Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

XP slow, redirected websites and MBAM Blocking 89.114.9.97

Started by mjzraz, May 10 2012 08:04 PM

XP firefox malware

This topic is locked
Go to first unread post

17 replies to this topic

#1
mjzraz

Posted 10 May 2012 - 08:04 PM

New Member

Members
17 posts

I have an XP Desktop with redirected web searches, slow performance and MBAM reporting that it is blocking access to websites every couple of minutes.

Here is the DDS.txt

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
Run by tjmakes at 20:35:31 on 2012-05-10
.
============== Running Processes ===============
.
.
============== Pseudo HJT Report ===============
.
uInternet Connection Wizard,ShellNext = iexplore
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton antivirus\engine\16.8.3.6\IPSBHO.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [pronto] "c:\program files\wimba\pronto\pronto.exe"
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10l_Plugin.exe -update plugin
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\Iaanotif.exe
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [IntelMeM] c:\program files\intel\modem event monitor\IntelMEM.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [LogMeIn GUI] "c:\program files\logmein\x86\LogMeInSystray.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\docume~1\tjmakes\startm~1\programs\startup\startup.lnk - c:\program files\hook\myhook.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\eventp~1.lnk - c:\sierra\planner\PLNRnote.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wddmst~1.lnk - c:\program files\western digital\wd smartware\wd drive manager\WDDMStatus.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wdsmar~1.lnk - c:\program files\western digital\wd smartware\front parlor\WDSmartWare.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.1 71.242.0.12
TCP: Interfaces\{AF2BCFCC-E41D-41B9-83CD-E1E385AD5109} : DhcpNameServer = 192.168.1.1 71.242.0.12
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: LMIinit - LMIinit.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
IFEO: ehshell.exe - "c:\program files\logmein\x86\LogMeInSystray.exe" -MceShellRedirect
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\tjmakes\application data\mozilla\firefox\profiles\ex69fmbj.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.alot.com/web?&src_id=12190&client_id=176448126eb8180a965b1d64&camp_id=2533&install_time=2011-05-21T01:15:38Z&tb_version=2.4.16500%28F%29&pr=auto&q=
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\ipsffplgn\components\IPSFFPl.dll
FF - component: c:\documents and settings\tjmakes\application data\mozilla\firefox\profiles\ex69fmbj.default\extensions\toolbar@alot.com\components\AlotXpcom.dll
FF - plugin: c:\documents and settings\tjmakes\application data\move networks\plugins\npqmp071500000347.dll
FF - plugin: c:\documents and settings\tjmakes\application data\move networks\plugins\npqmp071503000010.dll
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
.
============= SERVICES / DRIVERS ===============
.
.
=============== Created Last 30 ================
.
2012-05-11 00:22:46 -------- d-----w- C:\cf
2012-05-10 02:29:50 711240 ----a-w- c:\windows\is-AV3HJ.exe
.
==================== Find3M ====================
.
2012-04-04 19:56:40 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
.
============= FINISH: 20:38:19.82 ===============

Here is the attach.txt:

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
.
==== Disk Partitions =========================
.
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
No restore point in system.
.
==== Installed Programs ======================
.
3100_3200_3300_Help
3100_3200_3300trb
3200
3D Christmas Cottage
Acrobat.com
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.4.5
Adobe Shockwave Player 11.5
AiO_Scan_CDA
AiOSoftwareNPI
Apple Application Support
Apple Mobile Device Support
Apple Software Update
ATI Control Panel
ATI Display Driver
Bonjour
BufferChm
CCleaner
Chutes and Ladders
Compatibility Pack for the 2007 Office system
Complete Care Consumer Service Agreement
CP_AtenaShokunin1Config
CP_CalendarTemplates1
CP_Package_Basic1
CP_Package_Variety1
CP_Package_Variety2
CP_Package_Variety3
CP_Panorama1Config
CueTour
Dell Driver Reset Tool
Destinations
DeviceFunctionQFolder
DeviceManagementQFolder
DocProc
DocumentViewer
DocumentViewerQFolder
ESPNMotion
eSupportQFolder
Event Planner
Fax_CDA
FullDPAppQFolder
GemMaster Mystic
Hallmark Card Studio 2
High Definition Audio Driver Package - KB835221
HijackThis 1.99.1
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB2570791)
Hotfix for Windows XP (KB2633952)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
HP Document Viewer 5.3
HP Image Zone 5.3
HP Imaging Device Functions 5.3
HP PSC & OfficeJet 5.3.A
HP Software Update
HP Solution Center & Imaging Support Tools 5.3
HPProductAssistant
InstantShareDevices
Intel® Matrix Storage Manager
Intel® PRO Network Connections Drivers
Intel® PROSet for Wired Connections
iTunes
Jacquie Lawson Advent Calendar
Jacquie Lawson London Advent Calendar
Java Auto Updater
Java™ 6 Update 20
Java™ 6 Update 5
Learning in Toyland
LogMeIn
Malwarebytes Anti-Malware version 1.61.0.1400
Microsoft .NET Framework 1.0 Hotfix (KB2572066)
Microsoft .NET Framework 1.0 Hotfix (KB953295)
Microsoft .NET Framework 1.0 Hotfix (KB979904)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2656353)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Small Business Edition 2003
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Zoo Tycoon
Modem Event Monitor
Modem Helper
Modem On Hold
Move Media Player
Mozilla Firefox 10.0.2 (x86 en-US)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6 Service Pack 2 (KB954459)
NewCopy_CDA
Night Before Christmas
Norton AntiVirus
Otto
PanoStandAlone
PhotoGallery
PowerDVD 5.5
ProductContextNPI
Pronto 3.1.0-D
QualXServ Service Agreement
QuickTime
RandMap
Readme
Registry Mechanic 10.0
Safari
Scan
ScannerCopy
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Microsoft Windows (KB2564958)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Internet Explorer 7 (KB978207)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB2416400)
Security Update for Windows Internet Explorer 8 (KB2482017)
Security Update for Windows Internet Explorer 8 (KB2497640)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2530548)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2559049)
Security Update for Windows Internet Explorer 8 (KB2586448)
Security Update for Windows Internet Explorer 8 (KB2618444)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2491683)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2503665)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276-v2)
Security Update for Windows XP (KB2536276)
Security Update for Windows XP (KB2544893-v2)
Security Update for Windows XP (KB2544893)
Security Update for Windows XP (KB2555917)
Security Update for Windows XP (KB2562937)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2567053)
Security Update for Windows XP (KB2567680)
Security Update for Windows XP (KB2570222)
Security Update for Windows XP (KB2570947)
Security Update for Windows XP (KB2584146)
Security Update for Windows XP (KB2585542)
Security Update for Windows XP (KB2592799)
Security Update for Windows XP (KB2598479)
Security Update for Windows XP (KB2603381)
Security Update for Windows XP (KB2618451)
Security Update for Windows XP (KB2620712)
Security Update for Windows XP (KB2624667)
Security Update for Windows XP (KB2631813)
Security Update for Windows XP (KB2633171)
Security Update for Windows XP (KB2639417)
Security Update for Windows XP (KB2646524)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981349)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
SkinsHP1
Snowing
SolutionCenter
Sonic Encoders
Sonic_PrimoSDK
Spelling Dictionaries Support For Adobe Reader 9
Status
SUPERAntiSpyware Free Edition
The Game Of Life
TrayApp
Unload
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Windows (KB971513)
Update for Windows Internet Explorer 7 (KB976749)
Update for Windows Internet Explorer 7 (KB980182)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows Internet Explorer 8 (KB980302)
Update for Windows Media Player 10 (KB910393)
Update for Windows Media Player 10 (KB913800)
Update for Windows Media Player 10 (KB926251)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB2541763)
Update for Windows XP (KB2607712)
Update for Windows XP (KB2616676)
Update for Windows XP (KB2641690)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update Rollup 2 for Windows XP Media Center Edition 2005
Verizon Media Manager
VoiceOver Kit
Vz In Home Agent
WD SmartWare
WebFldrs XP
WebReg
Windows Genuine Advantage Validation Tool (KB892130)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 10 Hotfix [See EmeraldQFE2 for more information]
Windows XP Media Center Edition 2005 KB2502898
Windows XP Media Center Edition 2005 KB2619340
Windows XP Media Center Edition 2005 KB2628259
Windows XP Media Center Edition 2005 KB908246
Windows XP Media Center Edition 2005 KB912067
Windows XP Media Center Edition 2005 KB973768
Windows XP Service Pack 3
Zoo Vet
.
==== End Of File ===========================

I have run a MBAM scan and Norton AV scan.
Thanks! This is getting frustrating. I was also getting reports from people that said my verizon mail was sending them spam.

#2
Elise

Posted 11 May 2012 - 09:50 AM

Forum Deity

Experts
8,720 posts

Gender:Female
Location:Romania

Hello and

Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!

Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
Vista/Windows 7 users right-click and select Run As Administrator.
If TDSSKiller does not run, try renaming it.
To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
Click the Start Scan button.
Do not use the computer during the scan
If the scan completes with nothing found, click Close to exit.
If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.o7.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
Copy and paste the contents of that file in your next reply.

regards, Elise

If I am helping you and I haven't replied within 24 hours, please feel free to send me a PM.

#3
mjzraz

Posted 11 May 2012 - 01:09 PM

New Member

Members
17 posts

Thanks - All steps completed.
After reboot it's already running "snappier"

I havent seen any blocked access IP messages yet. Opening windows explorer seemed a little slow, but not horrible.

