Solved: Svchost.exe rises to 200k+ usage within minutes and continues to climb!

joyo915 · 27-Mar-2012, 07:08 PM #1

The desktop that is affected is running Windows XP Home Edition, SP3. Literally, within a minute of turning computer on a Svchost.exe will quickly climb to the 200k memory usage range. When I end the process through the task manager, it quickly comes back and climbs just as high all over again. I stepped away for a couple of minutes, and when I came back the computer sounded like it was going to explode: the problematic Svchost.exe was running at 950k! This is horribly impacting the performance of the computer and it is making it practically impossible to use. I've Googled solutions and tried a couple "common" fixes but to no avail. I was also going to try a system restore, but I was unaware that it isn't even turned on, so that plan's a bust. Please, someone help!

**Cookiegal** · 28-Mar-2012, 09:24 AM #2

Please go here to download HijackThis.

To the right of the green arrow under HijackThis downloads click on the Executable button and download the HijackThis.exe file to your desktop.
Double-click the HijackThis.exe file on your desktop to launch the program. If you get a security warning asking if you want to run this software because the publisher couldn't be verified click on Run to allow it.
Click on the Scan button. The scan will not take long and when it's finished the resulting log will open automatically in Notepad.
Click on the Save log button and save the log file to your desktop. Copy and paste the contents of the log in your post.

Please do not fix anything with HijackThis unless you are instructed to do so. Most of what appears in the log will be harmless and/or necessary.

joyo915 · 28-Mar-2012, 12:34 PM #3

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:33:38 AM, on 3/28/2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\2Wire\2PortalMon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Documents and Settings\Mike\My Documents\Downloads\procexp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\Mike\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:25419
R3 - URLSearchHook: (no name) - {472734EA-242A-422b-ADF8-83D1E48CC825} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\2PortalMon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
O9 - Extra button: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (file missing)
O9 - Extra 'Tools' menuitem: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (file missing)
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {362C56AA-6E4F-40C7-A0B5-85501DBDAD77} (Scanner.SysScanner) - http://i.dell.com/images/global/js/s.../SysProExe.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1136499180796
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramewor...o.cab56649.cab
O16 - DPF: {D71F9A27-723E-4B8B-B428-B725E47CBA3E} - http://imikimi.com/download/imikimi_plugin_0.5.1.cab
O16 - DPF: {E5168F0C-8591-11D4-BCDF-006008B7FEA4} - http://www.platoweb01.com/pathways/p...b/pwlninst.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\0051.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe

--
End of file - 8687 bytes

Phantom010 · 28-Mar-2012, 12:40 PM #4

Does disabling Symantec help any?

**Cookiegal** · 28-Mar-2012, 12:43 PM #5

There are signs of infection.

Are you using a proxy server? The entry there looks dodgy.

Please download DDS by sUBs to your desktop from one of the following locations:

http://download.bleepingcomputer.com/sUBs/dds.scr
http://www.forospyware.com/sUBs/dds

Double-click the DDS.scr to run the tool.

When DDS has finished scanning, it will open two logs named as follows:

DDS.txt
Attach.txt

Save them both to your desktop. Copy and paste the contents of the DDS.txt and Attach.txt files in your reply please.

Please download GMER from: http://gmer.net/index.php

Click on the "Download EXE" button and save the randomly named .exe file to your desktop.

Note: You must uninstall any CD Emulation programs that you have before running GMER as they can cause conflicts and give false results.

Double click the GMER .exe file on your desktop to run the tool and it will automatically do a quick scan.

If the tool warns of rootkit activity and asks if you want to run a full scan, click on No and make sure the following are unchecked on the right-hand side:

IAT/EAT
Any drive letter other than the primary system drive (which is generally C).

Click the Scan button and when the scan is finished, click Save and save the log in Notepad with the name ark.txt to your desktop.

Note: It's important that all other windows be closed and that you don't touch the mouse or do anything with the computer during the scan as it may cause it to freeze. You should disable your screen saver as if it comes on it may cause the program to freeze.

Open the ark.txt file and copy and paste the contents of the log here please.

Phantom010 · 28-Mar-2012, 12:44 PM #6

Quote:

Originally Posted by Cookiegal

There are signs of infection.

Are you using a proxy server? The entry there looks dodgy.

Yup!

joyo915 · 28-Mar-2012, 10:35 PM #7

To answer your questions, I did try disabling Symantec, but no luck there; and I'm not too sure what a proxy server is, so I really couldn't say either way, sorry :/ .And here are all three logs::

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Mike at 12:24:40 on 2012-03-28
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1534.832 [GMT -5:00]
.
AV: AVG Anti-Virus Free Edition 2011 *Enabled/Outdated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Symantec Endpoint Protection *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\2Wire\2PortalMon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Documents and Settings\Mike\My Documents\Downloads\procexp.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://att.net/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = http=127.0.0.1:25419
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
uURLSearchHooks: H - No File
BHO: {02478D38-C3F9-4EFB-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
TB: {0BF43445-2F28-4351-9252-17FE6E806AA0} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
EB: Groove Folder Synchronization: {2a541ae1-5bf6-4665-a8a3-cfa9672e4291} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [2wSysTray] c:\program files\2wire\2PortalMon.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
dPolicies-system: DisableTaskMgr = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {13C1DBF6-7535-495c-91F6-8C13714ED485} - c:\documents and settings\all users\start menu\programs\absolute poker\Absolute Poker.lnk
IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partygaming\partypoker\RunApp.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {362C56AA-6E4F-40C7-A0B5-85501DBDAD77} - hxxp://i.dell.com/images/global/js/scanner/SysProExe.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photo.walgreens.com/WalgreensActivia.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1136499180796
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {D71F9A27-723E-4B8B-B428-B725E47CBA3E} - hxxp://imikimi.com/download/imikimi_plugin_0.5.1.cab
DPF: {E5168F0C-8591-11D4-BCDF-006008B7FEA4} - hxxp://www.platoweb01.com/pathways/pway_iis.dll/pwln/02040611/fullcab/pwlninst.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{B390C276-CE2B-4BB7-9F51-4496F2392921} : DhcpNameServer = 192.168.1.254
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\windows\system32\0051.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
mASetup: {A509B1FF-37FF-4bFF-8CFF-4F3A747040FF} - c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,launchinfsectionex c:\program files\internet explorer\clrtour.inf,DefaultInstall.ResetTour,,12
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\mike\application data\mozilla\firefox\profiles\98c72a03.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - plugin: c:\program files\canon\easy-photoprint ex\NPEZFFPI.DLL
FF - plugin: c:\program files\mozilla firefox\plugins\NPcol400.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll
.
============= SERVICES / DRIVERS ===============
.
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2009-7-8 108392]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2009-7-8 108392]
R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2009-9-17 2477304]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2012-2-13 106104]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20120327.008\NAVENG.SY S [2012-3-27 86136]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20120327.008\NAVEX15 .SYS [2012-3-27 1576312]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2009-7-14 23888]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2008-8-22 18688]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2008-8-22 8320]
.
=============== Created Last 30 ================
.
.
==================== Find3M ====================
.
2012-03-21 19:27:11 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-01-12 16:53:24 1859968 ----a-w- c:\windows\system32\win32k.sys
2012-01-11 19:06:47 3072 ------w- c:\windows\system32\iacenc.dll
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD800BB-75JHC0 rev.06.01C06 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A15649F]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8a15d740]; MOV EAX, [0x8a15d8b4]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 nt!IofCallDriver[0x804E37D5] -> \Device\Harddisk0\DR0[0x8A509A30]
3 CLASSPNP[0xF76B7FD7] -> nt!IofCallDriver[0x804E37D5] -> [0x8A447C88]
\Driver\atapi[0x8A415D78] -> IRP_MJ_CREATE -> 0x8A15649F
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
_asm { CLI ; MOV AX, 0x0; MOV SS, AX; MOV SP, 0x7c00; STI ; MOV DS, AX; CLD ; MOV CX, 0x80; MOV SI, SP; MOV DI, 0x600; MOV ES, AX; REP MOVSD ; JMP FAR 0x0:0x62f; }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A1562C6
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 12:26:53.81 ===============

