Possible RAT (Remote Access Trojan) infection :(


  • This topic is locked
24 replies to this topic

#1 Rathater13

  • Full Member
  • 17 posts

Posted 14 May 2013 - 12:26 PM

May 14, 10:20 AM
 
Dear Forum:
 
I suspect I've had a RAT in my computer for a couple of months that even thorough low-level formatting seems unable to remove :(.
 
It apparently does two things:
a) Before I installed Malwarebytes it frequently (and always rather suddenly) kept all the webpages I tried to open from loading. My Net Meter app, though, always showed the DSL line to be OK (usually around 2mbps) and torrent downloads weren't affected, either.
b) Malwarebytes fairly often displays a pop-up note that shows an IP address it says it successfully blocked (some unnamed application) from connecting to (i.e. a website with 'potentially malicious code'). Actually, it's not just one but many IP addresses this RAT has tried to connect to. Since then the problem with webpages that won't load has disappeared or at least been greatly reduced (I'm not exactly sure which).
 
Neither Malwarebytes nor SUPERAntiSpyware, Spybot Search & Destroy or Avast! Internet Security have found anything. And Bitdefender's QuickScan didn't find anything, either (it didn't provide me with a log, just stating that it didn't find any viruses). And Panda, because it couldn't run its ActiveScan 2.0 (We have detected that your PC is using a version of Microsoft Internet Explorer or Firefox, or another browser, that is not compatible with ActiveScan 2.0.), suggested that I download (and install) its Panda Cloud Cleaner. Which I did and ran. But when it was done I didn't get any log either, just the announcement that it had removed a suspicious Registry entry.
 
Is it possible this RAT installed itself in the BIOS or the M/B software (that is, if there's additional M/B software to the BIOS)? Also, last night my PC suddenly started shutting down every few minutes. More to the point, I was using XP when it began and when I switched to Linux Mint the same thing happened. Now, though, it's been OK for several hours. Could the RAT be the cause of this strange behavior or is this occurrence likely something completely unrelated?
 
I'd really appreciate any help in this regard! Btw, I have read the FAQ and followed the directions :). Hopefully, I haven't forgotten anything.
 
Many thanks :).
 
Rathater13 ;)
 
P.S. Here are the requested logs:
Malwarebytes Anti-Malware (PRO) 1.65.0.1400
www.malwarebytes.org
 
Database version: v2013.05.14.04
 
Windows XP Service Pack 2 x86 NTFS
Internet Explorer 7.0.5730.13
Administrator-Dude :: LastXP17 [administrator]
 
Protection: Enabled
 
5/14/2013 8:31:39 AM
mbam-log-2013-05-14 (08-31-39).txt
 
Scan type: Full scan (C:\|E:\|F:\|G:\|H:\|I:\|)
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 294001
Time elapsed: 46 minute(s), 12 second(s)
 
Memory Processes Detected: 0
(No malicious items detected)
 
Memory Modules Detected: 0
(No malicious items detected)
 
Registry Keys Detected: 0
(No malicious items detected)
 
Registry Values Detected: 0
(No malicious items detected)
 
Registry Data Items Detected: 0
(No malicious items detected)
 
Folders Detected: 0
(No malicious items detected)
 
Files Detected: 0
(No malicious items detected)
 
(end)
 
DDS
DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 7.0.5730.13  BrowserJavaVersion: 10.21.2
Run by Administrator-Dude at 9:31:30 on 2013-05-14
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.3070.1179 [GMT -7:00]
.
AV: avast! Internet Security *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: avast! Internet Security *Enabled*
.
============== Running Processes ================
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\Program Files\AVAST Software\Avast\afwServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AVAST Software\Avast\avastUI.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\program files\realplayer\update\realsched.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Java\jre7\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Program Files\FlashGet 3\FlashGet3.exe
C:\Program Files\NetMeter\HooNetMeter.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\utorrent\uTorrent.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\RealNetworks\RealDownloader\rndlresolversvc.exe
C:\Program Files\TuneUp Utilities 2013\TuneUpUtilitiesService32.exe
C:\Program Files\TuneUp Utilities 2013\TuneUpUtilitiesApp32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Avisoft Organizer 3.0\Avisoft Organizer.exe
C:\Program Files\OpenOffice.org 3\program\swriter.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Users\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Users\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Users\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Users\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Users\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Users\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Users\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Users\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Users\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\VideoLAN VLC\vlc.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\NoteTab Light\NoteTab.exe
C:\Program Files\DVDFab 6\DVDFab.exe
C:\Users\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Users\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Users\Administrator\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uWindow Title = IE
mWinlogon: SFCDisable = dword:-99
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealNetworks Download and Record Plugin for Internet Explorer: {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\users\all users\application data\realnetworks\realdownloader\browserplugins\ie\rndlbrowserrecordplugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - c:\program files\avast software\avast\aswWebRepIE.dll
BHO: FlashGetBHO: {b070d3e3-fec0-47d9-8e8a-99d4eeb3d3b0} - c:\users\administrator\application data\flashgetbho\FlashGetBHO.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
TB: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - c:\program files\avast software\avast\aswWebRepIE.dll
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [FlashGet 3] "c:\program files\flashget 3\FlashGet3.exe" -minimize
uRun: [NetMeter] c:\program files\netmeter\HooNetMeter.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe"  /MINIMIZED
mRun: [SystemTray] SysTray.Exe
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
mRun: [TkBellExe] "c:\program files\realplayer\update\realsched.exe"  -osboot
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRunOnce: [nltide_2] regsvr32 /s /n /i:U shell32
dRunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
dRunOnce: [NewUser] c:\windows\system32\NewUser.cmd
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
uPolicies-Explorer: NoSMMyPictures = dword:1
uPolicies-Explorer: NoSMConfigurePrograms = dword:1
mPolicies-Explorer: NoSMConfigurePrograms = dword:1
mPolicies-System: SynchronousMachineGroupPolicy = dword:0
mPolicies-System: SynchronousUserGroupPolicy = dword:0
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Explorer: NoSMMyPictures = dword:1
mPolicies-Explorer: NoSMHelp = dword:1
mPolicies-Explorer: NoSMConfigurePrograms = dword:1
IE: Download all links by FlashGet3 - c:\program files\flashget 3\bho\fdgetallurl.htm
IE: Download all videos by FlashGet3 - c:\program files\flashget 3\bho\fdgetallflvurl.htm
IE: Download by FlashGet3 - c:\program files\flashget 3\bho\fdgeturl.htm
IE: Download current video by FlashGet3 - c:\program files\flashget 3\bho\fdgetflvurl.htm
IE: Lookup on CD - c:\program files\ahd4\ahd.htm
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\npjpi160_03.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://windowsupdate.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1367974548165
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
TCP: NameServer = 192.168.178.1
TCP: Interfaces\{825517C7-899E-421B-A883-88379E0927AC} : DHCPNameServer = 192.168.178.1
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\wpdshserviceobj.dll
SEH: SABShellExecuteHook Class - {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - c:\program files\superantispyware\SASSEH.DLL
mASetup: {D58F39FF-953E-4F45-898F-59F243B9A523} - "c:\program files\windows sidebar\sidebar.exe" /RegServer
Hosts: 127.0.0.1 ads.mcafee.com
Hosts: 127.0.0.1 ads.microsoft.com
Hosts: 127.0.0.1 counter.kaspersky.com
Hosts: 127.0.0.1 wdcs.trendmicro.com
.
============= SERVICES / DRIVERS ===============
.
R0 aswNdis;avast! Firewall NDIS Filter Service;c:\windows\system32\drivers\aswNdis.sys [2013-5-5 12112]
R0 aswNdis2;avast! Firewall Core Firewall Service;c:\windows\system32\drivers\aswNdis2.sys [2013-5-5 199384]
R0 aswRvrt;aswRvrt;c:\windows\system32\drivers\aswRvrt.sys [2013-5-5 49248]
R1 aswFW;avast! TDI Firewall Driver;c:\windows\system32\drivers\aswFW.sys [2013-5-5 101656]
R1 aswKbd;aswKbd;c:\windows\system32\drivers\aswKbd.sys [2013-5-5 21576]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2013-5-5 765736]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2013-5-5 368176]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2012-7-11 116608]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2013-5-5 29816]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2013-5-5 66336]
R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2013-5-5 45248]
R2 avast! Firewall;avast! Firewall;c:\program files\avast software\avast\afwServ.exe [2013-5-5 136912]
R2 MBAMScheduler;MBAMScheduler;c:\program files\malwarebytes' anti-malware\mbamscheduler.exe [2013-5-6 399432]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2013-5-6 676936]
R2 RealNetworks Downloader Resolver Service;RealNetworks Downloader Resolver Service;c:\program files\realnetworks\realdownloader\rndlresolversvc.exe [2013-3-6 39056]
R2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\program files\tuneup utilities 2013\TuneUpUtilitiesService32.exe [2013-1-30 1724192]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2013-5-6 22856]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2013-5-14 40776]
R3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files\tuneup utilities 2013\TuneUpUtilitiesDriver32.sys [2012-11-15 10088]
S3 ampa;ampa;c:\windows\system32\ampa.sys [2013-5-12 10936]
S3 aswVmm;aswVmm;c:\windows\system32\drivers\aswVmm.sys [2013-5-5 164736]
S3 Revoflt;Revoflt;c:\windows\system32\drivers\revoflt.sys [2013-5-5 27064]
.
=============== File Associations ===============
.
FileExt: .txt: Applications\NoteTab.exe="c:\program files\notetab light\NoteTab.exe" "%1" [UserChoice]
.
=============== Created Last 30 ================
.
2013-05-14 15:31:07 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2013-05-14 11:52:54 -------- d--h--w- c:\windows\PIF
2013-05-13 00:12:43 -------- d-----w- c:\program files\Driver
2013-05-12 17:32:37 1422776 ----a-w- c:\windows\ampa.exe
2013-05-12 17:32:37 10936 ----a-w- c:\windows\system32\ampa.sys
2013-05-12 17:32:35 -------- d-----w- c:\program files\AOMEI Partition Assistant Standard Edition 5.2
2013-05-12 16:03:19 -------- d-----w- c:\program files\VideoLAN VLC
2013-05-11 20:51:31 -------- d-----w- c:\users\administrator\application data\RealNetworks
2013-05-10 21:15:36 -------- d-----w- c:\users\administrator\local settings\application data\Temp
2013-05-10 21:15:36 -------- d-----w- c:\users\administrator\local settings\application data\Adobe
2013-05-10 21:05:52 -------- d-----w- c:\program files\RealNetworks
2013-05-10 21:05:48 -------- d-----w- c:\users\all users\application data\RealNetworks
2013-05-10 21:05:30 -------- d-----w- c:\program files\common files\xing shared
2013-05-10 21:04:48 -------- d-----w- c:\program files\realplayer
2013-05-10 20:56:57 -------- d-----w- c:\program files\Tseries BIOS Update
2013-05-10 20:56:54 32768 ----a-w- c:\program files\common files\installshield\engine\6\intel 32\objectps.dll
2013-05-10 20:56:54 237568 ----a-w- c:\program files\common files\installshield\iscript\IScript.dll
2013-05-10 20:56:54 208896 ----a-w- c:\program files\common files\installshield\engine\6\intel 32\iuser.dll
2013-05-10 20:56:53 212992 ----a-w- c:\program files\common files\installshield\engine\6\intel 32\ILog.dll
2013-05-10 20:56:53 151552 ----a-w- c:\program files\common files\installshield\engine\6\intel 32\ctor.dll
2013-05-10 20:56:51 458752 ----a-w- c:\program files\common files\installshield\engine\6\intel 32\IKernel.exe
2013-05-09 16:42:01 -------- d-----w- c:\program files\1-click run
2013-05-09 16:32:38 12872 ----a-w- c:\windows\system32\bootdelete.exe
2013-05-08 01:03:26 -------- d-----w- c:\program files\Java jre7
2013-05-08 00:12:06 550912 ----a-w- c:\users\administrator\application data\microsoft\internet explorer\quick launch\US Convert.exe
2013-05-07 20:01:17 -------- d-----w- c:\users\administrator\application data\Uniblue
2013-05-07 18:53:39 -------- d-----w- c:\program files\GetFLV
2013-05-07 17:38:28 -------- d-----w- C:\XP Icons
2013-05-07 17:20:25 -------- d-----w- c:\users\all users\application data\Spybot - Search & Destroy
2013-05-07 17:20:25 -------- d-----w- c:\program files\Spybot - Search & Destroy
2013-05-07 17:12:49 -------- d-----w- c:\users\administrator\application data\Avisoft
2013-05-07 16:57:54 -------- d-----w- c:\users\all users\application data\YTD Video Downloader
2013-05-07 16:57:38 -------- d-----w- c:\program files\GreenTree Applications
2013-05-07 16:56:18 -------- d-----w- c:\users\administrator\application data\HTNetMeter
2013-05-07 16:54:52 -------- d-----w- c:\program files\NetMeter
2013-05-07 16:53:06 -------- d-----w- c:\users\administrator\application data\BITS
2013-05-07 16:52:58 -------- d-----w- c:\users\administrator\application data\FlashGetBHO
2013-05-07 16:52:54 -------- d-----w- c:\users\administrator\application data\FlashGet
2013-05-07 16:52:54 -------- d-----w- c:\program files\FlashGet 3
2013-05-07 16:41:33 -------- d-----w- c:\program files\utorrent
2013-05-07 16:39:09 -------- d-----w- c:\users\administrator\application data\uTorrent
2013-05-07 16:37:32 -------- d-----w- c:\users\administrator\local settings\application data\Ares
2013-05-07 16:37:26 -------- d-----w- c:\program files\Ares
2013-05-07 16:36:48 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2013-05-07 16:34:54 87608 ----a-w- c:\users\administrator\application data\inst.exe
2013-05-07 16:34:54 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
2013-05-07 16:34:54 47360 ----a-w- c:\users\administrator\application data\pcouffin.sys
2013-05-07 16:34:43 -------- d-----w- c:\program files\DVDFab 6
2013-05-07 16:23:34 -------- d-----w- c:\program files\common files\Real
2013-05-07 16:16:24 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin7.dll
2013-05-07 16:16:24 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin6.dll
2013-05-07 16:16:24 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin5.dll
2013-05-07 16:16:24 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin4.dll
2013-05-07 16:16:24 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin3.dll
2013-05-07 16:16:24 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin2.dll
2013-05-07 16:16:24 159744 ----a-w- c:\program files\internet explorer\plugins\npqtplugin.dll
2013-05-07 16:15:08 -------- d-----w- c:\users\administrator\local settings\application data\Apple
2013-05-07 16:14:46 -------- d-----w- c:\users\administrator\local settings\application data\Apple Computer
2013-05-07 16:12:43 -------- d-----w- c:\program files\Adobe Reader 10.0
2013-05-06 23:11:34 -------- d-----w- c:\program files\TimeRC
2013-05-06 23:09:11 -------- d-----w- c:\program files\US Convert
2013-05-06 23:00:39 -------- d-----w- c:\program files\Foxit PDF Creator
2013-05-06 22:47:34 -------- d-----w- c:\windows\ShellNew
2013-05-06 22:42:51 384512 ----a-w- c:\windows\system32\MFCO40.DLL
2013-05-06 22:42:51 358400 ----a-w- c:\windows\system32\MFC30.DLL
2013-05-06 22:42:51 151040 ----a-w- c:\windows\system32\MFCO30.DLL
2013-05-06 22:42:47 28672 ----a-w- c:\windows\Photo Express 3.scr
2013-05-06 22:42:14 -------- d-----w- c:\program files\Ulead Photo Express 3.0 SE
2013-05-06 22:38:04 -------- d-----w- c:\users\administrator\application data\NoteTab Light
2013-05-06 22:38:00 -------- d-----w- c:\program files\NoteTab Light
2013-05-06 22:37:23 -------- d-----w- c:\program files\Avisoft Organizer 3.0
2013-05-06 22:34:47 743504 ----a-w- c:\windows\system32\Ss32x25.ocx
2013-05-06 22:34:47 245248 ----a-w- c:\windows\system32\Vsocx6.ocx
2013-05-06 22:34:47 1046528 ----a-w- c:\windows\system32\WebPr332.ocx
2013-05-06 22:34:46 77824 ----a-w- c:\windows\system32\NNeRef.dll
2013-05-06 22:34:45 77824 ----a-w- c:\windows\system32\eRef.dll
2013-05-06 22:34:45 101888 ----a-w- c:\windows\system32\VB6STKIT.DLL
2013-05-06 22:34:03 -------- d-----w- c:\program files\AHD4
2013-05-06 22:33:10 299520 ----a-w- c:\windows\uninst.exe
2013-05-06 22:27:34 18944 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\mdippr.dll
2013-05-06 22:27:34 17920 ----a-w- c:\windows\system32\mdimon.dll
2013-05-06 22:27:11 -------- d-----w- c:\program files\Microsoft ActiveSync
2013-05-06 22:23:45 12288 ----a-w- c:\windows\system32\APFMON40.DLL
2013-05-06 22:23:44 117248 ----a-w- c:\windows\system32\APFAXCNV.DLL
2013-05-06 22:23:44 -------- d-----w- c:\program files\MightyFax
2013-05-06 18:46:03 -------- d-----w- c:\windows\system32\XPSViewer
2013-05-06 18:45:42 28160 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
2013-05-06 18:45:29 14048 ------w- c:\windows\system32\spmsg2.dll
2013-05-06 18:38:32 -------- d-----w- c:\program files\hp deskjet 845c series
2013-05-06 18:36:05 -------- d-----w- C:\SupraMax usb
2013-05-06 18:35:42 -------- d-----w- c:\windows\system32\ReinstallBackups
2013-05-06 18:35:40 16128 ----a-w- c:\windows\system32\drivers\MODEMCSA.sys
2013-05-06 18:35:39 175104 ----a-w- c:\windows\system32\csamsp.dll
2013-05-06 18:35:26 -------- d-----w- c:\program files\UIU
2013-05-06 18:35:01 11562 ----a-w- c:\windows\system32\hsfinst.dll
2013-05-06 18:35:00 90112 ----a-w- c:\windows\system32\mdmxsdk.dll
2013-05-06 18:35:00 11043 ----a-w- c:\windows\system32\drivers\mdmxsdk.sys
2013-05-06 18:34:59 884614 ----a-w- c:\windows\system32\drivers\winachcf.sys
2013-05-06 18:32:44 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2013-05-06 18:23:56 23856 ----a-w- c:\windows\system32\spupdsvc.exe
2013-05-06 18:23:34 -------- d-----w- c:\program files\CanoScan Toolbox Ver4.0
2013-05-06 18:23:11 306688 ----a-w- c:\windows\IsUninst.exe
2013-05-06 18:22:50 -------- d-----w- c:\users\administrator\WINDOWS
2013-05-06 18:22:23 327740 ----a-w- c:\windows\system32\UCS32P.DLL
2013-05-06 18:22:22 339968 ----a-w- c:\windows\system32\N067UFW.DLL
2013-05-06 18:22:22 32768 ----a-w- c:\windows\system32\CNQU70.DLL
2013-05-06 18:22:22 -------- d--h--w- C:\CanoScan
.
==================== Find3M  ====================
.
2013-05-10 21:04:52 499712 ----a-w- c:\windows\system32\msvcp71.dll
2013-05-10 21:04:52 348160 ----a-w- c:\windows\system32\msvcr71.dll
2013-05-06 07:07:43 94112 ----a-w- c:\windows\system32\WindowsAccessBridge.dll
2013-05-06 07:07:39 144896 ----a-w- c:\windows\system32\javacpl.cpl
2013-05-06 07:07:38 866720 ----a-w- c:\windows\system32\npDeployJava1.dll
2013-05-06 07:07:38 788896 ----a-w- c:\windows\system32\deployJava1.dll
2013-05-06 04:27:15 0 ----a-w- c:\windows\ativpsrm.bin
2013-05-06 02:03:14 59 ----a-w- c:\windows\system32\RenAcc.cmd
2013-05-06 02:03:11 297 ----a-w- c:\windows\system32\StartAU.cmd
2013-03-07 00:33:24 765736 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2013-03-07 00:33:24 49248 ----a-w- c:\windows\system32\drivers\aswRvrt.sys
2013-03-07 00:33:24 164736 ----a-w- c:\windows\system32\drivers\aswVmm.sys
2013-03-07 00:33:23 66336 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2013-03-07 00:33:23 199384 ----a-w- c:\windows\system32\drivers\aswNdis2.sys
2013-03-07 00:33:22 21576 ----a-w- c:\windows\system32\drivers\aswKbd.sys
2013-03-07 00:33:22 101656 ----a-w- c:\windows\system32\drivers\aswFW.sys
2013-03-07 00:32:51 41664 ----a-w- c:\windows\avastSS.scr
2013-03-07 00:11:20 12112 ----a-w- c:\windows\system32\drivers\aswNdis.sys
.
============= FINISH:  9:33:33.25 ===============
Security Check
Results of screen317's Security Check version 0.99.63 
Windows XP Service Pack 2 x86  
Out of date service pack!!
Internet Explorer 7 Out of date!
``````````````Antivirus/Firewall Check:``````````````

Windows Firewall Enabled! 
Please wait while WMIC compiles updated MOF files.
displayName
ECHO is off.
avast!
ECHO is off.
Internet
ECHO is off.
Security
ECHO is off.
 Antivirus up to date! 
`````````Anti-malware/Other Utilities Check:`````````
 MVPS Hosts File 
 Spybot - Search & Destroy
 SUPERAntiSpyware    
 Malwarebytes Anti-Malware version 1.65.0.1400 
 TuneUp Utilities 2013  
 AVG PC Tuneup  
 TuneUp Utilities Language Pack (en-US)
 TuneUp Utilities 2013  
 CCleaner v4.01.4093 Professional  
 JavaFX 2.1.0   
 Java 7 Update 21 
 Java™ 6 Update 3 
 Adobe Flash Player  11.1.102.55 
 Adobe Reader 10.1.6 Adobe Reader out of Date! 
````````Process Check: objlist.exe by Laurent```````` 
 Malwarebytes Anti-Malware mbamservice.exe 
 Malwarebytes Anti-Malware mbamgui.exe 
 Malwarebytes Anti-Malware mbam.exe 
 Malwarebytes' Anti-Malware mbamscheduler.exe  
 Administrator Desktop Malware Forum SecurityCheck.exe
 AVAST Software Avast AvastSvc.exe 
 AVAST Software Avast afwServ.exe 
 AVAST Software Avast avastUI.exe 
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C:: 4%
````````````````````End of Log``````````````````````
 


#2 cnm

    Mother Lion of SWI

  • Administrators
  • 25,257 posts

Posted 15 May 2013 - 12:10 PM

Hello Rathater13.
 
If you do indeed have a RAT you should alert your providers of credit cards and online banking that there may be unauthorized access.  You should change your passwords, but this may be useless if a RAT is still present.
 
Your PC is extraordinarily vulnerable with only SP 2 for XP.  Support for SP 2 ended July 2010 so you have no Windows security patches created after that date.  However you cannot install SP 3 until your PC is clean.

File sharing with uTorrent further increases your vulnerability.  
 
 
Since your Windows File Protection is disabled, system files may have been corrupted.

Please delete any copy of TDSSKiller you have (right-click on it => "Delete").

Please download tdsskiller.exe and save it to your Desktop. Go here for information.

  • Double-click on TDSSKiller.exe to run the application.
  • Choose "Change Parameters"
    Make sure "Detect TDLFS file system" is checked.
    Hit OK
  • Click on the Start Scan button and wait for the scan and disinfection process to be over.
  • If an infected file is detected, the default action will be Cure, click on Continue
  • If a suspicious file is detected, the default action will be Skip, click on Continue
  • If you are asked to reboot the computer to complete the process, click on the Reboot Now button. A report will be automatically saved at the root of the System drive (usually C:\) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt" (for example, C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt). Please copy and paste the contents of that file in your next reply.
  • If no reboot is required, click on Report. A log file will appear. Please copy and paste the contents of that file in your next reply.

Note: It may be a very long log.  Divide it and use more than one reply if necessary.


Microsoft MVP Windows Security 2005-2006
How camest thou in this pickle? -- William Shakespeare:(1564-1616)
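One way to pull the two signals cnm's reply rests on out of a DDS log mechanically, as an added example that is not code from this thread or from DDS, TDSSKiller or any other tool named in it: the script below scans "Pseudo HJT Report" lines, decodes the signed `dword:-99` that DDS prints for `SFCDisable` back to 0xFFFFFF9D (the value widely used to switch Windows File Protection off on XP), and lists hosts-file lines that sink a security vendor's hostname to loopback. The sample lines are constructed from the DDS log posted above; the vendor-domain list is an assumption, and `triage`, `dds_dword_to_unsigned` and `hostname_matches` are names chosen here, not functions of any real tool.

```python
"""Triage helper for the "Pseudo HJT Report" section of a DDS log.

Added example; it is not part of this thread and not code from DDS, TDSSKiller
or any other tool named here.  It flags Windows File Protection switched off
through the SFCDisable value, and hosts-file lines that sink a security
vendor's hostname to loopback.  SAMPLE_LINES is constructed from the DDS log
posted in this thread; SECURITY_VENDOR_SUFFIXES is an illustrative list.
"""
import re
from ipaddress import ip_address

# Constructed sample: a handful of lines taken from the DDS log in this thread.
SAMPLE_LINES = [
    "uStart Page = hxxp://www.google.com/",
    "mWinlogon: SFCDisable = dword:-99",
    "uRun: [ctfmon.exe] c:\\windows\\system32\\ctfmon.exe",
    "TCP: NameServer = 192.168.178.1",
    "Hosts: 127.0.0.1 ads.mcafee.com",
    "Hosts: 127.0.0.1 ads.microsoft.com",
    "Hosts: 127.0.0.1 counter.kaspersky.com",
    "Hosts: 127.0.0.1 wdcs.trendmicro.com",
]

# Assumption: illustrative vendor domains; extend for your own environment.
SECURITY_VENDOR_SUFFIXES = (
    "mcafee.com", "kaspersky.com", "trendmicro.com", "symantec.com",
    "avast.com", "malwarebytes.org", "microsoft.com",
)

SFC_RE = re.compile(r"^mWinlogon:\s*SFCDisable\s*=\s*dword:(-?\d+)$", re.IGNORECASE)
HOSTS_RE = re.compile(r"^Hosts:\s*(\S+)\s+(\S+)$")

# DDS prints the REG_DWORD as a signed decimal; -99 is 0xFFFFFF9D, the value
# widely used to switch Windows File Protection off on XP.
WFP_OFF = 0xFFFFFF9D


def dds_dword_to_unsigned(text: str) -> int:
    """Map DDS's signed decimal rendering of a REG_DWORD back to 32-bit unsigned."""
    return int(text, 10) & 0xFFFFFFFF


def hostname_matches(host: str, suffixes) -> bool:
    """True when host equals one of the suffixes or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in suffixes)


def triage(lines):
    """Return a list of findings; each is a dict with at least 'kind' and 'line'."""
    findings = []
    for raw in lines:
        line = raw.strip()
        m = SFC_RE.match(line)
        if m:
            value = dds_dword_to_unsigned(m.group(1))
            if value == WFP_OFF:
                findings.append({"kind": "wfp_disabled", "value": value, "line": line})
            continue
        m = HOSTS_RE.match(line)
        if m:
            target, host = m.groups()
            try:
                addr = ip_address(target)
                sinkholed = addr.is_loopback or addr.is_unspecified
            except ValueError:
                sinkholed = False
            if sinkholed and hostname_matches(host, SECURITY_VENDOR_SUFFIXES):
                findings.append({"kind": "hosts_redirect", "host": host,
                                 "target": target, "line": line})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"{f['kind']:15} {f['line']}")
```

A hosts finding is a prompt to review, not a verdict: the Security Check output above lists the MVPS Hosts File, which legitimately contains ad- and counter-host entries of exactly this shape, whereas an entry that sinks an update or definitions host is what would keep a scanner from updating. The `SFCDisable` finding is the one cnm's "Windows File Protection is disabled" remark points at.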


#3 Rathater13

  • Full Member
  • 17 posts

Posted 17 May 2013 - 11:45 AM

Hi Mother Lion of SWI:
 
Thanks so much for your reply!
 
I did run TDSSKiller and it too came up empty-handed (i.e. didn't find any viruses or malware). The report is below your message. But although it is quite long I pasted it into this message in its entirety because I felt it's still more readable that way than if I had posted it in several installments. I hope that's OK.
 
As for XP and SP3, I have two XP Pro CDs. One with SP2 only and another with SP3 (plus SP2 I assume). I recently installed the latter and found that the computer froze every so often, which is why I uninstalled it and instead installed XP Pro with SP2 only. Of course, I'm not sure if SP3 was the cause of that problem. But a while ago a friend who knows quite a bit about computers told me that SP3 can cause a variety of problems.
 
Anyway, the described symptoms of the TDSSKiller how-to guide don't match those of the RAT (or whatever is on my machine).
 
Again, as far as I can tell it does two things:
a) Before I installed Malwarebytes it frequently (and always from one moment to the next) kept all webpages from loading although my Net Meter app always showed the DSL line to be OK (usually around 2mbps). The only way to get webpages to load again was to reboot the PC although sometimes the problem occurred again a few minutes after the reboot.
b) Since I installed Malwarebytes it often (and perhaps increasing in frequency) has displayed a pop-up note that shows an IP address Malwarebytes says it successfully blocked (some unnamed application) from connecting to (i.e. a website with 'potentially malicious code'). Actually, it's not just one but many IP addresses this RAT has been trying to connect to. Since then the problem with webpages that won't load has apparently disappeared.
 
I've also noticed some boot problems. More specifically, for the past few days when I start XP (after the computer has been turned off for several hours) it won't load any of the Desktop content (Taskbar, icons, etc.) but does so without a problem when I boot the computer a second time. But because the Biostar M/B (which I bought second hand on eBay) doesn't seem to like cold boots this may be related to that fact?!
 
If I realize I forgot something important I'll add it in an additional post.
 
Many thanks again!
 
Best regards,
 
Rathater13
Hello Rathater13.
 
If you do indeed have a RAT you should alert your providers of credit cards and online banking that there may be unauthorized access. You should change your passwords, but this may be useless if a RAT is still present.
 
Your PC is extraordinarily vulnerable with only SP 2 for XP. Support for SP 2 ended July 2010 so you have no Windows security patches created after that date. However, you cannot install SP 3 until your PC is clean.
 
File sharing with uTorrent further increases your vulnerability. 
 
Since your Windows File Protection is disabled, system files may have been corrupted.
 
Please delete any copy of TDSSKiller you have (right-click on it => "Delete").
 
Please download tdsskiller.exe and save it to your Desktop. Go here for information.
 
- Double-click on TDSSKiller.exe to run the application.
- Choose "Change Parameters"
- Make sure "Detect TDLFS file system" is checked.
- Hit OK
- Click on the Start Scan button and wait for the scan and disinfection process to be over.
- If an infected file is detected, the default action will be Cure, click on Continue
- If a suspicious file is detected, the default action will be Skip, click on Continue
- If you are asked to reboot the computer to complete the process, click on the Reboot Now button. A report will be automatically saved at the root of the System drive (usually C:\) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt" (for example, C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt). Please copy and paste the contents of that file in your next reply.
If no reboot is required, click on Report. A log file will appear. Please copy and paste the contents of that file in your next reply.
 
Note: It may be a very long log. Divide it and use more than one reply if necessary.
 
TDSS Report:
10:55:31.0851 4356 TDSS rootkit removing tool 2.8.16.0 Feb 11 2013 18:50:42
10:55:32.0742 4356 ============================================================
10:55:32.0742 4356 Current date / time: 2013/05/16 10:55:32.0742
10:55:32.0742 4356 SystemInfo:
10:55:32.0742 4356
10:55:32.0742 4356 OS Version: 5.1.2600 ServicePack: 2.0
10:55:32.0742 4356 Product type: Workstation
10:55:32.0742 4356 ComputerName: LastXP17
10:55:32.0757 4356 UserName: Administrator-Dude
10:55:32.0757 4356 Windows directory: C:\WINDOWS
10:55:32.0757 4356 System windows directory: C:\WINDOWS
10:55:32.0757 4356 Processor architecture: Intel x86
10:55:32.0757 4356 Number of processors: 2
10:55:32.0757 4356 Page size: 0x1000
10:55:32.0757 4356 Boot type: Normal boot
10:55:32.0757 4356 ============================================================
10:55:34.0210 4356 Drive \Device\Harddisk0\DR0 - Size: 0x2658AE0000 (153.39 Gb), SectorSize: 0x200, Cylinders: 0x4E37, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
10:55:34.0210 4356 Drive \Device\Harddisk1\DR1 - Size: 0xE8E0DB6000 (931.51 Gb), SectorSize: 0x200, Cylinders: 0x1DB01, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
10:55:34.0226 4356 Drive \Device\Harddisk2\DR2 - Size: 0x132C570000 (76.69 Gb), SectorSize: 0x200, Cylinders: 0x271B, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
10:55:34.0226 4356 Drive \Device\Harddisk3\DR9 - Size: 0x7470C06000 (465.76 Gb), SectorSize: 0x200, Cylinders: 0xED81, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'W'
10:55:34.0226 4356 Drive \Device\Harddisk4\DR11 - Size: 0xF3C00000 (3.81 Gb), SectorSize: 0x200, Cylinders: 0x1F1, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'W'
10:55:34.0226 4356 ============================================================
10:55:34.0226 4356 \Device\Harddisk0\DR0:
10:55:34.0226 4356 MBR partitions:
10:55:34.0226 4356 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0xA75BD2F
10:55:34.0257 4356 \Device\Harddisk1\DR1:
10:55:34.0257 4356 MBR partitions:
10:55:34.0257 4356 \Device\Harddisk1\DR1\Partition1: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x1869E559
10:55:34.0257 4356 \Device\Harddisk1\DR1\Partition2: MBR, Type 0x7, StartLBA 0x1869E598, BlocksNum 0x5C067429
10:55:34.0257 4356 \Device\Harddisk2\DR2:
10:55:34.0257 4356 MBR partitions:
10:55:34.0257 4356 \Device\Harddisk2\DR2\Partition1: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x996051C
10:55:34.0257 4356 \Device\Harddisk3\DR9:
10:55:34.0257 4356 MBR partitions:
10:55:34.0257 4356 \Device\Harddisk3\DR9\Partition1: MBR, Type 0x7, StartLBA 0x800, BlocksNum 0x3A384441

10:55:34.0257 4356 \Device\Harddisk4\DR11:

10:55:34.0257 4356 MBR partitions:

10:55:34.0257 4356 \Device\Harddisk4\DR11\Partition1: MBR, Type 0xB, StartLBA 0x338, BlocksNum 0x79DCC8

10:55:34.0257 4356 ============================================================

10:55:34.0273 4356 C: <-> \Device\Harddisk0\DR0\Partition1

10:55:34.0273 4356 F: <-> \Device\Harddisk3\DR9\Partition1

10:55:34.0304 4356 G: <-> \Device\Harddisk2\DR2\Partition1

10:55:34.0304 4356 H: <-> \Device\Harddisk1\DR1\Partition1

10:55:34.0304 4356 J: <-> \Device\Harddisk1\DR1\Partition2

10:55:34.0304 4356 ============================================================

10:55:34.0304 4356 Initialize success

10:55:34.0304 4356 ============================================================

10:56:02.0773 5696 ============================================================

10:56:02.0773 5696 Scan started

10:56:02.0773 5696 Mode: Manual; TDLFS;

10:56:02.0773 5696 ============================================================

10:56:03.0023 5696 ================ Scan system memory ========================

10:56:03.0023 5696 System memory - ok

10:56:03.0023 5696 ================ Scan services =============================

10:56:03.0085 5696 [ 01E81C84AD1D0ACC61CF3CFD06632210 ] !SASCORE C:\Program Files\SUPERAntiSpyware\SASCORE.EXE

10:56:03.0101 5696 !SASCORE - ok

10:56:03.0163 5696 Abiosdsk - ok

10:56:03.0179 5696 abp480n5 - ok

10:56:03.0195 5696 [ A10C7534F7223F4A73A948967D00E69B ] ACPI C:\WINDOWS\system32\DRIVERS\ACPI.sys

10:56:03.0195 5696 ACPI - ok

10:56:03.0226 5696 [ 9859C0F6936E723E4892D7141B1327D5 ] ACPIEC C:\WINDOWS\system32\drivers\ACPIEC.sys

10:56:03.0226 5696 ACPIEC - ok

10:56:03.0226 5696 adpu160m - ok

10:56:03.0273 5696 [ 1EE7B434BA961EF845DE136224C30FEC ] aec C:\WINDOWS\system32\drivers\aec.sys

10:56:03.0273 5696 aec - ok

10:56:03.0304 5696 [ 5AC495F4CB807B2B98AD2AD591E6D92E ] AFD C:\WINDOWS\System32\drivers\afd.sys

10:56:03.0304 5696 AFD - ok

10:56:03.0320 5696 Aha154x - ok

10:56:03.0320 5696 aic78u2 - ok

10:56:03.0335 5696 aic78xx - ok

10:56:03.0351 5696 [ F1958FBF86D5C004CF19A5951A9514B7 ] ALG C:\WINDOWS\System32\alg.exe

10:56:03.0351 5696 ALG - ok

10:56:03.0351 5696 AliIde - ok

10:56:03.0382 5696 [ 0A4D13B388C814560BD69C3A496ECFA8 ] AmdK8 C:\WINDOWS\system32\DRIVERS\AmdK8.sys

10:56:03.0382 5696 AmdK8 - ok

10:56:03.0398 5696 [ FE62E9711285DC2002DEF9B2BC2FB220 ] ampa C:\WINDOWS\system32\ampa.sys

10:56:03.0398 5696 ampa - ok

10:56:03.0413 5696 amsint - ok

10:56:03.0413 5696 [ 9C3C12975C97119412802B181FBEEFFE ] AppMgmt C:\WINDOWS\System32\appmgmts.dll

10:56:03.0429 5696 AppMgmt - ok

10:56:03.0429 5696 asc - ok

10:56:03.0429 5696 asc3350p - ok

10:56:03.0445 5696 asc3550 - ok

10:56:03.0460 5696 [ B979979AB8027F7F53FB16EC4229B7DB ] Aspi32 C:\WINDOWS\system32\drivers\Aspi32.sys

10:56:03.0460 5696 Aspi32 - ok

10:56:03.0554 5696 [ 4EABF511B1AF176A971C3271E48FA3A8 ] aspnet_state C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe

10:56:03.0554 5696 aspnet_state - ok

10:56:03.0570 5696 [ CCDA8D84FD02AEC52E62F296433AE9DC ] aswFsBlk C:\WINDOWS\system32\drivers\aswFsBlk.sys

10:56:03.0570 5696 aswFsBlk - ok

10:56:03.0585 5696 [ A65FC444F7660F0CAC9A9E22203FD4BA ] aswFW C:\WINDOWS\system32\drivers\aswFW.sys

10:56:03.0585 5696 aswFW - ok

10:56:03.0601 5696 [ 4691B3FE3717F9D9C64A5282C8543D4D ] aswKbd C:\WINDOWS\system32\drivers\aswKbd.sys

10:56:03.0601 5696 aswKbd - ok

10:56:03.0601 5696 [ A6E20E62871A28A0F1C05B1681848FA7 ] aswMonFlt C:\WINDOWS\system32\drivers\aswMonFlt.sys

10:56:03.0601 5696 aswMonFlt - ok

10:56:03.0632 5696 [ 7B948E3657BEA62E437BC46CA6EF6012 ] aswNdis C:\WINDOWS\system32\DRIVERS\aswNdis.sys

10:56:03.0632 5696 aswNdis - ok

10:56:03.0648 5696 [ 672A45E2AA1FA8178DB8CF1A39BEFC83 ] aswNdis2 C:\WINDOWS\system32\drivers\aswNdis2.sys

10:56:03.0648 5696 aswNdis2 - ok

10:56:03.0663 5696 [ C1A411B7CCD604554D96EFDAC2F83617 ] AswRdr C:\WINDOWS\system32\drivers\AswRdr.sys

10:56:03.0663 5696 AswRdr - ok

10:56:03.0679 5696 [ 657A61979F40D67CA29716149766FFA7 ] aswRvrt C:\WINDOWS\system32\drivers\aswRvrt.sys

10:56:03.0679 5696 aswRvrt - ok

10:56:03.0710 5696 [ 0E604867FC28F00D91CB0B00D2EC830D ] aswSnx C:\WINDOWS\system32\drivers\aswSnx.sys

10:56:03.0710 5696 aswSnx - ok

10:56:03.0726 5696 [ 6FC4AA106AA505394C908D37CCCB9148 ] aswSP C:\WINDOWS\system32\drivers\aswSP.sys

10:56:03.0726 5696 aswSP - ok

10:56:03.0742 5696 [ 33E21FFB063CA6C7E00D568467DC72E4 ] aswTdi C:\WINDOWS\system32\drivers\aswTdi.sys

10:56:03.0742 5696 aswTdi - ok

10:56:03.0757 5696 [ EDB0C9BA44B748E420CCA989FD8B826E ] aswVmm C:\WINDOWS\system32\drivers\aswVmm.sys

10:56:03.0773 5696 aswVmm - ok

10:56:03.0788 5696 [ 02000ABF34AF4C218C35D257024807D6 ] AsyncMac C:\WINDOWS\system32\DRIVERS\asyncmac.sys

10:56:03.0788 5696 AsyncMac - ok

10:56:03.0788 5696 [ CDFE4411A69C224BD1D11B2DA92DAC51 ] atapi C:\WINDOWS\system32\DRIVERS\atapi.sys

10:56:03.0788 5696 atapi - ok

10:56:03.0804 5696 Atdisk - ok

10:56:03.0835 5696 [ 9C72537D345DD5761D2785B294C763D9 ] Ati HotKey Poller C:\WINDOWS\system32\Ati2evxx.exe

10:56:03.0835 5696 Ati HotKey Poller - ok

10:56:03.0960 5696 [ D30344F87CE4A7C44D6DBC6978981010 ] ati2mtag C:\WINDOWS\system32\DRIVERS\ati2mtag.sys

10:56:03.0992 5696 ati2mtag - ok

10:56:04.0023 5696 [ EC88DA854AB7D7752EC8BE11A741BB7F ] Atmarpc C:\WINDOWS\system32\DRIVERS\atmarpc.sys

10:56:04.0023 5696 Atmarpc - ok

10:56:04.0038 5696 [ DB66DB626E4882EBEF55F136F12C1829 ] AudioSrv C:\WINDOWS\System32\audiosrv.dll

10:56:04.0038 5696 AudioSrv - ok

10:56:04.0054 5696 [ D9F724AA26C010A217C97606B160ED68 ] audstub C:\WINDOWS\system32\DRIVERS\audstub.sys

10:56:04.0054 5696 audstub - ok

10:56:04.0101 5696 [ 41735B82DB57E4EBE9504EC400FD120E ] avast! Antivirus C:\Program Files\AVAST Software\Avast\AvastSvc.exe

10:56:04.0117 5696 avast! Antivirus - ok

10:56:04.0148 5696 [ DA387EDDBA421A7A8132E256343C2799 ] avast! Firewall C:\Program Files\AVAST Software\Avast\afwServ.exe

10:56:04.0148 5696 avast! Firewall - ok

10:56:04.0179 5696 [ DA1F27D85E0D1525F6621372E7B685E9 ] Beep C:\WINDOWS\system32\drivers\Beep.sys

10:56:04.0179 5696 Beep - ok

10:56:04.0210 5696 [ 2C69EC7E5A311334D10DD95F338FCCEA ] BITS C:\WINDOWS\system32\qmgr.dll

10:56:04.0226 5696 BITS - ok

10:56:04.0257 5696 [ 39128B5A743545BAEDD3984C210F00A8 ] Browser C:\WINDOWS\System32\browser.dll

10:56:04.0257 5696 Browser - ok

10:56:04.0288 5696 [ 90A673FC8E12A79AFBED2576F6A7AAF9 ] cbidf2k C:\WINDOWS\system32\drivers\cbidf2k.sys

10:56:04.0288 5696 cbidf2k - ok

10:56:04.0304 5696 cd20xrnt - ok

10:56:04.0304 5696 [ C1B486A7658353D33A10CC15211A873B ] Cdaudio C:\WINDOWS\system32\drivers\Cdaudio.sys

10:56:04.0304 5696 Cdaudio - ok

10:56:04.0335 5696 [ CD7D5152DF32B47F4E36F710B35AAE02 ] Cdfs C:\WINDOWS\system32\drivers\Cdfs.sys

10:56:04.0335 5696 Cdfs - ok

10:56:04.0351 5696 [ AF9C19B3100FE010496B1A27181FBF72 ] Cdrom C:\WINDOWS\system32\DRIVERS\cdrom.sys

10:56:04.0367 5696 Cdrom - ok

10:56:04.0367 5696 Changer - ok

10:56:04.0398 5696 [ 3192BD04D032A9C4A85A3278C268A13A ] CiSvc C:\WINDOWS\system32\cisvc.exe

10:56:04.0398 5696 CiSvc - ok

10:56:04.0413 5696 [ D152BE596F3ADFCA2125891BEB7607C6 ] ClipSrv C:\WINDOWS\system32\clipsrv.exe

10:56:04.0413 5696 ClipSrv - ok

10:56:04.0429 5696 [ 234B1BC2796483E1F5C3F26649FB3388 ] clr_optimization_v2.0.50727_32 C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

10:56:04.0445 5696 clr_optimization_v2.0.50727_32 - ok

10:56:04.0445 5696 CmdIde - ok

10:56:04.0445 5696 COMSysApp - ok

10:56:04.0460 5696 Cpqarray - ok

10:56:04.0492 5696 [ 87F3E2D2A3231F820F9248DB90090F42 ] CryptSvc C:\WINDOWS\System32\cryptsvc.dll

10:56:04.0492 5696 CryptSvc - ok

10:56:04.0492 5696 dac2w2k - ok

10:56:04.0507 5696 dac960nt - ok

10:56:04.0538 5696 [ 348F04E3582EF2467EE5379D67B99FD7 ] DcomLaunch C:\WINDOWS\system32\rpcss.dll

10:56:04.0554 5696 DcomLaunch - ok

10:56:04.0585 5696 [ 3F15A1DBD86F7BDAF404648282D11ECE ] Dhcp C:\WINDOWS\System32\dhcpcsvc.dll

10:56:04.0585 5696 Dhcp - ok

10:56:04.0601 5696 [ 00CA44E4534865F8A3B64F7C0984BFF0 ] Disk C:\WINDOWS\system32\DRIVERS\disk.sys

10:56:04.0601 5696 Disk - ok

10:56:04.0601 5696 dmadmin - ok

10:56:04.0632 5696 [ C0FBB516E06E243F0CF31F597E7EBF7D ] dmboot C:\WINDOWS\system32\drivers\dmboot.sys

10:56:04.0632 5696 dmboot - ok

10:56:04.0648 5696 [ F5E7B358A732D09F4BCF2824B88B9E28 ] dmio C:\WINDOWS\system32\drivers\dmio.sys

10:56:04.0648 5696 dmio - ok

10:56:04.0663 5696 [ E9317282A63CA4D188C0DF5E09C6AC5F ] dmload C:\WINDOWS\system32\drivers\dmload.sys

10:56:04.0663 5696 dmload - ok

10:56:04.0679 5696 [ 1639D9964C9E1B2ECCA95C8217D3E70D ] dmserver C:\WINDOWS\System32\dmserver.dll

10:56:04.0679 5696 dmserver - ok

10:56:04.0695 5696 [ A6F881284AC1150E37D9AE47FF601267 ] DMusic C:\WINDOWS\system32\drivers\DMusic.sys

10:56:04.0695 5696 DMusic - ok

10:56:04.0710 5696 [ 7379DE06FD196E396A00AA97B990C00D ] Dnscache C:\WINDOWS\System32\dnsrslvr.dll

10:56:04.0726 5696 Dnscache - ok

10:56:04.0726 5696 dpti2o - ok

10:56:04.0726 5696 [ 1ED4DBBAE9F5D558DBBA4CC450E3EB2E ] drmkaud C:\WINDOWS\system32\drivers\drmkaud.sys

10:56:04.0742 5696 drmkaud - ok

10:56:04.0757 5696 [ 67DFF7BBBD0E80AAB7B3CF061448DB8A ] ERSvc C:\WINDOWS\System32\ersvc.dll

10:56:04.0757 5696 ERSvc - ok

10:56:04.0820 5696 [ C6CE6EEC82F187615D1002BB3BB50ED4 ] Eventlog C:\WINDOWS\system32\services.exe

10:56:04.0835 5696 Eventlog - ok

10:56:05.0007 5696 [ 3D9418CF112A11ADC45E2A0C0A44DF47 ] EventSystem C:\WINDOWS\system32\es.dll

10:56:05.0007 5696 EventSystem - ok

10:56:05.0054 5696 [ 3117F595E9615E04F05A54FC15A03B20 ] Fastfat C:\WINDOWS\system32\drivers\Fastfat.sys

10:56:05.0054 5696 Fastfat - ok

10:56:05.0070 5696 [ 53D9184A21C5CBF600D918E51EF3A7E5 ] FastUserSwitchingCompatibility C:\WINDOWS\System32\shsvcs.dll

10:56:05.0085 5696 FastUserSwitchingCompatibility - ok

10:56:05.0085 5696 [ CED2E8396A8838E59D8FD529C680E02C ] Fdc C:\WINDOWS\system32\DRIVERS\fdc.sys

10:56:05.0085 5696 Fdc - ok

10:56:05.0117 5696 [ E153AB8A11DE5452BCF5AC7652DBF3ED ] Fips C:\WINDOWS\system32\drivers\Fips.sys

10:56:05.0117 5696 Fips - ok

10:56:05.0132 5696 [ 0DD1DE43115B93F4D85E889D7A86F548 ] Flpydisk C:\WINDOWS\system32\DRIVERS\flpydisk.sys

10:56:05.0132 5696 Flpydisk - ok

10:56:05.0163 5696 [ 5A85CD3D07273E3F6FE72EE9C6431632 ] FltMgr C:\WINDOWS\system32\DRIVERS\fltMgr.sys

10:56:05.0163 5696 FltMgr - ok

10:56:05.0242 5696 [ 993883524AA9CF1C90E1545411A9AC9C ] FontCache3.0.0.0 C:\WINDOWS\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe

10:56:05.0242 5696 FontCache3.0.0.0 - ok

10:56:05.0257 5696 [ 3E1E2BD4F39B0E2B7DC4F4D2BCC2779A ] Fs_Rec C:\WINDOWS\system32\drivers\Fs_Rec.sys

10:56:05.0257 5696 Fs_Rec - ok

10:56:05.0288 5696 [ 6AC26732762483366C3969C9E4D2259D ] Ftdisk C:\WINDOWS\system32\DRIVERS\ftdisk.sys

10:56:05.0288 5696 Ftdisk - ok

10:56:05.0288 5696 GMSIPCI - ok

10:56:05.0335 5696 [ C0F1D4A21DE5A415DF8170616703DEBF ] Gpc C:\WINDOWS\system32\DRIVERS\msgpc.sys

10:56:05.0335 5696 Gpc - ok

10:56:05.0382 5696 [ 506708142BC63DABA64F2D3AD1DCD5BF ] gupdate C:\Program Files\Google\Update\GoogleUpdate.exe

10:56:05.0382 5696 gupdate - ok

10:56:05.0398 5696 [ 506708142BC63DABA64F2D3AD1DCD5BF ] gupdatem C:\Program Files\Google\Update\GoogleUpdate.exe

10:56:05.0398 5696 gupdatem - ok

10:56:05.0445 5696 [ 4236E014632F4163F53EBB717F41594C ] HCF_MSFT C:\WINDOWS\system32\DRIVERS\HCF_MSFT.sys

10:56:05.0460 5696 HCF_MSFT - ok

10:56:05.0476 5696 [ 3FCC124B6E08EE0E9351F717DD136939 ] HDAudBus C:\WINDOWS\system32\DRIVERS\HDAudBus.sys

10:56:05.0476 5696 HDAudBus - ok

10:56:05.0538 5696 [ 8827911A8C37E40C027CBFC88E69D967 ] helpsvc C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll

10:56:05.0538 5696 helpsvc - ok

10:56:05.0554 5696 [ 9376E6893E52B368ABC6255BF54F0B28 ] HidServ C:\WINDOWS\System32\hidserv.dll

10:56:05.0554 5696 HidServ - ok

10:56:05.0570 5696 [ 1DE6783B918F540149AA69943BDFEBA8 ] HidUsb C:\WINDOWS\system32\DRIVERS\hidusb.sys

10:56:05.0570 5696 HidUsb - ok

10:56:05.0585 5696 hpn - ok

10:56:05.0632 5696 [ 909D110C9634B0F1487EAAEA837317D9 ] HTTP C:\WINDOWS\system32\Drivers\HTTP.sys

10:56:05.0632 5696 HTTP - ok

10:56:05.0648 5696 [ 064D8581ADF77C25133E7D751D917D83 ] HTTPFilter C:\WINDOWS\System32\w3ssl.dll

10:56:05.0663 5696 HTTPFilter - ok

10:56:05.0663 5696 i2omgmt - ok

10:56:05.0663 5696 i2omp - ok

10:56:05.0679 5696 [ 5502B58EEF7486EE6F93F3F164DCB808 ] i8042prt C:\WINDOWS\system32\DRIVERS\i8042prt.sys

10:56:05.0679 5696 i8042prt - ok

10:56:05.0710 5696 [ 1CF03C69B49ACB70C722DF92755C0C8C ] IDriverT C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

10:56:05.0710 5696 IDriverT - ok

10:56:05.0757 5696 [ E7CC3AEAED9893A88876744CD439F76C ] idsvc C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe

10:56:05.0773 5696 idsvc - ok

10:56:05.0788 5696 [ 12C59B8929121ACE2F55ACC86682CF12 ] Imapi C:\WINDOWS\system32\DRIVERS\imapi.sys

10:56:05.0788 5696 Imapi - ok

10:56:05.0804 5696 [ FA788520BCAC0F5D9D5CDE5615C0D931 ] ImapiService C:\WINDOWS\system32\imapi.exe

10:56:05.0804 5696 ImapiService - ok

10:56:05.0804 5696 ini910u - ok

10:56:05.0945 5696 [ C282875880DF189C64C465FC54A0150A ] IntcAzAudAddService C:\WINDOWS\system32\drivers\RtkHDAud.sys

10:56:05.0976 5696 IntcAzAudAddService - ok

10:56:05.0992 5696 IntelIde - ok

10:56:06.0038 5696 [ 4448006B6BC60E6C027932CFC38D6855 ] Ip6Fw C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys

10:56:06.0038 5696 Ip6Fw - ok

10:56:06.0070 5696 [ 731F22BA402EE4B62748ADAF6363C182 ] IpFilterDriver C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys

10:56:06.0070 5696 IpFilterDriver - ok

10:56:06.0085 5696 [ E1EC7F5DA720B640CD8FB8424F1B14BB ] IpInIp C:\WINDOWS\system32\DRIVERS\ipinip.sys

10:56:06.0085 5696 IpInIp - ok

10:56:06.0101 5696 [ 472C75F85E631F8AA87D21C9FEE6238D ] IpNat C:\WINDOWS\system32\DRIVERS\ipnat.sys

10:56:06.0101 5696 IpNat - ok

10:56:06.0101 5696 [ 64537AA5C003A6AFEEE1DF819062D0D1 ] IPSec C:\WINDOWS\system32\DRIVERS\ipsec.sys

10:56:06.0101 5696 IPSec - ok

10:56:06.0132 5696 [ 50708DAA1B1CBB7D6AC1CF8F56A24410 ] IRENUM C:\WINDOWS\system32\DRIVERS\irenum.sys

10:56:06.0132 5696 IRENUM - ok

10:56:06.0148 5696 [ E504F706CCB699C2596E9A3DA1596E87 ] isapnp C:\WINDOWS\system32\DRIVERS\isapnp.sys

10:56:06.0148 5696 isapnp - ok

10:56:06.0226 5696 [ 5739F2821D49975CEDE6BF0153D0CF01 ] JavaQuickStarterService C:\Program Files\Java\jre7\bin\jqs.exe

10:56:06.0226 5696 JavaQuickStarterService - ok

10:56:06.0273 5696 [ EBDEE8A2EE5393890A1ACEE971C4C246 ] Kbdclass C:\WINDOWS\system32\DRIVERS\kbdclass.sys

10:56:06.0273 5696 Kbdclass - ok

10:56:06.0304 5696 [ E182FA8E49E8EE41B4ADC53093F3C7E6 ] kbdhid C:\WINDOWS\system32\DRIVERS\kbdhid.sys

10:56:06.0304 5696 kbdhid - ok

10:56:06.0320 5696 [ 8531438246CE9474E41EE1599904C0C7 ] kmixer C:\WINDOWS\system32\drivers\kmixer.sys

10:56:06.0320 5696 kmixer - ok

10:56:06.0351 5696 [ EB7FFE87FD367EA8FCA0506F74A87FBB ] KSecDD C:\WINDOWS\system32\drivers\KSecDD.sys

10:56:06.0351 5696 KSecDD - ok

10:56:06.0367 5696 [ 76B15AC51A74BE936EA86EA6E08817CF ] lanmanserver C:\WINDOWS\System32\srvsvc.dll

10:56:06.0382 5696 lanmanserver - ok

10:56:06.0413 5696 [ EF48ED538B8BF80825DABB6BA17F2F09 ] lanmanworkstation C:\WINDOWS\System32\wkssvc.dll

10:56:06.0413 5696 lanmanworkstation - ok

10:56:06.0413 5696 lbrtfdc - ok

10:56:06.0429 5696 [ B3EFF6D938C572E90A07B3D87A3C7657 ] LmHosts C:\WINDOWS\System32\lmhsvc.dll

10:56:06.0445 5696 LmHosts - ok

10:56:06.0445 5696 [ 65E794E86468B61F2BC79ABC48BC4433 ] MBAMProtector C:\WINDOWS\system32\drivers\mbam.sys

10:56:06.0445 5696 MBAMProtector - ok

10:56:06.0523 5696 [ 0DCF16B1449811EFA47AB52CAC84093C ] MBAMScheduler C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe

10:56:06.0523 5696 MBAMScheduler - ok

10:56:06.0554 5696 [ 9EAABA4D601004BEA4DAA6E146E19A96 ] MBAMService C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

10:56:06.0554 5696 MBAMService - ok

10:56:06.0585 5696 [ EEAEA6514BA7C9D273B5E87C4E1AAB30 ] mdmxsdk C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys

10:56:06.0585 5696 mdmxsdk - ok

10:56:06.0617 5696 [ 4AE068242760A1FB6E1A44BF4E16AFA6 ] mnmdd C:\WINDOWS\system32\drivers\mnmdd.sys

10:56:06.0617 5696 mnmdd - ok

10:56:06.0632 5696 [ BA60F5A89184727FB630556E056107E4 ] mnmsrvc C:\WINDOWS\system32\mnmsrvc.exe

10:56:06.0632 5696 mnmsrvc - ok

10:56:06.0663 5696 [ 6FC6F9D7ACC36DCA9B914565A3AEDA05 ] Modem C:\WINDOWS\system32\drivers\Modem.sys

10:56:06.0663 5696 Modem - ok

10:56:06.0695 5696 [ 1992E0D143B09653AB0F9C5E04B0FD65 ] MODEMCSA C:\WINDOWS\system32\drivers\MODEMCSA.sys

10:56:06.0695 5696 MODEMCSA - ok

10:56:06.0710 5696 [ 34E1F0031153E491910E12551400192C ] Mouclass C:\WINDOWS\system32\DRIVERS\mouclass.sys

10:56:06.0710 5696 Mouclass - ok

10:56:06.0726 5696 [ B1C303E17FB9D46E87A98E4BA6769685 ] mouhid C:\WINDOWS\system32\DRIVERS\mouhid.sys

10:56:06.0726 5696 mouhid - ok

10:56:06.0742 5696 [ 65653F3B4477F3C63E68A9659F85EE2E ] MountMgr C:\WINDOWS\system32\drivers\MountMgr.sys

10:56:06.0742 5696 MountMgr - ok

10:56:06.0742 5696 mraid35x - ok

10:56:06.0773 5696 [ 46EDCC8F2DB2F322C24F48785CB46366 ] MRxDAV C:\WINDOWS\system32\DRIVERS\mrxdav.sys

10:56:06.0773 5696 MRxDAV - ok

10:56:06.0788 5696 [ 83691C30B248034BDDDB76B0D6593449 ] MRxSmb C:\WINDOWS\system32\DRIVERS\mrxsmb.sys

10:56:06.0788 5696 MRxSmb - ok

10:56:06.0820 5696 [ A82FF842A4A4A6420308FF509E29C51F ] MSDTC C:\WINDOWS\system32\msdtc.exe

10:56:06.0820 5696 MSDTC - ok

10:56:06.0835 5696 [ 561B3A4333CA2DBDBA28B5B956822519 ] Msfs C:\WINDOWS\system32\drivers\Msfs.sys

10:56:06.0835 5696 Msfs - ok

10:56:06.0851 5696 MSIServer - ok

10:56:06.0851 5696 [ AE431A8DD3C1D0D0610CDBAC16057AD0 ] MSKSSRV C:\WINDOWS\system32\drivers\MSKSSRV.sys

10:56:06.0851 5696 MSKSSRV - ok

10:56:06.0867 5696 [ 13E75FEF9DFEB08EEDED9D0246E1F448 ] MSPCLOCK C:\WINDOWS\system32\drivers\MSPCLOCK.sys

10:56:06.0867 5696 MSPCLOCK - ok

10:56:06.0882 5696 [ 1988A33FF19242576C3D0EF9CE785DA7 ] MSPQM C:\WINDOWS\system32\drivers\MSPQM.sys

10:56:06.0882 5696 MSPQM - ok

10:56:06.0898 5696 [ 469541F8BFD2B32659D5D463A6714BCE ] mssmbios C:\WINDOWS\system32\DRIVERS\mssmbios.sys

10:56:06.0898 5696 mssmbios - ok

10:56:06.0929 5696 [ 79A9C030299E8CC04F18D0765155D902 ] Mup C:\WINDOWS\system32\drivers\Mup.sys

10:56:06.0929 5696 Mup - ok

10:56:06.0945 5696 [ 558635D3AF1C7546D26067D5D9B6959E ] NDIS C:\WINDOWS\system32\drivers\NDIS.sys

10:56:06.0945 5696 NDIS - ok

10:56:06.0976 5696 [ 08D43BBDACDF23F34D79E44ED35C1B4C ] NdisTapi C:\WINDOWS\system32\DRIVERS\ndistapi.sys

10:56:06.0976 5696 NdisTapi - ok

10:56:06.0992 5696 [ 77D9BF86B912104C229D4F0D25BE3C12 ] Ndisuio C:\WINDOWS\system32\DRIVERS\ndisuio.sys

10:56:06.0992 5696 Ndisuio - ok

10:56:06.0992 5696 [ 0B90E255A9490166AB368CD55A529893 ] NdisWan C:\WINDOWS\system32\DRIVERS\ndiswan.sys

10:56:06.0992 5696 NdisWan - ok

10:56:07.0023 5696 [ 59FC3FB44D2669BC144FD87826BB571F ] NDProxy C:\WINDOWS\system32\drivers\NDProxy.sys

10:56:07.0023 5696 NDProxy - ok

10:56:07.0038 5696 [ 3A2ACA8FC1D7786902CA434998D7CEB4 ] NetBIOS C:\WINDOWS\system32\DRIVERS\netbios.sys

10:56:07.0038 5696 NetBIOS - ok

10:56:07.0054 5696 [ 0C80E410CD2F47134407EE7DD19CC86B ] NetBT C:\WINDOWS\system32\DRIVERS\netbt.sys

10:56:07.0054 5696 NetBT - ok

10:56:07.0070 5696 [ 05AFB5AD06462257BEA7495283C86D50 ] NetDDE C:\WINDOWS\system32\netdde.exe

10:56:07.0070 5696 NetDDE - ok

10:56:07.0085 5696 [ 05AFB5AD06462257BEA7495283C86D50 ] NetDDEdsdm C:\WINDOWS\system32\netdde.exe

10:56:07.0085 5696 NetDDEdsdm - ok

10:56:07.0101 5696 [ 84885F9B82F4D55C6146EBF6065D75D2 ] Netlogon C:\WINDOWS\system32\lsass.exe

10:56:07.0117 5696 Netlogon - ok

10:56:07.0148 5696 [ 3516D8A18B36784B1005B950B84232E1 ] Netman C:\WINDOWS\System32\netman.dll

10:56:07.0148 5696 Netman - ok

10:56:07.0179 5696 [ F9102685F97F9BA85F4A70AFCF722CFE ] NetTcpPortSharing C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe

10:56:07.0179 5696 NetTcpPortSharing - ok

10:56:07.0195 5696 [ 4E74AF063C3271FBEA20DD940CFD1184 ] Nla C:\WINDOWS\System32\mswsock.dll

10:56:07.0210 5696 Nla - ok

10:56:07.0226 5696 [ 4F601BCB8F64EA3AC0994F98FED03F8E ] Npfs C:\WINDOWS\system32\drivers\Npfs.sys

10:56:07.0242 5696 Npfs - ok

10:56:07.0257 5696 [ 7179AC3F4258AEC9627590A842FDA1D6 ] Ntfs C:\WINDOWS\system32\drivers\Ntfs.sys

10:56:07.0257 5696 Ntfs - ok

10:56:07.0257 5696 [ 84885F9B82F4D55C6146EBF6065D75D2 ] NtLmSsp C:\WINDOWS\system32\lsass.exe

10:56:07.0257 5696 NtLmSsp - ok

10:56:07.0304 5696 [ B62F29C00AC55A761B2E45877D85EA0F ] NtmsSvc C:\WINDOWS\system32\ntmssvc.dll

10:56:07.0320 5696 NtmsSvc - ok

10:56:07.0351 5696 [ 73C1E1F395918BC2C6DD67AF7591A3AD ] Null C:\WINDOWS\system32\drivers\Null.sys

10:56:07.0351 5696 Null - ok

10:56:07.0367 5696 [ 982702A22349C2B31F7DCEF62241058F ] NVENETFD C:\WINDOWS\system32\DRIVERS\NVENETFD.sys

10:56:07.0382 5696 NVENETFD - ok

10:56:07.0398 5696 [ BC0F2C4ED9D6DA9A2519C55AF7D4FC60 ] nvnetbus C:\WINDOWS\system32\DRIVERS\nvnetbus.sys

10:56:07.0398 5696 nvnetbus - ok

10:56:07.0413 5696 [ B305F3FAD35083837EF46A0BBCE2FC57 ] NwlnkFlt C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys

10:56:07.0413 5696 NwlnkFlt - ok

10:56:07.0413 5696 [ C99B3415198D1AAB7227F2C88FD664B9 ] NwlnkFwd C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys

10:56:07.0413 5696 NwlnkFwd - ok

10:56:07.0460 5696 [ 7A56CF3E3F12E8AF599963B16F50FB6A ] ose C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE

10:56:07.0460 5696 ose - ok

10:56:07.0476 5696 [ 29744EB4CE659DFE3B4122DEB45BC478 ] Parport C:\WINDOWS\system32\DRIVERS\parport.sys

10:56:07.0476 5696 Parport - ok

10:56:07.0507 5696 [ 3334430C29DC338092F79C38EF7B4CD0 ] PartMgr C:\WINDOWS\system32\drivers\PartMgr.sys

10:56:07.0507 5696 PartMgr - ok

10:56:07.0507 5696 [ 70E98B3FD8E963A6A46A2E6247E0BEA1 ] ParVdm C:\WINDOWS\system32\drivers\ParVdm.sys

10:56:07.0507 5696 ParVdm - ok

10:56:07.0538 5696 [ 8086D9979234B603AD5BC2F5D890B234 ] PCI C:\WINDOWS\system32\DRIVERS\pci.sys

10:56:07.0538 5696 PCI - ok

10:56:07.0538 5696 PCIDump - ok

10:56:07.0554 5696 [ CCF5F451BB1A5A2A522A76E670000FF0 ] PCIIde C:\WINDOWS\system32\DRIVERS\pciide.sys

10:56:07.0554 5696 PCIIde - ok

10:56:07.0570 5696 [ 82A087207DECEC8456FBE8537947D579 ] Pcmcia C:\WINDOWS\system32\drivers\Pcmcia.sys

10:56:07.0570 5696 Pcmcia - ok

10:56:07.0601 5696 [ 5B6C11DE7E839C05248CED8825470FEF ] pcouffin C:\WINDOWS\system32\Drivers\pcouffin.sys

10:56:07.0601 5696 pcouffin - ok

10:56:07.0601 5696 PDCOMP - ok

10:56:07.0617 5696 PDFRAME - ok

10:56:07.0617 5696 PDRELI - ok

10:56:07.0632 5696 PDRFRAME - ok

10:56:07.0632 5696 perc2 - ok

10:56:07.0632 5696 perc2hib - ok

10:56:07.0663 5696 [ C6CE6EEC82F187615D1002BB3BB50ED4 ] PlugPlay C:\WINDOWS\system32\services.exe

10:56:07.0663 5696 PlugPlay - ok

10:56:07.0679 5696 [ 84885F9B82F4D55C6146EBF6065D75D2 ] PolicyAgent C:\WINDOWS\system32\lsass.exe

10:56:07.0679 5696 PolicyAgent - ok

10:56:07.0710 5696 [ 1C5CC65AAC0783C344F16353E60B72AC ] PptpMiniport C:\WINDOWS\system32\DRIVERS\raspptp.sys

10:56:07.0710 5696 PptpMiniport - ok

10:56:07.0710 5696 [ 84885F9B82F4D55C6146EBF6065D75D2 ] ProtectedStorage C:\WINDOWS\system32\lsass.exe

10:56:07.0710 5696 ProtectedStorage - ok

10:56:07.0726 5696 [ 48671F327553DCF1D27F6197F622A668 ] PSched C:\WINDOWS\system32\DRIVERS\psched.sys

10:56:07.0726 5696 PSched - ok

10:56:07.0742 5696 [ 80D317BD1C3DBC5D4FE7B1678C60CADD ] Ptilink C:\WINDOWS\system32\DRIVERS\ptilink.sys

10:56:07.0742 5696 Ptilink - ok

10:56:07.0742 5696 ql1080 - ok

10:56:07.0757 5696 Ql10wnt - ok

10:56:07.0757 5696 ql12160 - ok

10:56:07.0773 5696 ql1240 - ok

10:56:07.0773 5696 ql1280 - ok

10:56:07.0788 5696 [ FE0D99D6F31E4FAD8159F690D68DED9C ] RasAcd C:\WINDOWS\system32\DRIVERS\rasacd.sys

10:56:07.0788 5696 RasAcd - ok

10:56:07.0820 5696 [ 44DB7A9BDD2FB58747D123FBF1D35ADB ] RasAuto C:\WINDOWS\System32\rasauto.dll

10:56:07.0820 5696 RasAuto - ok

10:56:07.0820 5696 [ 98FAEB4A4DCF812BA1C6FCA4AA3E115C ] Rasl2tp C:\WINDOWS\system32\DRIVERS\rasl2tp.sys

10:56:07.0820 5696 Rasl2tp - ok

10:56:07.0835 5696 [ ED5E89DEDB0111E2869CB37D62B46C7A ] RasMan C:\WINDOWS\System32\rasmans.dll

10:56:07.0851 5696 RasMan - ok

10:56:07.0851 5696 [ 7306EEED8895454CBED4669BE9F79FAA ] RasPppoe C:\WINDOWS\system32\DRIVERS\raspppoe.sys

10:56:07.0851 5696 RasPppoe - ok

10:56:07.0851 5696 [ FDBB1D60066FCFBB7452FD8F9829B242 ] Raspti C:\WINDOWS\system32\DRIVERS\raspti.sys

10:56:07.0867 5696 Raspti - ok

10:56:07.0882 5696 [ B48441A6DC703EE4C36DB14EE51A189C ] Rdbss C:\WINDOWS\system32\DRIVERS\rdbss.sys

10:56:07.0882 5696 Rdbss - ok

10:56:07.0882 5696 [ 4912D5B403614CE99C28420F75353332 ] RDPCDD C:\WINDOWS\system32\DRIVERS\RDPCDD.sys

10:56:07.0882 5696 RDPCDD - ok

10:56:07.0929 5696 [ A2CAE2C60BC37E0751EF9DDA7CEAF4AD ] rdpdr C:\WINDOWS\system32\DRIVERS\rdpdr.sys

10:56:07.0929 5696 rdpdr - ok

10:56:07.0945 5696 [ 047BEA21274C8A4A233674A76C958C2C ] RDPWD C:\WINDOWS\system32\drivers\RDPWD.sys

10:56:07.0960 5696 RDPWD - ok

10:56:07.0960 5696 [ 729798E0933076B8FCFCD9934698F164 ] RDSessMgr C:\WINDOWS\system32\sessmgr.exe

10:56:07.0976 5696 RDSessMgr - ok

10:56:08.0023 5696 [ 89525CC2DBAD44F7199B9CC188B3F9C5 ] RealNetworks Downloader Resolver Service C:\Program Files\RealNetworks\RealDownloader\rndlresolversvc.exe

10:56:08.0023 5696 RealNetworks Downloader Resolver Service - ok

10:56:08.0038 5696 [ B31B4588E4086D8D84ADBF9845C2402B ] redbook C:\WINDOWS\system32\DRIVERS\redbook.sys

10:56:08.0054 5696 redbook - ok

10:56:08.0070 5696 [ 3046DB917E3CFA040632799DD9B14865 ] RemoteAccess C:\WINDOWS\System32\mprdim.dll

10:56:08.0070 5696 RemoteAccess - ok

10:56:08.0101 5696 [ 8B5B8A11306190C6963D3473F052D3C8 ] Revoflt C:\WINDOWS\system32\DRIVERS\revoflt.sys

10:56:08.0101 5696 Revoflt - ok

10:56:08.0132 5696 [ 793F04A09B15E7C6C11DBDFFAF06C0AB ] RpcLocator C:\WINDOWS\system32\locator.exe

10:56:08.0132 5696 RpcLocator - ok

10:56:08.0163 5696 [ 348F04E3582EF2467EE5379D67B99FD7 ] RpcSs C:\WINDOWS\system32\rpcss.dll

10:56:08.0163 5696 RpcSs - ok

10:56:08.0195 5696 [ 0E11B35E972796042044BC27CE13B065 ] rspndr C:\WINDOWS\system32\DRIVERS\rspndr.sys

10:56:08.0195 5696 rspndr - ok

10:56:08.0226 5696 [ 471B3F9741D762ABE75E9DEEA4787E47 ] RSVP C:\WINDOWS\system32\rsvp.exe

10:56:08.0226 5696 RSVP - ok

10:56:08.0367 5696 [ 017CC2E361A47461472BC4C08BD12440 ] RTHDMIAzAudService C:\WINDOWS\system32\drivers\RtHDMI.sys

10:56:08.0382 5696 RTHDMIAzAudService - ok

10:56:08.0398 5696 [ 84885F9B82F4D55C6146EBF6065D75D2 ] SamSs C:\WINDOWS\system32\lsass.exe

10:56:08.0398 5696 SamSs - ok

10:56:08.0429 5696 [ 39763504067962108505BFF25F024345 ] SASDIFSV C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS

10:56:08.0429 5696 SASDIFSV - ok

10:56:08.0445 5696 [ 77B9FC20084B48408AD3E87570EB4A85 ] SASKUTIL C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS

10:56:08.0445 5696 SASKUTIL - ok

10:56:08.0476 5696 [ 25D8DE134DF108E3DBC8D7D23B1AA58E ] SCardSvr C:\WINDOWS\System32\SCardSvr.exe

10:56:08.0476 5696 SCardSvr - ok

10:56:08.0507 5696 [ 92360854316611F6CC471612213C3D92 ] Schedule C:\WINDOWS\system32\schedsvc.dll

10:56:08.0507 5696 Schedule - ok

10:56:08.0523 5696 [ 07F7F501AD50DE2BA2D5842D9B6D6155 ] Secdrv C:\WINDOWS\system32\DRIVERS\secdrv.sys

10:56:08.0523 5696 Secdrv - ok

10:56:08.0554 5696 [ B1E0CE09895376871746F36DC5773B4F ] seclogon C:\WINDOWS\System32\seclogon.dll

10:56:08.0554 5696 seclogon - ok

10:56:08.0570 5696 [ DFD9870CF39C791D86C4C209DA9FA919 ] SENS C:\WINDOWS\system32\sens.dll

10:56:08.0570 5696 SENS - ok

10:56:08.0585 5696 [ A2D868AEEFF612E70E213C451A70CAFB ] serenum C:\WINDOWS\system32\DRIVERS\serenum.sys

10:56:08.0585 5696 serenum - ok

10:56:08.0601 5696 [ CD9404D115A00D249F70A371B46D5A26 ] Serial C:\WINDOWS\system32\DRIVERS\serial.sys

10:56:08.0601 5696 Serial - ok

10:56:08.0632 5696 [ 0D13B6DF6E9E101013A7AFB0CE629FE0 ] Sfloppy C:\WINDOWS\system32\drivers\Sfloppy.sys

10:56:08.0632 5696 Sfloppy - ok

10:56:08.0663 5696 [ 36CC8C01B5E50163037BEF56CB96DEFF ] SharedAccess C:\WINDOWS\System32\ipnathlp.dll

10:56:08.0679 5696 SharedAccess - ok

10:56:08.0695 5696 [ 53D9184A21C5CBF600D918E51EF3A7E5 ] ShellHWDetection C:\WINDOWS\System32\shsvcs.dll

10:56:08.0695 5696 ShellHWDetection - ok

10:56:08.0695 5696 Simbad - ok

10:56:08.0710 5696 Sparrow - ok

10:56:08.0710 5696 [ 9BB1DD670CB7505A90FC4E61D4AA8227 ] splitter C:\WINDOWS\system32\drivers\splitter.sys

10:56:08.0726 5696 splitter - ok

10:56:08.0742 5696 [ AD3D9D191AEA7B5445FE1D82FFBB4788 ] Spooler C:\WINDOWS\system32\spoolsv.exe

10:56:08.0742 5696 Spooler - ok

10:56:08.0773 5696 [ E41B6D037D6CD08461470AF04500DC24 ] Sr C:\WINDOWS\system32\DRIVERS\sr.sys

10:56:08.0773 5696 Sr - ok

10:56:08.0788 5696 [ 92BDF74F12D6CBEC43C94D4B7F804838 ] srservice C:\WINDOWS\system32\srsvc.dll

10:56:08.0788 5696 srservice - ok

10:56:08.0820 5696 [ 5230953C21C811B5FC1FF31AE2B48097 ] Srv C:\WINDOWS\system32\DRIVERS\srv.sys

10:56:08.0820 5696 Srv - ok

10:56:08.0835 5696 [ 4B8D61792F7175BED48859CC18CE4E38 ] SSDPSRV C:\WINDOWS\System32\ssdpsrv.dll

10:56:08.0835 5696 SSDPSRV - ok

10:56:08.0867 5696 [ D9F097AA3B97034D3358A01B43E635B2 ] stisvc C:\WINDOWS\system32\wiaservc.dll

10:56:08.0882 5696 stisvc - ok

10:56:08.0898 5696 [ 03C1BAE4766E2450219D20B993D6E046 ] swenum C:\WINDOWS\system32\DRIVERS\swenum.sys

10:56:08.0898 5696 swenum - ok

10:56:08.0898 5696 [ 94ABC808FC4B6D7D2BBF42B85E25BB4D ] swmidi C:\WINDOWS\system32\drivers\swmidi.sys

10:56:08.0898 5696 swmidi - ok

10:56:08.0898 5696 SwPrv - ok

10:56:08.0913 5696 symc810 - ok

10:56:08.0913 5696 symc8xx - ok

10:56:08.0929 5696 sym_hi - ok

10:56:08.0929 5696 sym_u3 - ok

10:56:08.0929 5696 [ 650AD082D46BAC0E64C9C0E0928492FD ] sysaudio C:\WINDOWS\system32\drivers\sysaudio.sys

10:56:08.0929 5696 sysaudio - ok

10:56:08.0960 5696 [ 8B54AA346D1B1B113FFAA75501B8B1B2 ] SysmonLog C:\WINDOWS\system32\smlogsvc.exe

10:56:08.0960 5696 SysmonLog - ok

10:56:08.0976 5696 [ 1418A3A6E76E5A2E3F5E43866E793A8B ] TapiSrv C:\WINDOWS\System32\tapisrv.dll

10:56:08.0992 5696 TapiSrv - ok

10:56:09.0023 5696 [ 03738E4B4AAE1DFDF246C36A6B9709D6 ] Tcpip C:\WINDOWS\system32\DRIVERS\tcpip.sys

10:56:09.0023 5696 Tcpip - ok

10:56:09.0054 5696 [ 38D437CF2D98965F239B0ABCD66DCB0F ] TDPIPE C:\WINDOWS\system32\drivers\TDPIPE.sys

10:56:09.0054 5696 TDPIPE - ok

10:56:09.0070 5696 [ ED0580AF02502D00AD8C4C066B156BE9 ] TDTCP C:\WINDOWS\system32\drivers\TDTCP.sys

10:56:09.0070 5696 TDTCP - ok

10:56:09.0070 5696 [ A540A99C281D933F3D69D55E48727F47 ] TermDD C:\WINDOWS\system32\DRIVERS\termdd.sys

10:56:09.0070 5696 TermDD - ok

10:56:09.0101 5696 [ C29A5286E64D97385178452D5F307B98 ] TermService C:\WINDOWS\System32\termsrv.dll

10:56:09.0101 5696 TermService - ok

10:56:09.0132 5696 [ 53D9184A21C5CBF600D918E51EF3A7E5 ] Themes C:\WINDOWS\System32\shsvcs.dll

10:56:09.0132 5696 Themes - ok

10:56:09.0148 5696 [ 37DB0A7D097310E8B4DE803FC3119C78 ] TlntSvr C:\WINDOWS\system32\tlntsvr.exe

10:56:09.0163 5696 TlntSvr - ok

10:56:09.0163 5696 TosIde - ok

10:56:09.0179 5696 [ 6D9AC544B30F96C57F8206566C1FB6A1 ] TrkWks C:\WINDOWS\system32\trkwks.dll

10:56:09.0195 5696 TrkWks - ok

10:56:09.0288 5696 [ D179DD8F0C475B0FC609EE01FB3F5F50 ] TuneUp.UtilitiesSvc C:\Program Files\TuneUp Utilities 2013\TuneUpUtilitiesService32.exe

10:56:09.0304 5696 TuneUp.UtilitiesSvc - ok

10:56:09.0320 5696 [ 94C4CD2D19B8C4137A46261F229FEC24 ] TuneUpUtilitiesDrv C:\Program Files\TuneUp Utilities 2013\TuneUpUtilitiesDriver32.sys

10:56:09.0320 5696 TuneUpUtilitiesDrv - ok

10:56:09.0351 5696 [ 12F70256F140CD7D52C58C7048FDE657 ] Udfs C:\WINDOWS\system32\drivers\Udfs.sys

10:56:09.0351 5696 Udfs - ok

10:56:09.0351 5696 ultra - ok

10:56:09.0382 5696 [ BB879DCFD22926EFBEB3298129898CBB ] UnlockerDriver5 C:\Program Files\Unlocker\UnlockerDriver5.sys

10:56:09.0382 5696 UnlockerDriver5 - ok

10:56:09.0413 5696 [ A4815A4884898F355A3513E60843A4FD ] Update C:\WINDOWS\system32\DRIVERS\update.sys

10:56:09.0413 5696 Update - ok

10:56:09.0429 5696 [ 36ACA6CDC19C95FF468A1426EB7F32F0 ] upnphost C:\WINDOWS\System32\upnphost.dll

10:56:09.0445 5696 upnphost - ok

10:56:09.0445 5696 [ 3F5DF65B0758675F95A2D43918A740A3 ] UPS C:\WINDOWS\System32\ups.exe

10:56:09.0445 5696 UPS - ok

10:56:09.0460 5696 [ BFFD9F120CC63BCBAA3D840F3EEF9F79 ] usbccgp C:\WINDOWS\system32\DRIVERS\usbccgp.sys

10:56:09.0460 5696 usbccgp - ok

10:56:09.0492 5696 [ A45EA1550EA4B368C4FBA7CA9D056BC9 ] usbehci C:\WINDOWS\system32\DRIVERS\usbehci.sys

10:56:09.0492 5696 usbehci - ok

10:56:09.0507 5696 [ A874D1629762019CEAF824AD8A8C5660 ] usbhub C:\WINDOWS\system32\DRIVERS\usbhub.sys

10:56:09.0507 5696 usbhub - ok

10:56:09.0523 5696 [ 555B2B2108C5085CC203202FEC702D08 ] usbohci C:\WINDOWS\system32\DRIVERS\usbohci.sys

10:56:09.0523 5696 usbohci - ok

10:56:09.0538 5696 [ A42369B7CD8886CD7C70F33DA6FCBCF5 ] usbprint C:\WINDOWS\system32\DRIVERS\usbprint.sys

10:56:09.0538 5696 usbprint - ok

10:56:09.0554 5696 [ A6BC71402F4F7DD5B77FD7F4A8DDBA85 ] usbscan C:\WINDOWS\system32\DRIVERS\usbscan.sys

10:56:09.0554 5696 usbscan - ok

10:56:09.0554 5696 [ 6CD7B22193718F1D17A47A1CD6D37E75 ] USBSTOR C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS

10:56:09.0570 5696 USBSTOR - ok

10:56:09.0585 5696 [ 8A60EDD72B4EA5AEA8202DAF0E427925 ] VgaSave C:\WINDOWS\System32\drivers\vga.sys

10:56:09.0585 5696 VgaSave - ok

10:56:09.0585 5696 ViaIde - ok

10:56:09.0601 5696 [ EE4660083DEBA849FF6C485D944B379B ] VolSnap C:\WINDOWS\system32\drivers\VolSnap.sys

10:56:09.0617 5696 VolSnap - ok

10:56:09.0617 5696 [ 3EE00364AE0FD8D604F46CBAF512838A ] VSS C:\WINDOWS\System32\vssvc.exe

10:56:09.0632 5696 VSS - ok

10:56:09.0648 5696 [ 2B281958F5D0CF99ED626E3EF39D5C8D ] W32Time C:\WINDOWS\system32\w32time.dll

10:56:09.0648 5696 W32Time - ok

10:56:09.0663 5696 [ 984EF0B9788ABF89974CFED4BFBAACBC ] Wanarp C:\WINDOWS\system32\DRIVERS\wanarp.sys

10:56:09.0663 5696 Wanarp - ok

10:56:09.0679 5696 WDICA - ok

10:56:09.0679 5696 [ 0BFA8203B8148FB4E54BC212C41CE497 ] wdmaud C:\WINDOWS\system32\drivers\wdmaud.sys

10:56:09.0679 5696 wdmaud - ok

10:56:09.0695 5696 [ 346E7D636ADFE4E3B1B32AF8326220FF ] WebClient C:\WINDOWS\System32\webclnt.dll

10:56:09.0695 5696 WebClient - ok

10:56:09.0726 5696 [ CF063A377D62E93999122DC109ADB271 ] Winachcf C:\WINDOWS\system32\DRIVERS\winachcf.sys

10:56:09.0742 5696 Winachcf - ok

10:56:09.0788 5696 [ F399242A80C4066FD155EFA4CF96658E ] winmgmt C:\WINDOWS\system32\wbem\WMIsvc.dll

10:56:09.0788 5696 winmgmt - ok

10:56:09.0820 5696 [ C51B4A5C05A5475708E3C81C7765B71D ] WmdmPmSN C:\WINDOWS\system32\mspmsnsv.dll

10:56:09.0820 5696 WmdmPmSN - ok

10:56:09.0851 5696 [ 1AFF244CA134956C54474F4E2433E4CE ] Wmi C:\WINDOWS\System32\advapi32.dll

10:56:09.0851 5696 Wmi - ok

10:56:09.0867 5696 [ BA8CECC3E813E1F7C441B20393D4F86C ] WmiApSrv C:\WINDOWS\system32\wbem\wmiapsrv.exe

10:56:09.0867 5696 WmiApSrv - ok

10:56:09.0960 5696 [ F74E3D9A7FA9556C3BBB14D4E5E63D3B ] WMPNetworkSvc C:\Program Files\Windows Media Player\WMPNetwk.exe

10:56:09.0960 5696 WMPNetworkSvc - ok

10:56:09.0976 5696 [ 478995B4555958E52388496618D9C678 ] wscsvc C:\WINDOWS\system32\wscsvc.dll

10:56:09.0992 5696 wscsvc - ok

10:56:10.0007 5696 [ 365980DA5B43B397542429B0743E6226 ] wuauserv C:\WINDOWS\system32\wuauserv.dll

10:56:10.0023 5696 wuauserv - ok

10:56:10.0023 5696 [ F15FEAFFFBB3644CCC80C5DA584E6311 ] WudfPf C:\WINDOWS\system32\DRIVERS\WudfPf.sys

10:56:10.0023 5696 WudfPf - ok

10:56:10.0038 5696 [ 28B524262BCE6DE1F7EF9F510BA3985B ] WudfRd C:\WINDOWS\system32\DRIVERS\wudfrd.sys

10:56:10.0038 5696 WudfRd - ok

10:56:10.0038 5696 [ 05231C04253C5BC30B26CBAAE680ED89 ] WudfSvc C:\WINDOWS\System32\WUDFSvc.dll

10:56:10.0038 5696 WudfSvc - ok

10:56:10.0070 5696 [ B1F190A2BF52B8F4601C677F475CE5E5 ] WZCSVC C:\WINDOWS\System32\wzcsvc.dll

10:56:10.0085 5696 WZCSVC - ok

10:56:10.0101 5696 [ EEF46DAB68229A14DA3D8E73C99E2959 ] xmlprov C:\WINDOWS\System32\xmlprov.dll

10:56:10.0101 5696 xmlprov - ok

10:56:10.0101 5696 ================ Scan global ===============================

10:56:10.0132 5696 [ 00EF9C3AF83EDBAF18CA7A2837750117 ] C:\WINDOWS\system32\basesrv.dll

10:56:10.0163 5696 [ 3E958EBBE7DA5691E8B08429A7EDB44B ] C:\WINDOWS\system32\winsrv.dll

10:56:10.0163 5696 [ 3E958EBBE7DA5691E8B08429A7EDB44B ] C:\WINDOWS\system32\winsrv.dll

10:56:10.0179 5696 [ C6CE6EEC82F187615D1002BB3BB50ED4 ] C:\WINDOWS\system32\services.exe

10:56:10.0195 5696 [Global] - ok

10:56:10.0195 5696 ================ Scan MBR ==================================

10:56:10.0210 5696 [ 10AE9EB13951B8E206480773F877A330 ] \Device\Harddisk0\DR0

10:56:10.0320 5696 \Device\Harddisk0\DR0 - ok

10:56:10.0320 5696 [ 5FB38429D5D77768867C76DCBDB35194 ] \Device\Harddisk1\DR1

10:56:10.0382 5696 \Device\Harddisk1\DR1 - ok

10:56:10.0398 5696 [ 5FB38429D5D77768867C76DCBDB35194 ] \Device\Harddisk2\DR2

10:56:10.0445 5696 \Device\Harddisk2\DR2 - ok

10:56:10.0445 5696 [ 5FB38429D5D77768867C76DCBDB35194 ] \Device\Harddisk3\DR9

10:56:10.0538 5696 \Device\Harddisk3\DR9 - ok

10:56:10.0538 5696 [ 8F558EB6672622401DA993E1E865C861 ] \Device\Harddisk4\DR11

10:56:12.0820 5696 \Device\Harddisk4\DR11 - ok

10:56:12.0820 5696 ================ Scan VBR ==================================

10:56:12.0820 5696 [ 057001B094AF9BAE1A0C08E417A84B3D ] \Device\Harddisk0\DR0\Partition1

10:56:12.0835 5696 \Device\Harddisk0\DR0\Partition1 - ok

10:56:12.0835 5696 [ ECFBD985CD9D628E542FE1F9E3351472 ] \Device\Harddisk1\DR1\Partition1

10:56:12.0835 5696 \Device\Harddisk1\DR1\Partition1 - ok

10:56:12.0835 5696 [ FA5CA029FF86CF6DA587E32068FA2AA6 ] \Device\Harddisk1\DR1\Partition2

10:56:12.0835 5696 \Device\Harddisk1\DR1\Partition2 - ok

10:56:12.0835 5696 [ C868078063E9904B9093FE933FE16A72 ] \Device\Harddisk2\DR2\Partition1

10:56:12.0851 5696 \Device\Harddisk2\DR2\Partition1 - ok

10:56:12.0851 5696 [ 2D773742CF790A06F4E50A48DB8673D8 ] \Device\Harddisk3\DR9\Partition1

10:56:12.0851 5696 \Device\Harddisk3\DR9\Partition1 - ok

10:56:12.0851 5696 [ 3C5726D38EA476395F58BBC78658743A ] \Device\Harddisk4\DR11\Partition1

10:56:12.0851 5696 \Device\Harddisk4\DR11\Partition1 - ok

10:56:12.0851 5696 ============================================================

10:56:12.0851 5696 Scan finished

10:56:12.0851 5696 ============================================================

10:56:12.0867 2028 Detected object count: 0

10:56:12.0867 2028 Actual detected object count: 0



#4 cnm

cnm

    Mother Lion of SWI

  • Administrators
  • 25,257 posts

Posted 17 May 2013 - 01:01 PM

OK.  Please try to turn on Windows File Protection.  This is important.
Go to Start > Run, type REGEDIT then press the Enter key.

Find the following registry keys:

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

Look for the key "SFCDisable" and double click on it.  Make a note of the current value, then:

Set the value to 0.  (zero)

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Windows File Protection]

Look for the key "SFCDisable" and double click on it.  Make a note of the current value, then:

Set the value to 0.  (zero)

 

Exit from Regedit.

 

Go to Start > Run, type cmd.exe then press the Enter key.

At the command prompt enter SFC   /SCANNOW

Note: There's a space between sfc and /scannow.

 

Restart your computer if sfc /scannow did actually repair any files.  Note: System File Checker may or may not prompt you to restart but even if it doesn't, you should restart anyway.

Reboot into Safe Mode with network (hit F8 several times while booting to get the boot menu).  Do your symptoms occur in Safe Mode?

So far the malware is very well hidden.


Microsoft MVP Windows Security 2005-2006
How camest thou in this pickle? -- William Shakespeare:(1564-1616)
The various helper groups here
UNITE


#5 Rathater13

Rathater13

    Member

  • Full Member
  • 17 posts

Posted 18 May 2013 - 12:53 PM

Many thanks for your continued help, Mother Lion of SWI :).

 

The mystery, though, seems to deepen...
 
No problem with changing the first value of "SFCDisable" to 0 :).
 
However, when I got to [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Windows File Protection] I discovered that there's just Windows in the Microsoft folder but no Windows NT. I double and triple checked. Still no Windows NT key there!
 
And googling for the missing Windows NT didn't get me anything immediately useful, either :(.
 
So, what's next? No Windows NT key there, apparently no Windows File Protection to enable?!
 
Many thanks again :).
 
Rathater 13 ;)

Edited by Rathater13, 18 May 2013 - 12:53 PM.


#6 cnm

cnm

    Mother Lion of SWI

  • Administrators
  • 25,257 posts

Posted 18 May 2013 - 01:10 PM

Search for additional instances of SFCDisable as follows:
Please download SystemLook from one of the links below and save it to your Desktop on the affected PC.
http://jpshortstuff..../SystemLook.exe
http://images.malwar.../SystemLook.exe
Double-click SystemLook.exe to run it.
Copy the content of the following codebox into the main textfield:

:regfind
SFCDisable

Click the 'Look' button to start the scan and wait for a few minutes until the "Look" button reappears.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt




#7 Rathater13

Rathater13

    Member

  • Full Member
  • 17 posts

Posted 19 May 2013 - 04:09 PM

Hi Mother Lion of SWI:
 
Thanks!
 
Here's the SystemLook log:
SystemLook 30.07.11 by jpshortstuff
Log created at 13:55 on 19/05/2013 by Administrator-Dude
Administrator - Elevation successful
No Context:  :regfind
No Context:  SFCDisable
= EOF =
 
Apparently no more 'SFCDisable' registry entries...
 
I'm sorry this RAT seems to be rather difficult to find and root out :).
 
What's next?
 
Many thanks again,
 
Rathater13 ;)
 
P.S. Changing the 'SFCDisable' value (in [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]) to '0' (from ffffff9d) appears to have fixed the boot problems! :)

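Posts #4 and #7 above cover the registry side of Windows File Protection: both keys are to be inspected for SFCDisable, and the value actually found under Winlogon was ffffff9d. The script below is an added example, not code from the thread or from Microsoft. It decodes SFCDisable from a regedit export (.reg text) rather than from the live registry, so it runs on any machine. The SFC_MEANINGS table is my reading of the documented Windows 2000/XP values plus the undocumented 0xffffff9d, which the thread itself does not explain; the sample export is constructed to mirror what the poster found (value present under Winlogon, Policies\...\Windows NT key absent).

```python
import re

# The two keys the helper asked to inspect.
SFC_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Windows File Protection",
)

# Windows 2000/XP SFCDisable values. 0xffffff9d is the undocumented value that
# switches WFP off outright; it is the value the poster reported finding.
SFC_MEANINGS = {
    0x00000000: "enabled (default)",
    0x00000001: "disabled; prompts at the next boot to re-enable",
    0x00000002: "disabled for the next boot only",
    0x00000004: "enabled, WFP pop-ups suppressed",
    0xFFFFFF9D: "disabled outright (undocumented value)",
}
ENABLED_VALUES = {None, 0x0, 0x4}   # anything else (unknown included) is treated as off

KEY_RE = re.compile(r"^\[(.+)\]$")
DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')


def parse_reg_export(text):
    """Return {key.lower(): {value_name.lower(): int}} for the DWORD values in .reg text.
    Only DWORDs are kept; SFCDisable is a DWORD and that is all this check needs."""
    tree, current = {}, None
    for line in (ln.strip() for ln in text.splitlines()):
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).lower()       # registry paths are case-insensitive
            tree.setdefault(current, {})
            continue
        m = DWORD_RE.match(line)
        if m and current is not None:
            tree[current][m.group(1).lower()] = int(m.group(2), 16)
    return tree


def sfc_status(reg_text):
    """One (key, value or None, description) per key in SFC_KEYS."""
    tree = parse_reg_export(reg_text)
    report = []
    for key in SFC_KEYS:
        values = tree.get(key.lower())
        if values is None:
            report.append((key, None, "key absent: no override here (default applies)"))
        elif "sfcdisable" not in values:
            report.append((key, None, "value absent: default (enabled)"))
        else:
            v = values["sfcdisable"]
            report.append((key, v, SFC_MEANINGS.get(v, "unknown value 0x%08x" % v)))
    return report


def wfp_disabled(reg_text):
    """True if either key carries a value that turns Windows File Protection off."""
    return any(v not in ENABLED_VALUES for _, v, _ in sfc_status(reg_text))


# Constructed export, cut down to two values: regedit's File > Export of the
# Winlogon key with the ffffff9d the poster reported. The Policies\...\Windows NT
# key is absent, as it was on the poster's machine.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"SFCDisable"=dword:ffffff9d
"SFCQuota"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows]
"""

if __name__ == "__main__":
    for key, value, meaning in sfc_status(SAMPLE_EXPORT):
        shown = "-" if value is None else "0x%08x" % value
        print(f"{shown:>10}  {meaning}\n            {key}")
    print("WFP disabled:", wfp_disabled(SAMPLE_EXPORT))
```

To run it against a real export, take one on the affected machine with `regedit /e winlogon.reg "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"` (and likewise for the Policies key, if it exists) and read the file with `open(path, encoding="utf-16")`, since regedit writes version 5.00 exports as UTF-16.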

#8 cnm

cnm

    Mother Lion of SWI

  • Administrators
  • 25,257 posts

Posted 19 May 2013 - 04:16 PM

OK, good, we can stop worrying about it.  However, SystemLook log suggests it wasn't run correctly ("No Context"). Try it again.  The text to copy into the top of its text window is:

 

:regfind
SFCDisable

 

Don't leave out the colon, and don't leave an empty line above it or space before it.




#9 Rathater13

Rathater13

    Member

  • Full Member
  • 17 posts

Posted 20 May 2013 - 11:41 AM

Hi Mother Lion of SWI:
 
Thanks again! :)
 
Here's today's SystemLook log:
SystemLook 30.07.11 by jpshortstuff
Log created at 08:34 on 20/05/2013 by Administrator-Dude
Administrator - Elevation successful
 
========== regfind ==========
 
Searching for "SFCDisable"
No data found.
 
-= EOF =-
 
I did it exactly as you specified. Apparently, still no "SFCDisable" keys?! :(
 
What about running software like Agnitum's Tauscan or a related program that can (allegedly) tell from which program the RAT tried to connect to a website with "potentially malicious content"?
 
If there's no Windows File Protection key (?!) in the Registry, are there ways to somehow add it to the Registry or other ways to scan/access the SFC (System File Checker)?
 
Btw, I did look for 'Windows File Protection' in the Registry and found this (below) in: HKEY_LOCAL_MACHINE/SYSTEM/Services/Eventlog/System-Sources (Sources being one of the keys in the System folder). No idea, though, if that's relevant in any way :(
WZCSVC
Wudf01000
WPDClassInstaller
Workstation
WMPNetworkSvc
Windows Update Agent
Windows Script Host
Windows File Protection
Win32k
W32Time
VolSnap
viaide
VgaSave
USER32
UPS
ultra
udfs
toside
TermServSessDir
TermService
TermServDevices
TermDD
tdi
TCPMon
Tcpip
System Error
sym_u3
sym_hi
symc8xx
symc810
StillImage
SSDPSRV
Srv
srservice
sr
sparrow
sndblst
SMSvcHost 3.0.0.0
Simbad
SideBySide
sfloppy
Setup
Service Control Manager
Server
serial
scsiport
Schedule
Schannel
SCardSvr
Save Dump
SAM
RSVP
rspndr
Removable Storage Service
RemoteAccess
redbook
Rdbss
RasMan
RasAuto
ql1280
ql1240
ql12160
ql10wnt
ql1080
PSched
PrintFilterPipelineSvc
Print
PptpMiniport
PolicyAgent
PlugPlayManager
perc2
pcmcia
pciide
pci
parvdm
partmgr
parport
OSPFMib
OSPF
NVENETFD
null
NtServicePack
ntfs
npfs
Nla
Netlogon
NetDDE
NetBT
NetBIOS
NdisWan
ndis
Mup
msfs
MSDTC WS-AT Protocol
MSDTC Gateway
msadlib
MrxSmb
MRxDAV
mraid35x
mouhid
mouclass
Modem
LsaSrv
LmHosts
LDMS
LDM
lbrtfdc
Kerberos
kbdhid
kbdclass
isapnp
IPXSAP
IPXRouterManager
IPXRIP
IPXCP
IPSec
IPRouterManager
IPRIP2
IPNATHLP
IPMGM
IPBOOTP
intelide
ini910u
IGMPv2
i8042prt
i2omp
i2omgmt
Http
hpn
HCF_MSFT
ftdisk
fs_rec
flpydisk
Fips
fdc
fastfat
eventlog
efs
dpti2o
Dnscache
Dnsapi
dmio
dmboot
Distributed Link Tracking Client
disk
Dhcp
DfsSvc
DfsDriver
DCOM
dac960nt
dac2w2k
cpqarray
cmdide
changer
cdrom
Cdm
cdfs
cdaudio
cd20xrnt
cbidf2k
Browser
BITS
beep
Atmarpc
ati2mtag
Ati HotKey Poller
atdisk
atapi
AsyncMac
asc3550
asc3350p
asc
Application Popup
apphelp
amsint
ami0nt
AmdK8
aliide
aic78xx
aic78u2
aha154x
adpu160m
acpiec
acpi
abp480n5
abiosdsk
System
 
I also found a Windows File Protection folder in: HKEY_LOCAL_MACHINE/SYSTEM/Services/Eventlog/System/Windows File Protection.
 
Many thanks again,
 
Rathater13 ;)
 


#10 cnm

cnm

    Mother Lion of SWI

  • Administrators
  • 25,257 posts

Posted 20 May 2013 - 12:02 PM

Agnitum has discontinued development on the Trojan-specific Tauscan product.

 

 

I think your System File Protection is working now - I just wanted to be sure it wasn't being overridden by some other instance of SFCDisable.

 

Please do this now:

Go to Start > Run, type cmd.exe then press the Enter key.

At the command prompt enter SFC   /SCANNOW

Note: There's a space between sfc and /scannow.

 

Restart your computer if sfc /scannow did actually repair any files.  Note: System File Checker may or may not prompt you to restart but even if it doesn't, you should restart anyway if it repaired anything.




#11 Rathater13

Rathater13

    Member

  • Full Member
  • 17 posts

Posted 21 May 2013 - 03:55 PM

Hi Mother Lion of SWI:
 
When I did this again...
Go to Start > Run, type cmd.exe then press the Enter key.
At the command prompt enter SFC   /SCANNOW
Note: There's a space between sfc and /scannow.
 
... I only got the same error message I got a few days ago: Windows File Protection could not initiate a scan of protected system files. The specific error code is 0x000006ba [The RPC server is unavailable]. :(.
 
Googling quite a bit for additional info (i.e. Windows File Protection could not initiate a scan of protected system files. The specific error code is 0x000006ba [The RPC server is unavailable] and Malwarebytes Anti-Malware: Succesfully blocked access to potentially malicious website: .... Type: outgoing.) I found a couple of suggestions that might work.
 
For example to run AdwCleaner and/or ComboFix and sfcenable.
 
And...
Try this:
1) Click Start then Run... and type in cmd and press Enter.
2) Now type in enable RpcSs SYSTEM_AUTO_START and press Enter.
3) Restart your PC and see if you can run sfc.
4) If not then try a Chkdsk, which is what helped me with this same issue :).

 

Also...

1) Rename a file called sfcfiles.dll to sfcfiles.old
2) Restart your system
3) Rename the sfcfiles.old file back to sfcfiles.dll - you should find this file in c:\windows\system32 (it may be hidden though).
4) If the file isn't there then do a search (using Windows search) for any files named sfcfiles.dll
5) Copy this file and paste it into the C:\Windows\System32 folder
6) Restart your system 
7) Try running a sfc /scannow again.
 
What do you think?
 
Many thanks,

Rathater13 ;)


Edited by Rathater13, 21 May 2013 - 03:57 PM.


#12 cnm

cnm

    Mother Lion of SWI

  • Administrators
  • 25,257 posts

Posted 21 May 2013 - 03:57 PM

We need a look.

Please download Farbar Service Scanner and run it on the computer with the issue.

  • Check all the boxes.
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.



#13 Rathater13

Rathater13

    Member

  • Full Member
  • 17 posts

Posted 22 May 2013 - 04:42 PM

Below is the FSS log. Many thanks :).
 
Farbar Service Scanner Version: 14-04-2013
Ran by Administrator-Dude (administrator) on 22-05-2013 at 14:37:11
Running from "C:\Users\Administrator\Desktop\Malware Forum"
Microsoft Windows XP Service Pack 2 (X86)
Boot Mode: Normal
****************************************************************
 
Internet Services:
============
 
Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Attempt to access Yahoo IP returned error. Yahoo IP is offline
Yahoo.com is accessible.
 
 
Windows Firewall:
=============
 
Firewall Disabled Policy: 
==================
 
 
System Restore:
============
 
System Restore Disabled Policy: 
========================
 
 
Security Center:
============
 
Windows Update:
============
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is set to Disabled. The default start type is Auto.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv: "C:\WINDOWS\system32\wuauserv.dll".
 
 
Windows Autoupdate Disabled Policy: 
============================
 
 
File Check:
========
C:\WINDOWS\system32\dhcpcsvc.dll
[2007-10-09 21:04] - [2007-10-09 21:04] - 0112128 ____A (Microsoft Corporation) 3F15A1DBD86F7BDAF404648282D11ECE
 
C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\netbt.sys
[2004-08-03 23:14] - [2004-08-03 23:14] - 0162816 ____A (Microsoft Corporation) 0C80E410CD2F47134407EE7DD19CC86B
 
C:\WINDOWS\system32\Drivers\tcpip.sys
[2007-10-09 21:14] - [2007-10-09 21:14] - 0360704 ____A (Microsoft Corporation) 03738E4B4AAE1DFDF246C36A6B9709D6
 
C:\WINDOWS\system32\Drivers\ipsec.sys
[2004-08-03 23:14] - [2004-08-03 23:14] - 0074752 ____A (Microsoft Corporation) 64537AA5C003A6AFEEE1DF819062D0D1
 
C:\WINDOWS\system32\dnsrslvr.dll
[2004-08-04 00:56] - [2004-08-04 00:56] - 0045568 ____A (Microsoft Corporation) 7379DE06FD196E396A00AA97B990C00D
 
C:\WINDOWS\system32\ipnathlp.dll
[2004-08-04 00:56] - [2004-08-04 00:56] - 0331264 ____A (Microsoft Corporation) 36CC8C01B5E50163037BEF56CB96DEFF
 
C:\WINDOWS\system32\netman.dll
[2007-10-09 21:05] - [2007-10-09 21:05] - 0197632 ____A (Microsoft Corporation) 3516D8A18B36784B1005B950B84232E1
 
C:\WINDOWS\system32\wbem\WMIsvc.dll
[2013-05-05 18:39] - [2004-08-04 00:56] - 0144896 ____A (Microsoft Corporation) F399242A80C4066FD155EFA4CF96658E
 
C:\WINDOWS\system32\srsvc.dll
[2013-05-05 18:41] - [2004-08-04 00:56] - 0170496 ____A (Microsoft Corporation) 92BDF74F12D6CBEC43C94D4B7F804838
 
C:\WINDOWS\system32\Drivers\sr.sys
[2013-05-05 18:41] - [2004-08-03 23:06] - 0073472 ____A (Microsoft Corporation) E41B6D037D6CD08461470AF04500DC24
 
C:\WINDOWS\system32\wscsvc.dll
[2007-10-09 21:07] - [2007-10-09 21:07] - 0080896 ____A (Microsoft Corporation) 478995B4555958E52388496618D9C678
 
C:\WINDOWS\system32\wbem\WMIsvc.dll
[2013-05-05 18:39] - [2004-08-04 00:56] - 0144896 ____A (Microsoft Corporation) F399242A80C4066FD155EFA4CF96658E
 
C:\WINDOWS\system32\wuauserv.dll
[2013-05-05 18:41] - [2007-10-09 21:07] - 0025944 ____A (Microsoft Corporation) 365980DA5B43B397542429B0743E6226
 
C:\WINDOWS\system32\qmgr.dll
[2013-05-05 18:41] - [2004-08-04 00:56] - 0382464 ____A (Microsoft Corporation) 2C69EC7E5A311334D10DD95F338FCCEA
 
C:\WINDOWS\system32\es.dll
[2007-10-09 21:04] - [2007-10-09 21:04] - 0243200 ____A (Microsoft Corporation) 3D9418CF112A11ADC45E2A0C0A44DF47
 
C:\WINDOWS\system32\cryptsvc.dll
[2007-10-09 21:04] - [2007-10-09 21:04] - 0062464 ____A (Microsoft Corporation) 87F3E2D2A3231F820F9248DB90090F42
 
C:\WINDOWS\system32\svchost.exe
[2004-08-04 00:56] - [2004-08-04 00:56] - 0014336 ____A (Microsoft Corporation) 8F078AE4ED187AAABC0A305146DE6716
 
C:\WINDOWS\system32\rpcss.dll
[2007-10-09 21:06] - [2007-10-09 21:06] - 0399360 ____A (Microsoft Corporation) 348F04E3582EF2467EE5379D67B99FD7
 
C:\WINDOWS\system32\services.exe
[2004-08-04 00:56] - [2004-08-04 00:56] - 0108032 ____A (Microsoft Corporation) C6CE6EEC82F187615D1002BB3BB50ED4
 
 
Extra List:
=======
aswFW(9) aswTdi(8) Gpc(6) IPSec(4) NetBT(5) PSched(7) Tcpip(3) 
0x09000000040000000100000002000000030000000900000008000000050000000600000007000000
IpSec Tag value is correct.
 
**** End of log ****

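The FSS log above prints an MD5 for a handful of system files and flags that wuauserv's start type is Disabled instead of Auto; the TDSSKiller log earlier in the thread hashed many of the same files. As an added example (not code from Farbar, Kaspersky or the thread), the Python below parses both log formats, compares the hash each tool reported for the same path, flags any service whose start type deviates from its default, and checks hashes against a trusted baseline. Two tools disagreeing on a file is the thing worth chasing; agreement is only a weak positive signal. The sample lines are copied from the two posted logs, and the baseline is constructed (its basesrv.dll entry is deliberately fake so the mismatch branch runs; nothing on the page suggests that file was altered).

```python
import re
from collections import defaultdict, namedtuple

FileRecord = namedtuple("FileRecord", "path md5 source")
ServiceIssue = namedtuple("ServiceIssue", "service start_type default")

# TDSSKiller: "<time> <pid> [ <MD5> ] [<service>] <path>". Service names never contain
# ':' or '\', which is how a bare path is told apart from "<service> <path>".
TDSS_RE = re.compile(r"^\S+\s+\d+\s+\[ ([0-9A-F]{32}) \]\s+(?:([^\s:\\]+)\s+)?(.+)$")
# FSS "File Check": a path line, then "[mtime] - [ctime] - size attrs (company) MD5";
# or "<path> => MD5 is legit" when FSS matched the hash against its own database.
FSS_PATH_RE = re.compile(r"^[A-Za-z]:\\\S")
FSS_DETAIL_RE = re.compile(r"^\[[^\]]+\] - \[[^\]]+\] - \d+ \S+ \([^)]*\) ([0-9A-F]{32})$")
FSS_LEGIT_RE = re.compile(r"^(.+?) => MD5 is legit$")
FSS_START_RE = re.compile(r"^The start type of (\S+) service is set to (\w+)\. "
                          r"The default start type is (\w+)\.$")


def parse_tdsskiller(text):
    """(path, MD5) for every object TDSSKiller hashed; '- ok' lines are skipped."""
    out = []
    for line in text.splitlines():
        m = TDSS_RE.match(line.strip())
        if m:
            md5, _service, path = m.groups()
            out.append(FileRecord(path.strip().lower(), md5.upper(), "tdsskiller"))
    return out


def parse_fss(text):
    """Return (file records, service issues) from a Farbar Service Scanner log."""
    files, issues, pending = [], [], None
    for line in (ln.strip() for ln in text.splitlines()):
        legit, start, detail = (FSS_LEGIT_RE.match(line), FSS_START_RE.match(line),
                                FSS_DETAIL_RE.match(line))
        if legit:                                 # FSS vouched for it but printed no hash
            files.append(FileRecord(legit.group(1).lower(), None, "fss-verified"))
        elif start and start.group(2).lower() != start.group(3).lower():
            issues.append(ServiceIssue(*start.groups()))   # start type differs from default
        elif detail and pending:
            files.append(FileRecord(pending, detail.group(1).upper(), "fss"))
        # a bare path line means the hash follows on the next line
        pending = line.lower() if FSS_PATH_RE.match(line) and not legit else None
    return files, issues


def cross_check(records, baseline=None):
    """One verdict per path, from the hashes all sources reported for it."""
    baseline = {k.lower(): v.upper() for k, v in (baseline or {}).items()}
    seen = defaultdict(lambda: defaultdict(set))   # path -> md5 -> {sources}
    for r in records:
        if r.md5:
            seen[r.path][r.md5].add(r.source)
    verdicts = {}
    for path, by_md5 in seen.items():
        if len(by_md5) > 1:
            verdicts[path] = "CONFLICT between tools"
            continue
        md5, sources = next(iter(by_md5.items()))
        if path in baseline:
            verdicts[path] = "baseline match" if baseline[path] == md5 else "BASELINE MISMATCH"
        elif len(sources) > 1:
            verdicts[path] = "tools agree (no baseline)"
        else:
            verdicts[path] = "single source, unverified"
    return verdicts


def analyse(tdss_text, fss_text, baseline=None):
    fss_files, issues = parse_fss(fss_text)
    return cross_check(parse_tdsskiller(tdss_text) + fss_files, baseline), issues


# Sample lines copied from the two logs posted in this thread.
SAMPLE_TDSS = r"""
10:56:09.0023 5696 [ 03738E4B4AAE1DFDF246C36A6B9709D6 ] Tcpip C:\WINDOWS\system32\DRIVERS\tcpip.sys
10:56:09.0023 5696 Tcpip - ok
10:56:10.0132 5696 [ 00EF9C3AF83EDBAF18CA7A2837750117 ] C:\WINDOWS\system32\basesrv.dll
"""
SAMPLE_FSS = r"""
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is set to Disabled. The default start type is Auto.

C:\WINDOWS\system32\dhcpcsvc.dll
[2007-10-09 21:04] - [2007-10-09 21:04] - 0112128 ____A (Microsoft Corporation) 3F15A1DBD86F7BDAF404648282D11ECE

C:\WINDOWS\system32\Drivers\afd.sys => MD5 is legit
C:\WINDOWS\system32\Drivers\tcpip.sys
[2007-10-09 21:14] - [2007-10-09 21:14] - 0360704 ____A (Microsoft Corporation) 03738E4B4AAE1DFDF246C36A6B9709D6
"""
# Constructed baseline: dhcpcsvc.dll repeats the hash FSS printed; basesrv.dll gets a
# deliberately fake hash so the mismatch branch is exercised.
SAMPLE_BASELINE = {
    r"C:\WINDOWS\system32\dhcpcsvc.dll": "3F15A1DBD86F7BDAF404648282D11ECE",
    r"C:\WINDOWS\system32\basesrv.dll": "0" * 32,
}

if __name__ == "__main__":
    verdicts, issues = analyse(SAMPLE_TDSS, SAMPLE_FSS, SAMPLE_BASELINE)
    for path, verdict in sorted(verdicts.items()):
        print(f"{verdict:26} {path}")
    for i in issues:
        print(f"service {i.service}: start type is {i.start_type}, default is {i.default}")
```

On real logs, call `analyse(open("tdsskiller.log").read(), open("FSS.txt").read(), baseline)`. The baseline has to come from a clean installation of the same Windows version and service pack, because legitimate hashes change with every update; the modification dates FSS prints next to each file are a second sanity check on that.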

#14 Rathater13

Rathater13

    Member

  • Full Member
  • 17 posts

Posted 22 May 2013 - 04:47 PM

Hi Mother Lion of SWI:

 

Not sure if that has anything to do with that possible RAT but Malwarebytes pops up these notes even when no browsers are running.

 

Rathater13 ;) 



#15 cnm

cnm

    Mother Lion of SWI

  • Administrators
  • 25,257 posts

Posted 22 May 2013 - 05:17 PM

Hi Mother Lion of SWI:
 
Not sure if that has anything to do with that possible RAT but Malwarebytes pops up these notes even when no browsers are running.
 
Rathater13 ;)

Programs can connect to internet without using a browser and can download files.  If there is a RAT then it could download malware or transmit info and it is good that MBAM stops it.
 
However I just don't see any sign of malware.
Your Windows update is disabled - please do this:
Start > Run and enter services.msc.  Find Windows Update and double-click it.  Set the Startup type to Automatic.
Click Apply and OK.

Another scan for malware:
Please scan your machine with ESET OnlineScan

  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the esetonlinebtn.png button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the esetsmartinstaller_enu.png icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.
  • Please let me know if any problems remain.



#16 Rathater13

Rathater13

    Member

  • Full Member
  • 17 posts

Posted 29 May 2013 - 03:51 PM

Hi Mother Lion of SWI:
 
I'm sorry for the delay in replying :(.
 
While I was running Eset's online scanner the other day after your last reply my computer crashed again, 3 times within a short time. A possible cause might be the CPU that's not firmly attached to the M/B. I then cleaned the CPU fan and the heatsink. I also checked if the CPU wasn't perhaps securely attached to the mainboard, which didn't seem to be the case, though. Anyhow, I then switched to my other machine from which I'm writing this mail now. Well, I plan on trying to finish Eset's online scanner on the other PC ASAP and will then get in touch with you again.
 
Curiously, though, Malwarebytes that I've also installed on my 2nd machine (the one I'm using right now) keeps popping up notes that show IP addresses it says it successfully blocked from connecting to websites with 'potentially malicious code'. But the apps it mentions are as far as I know legit ones such as Google Chrome, FlashGet3 (in one case IP 58.241.191.2 of someone in Nanjing, Jiangsu, China) and svchost.exe (e.g. port 49256). In the case of FlashGet3 it does that even if I'm not downloading anything. Btw, I did run Eset's online scanner on the computer I'm using at the moment but these Malwarebytes pop-up notes still keep appearing even after Eset's online scanner quarantined/deleted whatever it found??!!
 
Many thanks :).
 
Rathater13 ;) 


#17 cnm

cnm

    Mother Lion of SWI

  • Administrators
  • 25,257 posts

Posted 29 May 2013 - 04:16 PM

It sounds as though the 2nd machine is infected.  Please start a separate topic for it, name it "rathater13 2nd machine", and post its logs there.  Include a link to this topic.




#18 Rathater13

Rathater13

    Member

  • Full Member
  • 17 posts

Posted 31 May 2013 - 08:30 PM

Hi Mother Lion of SWI:
 
Thanks for your reply.
 
Below is the ESET Online Scanner log of today. Although ESET found (and deleted) 40 instances of malware those Malwarebytes pop-up notes keep coming... :(
C:\Program Files\SearchProtect\bin\ChromeModule.dll a variant of Win32/Conduit.SearchProtect.C application cleaned by deleting - quarantined
C:\Program Files\SearchProtect\bin\FirefoxModule.dll a variant of Win32/Conduit.SearchProtect.C application cleaned by deleting - quarantined
C:\Program Files\SearchProtect\bin\InternetExplorerModule.dll a variant of Win32/Conduit.SearchProtect.C application cleaned by deleting - quarantined
C:\Program Files\SearchProtect\ffprotect\application.js Win32/Conduit.SearchProtect.A application cleaned by deleting - quarantined
C:\Program Files\SearchProtect\ffprotect\nsprotector.js Win32/Conduit.SearchProtect.A application cleaned by deleting - quarantined
C:\UBCD4Win\BartPE\programs\sdfix\SDFix.exe Win32/PrcView application deleted - quarantined
C:\UBCD4Win\plugin\Cleanup Tools\SDFix\SDFix.exe Win32/PrcView application deleted - quarantined
C:\Users\Administrator\Application Data\Real\Update\UpgradeHelper\RealPlayer\10.40\agent\stub_data\stubinst_pkg_en-eu.cab Win32/OpenCandy application deleted - quarantined
C:\Users\All Users\Application Data\APN\APN-Stub\W3IV6-G\APNIC.7z Win32/Bundled.Toolbar.Ask.B application deleted - quarantined
C:\Users\All Users\Application Data\APN\APN-Stub\W3IV6-G\APNIC.dll Win32/Bundled.Toolbar.Ask.B application cleaned by deleting - quarantined
C:\Users\All Users\Application Data\YTD Video Downloader\ytd_installer.exe a variant of Win32/Bundled.Toolbar.Ask.C application cleaned by deleting - quarantined
F:\Software\Smaller Files\Downloads & P2P\Video Downloaders\YTDSetup.exe a variant of Win32/Bundled.Toolbar.Ask.C application cleaned by deleting - quarantined
F:\Software\Smaller Files\PC Maintenance\Registry Software\UnibluRegistrybooster\Uniblue RegistryBooster 2011 v. 6.0.7.2.rar Win32/RegistryBooster application deleted - quarantined
F:\Software\Smaller Files\PC Maintenance\Unlockers\Unlocker1.9.2.exe a variant of Win32/Toolbar.Babylon.E application cleaned by deleting - quarantined
H:\Downloads\Setup-Stick für Windows 7 und XP\Win-7\Service-Pack\Update-Pack für Microsoft Windows 7 x64 ohne Service Pack (19.05.2013).exe Win32/OpenCandy application cleaned by deleting - quarantined
H:\Downloads\Setup-Stick für Windows 7 und XP\Win-XP\UBCD4WinV360.exe Win32/PrcView application cleaned by deleting - quarantined
H:\Downloads\Software\MD5 Checker Setup.exe a variant of Win32/Adware.iBryte.H application cleaned by deleting - quarantined
H:\Software\Smaller Files\Anti Virus Software\Malware Software\IObit Malware Fighter PRO v1.11\imf-setup.exe a variant of Win32/Toolbar.Widgi application cleaned by deleting - quarantined
H:\Software\Smaller Files\Anti Virus Software\Malware Software\IObit Malware Fighter PRO v1.11\IObit Malware Fighter PRO v1.11\imf-setup.exe a variant of Win32/Toolbar.Widgi application cleaned by deleting - quarantined
H:\Software\Smaller Files\Audio & Video\PowerISO\PowerISO_3.7_with_keygen.rar a variant of Win32/Keygen.CP application deleted - quarantined
H:\Software\Smaller Files\Audio & Video\WM Recorder\WM Recorder 9\Keygen.exe a variant of Win32/Keygen.CY application cleaned by deleting - quarantined
H:\Software\Smaller Files\Desk\Organizers\Osmo\SoftonicDownloader_for_osmo.exe a variant of Win32/SoftonicDownloader.E application cleaned by deleting - quarantined
H:\Software\Smaller Files\Downloads & P2P\FlashGet\flashget3.7.0.1218en-d2c.exe Win32/OpenCandy application cleaned by deleting - quarantined
H:\Software\Smaller Files\Downloads & P2P\FlashGet\SoftonicDownloader_for_flashget-portable.exe a variant of Win32/SoftonicDownloader.E application cleaned by deleting - quarantined
H:\Software\Smaller Files\Downloads & P2P\LimeWire\LimeWire PRO 5.5.5 Final+Serial-[HB]\setup.exe multiple threats cleaned by deleting - quarantined
H:\Software\Smaller Files\Downloads & P2P\Various\1ClickDownload_Setup.exe Win32/Adware.1ClickDownload application cleaned by deleting - quarantined
H:\Software\Smaller Files\Downloads & P2P\Video Downloaders\YTD YouTube Downloader\SoftonicDownloader (for YTD Video Downloader).exe a variant of Win32/SoftonicDownloader.E application cleaned by deleting - quarantined
H:\Software\Smaller Files\Downloads & P2P\Video Downloaders\YTD YouTube Downloader\YTDSetup 11-12.exe a variant of Win32/Bundled.Toolbar.Ask.C application cleaned by deleting - quarantined
H:\Software\Smaller Files\Downloads & P2P\Video Downloaders\YTD YouTube Downloader\YTDSetup 12-12.exe a variant of Win32/Bundled.Toolbar.Ask.C application cleaned by deleting - quarantined
H:\Software\Smaller Files\Downloads & P2P\Video Downloaders\YTD YouTube Downloader\YTD Video Downloader PRO v3.9.3 including crack\YTDSetup.exe a variant of Win32/Bundled.Toolbar.Ask.C application cleaned by deleting - quarantined
H:\Software\Smaller Files\Internet, Bookmarks & Browsing\MS Internet Explorer\SoftonicDownloader for IE8.exe a variant of Win32/SoftonicDownloader.E application cleaned by deleting - quarantined
H:\Software\Smaller Files\Internet, Bookmarks & Browsing\Super Hide IP 3.1.7.6 Incl Crack\Super Hide IP 3.1.7.6 Incl Crack [ThumperDC].rar a variant of Win32/Bundled.Toolbar.Ask application deleted - quarantined
H:\Software\Smaller Files\Internet, Bookmarks & Browsing\Super Hide IP 3.1.7.6 Incl Crack\Super Hide IP 3.1.7.6 Incl Crack [ThumperDC]\Super Hide IP 3.1.7.6 Incl Crack [ThumperDC].rar a variant of Win32/Bundled.Toolbar.Ask application deleted - quarantined
H:\Software\Smaller Files\PC Maintenance\Boot Sticks\UBCD4WinV360.exe Win32/PrcView application cleaned by deleting - quarantined
H:\Software\Smaller Files\PC Maintenance\Registry Software\registrybooster.exe a variant of Win32/RegistryBooster application cleaned by deleting - quarantined
H:\Software\Smaller Files\PC Maintenance\UBCD4Win\UBCD4WinV360.exe Win32/PrcView application cleaned by deleting - quarantined
H:\Software\Smaller Files\PC Maintenance\Unlockers\iobitunlocker-setup.exe a variant of Win32/Toolbar.Widgi application cleaned by deleting - quarantined
H:\Software\Smaller Files\PC Maintenance\Unlockers\Unlocker1.9.1-x64.exe multiple threats cleaned by deleting - quarantined
H:\Software\Smaller Files\PC Maintenance\Unlockers\Unlocker1.9.1.exe multiple threats cleaned by deleting - quarantined
H:\Software\Smaller Files\Web Design\acessdiver4.260.installer.exe a variant of Win32/NetTool.AccessDiver.AA application cleaned by deleting - quarantined.
 
What's next? I find it a bit strange that so far none of the scanners has found the culprit...
 
Many thanks :).
 
Rathater13 ;)
 
P.S. I think I'll tackle the possible infection of my other computer when hopefully this one has been fixed. Sorry about perhaps being a bit dense but how do I link to this topic once I've started the other thread? Thanks.   


#19 cnm

cnm

    Mother Lion of SWI

  • Administrators
  • PipPipPipPipPip
  • 25,257 posts

Posted 31 May 2013 - 09:51 PM

With uTorrent on your PC, you can easily get reinfected. P2P file sharing is dangerous. The danger in any kind of sharing is from the files that you download; a lot of them are fakes and have viruses and spyware. File sharing also makes it possible that your two computers infect each other if they are on the same local network.

And you are very vulnerable without SP 3 for XP.
 
Download the ESET Sirefef Cleaner tool and save the file to your Desktop.
Double-click it and wait for its window to appear. If security notifications appear, click Continue or Run.   

The message "Win32/Sirefef.EV found in your system" will be displayed if an infection is found. Press Y on your keyboard to remove the infection. If an infection was found:

  • Once the tool has run, you will be prompted to restore system services after you restart your computer. Press Y on your keyboard to restore system services and restart your computer.
  • Once your computer has restarted, if you are presented with a security notification click Yes or Allow.
  • Click Yes at the ESET Services Repair tool window.
  • Once the ESET Services Repair process is complete, you will again be prompted to restart your computer, to do so click Yes.

Let me know if the Sirefef Cleaner said "Threat Not Found".

Then run the ESET online scanner again and post the log.  I want to see if the things came back.


Microsoft MVP Windows Security 2005-2006
How camest thou in this pickle? -- William Shakespeare:(1564-1616)
The various helper groups here
UNITE


#20 Rathater13

Rathater13

    Member

  • Full Member
  • Pip
  • 17 posts

Posted 02 June 2013 - 04:11 PM

Hi Mother Lion of SWI:
 
Many thanks again!
 
As for the Sirefef Cleaner, it came out as "Threat Not Found" (log below) :).
 
And with regards to ESET's Online Scan, a friend sent me the 2013 Desinfec't version on a memstick I then ran on the Win7 machine. Since I have installed the same software on both the Win XP and the Win 7 machines (and also have the same software backups) I then used the results of the Desinfec't scan to manually delete the infected files on the Win XP computer. After that I again ran the ESET Online Scan, the result of which is added below.
 
What I don't understand, though, is why ESET's Online Scan keeps complaining about these programs: Unlocker 1.92, YTD Downloader and Flashget 3.7. I downloaded all of them again and checked them with Malwarebytes, Avast Internet Security 2013 and SUPERAntiSpyware, none of which found any infections whatsoever.
 
Not sure why but under Win XP I can't run the Desinfec't memstick. So, I'll try to burn it on a CD/DVD with the Win 7 computer to do a scan of the Win XP machine. Once that's been accomplished (and things hopefully come out clean) I plan on installing Win XP with SP3. Hopefully, those frequent incidents of the machine freezing (when I had Win XP with SP3 installed the last time) were just a fluke and not a problem of the OS.
 
Still, after all that hard work ;) Malwarebytes' pop-up notes keep coming... What a bummer! :(
 
Rathater13 ;)
 
P.S. I haven't used P2P software in quite a while, though I sometimes do to download music I can't find on torrent sites. I'm on a fixed income and can't afford to get what folks who are better off can do more easily. But I do make monthly donations to a couple of organizations I feel do a good job at helping to create a more just and sustainable world for all of us :).
P.S. 2 Here are the logs:
ESETSirefefCleaner:
[2013.06.01 10:33:27.844] -
[2013.06.01 10:33:27.844] -     ....................................
[2013.06.01 10:33:27.844] -   ..::::::::::::::::::....................
[2013.06.01 10:33:27.844] -   .::EEEEEE:::SSSSSS::..EEEEEE..TTTTTTTT..    Win32/Sirefef (special build)
[2013.06.01 10:33:27.844] -  .::EE::::EE:SS:::::::.EE....EE....TT......   Version: 1.1.0.11
[2013.06.01 10:33:27.844] -  .::EEEEEEEE::SSSSSS::.EEEEEEEE....TT......   Built: May 23 2013
[2013.06.01 10:33:27.844] -  .::EE:::::::::::::SS:.EE..........TT......
[2013.06.01 10:33:27.844] -   .::EEEEEE:::SSSSSS::..EEEEEE.....TT.....    Copyright © ESET, spol. s r.o.
[2013.06.01 10:33:27.844] -   ..::::::::::::::::::....................    1992-2013. All rights reserved.
[2013.06.01 10:33:27.844] -     ....................................
[2013.06.01 10:33:27.844] -
[2013.06.01 10:33:27.844] - --------------------------------------------------------------------------------
[2013.06.01 10:33:27.844] -
[2013.06.01 10:33:27.844] - INFO: OS: 5.1.2600 SP2
[2013.06.01 10:33:27.844] - INFO: Product Type: Workstation
[2013.06.01 10:33:27.844] - INFO: WoW64: False
[2013.06.01 10:33:27.844] - INFO: Machine guid: 3190EB5B-9587-4B80-9ED2-624152A39CC5
[2013.06.01 10:33:27.844] -
[2013.06.01 10:33:30.719] - INFO: EULA Accepted
[2013.06.01 10:33:30.719] - --------------------------------------------------------------------------------
[2013.06.01 10:33:30.719] - INFO: Scanning for system infection...
[2013.06.01 10:33:30.719] - --------------------------------------------------------------------------------
[2013.06.01 10:33:30.719] -
[2013.06.01 10:33:30.719] - INFO: System modules modification not detected...
[2013.06.01 10:33:30.719] - INFO: Current Shell HKLM [Explorer.exe].
[2013.06.01 10:33:30.719] - INFO: Current SubSystems [%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16].
[2013.06.01 10:33:30.734] - INFO: Win32/Sirefef not found
[2013.06.01 10:41:20.266] - --------------------------------------------------------------------------------
[2013.06.01 10:41:20.266] - INFO: Logging finished successfully...
[2013.06.01 10:41:20.266] - --------------------------------------------------------------------------------
 
ESET Online Scan:
C:\Users\Administrator\Local Settings\Temporary Internet Files\Content.IE5\R0IMAQOX\cbsidlm-tr1_13-FlashGet-SEO-10969751[1].exe Win32/DownloadAdmin.G application cleaned by deleting - quarantined
F:\Downloads\Software\Unlocker1.9.2.exe a variant of Win32/Toolbar.Babylon.E application cleaned by deleting - quarantined
F:\Downloads\Software\YTDSetup.exe a variant of Win32/Bundled.Toolbar.Ask.C application cleaned by deleting - quarantined
F:\Software\Smaller Files\Downloads & P2P\Video Downloaders\YTDSetup.exe a variant of Win32/Bundled.Toolbar.Ask.C application cleaned by deleting - quarantined
F:\Software\Smaller Files\PC Maintenance\Unlockers\Unlocker1.9.2.exe a variant of Win32/Toolbar.Babylon.E application cleaned by deleting - quarantined
H:\Downloads\Software\Unlocker1.9.2.exe a variant of Win32/Toolbar.Babylon.E application cleaned by deleting - quarantined
H:\Downloads\Software\YTDSetup.exe a variant of Win32/Bundled.Toolbar.Ask.C application cleaned by deleting - quarantined
H:\Software\Smaller Files\Downloads & P2P\Video Downloaders\YTDSetup.exe a variant of Win32/Bundled.Toolbar.Ask.C application cleaned by deleting - quarantined
H:\Software\Smaller Files\PC Maintenance\Unlockers\Unlocker1.9.2.exe a variant of Win32/Toolbar.Babylon.E application cleaned by deleting - quarantined
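An added example, not code from this thread or from ESET: a small Python parser for the result lines the ESET Online Scanner writes in the format posted above. It splits each line into path, detection name and action, classes the hit by the type word ESET appends to the detection name, and groups copies of the same file name across drives, which is what makes the same installer show up again on every scan when it is kept on F: and H: as well as in Downloads. The line pattern, the reading of "application" as ESET's potentially unwanted/unsafe application class, and the sample log (six lines copied from this thread plus one made-up trojan line under C:\Example) are assumptions for the example, not ESET documentation.

```python
import re
from collections import Counter, defaultdict
from pathlib import PureWindowsPath

# One ESET Online Scanner result line looks like:
#   <path> [a variant of] Win32/<family> <type> <action>
# The path may contain spaces, so the pattern anchors on the detection name
# instead of splitting on whitespace. (Assumed format, derived from the log above.)
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?P<detection>(?:(?:probably )?a variant of )?Win32/\S+(?: [a-z]+)?|multiple threats)\s+"
    r"(?P<action>.+?)\.?$"
)


def parse_line(line):
    """Return {path, family, kind, action} for a result line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    detection = m.group("detection")
    if detection == "multiple threats":
        family, kind = "multiple threats", "unknown"
    else:
        words = re.sub(r"^(?:probably )?a variant of ", "", detection).split(" ")
        family = words[0]                      # e.g. Win32/Toolbar.Babylon.E
        kind = words[1] if len(words) > 1 else "unknown"
    return {"path": m.group("path"), "family": family, "kind": kind, "action": m.group("action")}


def classify(kind):
    """Map ESET's trailing type word to a coarse class.

    Assumption: in ESET naming 'application' marks potentially unwanted or
    unsafe applications (bundled toolbars, keygens, download managers),
    while 'trojan', 'worm' and similar words mark malware proper.
    """
    if kind == "application":
        return "PUA"
    if kind == "unknown":
        return "unknown"
    return "malware"


def summarize(log_text):
    """Parse a whole log and group the hits by class, family and duplicated file name."""
    results = [r for r in map(parse_line, log_text.splitlines()) if r]
    by_class = Counter(classify(r["kind"]) for r in results)
    by_family = Counter(r["family"] for r in results)
    copies = defaultdict(list)
    for r in results:
        copies[PureWindowsPath(r["path"]).name.lower()].append(r["path"])
    # The same installer kept on several drives gets detected once per copy.
    duplicates = {name: paths for name, paths in copies.items() if len(paths) > 1}
    return {"results": results, "by_class": by_class, "by_family": by_family, "duplicates": duplicates}


# Constructed sample: six lines copied from the thread's own logs plus one
# made-up trojan line (C:\Example\...) so the non-PUA branch is exercised.
SAMPLE_LOG = r"""
F:\Downloads\Software\Unlocker1.9.2.exe a variant of Win32/Toolbar.Babylon.E application cleaned by deleting - quarantined
H:\Downloads\Software\Unlocker1.9.2.exe a variant of Win32/Toolbar.Babylon.E application cleaned by deleting - quarantined
H:\Software\Smaller Files\Downloads & P2P\Video Downloaders\YTDSetup.exe a variant of Win32/Bundled.Toolbar.Ask.C application cleaned by deleting - quarantined
H:\Downloads\Software\MD5 Checker Setup.exe a variant of Win32/Adware.iBryte.H application cleaned by deleting - quarantined
H:\Software\Smaller Files\Audio & Video\PowerISO\PowerISO_3.7_with_keygen.rar a variant of Win32/Keygen.CP application deleted - quarantined
H:\Software\Smaller Files\Downloads & P2P\LimeWire\LimeWire PRO 5.5.5 Final+Serial-[HB]\setup.exe multiple threats cleaned by deleting - quarantined
C:\Example\dropper.exe Win32/Example.A trojan cleaned by deleting - quarantined.
"""

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print("by class: ", dict(report["by_class"]))
    print("by family:", dict(report["by_family"]))
    for name, paths in report["duplicates"].items():
        print(f"{name} detected {len(paths)} times:")
        for p in paths:
            print("   ", p)
```

Feed it the full log text and the duplicates map shows at a glance which "re-detections" are just the same bundled installer sitting in several folders, which is a different situation from a live infection the scanner keeps missing.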

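A second added example, again not part of the thread or of ESET's tool: a Python audit of the two registry values the Sirefef Cleaner prints in the log above, the Winlogon Shell value and the Session Manager SubSystems\Windows value, using the clean output posted here as the baseline. Extra programs appended to the Shell value and extra ServerDll= entries (each of which is a DLL csrss.exe loads at boot) are persistence spots worth reading regardless of the cleaner's own verdict. The baseline values, the field patterns and the tampered sample are assumptions for the example.

```python
import re

# Baseline: the values the cleaner printed in the clean log above, on Windows XP SP2.
# (Assumption: treat that clean output as the expected state for this machine.)
BASELINE_SHELL = "explorer.exe"
BASELINE_SUBSYSTEM_EXE = r"%systemroot%\system32\csrss.exe"
BASELINE_SERVER_DLLS = {"basesrv", "winsrv"}

# The log lines the audit cares about (patterns derived from the posted log).
FIELD_PATTERNS = {
    "shell": re.compile(r"INFO: Current Shell HKLM \[(?P<v>.*)\]\.?$"),
    "subsystems": re.compile(r"INFO: Current SubSystems \[(?P<v>.*)\]\.?$"),
    "modules_clean": re.compile(r"INFO: System modules modification not detected"),
    "verdict": re.compile(r"INFO: Win32/Sirefef(?:\.\w+)? (?P<v>not found|found)"),
}


def parse_cleaner_log(text):
    """Pull the audited fields out of an ESETSirefefCleaner log."""
    fields = {}
    for line in text.splitlines():
        for key, pattern in FIELD_PATTERNS.items():
            m = pattern.search(line)
            if m:
                fields[key] = m.group("v") if "v" in m.groupdict() else True
    return fields


def server_dll_module(token):
    """'ServerDll=winsrv:UserServerDllInitialization,3' -> 'winsrv'."""
    value = token.split("=", 1)[1]
    return re.split(r"[:,]", value, maxsplit=1)[0].lower()


def audit(text):
    """Return a list of findings; an empty list means every checked value matched the baseline."""
    fields = parse_cleaner_log(text)
    findings = []

    # Winlogon Shell: anything beyond Explorer.exe is an extra program started at logon.
    shell = fields.get("shell")
    if shell is None:
        findings.append("Winlogon Shell value missing from log")
    elif shell.strip().lower() != BASELINE_SHELL:
        findings.append(f"Winlogon Shell is not plain Explorer.exe: {shell!r}")

    # SubSystems\Windows: the executable must be csrss.exe, and every ServerDll=
    # entry is a DLL csrss loads at boot, so only the two known ones belong there.
    subsystems = fields.get("subsystems")
    if subsystems is None:
        findings.append("SubSystems value missing from log")
    else:
        tokens = subsystems.split()
        if not tokens or tokens[0].lower() != BASELINE_SUBSYSTEM_EXE:
            findings.append(f"SubSystems executable is not csrss.exe: {tokens[:1]}")
        for token in tokens:
            if token.lower().startswith("serverdll=") and server_dll_module(token) not in BASELINE_SERVER_DLLS:
                findings.append(f"unexpected ServerDll entry: {token}")

    if not fields.get("modules_clean"):
        findings.append("cleaner did not report 'System modules modification not detected'")
    if fields.get("verdict") != "not found":
        findings.append(f"cleaner verdict: {fields.get('verdict')}")
    return findings


# Four lines copied from the clean log posted in this thread.
CLEAN_LOG = r"""
[2013.06.01 10:33:30.719] - INFO: System modules modification not detected...
[2013.06.01 10:33:30.719] - INFO: Current Shell HKLM [Explorer.exe].
[2013.06.01 10:33:30.719] - INFO: Current SubSystems [%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16].
[2013.06.01 10:33:30.734] - INFO: Win32/Sirefef not found
"""

# Constructed sample of what a tampered machine could print: a second program
# appended to the Shell value, an extra ServerDll, and no "modules" line.
TAMPERED_LOG = r"""
[2013.06.01 10:33:30.719] - INFO: Current Shell HKLM [Explorer.exe,C:\Windows\Temp\svc.exe].
[2013.06.01 10:33:30.719] - INFO: Current SubSystems [%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=C:\Windows\Temp\hook.dll,4 ProfileControl=Off MaxRequestThreads=16].
[2013.06.01 10:33:30.734] - INFO: Win32/Sirefef not found
"""

if __name__ == "__main__":
    for name, log in (("clean", CLEAN_LOG), ("tampered", TAMPERED_LOG)):
        print(name, "->", audit(log) or "no findings")
```

The point of the tampered sample is that the cleaner's "not found" verdict and the registry values it prints are separate pieces of evidence: a family-specific tool can say "Threat Not Found" while the values it echoed still show something that does not belong on a stock XP install.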

#21 cnm

cnm

    Mother Lion of SWI

  • Administrators
  • PipPipPipPipPip
  • 25,257 posts

Posted 02 June 2013 - 04:24 PM

Quote: "What I don't understand, though, is why ESET's Online Scan keeps complaining about these programs: Unlocker 1.92, YTD Downloader and Flashget 3.7."

They may use methods that are often used by malware. If an up-to-date Avast finds them clean then they are OK.

Please try to get SP 3 for your Windows XP. SP 2 is no longer supported and is vulnerable to all the latest threats.

http://support.micro...22389#method222

Back up your system first as SP3 installations can fail. We highly recommend making a full disk image with the free Macrium Reflect.




#22 cnm

cnm

    Mother Lion of SWI

  • Administrators
  • PipPipPipPipPip
  • 25,257 posts

Posted 09 June 2013 - 05:29 PM

Are you still with me, rathater13?




#23 cnm

cnm

    Mother Lion of SWI

  • Administrators
  • PipPipPipPipPip
  • 25,257 posts

Posted 23 June 2013 - 01:19 PM

Glad we could help. :)

[Reopened]

Everyone else please begin a New Topic.


Edited by cnm, 05 August 2013 - 05:49 PM.



#24 cnm

cnm

    Mother Lion of SWI

  • Administrators
  • PipPipPipPipPip
  • 25,257 posts

Posted 05 August 2013 - 05:48 PM

Reopened at request of topic owner.



#25 nasdaq

nasdaq

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 48,253 posts

Posted 09 May 2014 - 06:15 AM

Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please tell the moderating team by replying here with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.
nasdaq

Favorite tools: [ SpywareBlaster ] [ Spybot ] [ AdAware ] [ HijackThis ]
[ Housecall online virus scan ] [ Bitdefender online virus scan ]
[ AVG antivirus ] [ Sunbelt Personal Firewall ] [ ZoneAlarm firewall ]

My help is free, but if we have helped you in any way, please consider Donating; see this topic for details.
We need members like you.

========
Shouldn't water be worth more than diamonds?
Adam Smith Glasgow, 1760