Log file:

13:52:57.0678 5996 TDSS rootkit removing tool 2.7.34.0 May 2 2012 09:59:18
13:52:58.0350 5996 ============================================================
13:52:58.0350 5996 Current date / time: 2012/05/11 13:52:58.0350
13:52:58.0350 5996 SystemInfo:
13:52:58.0350 5996
13:52:58.0350 5996 OS Version: 5.1.2600 ServicePack: 3.0
13:52:58.0350 5996 Product type: Workstation
13:52:58.0350 5996 ComputerName: D4Z3MZ81
13:52:58.0350 5996 UserName: tjmakes
13:52:58.0350 5996 Windows directory: C:\WINDOWS
13:52:58.0350 5996 System windows directory: C:\WINDOWS
13:52:58.0350 5996 Processor architecture: Intel x86
13:52:58.0350 5996 Number of processors: 2
13:52:58.0350 5996 Page size: 0x1000
13:52:58.0350 5996 Boot type: Normal boot
13:52:58.0350 5996 ============================================================
13:53:02.0506 5996 Drive \Device\Harddisk0\DR0 - Size: 0x2540BE4000 (149.01 Gb), SectorSize: 0x200, Cylinders: 0x4BFC, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000050
13:53:02.0506 5996 ============================================================
13:53:02.0506 5996 \Device\Harddisk0\DR0:
13:53:02.0584 5996 MBR partitions:
13:53:02.0584 5996 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x139C5, BlocksNum 0x11F301F9
13:53:02.0584 5996 ============================================================
13:53:02.0975 5996 C: <-> \Device\Harddisk0\DR0\Partition0
13:53:02.0975 5996 ============================================================
13:53:02.0975 5996 Initialize success
13:53:02.0975 5996 ============================================================
13:53:12.0085 4344 ============================================================
13:53:12.0085 4344 Scan started
13:53:12.0085 4344 Mode: Manual;
13:53:12.0085 4344 ============================================================
13:53:13.0819 4344 Abiosdsk - ok
13:53:14.0038 4344 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS
13:53:14.0179 4344 abp480n5 - ok
13:53:14.0288 4344 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
13:53:14.0335 4344 ACPI - ok
13:53:14.0476 4344 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
13:53:14.0507 4344 ACPIEC - ok
13:53:14.0695 4344 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys
13:53:14.0773 4344 adpu160m - ok
13:53:14.0820 4344 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
13:53:15.0007 4344 aec - ok
13:53:15.0070 4344 AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys
13:53:15.0085 4344 AFD - ok
13:53:15.0226 4344 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys
13:53:15.0273 4344 agp440 - ok
13:53:15.0429 4344 agpCPQ (03a7e0922acfe1b07d5db2eeb0773063) C:\WINDOWS\system32\DRIVERS\agpCPQ.sys
13:53:15.0460 4344 agpCPQ - ok
13:53:15.0804 4344 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\system32\DRIVERS\aha154x.sys
13:53:15.0991 4344 Aha154x - ok
13:53:16.0460 4344 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys
13:53:16.0632 4344 aic78u2 - ok
13:53:16.0632 4344 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys
13:53:16.0695 4344 aic78xx - ok
13:53:17.0413 4344 Alerter (a9a3daa780ca6c9671a19d52456705b4) C:\WINDOWS\system32\alrsvc.dll
13:53:17.0492 4344 Alerter - ok
13:53:17.0523 4344 ALG (8c515081584a38aa007909cd02020b3d) C:\WINDOWS\System32\alg.exe
13:53:17.0523 4344 ALG - ok
13:53:17.0585 4344 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys
13:53:17.0617 4344 AliIde - ok
13:53:17.0726 4344 alim1541 (cb08aed0de2dd889a8a820cd8082d83c) C:\WINDOWS\system32\DRIVERS\alim1541.sys
13:53:17.0742 4344 alim1541 - ok
13:53:17.0867 4344 amdagp (95b4fb835e28aa1336ceeb07fd5b9398) C:\WINDOWS\system32\DRIVERS\amdagp.sys
13:53:17.0898 4344 amdagp - ok
13:53:18.0038 4344 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\system32\DRIVERS\amsint.sys
13:53:18.0179 4344 amsint - ok
13:53:18.0335 4344 Apple Mobile Device (2e3e53a6aef23e24f402c7855b9b1542) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
13:53:18.0789 4344 Apple Mobile Device - ok
13:53:18.0914 4344 AppMgmt (d8849f77c0b66226335a59d26cb4edc6) C:\WINDOWS\System32\appmgmts.dll
13:53:18.0945 4344 AppMgmt - ok
13:53:19.0085 4344 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\system32\DRIVERS\asc.sys
13:53:19.0117 4344 asc - ok
13:53:19.0132 4344 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\system32\DRIVERS\asc3350p.sys
13:53:19.0132 4344 asc3350p - ok
13:53:19.0367 4344 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\system32\DRIVERS\asc3550.sys
13:53:19.0398 4344 asc3550 - ok
13:53:19.0617 4344 aspnet_state (0e5e4957549056e2bf2c49f4f6b601ad) C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
13:53:19.0664 4344 aspnet_state - ok
13:53:19.0710 4344 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
13:53:19.0726 4344 AsyncMac - ok
13:53:19.0789 4344 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
13:53:19.0835 4344 atapi - ok
13:53:19.0867 4344 Atdisk - ok
13:53:19.0929 4344 Ati HotKey Poller (abc57a6f6070baf9786c318f59f29f0b) C:\WINDOWS\system32\Ati2evxx.exe
13:53:20.0164 4344 Ati HotKey Poller - ok
13:53:20.0367 4344 ati2mtag (03621f7f968ff63713943405deb777f9) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
13:53:20.0445 4344 ati2mtag - ok
13:53:20.0554 4344 atinewp2 (34e74fab657dc47031330dfa30ee7e38) C:\WINDOWS\system32\DRIVERS\atinewp2.sys
13:53:20.0601 4344 atinewp2 - ok
13:53:20.0679 4344 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
13:53:20.0711 4344 Atmarpc - ok
13:53:20.0804 4344 AudioSrv (def7a7882bec100fe0b2ce2549188f9d) C:\WINDOWS\System32\audiosrv.dll
13:53:20.0820 4344 AudioSrv - ok
13:53:20.0929 4344 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
13:53:20.0976 4344 audstub - ok
13:53:21.0039 4344 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
13:53:21.0039 4344 Beep - ok
13:53:21.0726 4344 BHDrvx86 (76154fa6a742c613b44bb636b1a7c057) C:\WINDOWS\System32\Drivers\NAV\1008030.006\BHDrvx86.sys
13:53:21.0820 4344 BHDrvx86 - ok
13:53:21.0961 4344 BITS (574738f61fca2935f5265dc4e5691314) C:\WINDOWS\system32\qmgr.dll
13:53:22.0383 4344 BITS - ok
13:53:22.0508 4344 Bonjour Service (5ab58c337ac65837fe404462ad6265ab) C:\Program Files\Bonjour\mDNSResponder.exe
13:53:22.0679 4344 Bonjour Service - ok
13:53:22.0789 4344 Browser (a06ce3399d16db864f55faeb1f1927a9) C:\WINDOWS\System32\browser.dll
13:53:22.0789 4344 Browser - ok
13:53:22.0789 4344 bvrp_pci - ok
13:53:23.0039 4344 catchme - ok
13:53:23.0101 4344 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\DRIVERS\cbidf2k.sys
13:53:23.0164 4344 cbidf - ok
13:53:23.0164 4344 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
13:53:23.0179 4344 cbidf2k - ok
13:53:23.0242 4344 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
13:53:23.0273 4344 CCDECODE - ok
13:53:23.0492 4344 ccHP (3182b846490dc4d71fabd4a8cb6b73ea) C:\WINDOWS\System32\Drivers\NAV\1008030.006\ccHPx86.sys
13:53:23.0523 4344 ccHP - ok
13:53:23.0664 4344 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\system32\DRIVERS\cd20xrnt.sys
13:53:23.0742 4344 cd20xrnt - ok
13:53:23.0804 4344 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
13:53:23.0804 4344 Cdaudio - ok
13:53:23.0851 4344 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
13:53:23.0898 4344 Cdfs - ok
13:53:23.0961 4344 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
13:53:24.0039 4344 Cdrom - ok
13:53:24.0039 4344 Changer - ok
13:53:24.0883 4344 CiSvc (1cfe720eb8d93a7158a4ebc3ab178bde) C:\WINDOWS\system32\cisvc.exe
13:53:24.0930 4344 CiSvc - ok
13:53:24.0961 4344 ClipSrv (34cbe729f38138217f9c80212a2a0c82) C:\WINDOWS\system32\clipsrv.exe
13:53:24.0976 4344 ClipSrv - ok
13:53:25.0336 4344 clr_optimization_v2.0.50727_32 (d87acaed61e417bba546ced5e7e36d9c) c:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
13:53:25.0789 4344 clr_optimization_v2.0.50727_32 - ok
13:53:26.0039 4344 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\system32\DRIVERS\cmdide.sys
13:53:26.0242 4344 CmdIde - ok
13:53:26.0258 4344 COMSysApp - ok
13:53:26.0508 4344 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\system32\DRIVERS\cpqarray.sys
13:53:26.0523 4344 Cpqarray - ok
13:53:26.0586 4344 CryptSvc (3d4e199942e29207970e04315d02ad3b) C:\WINDOWS\System32\cryptsvc.dll
13:53:27.0039 4344 CryptSvc - ok
13:53:27.0398 4344 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\system32\DRIVERS\dac2w2k.sys
13:53:27.0570 4344 dac2w2k - ok
13:53:27.0617 4344 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\system32\DRIVERS\dac960nt.sys
13:53:27.0633 4344 dac960nt - ok
13:53:27.0680 4344 DcomLaunch (6b27a5c03dfb94b4245739065431322c) C:\WINDOWS\system32\rpcss.dll
13:53:27.0899 4344 DcomLaunch - ok
13:53:27.0961 4344 Dhcp (5e38d7684a49cacfb752b046357e0589) C:\WINDOWS\System32\dhcpcsvc.dll
13:53:27.0961 4344 Dhcp - ok
13:53:28.0024 4344 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
13:53:28.0102 4344 Disk - ok
13:53:28.0102 4344 dmadmin - ok
13:53:28.0555 4344 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
13:53:28.0680 4344 dmboot - ok
13:53:28.0789 4344 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
13:53:28.0914 4344 dmio - ok
13:53:28.0945 4344 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
13:53:28.0992 4344 dmload - ok
13:53:29.0086 4344 dmserver (57edec2e5f59f0335e92f35184bc8631) C:\WINDOWS\System32\dmserver.dll
13:53:29.0086 4344 dmserver - ok
13:53:29.0149 4344 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
13:53:29.0149 4344 DMusic - ok
13:53:29.0274 4344 Dnscache (5f7e24fa9eab896051ffb87f840730d2) C:\WINDOWS\System32\dnsrslvr.dll
13:53:29.0274 4344 Dnscache - ok
13:53:29.0336 4344 Dot3svc (0f0f6e687e5e15579ef4da8dd6945814) C:\WINDOWS\System32\dot3svc.dll
13:53:29.0461 4344 Dot3svc - ok
13:53:29.0539 4344 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\system32\DRIVERS\dpti2o.sys
13:53:29.0617 4344 dpti2o - ok
13:53:29.0633 4344 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
13:53:29.0633 4344 drmkaud - ok
13:53:29.0680 4344 E100B (3fca03cbca11269f973b70fa483c88ef) C:\WINDOWS\system32\DRIVERS\e100b325.sys
13:53:29.0977 4344 E100B - ok
13:53:30.0211 4344 e1express (5b75bbf89d8341f424171df7ad9dc465) C:\WINDOWS\system32\DRIVERS\e1e5132.sys
13:53:30.0430 4344 e1express - ok
13:53:30.0492 4344 EapHost (2187855a7703adef0cef9ee4285182cc) C:\WINDOWS\System32\eapsvc.dll
13:53:30.0508 4344 EapHost - ok
13:53:30.0680 4344 eeCtrl (579a6b6135d32b857faf0e3a974535d8) C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
13:53:30.0742 4344 eeCtrl - ok