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 8/12/2005 8:26:25 PM
System Uptime: 3/28/2012 10:33:42 AM (2 hours ago)
.
Motherboard: Dell Computer Corp. | | 0TC667
Processor: Intel(R) Celeron(R) CPU 2.66GHz | Microprocessor | 2660/533mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 71 GiB total, 44.016 GiB free.
D: is CDROM (CDFS)
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP1: 3/27/2012 5:42:19 PM - System Checkpoint
.
==== Installed Programs ======================
.
.
2Wire Wireless Client
Adobe Flash Player 11 ActiveX
Adobe Flash Player 11 Plugin
Adobe Reader 8.1.4
Adobe Shockwave Player 11.5
AiO_Scan_CDA
AiOSoftwareNPI
AOL Uninstaller (Choose which Products to Remove)
AOLIcon
Apple Application Support
Apple Mobile Device Support
Apple Software Update
AT&T Yahoo! Applications
ATT-PRT22
Audacity 1.2.6
BufferChm
Canon MP Navigator EX 3.0
Canon MP250 series MP Drivers
Canon MP250 series User Registration
Canon Utilities Easy-PhotoPrint EX
Canon Utilities My Printer
Canon Utilities Solution Menu
CCleaner
Compatibility Pack for the 2007 Office system
Conexant D850 56K V.9x DFVc Modem
Coupon Printer for Windows
CP_AtenaShokunin1Config
CP_CalendarTemplates1
CP_Package_Basic1
CP_Package_Variety1
CP_Package_Variety2
CP_Package_Variety3
CP_Panorama1Config
Critical Update for Windows Media Player 11 (KB959772)
CueTour
CutePDF Writer 2.7
Dell Digital Jukebox Driver
Dell Driver Reset Tool
Dell Media Experience
Dell Picture Studio v3.0
Dell System Restore
DellSupport
Destinations
DeviceFunctionQFolder
DeviceManagementQFolder
Digital Line Detect
DocProc
DocumentViewer
DocumentViewerQFolder
ESPN Java Check
eSupportQFolder
Fax_CDA
FullDPAppQFolder
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB2570791)
Hotfix for Windows XP (KB2633952)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
HP Document Viewer 5.3
HP Image Zone 5.3
HP Imaging Device Functions 5.3
HP PSC & OfficeJet 5.3.A
HP Software Update
HP Solution Center & Imaging Support Tools 5.3
HPProductAssistant
InstantShareDevices
Intel(R) Extreme Graphics 2 Driver
Intel(R) PRO Network Adapters and Drivers
Intel(R) PROSet for Wired Connections
Internet Explorer Default Page
iTunes
LiveUpdate 3.3 (Symantec Corporation)
Macromedia Flash Player
Malwarebytes Anti-Malware version 1.60.1.1000
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2656353)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft National Language Support Downlevel APIs
Microsoft Office 2007 Service Pack 3 (SP3)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office File Validation Add-In
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Visio Professional 2003
Microsoft Office Word MUI (English) 2007
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft Software Update for Web Folders (English) 12
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Virtual PC 2007
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Modem Helper
Mozilla Firefox 10.0 (x86 en-US)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 6 Service Pack 2 (KB954459)
Musicmatch® Jukebox
NetWaiting
NewCopy_CDA
PanoStandAlone
PhotoGallery
PowerDVD 5.5
ProductContextNPI
QuickTime
RandMap
Readme
RealPlayer
SBC Yahoo! DSL Home Networking Installer
Scan
ScannerCopy
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition
Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition
Security Update for Microsoft Office Publisher 2007 (KB2596705) 32-Bit Edition
Security Update for Microsoft Windows (KB2564958)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB2416400)
Security Update for Windows Internet Explorer 8 (KB2482017)
Security Update for Windows Internet Explorer 8 (KB2497640)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2530548)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2559049)
Security Update for Windows Internet Explorer 8 (KB2586448)
Security Update for Windows Internet Explorer 8 (KB2618444)
Security Update for Windows Internet Explorer 8 (KB2647516)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2491683)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2503665)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276-v2)
Security Update for Windows XP (KB2536276)
Security Update for Windows XP (KB2544893-v2)
Security Update for Windows XP (KB2544893)
Security Update for Windows XP (KB2555917)
Security Update for Windows XP (KB2562937)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2567053)
Security Update for Windows XP (KB2567680)
Security Update for Windows XP (KB2570222)
Security Update for Windows XP (KB2570947)
Security Update for Windows XP (KB2584146)
Security Update for Windows XP (KB2585542)
Security Update for Windows XP (KB2592799)
Security Update for Windows XP (KB2598479)
Security Update for Windows XP (KB2603381)
Security Update for Windows XP (KB2618451)
Security Update for Windows XP (KB2619339)
Security Update for Windows XP (KB2620712)
Security Update for Windows XP (KB2624667)
Security Update for Windows XP (KB2631813)
Security Update for Windows XP (KB2633171)
Security Update for Windows XP (KB2639417)
Security Update for Windows XP (KB2646524)
Security Update for Windows XP (KB2660465)
Security Update for Windows XP (KB2661637)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
SkinsHP1
SolutionCenter
Sonic Audio module
Sonic DLA
Sonic MyDVD LE
Sonic RecordNow Copy
Sonic RecordNow Data
Sonic Update Manager
Sonic_PrimoSDK
Status
Symantec Endpoint Protection
TrayApp
TurboTax ItsDeductible 2006
Unload
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office 2007 suites (KB2596651) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2596789) 32-Bit Edition
Update for Microsoft Office 2007 suites (KB2597970) 32-Bit Edition
Update for Microsoft Office Excel 2007 (KB2596596) 32-Bit Edition
Update for Windows Internet Explorer 8 (KB975364)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB2541763)
Update for Windows XP (KB2607712)
Update for Windows XP (KB2616676)
Update for Windows XP (KB2641690)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
WebFldrs XP
WebReg
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage v1.3.0254.0
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Media Connect
Windows Media Format 11 runtime
Windows Media Format SDK Hotfix - KB891122
Windows Media Player 10
Windows Media Player 11
Windows XP Service Pack 3
WinZip
WordPerfect Office 12
WSOP-USA.com
.
==== Event Viewer Messages From Past Week ========
.
3/21/2012 3:32:04 PM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {555F3418-D99E-4E51-800A-6E89CFD8B1D7}
3/21/2012 2:49:31 PM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
.
==== End Of File ===========================

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-03-28 21:25:24
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort0 WDC_WD800BB-75JHC0 rev.06.01C06
Running: v424nrr2.exe; Driver: C:\DOCUME~1\Mike\LOCALS~1\Temp\ugtdipow.sys

---- System - GMER 1.0.15 ----

SSDT 8A506F88 ZwAlertResumeThread
SSDT 8A41BA38 ZwAlertThread
SSDT 8A4471F0 ZwAllocateVirtualMemory
SSDT 8A41C090 ZwConnectPort
SSDT 8A4D9CB0 ZwCreateMutant
SSDT 8A3C6378 ZwCreateThread
SSDT 8A555468 ZwFreeVirtualMemory
SSDT 8A45A158 ZwImpersonateAnonymousToken
SSDT 8A39ABE0 ZwImpersonateThread
SSDT 8A3F5350 ZwMapViewOfSection
SSDT 8A3AA180 ZwOpenEvent
SSDT 8A4E9A90 ZwOpenProcessToken
SSDT 8A3FB3C0 ZwOpenThreadToken
SSDT 8A39C178 ZwResumeThread
SSDT 8A3BB378 ZwSetContextThread
SSDT 8A3BE2B0 ZwSetInformationProcess
SSDT 8A40C9D0 ZwSetInformationThread
SSDT 8A3A6180 ZwSuspendProcess
SSDT 8A50B9D0 ZwSuspendThread
SSDT 8A3B1178 ZwTerminateProcess
SSDT 8A4E9168 ZwTerminateThread
SSDT 8A3B0748 ZwUnmapViewOfSection
SSDT 8A4EA738 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

init C:\WINDOWS\system32\drivers\senfilt.sys entry point in "init" section [0xB9A0CF80]
? C:\WINDOWS\system32\Drivers\PROCEXP152.SYS The system cannot find the file specified. !
? C:\DOCUME~1\Mike\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\svchost.exe[2352] kernel32.dll!WriteFile 7C810E27 5 Bytes JMP 0092000C
.text C:\WINDOWS\system32\svchost.exe[2352] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 0134000A
.text C:\WINDOWS\system32\svchost.exe[2352] USER32.dll!WindowFromPoint 7E429766 5 Bytes JMP 0135000A
.text C:\WINDOWS\system32\svchost.exe[2352] USER32.dll!GetForegroundWindow 7E429823 5 Bytes JMP 0136000A
.text C:\WINDOWS\system32\svchost.exe[2352] ole32.dll!CoCreateInstance 774FF1BC 5 Bytes JMP 00E4000A

---- Devices - GMER 1.0.15 ----

Device Ntfs.sys (NT File System Driver/Microsoft Corporation)
Device Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 8A1562C6
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP0T0L0-3 8A1562C6
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 8A1562C6
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T0L0-e 8A1562C6

AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)

AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device Cdfs.SYS (CD-ROM File System Driver/Microsoft Corporation)
Device tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Classes\CLSID\{2B281F75-2A00-CEB2-C5CE-143F6EB652C1}\Implemented Categories\{62C8FE65-4EBB-45E7-B440-6E39B2CDBF29}
Reg HKLM\SOFTWARE\Classes\CLSID\{2B281F75-2A00-CEB2-C5CE-143F6EB652C1}\Implemented Categories\{62C8FE65-4EBB-45E7-B440-6E39B2CDBF29}@
Reg HKLM\SOFTWARE\Classes\CLSID\{2B281F75-2A00-CEB2-C5CE-143F6EB652C1}\InprocServer32@RuntimeVersion v2.0.50727
Reg HKLM\SOFTWARE\Classes\CLSID\{2B281F75-2A00-CEB2-C5CE-143F6EB652C1}\InprocServer32@Assembly Microsoft.Vsa.Vb.CodeDOMProcessor, Version=8.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
Reg HKLM\SOFTWARE\Classes\CLSID\{2B281F75-2A00-CEB2-C5CE-143F6EB652C1}\InprocServer32@Class Microsoft.Vsa.Vb.CodeDOM.Location
Reg HKLM\SOFTWARE\Classes\CLSID\{2B281F75-2A00-CEB2-C5CE-143F6EB652C1}\InprocServer32@ThreadingModel Both
Reg HKLM\SOFTWARE\Classes\CLSID\{2B281F75-2A00-CEB2-C5CE-143F6EB652C1}\InprocServer32@ C:\WINDOWS\system32\MSCorEE.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{31E3FC97-DFA6-BD2D-E982-A7B9DBD87050}\Implemented Categories\{0DE86A54-2BAA-11CF-A229-00AA003D7352}
Reg HKLM\SOFTWARE\Classes\CLSID\{31E3FC97-DFA6-BD2D-E982-A7B9DBD87050}\Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352}
Reg HKLM\SOFTWARE\Classes\CLSID\{31E3FC97-DFA6-BD2D-E982-A7B9DBD87050}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}
Reg HKLM\SOFTWARE\Classes\CLSID\{31E3FC97-DFA6-BD2D-E982-A7B9DBD87050}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}
Reg HKLM\SOFTWARE\Classes\CLSID\{31E3FC97-DFA6-BD2D-E982-A7B9DBD87050}\InprocServer32@ C:\WINDOWS\system32\msvidctl.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{31E3FC97-DFA6-BD2D-E982-A7B9DBD87050}\InprocServer32@ThreadingModel Both
Reg HKLM\SOFTWARE\Classes\CLSID\{31E3FC97-DFA6-BD2D-E982-A7B9DBD87050}\ProgID@ BDATuner.ChannelTuneRequest.1
Reg HKLM\SOFTWARE\Classes\CLSID\{31E3FC97-DFA6-BD2D-E982-A7B9DBD87050}\TypeLib@ {9B085638-018E-11D3-9D8E-00C04F72D980}
Reg HKLM\SOFTWARE\Classes\CLSID\{31E3FC97-DFA6-BD2D-E982-A7B9DBD87050}\VersionIndependentProgID@ BDATuner.ChannelTuneRequest
Reg HKLM\SOFTWARE\Classes\CLSID\{77F8D6E9-F0A7-8D50-B905-CAC75B2E221B}\InprocServer32@ C:\Program Files\Common Files\Microsoft Shared\DAO\dao360.dll
Reg HKLM\SOFTWARE\Classes\CLSID\{77F8D6E9-F0A7-8D50-B905-CAC75B2E221B}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{77F8D6E9-F0A7-8D50-B905-CAC75B2E221B}\ProgID@ DAO.Group.36

