288 usbohci - ok

11:30:11.0953 1288 usbprint (a717c8721046828520c9edf31288fc00) J:\WINDOWS\system32\DRIVERS\usbprint.sys

11:30:11.0953 1288 usbprint - ok

11:30:11.0953 1288 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) J:\WINDOWS\system32\DRIVERS\usbscan.sys

11:30:11.0968 1288 usbscan - ok

11:30:11.0968 1288 usbstor (a32426d9b14a089eaa1d922e0c5801a9) J:\WINDOWS\system32\DRIVERS\USBSTOR.SYS

11:30:11.0968 1288 usbstor - ok

11:30:11.0984 1288 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) J:\WINDOWS\System32\drivers\vga.sys

11:30:11.0984 1288 VgaSave - ok

11:30:12.0000 1288 ViaIde - ok

11:30:12.0015 1288 VolSnap (4c8fcb5cc53aab716d810740fe59d025) J:\WINDOWS\system32\drivers\VolSnap.sys

11:30:12.0015 1288 VolSnap - ok

11:30:12.0031 1288 VSS (7a9db3a67c333bf0bd42e42b8596854b) J:\WINDOWS\System32\vssvc.exe

11:30:12.0031 1288 VSS - ok

11:30:12.0078 1288 W32Time (54af4b1d5459500ef0937f6d33b1914f) J:\WINDOWS\system32\w32time.dll

11:30:12.0078 1288 W32Time - ok

11:30:12.0093 1288 Wanarp (e20b95baedb550f32dd489265c1da1f6) J:\WINDOWS\system32\DRIVERS\wanarp.sys

11:30:12.0093 1288 Wanarp - ok

11:30:12.0140 1288 Wdf01000 (d918617b46457b9ac28027722e30f647) J:\WINDOWS\system32\Drivers\wdf01000.sys

11:30:12.0140 1288 Wdf01000 - ok

11:30:12.0156 1288 WDICA - ok

11:30:12.0187 1288 wdmaud (6768acf64b18196494413695f0c3a00f) J:\WINDOWS\system32\drivers\wdmaud.sys

11:30:12.0187 1288 wdmaud - ok

11:30:12.0203 1288 WebClient (77a354e28153ad2d5e120a5a8687bc06) J:\WINDOWS\System32\webclnt.dll

11:30:12.0203 1288 WebClient - ok

11:30:12.0265 1288 winmgmt (2d0e4ed081963804ccc196a0929275b5) J:\WINDOWS\system32\wbem\WMIsvc.dll

11:30:12.0265 1288 winmgmt - ok

11:30:12.0312 1288 WmdmPmSN (c51b4a5c05a5475708e3c81c7765b71d) J:\WINDOWS\system32\MsPMSNSv.dll

11:30:12.0312 1288 WmdmPmSN - ok

11:30:12.0343 1288 WmiApSrv (e0673f1106e62a68d2257e376079f821) J:\WINDOWS\system32\wbem\wmiapsrv.exe

11:30:12.0343 1288 WmiApSrv - ok

11:30:12.0453 1288 WMPNetworkSvc (f74e3d9a7fa9556c3bbb14d4e5e63d3b) J:\Program Files\Windows Media Player\WMPNetwk.exe

11:30:12.0468 1288 WMPNetworkSvc - ok

11:30:12.0484 1288 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) J:\WINDOWS\System32\drivers\ws2ifsl.sys

11:30:12.0484 1288 WS2IFSL - ok

11:30:12.0531 1288 wscsvc (7c278e6408d1dce642230c0585a854d5) J:\WINDOWS\system32\wscsvc.dll

11:30:12.0531 1288 wscsvc - ok

11:30:12.0578 1288 WSTCODEC (c98b39829c2bbd34e454150633c62c78) J:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS

11:30:12.0578 1288 WSTCODEC - ok

11:30:12.0578 1288 wuauserv - ok

11:30:12.0609 1288 WudfPf (f15feafffbb3644ccc80c5da584e6311) J:\WINDOWS\system32\DRIVERS\WudfPf.sys

11:30:12.0609 1288 WudfPf - ok

11:30:12.0625 1288 WudfRd (28b524262bce6de1f7ef9f510ba3985b) J:\WINDOWS\system32\DRIVERS\wudfrd.sys

11:30:12.0625 1288 WudfRd - ok

11:30:12.0640 1288 WudfSvc (05231c04253c5bc30b26cbaae680ed89) J:\WINDOWS\System32\WUDFSvc.dll

11:30:12.0640 1288 WudfSvc - ok

11:30:12.0687 1288 WZCSVC (81dc3f549f44b1c1fff022dec9ecf30b) J:\WINDOWS\System32\wzcsvc.dll

11:30:12.0687 1288 WZCSVC - ok

11:30:12.0734 1288 xmlprov (295d21f14c335b53cb8154e5b1f892b9) J:\WINDOWS\System32\xmlprov.dll

11:30:12.0734 1288 xmlprov - ok

11:30:12.0765 1288 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0

11:30:12.0890 1288 \Device\Harddisk0\DR0 - ok

11:30:12.0890 1288 Boot (0x1200) (f01bd481348d16c811620a36fbc7b658) \Device\Harddisk0\DR0\Partition0

11:30:12.0890 1288 \Device\Harddisk0\DR0\Partition0 - ok

11:30:12.0890 1288 ============================================================

11:30:12.0890 1288 Scan finished

11:30:12.0890 1288 ============================================================

11:30:12.0906 2816 Detected object count: 0

11:30:12.0906 2816 Actual detected object count: 0

11:36:13.0843 2776 Deinitialize success

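The TDSSKiller log above lists every service, driver, the MBR and the boot sector with an MD5 and an image path, each followed by a verdict line, and on a paste this long the eye skips entries. The script below is added here as an example; it is not TDSSKiller's own code and not part of this thread. It parses that line shape, folds the MBR verdict (which names the device object rather than the "MBR (0x1B8)" label) back onto its entry, and then flags any verdict other than "ok", any image loaded from outside a per-host baseline of trusted directories (on this machine Windows lives on J:, as the log shows), and images that back several entries (lsass.exe hosting Netlogon, NtLmSsp, PolicyAgent, ProtectedStorage and SamSs is normal on XP; the list exists to compare against a known-good box). In the sample, the `sysdrv32` entry, its zero hash, its path and the wording of the "detected ..." verdict are constructed assumptions; the other sample lines are copied from the posted log.

```python
"""Triage helper for a TDSSKiller text log (added example; not TDSSKiller's own code)."""
import re

# Entry line, e.g. "11:30:05.0218 1288 CryptSvc (3d4e1999...) J:\WINDOWS\System32\cryptsvc.dll"
# or            "11:30:12.0765 1288 MBR (0x1B8) (8f558eb6...) \Device\Harddisk0\DR0"
ENTRY_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d{4})\s+(?P<pid>\d+)\s+"
    r"(?P<name>.+?)\s+\((?P<md5>[0-9a-fA-F]{32})\)\s+(?P<path>\S.*?)\s*$"
)
# Verdict line, e.g. "11:30:05.0218 1288 CryptSvc - ok"; entries with no file on
# disk (registry-only drivers such as dac2w2k) have only this line.
STATUS_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d{4})\s+(?P<pid>\d+)\s+(?P<name>.+?)\s+-\s+(?P<status>.+?)\s*$"
)

# Per-host baseline (an assumption for this example): Windows is installed on J:
# on this machine, so these are the directories its entries are expected to live in.
TRUSTED_ROOTS = (
    "J:\\WINDOWS\\system32\\",
    "J:\\WINDOWS\\Microsoft.NET\\",
    "J:\\WINDOWS\\PCHealth\\",
    "J:\\Program Files\\",
)


def _blank():
    return {"md5": None, "path": None, "status": None}


def parse_tdsskiller(text):
    """Return {name: {"md5", "path", "status"}} for every service/driver/MBR entry."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            rec = entries.setdefault(m["name"], _blank())
            rec["md5"], rec["path"] = m["md5"].lower(), m["path"]
            continue
        m = STATUS_RE.match(line)
        if m:
            entries.setdefault(m["name"], _blank())["status"] = m["status"]
    # The MBR/boot-sector verdict names the device object, not the "MBR (0x1B8)"
    # label of its entry line; fold such verdicts back onto the entry they belong to.
    by_path = {rec["path"]: name for name, rec in entries.items() if rec["path"]}
    for orphan in [n for n, r in entries.items() if r["path"] is None and n in by_path]:
        entries[by_path[orphan]]["status"] = entries.pop(orphan)["status"]
    return entries


def triage(entries, trusted_roots=TRUSTED_ROOTS):
    """List (name, reason) pairs a responder should read first."""
    roots = tuple(r.lower() for r in trusted_roots)
    findings = []
    for name, rec in sorted(entries.items()):
        if rec["status"] is None:
            findings.append((name, "no verdict line (truncated paste?)"))
        elif rec["status"].lower() != "ok":
            findings.append((name, "verdict: " + rec["status"]))
        path = rec["path"]
        if path and not path.startswith("\\Device\\") and not path.lower().startswith(roots):
            findings.append((name, "image outside trusted roots: " + path))
    return findings


def shared_images(entries):
    """Map each image (lower-cased path) that backs several entries to their names."""
    groups = {}
    for name, rec in entries.items():
        if rec["path"]:
            groups.setdefault(rec["path"].lower(), []).append(name)
    return {p: sorted(n) for p, n in groups.items() if len(n) > 1}


# Constructed sample: the first lines are copied from the log above; the sysdrv32
# entry, its zero hash, its path and the "detected ..." verdict wording are invented.
SAMPLE_LOG = r"""
11:30:05.0218 1288 CryptSvc (3d4e199942e29207970e04315d02ad3b) J:\WINDOWS\System32\cryptsvc.dll
11:30:05.0218 1288 CryptSvc - ok
11:30:05.0218 1288 dac2w2k - ok
11:30:05.0312 1288 Dhcp (5e38d7684a49cacfb752b046357e0589) J:\WINDOWS\System32\dhcpcsvc.dll
11:30:05.0328 1288 Dhcp - ok
11:30:08.0734 1288 Netlogon (bf2466b3e18e970d8a976fb95fc1ca85) J:\WINDOWS\system32\lsass.exe
11:30:08.0734 1288 Netlogon - ok
11:30:10.0656 1288 SamSs (bf2466b3e18e970d8a976fb95fc1ca85) J:\WINDOWS\system32\lsass.exe
11:30:10.0656 1288 SamSs - ok
11:30:11.0000 1288 sysdrv32 (00000000000000000000000000000000) J:\WINDOWS\Temp\sysdrv32.sys
11:30:11.0000 1288 sysdrv32 - detected Rootkit.Win32.TDSS.tdl4 (0)
11:30:12.0765 1288 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
11:30:12.0890 1288 \Device\Harddisk0\DR0 - ok
11:30:12.0906 2816 Detected object count: 1
"""

if __name__ == "__main__":
    parsed = parse_tdsskiller(SAMPLE_LOG)
    for name, reason in triage(parsed):
        print(f"{name}: {reason}")
    for image, names in shared_images(parsed).items():
        print(f"{image} hosts {', '.join(names)}")
```

Run it against a full log with `parse_tdsskiller(open("tdsskiller.txt").read())`; the trusted-root tuple is the part to adjust per host, since a driver under `Temp`, a user profile or an unexpected drive letter is exactly what this check is meant to surface, and a clean "ok" verdict from TDSSKiller only covers what it knows how to detect.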

Hello casualuser. :)

 

It's time to try something new. :thumbup:

 

The Kaspersky Rescue Disk is a bootable CD based version of Kaspersky Antivirus.

The download is in ISO format.

If you are not sure how to burn an image, please read How to write a CD/DVD image or ISO. If you need a FREE utility to burn the ISO image, download and use ImgBurn.

 

Download the Kaspersky Rescue Disk:

http://rescuedisk.kaspersky-labs.com/rescuedisk/updatable/

  • Burn the Kaspersky Rescue Disk ISO image to CD.
  • Insert the Kaspersky Rescue Disk CD into your CD/DVD drive and boot the computer (you may need to change the boot sequence in your system's BIOS to boot from the CD/DVD drive).
  • Follow the instructions in the initial text screen to press Enter to start Kaspersky AntiVirus.
  • Select your language (or wait a few seconds for the default English to load).
  • Your screen may go blank for several minutes while the program loads.
  • After the Kaspersky Rescue Disk loads, the database will be updated (if you have network connectivity).
    • Click the Update tab to view the update progress.
    • When the update has completed, click the Scan tab.
  • Place a checkmark in all the available drives to scan the entire system.
  • Click the "Security level" option, and select options.
    • Make sure "All Files" is selected.
    • Under "Scan of compound files" ensure all options are selected and click the OK button.
  • Click the "On threat detection" option.
    • Select "Do not prompt", "Disinfect", and "Delete if disinfection fails".
  • Click the "Start scan" button.
  • When the scan has completed, click the Reports button.
    • Click the Save button, and select your System drive (normally your C: drive).
    • In the "File name" box, name the file krd-log and click the Save button.
    • Click Close to close the Reports window.
  • Click the Exit button to close the Rescue Disk program and confirm.
    • In the lower left of the screen, left-click the red K button, select Logout, and confirm.
  • The computer will shut down.
  • Restart the computer and reboot normally.
  • Please post the log (krd-log.txt) in your next reply.


The computer works fine except for not having an internet connection due to the IP address not renewing. Nothing was detected, disinfected, or deleted. I saved the detected file but all it says is unknown in the text.

 

Objects Scan: completed 2 minutes ago (events: 2, objects: 338287, time: 00:49:24)

4/19/12 10:55 AM Task started

4/19/12 11:45 AM Task completed


Howdy casualuser. :)

 

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps.

 

Please delete your current copy of ComboFix. Then, please follow these instructions to download a new version of ComboFix.exe, however please do not run ComboFix. Please visit this webpage for download links:

 

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

 

 

Then, please follow these instructions to remove the remaining malicious entries:

 

  • Please close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Open Notepad and copy/paste the text in the quotebox below into it:
     
    Please Note: Do NOT use any other text editor than Notepad or the CFScript will fail.
     

    killall::
     
    DDS::
    uInternet Settings,ProxyOverride = *.local
     
    RegLock::
    [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
    @Denied: (2) (LocalSystem)
    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,e6,70,d8,2d,6f,7b,58,4b,b6,c2,c2,\
    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,e6,70,d8,2d,6f,7b,58,4b,b6,c2,c2,\
     
     
  • Save this as CFScript.txt, in the same location as ComboFix.exe.
     
    [image: CFScriptB-4.gif]
     
  • Referring to the picture above, drag CFScript into ComboFix.exe.
  • When finished, it shall produce a log for you at C:\ComboFix.txt.

 

Please post the ComboFix.txt in your next reply.

==========

 

After you have run ComboFix please re-run Webroot's AntiZeroAccess and post its log in your next reply.

==========

 

In your next reply please post the following:

  • ComboFix.txt.
  • AntiZeroAccess log.


Howdy casualuser. :)

 

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps.

 

Please run Rkill, making sure not to reboot.

 

Then, please delete your current copy of ComboFix. Please follow these instructions to download a new version of ComboFix.exe, however please do not run ComboFix. Please visit this webpage for download links:

 

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

 

 

Then, please follow these instructions to remove the remaining malicious entries:

 

  • Please close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Open Notepad and copy/paste the text in the quotebox below into it:
     
    Please Note: Do NOT use any other text editor than Notepad or the CFScript will fail.
     

    killall::
     
    DDS::
    uInternet Settings,ProxyOverride = *.local
     
    RegLock::
    [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
    @Denied: (2) (LocalSystem)
    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,e6,70,d8,2d,6f,7b,58,4b,b6,c2,c2,\
    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,e6,70,d8,2d,6f,7b,58,4b,b6,c2,c2,\
     
     
  • Save this as CFScript.txt, in the same location as ComboFix.exe.
     
    [image: CFScriptB-4.gif]
     
  • Referring to the picture above, drag CFScript into ComboFix.exe.
  • When finished, it shall produce a log for you at C:\ComboFix.txt.

 

Please post the ComboFix.txt in your next reply.

==========

 

After you have run ComboFix please re-run Webroot's AntiZeroAccess and post its log in your next reply.

==========

 

In your next reply please post the following:

  • ComboFix.txt.
  • AntiZeroAccess log.


I ran Rkill, and then ComboFix. ComboFix made it past the two messages and said it needed to reboot; this was before any stages showed in the progress box. It rebooted, I logged in and the ComboFix prompt box reappeared, and about 15 sec later I got the blue screen failure message again, "IRQL_NOT_LESS_OR_EQUAL". Technical information: "Stop: 0x0000000A (0x0000FFDF,0X00000002,0X00000001,0X806E7A8E) Beginning Dump Physical Memory..." Here is the Rkill log.

 

This log file is located at J:\rkill.log.

Please post this only if requested to by the person helping you.

Otherwise you can close this log when you wish.

 

Rkill was run on 04/21/2012 at 10:43:29.

Operating System: Microsoft Windows XP

 

 

Processes terminated by Rkill or while it was running:

 

J:\WINDOWS\Explorer.EXE

J:\WINDOWS\System32\rundll32.exe

 

 

Rkill completed on 04/21/2012 at 10:43:32.


I disabled my wireless connection and ran Rkill and the CFScript/ComboFix again; now there is no blue screen, but it does still freeze after the two rootkit messages.


Hello casualuser. :)

 

My apologies for the delay since yesterday, as I have been caught up with exams.

 

I am currently seeking advice regarding this infection so please hang tight. :)


Howdy casualuser. :)

 

 

Please go to the Panda link below and follow their instructions to run the Yorkyt.exe Disinfection Tool:

 

http://www.pandasecurity.com/usa/homeusers/support/card?id=1672

 

 

After completing those instructions, please run the CFScript in my previous post and post the new ComboFix log in your next reply. :thumbup:


Same result. Stalls after the two rootkit messages. I did the whole process again with the wireless connection enabled and it gets as far as Combofix rebooting (still no stages listed) and then I get the blue screen when the computer comes back up.


Hey casualuser. :)

 

Please delete your current copy of TDSSKiller. Then, please download to your Desktop:

  • TDSSKiller.zip from here and extract it (right click on it => "Extract here").

 

>>> TDSSKiller: Double-click on TDSSKiller.exe to run the application.

  • Click on the Start Scan button and wait for the scan and disinfection process to be over.
     
  • If an infected file is detected, the default action will be Cure. Instead, choose SKIP, then click on Continue.
     
  • If a suspicious file is detected, the default action will be Skip; click on Continue.
     
  • If you are asked to reboot the computer to complete the process, click on the Reboot Now button. A report will be automatically saved at the root of the System drive (usually C:\) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt" (for example, C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt). Please copy and paste the contents of that file here.

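As an added example (not code from this thread, from the poster, or from Kaspersky), here is a small Python triage script for the text log that TDSSKiller writes. It parses the per-object file lines ("name (md5) path") and verdict lines ("name - ok"), reconciles the MBR and boot-sector objects (which log their hash under "MBR (0x1B8)" or "Boot (0x1200)" but their verdict under the device path), lists anything whose verdict is not "ok", and compares MD5s against a second log taken from a machine known to be clean at the same OS and patch level, so that a core file whose hash differs from the clean box becomes a lead to examine. The sample logs are constructed: the suspect one is stitched together from lines visible on this page, and the reference one uses a made-up hash for dhcpcsvc.dll so that the comparison has something to report. Treating any verdict other than "ok" as a finding is an assumption about TDSSKiller's wording, since the thread only shows clean results.

```python
"""Triage helper for TDSSKiller text logs (added example, not Kaspersky's code).

Recognised line shapes, as they appear in the log:
  <hh:mm:ss.ffff> <pid> <name> (<md5>) <image path>    file line
  <hh:mm:ss.ffff> <pid> <name> - <verdict>             verdict line
  <hh:mm:ss.ffff> <pid> Detected object count: <n>
"""
from __future__ import annotations

import re
from dataclasses import dataclass

_TS = r"(?P<ts>\d{2}:\d{2}:\d{2}\.\d{4})\s+(?P<pid>\d+)\s+"
# Names may contain spaces and parentheses ("MBR (0x1B8)", "... (IAM)"), so the
# name group is non-greedy and the match is anchored on the 32-hex MD5.
FILE_RE = re.compile(_TS + r"(?P<name>.+?)\s+\((?P<md5>[0-9a-f]{32})\)\s+(?P<path>.+)$")
VERDICT_RE = re.compile(_TS + r"(?P<name>.+?)\s+-\s+(?P<verdict>.+)$")
COUNT_RE = re.compile(_TS + r"Detected object count:\s*(?P<n>\d+)$")


@dataclass
class Entry:
    name: str
    md5: str | None = None
    path: str | None = None
    verdict: str | None = None


def parse_log(text: str) -> tuple[dict[str, Entry], int | None]:
    """Return ({name: Entry}, detected object count) for one TDSSKiller log."""
    entries: dict[str, Entry] = {}
    by_path: dict[str, Entry] = {}
    detected = None
    scanning = False  # objects only appear between "Scan started" and "Scan finished"
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("Scan started"):
            scanning = True
            continue
        if line.endswith("Scan finished"):
            scanning = False
            continue
        m = COUNT_RE.match(line)
        if m:
            detected = int(m["n"])
            continue
        if not scanning or not line:
            continue
        m = FILE_RE.match(line)
        if m:
            e = entries.setdefault(m["name"], Entry(m["name"]))
            e.md5, e.path = m["md5"], m["path"]
            by_path[e.path] = e
            continue
        m = VERDICT_RE.match(line)
        if m:
            # MBR/boot objects carry the verdict under the device path, not the name.
            e = entries.get(m["name"]) or by_path.get(m["name"])
            if e is None:
                e = entries.setdefault(m["name"], Entry(m["name"]))
            e.verdict = m["verdict"]
    return entries, detected


def suspicious(entries: dict[str, Entry]) -> list[Entry]:
    """Objects whose verdict is anything but "ok" (or that never received one)."""
    return [e for e in entries.values() if e.verdict != "ok"]


def hash_mismatches(suspect: dict[str, Entry], reference: dict[str, Entry]) -> list[tuple[str, str, str]]:
    """Same-named objects whose MD5 differs between two logs (suspect vs. clean box).

    A differing hash on a core component is a lead to examine, not a verdict by itself.
    """
    out = []
    for name, e in suspect.items():
        r = reference.get(name)
        if r and e.md5 and r.md5 and e.md5 != r.md5:
            out.append((name, e.md5, r.md5))
    return out


# Constructed sample: lines taken from logs visible on this page, stitched together.
SUSPECT_LOG = r"""
01:39:03.0109 4036 Scan started
01:39:03.0109 4036 Mode: Manual;
01:39:03.0296 4036 Abiosdsk - ok
01:39:05.0031 4036 Dhcp (5e38d7684a49cacfb752b046357e0589) J:\WINDOWS\System32\dhcpcsvc.dll
01:39:05.0031 4036 Dhcp - ok
01:39:05.0718 4036 ForceWare Intelligent Application Manager (IAM) (d22de8ef4077699837c07d47eb843a38) J:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
01:39:05.0734 4036 ForceWare Intelligent Application Manager (IAM) - ok
11:30:12.0765 1288 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
11:30:12.0890 1288 \Device\Harddisk0\DR0 - ok
11:30:12.0890 1288 Scan finished
11:30:12.0906 2816 Detected object count: 0
"""

# Constructed reference from a hypothetical clean machine; the dhcpcsvc.dll hash
# is made up so that the comparison has something to report.
REFERENCE_LOG = r"""
01:39:03.0109 4036 Scan started
01:39:05.0031 4036 Dhcp (0123456789abcdef0123456789abcdef) C:\WINDOWS\System32\dhcpcsvc.dll
01:39:05.0031 4036 Dhcp - ok
01:39:12.0890 4036 Scan finished
01:39:12.0906 4036 Detected object count: 0
"""

if __name__ == "__main__":
    entries, detected = parse_log(SUSPECT_LOG)
    print(f"objects: {len(entries)}, detected: {detected}, not-ok: {len(suspicious(entries))}")
    for name, ours, theirs in hash_mismatches(entries, parse_log(REFERENCE_LOG)[0]):
        print(f"hash differs for {name}: {ours} vs reference {theirs}")
```

Run it against a saved log with `parse_log(open(path).read())`; the hash comparison is most useful when the reference log comes from the same Windows version and service pack, because legitimate updates also change these hashes.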

Here is the generated log.

 

01:38:32.0734 3536 TDSS rootkit removing tool 2.7.32.0 Apr 23 2012 19:12:34

01:38:32.0750 3536 ============================================================

01:38:32.0750 3536 Current date / time: 2012/04/25 01:38:32.0750

01:38:32.0750 3536 SystemInfo:

01:38:32.0750 3536

01:38:32.0750 3536 OS Version: 5.1.2600 ServicePack: 3.0

01:38:32.0750 3536 Product type: Workstation

01:38:32.0750 3536 ComputerName: MEDIAPC

01:38:32.0750 3536 UserName: Mark Smith

01:38:32.0750 3536 Windows directory: J:\WINDOWS

01:38:32.0750 3536 System windows directory: J:\WINDOWS

01:38:32.0750 3536 Processor architecture: Intel x86

01:38:32.0750 3536 Number of processors: 2

01:38:32.0750 3536 Page size: 0x1000

01:38:32.0750 3536 Boot type: Normal boot

01:38:32.0750 3536 ============================================================

01:38:34.0328 3536 Drive \Device\Harddisk0\DR0 - Size: 0xE8E0DB6000 (931.51 Gb), SectorSize: 0x200, Cylinders: 0x1DB01, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054

01:38:34.0328 3536 Drive \Device\Harddisk1\DR4 - Size: 0x1DEC00000 (7.48 Gb), SectorSize: 0x200, Cylinders: 0x3D0, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'W'

01:38:34.0328 3536 ============================================================

01:38:34.0328 3536 \Device\Harddisk0\DR0:

01:38:34.0328 3536 MBR partitions:

01:38:34.0328 3536 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x74701AC1

01:38:34.0328 3536 \Device\Harddisk1\DR4:

01:38:34.0328 3536 MBR partitions:

01:38:34.0328 3536 \Device\Harddisk1\DR4\Partition0: MBR, Type 0xB, StartLBA 0x2000, BlocksNum 0xEF4000

01:38:34.0328 3536 ============================================================

01:38:34.0343 3536 J: <-> \Device\Harddisk0\DR0\Partition0

01:38:34.0343 3536 ============================================================

01:38:34.0343 3536 Initialize success

01:38:34.0343 3536 ============================================================

01:39:03.0109 4036 ============================================================

01:39:03.0109 4036 Scan started

01:39:03.0109 4036 Mode: Manual;

01:39:03.0109 4036 ============================================================

01:39:03.0281 4036 61883 (914a9709fc3bf419ad2f85547f2a4832) J:\WINDOWS\system32\DRIVERS\61883.sys

01:39:03.0281 4036 61883 - ok

01:39:03.0296 4036 Abiosdsk - ok

01:39:03.0296 4036 abp480n5 - ok

01:39:03.0343 4036 ACPI (8fd99680a539792a30e97944fdaecf17) J:\WINDOWS\system32\DRIVERS\ACPI.sys

01:39:03.0343 4036 ACPI - ok

01:39:03.0359 4036 ACPIEC (9859c0f6936e723e4892d7141b1327d5) J:\WINDOWS\system32\drivers\ACPIEC.sys

01:39:03.0359 4036 ACPIEC - ok

01:39:03.0437 4036 AdobeActiveFileMonitor8.0 (4451cc2275b04043ec2bcc757af97291) J:\Program Files\Adobe\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe

01:39:03.0453 4036 AdobeActiveFileMonitor8.0 - ok

01:39:03.0453 4036 adpu160m - ok

01:39:03.0468 4036 aec (8bed39e3c35d6a489438b8141717a557) J:\WINDOWS\system32\drivers\aec.sys

01:39:03.0468 4036 aec - ok

01:39:03.0500 4036 AegisP (8d155386b3b032ea7513e19f8c8f80a7) J:\WINDOWS\system32\DRIVERS\AegisP.sys

01:39:03.0500 4036 AegisP - ok

01:39:03.0546 4036 AFD (1e44bc1e83d8fd2305f8d452db109cf9) J:\WINDOWS\System32\drivers\afd.sys

01:39:03.0546 4036 AFD - ok

01:39:03.0546 4036 Aha154x - ok

01:39:03.0562 4036 aic78u2 - ok

01:39:03.0562 4036 aic78xx - ok

01:39:03.0703 4036 ALCXWDM (dd8520280304b6145a6be31008748c7c) J:\WINDOWS\system32\drivers\ALCXWDM.SYS

01:39:03.0765 4036 ALCXWDM - ok

01:39:03.0812 4036 Alerter (a9a3daa780ca6c9671a19d52456705b4) J:\WINDOWS\system32\alrsvc.dll

01:39:03.0812 4036 Alerter - ok

01:39:03.0828 4036 ALG (8c515081584a38aa007909cd02020b3d) J:\WINDOWS\System32\alg.exe

01:39:03.0828 4036 ALG - ok

01:39:03.0843 4036 AliIde - ok

01:39:03.0843 4036 amsint - ok

01:39:03.0921 4036 Apple Mobile Device (3debbecf665dcdde3a95d9b902010817) J:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe

01:39:03.0921 4036 Apple Mobile Device - ok

01:39:03.0921 4036 AppMgmt - ok

01:39:03.0953 4036 Arp1394 (b5b8a80875c1dededa8b02765642c32f) J:\WINDOWS\system32\DRIVERS\arp1394.sys

01:39:03.0953 4036 Arp1394 - ok

01:39:03.0953 4036 asc - ok

01:39:03.0953 4036 asc3350p - ok

01:39:03.0968 4036 asc3550 - ok

01:39:04.0031 4036 aspnet_state (0e5e4957549056e2bf2c49f4f6b601ad) J:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe

01:39:04.0031 4036 aspnet_state - ok

01:39:04.0031 4036 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) J:\WINDOWS\system32\DRIVERS\asyncmac.sys

01:39:04.0031 4036 AsyncMac - ok

01:39:04.0062 4036 atapi (9f3a2f5aa6875c72bf062c712cfa2674) J:\WINDOWS\system32\DRIVERS\atapi.sys

01:39:04.0062 4036 atapi - ok

01:39:04.0062 4036 Atdisk - ok

01:39:04.0109 4036 Ati HotKey Poller (960c1a7a04b5b029fc1584f8ce708f20) J:\WINDOWS\system32\Ati2evxx.exe

01:39:04.0125 4036 Ati HotKey Poller - ok

01:39:04.0171 4036 ATI Smart (ca2033c7c5491b12c628a1cfdb99d75e) J:\WINDOWS\system32\ati2sgag.exe

01:39:04.0171 4036 ATI Smart - ok

01:39:04.0234 4036 ati2mtag (9a6bfd014090c96a2f3708d98e5a3f40) J:\WINDOWS\system32\DRIVERS\ati2mtag.sys

01:39:04.0250 4036 ati2mtag - ok

01:39:04.0312 4036 AtiHdmiService (dc6957811ff95f2dd3004361b20d8d3f) J:\WINDOWS\system32\drivers\AtiHdmi.sys

01:39:04.0312 4036 AtiHdmiService - ok

01:39:04.0328 4036 Atmarpc (9916c1225104ba14794209cfa8012159) J:\WINDOWS\system32\DRIVERS\atmarpc.sys

01:39:04.0328 4036 Atmarpc - ok

01:39:04.0343 4036 AudioSrv (def7a7882bec100fe0b2ce2549188f9d) J:\WINDOWS\System32\audiosrv.dll

01:39:04.0343 4036 AudioSrv - ok

01:39:04.0359 4036 audstub (d9f724aa26c010a217c97606b160ed68) J:\WINDOWS\system32\DRIVERS\audstub.sys

01:39:04.0359 4036 audstub - ok

01:39:04.0375 4036 Avc (f8e6956a614f15a0860474c5e2a7de6b) J:\WINDOWS\system32\DRIVERS\avc.sys

01:39:04.0375 4036 Avc - ok

01:39:04.0375 4036 bcoreusb - ok

01:39:04.0406 4036 Beep (da1f27d85e0d1525f6621372e7b685e9) J:\WINDOWS\system32\drivers\Beep.sys

01:39:04.0421 4036 Beep - ok

01:39:04.0453 4036 BITS (574738f61fca2935f5265dc4e5691314) J:\WINDOWS\system32\qmgr.dll

01:39:04.0515 4036 BITS - ok

01:39:04.0593 4036 Bonjour Service (db5bea73edaf19ac68b2c0fad0f92b1a) J:\Program Files\Bonjour\mDNSResponder.exe

01:39:04.0609 4036 Bonjour Service - ok

01:39:04.0609 4036 Browser (a06ce3399d16db864f55faeb1f1927a9) J:\WINDOWS\System32\browser.dll

01:39:04.0625 4036 Browser - ok

01:39:04.0656 4036 catchme - ok

01:39:04.0656 4036 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) J:\WINDOWS\system32\drivers\cbidf2k.sys

01:39:04.0656 4036 cbidf2k - ok

01:39:04.0671 4036 CCDECODE (0be5aef125be881c4f854c554f2b025c) J:\WINDOWS\system32\DRIVERS\CCDECODE.sys

01:39:04.0671 4036 CCDECODE - ok

01:39:04.0671 4036 cd20xrnt - ok

01:39:04.0687 4036 Cdaudio (c1b486a7658353d33a10cc15211a873b) J:\WINDOWS\system32\drivers\Cdaudio.sys

01:39:04.0687 4036 Cdaudio - ok

01:39:04.0703 4036 Cdfs (c885b02847f5d2fd45a24e219ed93b32) J:\WINDOWS\system32\drivers\Cdfs.sys

01:39:04.0718 4036 Cdfs - ok

01:39:04.0734 4036 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) J:\WINDOWS\system32\DRIVERS\cdrom.sys

01:39:04.0734 4036 Cdrom - ok

01:39:04.0734 4036 Changer - ok

01:39:04.0750 4036 CiSvc (1cfe720eb8d93a7158a4ebc3ab178bde) J:\WINDOWS\system32\cisvc.exe

01:39:04.0750 4036 CiSvc - ok

01:39:04.0750 4036 ClipSrv (34cbe729f38138217f9c80212a2a0c82) J:\WINDOWS\system32\clipsrv.exe

01:39:04.0750 4036 ClipSrv - ok

01:39:04.0828 4036 clr_optimization_v2.0.50727_32 (d87acaed61e417bba546ced5e7e36d9c) J:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

01:39:04.0906 4036 clr_optimization_v2.0.50727_32 - ok

01:39:04.0906 4036 CmdIde - ok

01:39:04.0906 4036 COMSysApp - ok

01:39:04.0921 4036 Cpqarray - ok

01:39:04.0937 4036 CryptSvc (3d4e199942e29207970e04315d02ad3b) J:\WINDOWS\System32\cryptsvc.dll

01:39:04.0953 4036 CryptSvc - ok

01:39:04.0953 4036 dac2w2k - ok

01:39:04.0953 4036 dac960nt - ok

01:39:04.0984 4036 DcomLaunch (6b27a5c03dfb94b4245739065431322c) J:\WINDOWS\system32\rpcss.dll

01:39:05.0000 4036 DcomLaunch - ok

01:39:05.0031 4036 Dhcp (5e38d7684a49cacfb752b046357e0589) J:\WINDOWS\System32\dhcpcsvc.dll

01:39:05.0031 4036 Dhcp - ok

01:39:05.0046 4036 Disk (044452051f3e02e7963599fc8f4f3e25) J:\WINDOWS\system32\DRIVERS\disk.sys

01:39:05.0046 4036 Disk - ok

01:39:05.0046 4036 dmadmin - ok

01:39:05.0093 4036 dmboot (d992fe1274bde0f84ad826acae022a41) J:\WINDOWS\system32\drivers\dmboot.sys

01:39:05.0109 4036 dmboot - ok

01:39:05.0125 4036 dmio (7c824cf7bbde77d95c08005717a95f6f) J:\WINDOWS\system32\drivers\dmio.sys

01:39:05.0125 4036 dmio - ok

01:39:05.0125 4036 dmload (e9317282a63ca4d188c0df5e09c6ac5f) J:\WINDOWS\system32\drivers\dmload.sys

01:39:05.0125 4036 dmload - ok

01:39:05.0140 4036 dmserver (57edec2e5f59f0335e92f35184bc8631) J:\WINDOWS\System32\dmserver.dll

01:39:05.0140 4036 dmserver - ok

01:39:05.0171 4036 DMusic (8a208dfcf89792a484e76c40e5f50b45) J:\WINDOWS\system32\drivers\DMusic.sys

01:39:05.0171 4036 DMusic - ok

01:39:05.0203 4036 Dnscache (5f7e24fa9eab896051ffb87f840730d2) J:\WINDOWS\System32\dnsrslvr.dll

01:39:05.0218 4036 Dnscache - ok

01:39:05.0250 4036 Dot3svc (0f0f6e687e5e15579ef4da8dd6945814) J:\WINDOWS\System32\dot3svc.dll

01:39:05.0250 4036 Dot3svc - ok

01:39:05.0250 4036 dpti2o - ok

01:39:05.0250 4036 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) J:\WINDOWS\system32\drivers\drmkaud.sys

01:39:05.0265 4036 drmkaud - ok

01:39:05.0296 4036 EapHost (2187855a7703adef0cef9ee4285182cc) J:\WINDOWS\System32\eapsvc.dll

01:39:05.0296 4036 EapHost - ok

01:39:05.0296 4036 ERSvc (bc93b4a066477954555966d77fec9ecb) J:\WINDOWS\System32\ersvc.dll

01:39:05.0296 4036 ERSvc - ok

01:39:05.0328 4036 eusk2par (f7955f5273f7ca5da13ebeef4f736c44) J:\WINDOWS\system32\Drivers\eusk2par.sys

01:39:05.0328 4036 eusk2par - ok

01:39:05.0343 4036 eusk3usb (988e553a4fe340c281376bee5b5c6222) J:\WINDOWS\system32\Drivers\eusk3usb.sys

01:39:05.0343 4036 eusk3usb - ok

01:39:05.0375 4036 Eventlog (65df52f5b8b6e9bbd183505225c37315) J:\WINDOWS\system32\services.exe

01:39:05.0375 4036 Eventlog - ok

01:39:05.0390 4036 EventSystem (d4991d98f2db73c60d042f1aef79efae) J:\WINDOWS\system32\es.dll

01:39:05.0390 4036 EventSystem - ok

01:39:05.0406 4036 Fastfat (38d332a6d56af32635675f132548343e) J:\WINDOWS\system32\drivers\Fastfat.sys

01:39:05.0406 4036 Fastfat - ok

01:39:05.0453 4036 FastUserSwitchingCompatibility (99bc0b50f511924348be19c7c7313bbf) J:\WINDOWS\System32\shsvcs.dll

01:39:05.0453 4036 FastUserSwitchingCompatibility - ok

01:39:05.0468 4036 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) J:\WINDOWS\system32\drivers\Fdc.sys

01:39:05.0468 4036 Fdc - ok

01:39:05.0468 4036 Fips (d45926117eb9fa946a6af572fbe1caa3) J:\WINDOWS\system32\drivers\Fips.sys

01:39:05.0468 4036 Fips - ok

01:39:05.0546 4036 FLEXnet Licensing Service (abedfd48ac042c6aaad32452e77217a1) J:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

01:39:05.0562 4036 FLEXnet Licensing Service - ok

01:39:05.0562 4036 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) J:\WINDOWS\system32\drivers\Flpydisk.sys

01:39:05.0562 4036 Flpydisk - ok

01:39:05.0593 4036 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) J:\WINDOWS\system32\drivers\fltmgr.sys

01:39:05.0593 4036 FltMgr - ok

01:39:05.0687 4036 FontCache3.0.0.0 (8ba7c024070f2b7fdd98ed8a4ba41789) j:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe

01:39:05.0687 4036 FontCache3.0.0.0 - ok

01:39:05.0718 4036 ForceWare Intelligent Application Manager (IAM) (d22de8ef4077699837c07d47eb843a38) J:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe

01:39:05.0734 4036 ForceWare Intelligent Application Manager (IAM) - ok

01:39:05.0750 4036 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) J:\WINDOWS\system32\drivers\Fs_Rec.sys

01:39:05.0750 4036 Fs_Rec - ok

01:39:05.0765 4036 Ftdisk (6ac26732762483366c3969c9e4d2259d) J:\WINDOWS\system32\DRIVERS\ftdisk.sys

01:39:05.0765 4036 Ftdisk - ok

01:39:05.0796 4036 gameenum (065639773d8b03f33577f6cdaea21063) J:\WINDOWS\system32\DRIVERS\gameenum.sys

01:39:05.0796 4036 gameenum - ok

01:39:05.0828 4036 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) J:\WINDOWS\system32\Drivers\GEARAspiWDM.sys

01:39:05.0828 4036 GEARAspiWDM - ok

01:39:05.0828 4036 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) J:\WINDOWS\system32\DRIVERS\msgpc.sys

01:39:05.0828 4036 Gpc - ok

01:39:05.0875 4036 GTNDIS5 (fc80052194d5708254a346568f0e77c0) J:\WINDOWS\system32\GTNDIS5.SYS

01:39:05.0875 4036 GTNDIS5 - ok

01:39:05.0921 4036 gusvc (cc839e8d766cc31a7710c9f38cf3e375) J:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

01:39:05.0921 4036 gusvc - ok

01:39:05.0968 4036 HdAudAddService (56bf27d7a539f9e6bbc1de201aba0edf) J:\WINDOWS\system32\drivers\AtiHdAud.sys

01:39:05.0968 4036 HdAudAddService - ok

01:39:05.0984 4036 HDAudBus (573c7d0a32852b48f3058cfd8026f511) J:\WINDOWS\system32\DRIVERS\HDAudBus.sys

01:39:05.0984 4036 HDAudBus - ok

01:39:06.0015 4036 helpsvc (4fcca060dfe0c51a09dd5c3843888bcd) J:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll

01:39:06.0015 4036 helpsvc - ok

01:39:06.0015 4036 HidServ (deb04da35cc871b6d309b77e1443c796) J:\WINDOWS\System32\hidserv.dll

01:39:06.0015 4036 HidServ - ok

01:39:06.0031 4036 hidusb (ccf82c5ec8a7326c3066de870c06daf1) J:\WINDOWS\system32\DRIVERS\hidusb.sys

01:39:06.0031 4036 hidusb - ok

01:39:06.0062 4036 hkmsvc (8878bd685e490239777bfe51320b88e9) J:\WINDOWS\System32\kmsvc.dll

01:39:06.0062 4036 hkmsvc - ok

01:39:06.0062 4036 hpn - ok

01:39:06.0109 4036 hpqcxs08 (0a3c6aa4a9fc38c20ba4eac2c3351c05) J:\Program Files\HP\Digital Imaging\bin\hpqcxs08.dll

01:39:06.0125 4036 hpqcxs08 - ok

01:39:06.0140 4036 hpqddsvc (df446ba625cc441617843e87798ce048) J:\Program Files\HP\Digital Imaging\bin\hpqddsvc.dll

01:39:06.0140 4036 hpqddsvc - ok

01:39:06.0171 4036 HPZid412 (d03d10f7ded688fecf50f8fbf1ea9b8a) J:\WINDOWS\system32\DRIVERS\HPZid412.sys

01:39:06.0171 4036 HPZid412 - ok

01:39:06.0187 4036 HPZipr12 (89f41658929393487b6b7d13c8528ce3) J:\WINDOWS\system32\DRIVERS\HPZipr12.sys

01:39:06.0187 4036 HPZipr12 - ok

01:39:06.0203 4036 HPZius12 (abcb05ccdbf03000354b9553820e39f8) J:\WINDOWS\system32\DRIVERS\HPZius12.sys

01:39:06.0218 4036 HPZius12 - ok

01:39:06.0250 4036 HTTP (f80a415ef82cd06ffaf0d971528ead38) J:\WINDOWS\system32\Drivers\HTTP.sys

01:39:06.0265 4036 HTTP - ok

01:39:06.0296 4036 HTTPFilter (6100a808600f44d999cebdef8841c7a3) J:\WINDOWS\System32\w3ssl.dll

01:39:06.0296 4036 HTTPFilter - ok

01:39:06.0312 4036 i2omgmt - ok

01:39:06.0312 4036 i2omp - ok

01:39:06.0328 4036 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) J:\WINDOWS\system32\drivers\i8042prt.sys

01:39:06.0328 4036 i8042prt - ok

01:39:06.0390 4036 IDriverT (1cf03c69b49acb70c722df92755c0c8c) J:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

01:39:06.0390 4036 IDriverT - ok

01:39:06.0515 4036 idsvc (c01ac32dc5c03076cfb852cb5da5229c) j:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe

01:39:06.0546 4036 idsvc - ok

01:39:06.0562 4036 Imapi (083a052659f5310dd8b6a6cb05edcf8e) J:\WINDOWS\system32\DRIVERS\imapi.sys

01:39:06.0562 4036 Imapi - ok

01:39:06.0578 4036 ImapiService (30deaf54a9755bb8546168cfe8a6b5e1) J:\WINDOWS\system32\imapi.exe

01:39:06.0578 4036 ImapiService - ok

01:39:06.0578 4036 ini910u - ok

01:39:06.0593 4036 IntelIde - ok

01:39:06.0609 4036 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) J:\WINDOWS\system32\drivers\ip6fw.sys

01:39:06.0609 4036 Ip6Fw - ok

01:39:06.0625 4036 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) J:\WINDOWS\system32\DRIVERS\ipfltdrv.sys

01:39:06.0640 4036 IpFilterDriver - ok

01:39:06.0656 4036 IpInIp (b87ab476dcf76e72010632b5550955f5) J:\WINDOWS\system32\DRIVERS\ipinip.sys

01:39:06.0656 4036 IpInIp - ok

01:39:06.0671 4036 IpNat (cc748ea12c6effde940ee98098bf96bb) J:\WINDOWS\system32\DRIVERS\ipnat.sys

01:39:06.0671 4036 IpNat - ok

01:39:06.0750 4036 iPod Service (49918803b661367023bf325cf602afdc) J:\Program Files\iPod\bin\iPodService.exe

01:39:06.0765 4036 iPod Service - ok

01:39:06.0781 4036 IPSec (23c74d75e36e7158768dd63d92789a91) J:\WINDOWS\system32\DRIVERS\ipsec.sys

01:39:06.0781 4036 IPSec - ok

01:39:06.0796 4036 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) J:\WINDOWS\system32\DRIVERS\irenum.sys

01:39:06.0796 4036 IRENUM - ok

01:39:06.0812 4036 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) J:\WINDOWS\system32\DRIVERS\isapnp.sys

01:39:06.0812 4036 isapnp - ok

01:39:06.0859 4036 JavaQuickStarterService (1834c96fb1f9280bcf6ddfa6de8338bf) J:\Program Files\Java\jre6\bin\jqs.exe

01:39:06.0859 4036 JavaQuickStarterService - ok

01:39:06.0875 4036 Kbdclass (463c1ec80cd17420a542b7f36a36f128) J:\WINDOWS\system32\DRIVERS\kbdclass.sys

01:39:06.0875 4036 Kbdclass - ok

01:39:06.0875 4036 kbdhid (9ef487a186dea361aa06913a75b3fa99) J:\WINDOWS\system32\DRIVERS\kbdhid.sys

01:39:06.0875 4036 kbdhid - ok

01:39:06.0906 4036 kmixer (692bcf44383d056aed41b045a323d378) J:\WINDOWS\system32\drivers\kmixer.sys

01:39:06.0906 4036 kmixer - ok

01:39:06.0921 4036 KSecDD (b467646c54cc746128904e1654c750c1) J:\WINDOWS\system32\drivers\KSecDD.sys

01:39:06.0921 4036 KSecDD - ok

01:39:06.0937 4036 lanmanserver (3a7c3cbe5d96b8ae96ce81f0b22fb527) J:\WINDOWS\System32\srvsvc.dll

01:39:06.0953 4036 lanmanserver - ok

01:39:06.0953 4036 lanmanworkstation (a8888a5327621856c0cec4e385f69309) J:\WINDOWS\System32\wkssvc.dll

01:39:06.0968 4036 lanmanworkstation - ok

01:39:06.0984 4036 LBeepKE (be2dc24d403643a2d1d98f33c7087b38) J:\WINDOWS\system32\Drivers\LBeepKE.sys

01:39:06.0984 4036 LBeepKE - ok

01:39:06.0984 4036 lbrtfdc - ok

01:39:07.0046 4036 LBTServ (910344e2a984010435ae84783b25e5eb) J:\Program Files\Common Files\LogiShrd\Bluetooth\lbtserv.exe

01:39:07.0046 4036 LBTServ - ok

01:39:07.0078 4036 LEqdUsb (717e6714bca808f2a372e636aff3d15a) J:\WINDOWS\system32\Drivers\LEqdUsb.Sys

01:39:07.0078 4036 LEqdUsb - ok

01:39:07.0093 4036 LHidEqd (2786f7b4003adff88ce28bc1800b5407) J:\WINDOWS\system32\Drivers\LHidEqd.Sys

01:39:07.0093 4036 LHidEqd - ok

01:39:07.0109 4036 LHidFilt (01cc7fb6e790ef044b411377f3a1ff41) J:\WINDOWS\system32\DRIVERS\LHidFilt.Sys

01:39:07.0109 4036 LHidFilt - ok

01:39:07.0140 4036 LmHosts (a7db739ae99a796d91580147e919cc59) J:\WINDOWS\System32\lmhsvc.dll

01:39:07.0140 4036 LmHosts - ok

01:39:07.0140 4036 LMouFilt (a2e7eae8898d7b4b8c302b8f4e836bb5) J:\WINDOWS\system32\DRIVERS\LMouFilt.Sys

01:39:07.0140 4036 LMouFilt - ok

01:39:07.0187 4036 Messenger (986b1ff5814366d71e0ac5755c88f2d3) J:\WINDOWS\System32\msgsvc.dll

01:39:07.0187 4036 Messenger - ok

01:39:07.0203 4036 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) J:\WINDOWS\system32\drivers\mnmdd.sys

01:39:07.0203 4036 mnmdd - ok

01:39:07.0218 4036 mnmsrvc (d18f1f0c101d06a1c1adf26eed16fcdd) J:\WINDOWS\system32\mnmsrvc.exe

01:39:07.0218 4036 mnmsrvc - ok

01:39:07.0234 4036 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) J:\WINDOWS\system32\drivers\Modem.sys

01:39:07.0250 4036 Modem - ok

01:39:07.0250 4036 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) J:\WINDOWS\system32\DRIVERS\mouclass.sys

01:39:07.0250 4036 Mouclass - ok

01:39:07.0265 4036 mouhid (b1c303e17fb9d46e87a98e4ba6769685) J:\WINDOWS\system32\DRIVERS\mouhid.sys

01:39:07.0265 4036 mouhid - ok

01:39:07.0265 4036 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) J:\WINDOWS\system32\drivers\MountMgr.sys

01:39:07.0281 4036 MountMgr - ok

01:39:07.0281 4036 mraid35x - ok

01:39:07.0296 4036 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) J:\WINDOWS\system32\DRIVERS\mrxdav.sys

01:39:07.0296 4036 MRxDAV - ok

01:39:07.0359 4036 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) J:\WINDOWS\system32\DRIVERS\mrxsmb.sys

01:39:07.0359 4036 MRxSmb - ok

01:39:07.0390 4036 MSDTC (a137f1470499a205abbb9aafb3b6f2b1) J:\WINDOWS\system32\msdtc.exe

01:39:07.0390 4036 MSDTC - ok

01:39:07.0421 4036 MSDV (1477849772712bac69c144dcf2c9ce81) J:\WINDOWS\system32\DRIVERS\msdv.sys

01:39:07.0421 4036 MSDV - ok

01:39:07.0421 4036 Msfs (c941ea2454ba8350021d774daf0f1027) J:\WINDOWS\system32\drivers\Msfs.sys

01:39:07.0421 4036 Msfs - ok

01:39:07.0437 4036 MSIServer - ok

01:39:07.0437 4036 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) J:\WINDOWS\system32\drivers\MSKSSRV.sys

01:39:07.0437 4036 MSKSSRV - ok

01:39:07.0453 4036 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) J:\WINDOWS\system32\drivers\MSPCLOCK.sys

01:39:07.0453 4036 MSPCLOCK - ok

01:39:07.0453 4036 MSPQM (bad59648ba099da4a17680b39730cb3d) J:\WINDOWS\system32\drivers\MSPQM.sys

01:39:07.0453 4036 MSPQM - ok

01:39:07.0453 4036 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) J:\WINDOWS\system32\DRIVERS\mssmbios.sys

01:39:07.0468 4036 mssmbios - ok

01:39:07.0468 4036 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) J:\WINDOWS\system32\drivers\MSTEE.sys

01:39:07.0468 4036 MSTEE - ok

01:39:07.0500 4036 ms_mpu401 (ca3e22598f411199adc2dfee76cd0ae0) J:\WINDOWS\system32\drivers\msmpu401.sys

01:39:07.0500 4036 ms_mpu401 - ok

01:39:07.0515 4036 Mup (de6a75f5c270e756c5508d94b6cf68f5) J:\WINDOWS\system32\drivers\Mup.sys

01:39:07.0515 4036 Mup - ok

01:39:07.0515 4036 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) J:\WINDOWS\system32\DRIVERS\NABTSFEC.sys

01:39:07.0531 4036 NABTSFEC - ok

01:39:07.0546 4036 napagent (0102140028fad045756796e1c685d695) J:\WINDOWS\System32\qagentrt.dll

01:39:07.0562 4036 napagent - ok

01:39:07.0593 4036 NDIS (1df7f42665c94b825322fae71721130d) J:\WINDOWS\system32\drivers\NDIS.sys

01:39:07.0593 4036 NDIS - ok

01:39:07.0609 4036 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) J:\WINDOWS\system32\DRIVERS\NdisIP.sys

01:39:07.0609 4036 NdisIP - ok

01:39:07.0625 4036 NdisTapi (0109c4f3850dfbab279542515386ae22) J:\WINDOWS\system32\DRIVERS\ndistapi.sys

01:39:07.0625 4036 NdisTapi - ok

01:39:07.0640 4036 Ndisuio (f927a4434c5028758a842943ef1a3849) J:\WINDOWS\system32\DRIVERS\ndisuio.sys

01:39:07.0640 4036 Ndisuio - ok

01:39:07.0640 4036 NdisWan (edc1531a49c80614b2cfda43ca8659ab) J:\WINDOWS\system32\DRIVERS\ndiswan.sys

01:39:07.0656 4036 NdisWan - ok

01:39:07.0656 4036 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) J:\WINDOWS\system32\drivers\NDProxy.sys

01:39:07.0656 4036 NDProxy - ok

01:39:07.0687 4036 Net Driver HPZ12 (2969d26eee289be7422aa46fc55f4e38) J:\WINDOWS\system32\HPZinw12.dll

01:39:07.0687 4036 Net Driver HPZ12 - ok

01:39:07.0703 4036 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) J:\WINDOWS\system32\DRIVERS\netbios.sys

01:39:07.0703 4036 NetBIOS - ok

01:39:07.0734 4036 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) J:\WINDOWS\system32\DRIVERS\netbt.sys

01:39:07.0734 4036 NetBT - ok

01:39:07.0765 4036 NetDDE (b857ba82860d7ff85ae29b095645563b) J:\WINDOWS\system32\netdde.exe

01:39:07.0765 4036 NetDDE - ok

01:39:07.0765 4036 NetDDEdsdm (b857ba82860d7ff85ae29b095645563b) J:\WINDOWS\system32\netdde.exe

01:39:07.0765 4036 NetDDEdsdm - ok

01:39:07.0796 4036 Netlogon (bf2466b3e18e970d8a976fb95fc1ca85) J:\WINDOWS\system32\lsass.exe

01:39:07.0796 4036 Netlogon - ok

01:39:07.0812 4036 Netman (13e67b55b3abd7bf3fe7aae5a0f9a9de) J:\WINDOWS\System32\netman.dll

01:39:07.0812 4036 Netman - ok

01:39:07.0906 4036 NetTcpPortSharing (d34612c5d02d026535b3095d620626ae) j:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe

01:39:07.0921 4036 NetTcpPortSharing - ok

01:39:07.0921 4036 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) J:\WINDOWS\system32\DRIVERS\nic1394.sys

01:39:07.0921 4036 NIC1394 - ok

01:39:07.0968 4036 Nla (943337d786a56729263071623bbb9de5) J:\WINDOWS\System32\mswsock.dll

01:39:07.0968 4036 Nla - ok

01:39:07.0984 4036 nm (1e421a6bcf2203cc61b821ada9de878b) J:\WINDOWS\system32\DRIVERS\NMnt.sys

01:39:07.0984 4036 nm - ok

01:39:07.0984 4036 Npfs (3182d64ae053d6fb034f44b6def8034a) J:\WINDOWS\system32\drivers\Npfs.sys

01:39:07.0984 4036 Npfs - ok

01:39:08.0078 4036 nSvcIp (7a1c8633f57fa89553d4edc3507ba4c3) J:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe

01:39:08.0078 4036 nSvcIp - ok

01:39:08.0093 4036 nSvcLog (e3d66b843755ac586c6622af4efa662c) J:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe

01:39:08.0109 4036 nSvcLog - ok

01:39:08.0125 4036 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) J:\WINDOWS\system32\drivers\Ntfs.sys

01:39:08.0140 4036 Ntfs - ok

01:39:08.0140 4036 NtLmSsp (bf2466b3e18e970d8a976fb95fc1ca85) J:\WINDOWS\system32\lsass.exe

01:39:08.0140 4036 NtLmSsp - ok

01:39:08.0187 4036 NtmsSvc (156f64a3345bd23c600655fb4d10bc08) J:\WINDOWS\system32\ntmssvc.dll

01:39:08.0187 4036 NtmsSvc - ok

01:39:08.0218 4036 Null (73c1e1f395918bc2c6dd67af7591a3ad) J:\WINDOWS\system32\drivers\Null.sys

01:39:08.0218 4036 Null - ok

01:39:08.0250 4036 nvax (f3d3015e52f2732042197d4edcaac2cb) J:\WINDOWS\system32\drivers\nvax.sys

01:39:08.0250 4036 nvax - ok

01:39:08.0250 4036 NVENETFD (97724affdd7a5a47c3bc07ccd1b88745) J:\WINDOWS\system32\DRIVERS\NVENETFD.sys

01:39:08.0265 4036 NVENETFD - ok

01:39:08.0281 4036 nvnetbus (82c2b3a89b9edfa6287c5aba1a4e6a99) J:\WINDOWS\system32\DRIVERS\nvnetbus.sys

01:39:08.0281 4036 nvnetbus - ok

01:39:08.0312 4036 nvnforce (6d6fd2b7035d415621acaf1e555c8b90) J:\WINDOWS\system32\drivers\nvapu.sys

01:39:08.0328 4036 nvnforce - ok

01:39:08.0343 4036 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) J:\WINDOWS\system32\DRIVERS\nwlnkflt.sys

01:39:08.0343 4036 NwlnkFlt - ok

01:39:08.0343 4036 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) J:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys

01:39:08.0359 4036 NwlnkFwd - ok

01:39:08.0359 4036 ohci1394 (ca33832df41afb202ee7aeb05145922f) J:\WINDOWS\system32\DRIVERS\ohci1394.sys

01:39:08.0359 4036 ohci1394 - ok

01:39:08.0406 4036 ose (9d10f99a6712e28f8acd5641e3a7ea6b) J:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE

01:39:08.0406 4036 ose - ok

01:39:08.0578 4036 osppsvc (358a9cca612c68eb2f07ddad4ce1d8d7) J:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE

01:39:08.0671 4036 osppsvc - ok

01:39:08.0734 4036 Parport (5575faf8f97ce5e713d108c2a58d7c7c) J:\WINDOWS\system32\DRIVERS\parport.sys

01:39:08.0734 4036 Parport - ok

01:39:08.0734 4036 PartMgr (beb3ba25197665d82ec7065b724171c6) J:\WINDOWS\system32\drivers\PartMgr.sys

01:39:08.0734 4036 PartMgr - ok

01:39:08.0765 4036 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) J:\WINDOWS\system32\drivers\ParVdm.sys

01:39:08.0765 4036 ParVdm - ok

01:39:08.0765 4036 PCI (a219903ccf74233761d92bef471a07b1) J:\WINDOWS\system32\DRIVERS\pci.sys

01:39:08.0781 4036 PCI - ok

01:39:08.0781 4036 PCIDump - ok

01:39:08.0812 4036 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) J:\WINDOWS\system32\DRIVERS\pciide.sys

01:39:08.0812 4036 PCIIde - ok

01:39:08.0828 4036 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) J:\WINDOWS\system32\drivers\Pcmcia.sys

01:39:08.0828 4036 Pcmcia - ok

01:39:08.0828 4036 PDCOMP - ok

01:39:08.0843 4036 PDFRAME - ok

01:39:08.0843 4036 PDRELI - ok

01:39:08.0859 4036 PDRFRAME - ok

01:39:08.0859 4036 perc2 - ok

01:39:08.0875 4036 perc2hib - ok

01:39:08.0906 4036 PlugPlay (65df52f5b8b6e9bbd183505225c37315) J:\WINDOWS\system32\services.exe

01:39:08.0921 4036 PlugPlay - ok

01:39:08.0953 4036 Pml Driver HPZ12 (bafc9706bdf425a02b66468ab2605c59) J:\WINDOWS\system32\HPZipm12.dll

01:39:08.0953 4036 Pml Driver HPZ12 - ok

01:39:08.0968 4036 PolicyAgent (bf2466b3e18e970d8a976fb95fc1ca85) J:\WINDOWS\system32\lsass.exe

01:39:08.0968 4036 PolicyAgent - ok

01:39:08.0968 4036 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) J:\WINDOWS\system32\DRIVERS\raspptp.sys

01:39:08.0968 4036 PptpMiniport - ok

01:39:08.0984 4036 Processor (a32bebaf723557681bfc6bd93e98bd26) J:\WINDOWS\system32\DRIVERS\processr.sys

01:39:08.0984 4036 Processor - ok

01:39:09.0000 4036 ProtectedStorage (bf2466b3e18e970d8a976fb95fc1ca85) J:\WINDOWS\system32\lsass.exe

01:39:09.0000 4036 ProtectedStorage - ok

01:39:09.0000 4036 PSched (09298ec810b07e5d582cb3a3f9255424) J:\WINDOWS\system32\DRIVERS\psched.sys

01:39:09.0000 4036 PSched - ok

01:39:09.0031 4036 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) J:\WINDOWS\system32\DRIVERS\ptilink.sys

01:39:09.0031 4036 Ptilink - ok

01:39:09.0046 4036 PxHelp20 (153d02480a0a2f45785522e814c634b6) J:\WINDOWS\system32\Drivers\PxHelp20.sys

01:39:09.0046 4036 PxHelp20 - ok

01:39:09.0046 4036 ql1080 - ok

01:39:09.0046 4036 Ql10wnt - ok

01:39:09.0062 4036 ql12160 - ok

01:39:09.0062 4036 ql1240 - ok

01:39:09.0078 4036 ql1280 - ok

01:39:09.0093 4036 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) J:\WINDOWS\system32\DRIVERS\rasacd.sys

01:39:09.0093 4036 RasAcd - ok

01:39:09.0140 4036 RasAuto (ad188be7bdf94e8df4ca0a55c00a5073) J:\WINDOWS\System32\rasauto.dll

01:39:09.0140 4036 RasAuto - ok

01:39:09.0140 4036 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) J:\WINDOWS\system32\DRIVERS\rasl2tp.sys

01:39:09.0140 4036 Rasl2tp - ok

01:39:09.0187 4036 RasMan (76a9a3cbeadd68cc57cda5e1d7448235) J:\WINDOWS\System32\rasmans.dll

01:39:09.0187 4036 RasMan - ok

01:39:09.0203 4036 RasPppoe (5bc962f2654137c9909c3d4603587dee) J:\WINDOWS\system32\DRIVERS\raspppoe.sys

01:39:09.0203 4036 RasPppoe - ok

01:39:09.0203 4036 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) J:\WINDOWS\system32\DRIVERS\raspti.sys

01:39:09.0203 4036 Raspti - ok

01:39:09.0234 4036 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) J:\WINDOWS\system32\DRIVERS\rdbss.sys

01:39:09.0234 4036 Rdbss - ok

01:39:09.0250 4036 RDPCDD (4912d5b403614ce99c28420f75353332) J:\WINDOWS\system32\DRIVERS\RDPCDD.sys

01:39:09.0250 4036 RDPCDD - ok

01:39:09.0296 4036 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) J:\WINDOWS\system32\drivers\RDPWD.sys

01:39:09.0296 4036 RDPWD - ok

01:39:09.0312 4036 RDSessMgr (3c37bf86641bda977c3bf8a840f3b7fa) J:\WINDOWS\system32\sessmgr.exe

01:39:09.0312 4036 RDSessMgr - ok

01:39:09.0328 4036 redbook (f828dd7e1419b6653894a8f97a0094c5) J:\WINDOWS\system32\DRIVERS\redbook.sys

01:39:09.0328 4036 redbook - ok

01:39:09.0343 4036 RemoteAccess (7e699ff5f59b5d9de5390e3c34c67cf5) J:\WINDOWS\System32\mprdim.dll

01:39:09.0343 4036 RemoteAccess - ok

01:39:09.0437 4036 RichVideo (06a49b7bdc36cfbf97dd90804f833369) J:\Program Files\CyberLink\Shared Files\RichVideo.exe

01:39:09.0437 4036 RichVideo - ok

01:39:09.0437 4036 RpcLocator (aaed593f84afa419bbae8572af87cf6a) J:\WINDOWS\system32\locator.exe

01:39:09.0453 4036 RpcLocator - ok

01:39:09.0484 4036 RpcSs (6b27a5c03dfb94b4245739065431322c) J:\WINDOWS\System32\rpcss.dll

01:39:09.0484 4036 RpcSs - ok

01:39:09.0515 4036 RSVP (471b3f9741d762abe75e9deea4787e47) J:\WINDOWS\system32\rsvp.exe

01:39:09.0531 4036 RSVP - ok

01:39:09.0546 4036 RT2500 (e2988349fe0567cbe4161cc653575a8e) J:\WINDOWS\system32\DRIVERS\RT2500.sys

01:39:09.0546 4036 RT2500 - ok

01:39:09.0562 4036 SamSs (bf2466b3e18e970d8a976fb95fc1ca85) J:\WINDOWS\system32\lsass.exe

01:39:09.0562 4036 SamSs - ok

01:39:09.0578 4036 SCardSvr (86d007e7a654b9a71d1d7d856b104353) J:\WINDOWS\System32\SCardSvr.exe

01:39:09.0578 4036 SCardSvr - ok

01:39:09.0609 4036 Schedule (0a9a7365a1ca4319aa7c1d6cd8e4eafa) J:\WINDOWS\system32\schedsvc.dll

01:39:09.0609 4036 Schedule - ok

01:39:09.0625 4036 Secdrv (90a3935d05b494a5a39d37e71f09a677) J:\WINDOWS\system32\DRIVERS\secdrv.sys

01:39:09.0625 4036 Secdrv - ok

01:39:09.0656 4036 seclogon (cbe612e2bb6a10e3563336191eda1250) J:\WINDOWS\System32\seclogon.dll

01:39:09.0656 4036 seclogon - ok

01:39:09.0671 4036 SENS (7fdd5d0684eca8c1f68b4d99d124dcd0) J:\WINDOWS\system32\sens.dll

01:39:09.0671 4036 SENS - ok

01:39:09.0671 4036 serenum (0f29512ccd6bead730039fb4bd2c85ce) J:\WINDOWS\system32\DRIVERS\serenum.sys

01:39:09.0671 4036 serenum - ok

01:39:09.0687 4036 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) J:\WINDOWS\system32\DRIVERS\serial.sys

01:39:09.0687 4036 Serial - ok

01:39:09.0703 4036 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) J:\WINDOWS\system32\drivers\Sfloppy.sys

01:39:09.0703 4036 Sfloppy - ok

01:39:09.0718 4036 SGHIDI (abd45d0857bbbb12075f53243da2aa41) J:\WINDOWS\system32\drivers\TG_iMON.sys

01:39:09.0718 4036 SGHIDI - ok

01:39:09.0750 4036 SGIR (532f78ba55b3c8556c8998cb59a00471) J:\WINDOWS\system32\drivers\iMON_PAD.sys

01:39:09.0750 4036 SGIR - ok

01:39:09.0765 4036 SharedAccess (83f41d0d89645d7235c051ab1d9523ac) J:\WINDOWS\System32\ipnathlp.dll

01:39:09.0781 4036 SharedAccess - ok

01:39:09.0812 4036 ShellHWDetection (99bc0b50f511924348be19c7c7313bbf) J:\WINDOWS\System32\shsvcs.dll

01:39:09.0812 4036 ShellHWDetection - ok

01:39:09.0812 4036 Simbad - ok

01:39:09.0828 4036 Sk9920nt - ok

01:39:09.0843 4036 SLIP (866d538ebe33709a5c9f5c62b73b7d14) J:\WINDOWS\system32\DRIVERS\SLIP.sys

01:39:09.0843 4036 SLIP - ok

01:39:09.0843 4036 Sparrow - ok

01:39:09.0875 4036 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) J:\WINDOWS\system32\drivers\splitter.sys

01:39:09.0875 4036 splitter - ok

01:39:09.0890 4036 Spooler (60784f891563fb1b767f70117fc2428f) J:\WINDOWS\system32\spoolsv.exe

01:39:09.0906 4036 Spooler - ok

01:39:09.0921 4036 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) J:\WINDOWS\system32\DRIVERS\sr.sys

01:39:09.0921 4036 sr - ok

01:39:09.0937 4036 srservice (3805df0ac4296a34ba4bf93b346cc378) J:\WINDOWS\system32\srsvc.dll

01:39:09.0937 4036 srservice - ok

01:39:09.0968 4036 Srv (47ddfc2f003f7f9f0592c6874962a2e7) J:\WINDOWS\system32\DRIVERS\srv.sys

01:39:09.0984 4036 Srv - ok

01:39:09.0984 4036 SSDPSRV (0a5679b3714edab99e357057ee88fca6) J:\WINDOWS\System32\ssdpsrv.dll

01:39:09.0984 4036 SSDPSRV - ok

01:39:10.0015 4036 StillCam (a9573045baa16eab9b1085205b82f1ed) J:\WINDOWS\system32\DRIVERS\serscan.sys

01:39:10.0015 4036 StillCam - ok

01:39:10.0046 4036 stisvc (8bad69cbac032d4bbacfce0306174c30) J:\WINDOWS\system32\wiaservc.dll

01:39:10.0046 4036 stisvc - ok

01:39:10.0046 4036 streamip (77813007ba6265c4b6098187e6ed79d2) J:\WINDOWS\system32\DRIVERS\StreamIP.sys

01:39:10.0046 4036 streamip - ok

01:39:10.0078 4036 swenum (3941d127aef12e93addf6fe6ee027e0f) J:\WINDOWS\system32\DRIVERS\swenum.sys

01:39:10.0078 4036 swenum - ok

01:39:10.0093 4036 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) J:\WINDOWS\system32\drivers\swmidi.sys

01:39:10.0093 4036 swmidi - ok

01:39:10.0093 4036 SwPrv - ok

01:39:10.0109 4036 symc810 - ok

01:39:10.0109 4036 symc8xx - ok

01:39:10.0125 4036 sym_hi - ok

01:39:10.0125 4036 sym_u3 - ok

01:39:10.0140 4036 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) J:\WINDOWS\system32\drivers\sysaudio.sys

01:39:10.0140 4036 sysaudio - ok

01:39:10.0156 4036 SysmonLog (c7abbc59b43274b1109df6b24d617051) J:\WINDOWS\system32\smlogsvc.exe

01:39:10.0156 4036 SysmonLog - ok

01:39:10.0171 4036 TapiSrv (3cb78c17bb664637787c9a1c98f79c38) J:\WINDOWS\System32\tapisrv.dll

01:39:10.0187 4036 TapiSrv - ok

01:39:10.0218 4036 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) J:\WINDOWS\system32\DRIVERS\tcpip.sys

01:39:10.0218 4036 Tcpip - ok

01:39:10.0250 4036 TDPIPE (6471a66807f5e104e4885f5b67349397) J:\WINDOWS\system32\drivers\TDPIPE.sys

01:39:10.0250 4036 TDPIPE - ok

01:39:10.0265 4036 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) J:\WINDOWS\system32\drivers\TDTCP.sys

01:39:10.0265 4036 TDTCP - ok

01:39:10.0265 4036 TermDD (88155247177638048422893737429d9e) J:\WINDOWS\system32\DRIVERS\termdd.sys

01:39:10.0265 4036 TermDD - ok

01:39:10.0296 4036 TermService (ff3477c03be7201c294c35f684b3479f) J:\WINDOWS\System32\termsrv.dll

01:39:10.0296 4036 TermService - ok

01:39:10.0328 4036 Themes (99bc0b50f511924348be19c7c7313bbf) J:\WINDOWS\System32\shsvcs.dll

01:39:10.0328 4036 Themes - ok

01:39:10.0343 4036 TosIde - ok

01:39:10.0359 4036 TrkWks (55bca12f7f523d35ca3cb833c725f54e) J:\WINDOWS\system32\trkwks.dll

01:39:10.0359 4036 TrkWks - ok

01:39:10.0390 4036 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) J:\WINDOWS\system32\drivers\Udfs.sys

01:39:10.0390 4036 Udfs - ok

01:39:10.0390 4036 ultra - ok

01:39:10.0437 4036 Update (402ddc88356b1bac0ee3dd1580c76a31) J:\WINDOWS\system32\DRIVERS\update.sys

01:39:10.0453 4036 Update - ok

01:39:10.0468 4036 upnphost (1ebafeb9a3fbdc41b8d9c7f0f687ad91) J:\WINDOWS\System32\upnphost.dll

01:39:10.0484 4036 upnphost - ok

01:39:10.0500 4036 UPS (05365fb38fca1e98f7a566aaaf5d1815) J:\WINDOWS\System32\ups.exe

01:39:10.0500 4036 UPS - ok

01:39:10.0515 4036 usbccgp (173f317ce0db8e21322e71b7e60a27e8) J:\WINDOWS\system32\DRIVERS\usbccgp.sys

01:39:10.0515 4036 usbccgp - ok

01:39:10.0546 4036 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) J:\WINDOWS\system32\DRIVERS\usbehci.sys

01:39:10.0546 4036 usbehci - ok

01:39:10.0578 4036 usbhub (1ab3cdde553b6e064d2e754efe20285c) J:\WINDOWS\system32\DRIVERS\usbhub.sys

01:39:10.0578 4036 usbhub - ok

01:39:10.0593 4036 usbohci (0daecce65366ea32b162f85f07c6753b) J:\WINDOWS\system32\DRIVERS\usbohci.sys

01:39:10.0593 4036 usbohci - ok

01:39:10.0609 4036 usbprint (a717c8721046828520c9edf31288fc00) J:\WINDOWS\system32\DRIVERS\usbprint.sys

01:39:10.0609 4036 usbprint - ok

01:39:10.0609 4036 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) J:\WINDOWS\system32\DRIVERS\usbscan.sys

01:39:10.0609 4036 usbscan - ok

01:39:10.0625 4036 usbstor (a32426d9b14a089eaa1d922e0c5801a9) J:\WINDOWS\system32\DRIVERS\USBSTOR.SYS

01:39:10.0625 4036 usbstor - ok

01:39:10.0625 4036 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) J:\WINDOWS\System32\drivers\vga.sys

01:39:10.0625 4036 VgaSave - ok

01:39:10.0625 4036 ViaIde - ok

01:39:10.0671 4036 VolSnap (4c8fcb5cc53aab716d810740fe59d025) J:\WINDOWS\system32\drivers\VolSnap.sys

01:39:10.0671 4036 VolSnap - ok

01:39:10.0687 4036 VSS (7a9db3a67c333bf0bd42e42b8596854b) J:\WINDOWS\System32\vssvc.exe

01:39:10.0703 4036 VSS - ok

01:39:10.0718 4036 W32Time (54af4b1d5459500ef0937f6d33b1914f) J:\WINDOWS\system32\w32time.dll

01:39:10.0718 4036 W32Time - ok

01:39:10.0734 4036 Wanarp (e20b95baedb550f32dd489265c1da1f6) J:\WINDOWS\system32\DRIVERS\wanarp.sys

01:39:10.0734 4036 Wanarp - ok

01:39:10.0781 4036 Wdf01000 (d918617b46457b9ac28027722e30f647) J:\WINDOWS\system32\Drivers\wdf01000.sys

01:39:10.0781 4036 Wdf01000 - ok

01:39:10.0796 4036 WDICA - ok

01:39:10.0812 4036 wdmaud (6768acf64b18196494413695f0c3a00f) J:\WINDOWS\system32\drivers\wdmaud.sys

01:39:10.0812 4036 wdmaud - ok

01:39:10.0828 4036 WebClient (77a354e28153ad2d5e120a5a8687bc06) J:\WINDOWS\System32\webclnt.dll

01:39:10.0828 4036 WebClient - ok

01:39:10.0875 4036 winmgmt (2d0e4ed081963804ccc196a0929275b5) J:\WINDOWS\system32\wbem\WMIsvc.dll

01:39:10.0875 4036 winmgmt - ok

01:39:10.0906 4036 WmdmPmSN (c51b4a5c05a5475708e3c81c7765b71d) J:\WINDOWS\system32\MsPMSNSv.dll

01:39:10.0906 4036 WmdmPmSN - ok

01:39:10.0921 4036 WmiApSrv (e0673f1106e62a68d2257e376079f821) J:\WINDOWS\system32\wbem\wmiapsrv.exe

01:39:10.0921 4036 WmiApSrv - ok

01:39:11.0031 4036 WMPNetworkSvc (f74e3d9a7fa9556c3bbb14d4e5e63d3b) J:\Program Files\Windows Media Player\WMPNetwk.exe

01:39:11.0046 4036 WMPNetworkSvc - ok

01:39:11.0062 4036 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) J:\WINDOWS\System32\drivers\ws2ifsl.sys

01:39:11.0062 4036 WS2IFSL - ok

01:39:11.0093 4036 wscsvc (7c278e6408d1dce642230c0585a854d5) J:\WINDOWS\system32\wscsvc.dll

01:39:11.0093 4036 wscsvc - ok

01:39:11.0125 4036 WSTCODEC (c98b39829c2bbd34e454150633c62c78) J:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS

01:39:11.0125 4036 WSTCODEC - ok

01:39:11.0125 4036 wuauserv - ok

01:39:11.0140 4036 WudfPf (f15feafffbb3644ccc80c5da584e6311) J:\WINDOWS\system32\DRIVERS\WudfPf.sys

01:39:11.0140 4036 WudfPf - ok

01:39:11.0156 4036 WudfRd (28b524262bce6de1f7ef9f510ba3985b) J:\WINDOWS\system32\DRIVERS\wudfrd.sys

01:39:11.0156 4036 WudfRd - ok

01:39:11.0171 4036 WudfSvc (05231c04253c5bc30b26cbaae680ed89) J:\WINDOWS\System32\WUDFSvc.dll

01:39:11.0218 4036 WudfSvc - ok

01:39:11.0234 4036 WZCSVC (81dc3f549f44b1c1fff022dec9ecf30b) J:\WINDOWS\System32\wzcsvc.dll

01:39:11.0250 4036 WZCSVC - ok

01:39:11.0265 4036 xmlprov (295d21f14c335b53cb8154e5b1f892b9) J:\WINDOWS\System32\xmlprov.dll

01:39:11.0296 4036 xmlprov - ok

01:39:11.0328 4036 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0

01:39:11.0468 4036 \Device\Harddisk0\DR0 - ok

01:39:11.0468 4036 MBR (0x1B8) (ddae9d649db12f6aff24483f2c298989) \Device\Harddisk1\DR4

01:39:11.0468 4036 \Device\Harddisk1\DR4 - ok

01:39:11.0484 4036 Boot (0x1200) (f01bd481348d16c811620a36fbc7b658) \Device\Harddisk0\DR0\Partition0

01:39:11.0484 4036 \Device\Harddisk0\DR0\Partition0 - ok

01:39:11.0484 4036 Boot (0x1200) (9a2f4033b63c285f79f02eed95b5b8c0) \Device\Harddisk1\DR4\Partition0

01:39:11.0484 4036 \Device\Harddisk1\DR4\Partition0 - ok

01:39:11.0484 4036 ============================================================

01:39:11.0484 4036 Scan finished

01:39:11.0484 4036 ============================================================

01:39:11.0500 4028 Detected object count: 0

01:39:11.0500 4028 Actual detected object count: 0


Hey casualuser. :)

 

Please run these two scans and post their logs in your next reply.

 

Please download RootRepeal from the following location and save it to your Desktop.

 

  • Extract RootRepeal.exe from the archive (if you did not use the "Direct Download" mirror).
  • Open RootRepeal.exe on your Desktop.
  • Click the Report tab.
  • Click the Scan button.
  • Check all seven boxes.
  • Click Ok.
  • Check the box for your main system drive (usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, a logfile will open. Save the log to your Desktop as RootRepeal.txt. Include this report in your next reply, please.

 

 

Then, please run this tool but do not be alarmed if it crashes as this has been known to occur on Windows 7.

 

Download Rootkit Unhooker and save it to your Desktop.

 

Close all open programs and browsers, then double-click RKUnhookerLE.exe to run it.

Vista/Windows 7 users right-click and select Run As Administrator.

 

  • Click the Report tab, then click Scan.
  • Check Drivers, Stealth Code, Files, and Code Hooks.
  • UNcheck the rest, then click OK.
  • When prompted to Select Disks for Scan, make sure C:\ is checked and click OK.
  • Wait until the scanner has finished then go File > Save Report.
  • Save the report somewhere you can find it. Click Close.
  • Copy the entire contents of the report and paste it in your next reply.
    Note: You may get the following warning. Just ignore it, click OK and continue: "Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay?"

==========

 

In your next post please provide the following:

  • RootRepeal.txt.
  • Log from Rootkit Unhooker.


Done and done. Here are the logs.

 

ROOTREPEAL © AD, 2007-2009

==================================================

Scan Start Time: 2012/04/26 08:56

Program Version: Version 1.3.5.0

Windows Version: Windows XP SP3

==================================================

 

Drivers

-------------------

Name: dump_atapi.sys

Image Path: J:\WINDOWS\System32\Drivers\dump_atapi.sys

Address: 0xAD0F9000 Size: 98304 File Visible: No Signed: -

Status: -

 

Name: dump_WMILIB.SYS

Image Path: J:\WINDOWS\System32\Drivers\dump_WMILIB.SYS

Address: 0xBA5D2000 Size: 8192 File Visible: No Signed: -

Status: -

 

Name: rootrepeal.sys

Image Path: J:\WINDOWS\system32\drivers\rootrepeal.sys

Address: 0xAA372000 Size: 49152 File Visible: No Signed: -

Status: -

 

==EOF==

RkU Version: 3.8.389.593, Type LE (SR2)

==============================================

OS Name: Windows XP

Version 5.1.2600 (Service Pack 3)

Number of processors #2

==============================================

>Drivers

==============================================

0xB99A3000 J:\WINDOWS\system32\drivers\ALCXWDM.SYS 4124672 bytes (Realtek Semiconductor Corp., Realtek AC'97 Audio Driver (WDM))

0xBF130000 J:\WINDOWS\System32\ati3duag.dll 2945024 bytes (ATI Technologies Inc. , ati3duag.dll)

0xB9675000 J:\WINDOWS\system32\DRIVERS\ati2mtag.sys 2510848 bytes (ATI Technologies Inc., ATI Radeon WindowsNT Miniport Driver)

0x804D7000 J:\WINDOWS\system32\ntkrnlpa.exe 2154496 bytes (Microsoft Corporation, NT Kernel & System)

0x804D7000 PnpManager 2154496 bytes

0x804D7000 RAW 2154496 bytes

0x804D7000 WMIxWDM 2154496 bytes

0xBF800000 Win32k 1859584 bytes

0xBF800000 J:\WINDOWS\System32\win32k.sys 1859584 bytes (Microsoft Corporation, Multi-User Win32 Driver)

0xBF3FF000 J:\WINDOWS\System32\ativvaxx.dll 1523712 bytes (ATI Technologies Inc. , Radeon Video Acceleration Universal Driver)

0xB9E5B000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)

0xAD111000 J:\WINDOWS\System32\Drivers\wdf01000.sys 462848 bytes (Microsoft Corporation, Kernel Mode Driver Framework Runtime)

0xAD24A000 J:\WINDOWS\system32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr)

0xB94FF000 J:\WINDOWS\system32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)

0xBF058000 J:\WINDOWS\System32\ati2cqag.dll 376832 bytes (ATI Technologies Inc., Central Memory Manager / Queue Server Module)

0xAD355000 J:\WINDOWS\system32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)

0xAA8EF000 J:\WINDOWS\system32\DRIVERS\srv.sys 360448 bytes (Microsoft Corporation, Server driver)

0xBF0B4000 J:\WINDOWS\System32\atikvmag.dll 331776 bytes (ATI Technologies Inc., Virtual Command And Memory Manager)

0xB9911000 J:\WINDOWS\system32\DRIVERS\NVNRM.SYS 307200 bytes (NVIDIA Corporation, NVIDIA Network Resource Manager.)

0xBF573000 J:\WINDOWS\System32\ATMFD.DLL 290816 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)

0xBF012000 J:\WINDOWS\System32\ati2dvag.dll 286720 bytes (ATI Technologies Inc., ATI Radeon WindowsNT Display Driver)

0xA9F11000 J:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)

0xA9B3A000 J:\WINDOWS\system32\DRIVERS\RT2500.sys 245760 bytes (Ralink Technology Inc., RT2500 802.11g Wireless Adapter Driver)

0xB98DA000 J:\WINDOWS\system32\DRIVERS\NVSNPU.SYS 225280 bytes (NVIDIA Corporation, NVIDIA Networking Soft-NPU Driver.)

0xB9F79000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)

0xAAAD3000 J:\WINDOWS\system32\DRIVERS\mrxdav.sys 184320 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)

0xB9E2E000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)

0xBF105000 J:\WINDOWS\System32\atiok3x2.dll 176128 bytes (ATI Technologies Inc., Ring 0 x2 component)

0xAD2BA000 J:\WINDOWS\system32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)

0xB9639000 J:\WINDOWS\system32\DRIVERS\HDAudBus.sys 163840 bytes (Windows ® Server 2003 DDK provider, High Definition Audio Bus Driver v1.0a)

0xAD307000 J:\WINDOWS\system32\DRIVERS\ipnat.sys 155648 bytes (Microsoft Corporation, IP Network Address Translator)

0xAAA87000 J:\WINDOWS\System32\Drivers\Fastfat.SYS 147456 bytes (Microsoft Corporation, Fast FAT File System Driver)

0xB997F000 J:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))

0xB9D92000 J:\WINDOWS\system32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)

0xB995C000 J:\WINDOWS\system32\drivers\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)

0xAD2E5000 J:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)

0x806E5000 ACPI_HAL 134400 bytes

0x806E5000 J:\WINDOWS\system32\hal.dll 134400 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)

0xB9F11000 fltmgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)

0xB9F49000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)

0xAD3E1000 J:\WINDOWS\system32\drivers\AtiHdmi.sys 106496 bytes (ATI Research Inc., Ati High Definition Audio Function Driver)

0xB9E14000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)

0xB9F31000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)

0xAD0F9000 J:\WINDOWS\System32\Drivers\dump_atapi.sys 98304 bytes

0xB9EE8000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)

0xB960E000 J:\WINDOWS\system32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))

0xAA56A000 J:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)

0xB9625000 J:\WINDOWS\system32\DRIVERS\parport.sys 81920 bytes (Microsoft Corporation, Parallel Port Driver)

0xB9661000 J:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)

0xAD3AE000 J:\WINDOWS\system32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)

0xBF000000 J:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)

0xB9EFF000 sr.sys 73728 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver)

0xB9F68000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)

0xB95FD000 J:\WINDOWS\system32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)

0xBA2D8000 J:\WINDOWS\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)

0xBA178000 J:\WINDOWS\system32\DRIVERS\cdrom.sys 65536 bytes (Microsoft Corporation, SCSI CD-ROM Driver)

0xBA0B8000 ohci1394.sys 65536 bytes (Microsoft Corporation, 1394 OpenHCI Port Driver)

0xBA198000 J:\WINDOWS\system32\DRIVERS\serial.sys 65536 bytes (Microsoft Corporation, Serial Device Driver)

0xBA158000 J:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)

0xBA188000 J:\WINDOWS\system32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)

0xAA6D7000 J:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)

0xBA1F8000 J:\WINDOWS\system32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)

0xBA0C8000 J:\WINDOWS\system32\DRIVERS\1394BUS.SYS 57344 bytes (Microsoft Corporation, 1394 Bus Device Driver)

0xBA308000 J:\WINDOWS\System32\Drivers\WDFLDR.SYS 57344 bytes (Microsoft Corporation, Kernel Mode Driver Framework Loader)

0xBA108000 J:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)

0xBA1A8000 J:\WINDOWS\system32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)

0xBA0E8000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)

0xBA1C8000 J:\WINDOWS\system32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)

0xBA278000 J:\WINDOWS\System32\Drivers\Fips.SYS 45056 bytes (Microsoft Corporation, FIPS Crypto Driver)

0xBA168000 J:\WINDOWS\system32\DRIVERS\imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver)

0xBA0D8000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)

0xBA1B8000 J:\WINDOWS\system32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)

0xBA0A8000 isapnp.sys 40960 bytes (Microsoft Corporation, PNP ISA Bus Driver)

0xBA208000 J:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)

0xBA118000 PxHelp20.sys 40960 bytes (Sonic Solutions, Px Engine Device Driver for Windows 2000/XP)

0xBA1E8000 J:\WINDOWS\system32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)

0xAA5F7000 J:\WINDOWS\System32\Drivers\BlackBox.SYS 36864 bytes (RKU Driver)

0xBA0F8000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)

0xBA2E8000 J:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS 36864 bytes (Microsoft Corporation, Hid Class Library)

0xBA2F8000 J:\WINDOWS\System32\Drivers\LEqdUsb.Sys 36864 bytes (Logitech, Inc., Logitech Equad USB Driver.)

0xBA1D8000 J:\WINDOWS\system32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)

0xBA268000 J:\WINDOWS\system32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)

0xBA148000 J:\WINDOWS\system32\DRIVERS\processr.sys 36864 bytes (Microsoft Corporation, Processor Device Driver)

0xBA258000 J:\WINDOWS\system32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)

0xBA3C8000 J:\WINDOWS\system32\DRIVERS\LHidFilt.Sys 32768 bytes (Logitech, Inc., Logitech HID Filter Driver.)

0xBA3D0000 J:\WINDOWS\system32\DRIVERS\LMouFilt.Sys 32768 bytes (Logitech, Inc., Logitech Mouse Filter Driver.)

0xBA480000 J:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)

0xBA3A8000 J:\WINDOWS\system32\DRIVERS\usbccgp.sys 32768 bytes (Microsoft Corporation, USB Common Class Generic Parent Driver)

0xBA390000 J:\WINDOWS\system32\DRIVERS\usbehci.sys 32768 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)

0xBA458000 J:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)

0xBA328000 J:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)

0xBA4A0000 J:\WINDOWS\system32\Drivers\eusk2par.sys 24576 bytes (EUTRON, SmartKey Parallel driver for Windows)

0xBA3B8000 J:\WINDOWS\System32\Drivers\GEARAspiWDM.sys 24576 bytes (GEAR Software Inc., CD DVD Filter)

0xBA400000 J:\WINDOWS\system32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)

0xBA408000 J:\WINDOWS\system32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)

0xBA460000 J:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)

0xBA4A8000 J:\WINDOWS\system32\DRIVERS\AegisP.sys 20480 bytes (Meetinghouse Data Communications, IEEE 802.1X Protocol Driver)

0xBA470000 J:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)

0xBA330000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)

0xBA3E8000 J:\WINDOWS\system32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)

0xBA3F8000 J:\WINDOWS\system32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel® mini-port/call-manager driver)

0xBA3D8000 J:\WINDOWS\system32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)

0xBA388000 J:\WINDOWS\system32\DRIVERS\usbohci.sys 20480 bytes (Microsoft Corporation, OHCI USB Miniport Driver)

0xBA418000 J:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)

0xA9C5D000 J:\WINDOWS\system32\GTNDIS5.SYS 16384 bytes (Printing Communications Assoc., Inc. (PCAUSA), PCAUSA NDIS 5.0 Protocol Driver)

0xB948A000 J:\WINDOWS\system32\drivers\iMON_PAD.sys 16384 bytes

0xB9476000 J:\WINDOWS\system32\DRIVERS\kbdhid.sys 16384 bytes (Microsoft Corporation, HID Mouse Filter Driver)

0xBA584000 J:\WINDOWS\system32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)

0xAADC4000 J:\WINDOWS\system32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)

0xBA550000 J:\WINDOWS\system32\DRIVERS\nvnetbus.sys 16384 bytes (NVIDIA Corporation, NVIDIA Networking Bus Driver.)

0xBA55C000 J:\WINDOWS\system32\DRIVERS\serenum.sys 16384 bytes (Microsoft Corporation, Serial Port Enumerator)

0xBA4B8000 J:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)

0xAD345000 J:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)

0xBA568000 J:\WINDOWS\system32\DRIVERS\gameenum.sys 12288 bytes (Microsoft Corporation, Game Port Enumerator)

0xB9482000 J:\WINDOWS\system32\DRIVERS\hidusb.sys 12288 bytes (Microsoft Corporation, USB Miniport Driver for Input Devices)

0xB946E000 J:\WINDOWS\system32\DRIVERS\mouhid.sys 12288 bytes (Microsoft Corporation, HID Mouse Filter Driver)

0xBA570000 J:\WINDOWS\system32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)

0xBA554000 J:\WINDOWS\system32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)

0xBA56C000 J:\WINDOWS\System32\drivers\ws2ifsl.sys 12288 bytes (Microsoft Corporation, Winsock2 IFS Layer)

0xBA5BE000 J:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)

0xBA5D2000 J:\WINDOWS\System32\Drivers\dump_WMILIB.SYS 8192 bytes

0xBA5BA000 J:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)

0xBA5A8000 J:\WINDOWS\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)

0xBA5C2000 J:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)

0xBA606000 J:\WINDOWS\System32\Drivers\ParVdm.SYS 8192 bytes (Microsoft Corporation, VDM Parallel Driver)

0xBA5C6000 J:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)

0xBA5B0000 J:\WINDOWS\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)

0xBA5B4000 J:\WINDOWS\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)

0xBA5AA000 J:\WINDOWS\system32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)

0xBA74B000 J:\WINDOWS\system32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)

0xBA6E9000 J:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)

0xBA76B000 J:\WINDOWS\System32\Drivers\LBeepKE.sys 4096 bytes (Logitech, Inc., Logitech Consumer Control Filter Driver.)

0xBA6B0000 J:\WINDOWS\System32\Drivers\LHidEqd.Sys 4096 bytes (Logitech, Inc., Logitech HID Filter Driver.)

0xBA748000 J:\WINDOWS\system32\drivers\msmpu401.sys 4096 bytes (Microsoft Corporation, MPU401 Adapter Driver)

0xBA78F000 J:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)

0xBA670000 pciide.sys 4096 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)

==============================================

>Stealth

==============================================

==============================================

>Files

==============================================

!-->[Hidden] J:\Qoobox\BackEnv\AppData.folder.dat

!-->[Hidden] J:\Qoobox\BackEnv\Cache.folder.dat

!-->[Hidden] J:\Qoobox\BackEnv\Cookies.folder.dat

!-->[Hidden] J:\Qoobox\BackEnv\Desktop.folder.dat

!-->[Hidden] J:\Qoobox\BackEnv\Favorites.folder.dat

!-->[Hidden] J:\Qoobox\BackEnv\History.folder.dat

!-->[Hidden] J:\Qoobox\BackEnv\LocalAppData.folder.dat

!-->[Hidden] J:\Qoobox\BackEnv\LocalSettings.folder.dat

!-->[Hidden] J:\Qoobox\BackEnv\Music.folder.dat

!-->[Hidden] J:\Qoobox\BackEnv\NetHood.folder.dat

!-->[Hidden] J:\Qoobox\BackEnv\Personal.folder.dat

!-->[Hidden] J:\Qoobox\BackEnv\Pictures.folder.dat

!-->[Hidden] J:\Qoobox\BackEnv\PrintHood.folder.dat

!-->[Hidden] J:\Qoobox\BackEnv\Profiles.Folder.dat

!-->[Hidden] J:\Qoobox\BackEnv\Profiles.Folder.folder.dat

!-->[Hidden] J:\Qoobox\BackEnv\Programs.folder.dat

!-->[Hidden] J:\Qoobox\BackEnv\Recent.folder.dat

!-->[Hidden] J:\Qoobox\BackEnv\SendTo.folder.dat

!-->[Hidden] J:\Qoobox\BackEnv\SetPath.bat

!-->[Hidden] J:\Qoobox\BackEnv\StartMenu.folder.dat

!-->[Hidden] J:\Qoobox\BackEnv\StartUp.folder.dat

!-->[Hidden] J:\Qoobox\BackEnv\SysPath.dat

!-->[Hidden] J:\Qoobox\BackEnv\Templates.folder.dat

!-->[Hidden] J:\Qoobox\BackEnv\VikPev00

!-->[Hidden] J:\WINDOWS\$NtUninstallKB27616$\2196561247

==============================================

>Hooks

==============================================

ntkrnlpa.exe+0x0006ECEE, Type: Inline - RelativeJump 0x80545CEE-->80545CF5 [ntkrnlpa.exe]

[272]explorer.exe-->advapi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77DD1218-->5CB77774 [shimeng.dll]

[272]explorer.exe-->crypt32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77A81188-->5CB77774 [shimeng.dll]

[272]explorer.exe-->gdi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77F110B4-->5CB77774 [shimeng.dll]

[272]explorer.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x01001268-->5CB77774 [shimeng.dll]

[272]explorer.exe-->mswsock.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x71A51178-->5CB77774 [shimeng.dll]

[272]explorer.exe-->shell32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7C9C15A4-->5CB77774 [shimeng.dll]

[272]explorer.exe-->user32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7E41133C-->5CB77774 [shimeng.dll]

[272]explorer.exe-->wininet.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x3D9314B0-->5CB77774 [shimeng.dll]

[272]explorer.exe-->ws2_32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x71AB109C-->5CB77774 [shimeng.dll]

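The `>Hooks` section of the scan log above lists one inline hook inside ntkrnlpa.exe and a series of IAT modifications in explorer.exe, all pointing into shimeng.dll. As an added example (not part of the original thread and not output of the scanner), here is a small Python triage script that parses lines in that format and sorts them by hook type and owning module. The sample input reuses three lines from the log plus one constructed line with a placeholder owner module; the allowlist of known-benign IAT owners (shimeng.dll, the Application Compatibility shim engine) is our assumption, and the verdict names are ours.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# One hook line from the scanner's ">Hooks" section looks like either
#   <module>+0x<offset>, Type: Inline - RelativeJump 0x<src>--><dst> [<owner>]
#   [<pid>]<process>-->...-->GetProcAddress, Type: IAT modification 0x<src>--><dst> [<owner>]
HOOK_RE = re.compile(
    r"^(?P<target>.+?), Type: (?P<kind>.+?) "
    r"0x(?P<src>[0-9A-Fa-f]+)-->(?P<dst>[0-9A-Fa-f]+) \[(?P<owner>[^\]]+)\]$"
)
PID_RE = re.compile(r"^\[(?P<pid>\d+)\](?P<process>[^-]+)")

# Assumption (ours, not the scanner's): modules that install IAT hooks as part of
# normal Windows operation. shimeng.dll is the Application Compatibility shim
# engine and routinely redirects GetProcAddress in shimmed processes.
KNOWN_BENIGN_IAT_OWNERS = {"shimeng.dll"}


@dataclass
class Hook:
    target: str          # hooked location as printed by the scanner
    kind: str            # "Inline - RelativeJump" or "IAT modification"
    src: int             # original address
    dst: int             # address the hook redirects to
    owner: str           # module that owns the destination address
    pid: Optional[int]   # process id for IAT hooks, None for kernel hooks
    verdict: str         # "known-benign", "review" or "suspicious"


def classify(target: str, kind: str, owner: str) -> str:
    """Coarse triage: allowlisted IAT owners are benign; an inline patch that
    stays inside the patched module needs a human look; everything else is
    treated as suspicious until proven otherwise."""
    owner_l = owner.lower()
    if kind.startswith("IAT modification"):
        return "known-benign" if owner_l in KNOWN_BENIGN_IAT_OWNERS else "suspicious"
    if kind.startswith("Inline"):
        patched_module = target.split("+", 1)[0].lower()
        return "review" if patched_module == owner_l else "suspicious"
    return "suspicious"


def parse_hook_line(line: str) -> Optional[Hook]:
    """Return a Hook for a hook line, or None for separators and headings."""
    m = HOOK_RE.match(line.strip())
    if not m:
        return None
    pid_match = PID_RE.match(m["target"])
    pid = int(pid_match["pid"]) if pid_match else None
    return Hook(
        target=m["target"],
        kind=m["kind"],
        src=int(m["src"], 16),
        dst=int(m["dst"], 16),
        owner=m["owner"],
        pid=pid,
        verdict=classify(m["target"], m["kind"], m["owner"]),
    )


def parse_hooks(text: str) -> List[Hook]:
    """Parse every hook line in a ">Hooks" section, skipping non-hook lines."""
    hooks = []
    for line in text.splitlines():
        hook = parse_hook_line(line)
        if hook is not None:
            hooks.append(hook)
    return hooks


def summarize(hooks: List[Hook]) -> Dict[str, int]:
    """Count hooks per verdict, e.g. {"known-benign": 2, "review": 1, ...}."""
    return dict(Counter(h.verdict for h in hooks))


# Constructed sample: three lines copied from the log posted above plus one
# line we made up (owner "placeholder-module.dll") to exercise the suspicious path.
SAMPLE_HOOKS = """\
==============================================
>Hooks
==============================================
ntkrnlpa.exe+0x0006ECEE, Type: Inline - RelativeJump 0x80545CEE-->80545CF5 [ntkrnlpa.exe]
[272]explorer.exe-->advapi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77DD1218-->5CB77774 [shimeng.dll]
[272]explorer.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x01001268-->5CB77774 [shimeng.dll]
[272]explorer.exe-->ws2_32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x71AB109C-->00C00000 [placeholder-module.dll]
"""

if __name__ == "__main__":
    for h in parse_hooks(SAMPLE_HOOKS):
        print(f"{h.verdict:13} pid={h.pid} {h.kind}: {h.target} -> {h.owner}")
    print(summarize(parse_hooks(SAMPLE_HOOKS)))
```

The allowlist is deliberately short: the point of the script is to collapse the repeated shimeng.dll entries so the one line that deserves attention (the inline jump inside the kernel image, or any IAT owner you have not vetted) stands out instead of being buried among nine near-identical lines.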
Hey casualuser. :)

 

Thanks for the logs. :thumbup:

 

Please download aswMBR by gmer to your Desktop.

 

  • Please visit this site for instructions on how to run the tool.
  • Once familiar with this tool, double click aswMBR.exe to run it.
  • Click the Scan button to start the scan.
    Note: Please DO NOT fix anything aswMBR finds.
  • Once the scan has completed, please save the aswMBR.txt log to the Desktop and post it in your next reply.

Then, please download to the Desktop RogueKiller (by tigzy).

  • Please quit all programs.
  • Start RogueKiller.exe.
  • Wait until Prescan has finished.
  • Click on Scan.
  • Click on Report and copy/paste the contents of the report in your next reply.

===========

 

In your next post please post the following:

  • aswMBR.txt.
  • RogueKiller log.

Here are the logs.

 

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software

Run date: 2012-04-27 09:49:27

-----------------------------

09:49:27.453 OS Version: Windows 5.1.2600 Service Pack 3

09:49:27.453 Number of processors: 2 586 0x2302

09:49:27.453 ComputerName: MEDIAPC UserName:

09:49:28.281 Initialize success

09:50:06.250 Service scanning

09:50:12.140 Modules scanning

09:50:14.875 Disk 0 trace - called modules:

09:50:14.890 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS

09:50:14.890 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a753ab8]

09:50:14.890 3 CLASSPNP.SYS[ba108fd7] -> nt!IofCallDriver -> \Device\00000068[0x8a73b9e8]

09:50:14.890 5 ACPI.sys[b9f7f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP4T0L0-12[0x8a7c5d98]

09:50:14.890 Scan finished successfully

09:50:48.218 The log file has been saved successfully to "M:\aswMBR.txt"

 

 

RogueKiller V7.3.3 [04/22/2012] by Tigzy

mail: tigzyRK<at>gmail<dot>com

Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/

Blog: http://tigzyrk.blogspot.com

 

Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version

Started in : Normal mode

User: Mark Smith [Admin rights]

Mode: Scan -- Date: 04/27/2012 09:51:38

 

¤¤¤ Bad processes: 0 ¤¤¤

 

¤¤¤ Registry Entries: 2 ¤¤¤

[HJ] HKCU\[...]\Advanced : Start_ShowPrinters (0) -> FOUND

[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

 

¤¤¤ Particular Files / Folders: ¤¤¤

 

¤¤¤ Driver: [LOADED] ¤¤¤

 

¤¤¤ Infection : ¤¤¤

 

¤¤¤ HOSTS File: ¤¤¤

127.0.0.1 localhost

 

 

¤¤¤ MBR Check: ¤¤¤

 

+++++ PhysicalDrive0: ST31000528AS +++++

--- User ---

[MBR] 45e23835597b6a0b4128dfb9747afda0

[bSP] d22ef517afb7effd96e6605679505ba7 : Windows XP MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 953859 Mo

User = LL1 ... OK!

User = LL2 ... OK!

 

+++++ PhysicalDrive1: JetFlash Transcend 8GB USB Device +++++

--- User ---

[MBR] 977e55d9969dce8c190369cae6ae7c44

[bSP] ad180d2594ca120697c2f0b2ce76fe86 : MBR Code unknown

Partition table:

0 - [XXXXXX] FAT32 (0x0b) [VISIBLE] Offset (sectors): 8192 | Size: 7656 Mo

User = LL1 ... OK!

Error reading LL2 MBR!

 

Finished : << RKreport[1].txt >>

RKreport[1].txt

Hello casualuser. :)

 

Please do the following to create a new System Restore Point:

 

  • Go to Start>All Programs>Accessories>System Tools>System Restore.
  • Click Create a Restore Point.
  • Click Next.
  • For the description, just type today's date.
  • Then click Create.
  • Click Close once finished.

Once you have created a System Restore Point, please run RKill but do not reboot.

 

 

Then, please follow these instructions to remove the remaining malicious entries:

 

  • Please close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Open Notepad and copy/paste the text in the quotebox below into it:
     
    Please Note: Do NOT use any other text editor than Notepad or the CFScript will fail.
     

    killall::
     
    Folder::
    J:\WINDOWS\$NtUninstallKB27616$\
     
     
  • Save this as CFScript.txt, in the same location as ComboFix.exe.
     
    [image: CFScriptB-4.gif]
     
  • Referring to the picture above, drag CFScript into ComboFix.exe.
  • When finished, it shall produce a log for you at C:\ComboFix.txt.

===========

 

Please restart your computer after you have run the CFScript. Then, please delete your current copy of ComboFix. Please follow these instructions to run ComboFix.exe. Please visit this webpage for download links and instructions for running this tool:

 

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

 

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix (CF).

 

Please go here to see a list of programs that need to be disabled.

 

**Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall.**

 

**Note 2: If you get a message saying "Illegal operation attempted on a registry key that has been marked for deletion", please restart your computer.**

 

Please include the C:\ComboFix.txt in your next reply for further review.

==========

 

Finally, please re-run TDSSKiller and post its log in your next reply.

==========

 

In your next reply I would like to see the following please:

  • ComboFix.txt.
  • TDSSKiller log.

I get as far as running Combofix. It says it needs to reboot before progressing; it does, and 10-15 secs after it comes back up, I get the blue screen error.