13:53:31.0102 4344 ehRecvr (d039a0c347632622934906bd59a4e1ea) C:\WINDOWS\eHome\ehRecvr.exe
13:53:31.0117 4344 ehRecvr - ok
13:53:31.0321 4344 ehSched (a53243709439ac2a4c216b817f8d7411) C:\WINDOWS\eHome\ehSched.exe
13:53:31.0321 4344 ehSched - ok
13:53:31.0555 4344 EraserUtilRebootDrv (028d50f059bd0d2ccb209e9011b9a9a4) C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
13:53:31.0774 4344 EraserUtilRebootDrv - ok
13:53:31.0868 4344 ERSvc (bc93b4a066477954555966d77fec9ecb) C:\WINDOWS\System32\ersvc.dll
13:53:31.0868 4344 ERSvc - ok
13:53:31.0914 4344 Eventlog (65df52f5b8b6e9bbd183505225c37315) C:\WINDOWS\system32\services.exe
13:53:31.0914 4344 Eventlog - ok
13:53:32.0039 4344 EventSystem (d4991d98f2db73c60d042f1aef79efae) C:\WINDOWS\system32\es.dll
13:53:32.0055 4344 EventSystem - ok
13:53:33.0602 4344 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
13:53:33.0836 4344 Fastfat - ok
13:53:34.0008 4344 FastUserSwitchingCompatibility (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll
13:53:34.0040 4344 FastUserSwitchingCompatibility - ok
13:53:34.0118 4344 Fax (e97d6a8684466df94ff3bc24fb787a07) C:\WINDOWS\system32\fxssvc.exe
13:53:34.0133 4344 Fax - ok
13:53:34.0196 4344 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
13:53:34.0227 4344 Fdc - ok
13:53:34.0258 4344 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
13:53:34.0258 4344 Fips - ok
13:53:34.0555 4344 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
13:53:34.0680 4344 Flpydisk - ok
13:53:34.0743 4344 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
13:53:34.0790 4344 FltMgr - ok
13:53:35.0024 4344 FontCache3.0.0.0 (8ba7c024070f2b7fdd98ed8a4ba41789) c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
13:53:35.0086 4344 FontCache3.0.0.0 - ok
13:53:35.0165 4344 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
13:53:35.0165 4344 Fs_Rec - ok
13:53:35.0227 4344 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
13:53:35.0477 4344 Ftdisk - ok
13:53:35.0524 4344 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
13:53:35.0665 4344 GEARAspiWDM - ok
13:53:35.0774 4344 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
13:53:36.0008 4344 Gpc - ok
13:53:36.0055 4344 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
13:53:36.0368 4344 HDAudBus - ok
13:53:36.0540 4344 helpsvc (4fcca060dfe0c51a09dd5c3843888bcd) C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll
13:53:36.0555 4344 helpsvc - ok
13:53:36.0805 4344 HidServ (deb04da35cc871b6d309b77e1443c796) C:\WINDOWS\System32\hidserv.dll
13:53:36.0805 4344 HidServ - ok
13:53:36.0930 4344 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
13:53:37.0055 4344 HidUsb - ok
13:53:37.0759 4344 hkmsvc (8878bd685e490239777bfe51320b88e9) C:\WINDOWS\System32\kmsvc.dll
13:53:38.0055 4344 hkmsvc - ok
13:53:38.0321 4344 hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\system32\DRIVERS\hpn.sys
13:53:38.0540 4344 hpn - ok
13:53:38.0602 4344 HPZid412 (9f1d80908658eb7f1bf70809e0b51470) C:\WINDOWS\system32\DRIVERS\HPZid412.sys
13:53:38.0759 4344 HPZid412 - ok
13:53:38.0774 4344 HPZipr12 (f7e3e9d50f9cd3de28085a8fdaa0a1c3) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
13:53:38.0821 4344 HPZipr12 - ok
13:53:38.0946 4344 HPZius12 (cf1b7951b4ec8d13f3c93b74bb2b461b) C:\WINDOWS\system32\DRIVERS\HPZius12.sys
13:53:39.0024 4344 HPZius12 - ok
13:53:39.0071 4344 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
13:53:39.0071 4344 HTTP - ok
13:53:39.0368 4344 HTTPFilter (6100a808600f44d999cebdef8841c7a3) C:\WINDOWS\System32\w3ssl.dll
13:53:39.0602 4344 HTTPFilter - ok
13:53:39.0634 4344 i2omgmt (9368670bd426ebea5e8b18a62416ec28) C:\WINDOWS\system32\drivers\i2omgmt.sys
13:53:39.0665 4344 i2omgmt - ok
13:53:39.0712 4344 i2omp (f10863bf1ccc290babd1a09188ae49e0) C:\WINDOWS\system32\DRIVERS\i2omp.sys
13:53:39.0993 4344 i2omp - ok
13:53:40.0024 4344 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
13:53:40.0040 4344 i8042prt - ok
13:53:40.0806 4344 IAANTMON (b122be74e283a2bc7febc180bfd2efd5) C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
13:53:41.0118 4344 IAANTMON - ok
13:53:41.0384 4344 iaStor (019cf5f31c67030841233c545a0e217a) C:\WINDOWS\system32\drivers\iaStor.sys
13:53:41.0384 4344 iaStor - ok
13:53:42.0368 4344 idsvc (c01ac32dc5c03076cfb852cb5da5229c) c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
13:53:42.0478 4344 idsvc - ok
13:53:42.0743 4344 IDSxpx86 (c924bf6d42b3d9292268ff1998596bd1) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\ipsdefs\20120510.001\IDSxpx86.sys
13:53:43.0149 4344 IDSxpx86 - ok
13:53:43.0743 4344 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
13:53:43.0759 4344 Imapi - ok
13:53:43.0821 4344 ImapiService (30deaf54a9755bb8546168cfe8a6b5e1) C:\WINDOWS\system32\imapi.exe
13:53:43.0837 4344 ImapiService - ok
13:53:44.0118 4344 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\system32\DRIVERS\ini910u.sys
13:53:44.0493 4344 ini910u - ok
13:53:44.0493 4344 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
13:53:44.0728 4344 IntelIde - ok
13:53:44.0775 4344 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
13:53:44.0806 4344 intelppm - ok
13:53:44.0993 4344 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
13:53:45.0150 4344 Ip6Fw - ok
13:53:45.0447 4344 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
13:53:45.0462 4344 IpFilterDriver - ok
13:53:45.0556 4344 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
13:53:45.0603 4344 IpInIp - ok
13:53:45.0697 4344 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
13:53:45.0962 4344 IpNat - ok
13:53:46.0259 4344 iPod Service (8f610078437a459948480407f4db91ea) C:\Program Files\iPod\bin\iPodService.exe
13:53:46.0462 4344 iPod Service - ok
13:53:46.0478 4344 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
13:53:46.0478 4344 IPSec - ok
13:53:46.0978 4344 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
13:53:47.0072 4344 IRENUM - ok
13:53:47.0478 4344 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
13:53:47.0556 4344 isapnp - ok
13:53:47.0681 4344 JavaQuickStarterService (1834c96fb1f9280bcf6ddfa6de8338bf) C:\Program Files\Java\jre6\bin\jqs.exe
13:53:47.0869 4344 JavaQuickStarterService - ok
13:53:47.0884 4344 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
13:53:47.0915 4344 Kbdclass - ok
13:53:47.0931 4344 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
13:53:47.0931 4344 kbdhid - ok
13:53:48.0009 4344 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
13:53:48.0009 4344 kmixer - ok
13:53:48.0103 4344 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
13:53:48.0103 4344 KSecDD - ok
13:53:48.0150 4344 lanmanserver (3a7c3cbe5d96b8ae96ce81f0b22fb527) C:\WINDOWS\System32\srvsvc.dll
13:53:48.0165 4344 lanmanserver - ok
13:53:48.0681 4344 lanmanworkstation (a8888a5327621856c0cec4e385f69309) C:\WINDOWS\System32\wkssvc.dll
13:53:48.0728 4344 lanmanworkstation - ok
13:53:48.0728 4344 lbrtfdc - ok
13:53:48.0853 4344 LmHosts (a7db739ae99a796d91580147e919cc59) C:\WINDOWS\System32\lmhsvc.dll
13:53:48.0884 4344 LmHosts - ok
13:53:49.0775 4344 LMIGuardianSvc (2375e7e01635fbccde2f796a9e078e07) C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
13:53:50.0025 4344 LMIGuardianSvc - ok
13:53:50.0056 4344 LMIInfo (4f69faaabb7db0d43e327c0b6aab40fc) C:\Program Files\LogMeIn\x86\RaInfo.sys
13:53:50.0087 4344 LMIInfo - ok
13:53:50.0212 4344 LMIMaint (b9c127273eaba403311854a8dcb6d0aa) C:\Program Files\LogMeIn\x86\RaMaint.exe
13:53:50.0306 4344 LMIMaint - ok
13:53:50.0416 4344 lmimirr (4477689e2d8ae6b78ba34c9af4cc1ed1) C:\WINDOWS\system32\DRIVERS\lmimirr.sys
13:53:50.0478 4344 lmimirr - ok
13:53:50.0494 4344 LMIRfsClientNP - ok
13:53:50.0509 4344 LMIRfsDriver (3faa563ddf853320f90259d455a01d79) C:\WINDOWS\system32\drivers\LMIRfsDriver.sys
13:53:50.0541 4344 LMIRfsDriver - ok
13:53:50.0650 4344 LogMeIn (432618fa75b61059d2c57d6a7e55147a) C:\Program Files\LogMeIn\x86\LogMeIn.exe
13:53:50.0791 4344 LogMeIn - ok
13:53:50.0900 4344 MBAMProtector (fb097bbc1a18f044bd17bd2fccf97865) C:\WINDOWS\system32\drivers\mbam.sys
13:53:50.0900 4344 MBAMProtector - ok
13:53:51.0087 4344 MBAMService (ba400ed640bca1eae5c727ae17c10207) C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
13:53:51.0166 4344 MBAMService - ok
13:53:51.0416 4344 McrdSvc (df0a511f38f16016bf658fca0090cb87) C:\WINDOWS\ehome\mcrdsvc.exe
13:53:51.0416 4344 McrdSvc - ok
13:53:51.0416 4344 MCSTRM - ok
13:53:51.0509 4344 Messenger (986b1ff5814366d71e0ac5755c88f2d3) C:\WINDOWS\System32\msgsvc.dll
13:53:51.0556 4344 Messenger - ok
13:53:51.0681 4344 MHN (b7521f69c0a9b29d356157229376fb21) C:\WINDOWS\System32\mhn.dll
13:53:51.0728 4344 MHN - ok
13:53:52.0119 4344 MHNDRV (7f2f1d2815a6449d346fcccbc569fbd6) C:\WINDOWS\system32\DRIVERS\mhndrv.sys
13:53:52.0447 4344 MHNDRV - ok
13:53:52.0525 4344 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
13:53:52.0525 4344 mnmdd - ok
13:53:52.0603 4344 mnmsrvc (d18f1f0c101d06a1c1adf26eed16fcdd) C:\WINDOWS\system32\mnmsrvc.exe
13:53:52.0791 4344 mnmsrvc - ok
13:53:53.0885 4344 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
13:53:54.0416 4344 Modem - ok
13:53:54.0494 4344 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
13:53:54.0510 4344 Mouclass - ok
13:53:54.0588 4344 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
13:53:54.0619 4344 mouhid - ok
13:53:54.0635 4344 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
13:53:54.0666 4344 MountMgr - ok
13:53:54.0775 4344 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\system32\DRIVERS\mraid35x.sys
13:53:54.0869 4344 mraid35x - ok
13:53:54.0900 4344 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
13:53:55.0338 4344 MRxDAV - ok
13:53:55.0557 4344 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
13:53:55.0900 4344 MRxSmb - ok
13:53:55.0978 4344 MSDTC (a137f1470499a205abbb9aafb3b6f2b1) C:\WINDOWS\system32\msdtc.exe
13:53:56.0010 4344 MSDTC - ok
13:53:56.0119 4344 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
13:53:56.0119 4344 Msfs - ok
13:53:56.0119 4344 MSIServer - ok
13:53:56.0322 4344 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
13:53:57.0619 4344 MSKSSRV - ok
13:53:57.0650 4344 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
13:53:57.0791 4344 MSPCLOCK - ok
13:53:57.0869 4344 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
13:53:57.0869 4344 MSPQM - ok
13:53:57.0916 4344 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
13:53:57.0916 4344 mssmbios - ok
13:53:58.0213 4344 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