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 TDL4@MBR code has been found <-- ROOTKIT !!!
Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\LocalService\Cookies\9CJ4M58D.txt 228 bytes
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\0QXBP4Y0\beacon[5].js 0 bytes
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\0QXBP4Y0\en-ZW[1] 15258 bytes
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\0QXBP4Y0\1104124566[1] 16743 bytes
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\0RW8MX2G\search[5].htm 233 bytes
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\0RW8MX2G\topscript.js[1].php 0 bytes
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\0RW8MX2G\728x90_top[2].gif 0 bytes
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\0RW8MX2G\plcr_1866424_253135209_1331054440820[1].js 0 bytes
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\0RW8MX2G\quickfashionshop[1].php 0 bytes
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\0RW8MX2G\checkBrowser[1].htm 0 bytes
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\2181XO7Q\like[4].php 0 bytes
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\2181XO7Q\default[1].css 2189 bytes
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\2181XO7Q\ad_imp[6].gif 43 bytes
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\2181XO7Q\bobs-burgers-opening-january_large[1].jpg 15249 bytes
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\31CUURL0\modernizr[1].js 36607 bytes
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\31CUURL0\track[1].xml 485 bytes
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\31CUURL0\combo[1] 10602 bytes
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\31CUURL0\piggy-back-on-ads[1].js 1111 bytes
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\3RWVS7AU\1[1].jpg 4216 bytes
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\3RWVS7AU\set[1].gif 43 bytes
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\3RWVS7AU\shutter-reloaded[1].js 9027 bytes
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\3RWVS7AU\03062012-26v[1].jpg 5852 bytes
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\3RWVS7AU\03222012-37v[1].jpg 7715 bytes
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\3RWVS7AU\logoLitePlayer[1].js 5728 bytes
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\4QZOCX87\auth[1].js 54653 bytes
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\81GEUMTX\icon-music[1].png 374 bytes
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\IBBOE6WO\GetAd[2].aspx 0 bytes
File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\IBBOE6WO\st[4] 0 bytes

---- EOF - GMER 1.0.15 ----

Phantom010 · 10:54 PM

This is the proxy server setting Cookiegal was referring to:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:25419

Malware will often change Lan settings and configure proxy settings by "tunneling" traffic through a certain port (e.g. Local address: 127.0.0.1 Port: 25419).

Open Internet Explorer. Click Tools > Internet Options > Connections > Lan settings > Proxy server > Advanced > delete proxy server settings > click OK > uncheck all boxes > click OK.

In Firefox, click Tools > Options... > General > Advanced > Network > Settings > delete proxy settings > select No proxy > click OK.

joyo915 · 29-Mar-2012, 01:19 PM #9

I followed your instructions Phantom to turning off the proxy server for both Internet Explorer and Firefox. Is there anything I should expect from this?

**Cookiegal** · 29-Mar-2012, 01:31 PM **#10**

Please visit Combofix Guide & Instructions for instructions for installing the recovery console and downloading and running ComboFix.

The only thing different from the instructions there is that when downloading and saving the ComboFix.exe I would like you to rename it to puppy.exe please.

Post the log from ComboFix when you've accomplished that along with a new HijackThis log.

Important notes regarding ComboFix:

ComboFix may reset a number of Internet Explorer's settings, including making it the default browser. This can easily be changed once we're finished.

ComboFix also prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you, please let me know. This can be undone manually when we're finished. Read HERE for an article written by dvk01 on why we disable autoruns.

joyo915 · 29-Mar-2012, 07:48 PM **#11**

ComboFix 12-03-29.02 - Mike 03/29/2012 17:39:52.5.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1534.627 [GMT -5:00]
Running from: c:\documents and settings\Mike\Desktop\puppy.exe
AV: AVG Anti-Virus Free Edition 2011 *Enabled/Outdated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Symantec Endpoint Protection *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\All Users\Application Data\TEMP\DFC5A2B2.TMP
c:\documents and settings\Joanna\WINDOWS
c:\documents and settings\Mike\Application Data\HPSU_48BitScanUpdate.log
.
.
((((((((((((((((((((((((( Files Created from 2012-02-28 to 2012-03-29 )))))))))))))))))))))))))))))))
.
.
2012-03-27 23:35 . 2012-03-28 22:05 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-03-21 19:27 . 2012-01-03 22:52 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-01-12 16:53 . 2004-08-04 10:00 1859968 ----a-w- c:\windows\system32\win32k.sys
2012-01-11 19:06 . 2012-02-15 06:07 3072 ------w- c:\windows\system32\iacenc.dll
2012-03-29 21:41 . 2012-03-29 21:41 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2009-07-09 115560]
"2wSysTray"="c:\program files\2Wire\2PortalMon.exe" [2004-09-15 393216]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-8-10 24576]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtM gr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetM gr]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symant ec Antivirus]
@="Service"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=c:\windows\pss\HP Image Zone Fast Start.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-10-15 06:04 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonMyPrinter]
2009-10-19 02:12 1983816 ----a-w- c:\program files\Canon\MyPrinter\BJMYPRT.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonSolutionMenu]
2009-09-04 01:43 767312 ----a-w- c:\program files\Canon\SolutionMenu\CNSLMAIN.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\SYSTEM32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
2007-03-15 16:09 460784 ----a-w- c:\program files\DellSupport\DSAgnt.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
2005-02-23 21:19 53248 ------w- c:\program files\CyberLink\PowerDVD\DVDLauncher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2009-02-27 00:36 30040 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2005-05-12 04:12 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-11-12 22:33 141600 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
2006-01-17 18:03 53248 ----a-w- c:\program files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
2006-01-17 18:03 135168 ----a-w- c:\program files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-11 05:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
2007-11-08 01:21 214296 ----a-w- c:\program files\Real\RealPlayer\realplay.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2007-11-08 01:20 185632 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Avg7UpdSvc"=2 (0x2)
"Avg7Alrt"=2 (0x2)
"iPodService"=3 (0x3)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\Auth orizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=
"c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=
"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=
.
R3 COH_Mon;COH_Mon;c:\windows\system32\Drivers\COH_Mon.sys [2009-07-14 23888]
R3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\DRIVERS\motccgp.sys [2008-08-22 18688]
R3 motccgpfl;MotCcgpFlService;c:\windows\system32\DRIVERS\motccgpfl.sys [2008-08-22 8320]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2012-02-13 106104]
.
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - PROCEXP152
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2009-03-08 09:32 128512 ----a-w- c:\windows\SYSTEM32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder
.
2012-03-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]
.
2012-03-29 c:\windows\Tasks\User_Feed_Synchronization-{D7D3EEA8-5ED5-449A-A919-5100F9F30A19}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://att.net/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
TCP: DhcpNameServer = 192.168.1.254
DPF: {D71F9A27-723E-4B8B-B428-B725E47CBA3E} - hxxp://imikimi.com/download/imikimi_plugin_0.5.1.cab
FF - ProfilePath - c:\documents and settings\Mike\Application Data\Mozilla\Firefox\Profiles\98c72a03.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: network.proxy.type - 0
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-Symantec Antvirus
AddRemove-ESPN Java Check - c:\windows\system32\javaws.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-03-29 18:24
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD800BB-75JHC0 rev.06.01C06 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x89FB32C6
user & kernel MBR OK
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(840)
c:\windows\system32\WININET.dll
.
- - - - - - - > 'lsass.exe'(900)
c:\windows\system32\WININET.dll
.
Completion time: 2012-03-29 18:36:23
ComboFix-quarantined-files.txt 2012-03-29 23:36
ComboFix2.txt 2011-02-08 01:25
.
Pre-Run: 47,139,483,648 bytes free
Post-Run: 48,256,032,768 bytes free
.
- - End Of File - - A7A10F22349A931262E8B5F1FC05D18F

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 6:47:35 PM, on 3/29/2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\2Wire\2PortalMon.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\Mike\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R3 - URLSearchHook: (no name) - {472734EA-242A-422b-ADF8-83D1E48CC825} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\2PortalMon.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
O9 - Extra button: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (file missing)
O9 - Extra 'Tools' menuitem: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (file missing)
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {362C56AA-6E4F-40C7-A0B5-85501DBDAD77} (Scanner.SysScanner) - http://i.dell.com/images/global/js/s.../SysProExe.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1136499180796
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramewor...o.cab56649.cab
O16 - DPF: {D71F9A27-723E-4B8B-B428-B725E47CBA3E} - http://imikimi.com/download/imikimi_plugin_0.5.1.cab
O16 - DPF: {E5168F0C-8591-11D4-BCDF-006008B7FEA4} - http://www.platoweb01.com/pathways/p...b/pwlninst.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe

--
End of file - 8348 bytes

**Cookiegal** · 29-Mar-2012, 09:34 PM **#12**

Please download aswMBR.exe and save it to your desktop.

Double click aswMBR.exe to start the tool (Vista/Windows 7 users - right click to run as administrator) and allow it to download the Avast database.

Click Scan.

Upon completion of the scan, click Save log then save it to your desktop and post that log in your next reply for review.
Note - do NOT attempt any Fix yet.

joyo915 · 30-Mar-2012, 11:37 AM **#13**

aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-03-30 10:28:34
-----------------------------
10:28:34.593 OS Version: Windows 5.1.2600 Service Pack 3
10:28:34.593 Number of processors: 1 586 0x401
10:28:34.593 ComputerName: HOME UserName: Mike
10:28:43.187 Initialize success
10:35:30.296 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
10:35:30.312 Disk 0 Vendor: WDC_WD800BB-75JHC0 06.01C06 Size: 76293MB BusType: 3
10:35:30.312 Device \Driver\atapi -> DriverStartIo 89fd72c6
10:35:30.312 Disk 0 MBR read successfully
10:35:30.312 Disk 0 MBR scan
10:35:30.312 Disk 0 TDL4@MBR code has been found
10:35:30.312 Disk 0 MBR hidden
10:35:30.312 Disk 0 Partition 1 00 DE Dell Utility Dell 4.1 39 MB offset 63
10:35:30.343 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 72606 MB offset 80325
10:35:30.375 Disk 0 Partition 3 00 DB CP/M / CTOS MSWIN4.1 3639 MB offset 148777965
10:35:30.375 Disk 0 MBR [TDL4] **ROOTKIT**
10:35:30.375 Disk 0 trace - called modules:
10:35:30.375 ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x89fd749f]<<
10:35:30.390 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a509a30]
10:35:30.656 3 CLASSPNP.SYS[f76b7fd7] -> nt!IofCallDriver -> [0x8a1c4c88]
10:35:30.671 \Driver\atapi[0x8a1b15d0] -> IRP_MJ_CREATE -> 0x89fd749f
10:35:30.671 Scan finished successfully
10:35:53.781 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Mike\Desktop\MBR.dat"
10:35:53.796 The log file has been saved successfully to "C:\Documents and Settings\Mike\Desktop\aswMBR.txt"

**Cookiegal** · 30-Mar-2012, 01:46 PM **#14**

Please go to the following link and download and run TDSSKiller:

http://support.kaspersky.com/viruses...?qid=208280684

Allow it cure anything if prompted.

