ranon

a nasty bug - please help

I seem to have caught a nasty virus/trojan.

First, a process vbc.exe was created which tried to access the internet. Norton Internet Security caught it repeatedly as Cycbot activity. I blocked that process from the internet through NIS, but further infections came along.

Files b38.exe and b38.tmp were created in %appdata%/microsoft/99B3. After I deleted them once, they never returned.

Other strange errors keep popping up. The processor is always active at 10-40%, even though nothing is running. Memory usage is much higher than the sum of all processes (by about 300 MB).

Please help,

Rishi

The DDS log and Attach file are copied into this post.

The malware scan log gave 3 errors. The log is copied below.

.

DDS (Ver_2011-08-26.01) - NTFSx86

Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_29

Run by Arvind Raje at 13:15:48 on 2012-02-24

Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.91.1033.18.2037.859 [GMT 5.5:30]

.

AV: Norton Internet Security *Disabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

SP: Norton Internet Security *Enabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}

FW: Norton Internet Security *Enabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}

.

============== Running Processes ===============

.

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\tools\Advanced SystemCare 5\ASCService.exe

C:\Windows\system32\svchost.exe -k rpcss

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k GPSvcGroup

C:\Windows\system32\SLsvc.exe

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\system32\WLANExt.exe

C:\Windows\System32\spoolsv.exe

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Windows\System32\bgsvcgen.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe

C:\Windows\System32\svchost.exe -k HPZ12

C:\Program Files\Norton Internet Security\Engine\18.7.0.13\ccSvcHst.exe

C:\Windows\System32\svchost.exe -k HPZ12

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe

C:\Windows\System32\PAStiSvc.exe

C:\Windows\system32\svchost.exe -k imgsvc

C:\Program Files\Reliance Netconnect - Broadband+\bin\MonServiceUDisk.exe

C:\Program Files\Vongo\VongoService.exe

C:\Windows\System32\svchost.exe -k WerSvcGroup

C:\Windows\system32\SearchIndexer.exe

C:\Windows\system32\DRIVERS\xaudio.exe

C:\Program Files\Norton Internet Security\Engine\18.7.0.13\ccSvcHst.exe

C:\Windows\system32\Dwm.exe

C:\Windows\system32\taskeng.exe

C:\Windows\Explorer.EXE

C:\Windows\system32\DllHost.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Program Files\Google\Update\1.3.21.99\GoogleCrashHandler.exe

C:\Windows\system32\spool\DRIVERS\W32X86\3\HP1006MC.EXE

C:\Program Files\Apoint2K\Apoint.exe

C:\Windows\System32\hkcmd.exe

C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCtrl.exe

C:\Program Files\HP\HP Software Update\hpwuSchd2.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Windows\ehome\ehtray.exe

C:\Windows\ehome\ehmsas.exe

C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Users\Arvind Raje\AppData\Roaming\Dropbox\bin\Dropbox.exe

C:\Windows\system32\igfxsrvc.exe

C:\Program Files\Apoint2K\ApMsgFwd.exe

C:\Program Files\Apoint2K\Apntex.exe

C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe

C:\Windows\system32\wbem\unsecapp.exe

C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Program Files\Reliance Netconnect - Broadband+\bin\App.exe

C:\Windows\system32\WUDFHost.exe

C:\Program Files\Windows Media Player\wmpnscfg.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Windows\system32\taskmgr.exe

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe

C:\Windows\system32\wbem\wmiprvse.exe

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://securityresponse.symantec.com/avcenter/fix_homepage

mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_IN&c=73&bd=PRESARIO&pf=laptop

mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_IN&c=73&bd=PRESARIO&pf=laptop

uInternet Settings,ProxyServer = http=127.0.0.1:58384

BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll

BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\engine\18.7.0.13\coIEPlg.dll

BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\engine\18.7.0.13\ips\IPSBHO.DLL

BHO: RoboForm BHO: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll

BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~3\office12\GRA8E1~1.DLL

BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: Google Gears Helper: {e0fefe40-fbf9-42ae-ba58-794ca7e3fb53} - c:\program files\google\google gears\internet explorer\0.5.36.0\gears.dll

TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll

TB: Copernic Desktop Search - Home Toolbar: {4a1c6093-14f9-44d7-860e-5d265cfca9d9} - c:\program files\copernic desktop search - home\toolbar\ToolbarContainer101000313.dll

TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll

TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\engine\18.7.0.13\coIEPlg.dll

TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll

EB: Copernic Desktop Search - Home Toolbar: {4a1c6093-14f9-44d7-860e-5d265cfca9d9} - c:\program files\copernic desktop search - home\toolbar\ToolbarContainer101000313.dll

EB: Copernic Desktop Search - Home: {9c3fca1f-99e3-48f2-a7f4-dd3931b2f99a} - c:\program files\copernic desktop search - home\DeskbandIntegration302020007.dll

uRun: [Google Update] "c:\users\arvind raje\appdata\local\google\update\GoogleUpdate.exe" /c

uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe

uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"

mRun: [Apoint] c:\program files\apoint2k\Apoint.exe

mRun: [NWEReboot]

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe

mRun: [QlbCtrl.exe] c:\program files\hewlett-packard\hp quick launch buttons\QlbCtrl.exe /Start

mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe

mRun: [HP Health Check Scheduler] c:\program files\hewlett-packard\hp health check\HPHC_Scheduler.exe

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

dRun: [Nokia.PCSync] "c:\program files\nokia\nokia pc suite 6\PcSync2.exe" /NoDialog

dRunOnce: [<NO NAME>]

mExplorerRun: [<NO NAME>] 1 (0x1)

StartupFolder: c:\users\arvind~1\appdata\roaming\micros~1\windows\startm~1\programs\startup\dropbox.lnk - c:\users\arvind raje\appdata\roaming\dropbox\bin\Dropbox.exe

mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)

mPolicies-system: EnableUIADesktopToggle = 0 (0x0)

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: Customize Menu - file://c:\program files\siber systems\ai roboform\RoboFormComCustomizeIEMenu.html

IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000

IE: Fill Forms - file://c:\program files\siber systems\ai roboform\RoboFormComFillForms.html

IE: RoboForm Toolbar - file://c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html

IE: Save Forms - file://c:\program files\siber systems\ai roboform\RoboFormComSavePass.html

IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html

IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html

IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html

IE: {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - {0B4350D1-055F-47A3-B112-5F2F2B0D6F08} - c:\program files\google\google gears\internet explorer\0.5.36.0\gears.dll

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll

IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL

Trusted Zone: bridgedoctor.com\www

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab

DPF: {9EF2BA47-C6A7-470D-9DD9-4323B0CB8353} - hxxp://98.210.180.141:2148/WebClient.cab

DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab

DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab

TCP: Interfaces\{30B622D8-2CA6-426F-BD33-BDBA71AFB6F3} : DhcpNameServer = 172.31.6.198 172.31.6.133

Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~3\office12\GR99D3~1.DLL

Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll

Notify: igfxcui - igfxdev.dll

AppInit_DLLs: c:\progra~1\google\google~3\GOEC62~1.DLL

SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~3\office12\GRA8E1~1.DLL

mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\users\arvind raje\appdata\roaming\mozilla\firefox\profiles\94ckym6o.default\

FF - prefs.js: browser.startup.homepage - hxxp://google.com/

FF - prefs.js: network.proxy.type - 0

FF - component: c:\program files\copernic desktop search - home\firefoxconnector\components\CSPXPCOMBridge.dll

FF - component: c:\program files\google\google gears\firefox\lib\ff36\gears.dll

FF - component: c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.1.0.37\ipsffplgn\components\IPSFFPl.dll

FF - component: c:\users\arvind raje\appdata\roaming\mozilla\firefox\profiles\94ckym6o.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll

FF - component: c:\users\arvind raje\appdata\roaming\mozilla\firefox\profiles\94ckym6o.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbar-ff3.dll

FF - plugin: c:\program files\google\google updater\2.4.2432.1652\npCIDetect14.dll

FF - plugin: c:\program files\google\picasa3\npPicasa3.dll

FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll

FF - plugin: c:\program files\google\update\1.3.21.53\npGoogleUpdate3.dll

FF - plugin: c:\program files\google\update\1.3.21.57\npGoogleUpdate3.dll

FF - plugin: c:\program files\google\update\1.3.21.65\npGoogleUpdate3.dll

FF - plugin: c:\program files\google\update\1.3.21.69\npGoogleUpdate3.dll

FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll

FF - plugin: c:\program files\google\update\1.3.21.99\npGoogleUpdate3.dll

FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll

FF - plugin: c:\tools\vlc\npvlc.dll

FF - plugin: c:\users\arvind raje\appdata\local\google\update\1.3.21.99\npGoogleUpdate3.dll

FF - plugin: c:\users\arvind raje\appdata\roaming\mozilla\plugins\npgoogletalk.dll

FF - plugin: c:\users\arvind raje\appdata\roaming\mozilla\plugins\npgtpo3dautoplugin.dll

.

============= SERVICES / DRIVERS ===============

.

R0 SymDS;Symantec Data Store;c:\windows\system32\drivers\nis\1207000.00d\symds.sys [2012-2-1 340088]

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1207000.00d\symefa.sys [2012-2-1 744568]

R1 BHDrvx86;BHDrvx86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.6.0.29\definitions\bashdefs\20120215.001\BHDrvx86.sys [2012-2-16 820344]

R1 IDSVix86;IDSVix86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\nis_18.6.0.29\definitions\ipsdefs\20120223.002\IDSvix86.sys [2012-2-24 368248]

R1 SymIRON;Symantec Iron Driver;c:\windows\system32\drivers\nis\1207000.00d\ironx86.sys [2012-2-1 136312]

R1 SYMTDIv;Symantec Vista Network Dispatch Driver;c:\windows\system32\drivers\nis\1207000.00d\symtdiv.sys [2012-2-1 331384]

R2 AdvancedSystemCareService5;Advanced SystemCare Service 5;c:\tools\advanced systemcare 5\ASCService.exe [2012-2-15 497496]

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-6-8 21504]

R2 NIS;Norton Internet Security;c:\program files\norton internet security\engine\18.7.0.13\ccsvchst.exe [2012-2-1 130008]

R2 UDisk Monitor;UDisk Monitor;c:\program files\reliance netconnect - broadband+\bin\MonServiceUDisk.exe [2010-2-5 266240]

R3 Com4QLBEx;Com4QLBEx;c:\program files\hewlett-packard\hp quick launch buttons\Com4QLBEx.exe [2011-9-28 227896]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2012-2-4 106104]

R3 ztemtusbser;ZTEMT Legacy Serial Communication;c:\windows\system32\drivers\CT_ZTEMT_U_USBSER.sys [2010-2-5 104704]

S2 gupdate1c9a01590e80d30;Google Update Service (gupdate1c9a01590e80d30);c:\program files\google\update\GoogleUpdate.exe [2009-3-8 133104]

S3 GoogleDesktopManager-093007-112848;Google Desktop Manager 5.5.709.30344;c:\program files\google\google desktop search\GoogleDesktop.exe [2007-12-19 29744]

S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-3-8 133104]

S3 PAC7311;Trust Webcam 14839;c:\windows\system32\drivers\PA707UCM.SYS [2005-10-18 154752]

S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

.

=============== Created Last 30 ================

.

2012-02-24 06:45:35 -------- d-----w- C:\63e8929133247ad70dee9a5b

2012-02-23 21:15:25 -------- d-----w- c:\users\arvind raje\appdata\roaming\Malwarebytes

2012-02-23 21:14:27 -------- d-----w- c:\programdata\Malwarebytes

2012-02-23 21:14:26 20464 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-02-22 08:37:55 -------- d-----w- c:\users\arvind raje\appdata\local\NPE

2012-02-22 04:16:58 -------- d-----w- c:\users\arvind raje\appdata\roaming\BB06E

2012-02-22 04:16:19 1169736 ----a-w- c:\users\arvind raje\appdata\roaming\microsoft\99b3\B38_virus.exe

2012-02-22 04:16:19 -------- d-----w- c:\users\arvind raje\appdata\roaming\341BB

2012-02-18 05:56:51 -------- d-----w- C:\GamesNon Fellows

2012-02-15 05:28:58 1427456 ----a-w- c:\windows\system32\inetcpl.cpl

2012-02-15 04:08:09 -------- d-----w- c:\users\arvind raje\appdata\roaming\Leahs_Tale

2012-02-15 02:41:45 -------- d-----w- c:\programdata\IObit

2012-02-15 02:41:16 -------- d-----w- c:\users\arvind raje\appdata\roaming\IObit

2012-02-15 02:22:02 680448 ----a-w- c:\windows\system32\msvcrt.dll

2012-02-15 02:19:38 2044416 ----a-w- c:\windows\system32\win32k.sys

2012-02-15 02:19:37 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat

2012-02-07 03:28:51 -------- d-----w- c:\program files\Microsoft Visual Studio 8

2012-02-03 07:19:10 626688 ----a-w- c:\program files\mozilla firefox\msvcr80.dll

2012-02-03 07:19:10 548864 ----a-w- c:\program files\mozilla firefox\msvcp80.dll

2012-02-03 07:19:10 479232 ----a-w- c:\program files\mozilla firefox\msvcm80.dll

2012-02-03 07:19:10 45016 ----a-w- c:\program files\mozilla firefox\mozutils.dll

2012-02-02 01:46:06 -------- d-----w- c:\users\arvind raje\appdata\roaming\KatGames

2012-02-02 01:46:06 -------- d-----w- c:\programdata\KatGames

2012-02-01 02:20:04 744568 ----a-r- c:\windows\system32\drivers\nis\1207000.00d\symefa.sys

2012-02-01 02:20:04 331384 ----a-w- c:\windows\system32\drivers\nis\1207000.00d\symtdiv.sys

2012-02-01 02:20:04 299640 ----a-w- c:\windows\system32\drivers\nis\1207000.00d\symnets.sys

2012-02-01 02:20:03 516216 ----a-r- c:\windows\system32\drivers\nis\1207000.00d\srtsp.sys

2012-02-01 02:20:03 50168 ----a-r- c:\windows\system32\drivers\nis\1207000.00d\srtspx.sys

2012-02-01 02:20:03 340088 ----a-r- c:\windows\system32\drivers\nis\1207000.00d\symds.sys

2012-02-01 02:20:03 136312 ----a-r- c:\windows\system32\drivers\nis\1207000.00d\ironx86.sys

2012-02-01 02:19:27 -------- d-----w- c:\windows\system32\drivers\nis\1207000.00D

2012-01-28 16:25:20 -------- d-----w- c:\users\arvind raje\appdata\local\JollyBear

2012-01-28 16:25:20 -------- d-----w- c:\programdata\JollyBear

2012-01-26 08:44:03 -------- d-----w- c:\users\arvind raje\appdata\roaming\Realore All My Gods

.

==================== Find3M ====================

.

2012-01-16 02:47:01 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-12-14 03:04:54 1798656 ----a-w- c:\windows\system32\jscript9.dll

2011-12-14 02:57:18 1127424 ----a-w- c:\windows\system32\wininet.dll

2011-12-14 02:50:04 2382848 ----a-w- c:\windows\system32\mshtml.tlb

.

============= FINISH: 13:16:21.58 ===============

.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_2011-08-26.01)

.

Microsoft® Windows Vista™ Home Premium

Boot Device: \Device\HarddiskVolume1

Install Date: 09-11-2007 11:27:49

System Uptime: 24-02-2012 12:34:40 (1 hours ago)

.

Motherboard: Hewlett-Packard | | 30D9

Processor: Intel® Pentium® Dual CPU T2310 @ 1.46GHz | CPU | 1467/533mhz

.

==== Disk Partitions =========================

.

C: is FIXED (NTFS) - 104 GiB total, 17.552 GiB free.

D: is FIXED (NTFS) - 8 GiB total, 1.808 GiB free.

E: is CDROM ()

F: is Removable

.

==== Disabled Device Manager Items =============

.

Class GUID: {eec5ad98-8080-425f-922a-dabf3de3f69a}

Description: Nokia 6275

Device ID: ROOT\WPD\0000

Manufacturer: Nokia

Name: Nokia 6275

PNP Device ID: ROOT\WPD\0000

Service: WUDFRd

.

==== System Restore Points ===================

.

RP480: 15-02-2012 10:43:01 - Windows Update

RP481: 24-02-2012 12:13:27 - Windows Update

RP482: 24-02-2012 12:43:38 - Windows Update

.

==== Installed Programs ======================

.

32 Bit HP CIO Components Installer

Activation Assistant for the 2007 Microsoft Office suites

ActiveCheck component for HP Active Support Library

Adobe AIR

Adobe Connect Add-in

Adobe Digital Editions

Adobe Flash Player 10 ActiveX

Adobe Flash Player 11 Plugin

Adobe Reader 8.3.1

Adobe Shockwave Player 11

Advanced SystemCare 5

Amerzone - Part 1

Apple Application Support

Apple Software Update

Avadon

Beyond Compare Version 3.1.11

Big City Adventure - London Story

Big City Adventure - New York

Bus Driver

calibre

CCleaner

Conexant HD Audio

Copernic Desktop Search - Home

Creeper World 2

Creeper World 2 Demo

Crystal Reports Basic for Visual Studio 2008

Dropbox

ESU for Microsoft Vista

Evocraft

Farm Tribe [uPDATED]

Gemini Lost

Geneforge 5

Google Chrome

Google Desktop

Google Earth

Google Gears

Google Photos Screensaver

Google Talk Plugin

Google Toolbar for Internet Explorer

Google Update Helper

Google Updater

GPU Caps Viewer 1.14.4

HD Writer AE 1.0 for HDC

HDAUDIO Soft Data Fax Modem with SmartCP

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)

HP Active Support Library

HP Active Support Library 32 bit components

HP Customer Experience Enhancements

HP Doc Viewer

HP DVD Play 3.2

HP Easy Setup - Frontend

HP Help and Support

HP LaserJet P1000 series

HP Photosmart Essential 2.0

HP Photosmart Essential2.5

HP Quick Launch Buttons

HP Total Care Advisor

HP Update

HP User Guides 0078

HP Wireless Assistant

HPAsset component for HP Active Support Library

HPNetworkAssistant

HPSSupply

Intel® Graphics Media Accelerator Driver

IrfanView (remove only)

Java Auto Updater

Java™ 6 Update 29

Java™ 6 Update 4

Java™ 6 Update 7

Java™ SE Runtime Environment 6

Leahs Tale

LightScribe 1.6.43.1

Magic Life

Malwarebytes Anti-Malware version 1.60.1.1000

Microsoft .NET Compact Framework 2.0 SP2

Microsoft .NET Compact Framework 3.5

Microsoft .NET Framework 3.5 SP1

Microsoft .NET Framework 4 Client Profile

Microsoft .NET Framework 4 Extended

Microsoft Device Emulator version 3.0 - ENU

Microsoft Document Explorer 2008

Microsoft Office Access MUI (English) 2007

Microsoft Office Access Setup Metadata MUI (English) 2007

Microsoft Office Enterprise 2007

Microsoft Office Excel MUI (English) 2007

Microsoft Office Groove MUI (English) 2007

Microsoft Office Groove Setup Metadata MUI (English) 2007

Microsoft Office Home and Student 2007

Microsoft Office InfoPath MUI (English) 2007

Microsoft Office OneNote MUI (English) 2007

Microsoft Office Outlook MUI (English) 2007

Microsoft Office PowerPoint MUI (English) 2007

Microsoft Office PowerPoint Viewer 2007 (English)

Microsoft Office Proof (English) 2007

Microsoft Office Proof (French) 2007

Microsoft Office Proof (Spanish) 2007

Microsoft Office Proofing (English) 2007

Microsoft Office Publisher MUI (English) 2007

Microsoft Office Shared MUI (English) 2007

Microsoft Office Shared Setup Metadata MUI (English) 2007

Microsoft Office Visual Web Developer 2007

Microsoft Office Visual Web Developer MUI (English) 2007

Microsoft Office Word MUI (English) 2007

Microsoft SQL Server 2005

Microsoft SQL Server 2005 Express Edition (SQLEXPRESS)

Microsoft SQL Server 2005 Tools Express Edition

Microsoft SQL Server Compact 3.5 Design Tools ENU

Microsoft SQL Server Compact 3.5 ENU

Microsoft SQL Server Compact 3.5 for Devices ENU

Microsoft SQL Server Database Publishing Wizard 1.2

Microsoft SQL Server Native Client

Microsoft SQL Server Setup Support Files (English)

Microsoft SQL Server VSS Writer

Microsoft Visual C++ 2005 Redistributable

Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022

Microsoft Visual Studio 2005 Tools for Office Runtime

Microsoft Visual Studio 2008 Professional Edition - ENU

Microsoft Visual Studio Web Authoring Component

Microsoft Windows SDK for Visual Studio 2008 .NET Framework Tools

Microsoft Windows SDK for Visual Studio 2008 Headers and Libraries

Microsoft Windows SDK for Visual Studio 2008 SDK Reference Assemblies and IntelliSense

Microsoft Windows SDK for Visual Studio 2008 Tools

Microsoft Windows SDK for Visual Studio 2008 Win32 Tools

Microsoft Works

Microsoft XNA Framework Redistributable 4.0

MinGW-Get version 0.3-alpha-2.1

mIRC

ModelSim PE Student Edition 10.0a

Monopoly

Monopoly City

Mozilla Firefox 10.0.2 (x86 en-GB)

MrvlUsgTracking

MSCU for Microsoft Vista

MSVC80_x86

MSXML 4.0 SP2 (KB936181)

MSXML 4.0 SP2 (KB941833)

MSXML 4.0 SP2 (KB954430)

MSXML 4.0 SP2 (KB973688)

muvee autoProducer 6.0

My Farm Life 2

My HP Games

My Kingdom For The Princess 3

NetWaiting

Nokia Connectivity Cable Driver

Nokia PC Suite

Non Fellows

Norton Internet Security

OpenOffice.org 3.0

Pahelika 1- Secret Legends

Pahelika 2 - Revelations

PC Connectivity Solution

PC VGA Camer@

Picasa 3

Pioneer Lands

PSSWCORE

QLBCASL

QuickTime

Realtek 8139 and 8139C+ Ethernet Network Card Driver for Windows Vista

Realtek USB 2.0 Card Reader

Reliance Netconnect - Broadband+

Rescue Team[updated]

Rhapsody

Rhapsody Player Engine

RoboForm 7-2-8 (All Users)

Roxio Activation Module

Roxio Creator Audio

Roxio Creator Basic v9

Roxio Creator Copy

Roxio Creator Data

Roxio Creator EasyArchive

Roxio Creator Tools

Roxio Express Labeler 3

Roxio MyDVD Basic v9

Royal Envoy II CE

Running Sheep Tiny Worlds

SAMSUNG CDMA Modem Driver Set

Samsung Mobile phone USB driver Drive Software

SAMSUNG Mobile USB Modem 1.0 Software

SAMSUNG Mobile USB Modem Software

Samsung PC Studio

Scratch

Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)

Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)

Security Update for Microsoft .NET Framework 4 Extended (KB2416472)

Security Update for Microsoft .NET Framework 4 Extended (KB2487367)

Security Update for Microsoft .NET Framework 4 Extended (KB2656351)

Skype Click to Call

Skype™ 5.5

Spelling Dictionaries Support For Adobe Reader 8

Supermarket Management 2

The Cross Formula

The Golden Years - Way Out West

To the Moon

Touch Pad Driver

TreeSize Free V2.6

TV Tycoon en

Update for Microsoft .NET Framework 3.5 SP1 (KB963707)

Update for Microsoft .NET Framework 4 Client Profile (KB2468871)

Update for Microsoft .NET Framework 4 Client Profile (KB2473228)

Update for Microsoft .NET Framework 4 Client Profile (KB2533523)

Update for Microsoft .NET Framework 4 Client Profile (KB2600217)

Update for Microsoft .NET Framework 4 Extended (KB2468871)

Update for Microsoft .NET Framework 4 Extended (KB2533523)

Update for Microsoft .NET Framework 4 Extended (KB2600217)

VC Runtimes MSI

Vim 7.3 (self-installing)

Virtual City 2 Paradise Resort

Visual Studio 2005 Tools for Office Second Edition Runtime

Visual Studio Tools for the Office system 3.0 Runtime

VLC media player 1.1.11

Vongo

Windows Driver Package - Nokia Modem (02/15/2007 3.1)

Windows Live Sync

Windows Media Player Firefox Plugin

Windows Mobile 5.0 SDK R2 for Pocket PC

Windows Mobile 5.0 SDK R2 for Smartphone

WinRAR archiver

WinZip 14.5

Yahoo! Toolbar

Yahoo! Toolbar for Internet Explorer

.

==== Event Viewer Messages From Past Week ========

.

24-02-2012 12:35:42, Error: EventLog [6008] - The previous system shutdown at 12:34:13 on 24-02-2012 was unexpected.

22-02-2012 22:58:08, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}

22-02-2012 22:50:15, Error: Service Control Manager [7001] - The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: The dependency service or group failed to start.

22-02-2012 22:50:03, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD BHDrvx86 DfsC eeCtrl IDSVix86 NetBIOS netbt nsiproxy PSched RasAcd rdbss Smb spldr SRTSP SRTSPX StarOpen SymIRON SYMTDIv tdx Wanarpv6

22-02-2012 22:50:03, Error: Service Control Manager [7001] - The Workstation service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.

22-02-2012 22:50:03, Error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the Ancilliary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.

22-02-2012 22:50:03, Error: Service Control Manager [7001] - The SMB MiniRedirector Wrapper and Engine service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning.

22-02-2012 22:50:03, Error: Service Control Manager [7001] - The SMB 2.0 MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.

22-02-2012 22:50:03, Error: Service Control Manager [7001] - The SMB 1.x MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start.

22-02-2012 22:50:03, Error: Service Control Manager [7001] - The Network Store Interface Service service depends on the NSI proxy service service which failed to start because of the following error: A device attached to the system is not functioning.

22-02-2012 22:50:03, Error: Service Control Manager [7001] - The Network Location Awareness service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.

22-02-2012 22:50:03, Error: Service Control Manager [7001] - The IP Helper service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start.

22-02-2012 22:50:03, Error: Service Control Manager [7001] - The DNS Client service depends on the NetIO Legacy TDI Support Driver service which failed to start because of the following error: A device attached to the system is not functioning.

22-02-2012 22:50:03, Error: Service Control Manager [7001] - The DHCP Client service depends on the Ancilliary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning.

22-02-2012 22:50:03, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start.

22-02-2012 22:49:58, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030}

22-02-2012 22:49:23, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netprofm with arguments "" in order to run the server: {A47979D2-C419-11D9-A5B4-001185AD2B89}

22-02-2012 22:49:23, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E}

22-02-2012 22:49:23, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service fdPHost with arguments "" in order to run the server: {145B4335-FE2A-4927-A040-7C35AD3180EF}

22-02-2012 22:49:20, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

22-02-2012 22:49:11, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC}

21-02-2012 08:53:31, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the NIS service.

19-02-2012 17:06:30, Error: iaStor [9] - The device, \Device\Ide\iaStor0, did not respond within the timeout period.

.

==== End Of File ===========================

Malwarebytes Anti-Malware 1.60.1.1000

www.malwarebytes.org

Database version: v2012.02.23.03

Windows Vista Service Pack 2 x86 NTFS

Internet Explorer 9.0.8112.16421

Arvind Raje :: LAPTOPPC [administrator]

24-02-2012 02:47:46

mbam-log-2012-02-24 (02-47-46).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 200714

Time elapsed: 8 minute(s), 8 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 3

C:\Users\Arvind Raje\Downloads\SoftonicDownloader_for_vlc-media-player.exe (PUP.BundleOffer.Downloader.S) -> No action taken.

C:\Users\Arvind Raje\AppData\Roaming\Microsoft\99B3\852_virus.tmp (Trojan.Backdoor) -> Quarantined and deleted successfully.

C:\Users\Arvind Raje\AppData\Roaming\firefox.exe (Trojan.Agent) -> Quarantined and deleted successfully.

(end)


Welcome to the forum

First I suggest you uninstall Advanced SystemCare 5

Here's why:

http://www.systemloo...ivers/5068.html

--------------------------------------

Please remove any usb or external drives from the computer before you run this scan!

Please download and run RogueKiller.

Click Scan to scan the system (don't run any other options)

Post back the report.

MrC


Thanks for the reply.

I uninstalled systemcare.

Just yesterday, I downloaded dds.com and dds.scr. Today when I try to download roguekiller, in firefox I get an error "c:\windows\temp could not be saved because you cannot change the contents of the folder". Also "save link as" in firefox is disabled.

Chrome is not working at all. It says that it is unable to connect to a proxy, but I don't use any proxy and nothing is shown under LAN settings.

It looks related to the virus, so I am posting back for further instructions.


From your log I do see a proxy set up.

uInternet Settings,ProxyServer = http=127.0.0.1:58384

See if you can run RKill as outlined in the post below:

http://www.bleepingc...opic308364.html

or the link below shows you how to disable it: (you don't have this infection, it's just for illustration purposes)

http://www.bleepingc...ows-shield-tool

Start from here:

Automated Removal Instructions for Windows Shield Tool using Malwarebytes' Anti-Malware:

Let me know, MrC

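As an added example (not part of MrC's post, and not code from Rkill or RogueKiller), the PowerShell script below reads the same per-user WinINet value that DDS reports as `uInternet Settings,ProxyServer`, flags the loopback case seen in this log, exports the key before anything is touched, and shows which local process is listening on the proxy port. The function names and the `proxy-backup.reg` path are my own choices; `netstat` and `reg.exe` are standard Windows tools. It assumes PowerShell 2.0 or later (the version available on Vista) and must be run as the affected user, because the key lives under HKCU.

```powershell
# Added example, not code from the thread, from MrC or from Rkill: reads the per-user
# WinINet proxy that DDS reports as "uInternet Settings,ProxyServer" and flags the
# loopback case. Needs PowerShell 2.0 or later and must run as the affected user,
# because the key lives under HKCU.

function Get-UserProxyStatus {
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $settings = Get-ItemProperty -Path $key -ErrorAction Stop

    $enabled = [bool]$settings.ProxyEnable      # missing value -> $false
    $server  = [string]$settings.ProxyServer    # e.g. "http=127.0.0.1:58384"

    # A proxy that points back at the local machine means some local process sits
    # between the browser and the network. Debugging proxies and some AV web filters
    # do this legitimately, so treat a hit as a lead to verify, not as proof.
    $loopback = $server -match '(^|=|//)(127\.0\.0\.1|localhost|\[::1\])(:|;|$)'

    # Port the browser is being sent to, if one is given (0 when none).
    $port = 0
    if ($server -match ':(\d+)(;|$)') { $port = [int]$Matches[1] }

    New-Object PSObject -Property @{
        ProxyEnable   = $enabled
        ProxyServer   = $server
        ProxyPort     = $port
        LoopbackProxy = ($enabled -and $loopback)
    }
}

function Get-LoopbackListener {
    param([Parameter(Mandatory = $true)][int]$Port)
    # netstat -ano exists on Vista; Get-NetTCPConnection does not (Windows 8 and later).
    # Both IPv4 and IPv6 TCP sockets are listed with the protocol name "TCP".
    netstat -ano | ForEach-Object {
        if ($_ -match "^\s*TCP\s+\S+:$Port\s+\S+\s+LISTENING\s+(\d+)\s*$") {
            $ownerPid = [int]$Matches[1]
            $proc = Get-Process -Id $ownerPid -ErrorAction SilentlyContinue
            $path = if ($proc -and $proc.Path) { $proc.Path }
                    elseif ($proc) { $proc.ProcessName }
                    else { '(exited or access denied)' }
            New-Object PSObject -Property @{ Port = $Port; OwnerPid = $ownerPid; Process = $path }
        }
    }
}

function Backup-UserProxySettings {
    param([string]$Path = (Join-Path $env:USERPROFILE 'Desktop\proxy-backup.reg'))
    # Same recovery path the Rkill report describes: a .reg file that can be merged
    # back by double-clicking it if the proxy turns out to be legitimate.
    & reg.exe export 'HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings' $Path /y | Out-Null
    return $Path
}

$status = Get-UserProxyStatus
$status | Format-List ProxyEnable, ProxyServer, ProxyPort, LoopbackProxy

if ($status.LoopbackProxy) {
    $backup = Backup-UserProxySettings
    Write-Warning "Loopback proxy '$($status.ProxyServer)' is enabled; settings exported to $backup."
    if ($status.ProxyPort -gt 0) {
        # Which local process is actually accepting the browser's connections?
        Get-LoopbackListener -Port $status.ProxyPort | Format-Table -AutoSize
    }
}
```

The listener lookup is the part a plain registry check does not give you: a proxy entry on its own only says the browser is being redirected, while the owning PID and image path tell you whether that is a tool you installed or an unexpected process, which is what decides whether the exported .reg file ever needs to be merged back.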

I shut down firefox and after restarting the downloads started working.

I was able to download rkill and also roguekiller. I ran rkill and then roguekiller. Reports follow.

About the USB device, I use it to connect to the internet. So, I can run scans with it removed, but it goes right back on before I can get online. This device cannot be read in explorer, but I think that it too might be infected.

This log file is located at C:\rkill.log.

Please post this only if requested to by the person helping you.

Otherwise you can close this log when you wish.

Rkill was run on 25-02-2012 at 23:45:22.

Operating System: Windows Vista Home Premium

Processes terminated by Rkill or while it was running:

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

--- ATTENTION ---

Windows was configured to use a proxy! Proxy settings have been removed.

The Proxy Server that was configured is: http=127.0.0.1:58384

If this was a valid setting, please double-click on the rk-proxy.reg file on your desktop and allow the data to be merged to restore your proxy settings.

Rkill completed on 25-02-2012 at 23:45:33.

RogueKiller V7.1.0 [02/15/2012] by Tigzy

mail: tigzyRK<at>gmail<dot>com

Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/

Blog: http://tigzyrk.blogspot.com

Operating System: Windows Vista (6.0.6002 Service Pack 2) 32 bits version

Started in : Normal mode

User: Arvind Raje [Admin rights]

Mode: Scan -- Date: 02/25/2012 23:51:24

¤¤¤ Bad processes: 0 ¤¤¤

¤¤¤ Registry Entries: 4 ¤¤¤

[DNS] HKLM\[...]\ControlSet002\Parameters\Interfaces\{987402B1-87AC-46C4-8075-611663028AEB} : NameServer (220.226.100.40 220.226.6.104) -> FOUND

[HJ] HKCU\[...]\Advanced : Start_ShowPrinters (0) -> FOUND

[HJ] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

[HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver: [LOADED] ¤¤¤

¤¤¤ Infection : ¤¤¤

¤¤¤ HOSTS File: ¤¤¤

127.0.0.1 localhost

::1 localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: Hitachi HTS541612J9SA00 +++++

--- User ---

[MBR] bd22d4321d55ce605867c1b2076c58c5

[bSP] f0ca4accb9dcee899f59d2e183c62159 : HP tatooed MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 106022 Mo

1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 217134540 | Size: 8448 Mo

User = LL1 ... OK!

User = LL2 ... OK!

Finished : << RKreport[1].txt >>

RKreport[1].txt


OK, let's check for rootkits:

Please download and run TDSSKiller to your desktop as outlined below:

Double-click on TDSSKiller.exe to run the application, then click on Change parameters.

tdss_1.jpg

-------------------------

Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.

tdss_2.jpg

------------------------

Click the Start Scan button.

tdss_3.jpg

-----------------------

If a suspicious object is detected, the default action will be Skip; click on Continue.

If you get the warning about a file UnsignedFile.Multi.Generic or LockedFile.Multi.Generic, please choose Skip and click on Continue.

tdss_4.jpg

----------------------

If malicious objects are found, they will show in the Scan results and offer three (3) options.

Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

tdss_5.jpg

--------------------

A report will be created in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste its contents in your next reply.

MrC


I wasn't sure whether to skip or cure, so I just chose skip for now. TDSSKiller report follows.

00:13:44.0028 3860 TDSS rootkit removing tool 2.7.14.0 Feb 22 2012 16:54:49

00:13:45.0394 3860 ============================================================

00:13:45.0394 3860 Current date / time: 2012/02/26 00:13:45.0394

00:13:45.0394 3860 SystemInfo:

00:13:45.0394 3860

00:13:45.0394 3860 OS Version: 6.0.6002 ServicePack: 2.0

00:13:45.0394 3860 Product type: Workstation

00:13:45.0395 3860 ComputerName: LAPTOPPC

00:13:45.0395 3860 UserName: Arvind Raje

00:13:45.0395 3860 Windows directory: C:\Windows

00:13:45.0395 3860 System windows directory: C:\Windows

00:13:45.0395 3860 Processor architecture: Intel x86

00:13:45.0395 3860 Number of processors: 2

00:13:45.0395 3860 Page size: 0x1000

00:13:45.0395 3860 Boot type: Normal boot

00:13:45.0395 3860 ============================================================

00:13:46.0414 3860 Drive \Device\Harddisk0\DR0 - Size: 0x1BF2976000 (111.79 Gb), SectorSize: 0x200, Cylinders: 0x3901, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000050

00:13:46.0436 3860 \Device\Harddisk0\DR0:

00:13:46.0436 3860 MBR used

00:13:46.0436 3860 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0xCF1358D

00:13:46.0436 3860 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0xCF135CC, BlocksNum 0x10801F5

00:13:46.0517 3860 Initialize success

00:13:46.0517 3860 ============================================================

00:15:15.0506 4832 ============================================================

00:15:15.0506 4832 Scan started

00:15:15.0506 4832 Mode: Manual; SigCheck; TDLFS;

00:15:15.0506 4832 ============================================================

00:15:18.0048 4832 ACPI (82b296ae1892fe3dbee00c9cf92f8ac7) C:\Windows\system32\drivers\acpi.sys

00:15:18.0239 4832 ACPI - ok

00:15:18.0489 4832 adp94xx (2edc5bbac6c651ece337bde8ed97c9fb) C:\Windows\system32\drivers\adp94xx.sys

00:15:18.0552 4832 adp94xx - ok

00:15:18.0708 4832 adpahci (b84088ca3cdca97da44a984c6ce1ccad) C:\Windows\system32\drivers\adpahci.sys

00:15:18.0770 4832 adpahci - ok

00:15:18.0879 4832 adpu160m (7880c67bccc27c86fd05aa2afb5ea469) C:\Windows\system32\drivers\adpu160m.sys

00:15:18.0926 4832 adpu160m - ok

00:15:19.0285 4832 adpu320 (9ae713f8e30efc2abccd84904333df4d) C:\Windows\system32\drivers\adpu320.sys

00:15:19.0301 4832 adpu320 - ok

00:15:19.0659 4832 AFD (3911b972b55fea0478476b2e777b29fa) C:\Windows\system32\drivers\afd.sys

00:15:19.0800 4832 AFD - ok

00:15:20.0018 4832 agp440 (ef23439cdd587f64c2c1b8825cead7d8) C:\Windows\system32\drivers\agp440.sys

00:15:20.0049 4832 agp440 - ok

00:15:20.0330 4832 aic78xx (ae1fdf7bf7bb6c6a70f67699d880592a) C:\Windows\system32\drivers\djsvs.sys

00:15:20.0361 4832 aic78xx - ok

00:15:20.0673 4832 aliide (90395b64600ebb4552e26e178c94b2e4) C:\Windows\system32\drivers\aliide.sys

00:15:20.0705 4832 aliide - ok

00:15:20.0845 4832 amdagp (2b13e304c9dfdfa5eb582f6a149fa2c7) C:\Windows\system32\drivers\amdagp.sys

00:15:20.0876 4832 amdagp - ok

00:15:20.0923 4832 amdide (0577df1d323fe75a739c787893d300ea) C:\Windows\system32\drivers\amdide.sys

00:15:20.0954 4832 amdide - ok

00:15:21.0157 4832 AmdK7 (dc487885bcef9f28eece6fac0e5ddfc5) C:\Windows\system32\drivers\amdk7.sys

00:15:21.0453 4832 AmdK7 - ok

00:15:21.0719 4832 AmdK8 (0ca0071da4315b00fc1328ca86b425da) C:\Windows\system32\drivers\amdk8.sys

00:15:21.0875 4832 AmdK8 - ok

00:15:22.0171 4832 ApfiltrService (e05c9bb1798b8c590f6592fabb03a93e) C:\Windows\system32\DRIVERS\Apfiltr.sys

00:15:22.0249 4832 ApfiltrService - ok

00:15:22.0452 4832 arc (5f673180268bb1fdb69c99b6619fe379) C:\Windows\system32\drivers\arc.sys

00:15:22.0483 4832 arc - ok

00:15:22.0561 4832 arcsas (957f7540b5e7f602e44648c7de5a1c05) C:\Windows\system32\drivers\arcsas.sys

00:15:22.0592 4832 arcsas - ok

00:15:22.0764 4832 AsyncMac (53b202abee6455406254444303e87be1) C:\Windows\system32\DRIVERS\asyncmac.sys

00:15:22.0842 4832 AsyncMac - ok

00:15:22.0935 4832 atapi (1f05b78ab91c9075565a9d8a4b880bc4) C:\Windows\system32\drivers\atapi.sys

00:15:22.0951 4832 atapi - ok

00:15:23.0357 4832 BCM43XV (34a0a6386256080f52c74076c6157026) C:\Windows\system32\DRIVERS\bcmwl6.sys

00:15:23.0497 4832 BCM43XV - ok

00:15:23.0544 4832 BCM43XX (34a0a6386256080f52c74076c6157026) C:\Windows\system32\DRIVERS\bcmwl6.sys

00:15:23.0700 4832 BCM43XX - ok

00:15:23.0903 4832 Beep (67e506b75bd5326a3ec7b70bd014dfb6) C:\Windows\system32\drivers\Beep.sys

00:15:23.0996 4832 Beep - ok

00:15:24.0573 4832 BHDrvx86 (e685ba3267c5a4ec4ce9e2b4a1481725) C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.6.0.29\Definitions\BASHDefs\20120215.001\BHDrvx86.sys

00:15:24.0683 4832 BHDrvx86 - ok

00:15:24.0917 4832 blbdrive - ok

00:15:24.0963 4832 bowser (35f376253f687bde63976ccb3f2108ca) C:\Windows\system32\DRIVERS\bowser.sys

00:15:25.0041 4832 bowser - ok

00:15:25.0338 4832 BrFiltLo (9f9acc7f7ccde8a15c282d3f88b43309) C:\Windows\system32\drivers\brfiltlo.sys

00:15:25.0463 4832 BrFiltLo - ok

00:15:25.0728 4832 BrFiltUp (56801ad62213a41f6497f96dee83755a) C:\Windows\system32\drivers\brfiltup.sys

00:15:25.0806 4832 BrFiltUp - ok

00:15:25.0931 4832 Brserid (b304e75cff293029eddf094246747113) C:\Windows\system32\drivers\brserid.sys

00:15:26.0024 4832 Brserid - ok

00:15:26.0196 4832 BrSerWdm (203f0b1e73adadbbb7b7b1fabd901f6b) C:\Windows\system32\drivers\brserwdm.sys

00:15:26.0305 4832 BrSerWdm - ok

00:15:26.0430 4832 BrUsbMdm (bd456606156ba17e60a04e18016ae54b) C:\Windows\system32\drivers\brusbmdm.sys

00:15:26.0523 4832 BrUsbMdm - ok

00:15:26.0617 4832 BrUsbSer (af72ed54503f717a43268b3cc5faec2e) C:\Windows\system32\drivers\brusbser.sys

00:15:26.0742 4832 BrUsbSer - ok

00:15:26.0960 4832 BTHMODEM (ad07c1ec6665b8b35741ab91200c6b68) C:\Windows\system32\drivers\bthmodem.sys

00:15:27.0085 4832 BTHMODEM - ok

00:15:27.0225 4832 cdfs (7add03e75beb9e6dd102c3081d29840a) C:\Windows\system32\DRIVERS\cdfs.sys

00:15:27.0319 4832 cdfs - ok

00:15:27.0366 4832 cdrbsdrv (e0042bd5bef17a6a3ef1df576bde24d1) C:\Windows\system32\drivers\cdrbsdrv.sys

00:15:27.0397 4832 cdrbsdrv ( UnsignedFile.Multi.Generic ) - warning

00:15:27.0397 4832 cdrbsdrv - detected UnsignedFile.Multi.Generic (1)

00:15:27.0600 4832 cdrom (6b4bffb9becd728097024276430db314) C:\Windows\system32\DRIVERS\cdrom.sys

00:15:27.0678 4832 cdrom - ok

00:15:27.0927 4832 circlass (da8e0afc7baa226c538ef53ac2f90897) C:\Windows\system32\drivers\circlass.sys

00:15:28.0037 4832 circlass - ok

00:15:28.0193 4832 CLFS (d7659d3b5b92c31e84e53c1431f35132) C:\Windows\system32\CLFS.sys

00:15:28.0224 4832 CLFS - ok

00:15:28.0427 4832 CmBatt (99afc3795b58cc478fbbbcdc658fcb56) C:\Windows\system32\DRIVERS\CmBatt.sys

00:15:28.0489 4832 CmBatt - ok

00:15:28.0645 4832 cmdide (45201046c776ffdaf3fc8a0029c581c8) C:\Windows\system32\drivers\cmdide.sys

00:15:28.0676 4832 cmdide - ok

00:15:28.0926 4832 CnxtHdAudService (b6e7991e3d6146c04c85cd31af22a381) C:\Windows\system32\drivers\CHDRT32.sys

00:15:29.0066 4832 CnxtHdAudService - ok

00:15:29.0394 4832 Compbatt (6afef0b60fa25de07c0968983ee4f60a) C:\Windows\system32\DRIVERS\compbatt.sys

00:15:29.0456 4832 Compbatt - ok

00:15:29.0581 4832 crcdisk (2a213ae086bbec5e937553c7d9a2b22c) C:\Windows\system32\drivers\crcdisk.sys

00:15:29.0612 4832 crcdisk - ok

00:15:29.0643 4832 Crusoe (22a7f883508176489f559ee745b5bf5d) C:\Windows\system32\drivers\crusoe.sys

00:15:29.0737 4832 Crusoe - ok

00:15:30.0033 4832 DfsC (622c41a07ca7e6dd91770f50d532cb6c) C:\Windows\system32\Drivers\dfsc.sys

00:15:30.0111 4832 DfsC - ok

00:15:30.0299 4832 disk (5d4aefc3386920236a548271f8f1af6a) C:\Windows\system32\drivers\disk.sys

00:15:30.0361 4832 disk - ok

00:15:30.0595 4832 Dot4 (4f59c172c094e1a1d46463a8dc061cbd) C:\Windows\system32\DRIVERS\Dot4.sys

00:15:30.0689 4832 Dot4 - ok

00:15:31.0032 4832 Dot4Print (80bf3ba09f6f2523c8f6b7cc6dbf7bd5) C:\Windows\system32\DRIVERS\Dot4Prt.sys

00:15:31.0094 4832 Dot4Print - ok

00:15:31.0406 4832 dot4usb (c55004ca6b419b6695970dfe849b122f) C:\Windows\system32\DRIVERS\dot4usb.sys

00:15:31.0500 4832 dot4usb - ok

00:15:31.0874 4832 drmkaud (97fef831ab90bee128c9af390e243f80) C:\Windows\system32\drivers\drmkaud.sys

00:15:31.0937 4832 drmkaud - ok

00:15:32.0139 4832 DXGKrnl (c68ac676b0ef30cfbb1080adce49eb1f) C:\Windows\System32\drivers\dxgkrnl.sys

00:15:32.0217 4832 DXGKrnl - ok

00:15:32.0670 4832 E100B (c0b00e55cf82d122d25983c7a6a53dea) C:\Windows\system32\DRIVERS\e100b325.sys

00:15:32.0810 4832 E100B - ok

00:15:32.0935 4832 E1G60 (f88fb26547fd2ce6d0a5af2985892c48) C:\Windows\system32\DRIVERS\E1G60I32.sys

00:15:33.0044 4832 E1G60 - ok

00:15:33.0450 4832 Ecache (7f64ea048dcfac7acf8b4d7b4e6fe371) C:\Windows\system32\drivers\ecache.sys

00:15:33.0481 4832 Ecache - ok

00:15:33.0715 4832 eeCtrl (579a6b6135d32b857faf0e3a974535d8) C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys

00:15:33.0762 4832 eeCtrl - ok

00:15:34.0183 4832 elxstor (e8f3f21a71720c84bcf423b80028359f) C:\Windows\system32\drivers\elxstor.sys

00:15:34.0199 4832 elxstor - ok

00:15:34.0355 4832 EraserUtilRebootDrv (028d50f059bd0d2ccb209e9011b9a9a4) C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys

00:15:34.0401 4832 EraserUtilRebootDrv - ok

00:15:34.0698 4832 exfat (22b408651f9123527bcee54b4f6c5cae) C:\Windows\system32\drivers\exfat.sys

00:15:34.0776 4832 exfat - ok

00:15:34.0979 4832 fastfat (1e9b9a70d332103c52995e957dc09ef8) C:\Windows\system32\drivers\fastfat.sys

00:15:35.0072 4832 fastfat - ok

00:15:35.0369 4832 fdc (63bdada84951b9c03e641800e176898a) C:\Windows\system32\DRIVERS\fdc.sys

00:15:35.0447 4832 fdc - ok

00:15:35.0525 4832 FileInfo (a8c0139a884861e3aae9cfe73b208a9f) C:\Windows\system32\drivers\fileinfo.sys

00:15:35.0556 4832 FileInfo - ok

00:15:35.0634 4832 Filetrace (0ae429a696aecbc5970e3cf2c62635ae) C:\Windows\system32\drivers\filetrace.sys

00:15:35.0696 4832 Filetrace - ok

00:15:35.0759 4832 flpydisk (6603957eff5ec62d25075ea8ac27de68) C:\Windows\system32\DRIVERS\flpydisk.sys

00:15:35.0837 4832 flpydisk - ok

00:15:35.0946 4832 FltMgr (01334f9ea68e6877c4ef05d3ea8abb05) C:\Windows\system32\drivers\fltmgr.sys

00:15:35.0977 4832 FltMgr - ok

00:15:36.0102 4832 Fs_Rec (65ea8b77b5851854f0c55c43fa51a198) C:\Windows\system32\drivers\Fs_Rec.sys

00:15:36.0149 4832 Fs_Rec - ok

00:15:36.0227 4832 gagp30kx (4e1cd0a45c50a8882616cae5bf82f3c5) C:\Windows\system32\drivers\gagp30kx.sys

00:15:36.0242 4832 gagp30kx - ok

00:15:36.0461 4832 HBtnKey (93aee3434935fc2f805fefd8dc5ed1b4) C:\Windows\system32\DRIVERS\cpqbttn.sys

00:15:36.0476 4832 HBtnKey - ok

00:15:36.0554 4832 HdAudAddService (743e5199a34101a3ee444df5f74d0311) C:\Windows\system32\drivers\CHDART.sys

00:15:36.0617 4832 HdAudAddService - ok

00:15:36.0726 4832 HDAudBus (062452b7ffd68c8c042a6261fe8dff4a) C:\Windows\system32\DRIVERS\HDAudBus.sys

00:15:36.0788 4832 HDAudBus - ok

00:15:36.0897 4832 HidBth (1338520e78d90154ed6be8f84de5fceb) C:\Windows\system32\drivers\hidbth.sys

00:15:37.0038 4832 HidBth - ok

00:15:37.0100 4832 HidIr (ff3160c3a2445128c5a6d9b076da519e) C:\Windows\system32\drivers\hidir.sys

00:15:37.0163 4832 HidIr - ok

00:15:37.0303 4832 HidUsb (cca4b519b17e23a00b826c55716809cc) C:\Windows\system32\DRIVERS\hidusb.sys

00:15:37.0428 4832 HidUsb - ok

00:15:37.0537 4832 HpCISSs (df353b401001246853763c4b7aaa6f50) C:\Windows\system32\drivers\hpcisss.sys

00:15:37.0553 4832 HpCISSs - ok

00:15:37.0646 4832 HpqKbFiltr (1210960ff8928950d2a786895b0c424a) C:\Windows\system32\DRIVERS\HpqKbFiltr.sys

00:15:37.0724 4832 HpqKbFiltr - ok

00:15:37.0833 4832 HSFHWAZL (46d67209550973257601a533e2ac5785) C:\Windows\system32\DRIVERS\VSTAZL3.SYS

00:15:37.0896 4832 HSFHWAZL - ok

00:15:38.0021 4832 HSF_DPV (1882827f41dee51c70e24c567c35bfb5) C:\Windows\system32\DRIVERS\HSX_DPV.sys

00:15:38.0145 4832 HSF_DPV - ok

00:15:38.0333 4832 HSXHWAZL (a44ddf3ba83e4664bf4de9220097578c) C:\Windows\system32\DRIVERS\HSXHWAZL.sys

00:15:38.0379 4832 HSXHWAZL - ok

00:15:38.0442 4832 HTTP (f870aa3e254628ebeafe754108d664de) C:\Windows\system32\drivers\HTTP.sys

00:15:38.0520 4832 HTTP - ok

00:15:38.0645 4832 i2omp (324c2152ff2c61abae92d09f3cca4d63) C:\Windows\system32\drivers\i2omp.sys

00:15:38.0660 4832 i2omp - ok

00:15:38.0754 4832 i8042prt (22d56c8184586b7a1f6fa60be5f5a2bd) C:\Windows\system32\DRIVERS\i8042prt.sys

00:15:38.0801 4832 i8042prt - ok

00:15:38.0988 4832 ialm (9378d57e2b96c0a185d844770ad49948) C:\Windows\system32\DRIVERS\igdkmd32.sys

00:15:39.0269 4832 ialm - ok

00:15:39.0409 4832 iaStor (997e8f5939f2d12cd9f2e6b395724c16) C:\Windows\system32\DRIVERS\iaStor.sys

00:15:39.0456 4832 iaStor - ok

00:15:39.0503 4832 iaStorV (c957bf4b5d80b46c5017bf0101e6c906) C:\Windows\system32\drivers\iastorv.sys

00:15:39.0534 4832 iaStorV - ok

00:15:39.0674 4832 ICAM3NT5 (7e9dce459be666ab54f67e77cb7d1297) C:\Windows\system32\Drivers\Icam3.sys

00:15:39.0737 4832 ICAM3NT5 - ok

00:15:39.0924 4832 IDSVix86 (b6662611e8fa3a71473c4a9bd0d23755) C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.6.0.29\Definitions\IPSDefs\20120224.002\IDSvix86.sys

00:15:40.0002 4832 IDSVix86 - ok

00:15:40.0205 4832 igfx (9378d57e2b96c0a185d844770ad49948) C:\Windows\system32\DRIVERS\igdkmd32.sys

00:15:40.0579 4832 igfx - ok

00:15:40.0688 4832 iirsp (2d077bf86e843f901d8db709c95b49a5) C:\Windows\system32\drivers\iirsp.sys

00:15:40.0704 4832 iirsp - ok

00:15:40.0782 4832 intelide (97469037714070e45194ed318d636401) C:\Windows\system32\drivers\intelide.sys

00:15:40.0797 4832 intelide - ok

00:15:40.0891 4832 intelppm (224191001e78c89dfa78924c3ea595ff) C:\Windows\system32\DRIVERS\intelppm.sys

00:15:41.0078 4832 intelppm - ok

00:15:41.0219 4832 IpFilterDriver (62c265c38769b864cb25b4bcf62df6c3) C:\Windows\system32\DRIVERS\ipfltdrv.sys

00:15:41.0297 4832 IpFilterDriver - ok

00:15:41.0343 4832 IpInIp - ok

00:15:41.0406 4832 IPMIDRV (40f34f8aba2a015d780e4b09138b6c17) C:\Windows\system32\drivers\ipmidrv.sys

00:15:41.0499 4832 IPMIDRV - ok

00:15:41.0609 4832 IPNAT (8793643a67b42cec66490b2a0cf92d68) C:\Windows\system32\DRIVERS\ipnat.sys

00:15:41.0655 4832 IPNAT - ok

00:15:41.0718 4832 IRENUM (109c0dfb82c3632fbd11949b73aeeac9) C:\Windows\system32\drivers\irenum.sys

00:15:41.0780 4832 IRENUM - ok

00:15:41.0874 4832 isapnp (350fca7e73cf65bcef43fae1e4e91293) C:\Windows\system32\drivers\isapnp.sys

00:15:41.0889 4832 isapnp - ok

00:15:41.0967 4832 iScsiPrt (232fa340531d940aac623b121a595034) C:\Windows\system32\DRIVERS\msiscsi.sys

00:15:41.0999 4832 iScsiPrt - ok

00:15:42.0030 4832 iteatapi (bced60d16156e428f8df8cf27b0df150) C:\Windows\system32\drivers\iteatapi.sys

00:15:42.0045 4832 iteatapi - ok

00:15:42.0139 4832 iteraid (06fa654504a498c30adca8bec4e87e7e) C:\Windows\system32\drivers\iteraid.sys

00:15:42.0170 4832 iteraid - ok

00:15:42.0233 4832 kbdclass (37605e0a8cf00cbba538e753e4344c6e) C:\Windows\system32\DRIVERS\kbdclass.sys

00:15:42.0248 4832 kbdclass - ok

00:15:42.0357 4832 kbdhid (ede59ec70e25c24581add1fbec7325f7) C:\Windows\system32\DRIVERS\kbdhid.sys

00:15:42.0435 4832 kbdhid - ok

00:15:42.0513 4832 KSecDD (2b2f1638466e8cb091400c9019cc730e) C:\Windows\system32\Drivers\ksecdd.sys

00:15:42.0560 4832 KSecDD - ok

00:15:42.0701 4832 lltdio (d1c5883087a0c3f1344d9d55a44901f6) C:\Windows\system32\DRIVERS\lltdio.sys

00:15:42.0747 4832 lltdio - ok

00:15:42.0825 4832 LSI_FC (a2262fb9f28935e862b4db46438c80d2) C:\Windows\system32\drivers\lsi_fc.sys

00:15:42.0841 4832 LSI_FC - ok

00:15:42.0950 4832 LSI_SAS (30d73327d390f72a62f32c103daf1d6d) C:\Windows\system32\drivers\lsi_sas.sys

00:15:42.0966 4832 LSI_SAS - ok

00:15:43.0044 4832 LSI_SCSI (e1e36fefd45849a95f1ab81de0159fe3) C:\Windows\system32\drivers\lsi_scsi.sys

00:15:43.0059 4832 LSI_SCSI - ok

00:15:43.0122 4832 luafv (8f5c7426567798e62a3b3614965d62cc) C:\Windows\system32\drivers\luafv.sys

00:15:43.0169 4832 luafv - ok

00:15:43.0278 4832 mdmxsdk (0cea2d0d3fa284b85ed5b68365114f76) C:\Windows\system32\DRIVERS\mdmxsdk.sys

00:15:43.0309 4832 mdmxsdk - ok

00:15:43.0340 4832 megasas (d153b14fc6598eae8422a2037553adce) C:\Windows\system32\drivers\megasas.sys

00:15:43.0356 4832 megasas - ok

00:15:43.0512 4832 Modem (e13b5ea0f51ba5b1512ec671393d09ba) C:\Windows\system32\drivers\modem.sys

00:15:43.0559 4832 Modem - ok

00:15:43.0652 4832 monitor (0a9bb33b56e294f686abb7c1e4e2d8a8) C:\Windows\system32\DRIVERS\monitor.sys

00:15:43.0746 4832 monitor - ok

00:15:43.0839 4832 mouclass (5bf6a1326a335c5298477754a506d263) C:\Windows\system32\DRIVERS\mouclass.sys

00:15:43.0855 4832 mouclass - ok

00:15:43.0902 4832 mouhid (93b8d4869e12cfbe663915502900876f) C:\Windows\system32\DRIVERS\mouhid.sys

00:15:43.0949 4832 mouhid - ok

00:15:43.0995 4832 MountMgr (bdafc88aa6b92f7842416ea6a48e1600) C:\Windows\system32\drivers\mountmgr.sys

00:15:44.0011 4832 MountMgr - ok

00:15:44.0136 4832 mpio (583a41f26278d9e0ea548163d6139397) C:\Windows\system32\drivers\mpio.sys

00:15:44.0167 4832 mpio - ok

00:15:44.0229 4832 mpsdrv (22241feba9b2defa669c8cb0a8dd7d2e) C:\Windows\system32\drivers\mpsdrv.sys

00:15:44.0292 4832 mpsdrv - ok

00:15:44.0385 4832 Mraid35x (4fbbb70d30fd20ec51f80061703b001e) C:\Windows\system32\drivers\mraid35x.sys

00:15:44.0401 4832 Mraid35x - ok

00:15:44.0479 4832 MRxDAV (82cea0395524aacfeb58ba1448e8325c) C:\Windows\system32\drivers\mrxdav.sys

00:15:44.0557 4832 MRxDAV - ok

00:15:44.0666 4832 mrxsmb (1e94971c4b446ab2290deb71d01cf0c2) C:\Windows\system32\DRIVERS\mrxsmb.sys

00:15:44.0744 4832 mrxsmb - ok

00:15:44.0807 4832 mrxsmb10 (4fccb34d793b116423209c0f8b7a3b03) C:\Windows\system32\DRIVERS\mrxsmb10.sys

00:15:44.0853 4832 mrxsmb10 - ok

00:15:44.0963 4832 mrxsmb20 (c3cb1b40ad4a0124d617a1199b0b9d7c) C:\Windows\system32\DRIVERS\mrxsmb20.sys

00:15:44.0994 4832 mrxsmb20 - ok

00:15:45.0072 4832 msahci (742aed7939e734c36b7e8d6228ce26b7) C:\Windows\system32\drivers\msahci.sys

00:15:45.0087 4832 msahci - ok

00:15:45.0197 4832 msdsm (3fc82a2ae4cc149165a94699183d3028) C:\Windows\system32\drivers\msdsm.sys

00:15:45.0212 4832 msdsm - ok

00:15:45.0290 4832 Msfs (a9927f4a46b816c92f461acb90cf8515) C:\Windows\system32\drivers\Msfs.sys

00:15:45.0353 4832 Msfs - ok

00:15:45.0493 4832 msisadrv (0f400e306f385c56317357d6dea56f62) C:\Windows\system32\drivers\msisadrv.sys

00:15:45.0509 4832 msisadrv - ok

00:15:45.0587 4832 MSKSSRV (d8c63d34d9c9e56c059e24ec7185cc07) C:\Windows\system32\drivers\MSKSSRV.sys

00:15:45.0665 4832 MSKSSRV - ok

00:15:45.0758 4832 MSPCLOCK (1d373c90d62ddb641d50e55b9e78d65e) C:\Windows\system32\drivers\MSPCLOCK.sys

00:15:45.0821 4832 MSPCLOCK - ok

00:15:45.0867 4832 MSPQM (b572da05bf4e098d4bba3a4734fb505b) C:\Windows\system32\drivers\MSPQM.sys

00:15:45.0914 4832 MSPQM - ok

00:15:46.0039 4832 MsRPC (b49456d70555de905c311bcda6ec6adb) C:\Windows\system32\drivers\MsRPC.sys

00:15:46.0070 4832 MsRPC - ok

00:15:46.0117 4832 mssmbios (e384487cb84be41d09711c30ca79646c) C:\Windows\system32\DRIVERS\mssmbios.sys

00:15:46.0148 4832 mssmbios - ok

00:15:46.0273 4832 MSTEE (7199c1eec1e4993caf96b8c0a26bd58a) C:\Windows\system32\drivers\MSTEE.sys

00:15:46.0335 4832 MSTEE - ok

00:15:46.0398 4832 Mup (6a57b5733d4cb702c8ea4542e836b96c) C:\Windows\system32\Drivers\mup.sys

00:15:46.0429 4832 Mup - ok

00:15:46.0476 4832 NativeWifiP (85c44fdff9cf7e72a40dcb7ec06a4416) C:\Windows\system32\DRIVERS\nwifi.sys

00:15:46.0507 4832 NativeWifiP - ok

00:15:46.0679 4832 NAVENG (862f55824ac81295837b0ab63f91071f) C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.6.0.29\Definitions\VirusDefs\20120224.034\NAVENG.SYS

00:15:46.0725 4832 NAVENG - ok

00:15:46.0819 4832 NAVEX15 (529d571b551cb9da44237389b936f1ae) C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_18.6.0.29\Definitions\VirusDefs\20120224.034\NAVEX15.SYS

00:15:46.0913 4832 NAVEX15 - ok

00:15:47.0069 4832 NDIS (1357274d1883f68300aeadd15d7bbb42) C:\Windows\system32\drivers\ndis.sys

00:15:47.0147 4832 NDIS - ok

00:15:47.0287 4832 NdisTapi (0e186e90404980569fb449ba7519ae61) C:\Windows\system32\DRIVERS\ndistapi.sys

00:15:47.0334 4832 NdisTapi - ok

00:15:47.0412 4832 Ndisuio (d6973aa34c4d5d76c0430b181c3cd389) C:\Windows\system32\DRIVERS\ndisuio.sys

00:15:47.0443 4832 Ndisuio - ok

00:15:47.0552 4832 NdisWan (818f648618ae34f729fdb47ec68345c3) C:\Windows\system32\DRIVERS\ndiswan.sys

00:15:47.0615 4832 NdisWan - ok

00:15:47.0677 4832 NDProxy (71dab552b41936358f3b541ae5997fb3) C:\Windows\system32\drivers\NDProxy.sys

00:15:47.0724 4832 NDProxy - ok

00:15:47.0864 4832 NetBIOS (bcd093a5a6777cf626434568dc7dba78) C:\Windows\system32\DRIVERS\netbios.sys

00:15:47.0927 4832 NetBIOS - ok

00:15:47.0989 4832 netbt (ecd64230a59cbd93c85f1cd1cab9f3f6) C:\Windows\system32\DRIVERS\netbt.sys

00:15:48.0051 4832 netbt - ok

00:15:48.0332 4832 NETw3v32 (a15f219208843a5a210c8cb391384453) C:\Windows\system32\DRIVERS\NETw3v32.sys

00:15:48.0644 4832 NETw3v32 - ok

00:15:48.0847 4832 NETw4v32 (cb3af516a6797b27725e3f1e73f3496c) C:\Windows\system32\DRIVERS\NETw4v32.sys

00:15:49.0112 4832 NETw4v32 - ok

00:15:49.0221 4832 nfrd960 (2e7fb731d4790a1bc6270accefacb36e) C:\Windows\system32\drivers\nfrd960.sys

00:15:49.0284 4832 nfrd960 - ok

00:15:49.0409 4832 nmwcd (696b37ea78f9d9767a2f18ba0304a51a) C:\Windows\system32\drivers\nmwcd.sys

00:15:49.0518 4832 nmwcd - ok

00:15:49.0596 4832 nmwcdc (bbb6010fc01d9239d88fcdf133e03ff0) C:\Windows\system32\drivers\nmwcdc.sys

00:15:49.0674 4832 nmwcdc - ok

00:15:49.0767 4832 nmwcdcj (4c3726467d67483f054c88f058e9c153) C:\Windows\system32\drivers\nmwcdcj.sys

00:15:49.0845 4832 nmwcdcj - ok

00:15:49.0923 4832 nmwcdcm (4c3726467d67483f054c88f058e9c153) C:\Windows\system32\drivers\nmwcdcm.sys

00:15:49.0986 4832 nmwcdcm - ok

00:15:50.0017 4832 Npfs (d36f239d7cce1931598e8fb90a0dbc26) C:\Windows\system32\drivers\Npfs.sys

00:15:50.0079 4832 Npfs - ok

00:15:50.0189 4832 nsiproxy (609773e344a97410ce4ebf74a8914fcf) C:\Windows\system32\drivers\nsiproxy.sys

00:15:50.0267 4832 nsiproxy - ok

00:15:50.0376 4832 Ntfs (6a4a98cee84cf9e99564510dda4baa47) C:\Windows\system32\drivers\Ntfs.sys

00:15:50.0438 4832 Ntfs - ok

00:15:50.0579 4832 ntrigdigi (e875c093aec0c978a90f30c9e0dfbb72) C:\Windows\system32\drivers\ntrigdigi.sys

00:15:50.0657 4832 ntrigdigi - ok

00:16:08.0409 4832 ============================================================

00:16:08.0409 4832 Scan finished

00:16:08.0409 4832 ============================================================

00:16:08.0425 5196 Detected object count: 2

00:16:08.0425 5196 Actual detected object count: 2

00:17:09.0234 5196 cdrbsdrv ( UnsignedFile.Multi.Generic ) - skipped by user

00:17:09.0234 5196 cdrbsdrv ( UnsignedFile.Multi.Generic ) - User select action: Skip

00:17:09.0249 5196 StarOpen ( UnsignedFile.Multi.Generic ) - skipped by user

00:17:09.0249 5196 StarOpen ( UnsignedFile.Multi.Generic ) - User select action: Skip


OK, that was correct...those files are good.

Please download and run ComboFix.

The most important things to remember when running it are to disable all your malware programs and to run ComboFix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingc...to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Make sure you run ComboFix from your desktop.

Please include the C:\ComboFix.txt in your next reply for further review.

MrC


Just a quick question before I run combofix.

Do I remove the USB drive before running it? Even if I remove the USB drive, I need to put it in again to connect to the internet.

Previous scans were done with the USB removed.


I ran combofix from desktop as instructed. Norton was also disabled. USB device was removed.

It ran for 40+ stages and came to the "preparing log report" screen. There the system automatically turned off.

When started again, it asked if I should choose safe mode. I chose normal mode and it started OK.

c:\combofix.txt is not available. Please tell me what to do now.

Rishi


Press the Windows logo key + R to bring up the "run box"

Copy and paste next command in the field:

"C:\ComboFix.txt"

Press enter, see if it comes up.

MrC


Let's run a couple of other scans first, then we'll try ComboFix again:

Next, please run a free online scan with the ESET Online Scanner:

Note: You will need to use Internet Explorer for this scan.

http://www.eset.eu/online-scanner

Tick the box next to YES, I accept the Terms of Use.

Click Start

When asked, allow the ActiveX control to install

Click Start

Make sure that the options Remove found threats and Scan unwanted applications are checked

Click Scan

Wait for the scan to finish

Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt

Copy and paste that log as a reply to this topic

MrC


The proxy server was again set on IE so initially I could not connect. Then, I saw the setting. The proxy was enabled for only the specific connection as opposed to a general setting. I changed that and got IE to work.

ESET worked OK. Took 6.5 hrs to scan. It found no threats.

Log file is attached.

Rishi

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK


Let's try ComboFix again:

Please download and run ComboFix.

The most important things to remember when running it are to disable all your malware programs and to run ComboFix from your desktop.

Please visit this webpage for download links, and instructions for running ComboFix

http://www.bleepingc...to-use-combofix

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Information on disabling your malware programs can be found Here.

Make sure you run ComboFix from your desktop.

Please include the C:\ComboFix.txt in your next reply for further review.

MrC


I could run ComboFix. After running, Firefox did not open. It opened after a restart.

Combofix log follows.

ComboFix 12-02-25.02 - Arvind Raje 26-02-2012 23:05:35.2.2 - x86

Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.91.1033.18.2037.1048 [GMT 5.5:30]

Running from: c:\users\Arvind Raje\Desktop\ComboFix.exe

AV: Norton Internet Security *Disabled/Updated* {63DF5164-9100-186D-2187-8DC619EFD8BF}

FW: Norton Internet Security *Disabled* {5BE4D041-DB6F-1935-0AD8-24F3E73C9FC4}

SP: Norton Internet Security *Disabled/Updated* {D8BEB080-B73A-17E3-1B37-B6B462689202}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

.

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

---- Previous Run -------

.

C:\install.exe

c:\programdata\Microsoft\corecon\1.0\1033\NonSDKAddonLangVer.dll

c:\programdata\Microsoft\corecon\1.0\1033\SDKAddonLangVer.dll

c:\programdata\Microsoft\corecon\1.0\addons\NonSDKAddonVer.dll

c:\programdata\Microsoft\corecon\1.0\addons\SDKAddonVer.dll

c:\programdata\Microsoft\corecon\1.0\SDKFilesVer.dll

c:\users\Public\Norton_Removal_Tool.exe

c:\windows\system32\CddbCdda.dll

c:\windows\system32\html

c:\windows\system32\html\calendar.html

c:\windows\system32\html\calendarbottom.html

c:\windows\system32\html\calendartop.html

c:\windows\system32\html\crystalexportdialog.htm

c:\windows\system32\html\crystalprinthost.html

c:\windows\system32\images

c:\windows\system32\images\toolbar\calendar.gif

c:\windows\system32\images\toolbar\crlogo.gif

c:\windows\system32\images\toolbar\export.gif

c:\windows\system32\images\toolbar\export_over.gif

c:\windows\system32\images\toolbar\exportd.gif

c:\windows\system32\images\toolbar\First.gif

c:\windows\system32\images\toolbar\first_over.gif

c:\windows\system32\images\toolbar\Firstd.gif

c:\windows\system32\images\toolbar\gotopage.gif

c:\windows\system32\images\toolbar\gotopage_over.gif

c:\windows\system32\images\toolbar\gotopaged.gif

c:\windows\system32\images\toolbar\grouptree.gif

c:\windows\system32\images\toolbar\grouptree_over.gif

c:\windows\system32\images\toolbar\grouptreed.gif

c:\windows\system32\images\toolbar\grouptreepressed.gif

c:\windows\system32\images\toolbar\Last.gif

c:\windows\system32\images\toolbar\last_over.gif

c:\windows\system32\images\toolbar\Lastd.gif

c:\windows\system32\images\toolbar\Next.gif

c:\windows\system32\images\toolbar\next_over.gif

c:\windows\system32\images\toolbar\Nextd.gif

c:\windows\system32\images\toolbar\Prev.gif

c:\windows\system32\images\toolbar\prev_over.gif

c:\windows\system32\images\toolbar\Prevd.gif

c:\windows\system32\images\toolbar\print.gif

c:\windows\system32\images\toolbar\print_over.gif

c:\windows\system32\images\toolbar\printd.gif

c:\windows\system32\images\toolbar\Refresh.gif

c:\windows\system32\images\toolbar\refresh_over.gif

c:\windows\system32\images\toolbar\refreshd.gif

c:\windows\system32\images\toolbar\Search.gif

c:\windows\system32\images\toolbar\search_over.gif

c:\windows\system32\images\toolbar\searchd.gif

c:\windows\system32\images\toolbar\up.gif

c:\windows\system32\images\toolbar\up_over.gif

c:\windows\system32\images\toolbar\upd.gif

c:\windows\system32\images\tree\begindots.gif

c:\windows\system32\images\tree\beginminus.gif

c:\windows\system32\images\tree\beginplus.gif

c:\windows\system32\images\tree\blank.gif

c:\windows\system32\images\tree\blankdots.gif

c:\windows\system32\images\tree\dots.gif

c:\windows\system32\images\tree\lastdots.gif

c:\windows\system32\images\tree\lastminus.gif

c:\windows\system32\images\tree\lastplus.gif

c:\windows\system32\images\tree\Magnify.gif

c:\windows\system32\images\tree\minus.gif

c:\windows\system32\images\tree\minusbox.gif

c:\windows\system32\images\tree\plus.gif

c:\windows\system32\images\tree\plusbox.gif

c:\windows\system32\images\tree\singleminus.gif

c:\windows\system32\images\tree\singleplus.gif

.

.

((((((((((((((((((((((((( Files Created from 2012-01-26 to 2012-02-26 )))))))))))))))))))))))))))))))

.

.

2012-02-26 17:47 . 2012-02-26 17:47 -------- d-----w- c:\users\Default\AppData\Local\temp

2012-02-25 21:25 . 2012-02-25 21:25 -------- d-----w- c:\program files\ESET

2012-02-24 06:45 . 2012-02-24 06:45 -------- d-----w- C:\63e8929133247ad70dee9a5b

2012-02-23 21:15 . 2012-02-23 21:15 -------- d-----w- c:\users\Arvind Raje\AppData\Roaming\Malwarebytes

2012-02-23 21:14 . 2012-02-23 21:14 -------- d-----w- c:\programdata\Malwarebytes

2012-02-23 21:14 . 2011-12-10 09:54 20464 ----a-w- c:\windows\system32\drivers\mbam.sys

2012-02-22 08:37 . 2012-02-22 09:08 -------- d-----w- c:\users\Arvind Raje\AppData\Local\NPE

2012-02-22 04:16 . 2012-02-22 04:16 -------- d-----w- c:\users\Arvind Raje\AppData\Roaming\BB06E

2012-02-22 04:16 . 2012-02-22 04:16 1169736 ----a-w- c:\users\Arvind Raje\AppData\Roaming\Microsoft\99B3\B38_virus.exe

2012-02-22 04:16 . 2012-02-22 04:16 -------- d-----w- c:\users\Arvind Raje\AppData\Roaming\341BB

2012-02-18 05:56 . 2012-02-18 06:41 -------- d-----w- C:\GamesNon Fellows

2012-02-15 05:28 . 2011-12-14 02:56 1427456 ----a-w- c:\windows\system32\inetcpl.cpl

2012-02-15 04:08 . 2012-02-16 09:40 -------- d-----w- c:\users\Arvind Raje\AppData\Roaming\Leahs_Tale

2012-02-15 02:41 . 2012-02-15 02:41 -------- d-----w- c:\programdata\IObit

2012-02-15 02:41 . 2012-02-15 02:41 -------- d-----w- c:\users\Arvind Raje\AppData\Roaming\IObit

2012-02-15 02:22 . 2011-12-14 16:17 680448 ----a-w- c:\windows\system32\msvcrt.dll

2012-02-15 02:19 . 2012-01-12 19:52 2044416 ----a-w- c:\windows\system32\win32k.sys

2012-02-15 02:19 . 2011-12-20 10:56 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat

2012-02-07 03:28 . 2012-02-07 03:28 -------- d-----w- c:\program files\Microsoft Visual Studio 8

2012-02-03 07:19 . 2012-02-17 08:32 45016 ----a-w- c:\program files\Mozilla Firefox\mozutils.dll

2012-02-03 07:19 . 2012-02-03 07:19 626688 ----a-w- c:\program files\Mozilla Firefox\msvcr80.dll

2012-02-03 07:19 . 2012-02-03 07:19 548864 ----a-w- c:\program files\Mozilla Firefox\msvcp80.dll

2012-02-03 07:19 . 2012-02-03 07:19 479232 ----a-w- c:\program files\Mozilla Firefox\msvcm80.dll

2012-02-02 01:46 . 2012-02-02 01:46 -------- d-----w- c:\users\Arvind Raje\AppData\Roaming\KatGames

2012-02-02 01:46 . 2012-02-02 01:46 -------- d-----w- c:\programdata\KatGames

2012-02-01 02:19 . 2012-02-03 06:50 -------- d-----w- c:\windows\system32\drivers\NIS\1207000.00D

2012-01-28 16:25 . 2012-02-18 04:50 -------- d-----w- c:\users\Arvind Raje\AppData\Local\JollyBear

2012-01-28 16:25 . 2012-02-18 04:50 -------- d-----w- c:\programdata\JollyBear

.

.

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2012-01-16 02:47 . 2011-09-04 09:53 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2011-12-30 04:27 . 2011-12-30 04:13 1680064 ----a-w- c:\programdata\Microsoft\VisualStudio\9.0\1033\ResourceCache.dll

2011-12-30 04:13 . 2011-12-30 04:13 18368 ----a-w- c:\programdata\Microsoft\VSA\9.0\1033\ResourceCache.dll

2011-12-30 03:52 . 2011-12-30 03:52 416 ----a-w- c:\programdata\Microsoft\MSDN\9.0\1033\ResourceCache.dll

2012-02-17 08:32 . 2011-05-06 09:45 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll

2008-06-30 08:14 . 2009-11-03 17:38 324976 ----a-w- c:\program files\mozilla firefox\components\coFFPlgn.dll

.

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]

@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]

2011-02-18 05:12 94208 ----a-w- c:\users\Arvind Raje\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]

@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]

2011-02-18 05:12 94208 ----a-w- c:\users\Arvind Raje\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]

@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]

2011-02-18 05:12 94208 ----a-w- c:\users\Arvind Raje\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll

.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]

"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-12-19 68856]

.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Apoint"="c:\program files\Apoint2K\Apoint.exe" [2007-12-21 217088]

"NWEReboot"="" [bU]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-11 141848]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-11 166424]

"WAWifiMessage"="c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2007-01-10 317128]

"QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2009-11-24 323640]

"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]

"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-10-09 75008]

"SunJavaUpdateSched"="c:\program files\common files\java\java update\jusched.exe" [2011-06-09 254696]

.

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"Nokia.PCSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-11-07 1294336]

.

c:\users\Arvind Raje\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

Dropbox.lnk - c:\users\Arvind Raje\AppData\Roaming\Dropbox\bin\Dropbox.exe [2012-2-15 24246216]

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"EnableUIADesktopToggle"= 0 (0x0)

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~3\GoogleDesktopNetwork3.dll

.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

.

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Google Updater.lnk]

path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Google Updater.lnk

backup=c:\windows\pss\Google Updater.lnk.CommonStartup

backupExtension=.CommonStartup

.

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HD Writer AE 1.0.lnk]

path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\HD Writer AE 1.0.lnk

backup=c:\windows\pss\HD Writer AE 1.0.lnk.CommonStartup

backupExtension=.CommonStartup

.

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Vongo Tray.lnk]

path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Vongo Tray.lnk

backup=c:\windows\pss\Vongo Tray.lnk.CommonStartup

backupExtension=.CommonStartup

.

[HKLM\~\startupfolder\C:^Users^Arvind Raje^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OpenOffice.org 2.4.lnk]

path=c:\users\Arvind Raje\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 2.4.lnk

backup=c:\windows\pss\OpenOffice.org 2.4.lnk.Startup

backupExtension=.Startup

.

[HKLM\~\startupfolder\C:^Users^Arvind Raje^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OpenOffice.org 3.0.lnk]

path=c:\users\Arvind Raje\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.0.lnk

backup=c:\windows\pss\OpenOffice.org 3.0.lnk.Startup

backupExtension=.Startup

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]

2011-03-29 16:29 937920 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

2011-08-31 01:57 40368 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]

2008-09-26 06:32 2356088 ----a-r- c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Advanced SystemCare 5]

c:\tools\Advanced SystemCare 5\ASCTray.exe [bU]

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Easy Dock]

c:\users\Arvind Raje\Documents\RCA easyRip\EZDock.exe [bU]

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]

2007-12-19 04:56 29744 ----a-w- c:\program files\Google\Google Desktop Search\GoogleDesktop.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]

2010-10-25 14:02 136176 ----atw- c:\users\Arvind Raje\AppData\Local\Google\Update\GoogleUpdate.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]

2006-10-26 19:17 31016 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpWirelessAssistant]

2007-03-01 20:18 472776 ----a-w- c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Launcher]

2006-11-08 00:39 44128 ------w- c:\windows\SMINST\Launcher.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Suite Tray]

2007-12-10 04:42 695808 ----a-w- c:\program files\Nokia\Nokia PC Suite 6\PCSuite.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]

c:\program files\Nokia\Nokia PC Suite 6\LaunchApplication.exe [bU]

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]

2008-02-11 14:43 133656 ----a-w- c:\windows\System32\igfxpers.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QlbCtrl]

2009-11-24 05:37 323640 ----a-w- c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QLBCtrl.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QPService]

2007-03-29 00:45 176128 ----a-w- c:\program files\HP\QuickPlay\QPService.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

2010-09-08 05:47 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoboForm]

2011-04-15 06:05 107000 ----a-w- c:\program files\Siber Systems\AI RoboForm\robotaskbaricon.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]

2011-10-13 03:57 17351304 ----a-r- c:\program files\Skype\Phone\Skype.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]

2007-12-19 04:56 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]

2008-01-19 07:38 1008184 ----a-w- c:\program files\Windows Defender\MSASCui.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]

2008-01-19 07:33 202240 ----a-w- c:\program files\Windows Media Player\wmpnscfg.exe

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

.

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

.

--- Other Services/Drivers In Memory ---

.

*NewlyCreated* - WS2IFSL

.

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache

HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

.

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]

2007-04-19 20:23 452136 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe

.

Contents of the 'Scheduled Tasks' folder

.

2012-02-25 c:\windows\Tasks\Google Software Updater.job

- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-12-18 15:45]

.

2012-02-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-08 17:44]

.

2012-02-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job

- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-08 17:44]

.

2012-02-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1008920372-1273433071-3186582681-1000Core.job

- c:\users\Arvind Raje\AppData\Local\Google\Update\GoogleUpdate.exe [2010-12-24 14:02]

.

2012-02-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1008920372-1273433071-3186582681-1000UA.job

- c:\users\Arvind Raje\AppData\Local\Google\Update\GoogleUpdate.exe [2010-12-24 14:02]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://securityresponse.symantec.com/avcenter/fix_homepage

mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_IN&c=73&bd=PRESARIO&pf=laptop

uInternet Settings,ProxyServer = http=127.0.0.1:58384

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000

IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html

IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html

IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html

Trusted Zone: bridgedoctor.com\www

DPF: {9EF2BA47-C6A7-470D-9DD9-4323B0CB8353} - hxxp://98.210.180.141:2148/WebClient.cab

FF - ProfilePath - c:\users\Arvind Raje\AppData\Roaming\Mozilla\Firefox\Profiles\94ckym6o.default\

FF - prefs.js: browser.startup.homepage - hxxp://google.com/

FF - prefs.js: network.proxy.type - 0

.

.

**************************************************************************

.

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2012-02-26 23:17

Windows 6.0.6002 Service Pack 2 NTFS

.

scanning hidden processes ...

.

scanning hidden autostart entries ...

.

scanning hidden files ...

.

scan completed successfully

hidden files: 0

.

**************************************************************************

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\NIS]

"ImagePath"="\"c:\program files\Norton Internet Security\Engine\18.7.0.13\ccSvcHst.exe\" /s \"NIS\" /m \"c:\program files\Norton Internet Security\Engine\18.7.0.13\diMaster.dll\" /prefetch:1"

.

--------------------- LOCKED REGISTRY KEYS ---------------------

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

--------------------- DLLs Loaded Under Running Processes ---------------------

.

- - - - - - - > 'Explorer.exe'(6080)

c:\users\Arvind Raje\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll

c:\program files\Copernic Desktop Search - Home\DeskbandIntegration302020007.dll

c:\program files\Copernic Desktop Search - Home\SearchPlatform-s.dll

.

Completion time: 2012-02-26 23:35:25

ComboFix-quarantined-files.txt 2012-02-26 18:05

.

Pre-Run: 17,573,310,464 bytes free

Post-Run: 17,333,161,984 bytes free

.

- - End Of File - - 218E0A2BE72D7D624914D0DC596245F2


Can you take a look in these folders, see what's in them, and tell me whether you recognize them? You may have to enable hidden files to see them:

http://www.bleepingc...-windows-vista/

c:\users\Arvind Raje\AppData\Local\NPE

c:\users\Arvind Raje\AppData\Roaming\BB06E

c:\users\Arvind Raje\AppData\Roaming\341BB

c:\users\Arvind Raje\AppData\Roaming\Microsoft\99B3

Also upload this file to VirusTotal for a free scan and post back the report (just copy the URL):

c:\users\Arvind Raje\AppData\Roaming\Microsoft\99B3\B38_virus.exe

http://www.virustotal.com/

-------------------------------------------

Please delete these two folders:

c:\programdata\IObit

c:\users\Arvind Raje\AppData\Roaming\IObit

------------------------------------------

This proxy is still showing. If you didn't set it, please delete it as shown in this link, as before:

http://forums.malwar...ndpost&p=530462

uInternet Settings,ProxyServer = http=127.0.0.1:58384

Let me know, MrC

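A small check over DDS "Supplementary Scan" lines of the kind quoted above, as an added example that is not code from this thread or from the DDS/ComboFix tools. It flags a ProxyServer entry that points back at the local machine (the entry MrC is asking about, where browser traffic is routed through some local process) and a DPF (ActiveX CAB) entry fetched from a bare IP address. The sample lines are constructed, and the DPF host is a documentation-range placeholder rather than the address in the thread.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample in the DDS "Supplementary Scan" format ('hxxp' is the
# log's defanged 'http'; the DPF host is a documentation-range placeholder).
SAMPLE_LINES = """\
uStart Page = hxxp://securityresponse.symantec.com/avcenter/fix_homepage
uInternet Settings,ProxyServer = http=127.0.0.1:58384
DPF: {00000000-0000-0000-0000-000000000000} - hxxp://192.0.2.10:2148/WebClient.cab
"""

PROXY_RE = re.compile(r"ProxyServer\s*=\s*(?P<value>\S+)")
DPF_RE = re.compile(r"^DPF:\s*\{[0-9A-Fa-f-]+\}\s*-\s*(?P<url>\S+)")

def _as_ip(host):
    """ip_address object if host is a literal IP, else None."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        return None

def parse_proxy_servers(value):
    """Split 'http=host:port;https=host:port' (or plain 'host:port') into
    (scheme, host, port) tuples; scheme '*' means all protocols."""
    entries = []
    for part in value.split(";"):
        scheme, _, hostport = part.rpartition("=")
        host, _, port = hostport.rpartition(":")
        entries.append((scheme or "*", host, int(port) if port.isdigit() else None))
    return entries

def scan_dds_lines(text):
    """Flag a proxy that points back at the local machine (traffic routed through
    a local process) and an ActiveX CAB (DPF) pulled from a bare IP address."""
    findings = []
    for line in (raw.strip() for raw in text.splitlines()):
        m = PROXY_RE.search(line)
        if m:
            for scheme, host, port in parse_proxy_servers(m.group("value")):
                ip = _as_ip(host)
                if ip is not None and ip.is_loopback:
                    findings.append(("loopback-proxy", f"{scheme} -> {host}:{port}", line))
            continue
        m = DPF_RE.match(line)
        if m:
            host = urlparse(m.group("url").replace("hxxp", "http", 1)).hostname or ""
            if _as_ip(host) is not None:
                findings.append(("dpf-bare-ip", host, line))
    return findings
```

A loopback proxy is only a lead, not proof: a local filtering tool can legitimately register one, so the port should be matched to the process listening on it before the setting is removed.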

Firstly, thank you very much for all the efforts you are taking in combating this virus.

Step by step answers are given below.

1. c:\users\Arvind Raje\AppData\Local\NPE

This contains many files. The output of dir /s is as follows.

Volume in drive C has no label.

Volume Serial Number is 341B-B06E

Directory of C:\Users\Arvind Raje\AppData\Local\NPE

27-02-2012 00:24 <DIR> .

27-02-2012 00:24 <DIR> ..

27-02-2012 00:24 0 dir.txt

22-02-2012 14:38 <DIR> ErrMgmt

22-02-2012 14:38 <DIR> ErrorInstances

22-02-2012 14:38 873,242 Info20120222141813.xml

22-02-2012 14:38 <DIR> LocalDumps

22-02-2012 14:34 4,608 Metadata.dat

22-02-2012 14:38 7,864,320 NPETraceSession.etl

22-02-2012 14:37 2,883,584 NPETraceSessionBoot.etl

22-02-2012 14:34 1,431 Remediate2012022214181379211000000.dat

6 File(s) 11,627,185 bytes

Directory of C:\Users\Arvind Raje\AppData\Local\NPE\ErrMgmt

22-02-2012 14:38 <DIR> .

22-02-2012 14:38 <DIR> ..

22-02-2012 14:38 <DIR> Queue

22-02-2012 14:38 2,048 SQCLIENT.dat

22-02-2012 14:38 <DIR> Tasks

1 File(s) 2,048 bytes

Directory of C:\Users\Arvind Raje\AppData\Local\NPE\ErrMgmt\Queue

22-02-2012 14:38 <DIR> .

22-02-2012 14:38 <DIR> ..

22-02-2012 14:38 <DIR> Incoming

22-02-2012 14:38 <DIR> Staging

0 File(s) 0 bytes

Directory of C:\Users\Arvind Raje\AppData\Local\NPE\ErrMgmt\Queue\Incoming

22-02-2012 14:38 <DIR> .

22-02-2012 14:38 <DIR> ..

0 File(s) 0 bytes

Directory of C:\Users\Arvind Raje\AppData\Local\NPE\ErrMgmt\Queue\Staging

22-02-2012 14:38 <DIR> .

22-02-2012 14:38 <DIR> ..

0 File(s) 0 bytes

Directory of C:\Users\Arvind Raje\AppData\Local\NPE\ErrMgmt\Tasks

22-02-2012 14:38 <DIR> .

22-02-2012 14:38 <DIR> ..

0 File(s) 0 bytes

Directory of C:\Users\Arvind Raje\AppData\Local\NPE\ErrorInstances

22-02-2012 14:38 <DIR> .

22-02-2012 14:38 <DIR> ..

0 File(s) 0 bytes

Directory of C:\Users\Arvind Raje\AppData\Local\NPE\LocalDumps

22-02-2012 14:38 <DIR> .

22-02-2012 14:38 <DIR> ..

0 File(s) 0 bytes

Total Files Listed:

7 File(s) 11,629,233 bytes

23 Dir(s) 17,416,953,856 bytes free

2. c:\users\Arvind Raje\AppData\Roaming\BB06E

Folder is empty.

3. c:\users\Arvind Raje\AppData\Roaming\341BB

Contains a file B06E.41B. Virustotal report is at

https://www.virustotal.com/file/aea36656225305eff321b811395790a6fe35ba0a5146f83b5b69a4abe6f4bb3d/analysis/1330283050/

4. c:\users\Arvind Raje\AppData\Roaming\Microsoft\99B3

It contains a file named B38_virus.exe. This is a file that I had identified previously as a problem. I just renamed the file as virus to make sure that the program cannot find it. Original name was B38.exe.

Virustotal log is at https://www.virustotal.com/file/f10591fd4fa3c352ad5d43fea21921a9211fba0185627b2878a5cfe4d0a633be/analysis/1330283429/

5. Deleted folders -

c:\programdata\IObit

c:\users\Arvind Raje\AppData\Roaming\IObit

6. To remove proxy

a. If I go to Internet Options --> Connections --> LAN Settings, all boxes are unchecked.

b. If I go to Internet Options --> Connections --> Reliance Netconnect Broadband + (my internet provider name) --> Settings, again all boxes are unchecked.

Previously a. was set with proxy. When I unchecked it, option b. got set with proxy. Now it seems that there is another option which I am not seeing.

I will run rkill and post the results in next post.


After running rkill, IE works fine.

rkill log follows.

This log file is located at C:\rkill.log.

Please post this only if requested to by the person helping you.

Otherwise you can close this log when you wish.

Rkill was run on 27-02-2012 at 1:02:00.

Operating System: Windows Vista Home Premium

Processes terminated by Rkill or while it was running:

C:\Users\Arvind Raje\AppData\Roaming\Dropbox\bin\Dropbox.exe

C:\Program Files\Vim\vim73\gvim.exe

Rkill completed on 27-02-2012 at 1:02:09.


Sorry for the late reply.

Please delete these folders:

c:\users\Arvind Raje\AppData\Roaming\BB06E

c:\users\Arvind Raje\AppData\Roaming\Microsoft\99B3

c:\users\Arvind Raje\AppData\Roaming\341BB

MrC


I'm grateful for the help.

I've deleted the folders. What next?


Please update and run a Quick Scan with MBAM, and post the report.

Please let me know how it is, MrC


The scan came back clean. Results are attached. But I don't think that I am rid of this virus yet.

Malwarebytes Anti-Malware 1.60.1.1000

www.malwarebytes.org

Database version: v2012.02.27.02

Windows Vista Service Pack 2 x86 NTFS

Internet Explorer 9.0.8112.16421

Arvind Raje :: LAPTOPPC [administrator]

27-02-2012 22:58:08

mbam-log-2012-02-27 (22-58-08).txt

Scan type: Quick scan

Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM

Scan options disabled: P2P

Objects scanned: 203644

Time elapsed: 7 minute(s), 31 second(s)

Memory Processes Detected: 0

(No malicious items detected)

Memory Modules Detected: 0

(No malicious items detected)

Registry Keys Detected: 0

(No malicious items detected)

Registry Values Detected: 0

(No malicious items detected)

Registry Data Items Detected: 0

(No malicious items detected)

Folders Detected: 0

(No malicious items detected)

Files Detected: 0

(No malicious items detected)

(end)

This topic is now closed to further replies.