13:53:58.0244 4344 MSTEE - ok
13:53:58.0369 4344 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
13:53:58.0588 4344 Mup - ok
13:53:58.0885 4344 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
13:53:59.0447 4344 NABTSFEC - ok
13:53:59.0713 4344 napagent (0102140028fad045756796e1c685d695) C:\WINDOWS\System32\qagentrt.dll
13:54:00.0041 4344 napagent - ok
13:54:00.0651 4344 NAVENG (862f55824ac81295837b0ab63f91071f) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20120510.033\NAVENG.SYS
13:54:00.0807 4344 NAVENG - ok
13:54:02.0635 4344 NAVEX15 (529d571b551cb9da44237389b936f1ae) C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20120510.033\NAVEX15.SYS
13:54:02.0729 4344 NAVEX15 - ok
13:54:03.0151 4344 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
13:54:03.0323 4344 NDIS - ok
13:54:03.0635 4344 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
13:54:03.0760 4344 NdisIP - ok
13:54:03.0791 4344 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
13:54:03.0807 4344 NdisTapi - ok
13:54:03.0838 4344 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
13:54:03.0838 4344 Ndisuio - ok
13:54:03.0932 4344 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
13:54:03.0932 4344 NdisWan - ok
13:54:04.0229 4344 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
13:54:04.0229 4344 NDProxy - ok
13:54:04.0229 4344 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
13:54:04.0245 4344 NetBIOS - ok
13:54:04.0323 4344 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
13:54:04.0370 4344 NetBT - ok
13:54:04.0432 4344 NetDDE (b857ba82860d7ff85ae29b095645563b) C:\WINDOWS\system32\netdde.exe
13:54:04.0495 4344 NetDDE - ok
13:54:04.0495 4344 NetDDEdsdm (b857ba82860d7ff85ae29b095645563b) C:\WINDOWS\system32\netdde.exe
13:54:04.0495 4344 NetDDEdsdm - ok
13:54:04.0541 4344 Netlogon (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
13:54:04.0541 4344 Netlogon - ok
13:54:04.0620 4344 Netman (13e67b55b3abd7bf3fe7aae5a0f9a9de) C:\WINDOWS\System32\netman.dll
13:54:04.0776 4344 Netman - ok
13:54:05.0276 4344 NetSvc (9da26b773bd04b867a8e9f427cd048fc) C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
13:54:05.0495 4344 NetSvc - ok
13:54:06.0073 4344 NetTcpPortSharing (d34612c5d02d026535b3095d620626ae) c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
13:54:06.0229 4344 NetTcpPortSharing - ok
13:54:06.0432 4344 Nla (943337d786a56729263071623bbb9de5) C:\WINDOWS\System32\mswsock.dll
13:54:06.0432 4344 Nla - ok
13:54:06.0510 4344 Norton AntiVirus (64c89db40949fd0e7c8ff303676a91f1) C:\Program Files\Norton AntiVirus\Engine\16.8.3.6\ccSvcHst.exe
13:54:06.0526 4344 Norton AntiVirus - ok
13:54:06.0573 4344 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
13:54:06.0573 4344 Npfs - ok
13:54:06.0682 4344 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
13:54:06.0995 4344 Ntfs - ok
13:54:07.0120 4344 NtLmSsp (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
13:54:07.0120 4344 NtLmSsp - ok
13:54:07.0182 4344 NtmsSvc (156f64a3345bd23c600655fb4d10bc08) C:\WINDOWS\system32\ntmssvc.dll
13:54:07.0385 4344 NtmsSvc - ok
13:54:07.0432 4344 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
13:54:07.0432 4344 Null - ok
13:54:07.0792 4344 nv (2b298519edbfcf451d43e0f1e8f1006d) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
13:54:08.0026 4344 nv - ok
13:54:08.0667 4344 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
13:54:08.0682 4344 NwlnkFlt - ok
13:54:08.0729 4344 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
13:54:08.0760 4344 NwlnkFwd - ok
13:54:08.0839 4344 ose (7a56cf3e3f12e8af599963b16f50fb6a) C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
13:54:09.0089 4344 ose - ok
13:54:09.0682 4344 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
13:54:09.0714 4344 Parport - ok
13:54:09.0776 4344 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
13:54:09.0792 4344 PartMgr - ok
13:54:09.0823 4344 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
13:54:09.0823 4344 ParVdm - ok
13:54:09.0839 4344 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
13:54:09.0839 4344 PCI - ok
13:54:09.0870 4344 PCIDump - ok
13:54:09.0870 4344 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
13:54:09.0901 4344 PCIIde - ok
13:54:09.0979 4344 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
13:54:10.0011 4344 Pcmcia - ok
13:54:10.0136 4344 PCToolsSSDMonitorSvc (e6e503845208a148a9e3e7faa63b97a4) C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe
13:54:10.0276 4344 PCToolsSSDMonitorSvc - ok
13:54:10.0292 4344 PDCOMP - ok
13:54:10.0292 4344 PDFRAME - ok
13:54:10.0307 4344 PDRELI - ok
13:54:10.0323 4344 PDRFRAME - ok
13:54:10.0370 4344 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\system32\DRIVERS\perc2.sys
13:54:10.0401 4344 perc2 - ok
13:54:10.0542 4344 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\system32\DRIVERS\perc2hib.sys
13:54:10.0573 4344 perc2hib - ok
13:54:10.0667 4344 PlugPlay (65df52f5b8b6e9bbd183505225c37315) C:\WINDOWS\system32\services.exe
13:54:10.0682 4344 PlugPlay - ok
13:54:10.0714 4344 Pml Driver HPZ12 (9d84376931440f3679beef2a414fa493) C:\WINDOWS\system32\HPZipm12.exe
13:54:11.0042 4344 Pml Driver HPZ12 - ok
13:54:11.0261 4344 PolicyAgent (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
13:54:11.0261 4344 PolicyAgent - ok
13:54:11.0323 4344 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
13:54:11.0323 4344 PptpMiniport - ok
13:54:11.0323 4344 ProtectedStorage (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
13:54:11.0339 4344 ProtectedStorage - ok
13:54:11.0370 4344 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
13:54:11.0386 4344 PSched - ok
13:54:11.0417 4344 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
13:54:11.0433 4344 Ptilink - ok
13:54:11.0511 4344 PxHelp20 (7c81ae3c9b82ba2da437ed4d31bc56cf) C:\WINDOWS\system32\Drivers\PxHelp20.sys
13:54:11.0526 4344 PxHelp20 - ok
13:54:11.0745 4344 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\system32\DRIVERS\ql1080.sys
13:54:11.0745 4344 ql1080 - ok
13:54:11.0776 4344 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\system32\DRIVERS\ql10wnt.sys
13:54:11.0776 4344 Ql10wnt - ok
13:54:11.0792 4344 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\system32\DRIVERS\ql12160.sys
13:54:11.0823 4344 ql12160 - ok
13:54:11.0823 4344 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\system32\DRIVERS\ql1240.sys
13:54:11.0839 4344 ql1240 - ok
13:54:11.0839 4344 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\system32\DRIVERS\ql1280.sys
13:54:11.0854 4344 ql1280 - ok
13:54:11.0917 4344 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
13:54:11.0948 4344 RasAcd - ok
13:54:12.0042 4344 RasAuto (ad188be7bdf94e8df4ca0a55c00a5073) C:\WINDOWS\System32\rasauto.dll
13:54:12.0089 4344 RasAuto - ok
13:54:12.0120 4344 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
13:54:12.0136 4344 Rasl2tp - ok
13:54:12.0667 4344 RasMan (76a9a3cbeadd68cc57cda5e1d7448235) C:\WINDOWS\System32\rasmans.dll
13:54:12.0776 4344 RasMan - ok
13:54:12.0948 4344 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
13:54:13.0714 4344 RasPppoe - ok
13:54:13.0745 4344 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
13:54:13.0761 4344 Raspti - ok
13:54:13.0823 4344 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
13:54:13.0839 4344 Rdbss - ok
13:54:13.0870 4344 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
13:54:13.0870 4344 RDPCDD - ok
13:54:13.0901 4344 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
13:54:13.0901 4344 rdpdr - ok
13:54:13.0964 4344 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) C:\WINDOWS\system32\drivers\RDPWD.sys
13:54:14.0089 4344 RDPWD - ok
13:54:14.0214 4344 RDSessMgr (3c37bf86641bda977c3bf8a840f3b7fa) C:\WINDOWS\system32\sessmgr.exe
13:54:14.0276 4344 RDSessMgr - ok
13:54:14.0323 4344 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
13:54:14.0355 4344 redbook - ok
13:54:14.0417 4344 RemoteAccess (7e699ff5f59b5d9de5390e3c34c67cf5) C:\WINDOWS\System32\mprdim.dll
13:54:14.0448 4344 RemoteAccess - ok
13:54:14.0511 4344 RemoteRegistry (5b19b557b0c188210a56a6b699d90b8f) C:\WINDOWS\system32\regsvc.dll
13:54:14.0511 4344 RemoteRegistry - ok
13:54:14.0558 4344 RpcLocator (aaed593f84afa419bbae8572af87cf6a) C:\WINDOWS\system32\locator.exe
13:54:14.0589 4344 RpcLocator - ok
13:54:14.0667 4344 RpcSs (6b27a5c03dfb94b4245739065431322c) C:\WINDOWS\System32\rpcss.dll
13:54:14.0683 4344 RpcSs - ok
13:54:14.0745 4344 RSVP (471b3f9741d762abe75e9deea4787e47) C:\WINDOWS\system32\rsvp.exe
13:54:14.0777 4344 RSVP - ok
13:54:14.0808 4344 SamSs (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
13:54:14.0808 4344 SamSs - ok
13:54:14.0886 4344 SASDIFSV (a3281aec37e0720a2bc28034c2df2a56) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
13:54:14.0902 4344 SASDIFSV - ok
13:54:14.0902 4344 SASENUM (7ce61c25c159f50f9eaf6d77fc83fa35) C:\Program Files\SUPERAntiSpyware\SASENUM.SYS
13:54:14.0948 4344 SASENUM - ok
13:54:14.0995 4344 SASKUTIL (f81ea209a3e43c33f99ff89ebab82d93) C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
13:54:14.0995 4344 SASKUTIL - ok
13:54:15.0073 4344 SCardSvr (86d007e7a654b9a71d1d7d856b104353) C:\WINDOWS\System32\SCardSvr.exe
13:54:15.0448 4344 SCardSvr - ok
13:54:15.0511 4344 Schedule (0a9a7365a1ca4319aa7c1d6cd8e4eafa) C:\WINDOWS\system32\schedsvc.dll
13:54:15.0542 4344 Schedule - ok
13:54:15.0870 4344 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
13:54:15.0933 4344 Secdrv - ok
13:54:16.0027 4344 seclogon (cbe612e2bb6a10e3563336191eda1250) C:\WINDOWS\System32\seclogon.dll
13:54:16.0058 4344 seclogon - ok
13:54:16.0120 4344 SENS (7fdd5d0684eca8c1f68b4d99d124dcd0) C:\WINDOWS\system32\sens.dll
13:54:16.0152 4344 SENS - ok
13:54:16.0214 4344 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
13:54:16.0245 4344 serenum - ok
13:54:16.0355 4344 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
13:54:16.0355 4344 Serial - ok
13:54:16.0573 4344 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
13:54:16.0589 4344 Sfloppy - ok
13:54:16.0714 4344 SharedAccess (83f41d0d89645d7235c051ab1d9523ac) C:\WINDOWS\System32\ipnathlp.dll
13:54:16.0792 4344 SharedAccess - ok
13:54:16.0839 4344 ShellHWDetection (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll
13:54:16.0855 4344 ShellHWDetection - ok
13:54:16.0886 4344 Simbad - ok
13:54:16.0933 4344 sisagp (6b33d0ebd30db32e27d1d78fe946a754) C:\WINDOWS\system32\DRIVERS\sisagp.sys
13:54:16.0964 4344 sisagp - ok