Please post the log back here.

joyo915 · 31-Mar-2012, 12:34 PM **#15**

10:30:10.0281 2148 TDSS rootkit removing tool 2.7.23.0 Mar 26 2012 13:40:18
10:30:10.0859 2148 ============================================================
10:30:10.0859 2148 Current date / time: 2012/03/31 10:30:10.0859
10:30:10.0859 2148 SystemInfo:
10:30:10.0859 2148
10:30:10.0875 2148 OS Version: 5.1.2600 ServicePack: 3.0
10:30:10.0875 2148 Product type: Workstation
10:30:10.0875 2148 ComputerName: HOME
10:30:10.0875 2148 UserName: Mike
10:30:10.0875 2148 Windows directory: C:\WINDOWS
10:30:10.0875 2148 System windows directory: C:\WINDOWS
10:30:10.0875 2148 Processor architecture: Intel x86
10:30:10.0875 2148 Number of processors: 1
10:30:10.0875 2148 Page size: 0x1000
10:30:10.0875 2148 Boot type: Normal boot
10:30:10.0875 2148 ============================================================
10:30:17.0781 2148 Drive \Device\Harddisk0\DR0 - Size: 0x12A05F2000 (74.51 Gb), SectorSize: 0x200, Cylinders: 0x25FE, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
10:30:17.0812 2148 \Device\Harddisk0\DR0:
10:30:17.0812 2148 MBR used
10:30:17.0812 2148 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x139C5, BlocksNum 0x8DCF228
10:30:18.0171 2148 Initialize success
10:30:18.0171 2148 ============================================================
10:30:26.0906 4000 ============================================================
10:30:26.0906 4000 Scan started
10:30:26.0906 4000 Mode: Manual;
10:30:26.0906 4000 ============================================================
10:30:28.0781 4000 Abiosdsk - ok
10:30:29.0156 4000 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS
10:30:29.0218 4000 abp480n5 - ok
10:30:30.0000 4000 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
10:30:30.0078 4000 ACPI - ok
10:30:30.0437 4000 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
10:30:30.0484 4000 ACPIEC - ok
10:30:31.0093 4000 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys
10:30:31.0203 4000 adpu160m - ok
10:30:31.0718 4000 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
10:30:31.0765 4000 aec - ok
10:30:32.0250 4000 AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys
10:30:32.0328 4000 AFD - ok
10:30:32.0828 4000 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys
10:30:32.0875 4000 agp440 - ok
10:30:33.0390 4000 agpCPQ (03a7e0922acfe1b07d5db2eeb0773063) C:\WINDOWS\system32\DRIVERS\agpCPQ.sys
10:30:33.0437 4000 agpCPQ - ok
10:30:34.0000 4000 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\system32\DRIVERS\aha154x.sys
10:30:34.0015 4000 Aha154x - ok
10:30:34.0703 4000 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys
10:30:34.0875 4000 aic78u2 - ok
10:30:35.0390 4000 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys
10:30:35.0437 4000 aic78xx - ok
10:30:35.0937 4000 Alerter (a9a3daa780ca6c9671a19d52456705b4) C:\WINDOWS\system32\alrsvc.dll
10:30:36.0000 4000 Alerter - ok
10:30:36.0343 4000 ALG (8c515081584a38aa007909cd02020b3d) C:\WINDOWS\System32\alg.exe
10:30:36.0343 4000 ALG - ok
10:30:36.0984 4000 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys
10:30:37.0031 4000 AliIde - ok
10:30:37.0593 4000 alim1541 (cb08aed0de2dd889a8a820cd8082d83c) C:\WINDOWS\system32\DRIVERS\alim1541.sys
10:30:37.0656 4000 alim1541 - ok
10:30:38.0296 4000 amdagp (95b4fb835e28aa1336ceeb07fd5b9398) C:\WINDOWS\system32\DRIVERS\amdagp.sys
10:30:38.0406 4000 amdagp - ok
10:30:38.0984 4000 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\system32\DRIVERS\amsint.sys
10:30:39.0234 4000 amsint - ok
10:30:39.0578 4000 Apple Mobile Device (4b5ae15e5c73eb4dc8dbec2788230d41) C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
10:30:39.0593 4000 Apple Mobile Device - ok
10:30:40.0015 4000 AppMgmt - ok
10:30:40.0625 4000 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\system32\DRIVERS\asc.sys
10:30:40.0703 4000 asc - ok
10:30:41.0234 4000 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\system32\DRIVERS\asc3350p.sys
10:30:41.0265 4000 asc3350p - ok
10:30:41.0750 4000 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\system32\DRIVERS\asc3550.sys
10:30:41.0796 4000 asc3550 - ok
10:30:42.0250 4000 aspnet_state (0e5e4957549056e2bf2c49f4f6b601ad) C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
10:30:42.0796 4000 aspnet_state - ok
10:30:43.0250 4000 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
10:30:43.0281 4000 AsyncMac - ok
10:30:43.0906 4000 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
10:30:43.0906 4000 atapi - ok
10:30:44.0375 4000 Atdisk - ok
10:30:45.0046 4000 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
10:30:45.0109 4000 Atmarpc - ok
10:30:45.0546 4000 AudioSrv (def7a7882bec100fe0b2ce2549188f9d) C:\WINDOWS\System32\audiosrv.dll
10:30:45.0640 4000 AudioSrv - ok
10:30:46.0234 4000 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
10:30:46.0265 4000 audstub - ok
10:30:46.0765 4000 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
10:30:46.0765 4000 Beep - ok
10:30:47.0343 4000 BITS (574738f61fca2935f5265dc4e5691314) C:\WINDOWS\system32\qmgr.dll
10:30:47.0750 4000 BITS - ok
10:30:48.0203 4000 Browser (a06ce3399d16db864f55faeb1f1927a9) C:\WINDOWS\System32\browser.dll
10:30:48.0218 4000 Browser - ok
10:30:48.0781 4000 bvrp_pci - ok
10:30:48.0953 4000 catchme - ok
10:30:49.0515 4000 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\DRIVERS\cbidf2k.sys
10:30:49.0640 4000 cbidf - ok
10:30:50.0156 4000 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
10:30:50.0156 4000 cbidf2k - ok
10:30:50.0406 4000 ccEvtMgr (27d036fb3d22ca8a6662fe960d1a937d) C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
10:30:50.0453 4000 ccEvtMgr - ok
10:30:50.0500 4000 ccSetMgr (27d036fb3d22ca8a6662fe960d1a937d) C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
10:30:50.0500 4000 ccSetMgr - ok
10:30:50.0984 4000 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\system32\DRIVERS\cd20xrnt.sys
10:30:51.0328 4000 cd20xrnt - ok
10:30:51.0859 4000 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
10:30:51.0875 4000 Cdaudio - ok
10:30:52.0453 4000 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
10:30:52.0484 4000 Cdfs - ok
10:30:53.0125 4000 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
10:30:53.0171 4000 Cdrom - ok
10:30:53.0781 4000 Changer - ok
10:30:54.0250 4000 CiSvc (1cfe720eb8d93a7158a4ebc3ab178bde) C:\WINDOWS\system32\cisvc.exe
10:30:54.0500 4000 CiSvc - ok
10:30:54.0984 4000 ClipSrv (34cbe729f38138217f9c80212a2a0c82) C:\WINDOWS\system32\clipsrv.exe
10:30:55.0171 4000 ClipSrv - ok
10:30:55.0468 4000 clr_optimization_v2.0.50727_32 (d87acaed61e417bba546ced5e7e36d9c) C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
10:30:56.0406 4000 clr_optimization_v2.0.50727_32 - ok
10:30:56.0953 4000 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\system32\DRIVERS\cmdide.sys
10:30:57.0000 4000 CmdIde - ok
10:30:57.0515 4000 COH_Mon (c586875ece5318c6309ed1ab79d0e55f) C:\WINDOWS\system32\Drivers\COH_Mon.sys
10:30:57.0531 4000 COH_Mon - ok
10:30:57.0937 4000 COMSysApp - ok
10:30:58.0343 4000 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\system32\DRIVERS\cpqarray.sys
10:30:58.0437 4000 Cpqarray - ok
10:30:58.0984 4000 CryptSvc (3d4e199942e29207970e04315d02ad3b) C:\WINDOWS\System32\cryptsvc.dll
10:30:59.0000 4000 CryptSvc - ok
10:30:59.0546 4000 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\system32\DRIVERS\dac2w2k.sys
10:30:59.0687 4000 dac2w2k - ok
10:31:00.0203 4000 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\system32\DRIVERS\dac960nt.sys
10:31:00.0406 4000 dac960nt - ok
10:31:00.0968 4000 DcomLaunch (6b27a5c03dfb94b4245739065431322c) C:\WINDOWS\system32\rpcss.dll
10:31:01.0140 4000 DcomLaunch - ok
10:31:01.0671 4000 Dhcp (5e38d7684a49cacfb752b046357e0589) C:\WINDOWS\System32\dhcpcsvc.dll
10:31:01.0750 4000 Dhcp - ok
10:31:02.0234 4000 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
10:31:02.0437 4000 Disk - ok
10:31:02.0796 4000 dmadmin - ok
10:31:03.0515 4000 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
10:31:04.0296 4000 dmboot - ok
10:31:04.0921 4000 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
10:31:05.0187 4000 dmio - ok
10:31:05.0765 4000 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
10:31:05.0828 4000 dmload - ok
10:31:06.0390 4000 dmserver (57edec2e5f59f0335e92f35184bc8631) C:\WINDOWS\System32\dmserver.dll
10:31:06.0671 4000 dmserver - ok
10:31:07.0187 4000 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
10:31:07.0250 4000 DMusic - ok
