
Malwarebytes

a nasty bug - please help


39 replies to this topic

#1
ranon

    New Member

I seem to have caught a nasty virus/trojan.

First, a process vbc.exe was created which tried to access the internet. Norton Internet Security caught it repeatedly as Cycbot activity. I blocked that process from the internet through NIS, but further infections came along.

Files b38.exe and b38.tmp were created in %appdata%\microsoft\99B3. After I deleted them once, they never returned.

Other strange errors keep popping up. The processor is always active at 10-40%, even though nothing is running. Memory usage is much higher than the sum of all processes (by about 300 MB).

Please help,

Rishi

The DDS and Attach logs are copied into this post.
The Malwarebytes scan log gave 3 errors. The log is copied below.

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_29
Run by Arvind Raje at 13:15:48 on 2012-02-24
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.91.1033.18.2037.859 [GMT 5.5:30]
.
AV: Norton Internet Security *Disabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Norton Internet Security *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
FW: Norton Internet Security *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\tools\Advanced SystemCare 5\ASCService.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\System32\bgsvcgen.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files\Norton Internet Security\Engine\18.7.0.13\ccSvcHst.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\System32\PAStiSvc.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Reliance Netconnect - Broadband+\bin\MonServiceUDisk.exe
C:\Program Files\Vongo\VongoService.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Norton Internet Security\Engine\18.7.0.13\ccSvcHst.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\DllHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Google\Update\1.3.21.99\GoogleCrashHandler.exe
C:\Windows\system32\spool\DRIVERS\W32X86\3\HP1006MC.EXE
C:\Program Files\Apoint2K\Apoint.exe
C:\Windows\System32\hkcmd.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCtrl.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Users\Arvind Raje\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Apoint2K\ApMsgFwd.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Program Files\Reliance Netconnect - Broadband+\bin\App.exe
C:\Windows\system32\WUDFHost.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\taskmgr.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://securityresponse.symantec.com/avcenter/fix_homepage
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_IN&c=73&bd=PRESARIO&pf=laptop
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_IN&c=73&bd=PRESARIO&pf=laptop
uInternet Settings,ProxyServer = http=127.0.0.1:58384
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\18.7.0.13\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\18.7.0.13\ips\IPSBHO.DLL
BHO: RoboForm BHO: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~3\office12\GRA8E1~1.DLL
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Google Gears Helper: {e0fefe40-fbf9-42ae-ba58-794ca7e3fb53} - c:\program files\google\google gears\internet explorer\0.5.36.0\gears.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Copernic Desktop Search - Home Toolbar: {4a1c6093-14f9-44d7-860e-5d265cfca9d9} - c:\program files\copernic desktop search - home\toolbar\ToolbarContainer101000313.dll
TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\18.7.0.13\coIEPlg.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
EB: Copernic Desktop Search - Home Toolbar: {4a1c6093-14f9-44d7-860e-5d265cfca9d9} - c:\program files\copernic desktop search - home\toolbar\ToolbarContainer101000313.dll
EB: Copernic Desktop Search - Home: {9c3fca1f-99e3-48f2-a7f4-dd3931b2f99a} - c:\program files\copernic desktop search - home\DeskbandIntegration302020007.dll
uRun: [Google Update] "c:\users\arvind raje\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [Apoint] c:\program files\apoint2k\Apoint.exe
mRun: [NWEReboot]
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
mRun: [QlbCtrl.exe] c:\program files\hewlett-packard\hp quick launch buttons\QlbCtrl.exe /Start
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [HP Health Check Scheduler] c:\program files\hewlett-packard\hp health check\HPHC_Scheduler.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
dRun: [Nokia.PCSync] "c:\program files\nokia\nokia pc suite 6\PcSync2.exe" /NoDialog
dRunOnce: [<NO NAME>]
mExplorerRun: [<NO NAME>] 1 (0x1)
StartupFolder: c:\users\arvind~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\dropbox.lnk - c:\users\arvind raje\appdata\roaming\dropbox\bin\Dropbox.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Customize Menu - file://c:\program files\siber systems\ai roboform\RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - {0B4350D1-055F-47A3-B112-5F2F2B0D6F08} - c:\program files\google\google gears\internet explorer\0.5.36.0\gears.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
Trusted Zone: bridgedoctor.com\www
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {9EF2BA47-C6A7-470D-9DD9-4323B0CB8353} - hxxp://98.210.180.141:2148/WebClient.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
TCP: Interfaces\{30B622D8-2CA6-426F-BD33-BDBA71AFB6F3} : DhcpNameServer = 172.31.6.198 172.31.6.133
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~3\office12\GR99D3~1.DLL
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\progra~1\google\google~3\GOEC62~1.DLL
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~3\office12\GRA8E1~1.DLL
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\arvind raje\appdata\roaming\mozilla\firefox\profiles\94ckym6o.default\
FF - prefs.js: browser.startup.homepage - hxxp://google.com/
FF - prefs.js: network.proxy.type - 0
FF - component: c:\program files\copernic desktop search - home\firefoxconnector\components\CSPXPCOMBridge.dll
FF - component: c:\program files\google\google gears\firefox\lib\ff36\gears.dll
FF - component: c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.1.0.37\ipsffplgn\components\IPSFFPl.dll
FF - component: c:\users\arvind raje\appdata\roaming\mozilla\firefox\profiles\94ckym6o.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\users\arvind raje\appdata\roaming\mozilla\firefox\profiles\94ckym6o.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbar-ff3.dll
FF - plugin: c:\program files\google\google updater\2.4.2432.1652\npCIDetect14.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.3.21.53\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.57\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.65\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.69\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.99\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\tools\vlc\npvlc.dll
FF - plugin: c:\users\arvind raje\appdata\local\google\update\1.3.21.99\npGoogleUpdate3.dll
FF - plugin: c:\users\arvind raje\appdata\roaming\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\users\arvind raje\appdata\roaming\mozilla\plugins\npgtpo3dautoplugin.dll
.
============= SERVICES / DRIVERS ===============
.
R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nis\1207000.00d\symds.sys [2012-2-1 340088]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1207000.00d\symefa.sys [2012-2-1 744568]
R1 BHDrvx86;BHDrvx86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.6.0.29\definitions\bashdefs\20120215.001\BHDrvx86.sys [2012-2-16 820344]
R1 IDSVix86;IDSVix86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.6.0.29\definitions\ipsdefs\20120223.002\IDSvix86.sys [2012-2-24 368248]
R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nis\1207000.00d\ironx86.sys [2012-2-1 136312]
R1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\system32\drivers\nis\1207000.00d\symtdiv.sys [2012-2-1 331384]
R2 AdvancedSystemCareService5;Advanced SystemCare Service 5;c:\tools\advanced systemcare 5\ASCService.exe [2012-2-15 497496]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-6-8 21504]
R2 NIS;Norton Internet Security;c:\program files\norton internet security\engine\18.7.0.13\ccsvchst.exe [2012-2-1 130008]
R2 UDisk Monitor;UDisk Monitor;c:\program files\reliance netconnect - broadband+\bin\MonServiceUDisk.exe [2010-2-5 266240]
R3 Com4QLBEx;Com4QLBEx;c:\program files\hewlett-packard\hp quick launch buttons\Com4QLBEx.exe [2011-9-28 227896]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2012-2-4 106104]
R3 ztemtusbser;ZTEMT Legacy Serial Communication;c:\windows\system32\drivers\CT_ZTEMT_U_USBSER.sys [2010-2-5 104704]
S2 gupdate1c9a01590e80d30;Google Update Service (gupdate1c9a01590e80d30);c:\program files\google\update\GoogleUpdate.exe [2009-3-8 133104]
S3 GoogleDesktopManager-093007-112848;Google Desktop Manager 5.5.709.30344;c:\program files\google\google desktop search\GoogleDesktop.exe [2007-12-19 29744]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-3-8 133104]
S3 PAC7311;Trust Webcam 14839;c:\windows\system32\drivers\PA707UCM.SYS [2005-10-18 154752]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2012-02-24 06:45:35 -------- d-----w- C:\63e8929133247ad70dee9a5b
2012-02-23 21:15:25 -------- d-----w- c:\users\arvind raje\appdata\roaming\Malwarebytes
2012-02-23 21:14:27 -------- d-----w- c:\programdata\Malwarebytes
2012-02-23 21:14:26 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-02-22 08:37:55 -------- d-----w- c:\users\arvind raje\appdata\local\NPE
2012-02-22 04:16:58 -------- d-----w- c:\users\arvind raje\appdata\roaming\BB06E
2012-02-22 04:16:19 1169736 ----a-w- c:\users\arvind raje\appdata\roaming\microsoft\99b3\B38_virus.exe
2012-02-22 04:16:19 -------- d-----w- c:\users\arvind raje\appdata\roaming\341BB
2012-02-18 05:56:51 -------- d-----w- C:\GamesNon Fellows
2012-02-15 05:28:58 1427456 ----a-w- c:\windows\system32\inetcpl.cpl
2012-02-15 04:08:09 -------- d-----w- c:\users\arvind raje\appdata\roaming\Leahs_Tale
2012-02-15 02:41:45 -------- d-----w- c:\programdata\IObit
2012-02-15 02:41:16 -------- d-----w- c:\users\arvind raje\appdata\roaming\IObit
2012-02-15 02:22:02 680448 ----a-w- c:\windows\system32\msvcrt.dll
2012-02-15 02:19:38 2044416 ----a-w- c:\windows\system32\win32k.sys
2012-02-15 02:19:37 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
2012-02-07 03:28:51 -------- d-----w- c:\program files\Microsoft Visual Studio 8
2012-02-03 07:19:10 626688 ----a-w- c:\program files\mozilla firefox\msvcr80.dll
2012-02-03 07:19:10 548864 ----a-w- c:\program files\mozilla firefox\msvcp80.dll
2012-02-03 07:19:10 479232 ----a-w- c:\program files\mozilla firefox\msvcm80.dll
2012-02-03 07:19:10 45016 ----a-w- c:\program files\mozilla firefox\mozutils.dll
2012-02-02 01:46:06 -------- d-----w- c:\users\arvind raje\appdata\roaming\KatGames
2012-02-02 01:46:06 -------- d-----w- c:\programdata\KatGames
2012-02-01 02:20:04 744568 ----a-r- c:\windows\system32\drivers\nis\1207000.00d\symefa.sys
2012-02-01 02:20:04 331384 ----a-w- c:\windows\system32\drivers\nis\1207000.00d\symtdiv.sys
2012-02-01 02:20:04 299640 ----a-w- c:\windows\system32\drivers\nis\1207000.00d\symnets.sys
2012-02-01 02:20:03 516216 ----a-r- c:\windows\system32\drivers\nis\1207000.00d\srtsp.sys
2012-02-01 02:20:03 50168 ----a-r- c:\windows\system32\drivers\nis\1207000.00d\srtspx.sys
2012-02-01 02:20:03 340088 ----a-r- c:\windows\system32\drivers\nis\1207000.00d\symds.sys
2012-02-01 02:20:03 136312 ----a-r- c:\windows\system32\drivers\nis\1207000.00d\ironx86.sys
2012-02-01 02:19:27 -------- d-----w- c:\windows\system32\drivers\nis\1207000.00D
2012-01-28 16:25:20 -------- d-----w- c:\users\arvind raje\appdata\local\JollyBear
2012-01-28 16:25:20 -------- d-----w- c:\programdata\JollyBear
2012-01-26 08:44:03 -------- d-----w- c:\users\arvind raje\appdata\roaming\Realore All My Gods
.
==================== Find3M ====================
.
2012-01-16 02:47:01 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-12-14 03:04:54 1798656 ----a-w- c:\windows\system32\jscript9.dll
2011-12-14 02:57:18 1127424 ----a-w- c:\windows\system32\wininet.dll
2011-12-14 02:50:04 2382848 ----a-w- c:\windows\system32\mshtml.tlb
.
============= FINISH: 13:16:21.58 ===============

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume1
Install Date: 09-11-2007 11:27:49
System Uptime: 24-02-2012 12:34:40 (1 hours ago)
.
Motherboard: Hewlett-Packard | | 30D9
Processor: Intel® Pentium® Dual CPU T2310 @ 1.46GHz | CPU | 1467/533mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 104 GiB total, 17.552 GiB free.
D: is FIXED (NTFS) - 8 GiB total, 1.808 GiB free.
E: is CDROM ()
F: is Removable
.
==== Disabled Device Manager Items =============
.
Class GUID: {eec5ad98-8080-425f-922a-dabf3de3f69a}
Description: Nokia 6275
Device ID: ROOT\WPD\0000
Manufacturer: Nokia
Name: Nokia 6275
PNP Device ID: ROOT\WPD\0000
Service: WUDFRd
.
==== System Restore Points ===================
.
RP480: 15-02-2012 10:43:01 - Windows Update
RP481: 24-02-2012 12:13:27 - Windows Update
RP482: 24-02-2012 12:43:38 - Windows Update
.
==== Installed Programs ======================
.
32 Bit HP CIO Components Installer
Activation Assistant for the 2007 Microsoft Office suites
ActiveCheck component for HP Active Support Library
Adobe AIR
Adobe Connect Add-in
Adobe Digital Editions
Adobe Flash Player 10 ActiveX
Adobe Flash Player 11 Plugin
Adobe Reader 8.3.1
Adobe Shockwave Player 11
Advanced SystemCare 5
Amerzone - Part 1
Apple Application Support
Apple Software Update
Avadon
Beyond Compare Version 3.1.11
Big City Adventure - London Story
Big City Adventure - New York
Bus Driver
calibre
CCleaner
Conexant HD Audio
Copernic Desktop Search - Home
Creeper World 2
Creeper World 2 Demo
Crystal Reports Basic for Visual Studio 2008
Dropbox
ESU for Microsoft Vista
Evocraft
Farm Tribe [UPDATED]
Gemini Lost
Geneforge 5
Google Chrome
Google Desktop
Google Earth
Google Gears
Google Photos Screensaver
Google Talk Plugin
Google Toolbar for Internet Explorer
Google Update Helper
Google Updater
GPU Caps Viewer 1.14.4
HD Writer AE 1.0 for HDC
HDAUDIO Soft Data Fax Modem with SmartCP
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
HP Active Support Library
HP Active Support Library 32 bit components
HP Customer Experience Enhancements
HP Doc Viewer
HP DVD Play 3.2
HP Easy Setup - Frontend
HP Help and Support
HP LaserJet P1000 series
HP Photosmart Essential 2.0
HP Photosmart Essential2.5
HP Quick Launch Buttons
HP Total Care Advisor
HP Update
HP User Guides 0078
HP Wireless Assistant
HPAsset component for HP Active Support Library
HPNetworkAssistant
HPSSupply
Intel® Graphics Media Accelerator Driver
IrfanView (remove only)
Java Auto Updater
Java™ 6 Update 29
Java™ 6 Update 4
Java™ 6 Update 7
Java™ SE Runtime Environment 6
Leahs Tale
LightScribe 1.6.43.1
Magic Life
Malwarebytes Anti-Malware version 1.60.1.1000
Microsoft .NET Compact Framework 2.0 SP2
Microsoft .NET Compact Framework 3.5
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft .NET Framework 4 Extended
Microsoft Device Emulator version 3.0 - ENU
Microsoft Document Explorer 2008
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office Home and Student 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Visual Web Developer 2007
Microsoft Office Visual Web Developer MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft SQL Server 2005
Microsoft SQL Server 2005 Express Edition (SQLEXPRESS)
Microsoft SQL Server 2005 Tools Express Edition
Microsoft SQL Server Compact 3.5 Design Tools ENU
Microsoft SQL Server Compact 3.5 ENU
Microsoft SQL Server Compact 3.5 for Devices ENU
Microsoft SQL Server Database Publishing Wizard 1.2
Microsoft SQL Server Native Client
Microsoft SQL Server Setup Support Files (English)
Microsoft SQL Server VSS Writer
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual Studio 2005 Tools for Office Runtime
Microsoft Visual Studio 2008 Professional Edition - ENU
Microsoft Visual Studio Web Authoring Component
Microsoft Windows SDK for Visual Studio 2008 .NET Framework Tools
Microsoft Windows SDK for Visual Studio 2008 Headers and Libraries
Microsoft Windows SDK for Visual Studio 2008 SDK Reference Assemblies and IntelliSense
Microsoft Windows SDK for Visual Studio 2008 Tools
Microsoft Windows SDK for Visual Studio 2008 Win32 Tools
Microsoft Works
Microsoft XNA Framework Redistributable 4.0
MinGW-Get version 0.3-alpha-2.1
mIRC
ModelSim PE Student Edition 10.0a
Monopoly
Monopoly City
Mozilla Firefox 10.0.2 (x86 en-GB)
MrvlUsgTracking
MSCU for Microsoft Vista
MSVC80_x86
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
muvee autoProducer 6.0
My Farm Life 2
My HP Games
My Kingdom For The Princess 3
NetWaiting
Nokia Connectivity Cable Driver
Nokia PC Suite
Non Fellows
Norton Internet Security
OpenOffice.org 3.0
Pahelika 1- Secret Legends
Pahelika 2 - Revelations
PC Connectivity Solution
PC VGA Camer@
Picasa 3
Pioneer Lands
PSSWCORE
QLBCASL
QuickTime
Realtek 8139 and 8139C+ Ethernet Network Card Driver for Windows Vista
Realtek USB 2.0 Card Reader
Reliance Netconnect - Broadband+
Rescue Team[Updated]
Rhapsody
Rhapsody Player Engine
RoboForm 7-2-8 (All Users)
Roxio Activation Module
Roxio Creator Audio
Roxio Creator Basic v9
Roxio Creator Copy
Roxio Creator Data
Roxio Creator EasyArchive
Roxio Creator Tools
Roxio Express Labeler 3
Roxio MyDVD Basic v9
Royal Envoy II CE
Running Sheep Tiny Worlds
SAMSUNG CDMA Modem Driver Set
Samsung Mobile phone USB driver Drive Software
SAMSUNG Mobile USB Modem 1.0 Software
SAMSUNG Mobile USB Modem Software
Samsung PC Studio
Scratch
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Security Update for Microsoft .NET Framework 4 Extended (KB2416472)
Security Update for Microsoft .NET Framework 4 Extended (KB2487367)
Security Update for Microsoft .NET Framework 4 Extended (KB2656351)
Skype Click to Call
Skype™ 5.5
Spelling Dictionaries Support For Adobe Reader 8
Supermarket Management 2
The Cross Formula
The Golden Years - Way Out West
To the Moon
Touch Pad Driver
TreeSize Free V2.6
TV Tycoon en
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2473228)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
Update for Microsoft .NET Framework 4 Extended (KB2468871)
Update for Microsoft .NET Framework 4 Extended (KB2533523)
Update for Microsoft .NET Framework 4 Extended (KB2600217)
VC Runtimes MSI
Vim 7.3 (self-installing)
Virtual City 2 Paradise Resort
Visual Studio 2005 Tools for Office Second Edition Runtime
Visual Studio Tools for the Office system 3.0 Runtime
VLC media player 1.1.11
Vongo
Windows Driver Package - Nokia Modem (02/15/2007 3.1)
Windows Live Sync
Windows Media Player Firefox Plugin
Windows Mobile 5.0 SDK R2 for Pocket PC
Windows Mobile 5.0 SDK R2 for Smartphone
WinRAR archiver
WinZip 14.5
Yahoo! Toolbar
Yahoo! Toolbar for Internet Explorer
.
==== Event Viewer Messages From Past Week ========
.
24-02-2012 12:35:42, Error: EventLog [6008] - The previous system shutdown at 12:34:13 on 24-02-2012 was unexpected.
22-02-2012 22:58:08, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
22-02-2012 22:50:15, Error: Service Control Manager [7001] - The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: The dependency service or group failed to start.
22-02-2012 22:50:03, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD BHDrvx86 DfsC eeCtrl IDSVix86 NetBIOS netbt nsiproxy PSched RasAcd rdbss Smb spldr SRTSP SRTSPX StarOpen SymIRON SYMTDIv tdx Wanarpv6
22-02-2012 22:50:03, Error: Service Control Manager [7001] - The Workstation service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
22-02-2012 22:50:03, Error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the Ancilliary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
22-02-2012 22:50:03, Error: Service Control Manager [7001] - The SMB MiniRedirector Wrapper and Engine service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.
22-02-2012 22:50:03, Error: Service Control Manager [7001] - The SMB 2.0 MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
22-02-2012 22:50:03, Error: Service Control Manager [7001] - The SMB 1.x MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.
22-02-2012 22:50:03, Error: Service Control Manager [7001] - The Network Store Interface Service service depends on the NSI proxy service service which failed to start because of the following error: A device attached to the system is not functioning.
22-02-2012 22:50:03, Error: Service Control Manager [7001] - The Network Location Awareness service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
22-02-2012 22:50:03, Error: Service Control Manager [7001] - The IP Helper service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.
22-02-2012 22:50:03, Error: Service Control Manager [7001] - The DNS Client service depends on the NetIO Legacy TDI Support Driver service which failed to start because of the following error: A device attached to the system is not functioning.
22-02-2012 22:50:03, Error: Service Control Manager [7001] - The DHCP Client service depends on the Ancilliary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.
22-02-2012 22:50:03, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.
22-02-2012 22:49:58, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}
22-02-2012 22:49:23, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netprofm with arguments "" in order to run the server: {A47979D2-C419-11D9-A5B4-001185AD2B89}
22-02-2012 22:49:23, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}
22-02-2012 22:49:23, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service fdPHost with arguments "" in order to run the server: {145B4335-FE2A-4927-A040-7C35AD3180EF}
22-02-2012 22:49:20, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
22-02-2012 22:49:11, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}
21-02-2012 08:53:31, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the NIS service.
19-02-2012 17:06:30, Error: iaStor [9] - The device, \Device\Ide\iaStor0, did not respond within the timeout period.
.
==== End Of File ===========================

Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org

Database version: v2012.02.23.03

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
Arvind Raje :: LAPTOPPC [administrator]

24-02-2012 02:47:46
mbam-log-2012-02-24 (02-47-46).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 200714
Time elapsed: 8 minute(s), 8 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 3
C:\Users\Arvind Raje\Downloads\SoftonicDownloader_for_vlc-media-player.exe (PUP.BundleOffer.Downloader.S) -> No action taken.
C:\Users\Arvind Raje\AppData\Roaming\Microsoft\99B3\852_virus.tmp (Trojan.Backdoor) -> Quarantined and deleted successfully.
C:\Users\Arvind Raje\AppData\Roaming\firefox.exe (Trojan.Agent) -> Quarantined and deleted successfully.

(end)

#2
MrCharlie

    Forum Deity

  • Experts
  • 17,433 posts
  • Gender:Male
  • Location:So. Plainfield, New Jersey, USA
Welcome to the forum

First I suggest you uninstall Advanced SystemCare 5

Here's why:

http://www.systemloo...ivers/5068.html

--------------------------------------

Please remove any USB or external drives from the computer before you run this scan!

Please download and run RogueKiller.
Click Scan to scan the system (don't run any other options)
Post back the report.
MrC

Malware Removal Expert

I volunteer my free time to help you, if you would like to donate to show your appreciation, it will be much appreciated.

#3
ranon

    New Member

  • Members
  • 20 posts
Thanks for the reply.

I uninstalled systemcare.

Just yesterday, I downloaded dds.com and dds.scr. Today, when I try to download RogueKiller in Firefox, I get an error "c:\windows\temp could not be saved because you cannot change the contents of the folder". Also, "Save Link As" in Firefox is disabled.

Chrome is not working at all. It says that it is unable to connect to a proxy, but I don't use any proxy and nothing is shown under LAN settings.

It looks related to the virus, so I am posting back for further instructions.

#4
MrCharlie

    Forum Deity

  • Experts
  • 17,433 posts
  • Gender:Male
  • Location:So. Plainfield, New Jersey, USA
From your log I do see a proxy set up.

uInternet Settings,ProxyServer = http=127.0.0.1:58384

See if you can run RKill as outlined in the post below:

http://www.bleepingc...opic308364.html

or the link below shows you how to disable it: (you don't have this infection, it's just for illustration purposes)

http://www.bleepingc...ows-shield-tool

Start from here:

Automated Removal Instructions for Windows Shield Tool using Malwarebytes' Anti-Malware:

Let me know, MrC

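A way to check for the loopback proxy MrC spotted in the log (ProxyServer = http=127.0.0.1:58384) from PowerShell, as an added example that is not code from the thread, RKill or RogueKiller. It assumes the standard WinINet "Internet Settings" registry keys and only reads them; it changes nothing.

```powershell
# Added example (not code from the thread, RKill or RogueKiller). Parses a WinINet
# ProxyServer value such as "http=127.0.0.1:58384" and reports loopback proxies.
function Test-LoopbackProxy {
    param([string]$ProxyServer)

    $findings = @()
    if ([string]::IsNullOrWhiteSpace($ProxyServer)) { return ,$findings }

    # The value is either "host:port" (applies to every protocol) or a semicolon
    # list of "scheme=host:port" entries (http=...;https=...;ftp=...;socks=...).
    foreach ($entry in ($ProxyServer -split ';')) {
        if ($entry -notmatch '^\s*(?:(?<scheme>\w+)=)?(?<host>\[[^\]]+\]|[^:\s]+)(?::(?<port>\d+))?\s*$') {
            continue
        }
        $proxyHost = $Matches['host'].Trim('[', ']')
        $scheme    = if ($Matches['scheme']) { $Matches['scheme'] } else { 'all' }
        $port      = if ($Matches['port']) { [int]$Matches['port'] } else { $null }

        # 127.0.0.0/8, ::1 and "localhost" all point back at the machine itself,
        # which is what the thread's proxy does: traffic is routed through a local
        # listener before it leaves the box.
        $isLoopback = ($proxyHost -eq 'localhost') -or ($proxyHost -eq '::1') -or ($proxyHost -like '127.*')
        if ($isLoopback) {
            $findings += [pscustomobject]@{ Scheme = $scheme; Host = $proxyHost; Port = $port }
        }
    }
    return ,$findings
}

function Get-WinInetProxyState {
    # The per-user key is what IE and any browser set to "use system proxy
    # settings" honour; the machine-wide key is checked as well. Key paths are
    # the standard WinINet locations (assumed, not taken from the thread).
    $keys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    )
    foreach ($key in $keys) {
        $values = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($null -eq $values) { continue }
        $loopback = Test-LoopbackProxy -ProxyServer $values.ProxyServer
        [pscustomobject]@{
            Key           = $key
            ProxyEnable   = $values.ProxyEnable
            ProxyServer   = $values.ProxyServer
            AutoConfigURL = $values.AutoConfigURL
            LoopbackProxy = ($loopback.Count -gt 0)
            Findings      = $loopback
        }
    }
}

# Report only. A loopback proxy with no proxy-aware software installed is the
# pattern in this thread; "netstat -ano" shows which PID owns the port (Vista
# has no Get-NetTCPConnection). Back the key up before changing anything, as
# RKill does with rk-proxy.reg.
$state = Get-WinInetProxyState
$state | Format-List
foreach ($s in $state) {
    if ($s.LoopbackProxy -and $s.ProxyEnable -eq 1) {
        Write-Warning ("Loopback proxy active in {0}: {1}" -f $s.Key, $s.ProxyServer)
        foreach ($f in $s.Findings) {
            Write-Warning ("  {0} -> {1}:{2}; check with: netstat -ano | findstr :{2}" -f $f.Scheme, $f.Host, $f.Port)
        }
    }
}
```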

#5
ranon

    New Member

  • Members
  • 20 posts
I shut down Firefox and, after restarting, the downloads started working.

I was able to download RKill and also RogueKiller. I ran RKill and then RogueKiller. Reports follow.

About the USB device, I use it to connect to the internet. So, I can run scans with it removed, but it goes right back on before I can get online. This device cannot be read in explorer, but I think that it too might be infected.

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 25-02-2012 at 23:45:22.
Operating System: Windows Vista ™ Home Premium


Processes terminated by Rkill or while it was running:

C:\Program Files\Common Files\LightScribe\LSSrvc.exe


--- ATTENTION ---

Windows was configured to use a proxy! Proxy settings have been removed.

The Proxy Server that was configured is: http=127.0.0.1:58384

If this was a valid setting, please double-click on the rk-proxy.reg file on your desktop and allow the data to be merged to restore your proxy settings.


Rkill completed on 25-02-2012 at 23:45:33.


RogueKiller V7.1.0 [02/15/2012] by Tigzy
mail: tigzyRK<at>gmail<dot>com
Feedback: http://www.geekstogo...13-roguekiller/
Blog: http://tigzyrk.blogspot.com

Operating System: Windows Vista (6.0.6002 Service Pack 2) 32 bits version
Started in : Normal mode
User: Arvind Raje [Admin rights]
Mode: Scan -- Date: 02/25/2012 23:51:24

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 4 ¤¤¤
[DNS] HKLM\[...]\ControlSet002\Parameters\Interfaces\{987402B1-87AC-46C4-8075-611663028AEB} : NameServer (220.226.100.40 220.226.6.104) -> FOUND
[HJ] HKCU\[...]\Advanced : Start_ShowPrinters (0) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [LOADED] ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
127.0.0.1 localhost
::1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: Hitachi HTS541612J9SA00 +++++
--- User ---
[MBR] bd22d4321d55ce605867c1b2076c58c5
[BSP] f0ca4accb9dcee899f59d2e183c62159 : HP tatooed MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 106022 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 217134540 | Size: 8448 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[1].txt >>
RKreport[1].txt

#6
MrCharlie

    Forum Deity

  • Experts
  • 17,433 posts
  • Gender:Male
  • Location:So. Plainfield, New Jersey, USA
OK, let's check for rootkits:

Please download and run TDSSKiller to your desktop as outlined below:

Double-click on TDSSKiller.exe to run the application, then click on Change parameters.

-------------------------

Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.

------------------------

Click the Start Scan button.

-----------------------

If a suspicious object is detected, the default action will be Skip; click on Continue.
If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic, please choose Skip and click on Continue.

----------------------

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
Note: If Cure is not available, please choose Skip instead; do not choose Delete unless instructed.

--------------------

A report will be created in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents in your next reply.

MrC


#7
ranon

    New Member

  • Members
  • 20 posts
I wasn't sure whether to skip or cure, so I just chose Skip for now. TDSSKiller report follows.

00:13:44.0028 3860 TDSS rootkit removing tool 2.7.14.0 Feb 22 2012 16:54:49
00:13:45.0394 3860 ============================================================
00:13:45.0394 3860 Current date / time: 2012/02/26 00:13:45.0394
00:13:45.0394 3860 SystemInfo:
00:13:45.0394 3860
00:13:45.0394 3860 OS Version: 6.0.6002 ServicePack: 2.0
00:13:45.0394 3860 Product type: Workstation
00:13:45.0395 3860 ComputerName: LAPTOPPC
00:13:45.0395 3860 UserName: Arvind Raje
00:13:45.0395 3860 Windows directory: C:\Windows
00:13:45.0395 3860 System windows directory: C:\Windows
00:13:45.0395 3860 Processor architecture: Intel x86
00:13:45.0395 3860 Number of processors: 2
00:13:45.0395 3860 Page size: 0x1000
00:13:45.0395 3860 Boot type: Normal boot
00:13:45.0395 3860 ============================================================
00:13:46.0414 3860 Drive \Device\Harddisk0\DR0 - Size: 0x1BF2976000 (111.79 Gb), SectorSize: 0x200, Cylinders: 0x3901, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000050
00:13:46.0436 3860 \Device\Harddisk0\DR0:
00:13:46.0436 3860 MBR used
00:13:46.0436 3860 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0xCF1358D
00:13:46.0436 3860 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0xCF135CC, BlocksNum 0x10801F5
00:13:46.0517 3860 Initialize success
00:13:46.0517 3860 ============================================================
00:15:15.0506 4832 ============================================================
00:15:15.0506 4832 Scan started
00:15:15.0506 4832 Mode: Manual; SigCheck; TDLFS;
00:15:15.0506 4832 ============================================================
00:15:27.0366 4832 cdrbsdrv (e0042bd5bef17a6a3ef1df576bde24d1) C:\Windows\system32\drivers\cdrbsdrv.sys
00:15:27.0397 4832 cdrbsdrv ( UnsignedFile.Multi.Generic ) - warning
00:15:27.0397 4832 cdrbsdrv - detected UnsignedFile.Multi.Generic (1)
00:15:55.0539 4832 rspndr - ok
00:15:55.0617 4832 RTL8023xp (166911eada13cd34dd8f8c667707be94) C:\Windows\system32\DRIVERS\Rtnicxp.sys
00:15:55.0695 4832 RTL8023xp - ok
00:15:55.0805 4832 RTSTOR (59b8716084597c9d6d7165835c8479c1) C:\Windows\system32\drivers\RTSTOR.SYS
00:15:55.0867 4832 RTSTOR - ok
00:15:55.0992 4832 sbp2port (3ce8f073a557e172b330109436984e30) C:\Windows\system32\drivers\sbp2port.sys
00:15:56.0023 4832 sbp2port - ok
00:15:56.0132 4832 secdrv (90a3935d05b494a5a39d37e71f09a677) C:\Windows\system32\drivers\secdrv.sys
00:15:56.0195 4832 secdrv - ok
00:15:56.0257 4832 Serenum (68e44e331d46f0fb38f0863a84cd1a31) C:\Windows\system32\drivers\serenum.sys
00:15:56.0351 4832 Serenum - ok
00:15:56.0444 4832 Serial (c70d69a918b178d3c3b06339b40c2e1b) C:\Windows\system32\drivers\serial.sys
00:15:56.0522 4832 Serial - ok
00:15:56.0585 4832 sermouse (8af3d28a879bf75db53a0ee7a4289624) C:\Windows\system32\drivers\sermouse.sys
00:15:56.0631 4832 sermouse - ok
00:15:56.0756 4832 sffdisk (103b79418da647736ee95645f305f68a) C:\Windows\system32\drivers\sffdisk.sys
00:15:56.0850 4832 sffdisk - ok
00:15:56.0912 4832 sffp_mmc (8fd08a310645fe872eeec6e08c6bf3ee) C:\Windows\system32\drivers\sffp_mmc.sys
00:15:56.0990 4832 sffp_mmc - ok
00:15:57.0084 4832 sffp_sd (9cfa05fcfcb7124e69cfc812b72f9614) C:\Windows\system32\drivers\sffp_sd.sys
00:15:57.0162 4832 sffp_sd - ok
00:15:57.0224 4832 sfloppy (46ed8e91793b2e6f848015445a0ac188) C:\Windows\system32\drivers\sfloppy.sys
00:15:57.0302 4832 sfloppy - ok
00:15:57.0427 4832 sisagp (d2a595d6eebeeaf4334f8e50efbc9931) C:\Windows\system32\drivers\sisagp.sys
00:15:57.0443 4832 sisagp - ok
00:15:57.0505 4832 SiSRaid2 (cedd6f4e7d84e9f98b34b3fe988373aa) C:\Windows\system32\drivers\sisraid2.sys
00:15:57.0521 4832 SiSRaid2 - ok
00:15:57.0552 4832 SiSRaid4 (df843c528c4f69d12ce41ce462e973a7) C:\Windows\system32\drivers\sisraid4.sys
00:15:57.0567 4832 SiSRaid4 - ok
00:15:57.0708 4832 Smb (7b75299a4d201d6a6533603d6914ab04) C:\Windows\system32\DRIVERS\smb.sys
00:15:57.0770 4832 Smb - ok
00:15:57.0879 4832 spldr (7aebdeef071fe28b0eef2cdd69102bff) C:\Windows\system32\drivers\spldr.sys
00:15:57.0895 4832 spldr - ok
00:15:58.0082 4832 SRTSP (83726cf02eced69138948083e06b6eac) C:\Windows\System32\Drivers\NIS\1207000.00D\SRTSP.SYS
00:15:58.0160 4832 SRTSP - ok
00:15:58.0347 4832 SRTSPX (4e7eab2e5615d39cf1f1df9c71e5e225) C:\Windows\system32\drivers\NIS\1207000.00D\SRTSPX.SYS
00:15:58.0379 4832 SRTSPX - ok
00:15:58.0472 4832 srv (41987f9fc0e61adf54f581e15029ad91) C:\Windows\system32\DRIVERS\srv.sys
00:15:58.0519 4832 srv - ok
00:15:58.0628 4832 srv2 (ff33aff99564b1aa534f58868cbe41ef) C:\Windows\system32\DRIVERS\srv2.sys
00:15:58.0706 4832 srv2 - ok
00:15:58.0815 4832 srvnet (7605c0e1d01a08f3ecd743f38b834a44) C:\Windows\system32\DRIVERS\srvnet.sys
00:15:58.0862 4832 srvnet - ok
00:15:58.0940 4832 sscdbus (d5dffeaa1e15d4effabb9d9a3068ac5b) C:\Windows\system32\DRIVERS\sscdbus.sys
00:15:59.0003 4832 sscdbus - ok
00:15:59.0127 4832 sscdmdfl (8a1be0c347814f482f493aea619d57f6) C:\Windows\system32\DRIVERS\sscdmdfl.sys
00:15:59.0190 4832 sscdmdfl - ok
00:15:59.0252 4832 sscdmdm (5ab0b1987f682a59b15b78f84c6ad7d0) C:\Windows\system32\DRIVERS\sscdmdm.sys
00:15:59.0268 4832 sscdmdm - ok
00:15:59.0393 4832 StarOpen (306521935042fc0a6988d528643619b3) C:\Windows\system32\drivers\StarOpen.sys
00:15:59.0408 4832 StarOpen ( UnsignedFile.Multi.Generic ) - warning
00:15:59.0408 4832 StarOpen - detected UnsignedFile.Multi.Generic (1)
00:15:59.0517 4832 swenum (7ba58ecf0c0a9a69d44b3dca62becf56) C:\Windows\system32\DRIVERS\swenum.sys
00:15:59.0533 4832 swenum - ok
00:15:59.0627 4832 Symc8xx (192aa3ac01df071b541094f251deed10) C:\Windows\system32\drivers\symc8xx.sys
00:15:59.0642 4832 Symc8xx - ok
00:15:59.0783 4832 SymDS (9bbeb8c6258e72d62e7560e6667aad39) C:\Windows\system32\drivers\NIS\1207000.00D\SYMDS.SYS
00:15:59.0845 4832 SymDS - ok
00:16:00.0048 4832 SymEFA (d5c02629c02a820a7e71bca3d44294a3) C:\Windows\system32\drivers\NIS\1207000.00D\SYMEFA.SYS
00:16:00.0157 4832 SymEFA - ok
00:16:00.0266 4832 SymEvent (ab33c3b196197ca467cbdda717860dba) C:\Windows\system32\Drivers\SYMEVENT.SYS
00:16:00.0313 4832 SymEvent - ok
00:16:00.0453 4832 SymIRON (a73399804d5d4a8b20ba60fcf70c9f1f) C:\Windows\system32\drivers\NIS\1207000.00D\Ironx86.SYS
00:16:00.0485 4832 SymIRON - ok
00:16:00.0625 4832 SYMTDIv (d42a7229e333af725f1445f785e4658d) C:\Windows\System32\Drivers\NIS\1207000.00D\SYMTDIV.SYS
00:16:00.0703 4832 SYMTDIv - ok
00:16:00.0843 4832 Sym_hi (8c8eb8c76736ebaf3b13b633b2e64125) C:\Windows\system32\drivers\sym_hi.sys
00:16:00.0859 4832 Sym_hi - ok
00:16:00.0921 4832 Sym_u3 (8072af52b5fd103bbba387a1e49f62cb) C:\Windows\system32\drivers\sym_u3.sys
00:16:00.0937 4832 Sym_u3 - ok
00:16:01.0031 4832 Tcpip (814a1c66fbd4e1b310a517221f1456bf) C:\Windows\system32\drivers\tcpip.sys
00:16:01.0093 4832 Tcpip - ok
00:16:01.0265 4832 Tcpip6 (814a1c66fbd4e1b310a517221f1456bf) C:\Windows\system32\DRIVERS\tcpip.sys
00:16:01.0358 4832 Tcpip6 - ok
00:16:01.0499 4832 tcpipreg (608c345a255d82a6289c2d468eb41fd7) C:\Windows\system32\drivers\tcpipreg.sys
00:16:01.0577 4832 tcpipreg - ok
00:16:01.0623 4832 TDPIPE (5dcf5e267be67a1ae926f2df77fbcc56) C:\Windows\system32\drivers\tdpipe.sys
00:16:01.0701 4832 TDPIPE - ok
00:16:01.0811 4832 TDTCP (389c63e32b3cefed425b61ed92d3f021) C:\Windows\system32\drivers\tdtcp.sys
00:16:01.0873 4832 TDTCP - ok
00:16:01.0935 4832 tdx (76b06eb8a01fc8624d699e7045303e54) C:\Windows\system32\DRIVERS\tdx.sys
00:16:01.0982 4832 tdx - ok
00:16:02.0091 4832 TermDD (3cad38910468eab9a6479e2f01db43c7) C:\Windows\system32\DRIVERS\termdd.sys
00:16:02.0107 4832 TermDD - ok
00:16:02.0201 4832 tssecsrv (dcf0f056a2e4f52287264f5ab29cf206) C:\Windows\system32\DRIVERS\tssecsrv.sys
00:16:02.0247 4832 tssecsrv - ok
00:16:02.0372 4832 tunmp (caecc0120ac49e3d2f758b9169872d38) C:\Windows\system32\DRIVERS\tunmp.sys
00:16:02.0450 4832 tunmp - ok
00:16:02.0513 4832 tunnel (300db877ac094feab0be7688c3454a9c) C:\Windows\system32\DRIVERS\tunnel.sys
00:16:02.0559 4832 tunnel - ok
00:16:02.0669 4832 uagp35 (c3ade15414120033a36c0f293d4a4121) C:\Windows\system32\drivers\uagp35.sys
00:16:02.0684 4832 uagp35 - ok
00:16:02.0778 4832 udfs (d9728af68c4c7693cb100b8441cbdec6) C:\Windows\system32\DRIVERS\udfs.sys
00:16:02.0809 4832 udfs - ok
00:16:02.0918 4832 uliagpkx (75e6890ebfce0841d3291b02e7a8bdb0) C:\Windows\system32\drivers\uliagpkx.sys
00:16:02.0934 4832 uliagpkx - ok
00:16:03.0012 4832 uliahci (3cd4ea35a6221b85dcc25daa46313f8d) C:\Windows\system32\drivers\uliahci.sys
00:16:03.0043 4832 uliahci - ok
00:16:03.0137 4832 UlSata (8514d0e5cd0534467c5fc61be94a569f) C:\Windows\system32\drivers\ulsata.sys
00:16:03.0152 4832 UlSata - ok
00:16:03.0230 4832 ulsata2 (38c3c6e62b157a6bc46594fada45c62b) C:\Windows\system32\drivers\ulsata2.sys
00:16:03.0246 4832 ulsata2 - ok
00:16:03.0293 4832 umbus (32cff9f809ae9aed85464492bf3e32d2) C:\Windows\system32\DRIVERS\umbus.sys
00:16:03.0339 4832 umbus - ok
00:16:03.0480 4832 usbaudio (32db9517628ff0d070682aab61e688f0) C:\Windows\system32\drivers\usbaudio.sys
00:16:03.0542 4832 usbaudio - ok
00:16:03.0620 4832 usbccgp (caf811ae4c147ffcd5b51750c7f09142) C:\Windows\system32\DRIVERS\usbccgp.sys
00:16:03.0683 4832 usbccgp - ok
00:16:03.0792 4832 usbcir (e9476e6c486e76bc4898074768fb7131) C:\Windows\system32\drivers\usbcir.sys
00:16:03.0854 4832 usbcir - ok
00:16:03.0948 4832 usbehci (79e96c23a97ce7b8f14d310da2db0c9b) C:\Windows\system32\DRIVERS\usbehci.sys
00:16:04.0010 4832 usbehci - ok
00:16:04.0119 4832 usbhub (4673bbcb006af60e7abddbe7a130ba42) C:\Windows\system32\DRIVERS\usbhub.sys
00:16:04.0166 4832 usbhub - ok
00:16:04.0244 4832 usbohci (38dbc7dd6cc5a72011f187425384388b) C:\Windows\system32\drivers\usbohci.sys
00:16:04.0338 4832 usbohci - ok
00:16:04.0447 4832 usbprint (e75c4b5269091d15a2e7dc0b6d35f2f5) C:\Windows\system32\DRIVERS\usbprint.sys
00:16:04.0509 4832 usbprint - ok
00:16:04.0619 4832 usbscan (a508c9bd8724980512136b039bba65e9) C:\Windows\system32\DRIVERS\usbscan.sys
00:16:04.0665 4832 usbscan - ok
00:16:04.0759 4832 USBSTOR (be3da31c191bc222d9ad503c5224f2ad) C:\Windows\system32\DRIVERS\USBSTOR.SYS
00:16:04.0821 4832 USBSTOR - ok
00:16:04.0899 4832 usbuhci (814d653efc4d48be3b04a307eceff56f) C:\Windows\system32\DRIVERS\usbuhci.sys
00:16:04.0946 4832 usbuhci - ok
00:16:05.0087 4832 usbvideo (e67998e8f14cb0627a769f6530bcb352) C:\Windows\system32\Drivers\usbvideo.sys
00:16:05.0149 4832 usbvideo - ok
00:16:05.0227 4832 vga (7d92be0028ecdedec74617009084b5ef) C:\Windows\system32\DRIVERS\vgapnp.sys
00:16:05.0321 4832 vga - ok
00:16:05.0430 4832 VgaSave (2e93ac0a1d8c79d019db6c51f036636c) C:\Windows\System32\drivers\vga.sys
00:16:05.0492 4832 VgaSave - ok
00:16:05.0570 4832 viaagp (045d9961e591cf0674a920b6ba3ba5cb) C:\Windows\system32\drivers\viaagp.sys
00:16:05.0586 4832 viaagp - ok
00:16:05.0695 4832 ViaC7 (56a4de5f02f2e88182b0981119b4dd98) C:\Windows\system32\drivers\viac7.sys
00:16:05.0789 4832 ViaC7 - ok
00:16:05.0851 4832 viaide (fd2e3175fcada350c7ab4521dca187ec) C:\Windows\system32\drivers\viaide.sys
00:16:05.0867 4832 viaide - ok
00:16:05.0960 4832 volmgr (69503668ac66c77c6cd7af86fbdf8c43) C:\Windows\system32\drivers\volmgr.sys
00:16:05.0976 4832 volmgr - ok
00:16:06.0069 4832 volmgrx (23e41b834759917bfd6b9a0d625d0c28) C:\Windows\system32\drivers\volmgrx.sys
00:16:06.0085 4832 volmgrx - ok
00:16:06.0194 4832 volsnap (147281c01fcb1df9252de2a10d5e7093) C:\Windows\system32\drivers\volsnap.sys
00:16:06.0225 4832 volsnap - ok
00:16:06.0272 4832 vsmraid (d984439746d42b30fc65a4c3546c6829) C:\Windows\system32\drivers\vsmraid.sys
00:16:06.0303 4832 vsmraid - ok
00:16:06.0350 4832 WacomPen (48dfee8f1af7c8235d4e626f0c4fe031) C:\Windows\system32\drivers\wacompen.sys
00:16:06.0444 4832 WacomPen - ok
00:16:06.0553 4832 Wanarp (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys
00:16:06.0584 4832 Wanarp - ok
00:16:06.0600 4832 Wanarpv6 (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys
00:16:06.0647 4832 Wanarpv6 - ok
00:16:06.0725 4832 Wd (afc5ad65b991c1e205cf25cfdbf7a6f4) C:\Windows\system32\drivers\wd.sys
00:16:06.0740 4832 Wd - ok
00:16:06.0865 4832 Wdf01000 (b6f0a7ad6d4bd325fbcd8bac96cd8d96) C:\Windows\system32\drivers\Wdf01000.sys
00:16:06.0896 4832 Wdf01000 - ok
00:16:07.0099 4832 winachsf (e096ffb754f1e45ae1bddac1275ae2c5) C:\Windows\system32\DRIVERS\HSX_CNXT.sys
00:16:07.0239 4832 winachsf - ok
00:16:07.0411 4832 WmiAcpi (2e7255d172df0b8283cdfb7b433b864e) C:\Windows\system32\DRIVERS\wmiacpi.sys
00:16:07.0458 4832 WmiAcpi - ok
00:16:07.0551 4832 WpdUsb (de9d36f91a4df3d911626643debf11ea) C:\Windows\system32\DRIVERS\wpdusb.sys
00:16:07.0614 4832 WpdUsb - ok
00:16:07.0723 4832 ws2ifsl (e3a3cb253c0ec2494d4a61f5e43a389c) C:\Windows\system32\drivers\ws2ifsl.sys
00:16:07.0785 4832 ws2ifsl - ok
00:16:07.0863 4832 WUDFRd (ac13cb789d93412106b0fb6c7eb2bcb6) C:\Windows\system32\DRIVERS\WUDFRd.sys
00:16:07.0926 4832 WUDFRd - ok
00:16:08.0051 4832 XAudio (19e7c173b6242ad7521e537ae54768bf) C:\Windows\system32\DRIVERS\xaudio.sys
00:16:08.0066 4832 XAudio - ok
00:16:08.0175 4832 ztemtusbser (20f4f87625edddb97b48da66ace7dc8d) C:\Windows\system32\DRIVERS\CT_ZTEMT_U_USBSER.sys
00:16:08.0238 4832 ztemtusbser - ok
00:16:08.0285 4832 MBR (0x1B8) (1a1a06f62e891045814007163c1c76c3) \Device\Harddisk0\DR0
00:16:08.0378 4832 \Device\Harddisk0\DR0 - ok
00:16:08.0394 4832 Boot (0x1200) (5332633f4e1e7a357c3f12e29a85170b) \Device\Harddisk0\DR0\Partition0
00:16:08.0394 4832 \Device\Harddisk0\DR0\Partition0 - ok
00:16:08.0394 4832 Boot (0x1200) (f2734062f590ed25e7028b4b440da767) \Device\Harddisk0\DR0\Partition1
00:16:08.0409 4832 \Device\Harddisk0\DR0\Partition1 - ok
00:16:08.0409 4832 ============================================================
00:16:08.0409 4832 Scan finished
00:16:08.0409 4832 ============================================================
00:16:08.0425 5196 Detected object count: 2
00:16:08.0425 5196 Actual detected object count: 2
00:17:09.0234 5196 cdrbsdrv ( UnsignedFile.Multi.Generic ) - skipped by user
00:17:09.0234 5196 cdrbsdrv ( UnsignedFile.Multi.Generic ) - User select action: Skip
00:17:09.0249 5196 StarOpen ( UnsignedFile.Multi.Generic ) - skipped by user
00:17:09.0249 5196 StarOpen ( UnsignedFile.Multi.Generic ) - User select action: Skip

#8
MrCharlie

    Forum Deity

  • Experts
  • 17,433 posts
  • Gender:Male
  • Location:So. Plainfield, New Jersey, USA
OK, that was correct...those files are good.

Please download and run ComboFix.

The most important things to remember when running it are to disable all your malware programs and to run ComboFix from your desktop.

Please visit this webpage for download links and instructions for running ComboFix:

http://www.bleepingc...to-use-combofix

Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Make sure you run ComboFix from your desktop.

Please include the C:\ComboFix.txt in your next reply for further review.

MrC

Malware Removal Expert


I volunteer my free time to help you, if you would like to donate to show your appreciation, it will be much appreciated.

Thanks MrC & crew

#9
ranon

    New Member

  • Members
  • 20 posts
Just a quick question before I run combofix.

Do I remove the USB drive before running it? Even if I remove the USB drive, I need to put it in again to connect to the internet.

Previous scans were done with the USB removed.

#10
MrCharlie

Yes, maybe you'd better, MrC


#11
ranon

I ran combofix from desktop as instructed. Norton was also disabled. USB device was removed.

It ran for 40+ stages and came to the "preparing log report" screen. There the system automatically turned off.
When it started again, it asked whether I should choose safe mode. I chose normal mode and it started OK.

c:\combofix.txt is not available. Please tell me what to do now.

Rishi

#12
MrCharlie

Press the Windows logo key + R to bring up the "run box"

Copy and paste the next command in the field:

"C:\ComboFix.txt"

Press enter, see if it comes up.

MrC


#13
ranon

Doesn't work.
It says "Windows cannot find c:\combofix.txt".

#14
MrCharlie

Let's run a couple of other scans first, then we'll try ComboFix again:

Next, please run a free online scan with the ESET Online Scanner:

Note: You will need to use Internet Explorer for this scan.

http://www.eset.eu/online-scanner

Tick the box next to YES, I accept the Terms of Use.

Click Start

When asked, allow the ActiveX control to install

Click Start

Make sure that the options Remove found threats and Scan unwanted applications are checked

Click Scan

Wait for the scan to finish

Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt

Copy and paste that log as a reply to this topic

MrC


#15
ranon

The proxy server was again set in IE, so initially I could not connect. Then I saw the setting. The proxy was enabled only for the specific connection, as opposed to the general setting. I changed that and got IE to work.

ESET worked OK. Took 6.5 hrs to scan. It found no threats.

Log file is attached.

Rishi

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
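
The per-connection proxy that kept reappearing in the post above is stored in WinInet's binary connection blobs (one value per named connection under Internet Settings\Connections), not in the global ProxyEnable/ProxyServer values most quick checks look at. The following parser and audit are an added example of mine, not code from this thread or from any of the tools it uses; the blob layout and the INTERNET_PER_CONN flag values are taken from WinInet documentation and common forensic write-ups, and the connection names, port and blobs are constructed.

```python
"""
Parse and audit WinInet per-connection proxy blobs, i.e. the REG_BINARY values
under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections.

Assumed layout (DefaultConnectionSettings format, little-endian; an assumption
from WinInet docs and forensic write-ups, not from this thread):
  u32 version | u32 change counter | u32 INTERNET_PER_CONN flags |
  u32 len + proxy server | u32 len + bypass list | u32 len + PAC URL | 32 zero bytes
"""
import struct
from dataclasses import dataclass
from typing import Dict, List

# INTERNET_PER_CONN_FLAGS values from wininet.h
PROXY_TYPE_DIRECT = 0x01          # always present
PROXY_TYPE_PROXY = 0x02           # manual proxy server configured
PROXY_TYPE_AUTO_PROXY_URL = 0x04  # PAC script configured
PROXY_TYPE_AUTO_DETECT = 0x08     # WPAD auto-detect


@dataclass
class ConnSettings:
    version: int
    counter: int
    flags: int
    proxy: str
    bypass: str
    autoconfig: str


def _read_lv(blob: bytes, off: int):
    """Read a u32 length-prefixed ASCII string at off; return (string, new_off)."""
    (n,) = struct.unpack_from("<I", blob, off)
    off += 4
    if off + n > len(blob):
        raise ValueError("string length runs past end of blob")
    return blob[off:off + n].decode("ascii", "replace"), off + n


def parse_connection_blob(blob: bytes) -> ConnSettings:
    """Decode one connection value; raises ValueError/struct.error on junk."""
    if len(blob) < 24:  # header plus three length fields
        raise ValueError("blob too short")
    version, counter, flags = struct.unpack_from("<III", blob, 0)
    proxy, off = _read_lv(blob, 12)
    bypass, off = _read_lv(blob, off)
    autoconfig, _ = _read_lv(blob, off)
    return ConnSettings(version, counter, flags, proxy, bypass, autoconfig)


def build_connection_blob(flags: int, proxy: str = "", bypass: str = "",
                          autoconfig: str = "", version: int = 0x46,
                          counter: int = 1) -> bytes:
    """Encode settings in the same layout (used here to construct sample input)."""
    out = struct.pack("<III", version, counter, flags)
    for s in (proxy, bypass, autoconfig):
        b = s.encode("ascii")
        out += struct.pack("<I", len(b)) + b
    return out + bytes(32)


def _proxy_hosts(spec: str) -> List[str]:
    """Hosts from 'host:port' or 'http=host:port;https=host:port' proxy specs."""
    hosts = []
    for entry in spec.split(";"):
        entry = entry.strip()
        if entry:
            hosts.append(entry.split("=", 1)[-1].rsplit(":", 1)[0].lower())
    return hosts


def proxy_findings(cs: ConnSettings) -> List[str]:
    """Describe any proxy or PAC configuration carried by one connection."""
    out = []
    if cs.flags & PROXY_TYPE_PROXY and cs.proxy:
        local = any(h in ("localhost", "::1") or h.startswith("127.")
                    for h in _proxy_hosts(cs.proxy))
        if local:
            out.append(f"manual proxy points at the local machine: {cs.proxy}")
        else:
            out.append(f"manual proxy configured: {cs.proxy}")
    if cs.flags & PROXY_TYPE_AUTO_PROXY_URL and cs.autoconfig:
        out.append(f"PAC script configured: {cs.autoconfig}")
    return out


def audit(connections: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Map each connection name to its findings; clean connections are omitted."""
    findings: Dict[str, List[str]] = {}
    for name, blob in connections.items():
        try:
            reasons = proxy_findings(parse_connection_blob(blob))
        except (ValueError, struct.error) as exc:
            reasons = [f"unparseable blob: {exc}"]
        if reasons:
            findings[name] = reasons
    return findings


# Constructed sample: the global entry is clean, while the named modem
# connection carries a loopback proxy, the per-connection pattern from the post.
SAMPLE_CONNECTIONS: Dict[str, bytes] = {
    "DefaultConnectionSettings": build_connection_blob(PROXY_TYPE_DIRECT | PROXY_TYPE_AUTO_DETECT),
    "USB Modem (constructed)": build_connection_blob(
        PROXY_TYPE_DIRECT | PROXY_TYPE_PROXY, "http=127.0.0.1:59112", "<local>"),
    "Broken (constructed)": b"\x46\x00\x00",
}

if __name__ == "__main__":
    for name, reasons in audit(SAMPLE_CONNECTIONS).items():
        print(f"{name}: {'; '.join(reasons)}")
```

On a live Windows box the same blobs can be collected with the standard-library winreg module (enumerate the REG_BINARY values under the Connections key) and fed to audit(); the parser itself needs no Windows APIs, so it also works on exported hives.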

#16
MrCharlie

Let's try ComboFix again:

Please download and run ComboFix.

The most important things to remember when running it are to disable all your malware programs and to run ComboFix from your desktop.

Please visit this webpage for download links and instructions for running ComboFix:

http://www.bleepingc...to-use-combofix

Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Please include the C:\ComboFix.txt in your next reply for further review.

MrC


#17
ranon

I could run ComboFix. After running, Firefox did not open. It opened after a restart.

Combofix log follows.

ComboFix 12-02-25.02 - Arvind Raje 26-02-2012 23:05:35.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.91.1033.18.2037.1048 [GMT 5.5:30]
Running from: c:\users\Arvind Raje\Desktop\ComboFix.exe
AV: Norton Internet Security *Disabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}
FW: Norton Internet Security *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}
SP: Norton Internet Security *Disabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\install.exe
c:\programdata\Microsoft\corecon\1.0\1033\NonSDKAddonLangVer.dll
c:\programdata\Microsoft\corecon\1.0\1033\SDKAddonLangVer.dll
c:\programdata\Microsoft\corecon\1.0\addons\NonSDKAddonVer.dll
c:\programdata\Microsoft\corecon\1.0\addons\SDKAddonVer.dll
c:\programdata\Microsoft\corecon\1.0\SDKFilesVer.dll
c:\users\Public\Norton_Removal_Tool.exe
c:\windows\system32\CddbCdda.dll
c:\windows\system32\html
c:\windows\system32\html\calendar.html
c:\windows\system32\html\calendarbottom.html
c:\windows\system32\html\calendartop.html
c:\windows\system32\html\crystalexportdialog.htm
c:\windows\system32\html\crystalprinthost.html
c:\windows\system32\images
c:\windows\system32\images\toolbar\calendar.gif
c:\windows\system32\images\toolbar\crlogo.gif
c:\windows\system32\images\toolbar\export.gif
c:\windows\system32\images\toolbar\export_over.gif
c:\windows\system32\images\toolbar\exportd.gif
c:\windows\system32\images\toolbar\First.gif
c:\windows\system32\images\toolbar\first_over.gif
c:\windows\system32\images\toolbar\Firstd.gif
c:\windows\system32\images\toolbar\gotopage.gif
c:\windows\system32\images\toolbar\gotopage_over.gif
c:\windows\system32\images\toolbar\gotopaged.gif
c:\windows\system32\images\toolbar\grouptree.gif
c:\windows\system32\images\toolbar\grouptree_over.gif
c:\windows\system32\images\toolbar\grouptreed.gif
c:\windows\system32\images\toolbar\grouptreepressed.gif
c:\windows\system32\images\toolbar\Last.gif
c:\windows\system32\images\toolbar\last_over.gif
c:\windows\system32\images\toolbar\Lastd.gif
c:\windows\system32\images\toolbar\Next.gif
c:\windows\system32\images\toolbar\next_over.gif
c:\windows\system32\images\toolbar\Nextd.gif
c:\windows\system32\images\toolbar\Prev.gif
c:\windows\system32\images\toolbar\prev_over.gif
c:\windows\system32\images\toolbar\Prevd.gif
c:\windows\system32\images\toolbar\print.gif
c:\windows\system32\images\toolbar\print_over.gif
c:\windows\system32\images\toolbar\printd.gif
c:\windows\system32\images\toolbar\Refresh.gif
c:\windows\system32\images\toolbar\refresh_over.gif
c:\windows\system32\images\toolbar\refreshd.gif
c:\windows\system32\images\toolbar\Search.gif
c:\windows\system32\images\toolbar\search_over.gif
c:\windows\system32\images\toolbar\searchd.gif
c:\windows\system32\images\toolbar\up.gif
c:\windows\system32\images\toolbar\up_over.gif
c:\windows\system32\images\toolbar\upd.gif
c:\windows\system32\images\tree\begindots.gif
c:\windows\system32\images\tree\beginminus.gif
c:\windows\system32\images\tree\beginplus.gif
c:\windows\system32\images\tree\blank.gif
c:\windows\system32\images\tree\blankdots.gif
c:\windows\system32\images\tree\dots.gif
c:\windows\system32\images\tree\lastdots.gif
c:\windows\system32\images\tree\lastminus.gif
c:\windows\system32\images\tree\lastplus.gif
c:\windows\system32\images\tree\Magnify.gif
c:\windows\system32\images\tree\minus.gif
c:\windows\system32\images\tree\minusbox.gif
c:\windows\system32\images\tree\plus.gif
c:\windows\system32\images\tree\plusbox.gif
c:\windows\system32\images\tree\singleminus.gif
c:\windows\system32\images\tree\singleplus.gif
.
.
((((((((((((((((((((((((( Files Created from 2012-01-26 to 2012-02-26 )))))))))))))))))))))))))))))))
.
.
2012-02-26 17:47 . 2012-02-26 17:47 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-02-25 21:25 . 2012-02-25 21:25 -------- d-----w- c:\program files\ESET
2012-02-24 06:45 . 2012-02-24 06:45 -------- d-----w- C:\63e8929133247ad70dee9a5b
2012-02-23 21:15 . 2012-02-23 21:15 -------- d-----w- c:\users\Arvind Raje\AppData\Roaming\Malwarebytes
2012-02-23 21:14 . 2012-02-23 21:14 -------- d-----w- c:\programdata\Malwarebytes
2012-02-23 21:14 . 2011-12-10 09:54 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-02-22 08:37 . 2012-02-22 09:08 -------- d-----w- c:\users\Arvind Raje\AppData\Local\NPE
2012-02-22 04:16 . 2012-02-22 04:16 -------- d-----w- c:\users\Arvind Raje\AppData\Roaming\BB06E
2012-02-22 04:16 . 2012-02-22 04:16 1169736 ----a-w- c:\users\Arvind Raje\AppData\Roaming\Microsoft\99B3\B38_virus.exe
2012-02-22 04:16 . 2012-02-22 04:16 -------- d-----w- c:\users\Arvind Raje\AppData\Roaming\341BB
2012-02-18 05:56 . 2012-02-18 06:41 -------- d-----w- C:\GamesNon Fellows
2012-02-15 05:28 . 2011-12-14 02:56 1427456 ----a-w- c:\windows\system32\inetcpl.cpl
2012-02-15 04:08 . 2012-02-16 09:40 -------- d-----w- c:\users\Arvind Raje\AppData\Roaming\Leahs_Tale
2012-02-15 02:41 . 2012-02-15 02:41 -------- d-----w- c:\programdata\IObit
2012-02-15 02:41 . 2012-02-15 02:41 -------- d-----w- c:\users\Arvind Raje\AppData\Roaming\IObit
2012-02-15 02:22 . 2011-12-14 16:17 680448 ----a-w- c:\windows\system32\msvcrt.dll
2012-02-15 02:19 . 2012-01-12 19:52 2044416 ----a-w- c:\windows\system32\win32k.sys
2012-02-15 02:19 . 2011-12-20 10:56 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
2012-02-07 03:28 . 2012-02-07 03:28 -------- d-----w- c:\program files\Microsoft Visual Studio 8
2012-02-03 07:19 . 2012-02-17 08:32 45016 ----a-w- c:\program files\Mozilla Firefox\mozutils.dll
2012-02-03 07:19 . 2012-02-03 07:19 626688 ----a-w- c:\program files\Mozilla Firefox\msvcr80.dll
2012-02-03 07:19 . 2012-02-03 07:19 548864 ----a-w- c:\program files\Mozilla Firefox\msvcp80.dll
2012-02-03 07:19 . 2012-02-03 07:19 479232 ----a-w- c:\program files\Mozilla Firefox\msvcm80.dll
2012-02-02 01:46 . 2012-02-02 01:46 -------- d-----w- c:\users\Arvind Raje\AppData\Roaming\KatGames
2012-02-02 01:46 . 2012-02-02 01:46 -------- d-----w- c:\programdata\KatGames
2012-02-01 02:19 . 2012-02-03 06:50 -------- d-----w- c:\windows\system32\drivers\NIS\1207000.00D
2012-01-28 16:25 . 2012-02-18 04:50 -------- d-----w- c:\users\Arvind Raje\AppData\Local\JollyBear
2012-01-28 16:25 . 2012-02-18 04:50 -------- d-----w- c:\programdata\JollyBear
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-16 02:47 . 2011-09-04 09:53 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-12-30 04:27 . 2011-12-30 04:13 1680064 ----a-w- c:\programdata\Microsoft\VisualStudio\9.0\1033\ResourceCache.dll
2011-12-30 04:13 . 2011-12-30 04:13 18368 ----a-w- c:\programdata\Microsoft\VSA\9.0\1033\ResourceCache.dll
2011-12-30 03:52 . 2011-12-30 03:52 416 ----a-w- c:\programdata\Microsoft\MSDN\9.0\1033\ResourceCache.dll
2012-02-17 08:32 . 2011-05-06 09:45 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2008-06-30 08:14 . 2009-11-03 17:38 324976 ----a-w- c:\program files\mozilla firefox\components\coFFPlgn.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\Arvind Raje\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\Arvind Raje\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ----a-w- c:\users\Arvind Raje\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-12-19 68856]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2007-12-21 217088]
"NWEReboot"="" [BU]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-11 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-11 166424]
"WAWifiMessage"="c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2007-01-10 317128]
"QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2009-11-24 323640]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-10-09 75008]
"SunJavaUpdateSched"="c:\program files\common files\java\java update\jusched.exe" [2011-06-09 254696]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Nokia.PCSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-11-07 1294336]
.
c:\users\Arvind Raje\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Dropbox.lnk - c:\users\Arvind Raje\AppData\Roaming\Dropbox\bin\Dropbox.exe [2012-2-15 24246216]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~3\GoogleDesktopNetwork3.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Google Updater.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Google Updater.lnk
backup=c:\windows\pss\Google Updater.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HD Writer AE 1.0.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\HD Writer AE 1.0.lnk
backup=c:\windows\pss\HD Writer AE 1.0.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Vongo Tray.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Vongo Tray.lnk
backup=c:\windows\pss\Vongo Tray.lnk.CommonStartup
backupExtension=.CommonStartup
.
[HKLM\~\startupfolder\C:^Users^Arvind Raje^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OpenOffice.org 2.4.lnk]
path=c:\users\Arvind Raje\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 2.4.lnk
backup=c:\windows\pss\OpenOffice.org 2.4.lnk.Startup
backupExtension=.Startup
.
[HKLM\~\startupfolder\C:^Users^Arvind Raje^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OpenOffice.org 3.0.lnk]
path=c:\users\Arvind Raje\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.0.lnk
backup=c:\windows\pss\OpenOffice.org 3.0.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2011-03-29 16:29 937920 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-08-31 01:57 40368 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
2008-09-26 06:32 2356088 ----a-r- c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Advanced SystemCare 5]
c:\tools\Advanced SystemCare 5\ASCTray.exe [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Easy Dock]
c:\users\Arvind Raje\Documents\RCA easyRip\EZDock.exe [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
2007-12-19 04:56 29744 ----a-w- c:\program files\Google\Google Desktop Search\GoogleDesktop.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2010-10-25 14:02 136176 ----atw- c:\users\Arvind Raje\AppData\Local\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2006-10-26 19:17 31016 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpWirelessAssistant]
2007-03-01 20:18 472776 ----a-w- c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Launcher]
2006-11-08 00:39 44128 ------w- c:\windows\SMINST\Launcher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Suite Tray]
2007-12-10 04:42 695808 ----a-w- c:\program files\Nokia\Nokia PC Suite 6\PCSuite.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
c:\program files\Nokia\Nokia PC Suite 6\LaunchApplication.exe [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
2008-02-11 14:43 133656 ----a-w- c:\windows\System32\igfxpers.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QlbCtrl]
2009-11-24 05:37 323640 ----a-w- c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QLBCtrl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QPService]
2007-03-29 00:45 176128 ----a-w- c:\program files\HP\QuickPlay\QPService.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-09-08 05:47 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoboForm]
2011-04-15 06:05 107000 ----a-w- c:\program files\Siber Systems\AI RoboForm\robotaskbaricon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2011-10-13 03:57 17351304 ----a-r- c:\program files\Skype\Phone\Skype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2007-12-19 04:56 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
2008-01-19 07:38 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2008-01-19 07:33 202240 ----a-w- c:\program files\Windows Media Player\wmpnscfg.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2007-04-19 20:23 452136 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-25 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-12-18 15:45]
.
2012-02-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-08 17:44]
.
2012-02-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-08 17:44]
.
2012-02-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1008920372-1273433071-3186582681-1000Core.job
- c:\users\Arvind Raje\AppData\Local\Google\Update\GoogleUpdate.exe [2010-12-24 14:02]
.
2012-02-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1008920372-1273433071-3186582681-1000UA.job
- c:\users\Arvind Raje\AppData\Local\Google\Update\GoogleUpdate.exe [2010-12-24 14:02]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://securityresponse.symantec.com/avcenter/fix_homepage
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_IN&c=73&bd=PRESARIO&pf=laptop
uInternet Settings,ProxyServer = http=127.0.0.1:58384
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
Trusted Zone: bridgedoctor.com\www
DPF: {9EF2BA47-C6A7-470D-9DD9-4323B0CB8353} - hxxp://98.210.180.141:2148/WebClient.cab
FF - ProfilePath - c:\users\Arvind Raje\AppData\Roaming\Mozilla\Firefox\Profiles\94ckym6o.default\
FF - prefs.js: browser.startup.homepage - hxxp://google.com/
FF - prefs.js: network.proxy.type - 0
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-02-26 23:17
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NIS]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\18.7.0.13\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files\Norton Internet Security\Engine\18.7.0.13\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(6080)
c:\users\Arvind Raje\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
c:\program files\Copernic Desktop Search - Home\DeskbandIntegration302020007.dll
c:\program files\Copernic Desktop Search - Home\SearchPlatform-s.dll
.
Completion time: 2012-02-26 23:35:25
ComboFix-quarantined-files.txt 2012-02-26 18:05
.
Pre-Run: 17,573,310,464 bytes free
Post-Run: 17,333,161,984 bytes free
.
- - End Of File - - 218E0A2BE72D7D624914D0DC596245F2

#18
MrCharlie

    Forum Deity

  • Experts
  • 17,433 posts
  • Gender:Male
  • Location:So. Plainfield, New Jersey, USA
Can you take a look in these folders, see what's in them, and tell me whether you recognize them? You may have to enable hidden files to see them:

http://www.bleepingc...-windows-vista/

c:\users\Arvind Raje\AppData\Local\NPE
c:\users\Arvind Raje\AppData\Roaming\BB06E
c:\users\Arvind Raje\AppData\Roaming\341BB
c:\users\Arvind Raje\AppData\Roaming\Microsoft\99B3

Also upload this file to VirusTotal for a free scan and post back the report (just copy the URL):
c:\users\Arvind Raje\AppData\Roaming\Microsoft\99B3\B38_virus.exe

http://www.virustotal.com/

-------------------------------------------

Please delete these two folders:

c:\programdata\IObit
c:\users\Arvind Raje\AppData\Roaming\IObit

------------------------------------------

This proxy is still showing; if you didn't set it, please delete it as shown in this link, as before:
http://forums.malwar...ndpost&p=530462

uInternet Settings,ProxyServer = http=127.0.0.1:58384

Let me know, MrC

Malware Removal Expert

I volunteer my free time to help you, if you would like to donate to show your appreciation, it will be much appreciated.

Thanks MrC & crew

#19
ranon

    New Member

  • Members
  • 20 posts
Firstly, thank you very much for all the effort you are taking in combating this virus.

Step by step answers are given below.

1. c:\users\Arvind Raje\AppData\Local\NPE

This contains many files. The output of dir /s is as follows.

Volume in drive C has no label.
Volume Serial Number is 341B-B06E

Directory of C:\Users\Arvind Raje\AppData\Local\NPE

27-02-2012 00:24 <DIR> .
27-02-2012 00:24 <DIR> ..
27-02-2012 00:24 0 dir.txt
22-02-2012 14:38 <DIR> ErrMgmt
22-02-2012 14:38 <DIR> ErrorInstances
22-02-2012 14:38 873,242 Info20120222141813.xml
22-02-2012 14:38 <DIR> LocalDumps
22-02-2012 14:34 4,608 Metadata.dat
22-02-2012 14:38 7,864,320 NPETraceSession.etl
22-02-2012 14:37 2,883,584 NPETraceSessionBoot.etl
22-02-2012 14:34 1,431 Remediate2012022214181379211000000.dat
6 File(s) 11,627,185 bytes

Directory of C:\Users\Arvind Raje\AppData\Local\NPE\ErrMgmt

22-02-2012 14:38 <DIR> .
22-02-2012 14:38 <DIR> ..
22-02-2012 14:38 <DIR> Queue
22-02-2012 14:38 2,048 SQCLIENT.dat
22-02-2012 14:38 <DIR> Tasks
1 File(s) 2,048 bytes

Directory of C:\Users\Arvind Raje\AppData\Local\NPE\ErrMgmt\Queue

22-02-2012 14:38 <DIR> .
22-02-2012 14:38 <DIR> ..
22-02-2012 14:38 <DIR> Incoming
22-02-2012 14:38 <DIR> Staging
0 File(s) 0 bytes

Directory of C:\Users\Arvind Raje\AppData\Local\NPE\ErrMgmt\Queue\Incoming

22-02-2012 14:38 <DIR> .
22-02-2012 14:38 <DIR> ..
0 File(s) 0 bytes

Directory of C:\Users\Arvind Raje\AppData\Local\NPE\ErrMgmt\Queue\Staging

22-02-2012 14:38 <DIR> .
22-02-2012 14:38 <DIR> ..
0 File(s) 0 bytes

Directory of C:\Users\Arvind Raje\AppData\Local\NPE\ErrMgmt\Tasks

22-02-2012 14:38 <DIR> .
22-02-2012 14:38 <DIR> ..
0 File(s) 0 bytes

Directory of C:\Users\Arvind Raje\AppData\Local\NPE\ErrorInstances

22-02-2012 14:38 <DIR> .
22-02-2012 14:38 <DIR> ..
0 File(s) 0 bytes

Directory of C:\Users\Arvind Raje\AppData\Local\NPE\LocalDumps

22-02-2012 14:38 <DIR> .
22-02-2012 14:38 <DIR> ..
0 File(s) 0 bytes

Total Files Listed:
7 File(s) 11,629,233 bytes
23 Dir(s) 17,416,953,856 bytes free


2. c:\users\Arvind Raje\AppData\Roaming\BB06E

Folder is empty.

3. c:\users\Arvind Raje\AppData\Roaming\341BB

Contains a file, B06E.41B. The VirusTotal report is at

https://www.virustot...sis/1330283050/

4. c:\users\Arvind Raje\AppData\Roaming\Microsoft\99B3

It contains a file named B38_virus.exe. This is a file that I had identified previously as a problem. I just renamed the file as virus to make sure that the program cannot find it. The original name was B38.exe.

The VirusTotal log is at https://www.virustot...sis/1330283429/

5. Deleted folders -
c:\programdata\IObit
c:\users\Arvind Raje\AppData\Roaming\IObit

6. To remove the proxy:
a. If I go to Internet Options --> Connections --> LAN Settings, all boxes are unchecked.

b. If I go to Internet Options --> Connections --> Reliance Netconnect Broadband + (my internet provider's name) --> Settings, again all boxes are unchecked.

Previously, a. was set with the proxy. When I unchecked it, option b. got set with the proxy. Now it seems that there is another option which I am not seeing.

I will run rkill and post the results in the next post.

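The proxy MrC flags in #18 (uInternet Settings,ProxyServer = http=127.0.0.1:58384) and the two dialogs ranon checks in point 6 of #19 are both backed by HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: the LAN dialog uses the ProxyEnable and ProxyServer values, while DefaultConnectionSettings and each named connection (such as a dial-up entry) keep their own copy as a binary blob under the Connections subkey, so a scan log can still report a proxy string that no dialog box currently shows as checked. The decoder below is an added example for this thread, not code from the forum or from any tool named in it: it parses that blob layout (16-byte header with WinInet per-connection flags, then length-prefixed proxy, bypass and PAC-URL strings, as commonly documented) and flags a manual proxy that points at the local machine; the sample blobs are constructed here, not taken from the logs.

```python
import struct

# WinInet INTERNET_PER_CONN_FLAGS bits as they appear in the blob.
PROXY_TYPE_DIRECT = 0x01          # direct connection allowed
PROXY_TYPE_PROXY = 0x02           # manual proxy server in use
PROXY_TYPE_AUTO_PROXY_URL = 0x04  # automatic configuration script
PROXY_TYPE_AUTO_DETECT = 0x08     # WPAD auto-detect

def _read_lpstr(blob, off):
    """Read a 4-byte little-endian length, then that many ASCII bytes."""
    (n,) = struct.unpack_from("<I", blob, off)
    off += 4
    return blob[off:off + n].decode("ascii", "replace"), off + n

def parse_connection_settings(blob):
    """Decode one DefaultConnectionSettings / named-connection blob."""
    if len(blob) < 16:
        raise ValueError("blob too short to hold the 16-byte header")
    version, counter, flags = struct.unpack_from("<III", blob, 0)
    proxy, off = _read_lpstr(blob, 12)        # e.g. "http=127.0.0.1:58384"
    bypass, off = _read_lpstr(blob, off)      # e.g. "<local>"
    autoconfig, off = _read_lpstr(blob, off)  # PAC URL, if any
    return {"version": version, "counter": counter, "flags": flags,
            "manual_proxy": bool(flags & PROXY_TYPE_PROXY),
            "auto_detect": bool(flags & PROXY_TYPE_AUTO_DETECT),
            "proxy": proxy, "bypass": bypass, "autoconfig_url": autoconfig}

def suspicious_proxy(settings):
    """True when a manual proxy points at the local machine: some local
    process has inserted itself between the browser and the network."""
    if not settings["manual_proxy"]:
        return False
    for entry in filter(None, settings["proxy"].split(";")):
        host = entry.split("=")[-1].split(":")[0].lower()
        if host == "localhost" or host.startswith("127."):
            return True
    return False

def build_connection_settings(flags, proxy=b"", bypass=b"", autoconfig=b""):
    """Serialise a blob in the on-disk layout; used here only for sample input."""
    body = struct.pack("<III", 0x46, 1, flags)
    for s in (proxy, bypass, autoconfig):
        body += struct.pack("<I", len(s)) + s
    return body + b"\x00" * 32  # trailing auto-detect/timestamp area, zeroed

# Constructed samples: a connection still carrying the proxy from the log, and a clean one.
SAMPLE_INFECTED = build_connection_settings(PROXY_TYPE_DIRECT | PROXY_TYPE_PROXY,
                                            b"http=127.0.0.1:58384", b"<local>")
SAMPLE_CLEAN = build_connection_settings(PROXY_TYPE_DIRECT)
```

On a live machine the same function can be fed the raw bytes of each value under the Connections key, which exposes a per-connection proxy even when the LAN Settings dialog shows nothing ticked.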
#20
ranon

    New Member

  • Members
  • 20 posts
After running rkill, IE works fine.

The rkill log follows.

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 27-02-2012 at 1:02:00.
Operating System: Windows Vista ™ Home Premium


Processes terminated by Rkill or while it was running:

C:\Users\Arvind Raje\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Program Files\Vim\vim73\gvim.exe


Rkill completed on 27-02-2012 at 1:02:09.