13:54:16.0980 4344 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
13:54:16.0980 4344 SLIP - ok
13:54:17.0105 4344 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys
13:54:17.0370 4344 Sparrow - ok
13:54:17.0433 4344 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
13:54:17.0433 4344 splitter - ok
13:54:17.0464 4344 Spooler (60784f891563fb1b767f70117fc2428f) C:\WINDOWS\system32\spoolsv.exe
13:54:17.0480 4344 Spooler - ok
13:54:17.0511 4344 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
13:54:17.0902 4344 sr - ok
13:54:17.0964 4344 srservice (3805df0ac4296a34ba4bf93b346cc378) C:\WINDOWS\system32\srsvc.dll
13:54:18.0027 4344 srservice - ok
13:54:18.0464 4344 SRTSP (e81f6caeab9ad5732e94c07c97866aa2) C:\WINDOWS\System32\Drivers\NAV\1008030.006\SRTSP.SYS
13:54:18.0558 4344 SRTSP - ok
13:54:18.0699 4344 SRTSPX (e28de499d942b08058bffac69d4122b6) C:\WINDOWS\system32\drivers\NAV\1008030.006\SRTSPX.SYS
13:54:18.0996 4344 SRTSPX - ok
13:54:19.0292 4344 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
13:54:19.0730 4344 Srv - ok
13:54:19.0792 4344 SSDPSRV (0a5679b3714edab99e357057ee88fca6) C:\WINDOWS\System32\ssdpsrv.dll
13:54:19.0792 4344 SSDPSRV - ok
13:54:20.0074 4344 STHDA (0aa91bbe468b3f46072091f18003ecaa) C:\WINDOWS\system32\drivers\sthda.sys
13:54:20.0136 4344 STHDA - ok
13:54:20.0246 4344 stisvc (8bad69cbac032d4bbacfce0306174c30) C:\WINDOWS\system32\wiaservc.dll
13:54:20.0292 4344 stisvc - ok
13:54:20.0417 4344 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
13:54:20.0433 4344 streamip - ok
13:54:20.0464 4344 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
13:54:20.0464 4344 swenum - ok
13:54:20.0496 4344 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
13:54:20.0542 4344 swmidi - ok
13:54:20.0542 4344 SwPrv - ok
13:54:20.0668 4344 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys
13:54:20.0683 4344 symc810 - ok
13:54:20.0964 4344 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys
13:54:21.0277 4344 symc8xx - ok
13:54:21.0699 4344 SymEFA (d0885f6e24259a6c65e68d6ad749910a) C:\WINDOWS\system32\drivers\NAV\1008030.006\SYMEFA.SYS
13:54:22.0183 4344 SymEFA - ok
13:54:22.0261 4344 SymEvent (a54ff04bd6e75dc4d8cb6f3e352635e0) C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
13:54:22.0261 4344 SymEvent - ok
13:54:22.0418 4344 SYMFW (a8c45c36309ee066f9191e511f88ed76) C:\WINDOWS\System32\Drivers\NAV\1008030.006\SYMFW.SYS
13:54:22.0464 4344 SYMFW - ok
13:54:22.0496 4344 SYMIDS (f4db00bc0c25be3e05d4bbb8637cc3a3) C:\WINDOWS\System32\Drivers\NAV\1008030.006\SYMIDS.SYS
13:54:22.0496 4344 SYMIDS - ok
13:54:22.0543 4344 SymIM (c6db9f873b09c63f5cb1de10c08bf6f9) C:\WINDOWS\system32\DRIVERS\SymIM.sys
13:54:22.0574 4344 SymIM - ok
13:54:22.0574 4344 SymIMMP (c6db9f873b09c63f5cb1de10c08bf6f9) C:\WINDOWS\system32\DRIVERS\SymIM.sys
13:54:22.0590 4344 SymIMMP - ok
13:54:22.0840 4344 SYMNDIS (06a8ecfc68d61a26a67f0e96ff1ca9cc) C:\WINDOWS\System32\Drivers\NAV\1008030.006\SYMNDIS.SYS
13:54:22.0840 4344 SYMNDIS - ok
13:54:22.0933 4344 SYMTDI (26bc80ec79d7ba478249c266cbdf17b4) C:\WINDOWS\System32\Drivers\NAV\1008030.006\SYMTDI.SYS
13:54:23.0730 4344 SYMTDI - ok
13:54:23.0746 4344 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys
13:54:23.0996 4344 sym_hi - ok
13:54:24.0027 4344 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys
13:54:24.0246 4344 sym_u3 - ok
13:54:24.0324 4344 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
13:54:24.0324 4344 sysaudio - ok
13:54:24.0465 4344 SysmonLog (c7abbc59b43274b1109df6b24d617051) C:\WINDOWS\system32\smlogsvc.exe
13:54:24.0855 4344 SysmonLog - ok
13:54:25.0168 4344 TapiSrv (3cb78c17bb664637787c9a1c98f79c38) C:\WINDOWS\System32\tapisrv.dll
13:54:25.0168 4344 TapiSrv - ok
13:54:25.0652 4344 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
13:54:25.0683 4344 Tcpip - ok
13:54:25.0730 4344 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
13:54:26.0262 4344 TDPIPE - ok
13:54:26.0293 4344 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
13:54:26.0387 4344 TDTCP - ok
13:54:26.0465 4344 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
13:54:26.0480 4344 TermDD - ok
13:54:26.0590 4344 TermService (ff3477c03be7201c294c35f684b3479f) C:\WINDOWS\System32\termsrv.dll
13:54:26.0809 4344 TermService - ok
13:54:26.0934 4344 Themes (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll
13:54:26.0949 4344 Themes - ok
13:54:26.0980 4344 TlntSvr (db7205804759ff62c34e3efd8a4cc76a) C:\WINDOWS\system32\tlntsvr.exe
13:54:27.0152 4344 TlntSvr - ok
13:54:27.0449 4344 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\system32\DRIVERS\toside.sys
13:54:27.0559 4344 TosIde - ok
13:54:27.0621 4344 TrkWks (55bca12f7f523d35ca3cb833c725f54e) C:\WINDOWS\system32\trkwks.dll
13:54:27.0652 4344 TrkWks - ok
13:54:27.0668 4344 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
13:54:27.0730 4344 Udfs - ok
13:54:27.0777 4344 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys
13:54:27.0809 4344 ultra - ok
13:54:27.0871 4344 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
13:54:27.0934 4344 Update - ok
13:54:28.0059 4344 upnphost (1ebafeb9a3fbdc41b8d9c7f0f687ad91) C:\WINDOWS\System32\upnphost.dll
13:54:28.0105 4344 upnphost - ok
13:54:28.0199 4344 UPS (05365fb38fca1e98f7a566aaaf5d1815) C:\WINDOWS\System32\ups.exe
13:54:28.0215 4344 UPS - ok
13:54:28.0262 4344 USBAAPL (4b8a9c16b6d9258ed99c512aecb8c555) C:\WINDOWS\system32\Drivers\usbaapl.sys
13:54:28.0340 4344 USBAAPL - ok
13:54:28.0574 4344 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
13:54:28.0918 4344 usbaudio - ok
13:54:28.0981 4344 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
13:54:29.0027 4344 usbccgp - ok
13:54:29.0059 4344 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
13:54:29.0106 4344 usbehci - ok
13:54:29.0199 4344 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
13:54:29.0340 4344 usbhub - ok
13:54:29.0434 4344 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
13:54:29.0434 4344 usbprint - ok
13:54:29.0496 4344 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
13:54:29.0496 4344 usbscan - ok
13:54:29.0496 4344 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
13:54:29.0512 4344 USBSTOR - ok
13:54:29.0527 4344 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
13:54:29.0543 4344 usbuhci - ok
13:54:29.0606 4344 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
13:54:29.0606 4344 VgaSave - ok
13:54:29.0652 4344 viaagp (754292ce5848b3738281b4f3607eaef4) C:\WINDOWS\system32\DRIVERS\viaagp.sys
13:54:29.0668 4344 viaagp - ok
13:54:29.0684 4344 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
13:54:29.0684 4344 ViaIde - ok
13:54:29.0715 4344 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
13:54:29.0762 4344 VolSnap - ok
13:54:30.0043 4344 VSS (7a9db3a67c333bf0bd42e42b8596854b) C:\WINDOWS\System32\vssvc.exe
13:54:30.0418 4344 VSS - ok
13:54:30.0496 4344 w32time (54af4b1d5459500ef0937f6d33b1914f) C:\WINDOWS\system32\w32time.dll
13:54:30.0559 4344 w32time - ok
13:54:30.0606 4344 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
13:54:30.0606 4344 Wanarp - ok
13:54:30.0668 4344 WDC_SAM (d6efaf429fd30c5df613d220e344cce7) C:\WINDOWS\system32\DRIVERS\wdcsam.sys
13:54:30.0715 4344 WDC_SAM - ok
13:54:31.0059 4344 WDDMService (300b4847e1157bdd7a306b18ed65a97e) C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe
13:54:31.0340 4344 WDDMService - ok
13:54:31.0356 4344 WDICA - ok
13:54:31.0371 4344 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
13:54:31.0371 4344 wdmaud - ok
13:54:31.0465 4344 WDSmartWareBackgroundService (138ab06adbbf300aa804d7974a5aec82) C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe
13:54:31.0465 4344 WDSmartWareBackgroundService - ok
13:54:31.0559 4344 WebClient (77a354e28153ad2d5e120a5a8687bc06) C:\WINDOWS\System32\webclnt.dll
13:54:31.0606 4344 WebClient - ok
13:54:31.0731 4344 winmgmt (2d0e4ed081963804ccc196a0929275b5) C:\WINDOWS\system32\wbem\WMIsvc.dll
13:54:31.0965 4344 winmgmt - ok
13:54:32.0184 4344 WmdmPmSN (c51b4a5c05a5475708e3c81c7765b71d) C:\WINDOWS\system32\MsPMSNSv.dll
13:54:32.0231 4344 WmdmPmSN - ok
13:54:32.0465 4344 Wmi (e76f8807070ed04e7408a86d6d3a6137) C:\WINDOWS\System32\advapi32.dll
13:54:32.0559 4344 Wmi - ok
13:54:32.0621 4344 WmiApSrv (e0673f1106e62a68d2257e376079f821) C:\WINDOWS\system32\wbem\wmiapsrv.exe
13:54:32.0653 4344 WmiApSrv - ok
13:54:32.0700 4344 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\Drivers\wpdusb.sys
13:54:32.0731 4344 WpdUsb - ok
13:54:32.0887 4344 wscsvc (7c278e6408d1dce642230c0585a854d5) C:\WINDOWS\system32\wscsvc.dll
13:54:32.0887 4344 wscsvc - ok
13:54:32.0918 4344 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
13:54:32.0950 4344 WSTCODEC - ok
13:54:33.0028 4344 wuauserv (35321fb577cdc98ce3eb3a3eb9e4610a) C:\WINDOWS\system32\wuauserv.dll
13:54:33.0043 4344 wuauserv - ok
13:54:33.0106 4344 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
13:54:33.0246 4344 WudfPf - ok
13:54:33.0293 4344 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
13:54:33.0434 4344 WudfRd - ok
13:54:33.0528 4344 WudfSvc (05231c04253c5bc30b26cbaae680ed89) C:\WINDOWS\System32\WUDFSvc.dll
13:54:33.0528 4344 WudfSvc - ok
13:54:33.0700 4344 WZCSVC (81dc3f549f44b1c1fff022dec9ecf30b) C:\WINDOWS\System32\wzcsvc.dll
13:54:33.0746 4344 WZCSVC - ok
13:54:33.0809 4344 xmlprov (295d21f14c335b53cb8154e5b1f892b9) C:\WINDOWS\System32\xmlprov.dll
13:54:33.0934 4344 xmlprov - ok
13:54:34.0012 4344 MBR (0x1B8) (1f753b395539269a3484aecd505b79bd) \Device\Harddisk0\DR0
13:54:34.0106 4344 \Device\Harddisk0\DR0 ( Rootkit.Boot.Sinowal.b ) - infected
13:54:34.0106 4344 \Device\Harddisk0\DR0 - detected Rootkit.Boot.Sinowal.b (0)
13:54:34.0325 4344 Boot (0x1200) (8710d73d0e8dfde59d12630ee99dfff2) \Device\Harddisk0\DR0\Partition0
13:54:34.0325 4344 \Device\Harddisk0\DR0\Partition0 - ok
13:54:34.0325 4344 ============================================================
13:54:34.0325 4344 Scan finished
13:54:34.0325 4344 ============================================================
13:54:34.0340 4336 Detected object count: 1
13:54:34.0340 4336 Actual detected object count: 1
13:55:01.0514 4336 \Device\Harddisk0\DR0\# - copied to quarantine
13:55:01.0545 4336 \Device\Harddisk0\DR0 - copied to quarantine
13:55:02.0170 4336 \Device\Harddisk0\DR0 ( Rootkit.Boot.Sinowal.b ) - will be cured on reboot
13:55:02.0248 4336 \Device\Harddisk0\DR0 - ok
13:55:02.0248 4336 \Device\Harddisk0\DR0 ( Rootkit.Boot.Sinowal.b ) - User select action: Cure
13:55:07.0045 5056 Deinitialize success