10:31:07.0656 4000 Dnscache (5f7e24fa9eab896051ffb87f840730d2) C:\WINDOWS\System32\dnsrslvr.dll
10:31:07.0703 4000 Dnscache - ok
10:31:08.0250 4000 Dot3svc (0f0f6e687e5e15579ef4da8dd6945814) C:\WINDOWS\System32\dot3svc.dll
10:31:08.0312 4000 Dot3svc - ok
10:31:08.0781 4000 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\system32\DRIVERS\dpti2o.sys
10:31:08.0812 4000 dpti2o - ok
10:31:09.0328 4000 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
10:31:09.0328 4000 drmkaud - ok
10:31:09.0890 4000 drvmcdb (96bc8f872f0270c10edc3931f1c03776) C:\WINDOWS\system32\drivers\drvmcdb.sys
10:31:09.0937 4000 drvmcdb - ok
10:31:10.0687 4000 drvnddm (5afbec7a6ac61b211633dfdb1d9e0c89) C:\WINDOWS\system32\drivers\drvnddm.sys
10:31:10.0703 4000 drvnddm - ok
10:31:10.0921 4000 DSBrokerService (fe80901578e7e3da70299a5aeb2b7fbd) C:\Program Files\DellSupport\brkrsvc.exe
10:31:11.0718 4000 DSBrokerService - ok
10:31:11.0984 4000 DSproct (413f2d5f9d802688242c23b38f767ecb) C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys
10:31:12.0140 4000 DSproct - ok
10:31:12.0515 4000 dsunidrv (dfeabb7cfffadea4a912ab95bdc3177a) C:\WINDOWS\system32\DRIVERS\dsunidrv.sys
10:31:12.0531 4000 dsunidrv - ok
10:31:13.0031 4000 E100B (7d91dc6342248369f94d6eba0cf42e99) C:\WINDOWS\system32\DRIVERS\e100b325.sys
10:31:13.0093 4000 E100B - ok
10:31:13.0453 4000 EapHost (2187855a7703adef0cef9ee4285182cc) C:\WINDOWS\System32\eapsvc.dll
10:31:13.0500 4000 EapHost - ok
10:31:13.0984 4000 eeCtrl (579a6b6135d32b857faf0e3a974535d8) C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
10:31:14.0203 4000 eeCtrl - ok
10:31:14.0468 4000 EraserUtilRebootDrv (028d50f059bd0d2ccb209e9011b9a9a4) C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
10:31:14.0500 4000 EraserUtilRebootDrv - ok
10:31:15.0015 4000 ERSvc (bc93b4a066477954555966d77fec9ecb) C:\WINDOWS\System32\ersvc.dll
10:31:15.0031 4000 ERSvc - ok
10:31:15.0515 4000 Eventlog (65df52f5b8b6e9bbd183505225c37315) C:\WINDOWS\system32\services.exe
10:31:15.0531 4000 Eventlog - ok
10:31:16.0109 4000 EventSystem (d4991d98f2db73c60d042f1aef79efae) C:\WINDOWS\system32\es.dll
10:31:16.0171 4000 EventSystem - ok
10:31:16.0625 4000 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
10:31:16.0937 4000 Fastfat - ok
10:31:17.0421 4000 FastUserSwitchingCompatibility (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll
10:31:17.0453 4000 FastUserSwitchingCompatibility - ok
10:31:18.0250 4000 Fax (e97d6a8684466df94ff3bc24fb787a07) C:\WINDOWS\system32\fxssvc.exe
10:31:18.0562 4000 Fax - ok
10:31:19.0140 4000 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
10:31:19.0250 4000 Fdc - ok
10:31:19.0734 4000 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
10:31:19.0765 4000 Fips - ok
10:31:20.0312 4000 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
10:31:20.0343 4000 Flpydisk - ok
10:31:20.0984 4000 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
10:31:21.0171 4000 FltMgr - ok
10:31:21.0546 4000 FontCache3.0.0.0 (8ba7c024070f2b7fdd98ed8a4ba41789) c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
10:31:21.0703 4000 FontCache3.0.0.0 - ok
10:31:22.0234 4000 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
10:31:22.0234 4000 Fs_Rec - ok
10:31:22.0796 4000 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
10:31:22.0890 4000 Ftdisk - ok
10:31:23.0437 4000 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
10:31:23.0531 4000 GEARAspiWDM - ok
10:31:23.0968 4000 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
10:31:24.0015 4000 Gpc - ok
10:31:24.0234 4000 helpsvc (4fcca060dfe0c51a09dd5c3843888bcd) C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll
10:31:24.0250 4000 helpsvc - ok
10:31:24.0546 4000 HidServ - ok
10:31:24.0937 4000 hkmsvc (8878bd685e490239777bfe51320b88e9) C:\WINDOWS\System32\kmsvc.dll
10:31:25.0000 4000 hkmsvc - ok
10:31:25.0390 4000 hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\system32\DRIVERS\hpn.sys
10:31:25.0468 4000 hpn - ok
10:31:25.0906 4000 HPZid412 (9f1d80908658eb7f1bf70809e0b51470) C:\WINDOWS\system32\DRIVERS\HPZid412.sys
10:31:25.0953 4000 HPZid412 - ok
10:31:26.0437 4000 HPZipr12 (f7e3e9d50f9cd3de28085a8fdaa0a1c3) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
10:31:26.0484 4000 HPZipr12 - ok
10:31:27.0031 4000 HPZius12 (cf1b7951b4ec8d13f3c93b74bb2b461b) C:\WINDOWS\system32\DRIVERS\HPZius12.sys
10:31:27.0093 4000 HPZius12 - ok
10:31:27.0843 4000 HSFHWBS2 (77e4ff0b73bc0aeaaf39bf0c8104231f) C:\WINDOWS\system32\DRIVERS\HSFHWBS2.sys
10:31:27.0984 4000 HSFHWBS2 - ok
10:31:28.0906 4000 HSF_DP (60e1604729a15ef4a3b05f298427b3b1) C:\WINDOWS\system32\DRIVERS\HSF_DP.sys
10:31:29.0312 4000 HSF_DP - ok
10:31:29.0937 4000 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
10:31:30.0078 4000 HTTP - ok
10:31:30.0484 4000 HTTPFilter (6100a808600f44d999cebdef8841c7a3) C:\WINDOWS\System32\w3ssl.dll
10:31:30.0500 4000 HTTPFilter - ok
10:31:31.0187 4000 i2omgmt (9368670bd426ebea5e8b18a62416ec28) C:\WINDOWS\system32\drivers\i2omgmt.sys
10:31:31.0203 4000 i2omgmt - ok
10:31:31.0812 4000 i2omp (f10863bf1ccc290babd1a09188ae49e0) C:\WINDOWS\system32\DRIVERS\i2omp.sys
10:31:31.0890 4000 i2omp - ok
10:31:32.0515 4000 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
10:31:32.0593 4000 i8042prt - ok
10:31:33.0640 4000 ialm (9a883c3c4d91292c0d09de7c728e781c) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
10:31:34.0453 4000 ialm - ok
10:31:34.0859 4000 IDriverT (1cf03c69b49acb70c722df92755c0c8c) C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
10:31:34.0953 4000 IDriverT - ok
10:31:35.0812 4000 idsvc (c01ac32dc5c03076cfb852cb5da5229c) c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
10:31:36.0671 4000 idsvc - ok
10:31:37.0296 4000 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
10:31:37.0328 4000 Imapi - ok
10:31:37.0953 4000 ImapiService (30deaf54a9755bb8546168cfe8a6b5e1) C:\WINDOWS\system32\imapi.exe
10:31:38.0015 4000 ImapiService - ok
10:31:38.0578 4000 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\system32\DRIVERS\ini910u.sys
10:31:38.0781 4000 ini910u - ok
10:31:39.0531 4000 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
10:31:39.0578 4000 IntelIde - ok
10:31:40.0328 4000 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
10:31:40.0406 4000 intelppm - ok
10:31:41.0046 4000 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
10:31:41.0109 4000 Ip6Fw - ok
10:31:41.0640 4000 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
10:31:41.0687 4000 IpFilterDriver - ok
10:31:42.0343 4000 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
10:31:42.0375 4000 IpInIp - ok
10:31:42.0984 4000 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
10:31:43.0031 4000 IpNat - ok
10:31:43.0437 4000 iPod Service (7a3611564fce7c8be50b03f58cb3eb7d) C:\Program Files\iPod\bin\iPodService.exe
10:31:43.0875 4000 iPod Service - ok
10:31:44.0359 4000 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
10:31:44.0406 4000 IPSec - ok
10:31:44.0875 4000 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
10:31:44.0921 4000 IRENUM - ok
10:31:45.0484 4000 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
10:31:45.0546 4000 isapnp - ok
10:31:46.0046 4000 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
10:31:46.0109 4000 Kbdclass - ok
10:31:46.0625 4000 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
10:31:46.0687 4000 kmixer - ok
10:31:47.0187 4000 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
10:31:47.0281 4000 KSecDD - ok
10:31:47.0671 4000 lanmanserver (3a7c3cbe5d96b8ae96ce81f0b22fb527) C:\WINDOWS\System32\srvsvc.dll
10:31:47.0718 4000 lanmanserver - ok
10:31:48.0343 4000 lanmanworkstation (a8888a5327621856c0cec4e385f69309) C:\WINDOWS\System32\wkssvc.dll
10:31:48.0390 4000 lanmanworkstation - ok
10:31:48.0703 4000 lbrtfdc - ok
10:31:50.0140 4000 LiveUpdate (e34152d03caaaaa81dd66d803f392522) C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
10:31:51.0671 4000 LiveUpdate - ok
10:31:52.0125 4000 LmHosts (a7db739ae99a796d91580147e919cc59) C:\WINDOWS\System32\lmhsvc.dll
10:31:52.0125 4000 LmHosts - ok
10:31:52.0515 4000 McciCMService (67b6f4e0db57dd2020a2415294ba4ed8) C:\Program Files\Common Files\Motive\McciCMService.exe
10:31:52.0515 4000 McciCMService - ok
10:31:53.0000 4000 MDC8021X (d7010580bf4e45d5e793a1fe75758c69) C:\WINDOWS\system32\DRIVERS\mdc8021x.sys
10:31:53.0015 4000 MDC8021X - ok
10:31:53.0531 4000 mdmxsdk (eeaea6514ba7c9d273b5e87c4e1aab30) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
10:31:53.0546 4000 mdmxsdk - ok