#4
Elise

Posted 11 May 2012 - 01:24 PM

Forum Deity

Experts
8,720 posts

Gender:Female
Location:Romania

I'm glad to hear that, however, this is a nasty rootkit. While its main component is gone, please read the following information before continuing the cleaning process.

BACKDOOR WARNING
------------------------------
One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advice you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.

Please download HelpAsst_mebroot_fix.exe and save it to your desktop.
Close out all other open programs and windows.
Double click the file to run it and follow any prompts.
If the tool detects an mbr infection, please allow it to run mbr -f and shutdown your computer.
Upon restarting, please wait about 5 minutes, click Start>Run and type the following bolded command, then hit Enter.

helpasst -mbrt

Make sure you leave a space between helpasst and -mbrt !
When it completes, a log will open.
Please post the contents of that log.

*In the event the tool does not detect an mbr infection and completes, click Start>Run and type the following bolded command, then hit Enter.

mbr -f

Now, please do the Start>Run>mbr -f command a second time.
Now shut down the computer (do not restart, but shut it down), wait a few minutes then start it back up.
Give it about 5 minutes, then click Start>Run and type the following bolded command, then hit Enter.

helpasst -mbrt

Make sure you leave a space between helpasst and -mbrt !
When it completes, a log will open.
Please post the contents of that log.

**Important note to Dell users - fixing the mbr may prevent access the the Dell Restore Utility, which allows you to press a key on startup and revert your computer to a factory delivered state. There are a couple of known fixes for said condition, though the methods are somewhat advanced. If you are unwilling to take such a risk, you should not allow the tool to execute mbr -f nor execute the command manually, and you will either need to restore your computer to a factory state or allow your computer to remain having an infected mbr (the latter not recommended).

regards, Elise

If I am helping you and I haven't replied within 24 hours, please feel free to send me a PM.

#5
mjzraz

Posted 06 June 2012 - 01:54 AM

New Member

Members
17 posts

Elise, on 11 May 2012 - 01:24 PM, said:

I'm glad to hear that, however, this is a nasty rootkit. While its main component is gone, please read the following information before continuing the cleaning process. BACKDOOR WARNING ------------------------------ One or more of the identified infections is known to use a backdoor. This allows hackers to remotely control your computer, steal critical system information and download and execute files. I would advice you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation. Though the infection has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information: How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud? When Should I Format, How Should I Reinstall We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps. Please download HelpAsst_mebroot_fix.exe and save it to your desktop. Close out all other open programs and windows. Double click the file to run it and follow any prompts. If the tool detects an mbr infection, please allow it to run mbr -f and shutdown your computer. Upon restarting, please wait about 5 minutes, click Start>Run and type the following bolded command, then hit Enter. helpasst -mbrt Make sure you leave a space between helpasst and -mbrt ! When it completes, a log will open. Please post the contents of that log. *In the event the tool does not detect an mbr infection and completes, click Start>Run and type the following bolded command, then hit Enter. mbr -f Now, please do the Start>Run>mbr -f command a second time. Now shut down the computer (do not restart, but shut it down), wait a few minutes then start it back up. Give it about 5 minutes, then click Start>Run and type the following bolded command, then hit Enter. helpasst -mbrt Make sure you leave a space between helpasst and -mbrt ! When it completes, a log will open. Please post the contents of that log. **Important note to Dell users - fixing the mbr may prevent access the the Dell Restore Utility, which allows you to press a key on startup and revert your computer to a factory delivered state. There are a couple of known fixes for said condition, though the methods are somewhat advanced. If you are unwilling to take such a risk, you should not allow the tool to execute mbr -f nor execute the command manually, and you will either need to restore your computer to a factory state or allow your computer to remain having an infected mbr (the latter not recommended).

Why are the same commands run even if there is no detected infection?
I have a Dell computer - when you say there are a couple of known fixes - are they fixes for restoring the system so it can be recovered. I think there is a partition on the hard drive that allows me to re-image the computer back to factory state. Is this what breaks when running mbr -f ?