10:31:53.0953 4000 Messenger (986b1ff5814366d71e0ac5755c88f2d3) C:\WINDOWS\System32\msgsvc.dll
10:31:53.0984 4000 Messenger - ok
10:31:54.0453 4000 Microsoft Office Groove Audit Service (123271bd5237ab991dc5c21fdf8835eb) C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe
10:31:54.0671 4000 Microsoft Office Groove Audit Service - ok
10:31:55.0140 4000 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
10:31:55.0156 4000 mnmdd - ok
10:31:55.0734 4000 mnmsrvc (d18f1f0c101d06a1c1adf26eed16fcdd) C:\WINDOWS\system32\mnmsrvc.exe
10:31:55.0812 4000 mnmsrvc - ok
10:31:56.0406 4000 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
10:31:56.0406 4000 Modem - ok
10:31:56.0984 4000 MODEMCSA (1992e0d143b09653ab0f9c5e04b0fd65) C:\WINDOWS\system32\drivers\MODEMCSA.sys
10:31:57.0015 4000 MODEMCSA - ok
10:31:57.0609 4000 motccgp (201bfc4ef8b33d02d133fbf6535e515b) C:\WINDOWS\system32\DRIVERS\motccgp.sys
10:31:57.0671 4000 motccgp - ok
10:31:58.0203 4000 motccgpfl (d0242a3832eb7c97801bb25889561e23) C:\WINDOWS\system32\DRIVERS\motccgpfl.sys
10:31:58.0234 4000 motccgpfl - ok
10:31:58.0781 4000 motmodem (fe80c18ba448ddd76b7bead9eb203d37) C:\WINDOWS\system32\DRIVERS\motmodem.sys
10:31:58.0859 4000 motmodem - ok
10:31:59.0343 4000 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
10:31:59.0375 4000 Mouclass - ok
10:31:59.0906 4000 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
10:31:59.0953 4000 MountMgr - ok
10:32:00.0515 4000 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\system32\DRIVERS\mraid35x.sys
10:32:00.0593 4000 mraid35x - ok
10:32:00.0953 4000 MREMP50 (9bd4dcb5412921864a7aacdedfbd1923) C:\PROGRA~1\COMMON~1\Motive\MREMP50.SYS
10:32:01.0000 4000 MREMP50 - ok
10:32:01.0171 4000 MREMP50a64 - ok
10:32:01.0312 4000 MRESP50 (07c02c892e8e1a72d6bf35004f0e9c5e) C:\PROGRA~1\COMMON~1\Motive\MRESP50.SYS
10:32:01.0359 4000 MRESP50 - ok
10:32:01.0562 4000 MRESP50a64 - ok
10:32:02.0218 4000 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
10:32:02.0578 4000 MRxDAV - ok
10:32:03.0359 4000 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
10:32:03.0515 4000 MRxSmb - ok
10:32:04.0000 4000 MSDTC (a137f1470499a205abbb9aafb3b6f2b1) C:\WINDOWS\system32\msdtc.exe
10:32:04.0015 4000 MSDTC - ok
10:32:04.0453 4000 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
10:32:04.0484 4000 Msfs - ok
10:32:04.0796 4000 MSIServer - ok
10:32:05.0171 4000 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
10:32:05.0250 4000 MSKSSRV - ok
10:32:05.0734 4000 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
10:32:05.0828 4000 MSPCLOCK - ok
10:32:06.0484 4000 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
10:32:06.0515 4000 MSPQM - ok
10:32:07.0062 4000 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
10:32:07.0078 4000 mssmbios - ok
10:32:07.0593 4000 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
10:32:07.0687 4000 Mup - ok
10:32:08.0343 4000 NAL (58c3368bd8991cd5c6c848c9dbb25d2b) C:\WINDOWS\system32\Drivers\iqvw32.sys
10:32:08.0406 4000 NAL - ok
10:32:08.0890 4000 napagent (0102140028fad045756796e1c685d695) C:\WINDOWS\System32\qagentrt.dll
10:32:09.0078 4000 napagent - ok
10:32:09.0500 4000 NAVENG (862f55824ac81295837b0ab63f91071f) C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20120327.008\NAVENG.SYS
10:32:09.0515 4000 NAVENG - ok
10:32:10.0687 4000 NAVEX15 (529d571b551cb9da44237389b936f1ae) C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20120327.008\NAVEX15.SYS
10:32:10.0703 4000 NAVEX15 - ok
10:32:11.0250 4000 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
10:32:11.0421 4000 NDIS - ok
10:32:11.0984 4000 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
10:32:12.0031 4000 NdisTapi - ok
10:32:12.0515 4000 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
10:32:12.0546 4000 Ndisuio - ok
10:32:13.0156 4000 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
10:32:13.0250 4000 NdisWan - ok
10:32:13.0828 4000 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
10:32:14.0000 4000 NDProxy - ok
10:32:14.0656 4000 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
10:32:14.0687 4000 NetBIOS - ok
10:32:15.0468 4000 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
10:32:15.0531 4000 NetBT - ok
10:32:16.0093 4000 NetDDE (b857ba82860d7ff85ae29b095645563b) C:\WINDOWS\system32\netdde.exe
10:32:16.0375 4000 NetDDE - ok
10:32:16.0437 4000 NetDDEdsdm (b857ba82860d7ff85ae29b095645563b) C:\WINDOWS\system32\netdde.exe
10:32:16.0437 4000 NetDDEdsdm - ok
10:32:16.0781 4000 Netlogon (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
10:32:16.0781 4000 Netlogon - ok
10:32:17.0453 4000 Netman (13e67b55b3abd7bf3fe7aae5a0f9a9de) C:\WINDOWS\System32\netman.dll
10:32:17.0515 4000 Netman - ok
10:32:17.0718 4000 NetSvc (02d0798f376fcbd0210eda58476d0b1b) C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
10:32:17.0812 4000 NetSvc - ok
10:32:18.0421 4000 NetTcpPortSharing (d34612c5d02d026535b3095d620626ae) c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
10:32:18.0828 4000 NetTcpPortSharing - ok
10:32:19.0578 4000 Nla (943337d786a56729263071623bbb9de5) C:\WINDOWS\System32\mswsock.dll
10:32:19.0609 4000 Nla - ok
10:32:20.0453 4000 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
10:32:20.0468 4000 Npfs - ok
10:32:21.0343 4000 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
10:32:21.0796 4000 Ntfs - ok
10:32:22.0421 4000 NtLmSsp (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
10:32:22.0421 4000 NtLmSsp - ok
10:32:23.0031 4000 NtmsSvc (156f64a3345bd23c600655fb4d10bc08) C:\WINDOWS\system32\ntmssvc.dll
10:32:23.0328 4000 NtmsSvc - ok
10:32:23.0890 4000 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
10:32:23.0906 4000 Null - ok
10:32:25.0687 4000 nv (2b298519edbfcf451d43e0f1e8f1006d) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
10:32:27.0062 4000 nv - ok
10:32:27.0656 4000 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
10:32:27.0750 4000 NwlnkFlt - ok
10:32:28.0218 4000 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
10:32:28.0437 4000 NwlnkFwd - ok
10:32:28.0937 4000 odserv (785f487a64950f3cb8e9f16253ba3b7b) C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE
10:32:29.0265 4000 odserv - ok
10:32:29.0640 4000 ose (5a432a042dae460abe7199b758e8606c) C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
10:32:29.0812 4000 ose - ok
10:32:30.0531 4000 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
10:32:30.0640 4000 Parport - ok
10:32:31.0203 4000 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
10:32:31.0265 4000 PartMgr - ok
10:32:31.0859 4000 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
10:32:31.0937 4000 ParVdm - ok
10:32:32.0687 4000 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
10:32:32.0734 4000 PCI - ok
10:32:33.0265 4000 PCIDump - ok
10:32:33.0828 4000 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
10:32:33.0937 4000 PCIIde - ok
10:32:34.0703 4000 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
10:32:34.0890 4000 Pcmcia - ok
10:32:35.0515 4000 PDCOMP - ok
10:32:35.0953 4000 PDFRAME - ok
10:32:36.0515 4000 PDRELI - ok
10:32:37.0015 4000 PDRFRAME - ok
10:32:37.0812 4000 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\system32\DRIVERS\perc2.sys
10:32:37.0890 4000 perc2 - ok
10:32:38.0859 4000 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\system32\DRIVERS\perc2hib.sys
10:32:39.0031 4000 perc2hib - ok
10:32:39.0750 4000 PlugPlay (65df52f5b8b6e9bbd183505225c37315) C:\WINDOWS\system32\services.exe
10:32:39.0750 4000 PlugPlay - ok
10:32:40.0437 4000 Pml Driver HPZ12 (2d091a99624fb9e7eef0a86d872ec0c3) C:\WINDOWS\system32\HPZipm12.exe
10:32:40.0500 4000 Pml Driver HPZ12 - ok
10:32:41.0250 4000 PolicyAgent (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
10:32:41.0250 4000 PolicyAgent - ok
10:32:42.0281 4000 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
10:32:42.0421 4000 PptpMiniport - ok
10:32:43.0703 4000 ProtectedStorage (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
10:32:43.0703 4000 ProtectedStorage - ok
10:32:44.0765 4000 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
10:32:44.0796 4000 PSched - ok
10:32:45.0671 4000 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
10:32:45.0828 4000 Ptilink - ok
10:32:46.0578 4000 PxHelp20 (7c81ae3c9b82ba2da437ed4d31bc56cf) C:\WINDOWS\system32\Drivers\PxHelp20.sys
10:32:46.0625 4000 PxHelp20 - ok
10:32:47.0250 4000 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\system32\DRIVERS\ql1080.sys
10:32:47.0312 4000 ql1080 - ok
10:32:47.0906 4000 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\system32\DRIVERS\ql10wnt.sys
10:32:47.0984 4000 Ql10wnt - ok
10:32:48.0734 4000 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\system32\DRIVERS\ql12160.sys
10:32:48.0796 4000 ql12160 - ok
10:32:49.0359 4000 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\system32\DRIVERS\ql1240.sys
10:32:49.0390 4000 ql1240 - ok
10:32:50.0234 4000 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\system32\DRIVERS\ql1280.sys
10:32:50.0296 4000 ql1280 - ok
10:32:51.0687 4000 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
10:32:51.0687 4000 RasAcd - ok
10:32:52.0156 4000 RasAuto (ad188be7bdf94e8df4ca0a55c00a5073) C:\WINDOWS\System32\rasauto.dll
10:32:52.0265 4000 RasAuto - ok
10:32:52.0890 4000 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
10:32:52.0953 4000 Rasl2tp - ok
10:32:53.0453 4000 RasMan (76a9a3cbeadd68cc57cda5e1d7448235) C:\WINDOWS\System32\rasmans.dll
10:32:53.0656 4000 RasMan - ok
10:32:54.0156 4000 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
10:32:54.0265 4000 RasPppoe - ok
10:32:54.0796 4000 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
10:32:54.0812 4000 Raspti - ok
10:32:55.0515 4000 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
10:32:55.0578 4000 Rdbss - ok
10:32:56.0171 4000 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
10:32:56.0171 4000 RDPCDD - ok
10:32:56.0734 4000 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
10:32:56.0843 4000 rdpdr - ok
10:32:57.0531 4000 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) C:\WINDOWS\system32\drivers\RDPWD.sys
10:32:57.0625 4000 RDPWD - ok
10:32:58.0078 4000 RDSessMgr (3c37bf86641bda977c3bf8a840f3b7fa) C:\WINDOWS\system32\sessmgr.exe
10:32:58.0203 4000 RDSessMgr - ok
10:32:58.0750 4000 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
10:32:58.0843 4000 redbook - ok
10:32:59.0406 4000 RemoteAccess (7e699ff5f59b5d9de5390e3c34c67cf5) C:\WINDOWS\System32\mprdim.dll
10:32:59.0546 4000 RemoteAccess - ok
10:32:59.0937 4000 RpcLocator (aaed593f84afa419bbae8572af87cf6a) C:\WINDOWS\system32\locator.exe
10:33:00.0015 4000 RpcLocator - ok
10:33:00.0734 4000 RpcSs (6b27a5c03dfb94b4245739065431322c) C:\WINDOWS\System32\rpcss.dll
10:33:00.0750 4000 RpcSs - ok
10:33:01.0312 4000 RSVP (471b3f9741d762abe75e9deea4787e47) C:\WINDOWS\system32\rsvp.exe
10:33:01.0421 4000 RSVP - ok
10:33:01.0796 4000 SamSs (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
10:33:01.0796 4000 SamSs - ok
10:33:02.0234 4000 SCardSvr (86d007e7a654b9a71d1d7d856b104353) C:\WINDOWS\System32\SCardSvr.exe
10:33:02.0375 4000 SCardSvr - ok
10:33:02.0796 4000 Schedule (0a9a7365a1ca4319aa7c1d6cd8e4eafa) C:\WINDOWS\system32\schedsvc.dll
10:33:02.0859 4000 Schedule - ok
10:33:03.0359 4000 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
10:33:03.0437 4000 Secdrv - ok
10:33:03.0906 4000 seclogon (cbe612e2bb6a10e3563336191eda1250) C:\WINDOWS\System32\seclogon.dll
10:33:03.0921 4000 seclogon - ok
10:33:04.0968 4000 senfilt (b9c7617c1e8ab6fdff75d3c8dafcb4c8) C:\WINDOWS\system32\drivers\senfilt.sys
10:33:05.0546 4000 senfilt - ok
10:33:05.0968 4000 SENS (7fdd5d0684eca8c1f68b4d99d124dcd0) C:\WINDOWS\system32\sens.dll
10:33:06.0000 4000 SENS - ok
10:33:06.0578 4000 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
10:33:06.0593 4000 serenum - ok
10:33:07.0062 4000 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
10:33:07.0125 4000 Serial - ok
10:33:07.0750 4000 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
10:33:07.0953 4000 Sfloppy - ok
10:33:08.0562 4000 SharedAccess (83f41d0d89645d7235c051ab1d9523ac) C:\WINDOWS\System32\ipnathlp.dll
10:33:08.0687 4000 SharedAccess - ok
10:33:09.0140 4000 ShellHWDetection (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll
10:33:09.0156 4000 ShellHWDetection - ok
10:33:09.0734 4000 Simbad - ok
10:33:10.0187 4000 sisagp (6b33d0ebd30db32e27d1d78fe946a754) C:\WINDOWS\system32\DRIVERS\sisagp.sys
10:33:10.0218 4000 sisagp - ok
10:33:11.0234 4000 SmcService (a58c1a086d9c09c6572c948f22cc0e94) C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
10:33:11.0984 4000 SmcService - ok
10:33:12.0546 4000 smwdm (c6d9959e493682f872a639b6ec1b4a08) C:\WINDOWS\system32\drivers\smwdm.sys
10:33:12.0734 4000 smwdm - ok
10:33:13.0281 4000 SNAC (d2c222441255131e29de351475f98f6d) C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
10:33:13.0906 4000 SNAC - ok
10:33:14.0390 4000 SONYPVU1 (a1eceeaa5c5e74b2499eb51d38185b84) C:\WINDOWS\system32\DRIVERS\SONYPVU1.SYS
10:33:14.0453 4000 SONYPVU1 - ok
10:33:15.0015 4000 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys
10:33:15.0078 4000 Sparrow - ok
10:33:15.0578 4000 SPBBCDrv (e621bb5839cf45fa477f48092edd2b40) C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys
10:33:15.0828 4000 SPBBCDrv - ok
10:33:16.0328 4000 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
10:33:16.0453 4000 splitter - ok
10:33:16.0937 4000 Spooler (60784f891563fb1b767f70117fc2428f) C:\WINDOWS\system32\spoolsv.exe
10:33:16.0937 4000 Spooler - ok
10:33:17.0468 4000 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
10:33:17.0531 4000 sr - ok
10:33:18.0140 4000 srservice (3805df0ac4296a34ba4bf93b346cc378) C:\WINDOWS\system32\srsvc.dll
10:33:18.0203 4000 srservice - ok
10:33:19.0000 4000 SRTSP (2abf82c8452ab0b9ffc74a2d5da91989) C:\WINDOWS\system32\Drivers\SRTSP.SYS
10:33:19.0218 4000 SRTSP - ok
10:33:19.0921 4000 SRTSPL (e2f9e5887bea5bd8784d337e06eda31b) C:\WINDOWS\system32\Drivers\SRTSPL.SYS
10:33:20.0203 4000 SRTSPL - ok
10:33:20.0968 4000 SRTSPX (3b974c158fabd910186f98df8d3e23f3) C:\WINDOWS\system32\Drivers\SRTSPX.SYS
10:33:21.0015 4000 SRTSPX - ok
10:33:21.0828 4000 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
10:33:22.0281 4000 Srv - ok
10:33:23.0015 4000 sscdbhk5 (98625722ad52b40305e74aaa83c93086) C:\WINDOWS\system32\drivers\sscdbhk5.sys
10:33:23.0062 4000 sscdbhk5 - ok
10:33:23.0640 4000 SSDPSRV (0a5679b3714edab99e357057ee88fca6) C:\WINDOWS\System32\ssdpsrv.dll
10:33:23.0796 4000 SSDPSRV - ok
10:33:24.0343 4000 ssrtln (d79412e3942c8a257253487536d5a994) C:\WINDOWS\system32\drivers\ssrtln.sys
10:33:24.0406 4000 ssrtln - ok
10:33:24.0843 4000 stisvc (8bad69cbac032d4bbacfce0306174c30) C:\WINDOWS\system32\wiaservc.dll
10:33:24.0875 4000 stisvc - ok
10:33:25.0546 4000 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
10:33:25.0593 4000 swenum - ok
10:33:26.0171 4000 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
10:33:26.0218 4000 swmidi - ok
10:33:26.0625 4000 SwPrv - ok
10:33:27.0843 4000 Symantec AntiVirus (ba2fb8f8ab24d0279caa98a4c118150e) C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
10:33:27.0875 4000 Symantec AntiVirus - ok
10:33:28.0406 4000 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys
10:33:28.0421 4000 symc810 - ok
10:33:29.0109 4000 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys
10:33:29.0218 4000 symc8xx - ok
10:33:29.0953 4000 SymEvent (a54ff04bd6e75dc4d8cb6f3e352635e0) C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
10:33:30.0062 4000 SymEvent - ok
10:33:30.0546 4000 SymIM - ok
10:33:31.0015 4000 SymIMMP - ok
10:33:31.0546 4000 SYMREDRV (394b2368212114d538316812af60fddd) C:\WINDOWS\System32\Drivers\SYMREDRV.SYS
10:33:31.0562 4000 SYMREDRV - ok
10:33:32.0125 4000 SYMTDI (d46676bb414c7531bdffe637a33f5033) C:\WINDOWS\System32\Drivers\SYMTDI.SYS
10:33:32.0187 4000 SYMTDI - ok
10:33:32.0812 4000 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys
10:33:32.0843 4000 sym_hi - ok
10:33:33.0296 4000 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys
10:33:33.0390 4000 sym_u3 - ok
10:33:34.0015 4000 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
10:33:34.0046 4000 sysaudio - ok
10:33:34.0562 4000 SysmonLog (c7abbc59b43274b1109df6b24d617051) C:\WINDOWS\system32\smlogsvc.exe
10:33:34.0703 4000 SysmonLog - ok
10:33:35.0187 4000 TapiSrv (3cb78c17bb664637787c9a1c98f79c38) C:\WINDOWS\System32\tapisrv.dll
10:33:35.0265 4000 TapiSrv - ok
10:33:36.0093 4000 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
10:33:36.0234 4000 Tcpip - ok
10:33:36.0781 4000 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
10:33:36.0906 4000 TDPIPE - ok
10:33:37.0453 4000 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
10:33:37.0531 4000 TDTCP - ok
10:33:38.0109 4000 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
10:33:38.0171 4000 TermDD - ok
10:33:38.0781 4000 TermService (ff3477c03be7201c294c35f684b3479f) C:\WINDOWS\System32\termsrv.dll
10:33:38.0781 4000 TermService - ok