#6
Elise

Posted 06 June 2012 - 02:38 AM

Forum Deity

Experts
8,720 posts

Gender:Female
Location:Romania

It depends a bit, but yes, that might be broken. that doesn't mean the information is lost though, it does mean however that it might be difficult to access the recovery image (you would have to manually alter the partition table to set it to boot straight into recovery if you wanted that). If you have a Dell reinstall CD there is no need to worry about that though.

This is a tricky infection and sometimes the command does not outright detect the infection. It is also possible that the main components is not there, however other parts are still present and need to be removed (which will be done by this tool).

regards, Elise

If I am helping you and I haven't replied within 24 hours, please feel free to send me a PM.

#7
mjzraz

Posted 06 June 2012 - 07:21 AM

New Member

Members
17 posts

Thanks - So I guess I should run the tool.
This Dell didn't come with any CDs it's all on a recovery partition. I suppose I am willing to risk breaking that to further ensure getting rid of this infection. Worst case I can use an XP Dell CD and re-install Office from CD

#8
Elise

Posted 06 June 2012 - 07:53 AM

Forum Deity

Experts
8,720 posts

Gender:Female
Location:Romania

Yes, usually nothing goes wrong with it, this is merely a warning for users who see a fix posted somewhere and decide to try out things on their own.

With this infection the risks are a lot bigger just leaving things as they are than risking to lose access to a recovery partition (which can always be manually restored).

regards, Elise

If I am helping you and I haven't replied within 24 hours, please feel free to send me a PM.

#9
mjzraz

Posted 07 June 2012 - 01:17 AM

New Member

Members
17 posts

<p>here is the helpasst.log:</p>
<p> </p>
<div>C:\Documents and Settings\tjmakes\Desktop\HelpAsst_mebroot_fix.exe</div>
<div>Wed 06/06/2012 at 1:36:49.98</div>
<div> </div>
<div>HelpAssistant account Inactive</div>
<div> </div>
<div> ~~ Checking for termsrv32.dll ~~</div>
<div> </div>
<div>termsrv32.dll not found</div>
<div> </div>
<div> ~~ Checking firewall ports ~~</div>
<div> </div>
<div>HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\globallyopenports\list</div>
<div> </div>
<div>HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\globallyopenports\list</div>
<div> </div>
<div> ~~ Checking profile list ~~</div>
<div> </div>
<div>No HelpAssistant profile in registry</div>
<div> </div>
<div> ~~ Checking mbr ~~</div>
<div> </div>
<div>user & kernel MBR OK</div>
<div> </div>
<div> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~</div>
<div> </div>
<div>Status check on Thu 06/07/2012 at 2:15:15.59</div>
<div> </div>
<div>Account active No</div>
<div>Local Group Memberships </div>
<div> </div>
<div> ~~ Checking mbr ~~</div>
<div> </div>
<div>Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net</div>
<div> </div>
<div>device: opened successfully</div>
<div>user: MBR read successfully</div>
<div>called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll </div>
<div>kernel: MBR read successfully</div>
<div>user & kernel MBR OK </div>
<div>copy of MBR has been found in sector 0x012A050FC </div>
<div>malicious code @ sector 0x012A050FF !</div>
<div> </div>
<div> ~~ Checking for termsrv32.dll ~~</div>
<div> </div>
<div>termsrv32.dll not found</div>
<div> </div>
<div> </div>
<div>HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters</div>
<div> ServiceDll<span class="Apple-tab-span" style="white-space:pre"> </span>REG_EXPAND_SZ <span class="Apple-tab-span" style="white-space:pre"> </span>%systemroot%\System32\termsrv.dll</div>
<div> </div>
<div> ~~ Checking profile list ~~</div>
<div> </div>
<div>No HelpAssistant profile in registry</div>
<div> </div>
<div> ~~ Checking for HelpAssistant directories ~~</div>
<div> </div>
<div>none found</div>
<div> </div>
<div> ~~ Checking firewall ports ~~</div>
<div> </div>
<div>[HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\GloballyOpenPorts\List]</div>
<div> </div>
<div>[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]</div>
<div> </div>
<div> </div>
<div> ~~ EOF ~~</div>
<div> </div>

#10
mjzraz

Posted 07 June 2012 - 01:19 AM

New Member

Members
17 posts

let me try again:

Quote

C:\Documents and Settings\tjmakes\Desktop\HelpAsst_mebroot_fix.exe
Wed 06/06/2012 at 1:36:49.98
HelpAssistant account Inactive
~~ Checking for termsrv32.dll ~~
termsrv32.dll not found
~~ Checking firewall ports ~~
HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\globallyopenports\list
HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\globallyopenports\list
~~ Checking profile list ~~
No HelpAssistant profile in registry
~~ Checking mbr ~~
user & kernel MBR OK
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Status check on Thu 06/07/2012 at 2:15:15.59
Account active No
Local Group Memberships
~~ Checking mbr ~~
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x012A050FC
malicious code @ sector 0x012A050FF !
~~ Checking for termsrv32.dll ~~
termsrv32.dll not found

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %systemroot%\System32\termsrv.dll
~~ Checking profile list ~~
No HelpAssistant profile in registry
~~ Checking for HelpAssistant directories ~~
none found
~~ Checking firewall ports ~~
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\GloballyOpenPorts\List]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

~~ EOF ~~

#11
Elise

Posted 07 June 2012 - 04:54 AM

Forum Deity

Experts
8,720 posts

Gender:Female
Location:Romania

Hi, that looks good, fortunately the infection was no longer completely active.

COMBOFIX
---------------
Please download ComboFix from one of these locations:

Bleepingcomputer

ForoSpyware

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
Double click on Combofix.exe and follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue it's malware removal procedures.

Posted Image

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\Combofix.txt in your next reply.

regards, Elise

If I am helping you and I haven't replied within 24 hours, please feel free to send me a PM.

#12
mjzraz

Posted 08 June 2012 - 06:05 PM

New Member

Members
17 posts

Here is the combofix log:

Quote

ComboFix 12-06-08.02 - tjmakes 06/08/2012 18:25:27.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.305 [GMT -4:00]
Running from: c:\documents and settings\tjmakes\Desktop\ComboFix.exe
AV: Norton AntiVirus *Disabled/Updated* {E10A9785-9598-4754-B552-92431C1C35F8}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\tjmakes\Application Data\8E3EFC
c:\documents and settings\tjmakes\GoToAssistDownloadHelper.exe
c:\documents and settings\tjmakes\My Documents\~WRL0189.tmp
c:\documents and settings\tjmakes\My Documents\~WRL0599.tmp
c:\documents and settings\tjmakes\My Documents\~WRL1195.tmp
c:\documents and settings\tjmakes\My Documents\~WRL1215.tmp
c:\documents and settings\tjmakes\My Documents\~WRL1216.tmp
c:\documents and settings\tjmakes\My Documents\~WRL1234.tmp
c:\documents and settings\tjmakes\My Documents\~WRL1338.tmp
c:\documents and settings\tjmakes\My Documents\~WRL1478.tmp
c:\documents and settings\tjmakes\My Documents\~WRL1836.tmp
c:\documents and settings\tjmakes\My Documents\~WRL1862.tmp
c:\documents and settings\tjmakes\My Documents\~WRL2023.tmp
c:\documents and settings\tjmakes\My Documents\~WRL2275.tmp
c:\documents and settings\tjmakes\My Documents\~WRL2389.tmp
c:\documents and settings\tjmakes\My Documents\~WRL2956.tmp
c:\documents and settings\tjmakes\My Documents\~WRL3063.tmp
c:\documents and settings\tjmakes\My Documents\~WRL3697.tmp
c:\documents and settings\tjmakes\My Documents\~WRL3789.tmp
c:\documents and settings\tjmakes\My Documents\~WRL3861.tmp
c:\documents and settings\tjmakes\My Documents\~WRL3990.tmp
c:\documents and settings\tjmakes\My Documents\~WRL4098.tmp
c:\documents and settings\tjmakes\WINDOWS
c:\windows\TEMP\nscC8.tmp\MBR.DAT
c:\windows\TEMP\nscC8.tmp\System.dll
.
.
((((((((((((((((((((((((( Files Created from 2012-05-08 to 2012-06-08 )))))))))))))))))))))))))))))))
.
.
2012-06-08 22:22 . 2012-06-08 22:22 592824 ----a-w- c:\program files\Mozilla Firefox\gkmedias.dll
2012-06-08 22:22 . 2012-06-08 22:22 44472 ----a-w- c:\program files\Mozilla Firefox\mozglue.dll
2012-06-06 05:36 . 2012-06-06 05:35 476960 ----a-w- c:\windows\system32\npdeployJava1.dll
2012-06-06 05:31 . 2012-06-06 06:04 419488 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-06-06 05:31 . 2012-06-06 06:04 70304 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-06-05 12:42 . 2012-06-05 12:42 -------- d-----w- C:\HelpAsst_backup
2012-05-12 07:12 . 2012-01-11 19:06 3072 ------w- c:\windows\system32\iacenc.dll
2012-05-12 07:12 . 2012-01-11 19:06 3072 ------w- c:\windows\system32\dllcache\iacenc.dll
2012-05-11 17:54 . 2012-05-11 17:54 -------- d-----w- C:\TDSSKiller_Quarantine
2012-05-11 00:22 . 2012-06-07 06:16 -------- d-----w- C:\cf
2012-05-10 23:48 . 2012-06-08 00:29 -------- d-----w- c:\documents and settings\LogMeInRemoteUser
2012-05-10 02:29 . 2012-05-10 02:29 711240 ----a-w- c:\windows\is-AV3HJ.exe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-06-06 05:36 . 2006-03-07 13:42 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-06-06 05:35 . 2010-04-15 01:56 472864 ----a-w- c:\windows\system32\deployJava1.dll
2012-05-31 13:22 . 2005-08-16 10:18 599040 ----a-w- c:\windows\system32\crypt32.dll
2012-05-21 17:46 . 2010-05-05 11:30 83360 ----a-w- c:\windows\system32\LMIRfsClientNP.dll
2012-05-21 17:46 . 2010-05-05 11:30 52096 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\LMIproc.dll
2012-05-21 17:46 . 2010-05-05 11:30 30592 ----a-w- c:\windows\system32\LMIport.dll
2012-05-21 17:46 . 2010-05-05 11:30 87424 ----a-w- c:\windows\system32\LMIinit.dll
2012-04-11 13:14 . 2005-08-16 10:18 2148352 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-04-11 13:12 . 2005-08-16 10:18 1862272 ----a-w- c:\windows\system32\win32k.sys
2012-04-11 12:35 . 2004-08-04 04:59 2026496 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-04-04 19:56 . 2009-04-06 23:48 22344 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-06-08 22:22 . 2012-01-24 01:45 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"pronto"="c:\program files\Wimba\Pronto\pronto.exe" [2010-04-13 15319688]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"SigmatelSysTrayApp"="stsystra.exe" [2006-02-10 282624]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-06 344064]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-04 221184]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-04-04 462408]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-08-11 63048]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
.
c:\documents and settings\tjmakes\Start Menu\Programs\Startup\
startup.lnk - c:\program files\hook\myhook.exe [2009-3-31 856882]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Event Planner Reminders Tray Icon.lnk - c:\sierra\Planner\PLNRnote.exe [2009-6-11 172032]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-11 282624]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2005-5-12 73728]
WDDMStatus.lnk - c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe [2009-8-17 2043904]
WDSmartWare.lnk - c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWare.exe [2009-8-17 8919040]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2012-05-21 17:46 87424 ----a-w- c:\windows\system32\LMIinit.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1008030.006\SymEFA.sys [10/10/2011 8:45 PM 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\NAV\1008030.006\BHDrvx86.sys [10/10/2011 8:45 PM 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NAV\1008030.006\cchpx86.sys [10/10/2011 8:45 PM 467592]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20120607.001\IDSXpx86.sys [6/7/2012 6:49 PM 356792]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2010 11:15 AM 61440]
R2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [2/27/2011 2:56 PM 374152]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [8/11/2008 12:41 PM 12856]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [4/6/2009 7:48 PM 654408]
R2 Norton AntiVirus;Norton AntiVirus;c:\program files\Norton AntiVirus\Engine\16.8.3.6\ccSvcHst.exe [10/10/2011 8:45 PM 117648]
R2 PCToolsSSDMonitorSvc;PC Tools Startup and Shutdown Monitor service;c:\program files\Common Files\PC Tools\sMonitor\StartManSvc.exe [2/16/2011 9:23 PM 583640]
R2 WDDMService;WD SmartWare Drive Manager;c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe [8/17/2009 10:52 AM 98304]
R2 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe [6/16/2009 9:58 AM 20480]
R3 atinewp2;ATI eHomeWonder, WDM Video CODEC;c:\windows\system32\drivers\atinewp2.sys [3/27/2009 12:57 PM 485888]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [6/5/2012 2:20 AM 106656]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [4/6/2009 7:48 PM 22344]
S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [6/6/2012 1:31 AM 257696]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2010 11:15 AM 12872]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [5/6/2008 4:06 PM 11520]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
Contents of the 'Scheduled Tasks' folder
.
2012-06-08 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-06-06 06:04]
.
2012-06-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]
.
2012-06-07 c:\windows\Tasks\RMSchedule.job
- c:\program files\Registry Mechanic\RegMech.exe [2011-02-17 13:46]
.
2012-06-08 c:\windows\Tasks\RMSmartUpdate.job
- c:\program files\Registry Mechanic\Update.exe [2011-02-17 13:46]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
TCP: DhcpNameServer = 192.168.1.1 71.242.0.12
FF - ProfilePath - c:\documents and settings\tjmakes\Application Data\Mozilla\Firefox\Profiles\ex69fmbj.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.alot.com/web?&src_id=12190&client_id=176448126eb8180a965b1d64&camp_id=2533&install_time=2011-05-21T01:15Z&tb_version=2.4.16500%28F%29&pr=auto&q=
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
AddRemove-Toyland - D:\setup.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-06-08 18:43
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Norton AntiVirus]
"ImagePath"="\"c:\program files\Norton AntiVirus\Engine\16.8.3.6\ccSvcHst.exe\" /s \"Norton AntiVirus\" /m \"c:\program files\Norton AntiVirus\Engine\16.8.3.6\diMaster.dll\" /prefetch:1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(980)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll
.
- - - - - - - > 'explorer.exe'(2988)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\LogMeIn\x86\RaMaint.exe
c:\program files\LogMeIn\x86\LogMeIn.exe
c:\windows\system32\HPZipm12.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\wscntfy.exe
c:\windows\stsystra.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
c:\program files\HP\Digital Imaging\bin\hpqimzone.exe
.
**************************************************************************
.
Completion time: 2012-06-08 18:49:02 - machine was rebooted
ComboFix-quarantined-files.txt 2012-06-08 22:48
ComboFix2.txt 2010-04-21 02:52
.
Pre-Run: 40,133,505,024 bytes free
Post-Run: 44,190,363,648 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
.
- - End Of File - - FF4B21C8B85F585DA13C78D4849A9687