10:33:39.0296 4000 tfsnboio (d0177776e11b0b3f272eebd262a69661) C:\WINDOWS\system32\dla\tfsnboio.sys
10:33:39.0312 4000 tfsnboio - ok
10:33:39.0953 4000 tfsncofs (599804bc938b8305a5422319774da871) C:\WINDOWS\system32\dla\tfsncofs.sys
10:33:39.0968 4000 tfsncofs - ok
10:33:40.0593 4000 tfsndrct (a1902c00adc11c4d83f8e3ed947a6a32) C:\WINDOWS\system32\dla\tfsndrct.sys
10:33:40.0593 4000 tfsndrct - ok
10:33:41.0171 4000 tfsndres (d8ddb3f2b1bef15cff6728d89c042c61) C:\WINDOWS\system32\dla\tfsndres.sys
10:33:41.0171 4000 tfsndres - ok
10:33:41.0781 4000 tfsnifs (c4f2dea75300971cdaee311007de138d) C:\WINDOWS\system32\dla\tfsnifs.sys
10:33:41.0812 4000 tfsnifs - ok
10:33:42.0562 4000 tfsnopio (272925be0ea919f08286d2ee6f102b0f) C:\WINDOWS\system32\dla\tfsnopio.sys
10:33:42.0578 4000 tfsnopio - ok
10:33:43.0125 4000 tfsnpool (7b7d955e5cebc2fb88b03ef875d52a2f) C:\WINDOWS\system32\dla\tfsnpool.sys
10:33:43.0125 4000 tfsnpool - ok
10:33:43.0718 4000 tfsnudf (e3d01263109d800c1967c12c10a0b018) C:\WINDOWS\system32\dla\tfsnudf.sys
10:33:43.0750 4000 tfsnudf - ok
10:33:44.0281 4000 tfsnudfa (b9e9c377906e3a65bc74598fff7f7458) C:\WINDOWS\system32\dla\tfsnudfa.sys
10:33:44.0328 4000 tfsnudfa - ok
10:33:44.0890 4000 Themes (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll
10:33:44.0906 4000 Themes - ok
10:33:45.0343 4000 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\system32\DRIVERS\toside.sys
10:33:45.0406 4000 TosIde - ok
10:33:45.0921 4000 TrkWks (55bca12f7f523d35ca3cb833c725f54e) C:\WINDOWS\system32\trkwks.dll
10:33:46.0031 4000 TrkWks - ok
10:33:46.0687 4000 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
10:33:46.0750 4000 Udfs - ok
10:33:47.0296 4000 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys
10:33:47.0328 4000 ultra - ok
10:33:48.0109 4000 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
10:33:48.0453 4000 Update - ok
10:33:48.0953 4000 upnphost (1ebafeb9a3fbdc41b8d9c7f0f687ad91) C:\WINDOWS\System32\upnphost.dll
10:33:48.0968 4000 upnphost - ok
10:33:49.0406 4000 UPS (05365fb38fca1e98f7a566aaaf5d1815) C:\WINDOWS\System32\ups.exe
10:33:49.0515 4000 UPS - ok
10:33:50.0078 4000 USBAAPL (1df89c499bf45d878b87ebd4421d462d) C:\WINDOWS\system32\Drivers\usbaapl.sys
10:33:50.0109 4000 USBAAPL - ok
10:33:50.0765 4000 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
10:33:50.0796 4000 usbccgp - ok
10:33:51.0484 4000 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
10:33:51.0562 4000 usbehci - ok
10:33:52.0125 4000 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
10:33:52.0171 4000 usbhub - ok
10:33:52.0796 4000 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
10:33:52.0828 4000 usbprint - ok
10:33:53.0406 4000 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
10:33:53.0500 4000 usbscan - ok
10:33:54.0062 4000 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
10:33:54.0203 4000 USBSTOR - ok
10:33:54.0890 4000 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
10:33:54.0921 4000 usbuhci - ok
10:33:55.0562 4000 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
10:33:55.0593 4000 VgaSave - ok
10:33:56.0093 4000 viaagp (754292ce5848b3738281b4f3607eaef4) C:\WINDOWS\system32\DRIVERS\viaagp.sys
10:33:56.0187 4000 viaagp - ok
10:33:56.0781 4000 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
10:33:56.0859 4000 ViaIde - ok
10:33:57.0453 4000 vmm (e41fef9e3056fe88c71e411f705be41e) C:\WINDOWS\system32\Drivers\vmm.sys
10:33:57.0578 4000 vmm - ok
10:33:58.0171 4000 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
10:33:58.0281 4000 VolSnap - ok
10:33:58.0968 4000 VPCNetS2 (f96a678debdccb0b4bb7f38cb2580589) C:\WINDOWS\system32\DRIVERS\VMNetSrv.sys
10:33:59.0000 4000 VPCNetS2 - ok
10:33:59.0671 4000 VSS (7a9db3a67c333bf0bd42e42b8596854b) C:\WINDOWS\System32\vssvc.exe
10:33:59.0828 4000 VSS - ok
10:34:00.0250 4000 w32time (54af4b1d5459500ef0937f6d33b1914f) C:\WINDOWS\system32\w32time.dll
10:34:00.0265 4000 w32time - ok
10:34:00.0921 4000 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
10:34:00.0937 4000 Wanarp - ok
10:34:01.0359 4000 wanatw - ok
10:34:02.0218 4000 Wdf01000 (fd47474bd21794508af449d9d91af6e6) C:\WINDOWS\system32\DRIVERS\Wdf01000.sys
10:34:03.0046 4000 Wdf01000 - ok
10:34:03.0359 4000 WDICA - ok
10:34:04.0156 4000 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
10:34:04.0187 4000 wdmaud - ok
10:34:04.0718 4000 WebClient (77a354e28153ad2d5e120a5a8687bc06) C:\WINDOWS\System32\webclnt.dll
10:34:04.0796 4000 WebClient - ok
10:34:05.0468 4000 winachsf (f59ed5a43b988a18ef582bb07b2327a7) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
10:34:05.0937 4000 winachsf - ok
10:34:06.0453 4000 winmgmt (2d0e4ed081963804ccc196a0929275b5) C:\WINDOWS\system32\wbem\WMIsvc.dll
10:34:06.0500 4000 winmgmt - ok
10:34:07.0031 4000 WmdmPmSN (c51b4a5c05a5475708e3c81c7765b71d) C:\WINDOWS\system32\MsPMSNSv.dll
10:34:07.0062 4000 WmdmPmSN - ok
10:34:07.0531 4000 WmiApSrv (e0673f1106e62a68d2257e376079f821) C:\WINDOWS\system32\wbem\wmiapsrv.exe
10:34:07.0656 4000 WmiApSrv - ok
10:34:08.0218 4000 WMPNetworkSvc (f74e3d9a7fa9556c3bbb14d4e5e63d3b) C:\Program Files\Windows Media Player\WMPNetwk.exe
10:34:08.0218 4000 WMPNetworkSvc - ok
10:34:08.0718 4000 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\Drivers\wpdusb.sys
10:34:08.0796 4000 WpdUsb - ok
10:34:09.0250 4000 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
10:34:09.0265 4000 WS2IFSL - ok
10:34:09.0781 4000 wscsvc (7c278e6408d1dce642230c0585a854d5) C:\WINDOWS\system32\wscsvc.dll
10:34:09.0890 4000 wscsvc - ok
10:34:10.0312 4000 wuauserv (35321fb577cdc98ce3eb3a3eb9e4610a) C:\WINDOWS\system32\wuauserv.dll
10:34:10.0359 4000 wuauserv - ok
10:34:10.0968 4000 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
10:34:11.0015 4000 WudfPf - ok
10:34:11.0562 4000 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
10:34:11.0718 4000 WudfRd - ok
10:34:12.0171 4000 WudfSvc (05231c04253c5bc30b26cbaae680ed89) C:\WINDOWS\System32\WUDFSvc.dll
10:34:12.0234 4000 WudfSvc - ok
10:34:12.0984 4000 WZCSVC (81dc3f549f44b1c1fff022dec9ecf30b) C:\WINDOWS\System32\wzcsvc.dll
10:34:13.0046 4000 WZCSVC - ok
10:34:13.0421 4000 xmlprov (295d21f14c335b53cb8154e5b1f892b9) C:\WINDOWS\System32\xmlprov.dll
10:34:13.0500 4000 xmlprov - ok
10:34:13.0609 4000 MBR (0x1B8) (dbfb101d7442c448a7964bbb128e1250) \Device\Harddisk0\DR0
10:34:13.0687 4000 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - infected
10:34:13.0687 4000 \Device\Harddisk0\DR0 - detected Rootkit.Boot.Pihar.b (0)
10:34:13.0734 4000 Boot (0x1200) (0f979d99d0a22a8c1d19ef089d35c150) \Device\Harddisk0\DR0\Partition0
10:34:13.0765 4000 \Device\Harddisk0\DR0\Partition0 - ok
10:34:13.0765 4000 ============================================================
10:34:13.0765 4000 Scan finished
10:34:13.0765 4000 ============================================================
10:34:13.0796 3620 Detected object count: 1
10:34:13.0796 3620 Actual detected object count: 1
10:34:36.0984 3620 \Device\Harddisk0\DR0\# - copied to quarantine
10:34:37.0046 3620 \Device\Harddisk0\DR0 - copied to quarantine
10:34:38.0484 3620 \Device\Harddisk0\DR0\TDLFS\phm - copied to quarantine
10:34:38.0671 3620 \Device\Harddisk0\DR0\TDLFS\ph.dll - copied to quarantine
10:34:40.0453 3620 \Device\Harddisk0\DR0\TDLFS\phx.dll - copied to quarantine
10:34:41.0687 3620 \Device\Harddisk0\DR0\TDLFS\sub.dll - copied to quarantine
10:34:41.0812 3620 \Device\Harddisk0\DR0\TDLFS\subx.dll - copied to quarantine
10:34:42.0390 3620 \Device\Harddisk0\DR0\TDLFS\phd - copied to quarantine
10:34:42.0656 3620 \Device\Harddisk0\DR0\TDLFS\phdx - copied to quarantine
10:34:45.0015 3620 \Device\Harddisk0\DR0\TDLFS\phs - copied to quarantine
10:34:45.0187 3620 \Device\Harddisk0\DR0\TDLFS\phdata - copied to quarantine
10:34:45.0343 3620 \Device\Harddisk0\DR0\TDLFS\phld - copied to quarantine
10:34:45.0515 3620 \Device\Harddisk0\DR0\TDLFS\phln - copied to quarantine
10:34:45.0687 3620 \Device\Harddisk0\DR0\TDLFS\phlx - copied to quarantine
10:34:45.0984 3620 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - will be cured on reboot
10:34:45.0984 3620 \Device\Harddisk0\DR0 - ok
10:34:46.0000 3620 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - User select action: Cure
10:36:58.0687 3272 Deinitialize success

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)

Search
Search for:

Solved: Svchost.exe rises to 200k+ usage within minutes and continues to climb!

Find the solution to your computer problem!

Find the solution to your
computer problem!