#13
Elise

Posted 09 June 2012 - 03:04 AM

Forum Deity

Experts
8,720 posts

Gender:Female
Location:Romania

Hi, that is looking quite good!

Do you have any problem left at this point?

Your version of Adobe Reader is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Adobe components and update:

Download the latest version of Adobe Reader Version X. and save it to your desktop.
Uncheck the "Free McAfee Security plan Plus" option or any other Toolbar you are offered
Click the download button at the bottom.
If you use Internet Explorer and do not wish to install the ActiveX element, simply click on the click here to download link on the next page.
Remove all older version of Adobe Reader: Go to Add/remove and uninstall all versions of Adobe Reader, Acrobat Reader and Adobe Acrobat.
If you are unsure of how to use Add or Remove Programs, the please see this tutorial:How To Remove An Installed Program From Your Computer
Then from your desktop double-click on Adobe Reader to install the newest version.
If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
When the "Adobe Setup - Welcome" window opens, click the Install > button.
If offered to install a Toolbar, just uncheck the box before continuing unless you want it.

Your Adobe Reader is now up to date!

Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system.

Download the latest version of Java Runtime Environment (JRE) Version 7u4.
Look for "JDK 7u4 (JDK or JRE).
Click the "Download JRE" button at the right.
Read the License Agreement, and then check the box that says: "Accept License Agreement".
- Select "Windows x86 Offline" and click on jre-7-windows-i586.exe
Save it to your desktop
Close any programs you may have running - especially your web browser.
Uninstall all older versions of Java (any item with Java Runtime Environment, JRE or J2SE in the name).
Reboot your computer once all Java components are removed.
Install the newest version by double clicking (run as Administrator for Windows Vista/Seven) the downloaded file.

Finally, please launch MBAM, update it and run a full scan. Post me the resulting log.

regards, Elise

If I am helping you and I haven't replied within 24 hours, please feel free to send me a PM.

#14
mjzraz

Posted 09 June 2012 - 03:21 PM

New Member

Members
17 posts

Elise, on 09 June 2012 - 03:04 AM, said:

Hi, that is looking quite good!

Do you have any problem left at this point?

No, I would say it's running fine. Thanks for all the help!

Elise, on 09 June 2012 - 03:04 AM, said:

Your version of [b]Adobe Reader is out of date

This has been updated.

Elise, on 09 June 2012 - 03:04 AM, said:

Your version of Java is out of date.

This has been updated.

Elise, on 09 June 2012 - 03:04 AM, said:

Finally, please launch MBAM, update it and run a full scan. Post me the resulting log.

Updated and here is the log:

Quote

Malwarebytes Anti-Malware (PRO) 1.61.0.1400
www.malwarebytes.org

Database version: v2012.06.09.05

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
tjmakes :: D4Z3MZ81 [administrator]

Protection: Enabled

6/9/2012 1:11:56 PM
mbam-log-2012-06-09 (13-11-56).txt

Scan type: Full scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 398429
Time elapsed: 1 hour(s), 10 minute(s), 19 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

#15
Elise

Posted 10 June 2012 - 01:14 AM

Forum Deity

Experts
8,720 posts

Gender:Female
Location:Romania

That looks excellent!

ALL CLEAN
--------------
Your machine appears to be clean, please take the time to read below on how to secure the machine and take the necessary steps to keep it clean

Please do the following to remove the remaining programs from your PC:

Delete the tools used during the disinfection:
- Press windows key + r on your keyboard at the same time. In the run box type combofix /uninstall, then press OK.
- This will remove Combofix and other tools we used from your computer.
You can delete any other tool or log by simply deleting them.

Please read the following advice on how to prevent reinfecting your PC:

Install and update the following programs regularly:
- an outbound firewall. If you are connected to the internet through a router, you are already behind a hardware firewall and as such you do not need an extra software firewall.
  A comprehensive tutorial and a list of possible firewalls can be found here.
- an AntiVirus Software
  It is imperative that you update your AntiVirus Software on regular basis.If you do not update your AntiVirus Software then it will not be able to catch the latest threats.
- an Anti-Spyware program
  Malware Byte's Anti Malware is an excellent Anti-Spyware scanner. It's scan times are usually under ten minutes, and has excellent detection and removal rates.
  SUPERAntiSpyware is another good scanner with high detection and removal rates.
  Both programs are free for non commercial home use but provide a resident and do not nag if you purchase the paid versions.
- Spyware Blaster
  A tutorial for Spywareblaster can be found here. If you wish, the commercial version provides automatic updating.
Keep Windows (and your other Microsoft software) up to date!
I cannot stress how important this is enough. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.
Therefore, please, visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!
Keep your other software up to date as well
Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out of date software on yourmachine.
Stay up to date!
The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing.

Some more links you might find of interest:

Miekies' prevention suggestions
So How did I get infected?
Microsoft - 'Security at home'
Calendar of Updates: See which updates have been released.
How to backup your Data with Cobian Backup:because you never know, when your harddisk might fail :wink:
Commonly Used Freeware Replacements: a nice list of freeware programs in all categories, that are regarded as useful by the users of this forum.
osalt: Find (free) open source alternatives to known commercial software.

Please reply to this topic if you have read the above information. If your computer is working fine, this topic will be closed afterwards.

regards, Elise

If I am helping you and I haven't replied within 24 hours, please feel free to send me a PM.

#16
mjzraz

Posted 12 June 2012 - 10:00 PM

New Member

Members
17 posts

Thanks for all your help - you are very much appreciated.

#17
Elise

Posted 13 June 2012 - 05:57 AM

Forum Deity

Experts
8,720 posts

Gender:Female
Location:Romania

You are most welcome!

I will request this topic to be closed.

regards, Elise

If I am helping you and I haven't replied within 24 hours, please feel free to send me a PM.

#18
LDTate

Posted 13 June 2012 - 06:48 AM

Forum Deity

Moderators
20,104 posts

Gender:Male
Location:Missouri, USA

Since this issue is resolved I will close the thread to prevent others from posting here. If you need assistance please start your own topic and someone will be happy to assist you.

Larry Tate
Consumer Support Specialist

Back to Resolved HijackThis Logs · Next Unread Topic →

1 user(s) are reading this topic

0 members, 1 guests, 0 anonymous users

Malwarebytes