Solved: Computer trashed by S.M.A.R.T. Data Recovery


PJL (Member with 8 posts, thread starter)
Join Date: May 2012
18-May-2012, 12:53 PM #1
Computer trashed by S.M.A.R.T. Data Recovery
Introduction
My niece apparently fell victim to a fake AV program on March 28, since that's the date her calendar was stuck on and all directory entries end on that date. I believe that she then was hoodwinked into using the fake data recovery program. Unfortunately, she failed to mention the problem until this Monday, so I'm way behind on trying to fix it. I managed to clear up a few things by using Ad-aware, Spybot S&D and Housecall before running HijackThis. All of those programs were utilized by downloading them onto a DVD on my laptop and running them from the DVD, which then was completely wiped clean by her computer. While I haven't yet tried this procedure to run the other programs listed in Read This First, I have a preliminary question:
As I shut down her computer for the last time, I noted that her D: directory is called "Data" and is almost full, apparently with gaming stuff. Do I need to do a separate repeat of all the programs on that drive?

Thanks for any answer you could provide to the above question while I'm downloading and, I hope, running the other programs.
Mark1956 (Malware Removal Specialist with 13,931 posts)
Join Date: May 2011
Location: Spain
Experience: Advanced
18-May-2012, 05:56 PM #2
Hi PJL and welcome to TSG, my name is Mark and I will be helping you.

You only need to run the scans as per the instructions.

Does the infected PC have a working internet connection?

Have all the important files on the system been backed up? If not, please follow this:

Quote:
Before doing anything further, if you have not already done so, you should back up all your important documents, personal data files and photos to a CD or DVD drive, as some infections may render your computer unbootable during or before the disinfection process. If that occurs there may be no option but to reformat and reinstall the OS or perform a full system recovery. The safest practice is not to back up any files with the following file extensions: .exe, .scr, .ini, .htm, .html, .php, .asp, .xml, .zip, .rar, .cab, as they may be infected.

Last edited by Mark1956; 18-May-2012 at 06:02 PM.
PJL (Member with 8 posts, thread starter)
Join Date: May 2012
19-May-2012, 06:10 PM #3
Thank you for your answer, Mark. I probably understated the extent of the problem in my first message. The screen is totally black and the Start/Program Files show no information. While I might be able to reach the internet or back up the files, I think the only way I could perform these tasks would be through MS-DOS commands and I haven't used those in over 30 years.

However, by switching back and forth between my working computer and my niece's infected version, I have managed to get the information you need.

First, the system information from the System Info program:
Quote:
Tech Support Guy System Info Utility version 1.0.0.2
OS Version: Microsoft® Windows Vista™ Home Premium, Service Pack 1, 32 bit
Processor: AMD Athlon(tm) X2 Dual-Core QL-60, x64 Family 17 Model 3 Stepping 1
Processor Count: 2
RAM: 2813 Mb
Graphics Card: NVIDIA GeForce 9100M G, 256 Mb
Hard Drives: C: Total - 71191 MB, Free - 405 MB; D: Total - 71192 MB, Free - 20062 MB;
Motherboard: Acer, Inc., Grasmoor
Antivirus: None
Next, here are the HijackThis results:
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 7:30:30 PM, on 3/28/2012
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18639)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\RtHDVCpl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe
C:\Windows\PLFSetI.exe
C:\Users\Laura\AppData\Local\Temp\RtkBtMnt.exe
C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Software Update\hpwuschd2.exe
C:\ProgramData\Ad-Aware Browsing Protection\adawarebp.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Pando Networks\Media Booster\PMB.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\AD-AWA~1\AdAware.exe
C:\Windows\ehome\ehmsas.exe
C:\ProgramFiles\Trend Micro\HiJackThis\HiJackThis.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe
C:\Windows\system32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.acer.com/rdr.aspx?b=...&m=aspire_4530
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://homepage.acer.com/rdr.aspx?b=...&m=aspire_4530
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.acer.com/rdr.aspx?b=...&m=aspire_4530
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://homepage.acer.com/rdr.aspx?b=...&m=aspire_4530
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: 93.113.196.124 www.google.com
O1 - Hosts: 93.113.196.125 www.bing.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Ad-Aware Security Toolbar - {6c97a91e-4524-4019-86af-2aa2d567bf5c} - C:\Program Files\adawaretb\adawareDx.dll
O2 - BHO: (no name) - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Ad-Aware Security Toolbar - {6c97a91e-4524-4019-86af-2aa2d567bf5c} - C:\Program Files\adawaretb\adawareDx.dll
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [BkupTray] "C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe"
O4 - HKLM\..\Run: [PLFSetI] C:\Windows\PLFSetI.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
O4 - HKLM\..\Run: [Acer Assist Launcher] C:\Program Files\Acer\Acer Assist\launcher.exe
O4 - HKLM\..\Run: [Acer Product Registration] "C:\Program Files\Acer\Acer Registration\ACE1.exe" /startup
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Microsoft Default Manager] "C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume
O4 - HKLM\..\Run: [dplaysvr] C:\Windows\system32\config\systemprofile\AppData\Local\dplaysvr.exe
O4 - HKLM\..\Run: [Ad-Aware Browsing Protection] "C:\ProgramData\Ad-Aware Browsing Protection\adawarebp.exe"
O4 - HKLM\..\Run: [Ad-Aware Antivirus] "C:\Program Files\Ad-Aware Antivirus\AdAwareLauncher" --windows-run
O4 - HKLM\..\Run: [SBRegRebootCleaner] "C:\Program Files\Ad-Aware Antivirus\SBRC.exe"
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [Pando Media Booster] C:\Program Files\Pando Networks\Media Booster\PMB.exe
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [SanctionedMedia] rundll32.exe "C:\Windows\system32\config\systemprofile\AppData\Local\Temp\SanctionedMedia\rulgejmj.dll",DllRegisterServer
O4 - HKCU\..\Run: [Adobe] rundll32.exe "C:\Windows\system32\config\systemprofile\AppData\Local\Temp\Adobe\pigpew.dll",DllRegisterServer
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [dplaysvr] C:\Windows\system32\config\systemprofile\AppData\Local\dplaysvr.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [edcefafaceccdfdct] "C:\ProgramData\edcefafaceccdfdct.exe" (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [SanctionedMedia] rundll32.exe "C:\Windows\system32\config\systemprofile\AppData\Local\Temp\SanctionedMedia\rulgejmj.dll",DllRegisterServer (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Adobe] rundll32.exe "C:\Windows\system32\config\systemprofile\AppData\Local\Temp\Adobe\pigpew.dll",DllRegisterServer (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [dplaysvr] C:\Windows\system32\config\systemprofile\AppData\Local\dplaysvr.exe (User 'Default user')
O4 - Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O20 - AppInit_DLLs: AVGRSSTX.DLL C:\PROGRA~1\GOOGLE\GOOGLE~1\GOEC62~1.DLL
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Ad-Aware Service - Lavasoft Limited - C:\Program Files\Ad-Aware Antivirus\AdAwareService.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: NTI Backup Now 5 Agent Service (BUNAgentSvc) - NewTech Infosystems, Inc. - C:\Program Files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Desktop Manager 5.9.1005.12335 (GoogleDesktopManager-051210-111108) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MobilityService - Unknown owner - C:\Acer\Mobility Center\MobilityService.exe
O23 - Service: NTI Backup Now 5 Backup Service (NTIBackupSvc) - NewTech InfoSystems, Inc. - C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe
O23 - Service: NTI Backup Now 5 Scheduler Service (NTISchedulerSvc) - Unknown owner - C:\Program Files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: NVIDIA Update Service Daemon (nvUpdatusService) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\Windows\system32\PSIService.exe
O23 - Service: Ad-Aware (SBAMSvc) - GFI Software - C:\Program Files\Ad-Aware Antivirus\SBAMSvc.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: WDDMService - WDC - C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe
O23 - Service: WD File Management Engine (WDFME) - Unknown owner - C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDFME\WDFME.exe
O23 - Service: WD File Management Shadow Engine (WDSC) - Unknown owner - C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSC.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 10421 bytes
I believe that the two O4 items referring to [SanctionedMedia] and to "pigpew" are not legitimate, because every time one tries to start C:, they are listed as "Access Denied".

Finally, here are the DDS.txt and Attach.txt files. I did not run GMER, since this is a 64-bit gaming computer.

DDS.txt

DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_26
Run by Laura at 20:16:10 on 2012-03-28

Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2814.1783 [GMT -4:00]
.
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Ad-Aware Antivirus\AdAwareService.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Acer\Mobility Center\MobilityService.exe
C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe
C:\Program Files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe
C:\Windows\system32\PSIService.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe
C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDFME\WDFME.exe
C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSC.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\RtHDVCpl.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BkupTray.exe
C:\Windows\PLFSetI.exe
C:\Users\Laura\AppData\Local\Temp\RtkBtMnt.exe
C:\Program Files\Launch Manager\QtZgAcer.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Software Update\hpwuschd2.exe
C:\ProgramData\Ad-Aware Browsing Protection\adawarebp.exe
C:\Program Files\NVIDIA Corporation\Display\nvtray.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Pando Networks\Media Booster\PMB.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\AD-AWA~1\AdAware.exe
C:\Program Files\Ad-Aware Antivirus\SBAMSvc.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=2&o=vp32&d=1008&m=aspire_4530
uDefault_Page_URL = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=2&o=vp32&d=1008&m=aspire_4530
mStart Page = hxxp://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&s=2&o=vp32&d=1008&m=aspire_4530
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Ad-Aware Security Toolbar: {6c97a91e-4524-4019-86af-2aa2d567bf5c} - c:\program files\adawaretb\adawareDx.dll
BHO: {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - No File
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Ad-Aware Security Toolbar: {6c97a91e-4524-4019-86af-2aa2d567bf5c} - c:\program files\adawaretb\adawareDx.dll
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [Pando Media Booster] c:\program files\pando networks\media booster\PMB.exe
uRun: [Steam] "c:\program files\steam\Steam.exe" -silent
uRun: [SanctionedMedia] rundll32.exe "c:\windows\system32\config\systemprofile\appdata\local\temp\sanctionedmedia\rulgejmj.dll",DllRegisterServer
uRun: [Adobe] rundll32.exe "c:\windows\system32\config\systemprofile\appdata\local\temp\adobe\pigpew.dll",DllRegisterServer
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [BkupTray] "c:\program files\newtech infosystems\nti backup now 5\BkupTray.exe"
mRun: [PLFSetI] c:\windows\PLFSetI.exe
mRun: [LManager] c:\progra~1\launch~1\QtZgAcer.EXE
mRun: [Acer Assist Launcher] c:\program files\acer\acer assist\launcher.exe
mRun: [Acer Product Registration] "c:\program files\acer\acer registration\ACE1.exe" /startup
mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [<NO NAME>]
mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
mRun: [dplaysvr] c:\windows\system32\config\systemprofile\appdata\local\dplaysvr.exe
mRun: [Ad-Aware Browsing Protection] "c:\programdata\ad-aware browsing protection\adawarebp.exe"
mRun: [Ad-Aware Antivirus] "c:\program files\ad-aware antivirus\AdAwareLauncher" --windows-run
mRun: [SBRegRebootCleaner] "c:\program files\ad-aware antivirus\SBRC.exe"
dRun: [dplaysvr] c:\windows\system32\config\systemprofile\appdata\local\dplaysvr.exe
dRun: [edcefafaceccdfdct] "c:\programdata\edcefafaceccdfdct.exe"
dRun: [SanctionedMedia] rundll32.exe "c:\windows\system32\config\systemprofile\appdata\local\temp\sanctionedmedia\rulgejmj.dll",DllRegisterServer
dRun: [Adobe] rundll32.exe "c:\windows\system32\config\systemprofile\appdata\local\temp\adobe\pigpew.dll",DllRegisterServer
StartupFolder: c:\users\laura\appdata\roaming\micros~1\windows\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
dPolicies-explorer: HideSCAHealth = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
LSP: mswsock.dll
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
TCP: DhcpNameServer = 65.32.5.111 65.32.5.112 192.168.1.1
TCP: Interfaces\{C45E3F37-A4A2-4EC6-B0DA-D21D750A7935} : DhcpNameServer = 65.32.5.111 65.32.5.112 192.168.1.1
AppInit_DLLs: AVGRSSTX.DLL c:\progra~1\google\google~1\GOEC62~1.DLL
Hosts: 93.113.196.124 www.google.com
Hosts: 93.113.196.125 www.bing.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\laura\appdata\roaming\mozilla\firefox\profiles\7ml8dt1t.default\
FF - component: c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
FF - component: c:\users\laura\appdata\roaming\mozilla\firefox\profiles\7ml8dt1t.default\extensions\{87934c42-161d-45bc-8cef-ef18abe2a30c}\components\dtTransparency.dll
FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll
FF - plugin: c:\program files\pando networks\media booster\npPandoWebPlugin.dll
FF - plugin: c:\program files\unity\webplayer\loader\npUnity3D32.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Ad-Aware Security Toolbar: {87934c42-161d-45bc-8cef-ef18abe2a30c} - %profile%\extensions\{87934c42-161d-45bc-8cef-ef18abe2a30c}
.
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true);user_pref(general.useragent.extra.brc, BRI/1
.
============= SERVICES / DRIVERS ===============
.
R1 SbFw;SbFw;c:\windows\system32\drivers\SbFw.sys [2012-3-25 223864]
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [2011-10-26 101112]
R2 Ad-Aware Service;Ad-Aware Service;c:\program files\ad-aware antivirus\AdAwareService.exe [2012-5-3 1226096]
R2 BUNAgentSvc;NTI Backup Now 5 Agent Service;c:\program files\newtech infosystems\nti backup now 5\client\Agentsvc.exe [2008-3-3 16384]
R2 NTIBackupSvc;NTI Backup Now 5 Backup Service;c:\program files\newtech infosystems\nti backup now 5\BackupSvc.exe [2008-4-26 45056]
R2 NTISchedulerSvc;NTI Backup Now 5 Scheduler Service;c:\program files\newtech infosystems\nti backup now 5\SchedulerSvc.exe [2008-4-26 131072]
R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\nvidia corporation\nvidia updatus\daemonu.exe [2011-11-18 2253120]
R2 SBAMSvc;Ad-Aware;c:\program files\ad-aware antivirus\SBAMSvc.exe [2011-12-19 3289032]
R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [2011-11-29 77816]
R2 WDDMService;WDDMService;c:\program files\western digital\wd smartware\wd drive manager\WDDMService.exe [2011-3-9 238592]
R2 WDFME;WD File Management Engine;c:\program files\western digital\wd smartware\front parlor\wdfme\WDFME.exe [2011-3-9 1060864]
R2 WDSC;WD File Management Shadow Engine;c:\program files\western digital\wd smartware\front parlor\WDSC.exe [2011-3-9 484352]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2008-10-10 210432]
R3 SBFWIMCLMP;GFI Software Firewall NDIS IM Filter Miniport;c:\windows\system32\drivers\SbFwIm.sys [2012-3-25 94584]
R3 sbhips;sbhips;c:\windows\system32\drivers\sbhips.sys [2012-3-25 93816]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-5-12 135664]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2012-3-25 1153368]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\google\google desktop search\GoogleDesktop.exe [2009-1-9 30192]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-5-12 135664]
S3 NWUSBCDFIL;Novatel Wireless Installation CD;c:\windows\system32\drivers\NwUsbCdFil.sys [2008-7-7 20480]
S3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;c:\windows\system32\drivers\nwusbser2.sys [2008-5-9 174336]
S3 SBFWIMCL;GFI Software Firewall NDIS IM Filter Service;c:\windows\system32\drivers\SbFwIm.sys [2012-3-25 94584]
S3 sbwtis;sbwtis;c:\windows\system32\drivers\sbwtis.sys [2011-12-19 72312]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2008-5-6 11520]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2012-03-26 22:24:08 388096 ----a-r- c:\users\laura\appdata\roaming\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2012-03-26 22:24:07 -------- dc----w- C:\ProgramFiles
2012-03-26 11:07:05 14664 ---ha-w- c:\windows\stinger.sys
2012-03-26 11:06:40 159608 ---ha-w- c:\windows\system32\mfevtps.exe.07f5.deleteme
2012-03-26 11:02:10 -------- d-----w- c:\program files\stinger
2012-03-26 00:32:45 -------- d--h--w- c:\programdata\Spybot - Search & Destroy
2012-03-26 00:32:45 -------- d-----w- c:\program files\Spybot - Search & Destroy
2012-03-25 23:59:03 -------- d--h--w- c:\users\laura\appdata\local\adaware
2012-03-25 23:58:42 93816 ----a-w- c:\windows\system32\drivers\sbhips.sys
2012-03-25 23:57:57 94584 ----a-w- c:\windows\system32\drivers\SbFwIm.sys
2012-03-25 23:57:56 223864 ----a-w- c:\windows\system32\drivers\SbFw.sys
2012-03-25 23:57:52 -------- d-----w- c:\windows\system32\drivers\VDD
2012-03-25 23:57:51 -------- d-----w- c:\program files\Ad-Aware Antivirus
2012-03-25 23:57:24 -------- d--h--w- c:\users\laura\appdata\local\adawarebp
2012-03-25 23:57:22 -------- d--h--w- c:\programdata\Ad-Aware Browsing Protection
2012-03-25 23:57:09 -------- d-----w- c:\program files\Toolbar Cleaner
2012-03-25 23:56:46 -------- d-----w- c:\program files\adawaretb
2012-03-25 23:55:39 -------- d--h--w- c:\users\laura\appdata\roaming\Ad-Aware Antivirus
2012-03-25 23:52:27 250880 ---ha-w- c:\programdata\h6uNCcOMeZeaK7.exe
2012-03-25 23:48:24 102400 ---ha-w- c:\windows\RegBootClean.exe
2012-03-25 21:33:56 766816 ----a-w- c:\windows\system32\PerfStringBackup.TMP
.
==================== Find3M ====================
.
2012-03-28 00:30:38 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
2012-03-19 20:59:48 309876581 ---ha-w- c:\windows\DUMP61dd.tmp
.
============= FINISH: 20:18:35.30 ===============


ATTACH.txt
(sorry, but 7-Zip wants to hide right now)
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume2
Install Date: 10/1/2008 10:38:17 AM
System Uptime: 3/28/2012 8:12:35 PM (0 hours ago)
.
Motherboard: Acer, Inc. | | Grasmoor
Processor: AMD Athlon(tm) X2 Dual-Core QL-60 | Socket M2/S1G1 | 1900/133mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 70 GiB total, 0.595 GiB free.
D: is FIXED (NTFS) - 70 GiB total, 19.592 GiB free.
E: is CDROM (UDF)
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
No restore point in system.
.
==== Installed Programs ======================
.
Acer Assist
Acer Crystal Eye Webcam 2.0.9.1
Acer GridVista
Acer Mobility Center Plug-In
Acer Registration
Acer ScreenSaver
Ad-Aware Antivirus
Ad-Aware Browsing Protection
Ad-Aware Security Toolbar
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 8.1.3
Adobe Shockwave Player 11.5
Allods Online 2.0.04.49
Apple Application Support
Apple Mobile Device Support
Apple Software Update
ASIO4ALL
Bandisoft MPEG-1 Decoder
Bastion
Bing Bar
Bing Bar Platform
Bing Rewards Client Installer
Bonjour
Coupon Printer for Windows
Dungeons of Dredmor
Google Desktop
Google Update Helper
Guild Wars
HDAUDIO Soft Data Fax Modem with SmartCP
HiJackThis
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
HP Photo Creations
HP Photosmart Plus B210 series Basic Device Software
HP Photosmart Plus B210 series Help
HP Photosmart Plus B210 series Product Improvement Study
HP Update
iTunes
Java Auto Updater
Java(TM) 6 Update 26
Java(TM) 6 Update 7
K-Lite Codec Pack 7.0.0 (Standard)
Launch Manager
LightScribe 1.4.142.1
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft .NET Framework 4 Extended
Microsoft Default Manager
Microsoft Search Enhancement Pack
Microsoft Silverlight
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
Microsoft XNA Framework Redistributable 3.1
Microsoft XNA Framework Redistributable 4.0
Mobile Broadband Generic Drivers
Mozilla Firefox (3.0.19)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
NTI Backup Now 5
NTI Backup Now Standard
NVIDIA Control Panel 285.62
NVIDIA Drivers
NVIDIA Graphics Driver 285.62
NVIDIA Install Application
NVIDIA PhysX
NVIDIA PhysX System Software 260.99
NVIDIA Update 1.5.20
NVIDIA Update Components
OpenOffice.org 3.0
Pando Media Booster
PhotoNow!
QuickTime
Realtek High Definition Audio Driver
Realtek USB 2.0 Card Reader
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Extended (KB2416472)
Spelling Dictionaries Support For Adobe Reader 8
Spybot - Search & Destroy
Steam
Synaptics Pointing Device Driver
System Requirements Lab
Terraria
The Elder Scrolls V: Skyrim
Unity Web Player
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft .NET Framework 4 Client Profile (KB2473228)
Ventrilo Client
WD SmartWare
WinRAR 4.01 (32-bit)
World of Warcraft
World of Warcraft Public Test
Yahoo! Detect
.
==== Event Viewer Messages From Past Week ========
.
3/28/2012 7:16:33 PM, Error: EventLog [6008] - The previous system shutdown at 7:14:49 PM on 3/28/2012 was unexpected.
3/28/2012 10:56:52 AM, Error: EventLog [6008] - The previous system shutdown at 9:25:05 PM on 3/27/2012 was unexpected.
3/27/2012 8:45:25 PM, Error: Microsoft-Windows-Time-Service [34] - The time service has detected that the system time needs to be changed by +4411249 seconds. The time service will not change the system time by more than +54000 seconds. Verify that your time and time zone are correct, and that the time source time.windows.com,0x9 (ntp.m|0x9|0.0.0.0:123->65.55.21.17:123) is working properly.
3/27/2012 8:30:03 PM, Error: EventLog [6008] - The previous system shutdown at 8:27:29 PM on 3/27/2012 was unexpected.
3/27/2012 8:18:29 PM, Error: EventLog [6008] - The previous system shutdown at 8:15:55 PM on 3/27/2012 was unexpected.
3/27/2012 8:12:38 PM, Error: Microsoft-Windows-Time-Service [34] - The time service has detected that the system time needs to be changed by +4411248 seconds. The time service will not change the system time by more than +54000 seconds. Verify that your time and time zone are correct, and that the time source time.windows.com,0x9 (ntp.m|0x9|0.0.0.0:123->65.55.21.17:123) is working properly.
3/27/2012 8:11:55 PM, Error: EventLog [6008] - The previous system shutdown at 8:10:10 PM on 3/27/2012 was unexpected.
3/27/2012 7:39:37 PM, Error: EventLog [6008] - The previous system shutdown at 7:37:43 PM on 3/27/2012 was unexpected.
3/27/2012 7:09:06 PM, Error: EventLog [6008] - The previous system shutdown at 7:07:36 PM on 3/27/2012 was unexpected.
3/26/2012 7:55:54 AM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD DfsC NetBIOS netbt nsiproxy PSched RasAcd rdbss SbFw Smb spldr Tcpip tdx Wanarpv6
3/26/2012 7:54:37 AM, Error: EventLog [6008] - The previous system shutdown at 7:51:09 AM on 3/26/2012 was unexpected.
3/26/2012 7:13:27 PM, Error: Microsoft-Windows-Time-Service [34] - The time service has detected that the system time needs to be changed by +4411249 seconds. The time service will not change the system time by more than +54000 seconds. Verify that your time and time zone are correct, and that the time source time.windows.com,0x9 (ntp.m|0x9|0.0.0.0:123->65.55.21.13:123) is working properly.
3/26/2012 6:58:09 AM, Error: EventLog [6008] - The previous system shutdown at 9:39:45 PM on 3/25/2012 was unexpected.
3/26/2012 6:14:34 PM, Error: Service Control Manager [7023] - The Vpnva service terminated with the following error: The specified module could not be found.
3/26/2012 2:14:14 PM, Error: Microsoft-Windows-Time-Service [34] - The time service has detected that the system time needs to be changed by +4411250 seconds. The time service will not change the system time by more than +54000 seconds. Verify that your time and time zone are correct, and that the time source time.windows.com,0x9 (ntp.m|0x9|0.0.0.0:123->65.55.21.24:123) is working properly.
3/26/2012 2:04:42 PM, Error: Service Control Manager [7023] - The PTproct service terminated with the following error: The specified module could not be found.
3/26/2012 2:03:41 PM, Error: Service Control Manager [7023] - The Se2Cunic service terminated with the following error: The specified module could not be found.
3/26/2012 2:02:37 PM, Error: Service Control Manager [7023] - The Id2scaps service terminated with the following error: The specified module could not be found.
3/26/2012 2:01:35 PM, Error: Service Control Manager [7023] - The Nimcdldu service terminated with the following error: The specified module could not be found.
3/26/2012 12:51:09 PM, Error: Service Control Manager [7023] - The Srservice service terminated with the following error: The specified module could not be found.
3/26/2012 1:59:00 PM, Error: EventLog [6008] - The previous system shutdown at 1:56:15 PM on 3/26/2012 was unexpected.
3/26/2012 1:05:04 PM, Error: Microsoft-Windows-Time-Service [34] - The time service has detected that the system time needs to be changed by +4411249 seconds. The time service will not change the system time by more than +54000 seconds. Verify that your time and time zone are correct, and that the time source time.windows.com,0x9 (ntp.m|0x9|0.0.0.0:123->65.55.21.15:123) is working properly.
3/25/2012 9:32:57 PM, Error: Microsoft-Windows-Time-Service [34] - The time service has detected that the system time needs to be changed by +4411249 seconds. The time service will not change the system time by more than +54000 seconds. Verify that your time and time zone are correct, and that the time source time.windows.com,0x9 (ntp.m|0x9|0.0.0.0:123->65.55.21.23:123) is working properly. 3/25/2012 9:20:43 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Google Update Service (gupdate) service to connect. 3/25/2012 9:20:43 PM, Error: Service Control Manager [7000] - The Google Update Service (gupdate) service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion. 3/25/2012 9:18:56 PM, Error: Service Control Manager [7023] - The Contentindex service terminated with the following error: The specified module could not be found. 3/25/2012 9:18:56 PM, Error: Service Control Manager [7001] - The SBSD Security Center Service service depends on the Security Center service which failed to start because of the following error: The account specified for this service is different from the account specified for other services running in the same process. 3/25/2012 9:17:39 PM, Error: EventLog [6008] - The previous system shutdown at 9:15:13 PM on 3/25/2012 was unexpected. 3/25/2012 8:36:24 PM, Error: Microsoft-Windows-Time-Service [34] - The time service has detected that the system time needs to be changed by +4411248 seconds. The time service will not change the system time by more than +54000 seconds. Verify that your time and time zone are correct, and that the time source time.windows.com,0x9 (ntp.m|0x9|0.0.0.0:123->65.55.21.15:123) is working properly. 3/25/2012 8:10:51 PM, Error: Service Control Manager [7000] - The sbwtis service failed to start due to the following error: There are no more endpoints available from the endpoint mapper. 
3/25/2012 8:06:35 PM, Error: Microsoft-Windows-Time-Service [34] - The time service has detected that the system time needs to be changed by +4411248 seconds. The time service will not change the system time by more than +54000 seconds. Verify that your time and time zone are correct, and that the time source time.windows.com,0x9 (ntp.m|0x9|0.0.0.0:123->65.55.21.13:123) is working properly. 3/25/2012 7:53:25 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Steam Client Service service to connect. 3/25/2012 7:53:25 PM, Error: Service Control Manager [7000] - The Steam Client Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion. 3/25/2012 7:52:45 PM, Error: Service Control Manager [7000] - The Security Center service failed to start due to the following error: The account specified for this service is different from the account specified for other services running in the same process. 3/25/2012 7:36:00 PM, Error: Microsoft-Windows-Time-Service [34] - The time service has detected that the system time needs to be changed by +4411248 seconds. The time service will not change the system time by more than +54000 seconds. Verify that your time and time zone are correct, and that the time source time.windows.com,0x9 (ntp.m|0x9|0.0.0.0:123->65.55.21.21:123) is working properly. 3/25/2012 7:27:32 PM, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the User Profile Service service, but this action failed with the following error: An instance of the service is already running. 3/25/2012 7:20:48 PM, Error: EventLog [6008] - The previous system shutdown at 7:14:05 PM on 3/25/2012 was unexpected. 
3/25/2012 7:09:33 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service NVSvc with arguments "" in order to run the server: {DCAB0989-1301-4319-BE5F-ADE89F88581C} 3/25/2012 7:09:23 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {9E175B6D-F52A-11D8-B9A5-505054503030} 3/25/2012 7:09:22 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39} 3/25/2012 7:08:49 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netprofm with arguments "" in order to run the server: {A47979D2-C419-11D9-A5B4-001185AD2B89} 3/25/2012 7:08:49 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service netman with arguments "" in order to run the server: {BA126AD1-2166-11D1-B1D0-00805FC1270E} 3/25/2012 7:08:49 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1068" attempting to start the service fdPHost with arguments "" in order to run the server: {145B4335-FE2A-4927-A040-7C35AD3180EF} 3/25/2012 7:08:48 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF} 3/25/2012 7:08:41 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1084" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {DD522ACC-F821-461A-A407-50B198B896DC} 3/25/2012 7:08:33 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD DfsC NetBIOS netbt nsiproxy PSched RasAcd rdbss Smb spldr Tcpip tdx Wanarpv6 3/25/2012 7:08:33 PM, 
Error: Service Control Manager [7001] - The Workstation service depends on the Network Store Interface Service service which failed to start because of the following error: The dependency service or group failed to start. 3/25/2012 7:08:33 PM, Error: Service Control Manager [7001] - The WebDav Client Redirector Driver service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning. 3/25/2012 7:08:33 PM, Error: Service Control Manager [7001] - The WebClient service depends on the WebDav Client Redirector Driver service which failed to start because of the following error: The dependency service or group failed to start. 3/25/2012 7:08:33 PM, Error: Service Control Manager [7001] - The TCP/IP Registry Compatibility service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning. 3/25/2012 7:08:33 PM, Error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the Ancilliary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning. 3/25/2012 7:08:33 PM, Error: Service Control Manager [7001] - The SMB MiniRedirector Wrapper and Engine service depends on the Redirected Buffering Sub Sysytem service which failed to start because of the following error: A device attached to the system is not functioning. 3/25/2012 7:08:33 PM, Error: Service Control Manager [7001] - The SMB 2.0 MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start. 
3/25/2012 7:08:33 PM, Error: Service Control Manager [7001] - The SMB 1.x MiniRedirector service depends on the SMB MiniRedirector Wrapper and Engine service which failed to start because of the following error: The dependency service or group failed to start. 3/25/2012 7:08:33 PM, Error: Service Control Manager [7001] - The Network Store Interface Service service depends on the NSI proxy service service which failed to start because of the following error: A device attached to the system is not functioning. 3/25/2012 7:08:33 PM, Error: Service Control Manager [7001] - The Network Location Awareness service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning. 3/25/2012 7:08:33 PM, Error: Service Control Manager [7001] - The Network List Service service depends on the Network Location Awareness service which failed to start because of the following error: The dependency service or group failed to start. 3/25/2012 7:08:33 PM, Error: Service Control Manager [7001] - The IP Traffic Filter Driver service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning. 3/25/2012 7:08:33 PM, Error: Service Control Manager [7001] - The DNS Client service depends on the NetIO Legacy TDI Support Driver service which failed to start because of the following error: A device attached to the system is not functioning. 3/25/2012 7:08:33 PM, Error: Service Control Manager [7001] - The DHCP Client service depends on the Ancilliary Function Driver for Winsock service which failed to start because of the following error: A device attached to the system is not functioning. 3/25/2012 7:08:33 PM, Error: Service Control Manager [7001] - The Computer Browser service depends on the Server service which failed to start because of the following error: The dependency service or group failed to start. 
3/25/2012 7:08:33 PM, Error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning. 3/25/2012 7:08:33 PM, Error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning. 3/25/2012 7:07:23 PM, Error: EventLog [6008] - The previous system shutdown at 5:41:14 PM on 3/25/2012 was unexpected. 3/25/2012 5:24:43 PM, Error: EventLog [6008] - The previous system shutdown at 8:34:54 PM on 3/21/2012 was unexpected. 3/21/2012 7:11:06 PM, Error: Microsoft-Windows-Time-Service [34] - The time service has detected that the system time needs to be changed by +4411252 seconds. The time service will not change the system time by more than +54000 seconds. Verify that your time and time zone are correct, and that the time source time.windows.com,0x9 (ntp.m|0x9|0.0.0.0:123->65.55.21.17:123) is working properly. 3/21/2012 6:55:52 PM, Error: EventLog [6008] - The previous system shutdown at 6:54:32 PM on 3/21/2012 was unexpected. 3/21/2012 5:53:54 AM, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Management Instrumentation service, but this action failed with the following error: An instance of the service is already running. 3/21/2012 5:53:54 AM, Error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Remote Access Connection Manager service, but this action failed with the following error: An instance of the service is already running. 
3/21/2012 3:36:45 AM, Error: Microsoft-Windows-Time-Service [34] - The time service has detected that the system time needs to be changed by +4411250 seconds. The time service will not change the system time by more than +54000 seconds. Verify that your time and time zone are correct, and that the time source time.windows.com,0x9 (ntp.m|0x9|0.0.0.0:123->65.55.21.21:123) is working properly. 3/21/2012 3:22:49 AM, Error: Service Control Manager [7023] - The Computer Browser service terminated with the following error: The specified service does not exist as an installed service. 3/21/2012 3:22:49 AM, Error: Service Control Manager [7003] - The IPsec Policy Agent service depends the following service: BFE. This service might not be installed. 3/21/2012 3:22:49 AM, Error: Service Control Manager [7003] - The IKE and AuthIP IPsec Keying Modules service depends the following service: BFE. This service might not be installed. 3/21/2012 3:22:49 AM, Error: Service Control Manager [7000] - The Spooler service failed to start due to the following error: The system cannot find the file specified. 3/21/2012 3:22:49 AM, Error: Service Control Manager [7000] - The Parallel port driver service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it. 3/21/2012 3:21:42 AM, Error: Microsoft-Windows-WLAN-AutoConfig [10000] - WLAN Extensibility Module has failed to start. Module Path: C:\Windows\system32\athihvs.dll Error Code: 126 . ==== End Of File ===========================
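Two things in the event-log section above are worth pulling out before any tool is run, and the Python below is an added example (not part of this thread, and not DDS's own code) that does it from the flattened lines. Every Microsoft-Windows-Time-Service [34] entry says the clock needs to move by about +4411249 seconds, roughly 51 days, and that the time service will not apply more than +54000 seconds (15 hours) on its own; that is why the calendar sits on March 28, and why the Malwarebytes logs posted later are dated 3/31 and 4/5 although they were posted on May 21 and May 26, 51 days later in each case. The Service Control Manager [7026] entries list AFD, Tcpip, netbt and the rest of the network stack as boot-start drivers that failed to load, which is what the chain of 7001 "TCP/IP Protocol Driver ... A device attached to the system is not functioning" errors follows from, and why the earlier question about a working internet connection matters. The sample lines are copied from the log above; the function names are mine.

```python
"""Triage the event-log section of a DDS report (added example).

Parses 'Event Viewer Messages From Past Week' lines and reports the
clock skew w32time asked for, the number of dirty shutdowns, and the
boot-start drivers that failed to load. Not code from the thread or
from DDS; the sample lines are copied from the posted log, and the
function names are this example's own.
"""
import re
from datetime import datetime, timedelta

# Constructed sample: four events copied verbatim from the posted DDS log.
SAMPLE_EVENTS = """\
3/28/2012 7:16:33 PM, Error: EventLog [6008] - The previous system shutdown at 7:14:49 PM on 3/28/2012 was unexpected.
3/27/2012 8:45:25 PM, Error: Microsoft-Windows-Time-Service [34] - The time service has detected that the system time needs to be changed by +4411249 seconds. The time service will not change the system time by more than +54000 seconds. Verify that your time and time zone are correct, and that the time source time.windows.com,0x9 (ntp.m|0x9|0.0.0.0:123->65.55.21.17:123) is working properly.
3/26/2012 7:55:54 AM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD DfsC NetBIOS netbt nsiproxy PSched RasAcd rdbss SbFw Smb spldr Tcpip tdx Wanarpv6
3/25/2012 7:08:33 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD DfsC NetBIOS netbt nsiproxy PSched RasAcd rdbss Smb spldr Tcpip tdx Wanarpv6
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M), "
    r"(?P<level>\w+): (?P<source>[^\[]+) \[(?P<id>\d+)\] - (?P<msg>.*)$"
)
SKEW_RE = re.compile(r"needs to be changed by ([+-]?\d+) seconds")
DRIVERS_RE = re.compile(r"failed to load: (.*)$")
# The ceiling on an automatic correction that the log itself quotes.
MAX_AUTO_CORRECTION = timedelta(seconds=54000)
# Drivers without which nothing on the box can open a socket.
NETWORK_CORE = {"Tcpip", "AFD"}


def parse_events(text):
    """One dict per event line; lines that do not match DDS's layout are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m.group("ts"), "%m/%d/%Y %I:%M:%S %p"),
            "level": m.group("level"),
            "source": m.group("source").strip(),
            "id": int(m.group("id")),
            "msg": m.group("msg"),
        })
    return events


def clock_skew(events):
    """Largest correction requested in a Time-Service [34] event, as a timedelta."""
    offsets = [int(m.group(1))
               for e in events if e["id"] == 34 and "Time-Service" in e["source"]
               for m in [SKEW_RE.search(e["msg"])] if m]
    return timedelta(seconds=max(offsets, key=abs)) if offsets else timedelta(0)


def clock_is_stuck(events):
    """True when the skew exceeds what w32time will fix unattended."""
    return abs(clock_skew(events)) > MAX_AUTO_CORRECTION


def unexpected_shutdown_count(events):
    """EventLog 6008 = dirty shutdown (crash, power loss, hard reset)."""
    return sum(1 for e in events if e["id"] == 6008 and e["source"] == "EventLog")


def failed_boot_drivers(events):
    """Union of boot-start drivers named in Service Control Manager 7026 events."""
    names = set()
    for e in events:
        if e["id"] == 7026 and e["source"] == "Service Control Manager":
            m = DRIVERS_RE.search(e["msg"])
            if m:
                names.update(m.group(1).split())
    return names


def network_stack_down(events):
    """True when Tcpip or AFD is among the drivers that failed to load."""
    return bool(NETWORK_CORE & failed_boot_drivers(events))


def corrected_timestamp(local_ts, skew):
    """Shift a timestamp logged by the skewed clock onto real wall-clock time."""
    return local_ts + skew


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    skew = clock_skew(evs)
    print(f"clock behind by {skew} ({skew.days} days); stuck: {clock_is_stuck(evs)}")
    print(f"unexpected shutdowns: {unexpected_shutdown_count(evs)}")
    print(f"boot-start drivers failing: {sorted(failed_boot_drivers(evs))}")
    print(f"network stack down: {network_stack_down(evs)}")
    for e in evs:
        print(e["ts"], "->", corrected_timestamp(e["ts"], skew), e["source"], e["id"])
```

Adding the skew to a logged timestamp puts the 3/28/2012 7:16:33 PM shutdown at 18 May 2012 20:37:22, which is the day this thread was opened, so the "System Uptime" line is really the boot that preceded the DDS run. Every timestamp taken from this machine (the Malwarebytes logs, file modification times, the date in TDSSKiller's log name) needs the same shift before it is lined up against an outside timeline.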
Mark1956's Avatar
Malware Removal Specialist with 13,931 posts.
 
Join Date: May 2011
Location: Spain
Experience: Advanced
20-May-2012, 07:32 AM #4
We need to run Malwarebytes on the infected PC, please follow these instructions. After the scan has been run and the system rebooted, see if there is any improvement in its performance, see if it will connect to the internet and report back. The system is infected and very much out of date so there will be more to do even if Malwarebytes gets it working again. Ad-Aware and Spybot are no longer recommended as good security software so they will also need to be replaced, I'll give instructions for this later.

Let me know if there are any problems encountered and any error messages you receive.


Installing and running Malwarebytes with no internet connection


STEP 1
  • Using a working PC with an internet connection click on both of these two links to download Malwarebytes and MBAM Rules.exe and save both to the desktop. Important!! When you save the mbam-setup file, rename it to something random (such as 123abc.exe) before beginning the download.
  • Copy both to a memory stick or a rewritable CD/DVD (a writable CD/DVD will be fine if you have nothing else).
  • Put the memory stick or disc into the infected PC and copy the files onto the desktop.
  • Double click on the Malwarebytes file to install it. Near the end of the installation uncheck the boxes to Update Malwarebytes Anti-Malware and to Launch Malwarebytes Anti-Malware.
  • Once installed double click on MBAM Rules.exe file to update the program.
STEP 2
  • Malwarebytes may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Double click on the Malwarebytes icon (Decline the offer of the full trial version).
  • Perform Quick Scan should already appear as selected, click on the Scan button and let it run.
  • After completing the scan, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab.
  • Copy the log and transfer it to the PC with internet connection, open the log in Notepad then copy and paste it into your next post. Be sure to post the complete log to include the top portion which shows the database version and your operating system.
  • Exit Malwarebytes when done.
If Malwarebytes encounters a file that is difficult to remove, you will be asked to reboot your computer so it can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally will prevent Malwarebytes from removing all the malware.
NOTE: Some types of malware will target Malwarebytes and may stop it from running. If that's the case, follow the instructions in this link on the working PC to use Malwarebytes Chameleon.
Mark1956's Avatar
Malware Removal Specialist with 13,931 posts.
 
Join Date: May 2011
Location: Spain
Experience: Advanced
20-May-2012, 07:59 AM #5
I forgot to add, if you need to back up any important data follow the instructions I gave in post 2 and use the last option which uses an Ubuntu live CD, this will run in dos and should give access to the files you may wish to save.
PJL's Avatar
PJL PJL is offline
Member with 8 posts.
THREAD STARTER
 
Join Date: May 2012
21-May-2012, 05:28 PM #6
Log from MalwareBytes
======================

Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.05.21.02

Windows Vista Service Pack 1 x86 NTFS
Internet Explorer 7.0.6001.18000
Laura :: INAC [administrator]

3/31/2012 2:34:50 PM
mbam-log-2012-03-31 (15-02-23).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 214541
Time elapsed: 8 minute(s), 16 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 5
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|SanctionedMedia (Trojan.Happili.XGen) -> Data: rundll32.exe "C:\Windows\system32\config\systemprofile\AppData\Local\Temp\SanctionedMedia\rulgejmj.dll",DllRegisterServer -> No action taken.
HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|SanctionedMedia (Trojan.Happili.XGen) -> Data: rundll32.exe "C:\Windows\system32\config\systemprofile\AppData\Local\Temp\SanctionedMedia\rulgejmj.dll",DllRegisterServer -> No action taken.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Adobe (Trojan.Happili.XGen) -> Data: rundll32.exe "C:\Windows\system32\config\systemprofile\AppData\Local\Temp\Adobe\pigpew.dll",DllRegisterServer -> No action taken.
HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Adobe (Trojan.Happili.XGen) -> Data: rundll32.exe "C:\Windows\system32\config\systemprofile\AppData\Local\Temp\Adobe\pigpew.dll",DllRegisterServer -> No action taken.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|dplaysvr (Trojan.QHost.BG) -> Data: C:\Windows\system32\config\systemprofile\AppData\Local\dplaysvr.exe -> No action taken.

Registry Data Items Detected: 5
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowMyComputer (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowSearch (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken.
HKLM\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command| (Hijack.StartMenuInternet) -> Bad: ("C:\Windows\system32\config\systemprofile\AppData\Local\apq.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe") Good: (firefox.exe) -> No action taken.
HKLM\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command| (Hijack.StartMenuInternet) -> Bad: ("C:\Windows\system32\config\systemprofile\AppData\Local\apq.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> No action taken.
HKLM\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command| (Hijack.StartMenuInternet) -> Bad: ("C:\Windows\system32\config\systemprofile\AppData\Local\apq.exe" -a "C:\Program Files\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> No action taken.

Folders Detected: 0
(No malicious items detected)

Files Detected: 19
C:\Windows\System32\config\systemprofile\AppData\Local\Temp\SanctionedMedia\rulgejmj.dll (Trojan.Happili.XGen) -> No action taken.
C:\Windows\System32\config\systemprofile\AppData\Local\Temp\Adobe\pigpew.dll (Trojan.Happili.XGen) -> No action taken.
C:\ProgramData\h6uNCcOMeZeaK7.exe (Rogue.FakeAV) -> No action taken.
C:\Windows\System32\config\systemprofile\AppData\Local\Temp\SanctionedMedia\ooawh.dll (Trojan.Happili.XGen) -> No action taken.
C:\Windows\Temp\0.044558822435540546 (Trojan.Happili) -> No action taken.
C:\Windows\Temp\0.13488998419135512 (Trojan.Happili) -> No action taken.
C:\Windows\Temp\0.41624833408118644 (Trojan.Happili) -> No action taken.
C:\Windows\Temp\0.4841467003257599 (Trojan.Happili) -> No action taken.
C:\Windows\Temp\0.6046062653884048 (Trojan.Happili) -> No action taken.
C:\Windows\Temp\5.070198365187197E8.tmp (Trojan.FakeMS) -> No action taken.
C:\Windows\Temp\hwkfwismsweq.exe (Trojan.Cleaman) -> No action taken.
C:\Windows\Temp\tuqhrjcxhxmswqztsvpu.exe (Trojan.Cleaman) -> No action taken.
C:\Windows\Temp\cqyfbpgdmawpcemccgfdhsfkf.exe (Trojan.Cleaman) -> No action taken.
C:\Windows\Temp\xmncsdiibgqcwedc.exe (Rootkit.TDSS) -> No action taken.
C:\Windows\Temp\nsa3776.tmp\ynvul.dll (Trojan.Happili.XGen) -> No action taken.
C:\Windows\Temp\nscE7A2.tmp\ooawh.dll (Trojan.Happili.XGen) -> No action taken.
C:\Windows\Temp\nscE7A2.tmp\rulgejmj.dll (Trojan.Happili.XGen) -> No action taken.
C:\Windows\Temp\nsqF104.tmp\wfibwnka.dll (Trojan.Happili.XGen) -> No action taken.
C:\Windows\Temp\nsw6A10.tmp\pigpew.dll (Trojan.Happili.XGen) -> No action taken.

(end)
Mark1956's Avatar
Malware Removal Specialist with 13,931 posts.
 
Join Date: May 2011
Location: Spain
Experience: Advanced
21-May-2012, 07:37 PM #7
Ok, a lot of those detections are in Temporary folders so let's clean out all the temporary files following the guide below, then run Malwarebytes again and we will see what we are left to deal with. There is also a TDSS Rootkit detected so please also run TDSSKiller.

Step 1
Download Temporary file cleaner and save it to the desktop.
Double click on the icon to run it (it appears as a dark grey dustbin). For Windows 7 and Vista right click the icon and select Run as Administrator.
When the window opens click on Start. It will close all running programs and clear the desktop icons.
When complete you will be asked to reboot, accept the request and your PC will reboot automatically.

Step 2
Re-run Malwarebytes and post the log.

Step 3
Please download Kaspersky's TDSSKiller and save it to your Desktop. <-Important!
-- The tool is frequently updated...if you used TDSSKiller before, delete that version and download the most current one before using again.

Be sure to print out and follow the instructions for performing a scan.
  • Extract (unzip) the file to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the Desktop.
  • Alternatively, you can download TDSSKiller.exe and use that instead.
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If an update is available, TDSSKiller will prompt you to update and download the most current version. Click Load Update. Close TDSSKiller and start again.
  • When the program opens, click the Change parameters.

  • Under "Additional options", check the boxes next to Verify file digital signatures and Detect TDLFS file system, then click OK.

  • Click the Start Scan button.

  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If 'Suspicious objects' are detected, the default action will be Skip. Leave the default set to Skip and click on Continue.
  • If Malicious objects are detected, they will show in the Scan results - Select action for found objects and offer three options.

  • Ensure Cure is selected...then click Continue -> Reboot computer for cure completion.

  • Important! -> If Cure is not available, please choose Skip instead. Do not choose Delete unless instructed. If you choose Delete you may remove critical system files and make your PC unstable or possibly unbootable.
  • A log file named TDSSKiller_version_date_time_log.txt will be created and saved to the root directory (usually Local Disk C).
  • Copy and paste the contents of that file in your next reply.
-- If TDSSKiller does not run, try renaming it. To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to these instructions. In some cases it may be necessary to redownload TDSSKiller and randomly rename it to something else before beginning the download and saving to the computer or to perform the scan in "safe mode".
Mark1956's Avatar
Malware Removal Specialist with 13,931 posts.
 
Join Date: May 2011
Location: Spain
Experience: Advanced
24-May-2012, 04:09 AM #8
Are you still with us PJL?
If you no longer require assistance then please let me know so I can move on to helping others that are waiting.
If you require more time, due to other commitments, then please tell me.
If you are having difficulty with the instructions then please tell me so I can help guide you through them.
PJL's Avatar
PJL PJL is offline
Member with 8 posts.
THREAD STARTER
 
Join Date: May 2012
26-May-2012, 05:09 PM #9
Didn't get the message
Sorry I didn't get the message that you had replied. Looks like a bunch to do. Will do as soon as possible and report results.

TX, PJL
Mark1956's Avatar
Malware Removal Specialist with 13,931 posts.
 
Join Date: May 2011
Location: Spain
Experience: Advanced
26-May-2012, 05:54 PM #10
PJL's Avatar
PJL PJL is offline
Member with 8 posts.
THREAD STARTER
 
Join Date: May 2012
26-May-2012, 08:10 PM #11
MB Log
Okay, Mark, here's the latest log from Malwarebytes. I'm off to rendezvous with Kaspersky's Killer:

Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.05.21.02

Windows Vista Service Pack 1 x86 UDF
Internet Explorer 7.0.6001.18000
Laura :: INAC [administrator]

4/5/2012 5:53:26 PM
mbam-log-2012-04-05 (18-18-39)

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 212306
Time elapsed: 6 minute(s), 17 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 5
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|SanctionedMedia (Trojan.Happili.XGen) -> Data: rundll32.exe "C:\Windows\system32\config\systemprofile\AppData\Local\Temp\SanctionedMedia\rulgejmj.dll",DllRegisterServer -> No action taken.
HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|SanctionedMedia (Trojan.Happili.XGen) -> Data: rundll32.exe "C:\Windows\system32\config\systemprofile\AppData\Local\Temp\SanctionedMedia\rulgejmj.dll",DllRegisterServer -> No action taken.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Adobe (Trojan.Happili.XGen) -> Data: rundll32.exe "C:\Windows\system32\config\systemprofile\AppData\Local\Temp\Adobe\pigpew.dll",DllRegisterServer -> No action taken.
HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Adobe (Trojan.Happili.XGen) -> Data: rundll32.exe "C:\Windows\system32\config\systemprofile\AppData\Local\Temp\Adobe\pigpew.dll",DllRegisterServer -> No action taken.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|dplaysvr (Trojan.QHost.BG) -> Data: C:\Windows\system32\config\systemprofile\AppData\Local\dplaysvr.exe -> No action taken.

Registry Data Items Detected: 5
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowMyComputer (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowSearch (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken.
HKLM\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command| (Hijack.StartMenuInternet) -> Bad: ("C:\Windows\system32\config\systemprofile\AppData\Local\apq.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe") Good: (firefox.exe) -> No action taken.
HKLM\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command| (Hijack.StartMenuInternet) -> Bad: ("C:\Windows\system32\config\systemprofile\AppData\Local\apq.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> No action taken.
HKLM\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command| (Hijack.StartMenuInternet) -> Bad: ("C:\Windows\system32\config\systemprofile\AppData\Local\apq.exe" -a "C:\Program Files\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> No action taken.

Folders Detected: 0
(No malicious items detected)

Files Detected: 3
C:\Windows\System32\config\systemprofile\AppData\Local\Temp\SanctionedMedia\rulgejmj.dll (Trojan.Happili.XGen) -> No action taken.
C:\Windows\System32\config\systemprofile\AppData\Local\Temp\Adobe\pigpew.dll (Trojan.Happili.XGen) -> No action taken.
C:\Windows\System32\config\systemprofile\AppData\Local\Temp\SanctionedMedia\ooawh.dll (Trojan.Happili.XGen) -> No action taken.

(end)
PJL (thread starter)
Join Date: May 2012
26-May-2012, 10:37 PM #12
The Killer
Finally, I have the results from the TDSSKiller. It took a while since I didn't notice the Report button up in the top left corner and had to pull out my MS-DOS cheat sheet (it's on Wikipedia) in order to find the report and move it to my DVD so that I could change computers and send this to you. Despite all that we've done so far, the screen remains virtually blank, as does the whole start bar, including the Program Files. The only changes are that some of the programs I've installed are now listed in one or both of those locations.

As to the blank Program Files, there's one thing that I may not have mentioned earlier. After the two suspicious "Access Denied" messages, there appears a box that has text arranged somewhat like this:
-----------------------------------------

System Startup
Global Entry nYdUInRnEpi.exe
__________________________________
Old Data: C:\Programdata\nYdUInRnEpi.exe
-------------------------------------------
Anyway, here's the Killer Message (note that the date and time are advancing but they still cannot be manually corrected):

19:09:52.0334 3740 TDSS rootkit removing tool 2.7.37.0 May 23 2012 08:15:30
19:09:52.0380 3740 ============================================================
19:09:52.0380 3740 Current date / time: 2012/04/05 19:09:52.0380
19:09:52.0380 3740 SystemInfo:
19:09:52.0380 3740
19:09:52.0380 3740 OS Version: 6.0.6001 ServicePack: 1.0
19:09:52.0380 3740 Product type: Workstation
19:09:52.0380 3740 ComputerName: INAC
19:09:52.0381 3740 UserName: Laura
19:09:52.0381 3740 Windows directory: C:\Windows
19:09:52.0381 3740 System windows directory: C:\Windows
19:09:52.0381 3740 Processor architecture: Intel x86
19:09:52.0381 3740 Number of processors: 2
19:09:52.0381 3740 Page size: 0x1000
19:09:52.0381 3740 Boot type: Normal boot
19:09:52.0381 3740 ============================================================
19:09:53.0905 3740 Drive \Device\Harddisk0\DR0 - Size: 0x25433D6000 (149.05 Gb), SectorSize: 0x200, Cylinders: 0x4C01, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000050
19:09:53.0909 3740 ============================================================
19:09:53.0909 3740 \Device\Harddisk0\DR0:
19:09:53.0909 3740 MBR partitions:
19:09:53.0909 3740 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x1400800, BlocksNum 0x8B0C000
19:09:53.0909 3740 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x9F0C800, BlocksNum 0x8B0C800
19:09:53.0909 3740 ============================================================
19:09:53.0941 3740 C: <-> \Device\Harddisk0\DR0\Partition0
19:09:54.0002 3740 D: <-> \Device\Harddisk0\DR0\Partition1
19:09:54.0002 3740 ============================================================
19:09:54.0002 3740 Initialize success
19:09:54.0003 3740 ============================================================
19:10:33.0432 2600 ============================================================
19:10:33.0432 2600 Scan started
19:10:33.0432 2600 Mode: Manual; SigCheck; TDLFS;
19:10:33.0432 2600 ============================================================
19:10:34.0144 2600 ACPI (fcb8c7210f0135e24c6580f7f649c73c) C:\Windows\system32\drivers\acpi.sys
19:10:34.0282 2600 ACPI - ok
19:10:34.0651 2600 Ad-Aware Service (09e61047b0cef21559cfcedf4f14d216) C:\Program Files\Ad-Aware Antivirus\AdAwareService.exe
19:10:34.0720 2600 Ad-Aware Service - ok
19:10:34.0927 2600 adp94xx (04f0fcac69c7c71a3ac4eb97fafc8303) C:\Windows\system32\drivers\adp94xx.sys
19:10:34.0992 2600 adp94xx - ok
19:10:35.0050 2600 adpahci (60505e0041f7751bdbb80f88bf45c2ce) C:\Windows\system32\drivers\adpahci.sys
19:10:35.0111 2600 adpahci - ok
19:10:35.0132 2600 adpu160m (8a42779b02aec986eab64ecfc98f8bd7) C:\Windows\system32\drivers\adpu160m.sys
19:10:35.0151 2600 adpu160m - ok
19:10:35.0198 2600 adpu320 (241c9e37f8ce45ef51c3de27515ca4e5) C:\Windows\system32\drivers\adpu320.sys
19:10:35.0220 2600 adpu320 - ok
19:10:35.0265 2600 AeLookupSvc (9d1fda9e086ba64e3c93c9de32461bcf) C:\Windows\System32\aelupsvc.dll
19:10:35.0299 2600 AeLookupSvc - ok
19:10:35.0365 2600 AFD (48eb99503533c27ac6135648e5474457) C:\Windows\system32\drivers\afd.sys
19:10:35.0441 2600 AFD - ok
19:10:35.0478 2600 agp440 (13f9e33747e6b41a3ff305c37db0d360) C:\Windows\system32\drivers\agp440.sys
19:10:35.0495 2600 agp440 - ok
19:10:35.0520 2600 aic78xx (ae1fdf7bf7bb6c6a70f67699d880592a) C:\Windows\system32\drivers\djsvs.sys
19:10:35.0552 2600 aic78xx - ok
19:10:35.0576 2600 ALG (a1545b731579895d8cc44fc0481c1192) C:\Windows\System32\alg.exe
19:10:35.0617 2600 ALG - ok
19:10:35.0638 2600 aliide (9eaef5fc9b8e351afa7e78a6fae91f91) C:\Windows\system32\drivers\aliide.sys
19:10:35.0672 2600 aliide - ok
19:10:35.0700 2600 amdagp (c47344bc706e5f0b9dce369516661578) C:\Windows\system32\drivers\amdagp.sys
19:10:35.0715 2600 amdagp - ok
19:10:35.0740 2600 amdide (9b78a39a4c173fdbc1321e0dd659b34c) C:\Windows\system32\drivers\amdide.sys
19:10:35.0753 2600 amdide - ok
19:10:35.0778 2600 AmdK7 (18f29b49ad23ecee3d2a826c725c8d48) C:\Windows\system32\drivers\amdk7.sys
19:10:35.0820 2600 AmdK7 - ok
19:10:35.0849 2600 AmdK8 (93ae7f7dd54ab986a6f1a1b37be7442d) C:\Windows\system32\drivers\amdk8.sys
19:10:35.0906 2600 AmdK8 - ok
19:10:35.0947 2600 Appinfo (c6d704c7f0434dc791aac37cac4b6e14) C:\Windows\System32\appinfo.dll
19:10:35.0965 2600 Appinfo - ok
19:10:36.0100 2600 Apple Mobile Device (3debbecf665dcdde3a95d9b902010817) C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
19:10:36.0115 2600 Apple Mobile Device - ok
19:10:36.0142 2600 arc (5d2888182fb46632511acee92fdad522) C:\Windows\system32\drivers\arc.sys
19:10:36.0173 2600 arc - ok
19:10:36.0202 2600 arcsas (5e2a321bd7c8b3624e41fdec3e244945) C:\Windows\system32\drivers\arcsas.sys
19:10:36.0219 2600 arcsas - ok
19:10:36.0324 2600 aspnet_state (776acefa0ca9df0faa51a5fb2f435705) C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe
19:10:36.0339 2600 aspnet_state - ok
19:10:36.0391 2600 AsyncMac (53b202abee6455406254444303e87be1) C:\Windows\system32\DRIVERS\asyncmac.sys
19:10:36.0427 2600 AsyncMac - ok
19:10:36.0453 2600 atapi (0d83c87a801a3dfcd1bf73893fe7518c) C:\Windows\system32\drivers\atapi.sys
19:10:36.0465 2600 atapi - ok
19:10:36.0557 2600 athr (567e669b3b252e0c07850ef3c3e12254) C:\Windows\system32\DRIVERS\athr.sys
19:10:36.0663 2600 athr - ok
19:10:36.0734 2600 AudioEndpointBuilder (42076e29aafa0830a2c5d4e310f58dd1) C:\Windows\System32\Audiosrv.dll
19:10:36.0776 2600 AudioEndpointBuilder - ok
19:10:36.0790 2600 Audiosrv (42076e29aafa0830a2c5d4e310f58dd1) C:\Windows\System32\Audiosrv.dll
19:10:36.0837 2600 Audiosrv - ok
19:10:37.0023 2600 b57nd60x (7d0f2bfa273831124fa08526af48af18) C:\Windows\system32\DRIVERS\b57nd60x.sys
19:10:37.0062 2600 b57nd60x - ok
19:10:37.0087 2600 Beep (67e506b75bd5326a3ec7b70bd014dfb6) C:\Windows\system32\drivers\Beep.sys
19:10:37.0123 2600 Beep - ok
19:10:37.0232 2600 BITS (02ed7b4dbc2a3232a389106da7515c3d) C:\Windows\System32\qmgr.dll
19:10:37.0283 2600 BITS - ok
19:10:37.0308 2600 blbdrive (d4df28447741fd3d953526e33a617397) C:\Windows\system32\drivers\blbdrive.sys
19:10:37.0344 2600 blbdrive - ok
19:10:37.0496 2600 Bonjour Service (db5bea73edaf19ac68b2c0fad0f92b1a) C:\Program Files\Bonjour\mDNSResponder.exe
19:10:37.0522 2600 Bonjour Service - ok
19:10:37.0565 2600 bowser (8153396d5551276227fa146900f734e6) C:\Windows\system32\DRIVERS\bowser.sys
19:10:37.0610 2600 bowser - ok
19:10:37.0646 2600 BrFiltLo (9f9acc7f7ccde8a15c282d3f88b43309) C:\Windows\system32\drivers\brfiltlo.sys
19:10:37.0678 2600 BrFiltLo - ok
19:10:37.0694 2600 BrFiltUp (56801ad62213a41f6497f96dee83755a) C:\Windows\system32\drivers\brfiltup.sys
19:10:37.0727 2600 BrFiltUp - ok
19:10:37.0781 2600 Browser (a3629a0c4226f9e9c72faaeebc3ad33c) C:\Windows\System32\browser.dll
19:10:37.0819 2600 Browser - ok
19:10:37.0854 2600 Brserid (b304e75cff293029eddf094246747113) C:\Windows\system32\drivers\brserid.sys
19:10:38.0054 2600 Brserid - ok
19:10:38.0080 2600 BrSerWdm (203f0b1e73adadbbb7b7b1fabd901f6b) C:\Windows\system32\drivers\brserwdm.sys
19:10:38.0146 2600 BrSerWdm - ok
19:10:38.0168 2600 BrUsbMdm (bd456606156ba17e60a04e18016ae54b) C:\Windows\system32\drivers\brusbmdm.sys
19:10:38.0236 2600 BrUsbMdm - ok
19:10:38.0247 2600 BrUsbSer (af72ed54503f717a43268b3cc5faec2e) C:\Windows\system32\drivers\brusbser.sys
19:10:38.0306 2600 BrUsbSer - ok
19:10:38.0338 2600 BTHMODEM (ad07c1ec6665b8b35741ab91200c6b68) C:\Windows\system32\drivers\bthmodem.sys
19:10:38.0413 2600 BTHMODEM - ok
19:10:38.0462 2600 BUNAgentSvc (09e6affae6c0e9158bf05c7d08d0107a) C:\Program Files\NewTech Infosystems\NTI Backup Now 5\Client\Agentsvc.exe
19:10:38.0472 2600 BUNAgentSvc ( UnsignedFile.Multi.Generic ) - warning
19:10:38.0472 2600 BUNAgentSvc - detected UnsignedFile.Multi.Generic (1)
19:10:38.0497 2600 cdfs (7add03e75beb9e6dd102c3081d29840a) C:\Windows\system32\DRIVERS\cdfs.sys
19:10:38.0536 2600 cdfs - ok
19:10:38.0561 2600 cdrom (1ec25cea0de6ac4718bf89f9e1778b57) C:\Windows\system32\DRIVERS\cdrom.sys
19:10:38.0599 2600 cdrom - ok
19:10:38.0666 2600 cdudf_xp - ok
19:10:38.0691 2600 CertPropSvc (87c2d0377b23e2d8a41093c2f5fb1a5b) C:\Windows\System32\certprop.dll
19:10:38.0723 2600 CertPropSvc - ok
19:10:38.0747 2600 circlass (e5d4133f37219dbcfe102bc61072589d) C:\Windows\system32\drivers\circlass.sys
19:10:38.0796 2600 circlass - ok
19:10:38.0838 2600 CLFS (465745561c832b29f7c48b488aab3842) C:\Windows\system32\CLFS.sys
19:10:38.0883 2600 CLFS - ok
19:10:38.0978 2600 clr_optimization_v2.0.50727_32 (d87acaed61e417bba546ced5e7e36d9c) C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
19:10:38.0996 2600 clr_optimization_v2.0.50727_32 - ok
19:10:39.0072 2600 clr_optimization_v4.0.30319_32 (c5a75eb48e2344abdc162bda79e16841) C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
19:10:39.0101 2600 clr_optimization_v4.0.30319_32 - ok
19:10:39.0131 2600 CmBatt (99afc3795b58cc478fbbbcdc658fcb56) C:\Windows\system32\DRIVERS\CmBatt.sys
19:10:39.0170 2600 CmBatt - ok
19:10:39.0184 2600 cmdide (0ca25e686a4928484e9fdabd168ab629) C:\Windows\system32\drivers\cmdide.sys
19:10:39.0200 2600 cmdide - ok
19:10:39.0236 2600 Compbatt (6afef0b60fa25de07c0968983ee4f60a) C:\Windows\system32\DRIVERS\compbatt.sys
19:10:39.0251 2600 Compbatt - ok
19:10:39.0259 2600 COMSysApp - ok
19:10:39.0278 2600 crcdisk (741e9dff4f42d2d8477d0fc1dc0df871) C:\Windows\system32\drivers\crcdisk.sys
19:10:39.0293 2600 crcdisk - ok
19:10:39.0314 2600 Crusoe (1f07becdca750766a96cda811ba86410) C:\Windows\system32\drivers\crusoe.sys
19:10:39.0359 2600 Crusoe - ok
19:10:39.0403 2600 CryptSvc (6de363f9f99334514c46aec02d3e3678) C:\Windows\system32\cryptsvc.dll
19:10:39.0438 2600 CryptSvc - ok
19:10:39.0527 2600 DcomLaunch (301ae00e12408650baddc04dbc832830) C:\Windows\system32\rpcss.dll
19:10:39.0555 2600 DcomLaunch - ok
19:10:39.0621 2600 DfsC (a3e9fa213f443ac77c7746119d13feec) C:\Windows\system32\Drivers\dfsc.sys
19:10:39.0683 2600 DfsC - ok
19:10:39.0878 2600 DFSR (fa3463f25f9cc9c3bcf1e7912feff099) C:\Windows\system32\DFSR.exe
19:10:39.0968 2600 DFSR - ok
19:10:40.0119 2600 Dhcp (43a988a9c10333476cb5fb667cbd629d) C:\Windows\System32\dhcpcsvc.dll
19:10:40.0158 2600 Dhcp - ok
19:10:40.0223 2600 disk (64109e623abd6955c8fb110b592e68b7) C:\Windows\system32\drivers\disk.sys
19:10:40.0245 2600 disk - ok
19:10:40.0271 2600 DKbFltr (73baf270d24fe726b9cd7f80bb17a23d) C:\Windows\system32\DRIVERS\DKbFltr.sys
19:10:40.0475 2600 DKbFltr - ok
19:10:40.0540 2600 Dnscache (4805d9a6d281c7a7defd9094dec6af7d) C:\Windows\System32\dnsrslvr.dll
19:10:40.0570 2600 Dnscache - ok
19:10:40.0626 2600 dot3svc (5af620a08c614e24206b79e8153cf1a8) C:\Windows\System32\dot3svc.dll
19:10:40.0678 2600 dot3svc - ok
19:10:40.0703 2600 DPS (a622e888f8aa2f6b49e9bc466f0e5def) C:\Windows\system32\dps.dll
19:10:40.0738 2600 DPS - ok
19:10:40.0750 2600 drmkaud (97fef831ab90bee128c9af390e243f80) C:\Windows\system32\drivers\drmkaud.sys
19:10:40.0781 2600 drmkaud - ok
19:10:40.0878 2600 DXGKrnl (85f33880b8cfb554bd3d9ccdb486845a) C:\Windows\System32\drivers\dxgkrnl.sys
19:10:40.0934 2600 DXGKrnl - ok
19:10:40.0987 2600 E1G60 (5425f74ac0c1dbd96a1e04f17d63f94c) C:\Windows\system32\DRIVERS\E1G60I32.sys
19:10:41.0035 2600 E1G60 - ok
19:10:41.0055 2600 EagleXNt - ok
19:10:41.0110 2600 EapHost (c0b95e40d85cd807d614e264248a45b9) C:\Windows\System32\eapsvc.dll
19:10:41.0140 2600 EapHost - ok
19:10:41.0189 2600 Ecache (dd2cd259d83d8b72c02c5f2331ff9d68) C:\Windows\system32\drivers\ecache.sys
19:10:41.0216 2600 Ecache - ok
19:10:41.0300 2600 ehRecvr (9be3744d295a7701eb425332014f0797) C:\Windows\ehome\ehRecvr.exe
19:10:41.0335 2600 ehRecvr - ok
19:10:41.0373 2600 ehSched (ad1870c8e5d6dd340c829e6074bf3c3f) C:\Windows\ehome\ehsched.exe
19:10:41.0404 2600 ehSched - ok
19:10:41.0422 2600 ehstart (c27c4ee8926e74aa72efcab24c5242c3) C:\Windows\ehome\ehstart.dll
19:10:41.0439 2600 ehstart - ok
19:10:41.0490 2600 elxstor (23b62471681a124889978f6295b3f4c6) C:\Windows\system32\drivers\elxstor.sys
19:10:41.0525 2600 elxstor - ok
19:10:41.0603 2600 EMDMgmt (70b1a86df0c8ead17d2bc332edae2c7c) C:\Windows\system32\emdmgmt.dll
19:10:41.0651 2600 EMDMgmt - ok
19:10:41.0666 2600 ErrDev (3db974f3935483555d7148663f726c61) C:\Windows\system32\drivers\errdev.sys
19:10:41.0705 2600 ErrDev - ok
19:10:41.0774 2600 EventSystem (3cb3343d720168b575133a0a20dc2465) C:\Windows\system32\es.dll
19:10:41.0794 2600 EventSystem - ok
19:10:41.0825 2600 exfat (0d858eb20589a34efb25695acaa6aa2d) C:\Windows\system32\drivers\exfat.sys
19:10:41.0872 2600 exfat - ok
19:10:41.0904 2600 fastfat (3c489390c2e2064563727752af8eab9e) C:\Windows\system32\drivers\fastfat.sys
19:10:41.0941 2600 fastfat - ok
19:10:41.0960 2600 fdc (afe1e8b9782a0dd7fb46bbd88e43f89a) C:\Windows\system32\DRIVERS\fdc.sys
19:10:41.0995 2600 fdc - ok
19:10:42.0025 2600 fdPHost (6629b5f0e98151f4afdd87567ea32ba3) C:\Windows\system32\fdPHost.dll
19:10:42.0060 2600 fdPHost - ok
19:10:42.0067 2600 FDResPub (89ed56dce8e47af40892778a5bd31fd2) C:\Windows\system32\fdrespub.dll
19:10:42.0133 2600 FDResPub - ok
19:10:42.0168 2600 FileInfo (a8c0139a884861e3aae9cfe73b208a9f) C:\Windows\system32\drivers\fileinfo.sys
19:10:42.0183 2600 FileInfo - ok
19:10:42.0210 2600 Filetrace (0ae429a696aecbc5970e3cf2c62635ae) C:\Windows\system32\drivers\filetrace.sys
19:10:42.0245 2600 Filetrace - ok
19:10:42.0378 2600 FLEXnet Licensing Service (227846995afeefa70d328bf5334a86a5) C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
19:10:42.0429 2600 FLEXnet Licensing Service ( UnsignedFile.Multi.Generic ) - warning
19:10:42.0429 2600 FLEXnet Licensing Service - detected UnsignedFile.Multi.Generic (1)
19:10:42.0461 2600 flpydisk (85b7cf99d532820495d68d747fda9ebd) C:\Windows\system32\DRIVERS\flpydisk.sys
19:10:42.0496 2600 flpydisk - ok
19:10:42.0536 2600 FltMgr (05ea53afe985443011e36dab07343b46) C:\Windows\system32\drivers\fltmgr.sys
19:10:42.0555 2600 FltMgr - ok
19:10:42.0652 2600 FontCache3.0.0.0 (c9be08664611ddaf98e2331e9288b00b) C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
19:10:42.0665 2600 FontCache3.0.0.0 - ok
19:10:42.0709 2600 Fs_Rec (65ea8b77b5851854f0c55c43fa51a198) C:\Windows\system32\drivers\Fs_Rec.sys
19:10:42.0737 2600 Fs_Rec - ok
19:10:42.0771 2600 ftpds - ok
19:10:42.0802 2600 gagp30kx (34582a6e6573d54a07ece5fe24a126b5) C:\Windows\system32\drivers\gagp30kx.sys
19:10:42.0819 2600 gagp30kx - ok
19:10:42.0859 2600 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\Windows\system32\DRIVERS\GEARAspiWDM.sys
19:10:42.0870 2600 GEARAspiWDM - ok
19:10:42.0927 2600 GoogleDesktopManager-051210-111108 (9f5f2f0fb0a7f5aa9f16b9a7b6dad89f) C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
19:10:42.0937 2600 GoogleDesktopManager-051210-111108 - ok
19:10:43.0019 2600 gpsvc (d9f1113d9401185245573350712f92fc) C:\Windows\System32\gpsvc.dll
19:10:43.0068 2600 gpsvc - ok
19:10:43.0137 2600 gupdate (8f0de4fef8201e306f9938b0905ac96a) C:\Program Files\Google\Update\GoogleUpdate.exe
19:10:43.0148 2600 gupdate - ok
19:10:43.0154 2600 gupdatem (8f0de4fef8201e306f9938b0905ac96a) C:\Program Files\Google\Update\GoogleUpdate.exe
19:10:43.0166 2600 gupdatem - ok
19:10:43.0227 2600 HdAudAddService (cb04c744be0a61b1d648faed182c3b59) C:\Windows\system32\drivers\HdAudio.sys
19:10:43.0295 2600 HdAudAddService - ok
19:10:43.0333 2600 HDAudBus (c87b1ee051c0464491c1a7b03fa0bc99) C:\Windows\system32\DRIVERS\HDAudBus.sys
19:10:43.0367 2600 HDAudBus - ok
19:10:43.0396 2600 HidBth (1338520e78d90154ed6be8f84de5fceb) C:\Windows\system32\drivers\hidbth.sys
19:10:43.0586 2600 HidBth - ok
19:10:43.0613 2600 HidIr (ff3160c3a2445128c5a6d9b076da519e) C:\Windows\system32\drivers\hidir.sys
19:10:43.0675 2600 HidIr - ok
19:10:43.0726 2600 hidserv (8fa640195279ace21bea91396a0054fc) C:\Windows\system32\hidserv.dll
19:10:43.0782 2600 hidserv - ok
19:10:43.0877 2600 HidUsb (854ca287ab7faf949617a788306d967e) C:\Windows\system32\DRIVERS\hidusb.sys
19:10:43.0911 2600 HidUsb - ok
19:10:43.0956 2600 hkmsvc (d8ad255b37da92434c26e4876db7d418) C:\Windows\system32\kmsvc.dll
19:10:43.0991 2600 hkmsvc - ok
19:10:44.0039 2600 HpCISSs (16ee7b23a009e00d835cdb79574a91a6) C:\Windows\system32\drivers\hpcisss.sys
19:10:44.0083 2600 HpCISSs - ok
19:10:44.0124 2600 HSFHWAZL (46d67209550973257601a533e2ac5785) C:\Windows\system32\DRIVERS\VSTAZL3.SYS
19:10:44.0184 2600 HSFHWAZL - ok
19:10:44.0326 2600 HSF_DPV (fadd7095163cb3cb4073793ebb50fe75) C:\Windows\system32\DRIVERS\HSX_DPV.sys
19:10:44.0451 2600 HSF_DPV - ok
19:10:44.0498 2600 HSXHWAZL (058783bedd17615d1fece09f77960436) C:\Windows\system32\DRIVERS\HSXHWAZL.sys
19:10:44.0522 2600 HSXHWAZL - ok
19:10:44.0600 2600 HTTP (96e241624c71211a79c84f50a8e71cab) C:\Windows\system32\drivers\HTTP.sys
19:10:44.0678 2600 HTTP - ok
19:10:44.0721 2600 i2omp (c6b032d69650985468160fc9937cf5b4) C:\Windows\system32\drivers\i2omp.sys
19:10:44.0739 2600 i2omp - ok
19:10:44.0760 2600 i8042prt (22d56c8184586b7a1f6fa60be5f5a2bd) C:\Windows\system32\DRIVERS\i8042prt.sys
19:10:44.0789 2600 i8042prt - ok
19:10:44.0855 2600 iaStorV (54155ea1b0df185878e0fc9ec3ac3a14) C:\Windows\system32\drivers\iastorv.sys
19:10:44.0880 2600 iaStorV - ok
19:10:45.0044 2600 idsvc (7b630acaed64fef0c3e1cf255cb56686) C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
19:10:45.0123 2600 idsvc - ok
19:10:45.0164 2600 iirsp (2d077bf86e843f901d8db709c95b49a5) C:\Windows\system32\drivers\iirsp.sys
19:10:45.0179 2600 iirsp - ok
19:10:45.0247 2600 IKEEXT (a3bc480a2bf8aa8e4dabd2d5dce0afac) C:\Windows\System32\ikeext.dll
19:10:45.0288 2600 IKEEXT - ok
19:10:45.0490 2600 IntcAzAudAddService (fbbe3f1697d393be685cd6192b1ec95a) C:\Windows\system32\drivers\RTKVHDA.sys
19:10:45.0628 2600 IntcAzAudAddService - ok
19:10:45.0793 2600 intelide (83aa759f3189e6370c30de5dc5590718) C:\Windows\system32\drivers\intelide.sys
19:10:45.0813 2600 intelide - ok
19:10:45.0832 2600 intelppm (224191001e78c89dfa78924c3ea595ff) C:\Windows\system32\DRIVERS\intelppm.sys
19:10:45.0867 2600 intelppm - ok
19:10:45.0940 2600 IPBusEnum (9ac218c6e6105477484c6fdbe7d409a4) C:\Windows\system32\ipbusenum.dll
19:10:46.0007 2600 IPBusEnum - ok
19:10:46.0025 2600 IpFilterDriver (62c265c38769b864cb25b4bcf62df6c3) C:\Windows\system32\DRIVERS\ipfltdrv.sys
19:10:46.0063 2600 IpFilterDriver - ok
19:10:46.0071 2600 IpInIp - ok
19:10:46.0100 2600 IPMIDRV (b25aaf203552b7b3491139d582b39ad1) C:\Windows\system32\drivers\ipmidrv.sys
19:10:46.0136 2600 IPMIDRV - ok
19:10:46.0165 2600 IPNAT (8793643a67b42cec66490b2a0cf92d68) C:\Windows\system32\DRIVERS\ipnat.sys
19:10:46.0213 2600 IPNAT - ok
19:10:46.0343 2600 iPod Service (178fe38b7740f598391eb2f51ae4ccac) C:\Program Files\iPod\bin\iPodService.exe
19:10:46.0377 2600 iPod Service - ok
19:10:46.0420 2600 IPSECSHM - ok
19:10:46.0469 2600 IRENUM (109c0dfb82c3632fbd11949b73aeeac9) C:\Windows\system32\drivers\irenum.sys
19:10:46.0505 2600 IRENUM - ok
19:10:46.0535 2600 isapnp (6c70698a3e5c4376c6ab5c7c17fb0614) C:\Windows\system32\drivers\isapnp.sys
19:10:46.0550 2600 isapnp - ok
19:10:46.0588 2600 iScsiPrt (f247eec28317f6c739c16de420097301) C:\Windows\system32\DRIVERS\msiscsi.sys
19:10:46.0602 2600 iScsiPrt - ok
19:10:46.0628 2600 iteatapi (bced60d16156e428f8df8cf27b0df150) C:\Windows\system32\drivers\iteatapi.sys
19:10:46.0642 2600 iteatapi - ok
19:10:46.0670 2600 iteraid (06fa654504a498c30adca8bec4e87e7e) C:\Windows\system32\drivers\iteraid.sys
19:10:46.0683 2600 iteraid - ok
19:10:46.0706 2600 kbdclass (37605e0a8cf00cbba538e753e4344c6e) C:\Windows\system32\DRIVERS\kbdclass.sys
19:10:46.0722 2600 kbdclass - ok
19:10:46.0743 2600 kbdhid (18247836959ba67e3511b62846b9c2e0) C:\Windows\system32\DRIVERS\kbdhid.sys
19:10:46.0777 2600 kbdhid - ok
19:10:46.0818 2600 KeyIso (a911ecac81f94adeafbe8e3f7873edb0) C:\Windows\system32\lsass.exe
19:10:46.0853 2600 KeyIso - ok
19:10:46.0912 2600 KSecDD (7a0cf7908b6824d6a2a1d313e5ae3dca) C:\Windows\system32\Drivers\ksecdd.sys
19:10:46.0954 2600 KSecDD - ok
19:10:47.0027 2600 KtmRm (8078f8f8f7a79e2e6b494523a828c585) C:\Windows\system32\msdtckrm.dll
19:10:47.0071 2600 KtmRm - ok
19:10:47.0125 2600 LanmanServer (1925e63c91cf1610ae41bfd539062079) C:\Windows\system32\srvsvc.dll
19:10:47.0145 2600 LanmanServer - ok
19:10:47.0201 2600 LanmanWorkstation (2ae2e1628c5d3f1c0a46a67c9fa1df15) C:\Windows\System32\wkssvc.dll
19:10:47.0221 2600 LanmanWorkstation - ok
19:10:47.0328 2600 LightScribeService (793ff718477345cd5d232c50bed1e452) C:\Program Files\Common Files\LightScribe\LSSrvc.exe
19:10:47.0338 2600 LightScribeService ( UnsignedFile.Multi.Generic ) - warning
19:10:47.0338 2600 LightScribeService - detected UnsignedFile.Multi.Generic (1)
19:10:47.0398 2600 lltdio (d1c5883087a0c3f1344d9d55a44901f6) C:\Windows\system32\DRIVERS\lltdio.sys
19:10:47.0435 2600 lltdio - ok
19:10:47.0489 2600 lltdsvc (2d5a428872f1442631d0959a34abff63) C:\Windows\System32\lltdsvc.dll
19:10:47.0530 2600 lltdsvc - ok
19:10:47.0545 2600 lmhosts (35d40113e4a5b961b6ce5c5857702518) C:\Windows\System32\lmhsvc.dll
19:10:47.0603 2600 lmhosts - ok
19:10:47.0635 2600 LSI_FC (c7e15e82879bf3235b559563d4185365) C:\Windows\system32\drivers\lsi_fc.sys
19:10:47.0651 2600 LSI_FC - ok
19:10:47.0679 2600 LSI_SAS (ee01ebae8c9bf0fa072e0ff68718920a) C:\Windows\system32\drivers\lsi_sas.sys
19:10:47.0705 2600 LSI_SAS - ok
19:10:47.0732 2600 LSI_SCSI (912a04696e9ca30146a62afa1463dd5c) C:\Windows\system32\drivers\lsi_scsi.sys
19:10:47.0759 2600 LSI_SCSI - ok
19:10:47.0794 2600 luafv (8f5c7426567798e62a3b3614965d62cc) C:\Windows\system32\drivers\luafv.sys
19:10:47.0849 2600 luafv - ok
19:10:47.0869 2600 Mcx2Svc (aef9babb8a506bc4ce0451a64aaded46) C:\Windows\system32\Mcx2Svc.dll
19:10:47.0891 2600 Mcx2Svc - ok
19:10:47.0903 2600 mdmxsdk (0cea2d0d3fa284b85ed5b68365114f76) C:\Windows\system32\DRIVERS\mdmxsdk.sys
19:10:47.0923 2600 mdmxsdk - ok
19:10:47.0948 2600 megasas (0001ce609d66632fa17b84705f658879) C:\Windows\system32\drivers\megasas.sys
19:10:47.0962 2600 megasas - ok
19:10:48.0008 2600 MegaSR (c252f32cd9a49dbfc25ecf26ebd51a99) C:\Windows\system32\drivers\megasr.sys
19:10:48.0039 2600 MegaSR - ok
19:10:48.0062 2600 MMCSS (1076ffcffaae8385fd62dfcb25ac4708) C:\Windows\system32\mmcss.dll
19:10:48.0102 2600 MMCSS - ok
19:10:48.0155 2600 MobilityService - ok
19:10:48.0178 2600 Modem (e13b5ea0f51ba5b1512ec671393d09ba) C:\Windows\system32\drivers\modem.sys
19:10:48.0210 2600 Modem - ok
19:10:48.0233 2600 monitor (0a9bb33b56e294f686abb7c1e4e2d8a8) C:\Windows\system32\DRIVERS\monitor.sys
19:10:48.0267 2600 monitor - ok
19:10:48.0295 2600 mouclass (5bf6a1326a335c5298477754a506d263) C:\Windows\system32\DRIVERS\mouclass.sys
19:10:48.0309 2600 mouclass - ok
19:10:48.0332 2600 mouhid (93b8d4869e12cfbe663915502900876f) C:\Windows\system32\DRIVERS\mouhid.sys
19:10:48.0368 2600 mouhid - ok
19:10:48.0398 2600 MountMgr (bdafc88aa6b92f7842416ea6a48e1600) C:\Windows\system32\drivers\mountmgr.sys
19:10:48.0412 2600 MountMgr - ok
19:10:48.0439 2600 mpio (511d011289755dd9f9a7579fb0b064e6) C:\Windows\system32\drivers\mpio.sys
19:10:48.0468 2600 mpio - ok
19:10:48.0499 2600 mpsdrv (22241feba9b2defa669c8cb0a8dd7d2e) C:\Windows\system32\drivers\mpsdrv.sys
19:10:48.0529 2600 mpsdrv - ok
19:10:48.0554 2600 Mraid35x (4fbbb70d30fd20ec51f80061703b001e) C:\Windows\system32\drivers\mraid35x.sys
19:10:48.0569 2600 Mraid35x - ok
19:10:48.0601 2600 MRxDAV (ae3de84536b6799d2267443cec8edbb9) C:\Windows\system32\drivers\mrxdav.sys
19:10:48.0651 2600 MRxDAV - ok
19:10:48.0699 2600 mrxsmb (5734a0f2be7e495f7d3ed6efd4b9f5a1) C:\Windows\system32\DRIVERS\mrxsmb.sys
19:10:48.0750 2600 mrxsmb - ok
19:10:48.0798 2600 mrxsmb10 (6b5fa5adfacac9dbbe0991f4566d7d55) C:\Windows\system32\DRIVERS\mrxsmb10.sys
19:10:48.0838 2600 mrxsmb10 - ok
19:10:48.0864 2600 mrxsmb20 (5c80d8159181c7abf1b14ba703b01e0b) C:\Windows\system32\DRIVERS\mrxsmb20.sys
19:10:48.0897 2600 mrxsmb20 - ok
19:10:48.0923 2600 msahci (f70590424eefbf5c27a40c67afdb8383) C:\Windows\system32\drivers\msahci.sys
19:10:48.0940 2600 msahci - ok
19:10:48.0962 2600 msdsm (4468b0f385a86ecddaf8d3ca662ec0e7) C:\Windows\system32\drivers\msdsm.sys
19:10:48.0989 2600 msdsm - ok
19:10:49.0023 2600 MSDTC (fd7520cc3a80c5fc8c48852bb24c6ded) C:\Windows\System32\msdtc.exe
19:10:49.0072 2600 MSDTC - ok
19:10:49.0090 2600 Msfs (a9927f4a46b816c92f461acb90cf8515) C:\Windows\system32\drivers\Msfs.sys
19:10:49.0131 2600 Msfs - ok
19:10:49.0150 2600 msisadrv (0f400e306f385c56317357d6dea56f62) C:\Windows\system32\drivers\msisadrv.sys
19:10:49.0166 2600 msisadrv - ok
19:10:49.0207 2600 MSiSCSI (85466c0757a23d9a9aecdc0755203cb2) C:\Windows\system32\iscsiexe.dll
19:10:49.0256 2600 MSiSCSI - ok
19:10:49.0286 2600 msiserver - ok
19:10:49.0309 2600 MSKSSRV (d8c63d34d9c9e56c059e24ec7185cc07) C:\Windows\system32\drivers\MSKSSRV.sys
19:10:49.0350 2600 MSKSSRV - ok
19:10:49.0370 2600 MSPCLOCK (1d373c90d62ddb641d50e55b9e78d65e) C:\Windows\system32\drivers\MSPCLOCK.sys
19:10:49.0405 2600 MSPCLOCK - ok
19:10:49.0432 2600 MSPQM (b572da05bf4e098d4bba3a4734fb505b) C:\Windows\system32\drivers\MSPQM.sys
19:10:49.0466 2600 MSPQM - ok
19:10:49.0498 2600 MsRPC (b5614aecb05a9340aa0fb55bf561cc63) C:\Windows\system32\drivers\MsRPC.sys
19:10:49.0524 2600 MsRPC - ok
19:10:49.0550 2600 mssmbios (e384487cb84be41d09711c30ca79646c) C:\Windows\system32\DRIVERS\mssmbios.sys
19:10:49.0562 2600 mssmbios - ok
19:10:49.0578 2600 MSTEE (7199c1eec1e4993caf96b8c0a26bd58a) C:\Windows\system32\drivers\MSTEE.sys
19:10:49.0615 2600 MSTEE - ok
19:10:49.0649 2600 Mup (6dfd1d322de55b0b7db7d21b90bec49c) C:\Windows\system32\Drivers\mup.sys
19:10:49.0663 2600 Mup - ok
19:10:49.0723 2600 napagent (c43b25863fbd65b6d2a142af3ae320ca) C:\Windows\system32\qagentRT.dll
19:10:49.0764 2600 napagent - ok
19:10:49.0807 2600 NativeWifiP (3c21ce48ff529bb73dadb98770b54025) C:\Windows\system32\DRIVERS\nwifi.sys
19:10:49.0840 2600 NativeWifiP - ok
19:10:49.0900 2600 NDIS (9bdc71790fa08f0a0b5f10462b1bd0b1) C:\Windows\system32\drivers\ndis.sys
19:10:49.0923 2600 NDIS - ok
19:10:49.0945 2600 NdisTapi (0e186e90404980569fb449ba7519ae61) C:\Windows\system32\DRIVERS\ndistapi.sys
19:10:49.0974 2600 NdisTapi - ok
19:10:49.0996 2600 Ndisuio (d6973aa34c4d5d76c0430b181c3cd389) C:\Windows\system32\DRIVERS\ndisuio.sys
19:10:50.0032 2600 Ndisuio - ok
19:10:50.0059 2600 NdisWan (3d14c3b3496f88890d431e8aa022a411) C:\Windows\system32\DRIVERS\ndiswan.sys
19:10:50.0108 2600 NdisWan - ok
19:10:50.0136 2600 NDProxy (71dab552b41936358f3b541ae5997fb3) C:\Windows\system32\drivers\NDProxy.sys
19:10:50.0165 2600 NDProxy - ok
19:10:50.0216 2600 NetBIOS (bcd093a5a6777cf626434568dc7dba78) C:\Windows\system32\DRIVERS\netbios.sys
19:10:50.0253 2600 NetBIOS - ok
19:10:50.0291 2600 netbt (7c5fee5b1c5728507cd96fb4a13e7a02) C:\Windows\system32\DRIVERS\netbt.sys
19:10:50.0350 2600 netbt - ok
19:10:50.0387 2600 Netlogon (a911ecac81f94adeafbe8e3f7873edb0) C:\Windows\system32\lsass.exe
19:10:50.0403 2600 Netlogon - ok
19:10:50.0466 2600 Netman (c8052711daecc48b982434c5116ca401) C:\Windows\System32\netman.dll
19:10:50.0503 2600 Netman - ok
19:10:50.0592 2600 NetMsmqActivator (d22cd77d4f0d63d1169bb35911bff12d) C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe
19:10:50.0609 2600 NetMsmqActivator - ok
19:10:50.0614 2600 NetPipeActivator (d22cd77d4f0d63d1169bb35911bff12d) C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe
19:10:50.0628 2600 NetPipeActivator - ok
19:10:50.0665 2600 netprofm (2ef3bbe22e5a5acd1428ee387a0d0172) C:\Windows\System32\netprofm.dll
19:10:50.0702 2600 netprofm - ok
19:10:50.0707 2600 NetTcpActivator (d22cd77d4f0d63d1169bb35911bff12d) C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe
19:10:50.0720 2600 NetTcpActivator - ok
19:10:50.0730 2600 NetTcpPortSharing (d22cd77d4f0d63d1169bb35911bff12d) C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe
19:10:50.0743 2600 NetTcpPortSharing - ok
19:10:50.0784 2600 nfrd960 (2e7fb731d4790a1bc6270accefacb36e) C:\Windows\system32\drivers\nfrd960.sys
19:10:50.0799 2600 nfrd960 - ok
19:10:50.0836 2600 NlaSvc (2997b15415f9bbe05b5a4c1c85e0c6a2) C:\Windows\System32\nlasvc.dll
19:10:50.0873 2600 NlaSvc - ok
19:10:50.0896 2600 Npfs (ecb5003f484f9ed6c608d6d6c7886cbb) C:\Windows\system32\drivers\Npfs.sys
19:10:50.0932 2600 Npfs - ok
19:10:50.0970 2600 nsi (8bb86f0c7eea2bded6fe095d0b4ca9bd) C:\Windows\system32\nsisvc.dll
19:10:51.0003 2600 nsi - ok
19:10:51.0030 2600 nsiproxy (609773e344a97410ce4ebf74a8914fcf) C:\Windows\system32\drivers\nsiproxy.sys
19:10:51.0064 2600 nsiproxy - ok
19:10:51.0182 2600 Ntfs (b4effe29eb4f15538fd8a9681108492d) C:\Windows\system32\drivers\Ntfs.sys
19:10:51.0253 2600 Ntfs - ok
19:10:51.0344 2600 NTIBackupSvc (a2b6583a5652a385dff5e4f49ad48761) C:\Program Files\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe
19:10:51.0352 2600 NTIBackupSvc ( UnsignedFile.Multi.Generic ) - warning
19:10:51.0352 2600 NTIBackupSvc - detected UnsignedFile.Multi.Generic (1)
19:10:51.0378 2600 NTIDrvr (2757d2ba59aee155209e24942ab127c9) C:\Windows\system32\DRIVERS\NTIDrvr.sys
19:10:51.0424 2600 NTIDrvr - ok
19:10:51.0460 2600 NTISchedulerSvc (40b87fe8a1a9a5ac9e5a91d96f212bcd) C:\Program Files\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe
19:10:51.0968 2600 NTISchedulerSvc ( UnsignedFile.Multi.Generic ) - warning
19:10:51.0968 2600 NTISchedulerSvc - detected UnsignedFile.Multi.Generic (1)
19:10:52.0030 2600 ntrigdigi (e875c093aec0c978a90f30c9e0dfbb72) C:\Windows\system32\drivers\ntrigdigi.sys
19:10:52.0093 2600 ntrigdigi - ok
19:10:52.0108 2600 Null (c5dbbcda07d780bda9b685df333bb41e) C:\Windows\system32\drivers\Null.sys
19:10:52.0142 2600 Null - ok
19:10:52.0982 2600 nvlddmkm (66b4bf606fcc7f0622d4a21bb1461089) C:\Windows\system32\DRIVERS\nvlddmkm.sys
19:10:53.0394 2600 nvlddmkm - ok
19:10:53.0649 2600 nvraid (2edf9e7751554b42cbb60116de727101) C:\Windows\system32\drivers\nvraid.sys
19:10:53.0676 2600 nvraid - ok
19:10:53.0688 2600 nvsmu (0fb6bf3ab170fc5bd403d25e134eafde) C:\Windows\system32\DRIVERS\nvsmu.sys
19:10:53.0715 2600 nvsmu - ok
19:10:53.0746 2600 nvstor (abed0c09758d1d97db0042dbb2688177) C:\Windows\system32\drivers\nvstor.sys
19:10:53.0760 2600 nvstor - ok
19:10:53.0899 2600 nvsvc (d122f7c5f79c68868f5dc28cefeb2ecf) C:\Windows\system32\nvvsvc.exe
19:10:54.0111 2600 nvsvc - ok
19:10:54.0458 2600 nvUpdatusService (003cb0a155568b4a53a301f07c734233) C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
19:10:54.0618 2600 nvUpdatusService - ok
19:10:54.0856 2600 nv_agp (18bbdf913916b71bd54575bdb6eeac0b) C:\Windows\system32\drivers\nv_agp.sys
19:10:54.0877 2600 nv_agp - ok
19:10:54.0933 2600 NWADI (0973c0c696780161f4526586d5eac422) C:\Windows\system32\DRIVERS\NWADIenum.sys
19:10:54.0951 2600 NWADI - ok
19:10:54.0957 2600 NwlnkFlt - ok
19:10:54.0970 2600 NwlnkFwd - ok
19:10:54.0998 2600 NWUSBCDFIL (1fde5b2d61d97d803594df4b3bc28c4b) C:\Windows\system32\DRIVERS\NwUsbCdFil.sys
19:10:55.0017 2600 NWUSBCDFIL - ok
19:10:55.0086 2600 NWUSBModem (65b471bb7e57c416a1e685ec07d4abfa) C:\Windows\system32\DRIVERS\nwusbmdm.sys
19:10:55.0137 2600 NWUSBModem - ok
19:10:55.0172 2600 NWUSBPort (65b471bb7e57c416a1e685ec07d4abfa) C:\Windows\system32\DRIVERS\nwusbser.sys
19:10:55.0212 2600 NWUSBPort - ok
19:10:55.0287 2600 NWUSBPort2 (65b471bb7e57c416a1e685ec07d4abfa) C:\Windows\system32\DRIVERS\nwusbser2.sys
19:10:55.0370 2600 NWUSBPort2 - ok
19:10:55.0453 2600 ohci1394 (be32da025a0be1878f0ee8d6d9386cd5) C:\Windows\system32\drivers\ohci1394.sys
19:10:55.0512 2600 ohci1394 - ok
19:10:55.0639 2600 p2pimsvc (5de1a3972fd3112c75eb17bdcf454169) C:\Windows\system32\p2psvc.dll
19:10:55.0723 2600 p2pimsvc - ok
19:10:55.0734 2600 p2psvc (5de1a3972fd3112c75eb17bdcf454169) C:\Windows\system32\p2psvc.dll
19:10:55.0766 2600 p2psvc - ok
19:10:55.0807 2600 Parport (0fa9b5055484649d63c303fe404e5f4d) C:\Windows\system32\drivers\parport.sys
19:10:55.0871 2600 Parport - ok
19:10:55.0902 2600 partmgr (3b38467e7c3daed009dfe359e17f139f) C:\Windows\system32\drivers\partmgr.sys
19:10:55.0917 2600 partmgr - ok
19:10:55.0948 2600 Parvdm (4f9a6a8a31413180d0fcb279ad5d8112) C:\Windows\system32\drivers\parvdm.sys
19:10:56.0020 2600 Parvdm - ok
19:10:56.0058 2600 PcaSvc (c6276ad11f4bb49b58aa1ed88537f14a) C:\Windows\System32\pcasvc.dll
19:10:56.0077 2600 PcaSvc - ok
19:10:56.0126 2600 pci (01b94418deb235dff777cc80076354b4) C:\Windows\system32\drivers\pci.sys
19:10:56.0193 2600 pci - ok
19:10:56.0232 2600 pciide (fc175f5ddab666d7f4d17449a547626f) C:\Windows\system32\drivers\pciide.sys
19:10:56.0264 2600 pciide - ok
19:10:56.0307 2600 pcmcia (e6f3fb1b86aa519e7698ad05e58b04e5) C:\Windows\system32\drivers\pcmcia.sys
19:10:56.0332 2600 pcmcia - ok
19:10:56.0450 2600 PEAUTH (6349f6ed9c623b44b52ea3c63c831a92) C:\Windows\system32\drivers\peauth.sys
19:10:56.0572 2600 PEAUTH - ok
19:10:56.0775 2600 pla (b1689df169143f57053f795390c99db3) C:\Windows\system32\pla.dll
19:10:56.0870 2600 pla - ok
19:10:57.0120 2600 PlugPlay (78f975cb6d18265be6f492edb2d7bc7b) C:\Windows\system32\umpnpmgr.dll
19:10:57.0158 2600 PlugPlay - ok
19:10:57.0257 2600 PNRPAutoReg (5de1a3972fd3112c75eb17bdcf454169) C:\Windows\system32\p2psvc.dll
19:10:57.0291 2600 PNRPAutoReg - ok
19:10:57.0353 2600 PNRPsvc (5de1a3972fd3112c75eb17bdcf454169) C:\Windows\system32\p2psvc.dll
19:10:57.0390 2600 PNRPsvc - ok
19:10:57.0456 2600 PolicyAgent (47b8f37aa18b74d8c2e1bc1a7a2c8f8a) C:\Windows\System32\ipsecsvc.dll
19:10:57.0480 2600 PolicyAgent - ok
19:10:57.0540 2600 PptpMiniport (ecfffaec0c1ecd8dbc77f39070ea1db1) C:\Windows\system32\DRIVERS\raspptp.sys
19:10:57.0576 2600 PptpMiniport - ok
19:10:57.0621 2600 Processor (2027293619dd0f047c584cf2e7df4ffd) C:\Windows\system32\DRIVERS\processr.sys
19:10:57.0656 2600 Processor - ok
19:10:57.0710 2600 ProfSvc (b627e4fc8585e8843c5905d4d3587a90) C:\Windows\system32\profsvc.dll
19:10:57.0747 2600 ProfSvc - ok
19:10:57.0769 2600 ProtectedStorage (a911ecac81f94adeafbe8e3f7873edb0) C:\Windows\system32\lsass.exe
19:10:57.0803 2600 ProtectedStorage - ok
19:10:58.0011 2600 ProtexisLicensing (f115af58abe5605d7d709cbfbd83f418) C:\Windows\system32\PSIService.exe
19:10:58.0030 2600 ProtexisLicensing - ok
19:10:58.0045 2600 proxyserverservice - ok
19:10:58.0139 2600 PSched (bfef604508a0ed1eae2a73e872555ffb) C:\Windows\system32\DRIVERS\pacer.sys
19:10:58.0188 2600 PSched - ok
19:10:58.0248 2600 PxHelp20 (d86b4a68565e444d76457f14172c875a) C:\Windows\system32\Drivers\PxHelp20.sys
19:10:58.0301 2600 PxHelp20 - ok
19:11:00.0227 2600 ql2300 (0a6db55afb7820c99aa1f3a1d270f4f6) C:\Windows\system32\drivers\ql2300.sys
19:11:00.0408 2600 ql2300 - ok
19:11:00.0511 2600 ql40xx (81a7e5c076e59995d54bc1ed3a16e60b) C:\Windows\system32\drivers\ql40xx.sys
19:11:00.0528 2600 ql40xx - ok
19:11:00.0590 2600 QWAVE (e9ecae663f47e6cb43962d18ab18890f) C:\Windows\system32\qwave.dll
19:11:00.0622 2600 QWAVE - ok
19:11:00.0647 2600 QWAVEdrv (9f5e0e1926014d17486901c88eca2db7) C:\Windows\system32\drivers\qwavedrv.sys
19:11:00.0667 2600 QWAVEdrv - ok
19:11:00.0687 2600 RasAcd (147d7f9c556d259924351feb0de606c3) C:\Windows\system32\DRIVERS\rasacd.sys
19:11:00.0725 2600 RasAcd - ok
19:11:00.0750 2600 RasAuto (f6a452eb4ceadbb51c9e0ee6b3ecef0f) C:\Windows\System32\rasauto.dll
19:11:00.0799 2600 RasAuto - ok
19:11:00.0834 2600 Rasl2tp (a214adbaf4cb47dd2728859ef31f26b0) C:\Windows\system32\DRIVERS\rasl2tp.sys
19:11:00.0870 2600 Rasl2tp - ok
19:11:00.0913 2600 RasMan (6e7c284fc5c4ec07ad164d93810385a6) C:\Windows\System32\rasmans.dll
19:11:00.0954 2600 RasMan - ok
19:11:00.0986 2600 RasPppoe (3e9d9b048107b40d87b97df2e48e0744) C:\Windows\system32\DRIVERS\raspppoe.sys
19:11:01.0022 2600 RasPppoe - ok
19:11:01.0064 2600 RasSstp (a7d141684e9500ac928a772ed8e6b671) C:\Windows\system32\DRIVERS\rassstp.sys
19:11:01.0099 2600 RasSstp - ok
19:11:01.0160 2600 rdbss (6e1c5d0457622f9ee35f683110e93d14) C:\Windows\system32\DRIVERS\rdbss.sys
19:11:01.0209 2600 rdbss - ok
19:11:01.0236 2600 RDPCDD (89e59be9a564262a3fb6c4f4f1cd9899) C:\Windows\system32\DRIVERS\RDPCDD.sys
19:11:01.0271 2600 RDPCDD - ok
19:11:01.0314 2600 rdpdr (fbc0bacd9c3d7f6956853f64a66e252d) C:\Windows\system32\drivers\rdpdr.sys
19:11:01.0377 2600 rdpdr - ok
19:11:01.0386 2600 RDPENCDD (9d91fe5286f748862ecffa05f8a0710c) C:\Windows\system32\drivers\rdpencdd.sys
19:11:01.0427 2600 RDPENCDD - ok
19:11:01.0490 2600 RDPWD (e1c18f4097a5abcec941dc4b2f99db7e) C:\Windows\system32\drivers\RDPWD.sys
19:11:01.0544 2600 RDPWD - ok
19:11:01.0618 2600 RemoteAccess (bcdd6b4804d06b1f7ebf29e53a57ece9) C:\Windows\System32\mprdim.dll
19:11:01.0687 2600 RemoteAccess - ok
19:11:01.0741 2600 RemoteRegistry (cc4e32400f3c7253400cf8f3f3a0b676) C:\Windows\system32\regsvc.dll
19:11:01.0801 2600 RemoteRegistry - ok
19:11:01.0849 2600 RpcLocator (5123f83cbc4349d065534eeb6bbdc42b) C:\Windows\system32\locator.exe
19:11:01.0871 2600 RpcLocator - ok
19:11:01.0955 2600 RpcSs (301ae00e12408650baddc04dbc832830) C:\Windows\system32\rpcss.dll
19:11:01.0986 2600 RpcSs - ok
19:11:02.0067 2600 rspndr (9c508f4074a39e8b4b31d27198146fad) C:\Windows\system32\DRIVERS\rspndr.sys
19:11:02.0103 2600 rspndr - ok
19:11:02.0117 2600 rsvp - ok
19:11:02.0160 2600 RTSTOR (830b682cb24206f457ea8a617605209f) C:\Windows\system32\drivers\RTSTOR.SYS
19:11:02.0199 2600 RTSTOR - ok
19:11:02.0261 2600 SamSs (a911ecac81f94adeafbe8e3f7873edb0) C:\Windows\system32\lsass.exe
19:11:02.0279 2600 SamSs - ok
19:11:04.0664 2600 SBAMSvc (bce943896289a91ad75cc5652620b1c6) C:\Program Files\Ad-Aware Antivirus\SBAMSvc.exe
19:11:04.0859 2600 SBAMSvc - ok
19:11:05.0067 2600 sbapifs (3fff8cda4d2f29ca06f1557e85163c30) C:\Windows\system32\DRIVERS\sbapifs.sys
19:11:05.0181 2600 sbapifs - ok
19:11:05.0249 2600 SbFw (bcf3ba30c1cfa2942cf26c31384b37c7) C:\Windows\system32\drivers\SbFw.sys
19:11:05.0360 2600 SbFw - ok
19:11:05.0434 2600 SBFWIMCL (1dcad90cc9c0ddc7d060fd97854f8518) C:\Windows\system32\DRIVERS\sbfwim.sys
19:11:05.0498 2600 SBFWIMCL - ok
19:11:05.0528 2600 SBFWIMCLMP (1dcad90cc9c0ddc7d060fd97854f8518) C:\Windows\system32\DRIVERS\SBFWIM.sys
19:11:05.0577 2600 SBFWIMCLMP - ok
19:11:05.0682 2600 sbhips (1afd7178ab9c4fce2d332da7aa474fa6) C:\Windows\system32\drivers\sbhips.sys
19:11:05.0743 2600 sbhips - ok
19:11:05.0825 2600 sbp2port (3ce8f073a557e172b330109436984e30) C:\Windows\system32\drivers\sbp2port.sys
19:11:05.0851 2600 sbp2port - ok
19:11:05.0893 2600 SBRE (1fd538c4feb36b793d2121f20bbdc16f) C:\Windows\system32\drivers\SBREdrv.sys
19:11:05.0957 2600 SBRE - ok
19:11:06.0478 2600 SBSDWSCService (794d4b48dfb6e999537c7c3947863463) C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
19:11:06.0576 2600 SBSDWSCService - ok
19:11:07.0219 2600 sbwtis (9bdf801a6c78e3f1e6fa1c5ca90baa8a) C:\Windows\system32\DRIVERS\sbwtis.sys
19:11:07.0272 2600 sbwtis - ok
19:11:07.0385 2600 SCardSvr (11387e32642269c7e62e8b52c060b3c6) C:\Windows\System32\SCardSvr.dll
19:11:07.0453 2600 SCardSvr - ok
19:11:07.0542 2600 Schedule (7b587b8a6d4a99f79d2902d0385f29bd) C:\Windows\system32\schedsvc.dll
19:11:07.0582 2600 Schedule - ok
19:11:07.0666 2600 SCPolicySvc (87c2d0377b23e2d8a41093c2f5fb1a5b) C:\Windows\System32\certprop.dll
19:11:07.0700 2600 SCPolicySvc - ok
19:11:07.0808 2600 SDRSVC (716313d9f6b0529d03f726d5aaf6f191) C:\Windows\System32\SDRSVC.dll
19:11:07.0836 2600 SDRSVC - ok
19:11:08.0012 2600 SeaPort (331e7bde228914574fc9ae6cd520dafa) C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
19:11:08.0034 2600 SeaPort - ok
19:11:08.0127 2600 secdrv (90a3935d05b494a5a39d37e71f09a677) C:\Windows\system32\drivers\secdrv.sys
19:11:08.0192 2600 secdrv - ok
19:11:08.0267 2600 seclogon (fd5199d4d8a521005e4b5ee7fe00fa9b) C:\Windows\system32\seclogon.dll
19:11:08.0301 2600 seclogon - ok
19:11:08.0365 2600 SENS (a9bbab5759771e523f55563d6cbe140f) C:\Windows\System32\sens.dll
19:11:08.0410 2600 SENS - ok
19:11:08.0497 2600 Serenum (68e44e331d46f0fb38f0863a84cd1a31) C:\Windows\system32\drivers\serenum.sys
19:11:08.0555 2600 Serenum - ok
19:11:08.0590 2600 Serial (c70d69a918b178d3c3b06339b40c2e1b) C:\Windows\system32\drivers\serial.sys
19:11:08.0675 2600 Serial - ok
19:11:08.0708 2600 sermouse (8af3d28a879bf75db53a0ee7a4289624) C:\Windows\system32\drivers\sermouse.sys
19:11:08.0744 2600 sermouse - ok
19:11:08.0807 2600 SessionEnv (d2193326f729b163125610dbf3e17d57) C:\Windows\system32\sessenv.dll
19:11:08.0844 2600 SessionEnv - ok
19:11:08.0872 2600 sffdisk (3efa810bdca87f6ecc24f9832243fe86) C:\Windows\system32\drivers\sffdisk.sys
19:11:08.0902 2600 sffdisk - ok
19:11:08.0947 2600 sffp_mmc (e95d451f7ea3e583aec75f3b3ee42dc5) C:\Windows\system32\drivers\sffp_mmc.sys
19:11:08.0984 2600 sffp_mmc - ok
19:11:09.0005 2600 sffp_sd (3d0ea348784b7ac9ea9bd9f317980979) C:\Windows\system32\drivers\sffp_sd.sys
19:11:09.0046 2600 sffp_sd - ok
19:11:09.0072 2600 sfloppy (46ed8e91793b2e6f848015445a0ac188) C:\Windows\system32\drivers\sfloppy.sys
19:11:09.0148 2600 sfloppy - ok
19:11:09.0231 2600 SharedAccess (e1499bd0ff76b1b2fbbf1af339d91165) C:\Windows\System32\ipnathlp.dll
19:11:09.0303 2600 SharedAccess - ok
19:11:09.0365 2600 ShellHWDetection (1e3fdb80e40a3ce645f229dfbdfb7694) C:\Windows\System32\shsvcs.dll
19:11:09.0393 2600 ShellHWDetection - ok
19:11:09.0433 2600 sisagp (1d76624a09a054f682d746b924e2dbc3) C:\Windows\system32\drivers\sisagp.sys
19:11:09.0449 2600 sisagp - ok
19:11:09.0469 2600 SiSRaid2 (43cb7aa756c7db280d01da9b676cfde2) C:\Windows\system32\drivers\sisraid2.sys
19:11:09.0486 2600 SiSRaid2 - ok
19:11:09.0511 2600 SiSRaid4 (a99c6c8b0baa970d8aa59ddc50b57f94) C:\Windows\system32\drivers\sisraid4.sys
19:11:09.0551 2600 SiSRaid4 - ok
19:11:09.0956 2600 slsvc (0ba91e1358ad25236863039bb2609a2e) C:\Windows\system32\SLsvc.exe
19:11:10.0077 2600 slsvc - ok
19:11:10.0529 2600 SLUINotify (7c6dc44ca0bfa6291629ab764200d1d4) C:\Windows\system32\SLUINotify.dll
19:11:10.0568 2600 SLUINotify - ok
19:11:10.0656 2600 Smb (788f295f36909b0c8cc214665cbbbe8f) C:\Windows\system32\DRIVERS\smb.sys
19:11:10.0660 2600 Suspicious file (Forged): C:\Windows\system32\DRIVERS\smb.sys. Real md5: 788f295f36909b0c8cc214665cbbbe8f, Fake md5: 031e6bcd53c9b2b9ace111eafec347b6
19:11:10.0661 2600 Smb ( Virus.Win32.ZAccess.k ) - infected
19:11:10.0661 2600 Smb - detected Virus.Win32.ZAccess.k (0)
19:11:10.0696 2600 SNMPTRAP (2a146a055b4401c16ee62d18b8e2a032) C:\Windows\System32\snmptrap.exe
19:11:10.0715 2600 SNMPTRAP - ok
19:11:10.0757 2600 sony_ssm.sys - ok
19:11:10.0779 2600 SPFDRV - ok
19:11:10.0813 2600 spldr (7aebdeef071fe28b0eef2cdd69102bff) C:\Windows\system32\drivers\spldr.sys
19:11:10.0834 2600 spldr - ok
19:11:10.0861 2600 Spooler - ok
19:11:10.0920 2600 srv (2252aef839b1093d16761189f45af885) C:\Windows\system32\DRIVERS\srv.sys
19:11:10.0981 2600 srv - ok
19:11:11.0033 2600 srv2 (b7ff59408034119476b00a81bb53d5d1) C:\Windows\system32\DRIVERS\srv2.sys
19:11:11.0067 2600 srv2 - ok
19:11:11.0113 2600 srvnet (2accc9b12af02030f531e6cca6f8b76e) C:\Windows\system32\DRIVERS\srvnet.sys
19:11:11.0135 2600 srvnet - ok
19:11:11.0212 2600 SSDPSRV (03d50b37234967433a5ea5ba72bc0b62) C:\Windows\System32\ssdpsrv.dll
19:11:11.0281 2600 SSDPSRV - ok
19:11:11.0306 2600 SstpSvc (6f1a32e7b7b30f004d9a20afadb14944) C:\Windows\system32\sstpsvc.dll
19:11:11.0352 2600 SstpSvc - ok
19:11:11.0556 2600 Steam Client Service - ok
19:11:11.0579 2600 StillCam (ef70b3d22b4bffda6ea851ecb063efaa) C:\Windows\system32\DRIVERS\serscan.sys
19:11:11.0611 2600 StillCam - ok
19:11:11.0734 2600 stisvc (7dd08a597bc56051f320da0baf69e389) C:\Windows\System32\wiaservc.dll
19:11:11.0792 2600 stisvc - ok
19:11:11.0812 2600 swenum (7ba58ecf0c0a9a69d44b3dca62becf56) C:\Windows\system32\DRIVERS\swenum.sys
19:11:11.0830 2600 swenum - ok
19:11:11.0910 2600 swprv (b36c7cdb86f7f7a8e884479219766950) C:\Windows\System32\swprv.dll
19:11:11.0974 2600 swprv - ok
19:11:12.0015 2600 Symc8xx (192aa3ac01df071b541094f251deed10) C:\Windows\system32\drivers\symc8xx.sys
19:11:12.0030 2600 Symc8xx - ok
19:11:12.0050 2600 Sym_hi (8c8eb8c76736ebaf3b13b633b2e64125) C:\Windows\system32\drivers\sym_hi.sys
19:11:12.0064 2600 Sym_hi - ok
19:11:12.0083 2600 Sym_u3 (8072af52b5fd103bbba387a1e49f62cb) C:\Windows\system32\drivers\sym_u3.sys
19:11:12.0100 2600 Sym_u3 - ok
19:11:12.0137 2600 SynTP (bf7aa84d5af0faa0978c840e63b17dbf) C:\Windows\system32\DRIVERS\SynTP.sys
19:11:12.0218 2600 SynTP - ok
19:11:12.0336 2600 SysMain (8710a92d0024b03b5fb9540df1f71f1d) C:\Windows\system32\sysmain.dll
19:11:12.0384 2600 SysMain - ok
19:11:12.0432 2600 TabletInputService (2dca225eae15f42c0933e998ee0231c3) C:\Windows\System32\TabSvc.dll
19:11:12.0468 2600 TabletInputService - ok
19:11:12.0508 2600 TapiSrv (680916bb09ee0f3a6aca7c274b0d633f) C:\Windows\System32\tapisrv.dll
19:11:12.0547 2600 TapiSrv - ok
19:11:12.0576 2600 TBS (cb05822cd9cc6c688168e113c603dbe7) C:\Windows\System32\tbssvc.dll
19:11:12.0619 2600 TBS - ok
19:11:12.0928 2600 Tcpip (782568ab6a43160a159b6215b70bcce9) C:\Windows\system32\drivers\tcpip.sys
19:11:13.0036 2600 Tcpip - ok
19:11:13.0072 2600 Tcpip6 (782568ab6a43160a159b6215b70bcce9) C:\Windows\system32\DRIVERS\tcpip.sys
19:11:13.0127 2600 Tcpip6 - ok
19:11:13.0176 2600 tcpipreg (d4a2e4a4b011f3a883af77315a5ae76b) C:\Windows\system32\drivers\tcpipreg.sys
19:11:13.0212 2600 tcpipreg - ok
19:11:13.0232 2600 TDPIPE (5dcf5e267be67a1ae926f2df77fbcc56) C:\Windows\system32\drivers\tdpipe.sys
19:11:13.0269 2600 TDPIPE - ok
19:11:13.0309 2600 TDTCP (389c63e32b3cefed425b61ed92d3f021) C:\Windows\system32\drivers\tdtcp.sys
19:11:13.0346 2600 TDTCP - ok
19:11:13.0386 2600 tdx (d09276b1fab033ce1d40dcbdf303d10f) C:\Windows\system32\DRIVERS\tdx.sys
19:11:13.0423 2600 tdx - ok
19:11:13.0469 2600 TermDD (a048056f5e1a96a9bf3071b91741a5aa) C:\Windows\system32\DRIVERS\termdd.sys
19:11:13.0484 2600 TermDD - ok
19:11:13.0563 2600 TermService (d605031e225aaccbceb5b76a4f1603a6) C:\Windows\System32\termsrv.dll
19:11:13.0608 2600 TermService - ok
19:11:13.0665 2600 Themes (1e3fdb80e40a3ce645f229dfbdfb7694) C:\Windows\system32\shsvcs.dll
19:11:13.0689 2600 Themes - ok
19:11:13.0856 2600 THREADORDER (1076ffcffaae8385fd62dfcb25ac4708) C:\Windows\system32\mmcss.dll
19:11:13.0896 2600 THREADORDER - ok
19:11:13.0987 2600 TrkWks (ec74e77d0eb004bd3a809b5f8fb8c2ce) C:\Windows\System32\trkwks.dll
19:11:14.0025 2600 TrkWks - ok
19:11:14.0153 2600 TrustedInstaller (16613a1bad034d4ecf957af18b7c2ff5) C:\Windows\servicing\TrustedInstaller.exe
19:11:14.0196 2600 TrustedInstaller - ok
19:11:14.0944 2600 tssecsrv (dcf0f056a2e4f52287264f5ab29cf206) C:\Windows\system32\DRIVERS\tssecsrv.sys
19:11:15.0004 2600 tssecsrv - ok
19:11:15.0602 2600 tunmp (caecc0120ac49e3d2f758b9169872d38) C:\Windows\system32\DRIVERS\tunmp.sys
19:11:15.0644 2600 tunmp - ok
19:11:15.0674 2600 tunnel (6042505ff6fa9ac1ef7684d0e03b6940) C:\Windows\system32\DRIVERS\tunnel.sys
19:11:15.0711 2600 tunnel - ok
19:11:15.0748 2600 uagp35 (7d33c4db2ce363c8518d2dfcf533941f) C:\Windows\system32\drivers\uagp35.sys
19:11:15.0797 2600 uagp35 - ok
19:11:15.0844 2600 udfs (8b5088058fa1d1cd897a2113ccff6c58) C:\Windows\system32\DRIVERS\udfs.sys
19:11:15.0978 2600 udfs - ok
19:11:16.0063 2600 UI0Detect (ecef404f62863755951e09c802c94ad5) C:\Windows\system32\UI0Detect.exe
19:11:16.0101 2600 UI0Detect - ok
19:11:16.0187 2600 uliagpkx (b0acfdc9e4af279e9116c03e014b2b27) C:\Windows\system32\drivers\uliagpkx.sys
19:11:16.0208 2600 uliagpkx - ok
19:11:16.0253 2600 uliahci (9224bb254f591de4ca8d572a5f0d635c) C:\Windows\system32\drivers\uliahci.sys
19:11:16.0278 2600 uliahci - ok
19:11:16.0301 2600 UlSata (8514d0e5cd0534467c5fc61be94a569f) C:\Windows\system32\drivers\ulsata.sys
19:11:16.0327 2600 UlSata - ok
19:11:16.0347 2600 ulsata2 (38c3c6e62b157a6bc46594fada45c62b) C:\Windows\system32\drivers\ulsata2.sys
19:11:16.0374 2600 ulsata2 - ok
19:11:16.0397 2600 umbus (32cff9f809ae9aed85464492bf3e32d2) C:\Windows\system32\DRIVERS\umbus.sys
19:11:16.0451 2600 umbus - ok
19:11:16.0470 2600 upnp - ok
19:11:16.0551 2600 upnphost (68308183f4ae0be7bf8ecd07cb297999) C:\Windows\System32\upnphost.dll
19:11:16.0628 2600 upnphost - ok
19:11:16.0674 2600 USBAAPL (83cafcb53201bbac04d822f32438e244) C:\Windows\system32\Drivers\usbaapl.sys
19:11:16.0703 2600 USBAAPL - ok
19:11:16.0730 2600 usbccgp (caf811ae4c147ffcd5b51750c7f09142) C:\Windows\system32\DRIVERS\usbccgp.sys
19:11:16.0778 2600 usbccgp - ok
19:11:16.0804 2600 usbcir (e9476e6c486e76bc4898074768fb7131) C:\Windows\system32\drivers\usbcir.sys
19:11:16.0864 2600 usbcir - ok
19:11:16.0888 2600 usbehci (cebe90821810e76320155beba722fcf9) C:\Windows\system32\DRIVERS\usbehci.sys
19:11:16.0933 2600 usbehci - ok
19:11:16.0999 2600 usbhub (cc6b28e4ce39951357963119ce47b143) C:\Windows\system32\DRIVERS\usbhub.sys
19:11:17.0041 2600 usbhub - ok
19:11:17.0056 2600 usbohci (7bdb7b0e7d45ac0402d78b90789ef47c) C:\Windows\system32\DRIVERS\usbohci.sys
19:11:17.0103 2600 usbohci - ok
19:11:17.0133 2600 usbprint (e75c4b5269091d15a2e7dc0b6d35f2f5) C:\Windows\system32\DRIVERS\usbprint.sys
19:11:17.0172 2600 usbprint - ok
19:11:17.0196 2600 USBSTOR (87ba6b83c5d19b69160968d07d6e2982) C:\Windows\system32\DRIVERS\USBSTOR.SYS
19:11:17.0235 2600 USBSTOR - ok
19:11:17.0266 2600 usbuhci (814d653efc4d48be3b04a307eceff56f) C:\Windows\system32\DRIVERS\usbuhci.sys
19:11:17.0294 2600 usbuhci - ok
19:11:17.0325 2600 usbvideo (e67998e8f14cb0627a769f6530bcb352) C:\Windows\system32\Drivers\usbvideo.sys
19:11:17.0373 2600 usbvideo - ok
19:11:17.0418 2600 UxSms (032a0acc3909ae7215d524e29d536797) C:\Windows\System32\uxsms.dll
19:11:17.0458 2600 UxSms - ok
19:11:18.0002 2600 vds (b13bc395b9d6116628f5af47e0802ac4) C:\Windows\System32\vds.exe
19:11:18.0080 2600 vds - ok
19:11:18.0105 2600 vga (87b06e1f30b749a114f74622d013f8d4) C:\Windows\system32\DRIVERS\vgapnp.sys
19:11:18.0142 2600 vga - ok
19:11:18.0158 2600 VgaSave (2e93ac0a1d8c79d019db6c51f036636c) C:\Windows\System32\drivers\vga.sys
19:11:18.0223 2600 VgaSave - ok
19:11:18.0249 2600 viaagp (5d7159def58a800d5781ba3a879627bc) C:\Windows\system32\drivers\viaagp.sys
19:11:18.0264 2600 viaagp - ok
19:11:18.0284 2600 ViaC7 (c4f3a691b5bad343e6249bd8c2d45dee) C:\Windows\system32\drivers\viac7.sys
19:11:18.0325 2600 ViaC7 - ok
19:11:18.0341 2600 viaide (aadf5587a4063f52c2c3fed7887426fc) C:\Windows\system32\drivers\viaide.sys
19:11:18.0357 2600 viaide - ok
19:11:18.0367 2600 volmgr (69503668ac66c77c6cd7af86fbdf8c43) C:\Windows\system32\drivers\volmgr.sys
19:11:18.0383 2600 volmgr - ok
19:11:18.0418 2600 volmgrx (98f5ffe6316bd74e9e2c97206c190196) C:\Windows\system32\drivers\volmgrx.sys
19:11:18.0448 2600 volmgrx - ok
19:11:18.0473 2600 volsnap (d8b4a53dd2769f226b3eb374374987c9) C:\Windows\system32\drivers\volsnap.sys
19:11:18.0495 2600 volsnap - ok
19:11:18.0522 2600 vsmraid (587253e09325e6bf226b299774b728a9) C:\Windows\system32\drivers\vsmraid.sys
19:11:18.0547 2600 vsmraid - ok
19:11:18.0725 2600 VSS (d5fb73d19c46ade183f968e13f186b23) C:\Windows\system32\vssvc.exe
19:11:18.0856 2600 VSS - ok
19:11:18.0928 2600 W32Time (1cf9206966a8458cda9a8b20df8ab7d3) C:\Windows\system32\w32time.dll
19:11:18.0970 2600 W32Time - ok
19:11:19.0087 2600 WacomPen (48dfee8f1af7c8235d4e626f0c4fe031) C:\Windows\system32\drivers\wacompen.sys
19:11:19.0151 2600 WacomPen - ok
19:11:19.0192 2600 Wanarp (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys
19:11:19.0221 2600 Wanarp - ok
19:11:19.0240 2600 Wanarpv6 (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys
19:11:19.0269 2600 Wanarpv6 - ok
19:11:19.0362 2600 wcncsvc (f3a5c2e1a6533192b070d06ecf6be796) C:\Windows\System32\wcncsvc.dll
19:11:19.0389 2600 wcncsvc - ok
19:11:19.0416 2600 WcsPlugInService (11bcb7afcdd7aadacb5746f544d3a9c7) C:\Windows\System32\WcsPlugInService.dll
19:11:19.0449 2600 WcsPlugInService - ok
19:11:19.0484 2600 Wd (78fe9542363f297b18c027b2d7e7c07f) C:\Windows\system32\drivers\wd.sys
19:11:19.0501 2600 Wd - ok
19:11:19.0553 2600 WDC_SAM (d6efaf429fd30c5df613d220e344cce7) C:\Windows\system32\DRIVERS\wdcsam.sys
19:11:19.0816 2600 WDC_SAM - ok
19:11:20.0422 2600 WDDMService (bf847a3972cc6b5ce26e0ea742dd52d9) C:\Program Files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe
19:11:21.0149 2600 WDDMService ( UnsignedFile.Multi.Generic ) - warning
19:11:21.0149 2600 WDDMService - detected UnsignedFile.Multi.Generic (1)
19:11:21.0223 2600 Wdf01000 (b6f0a7ad6d4bd325fbcd8bac96cd8d96) C:\Windows\system32\drivers\Wdf01000.sys
19:11:21.0270 2600 Wdf01000 - ok
19:11:21.0452 2600 WDFME (b5966f1dff6e20576f3c8c2d93d129fd) C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDFME\WDFME.exe
19:11:21.0559 2600 WDFME ( UnsignedFile.Multi.Generic ) - warning
19:11:21.0559 2600 WDFME - detected UnsignedFile.Multi.Generic (1)
19:11:22.0304 2600 WdiServiceHost (abfc76b48bb6c96e3338d8943c5d93b5) C:\Windows\system32\wdi.dll
19:11:22.0339 2600 WdiServiceHost - ok
19:11:22.0347 2600 WdiSystemHost (abfc76b48bb6c96e3338d8943c5d93b5) C:\Windows\system32\wdi.dll
19:11:22.0387 2600 WdiSystemHost - ok
19:11:22.0455 2600 WDSC (92f0088ca18bb08bb596ef2608256f8a) C:\Program Files\Western Digital\WD SmartWare\Front Parlor\WDSC.exe
19:11:22.0693 2600 WDSC ( UnsignedFile.Multi.Generic ) - warning
19:11:22.0693 2600 WDSC - detected UnsignedFile.Multi.Generic (1)
19:11:22.0723 2600 WebClient (cf9a5f41789b642db967021de06a2713) C:\Windows\System32\webclnt.dll
19:11:22.0792 2600 WebClient - ok
19:11:22.0830 2600 Wecsvc (ae3736e7e8892241c23e4ebbb7453b60) C:\Windows\system32\wecsvc.dll
19:11:22.0871 2600 Wecsvc - ok
19:11:22.0908 2600 wercplsupport (670ff720071ed741206d69bd995ea453) C:\Windows\System32\wercplsupport.dll
19:11:22.0945 2600 wercplsupport - ok
19:11:22.0990 2600 WerSvc (fd1965aaa112c6818a30ab02742d0461) C:\Windows\System32\WerSvc.dll
19:11:23.0012 2600 WerSvc - ok
19:11:23.0123 2600 winachsf (bb9cbaf6ac20452b245c324f1f50ee81) C:\Windows\system32\DRIVERS\HSX_CNXT.sys
19:11:23.0177 2600 winachsf - ok
19:11:23.0301 2600 WinDefend (4575aa12561c5648483403541d0d7f2b) C:\Program Files\Windows Defender\mpsvc.dll
19:11:23.0317 2600 WinDefend - ok
19:11:23.0338 2600 WinHttpAutoProxySvc - ok
19:11:23.0441 2600 Winmgmt (00b79a7c984678f24cf052e5beb3a2f5) C:\Windows\system32\wbem\WMIsvc.dll
19:11:23.0497 2600 Winmgmt - ok
19:11:23.0628 2600 WinRM (7cfe68bdc065e55aa5e8421607037511) C:\Windows\system32\WsmSvc.dll
19:11:23.0722 2600 WinRM - ok
19:11:23.0817 2600 Wlansvc (275f4346e569df56cfb95243bd6f6ff0) C:\Windows\System32\wlansvc.dll
19:11:23.0867 2600 Wlansvc - ok
19:11:23.0944 2600 WmiAcpi (2e7255d172df0b8283cdfb7b433b864e) C:\Windows\system32\DRIVERS\wmiacpi.sys
19:11:23.0970 2600 WmiAcpi - ok
19:11:24.0067 2600 wmiApSrv (aba4cf9f856d9a3a25f4ddd7690a6e9d) C:\Windows\system32\wbem\WmiApSrv.exe
19:11:24.0113 2600 wmiApSrv - ok
19:11:24.0240 2600 WMPNetworkSvc (3978704576a121a9204f8cc49a301a9b) C:\Program Files\Windows Media Player\wmpnetwk.exe
19:11:24.0302 2600 WMPNetworkSvc - ok
19:11:24.0370 2600 WPCSvc (5d94cd167751294962ba238d82dd1bb8) C:\Windows\System32\wpcsvc.dll
19:11:24.0403 2600 WPCSvc - ok
19:11:24.0440 2600 WPDBusEnum (396d406292b0cd26e3504ffe82784702) C:\Windows\system32\wpdbusenum.dll
19:11:24.0479 2600 WPDBusEnum - ok
19:11:24.0622 2600 WPFFontCache_v0400 (dcf3e3edf5109ee8bc02fe6e1f045795) C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe
19:11:24.0694 2600 WPFFontCache_v0400 - ok
19:11:24.0755 2600 ws2ifsl (e3a3cb253c0ec2494d4a61f5e43a389c) C:\Windows\system32\drivers\ws2ifsl.sys
19:11:24.0793 2600 ws2ifsl - ok
19:11:24.0835 2600 wscsvc (683dd16b590372f2c9661d277f35e49c) C:\Windows\system32\wscsvc.dll
19:11:24.0860 2600 wscsvc - ok
19:11:24.0872 2600 WSearch - ok
19:11:25.0107 2600 wuauserv (6298277b73c77fa99106b271a7525163) C:\Windows\system32\wuaueng.dll
19:11:25.0186 2600 wuauserv - ok
19:11:25.0381 2600 WUDFRd (ac13cb789d93412106b0fb6c7eb2bcb6) C:\Windows\system32\DRIVERS\WUDFRd.sys
19:11:25.0419 2600 WUDFRd - ok
19:11:25.0467 2600 wudfsvc (575a4190d989f64732119e4114045a4f) C:\Windows\System32\WUDFSvc.dll
19:11:25.0519 2600 wudfsvc - ok
19:11:25.0561 2600 XAudio (dab33cfa9dd24251aaa389ff36b64d4b) C:\Windows\system32\DRIVERS\xaudio.sys
19:11:25.0581 2600 XAudio - ok
19:11:25.0631 2600 XAudioService (cd5f291a1161f15896d1a4d63daff5df) C:\Windows\system32\DRIVERS\xaudio.exe
19:11:25.0656 2600 XAudioService - ok
19:11:25.0661 2600 XDva390 - ok
19:11:25.0690 2600 MBR (0x1B8) (a60bd2fea1c3064c80a4c68111d1f68a) \Device\Harddisk0\DR0
19:11:25.0720 2600 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - infected
19:11:25.0720 2600 \Device\Harddisk0\DR0 - detected Rootkit.Boot.Pihar.b (0)
19:11:25.0789 2600 \Device\Harddisk0\DR0 ( TDSS File System ) - warning
19:11:25.0789 2600 \Device\Harddisk0\DR0 - detected TDSS File System (1)
19:11:25.0826 2600 Boot (0x1200) (6fab7cbcff75202df9067bc4772e2263) \Device\Harddisk0\DR0\Partition0
19:11:25.0829 2600 \Device\Harddisk0\DR0\Partition0 - ok
19:11:25.0852 2600 Boot (0x1200) (b797b578c45626505cc991ee4a67bba7) \Device\Harddisk0\DR0\Partition1
19:11:25.0854 2600 \Device\Harddisk0\DR0\Partition1 - ok
19:11:25.0858 2600 ============================================================
19:11:25.0858 2600 Scan finished
19:11:25.0858 2600 ============================================================
19:11:25.0886 2968 Detected object count: 11
19:11:25.0886 2968 Actual detected object count: 11
19:16:32.0360 2968 BUNAgentSvc ( UnsignedFile.Multi.Generic ) - skipped by user
19:16:32.0361 2968 BUNAgentSvc ( UnsignedFile.Multi.Generic ) - User select action: Skip
19:16:32.0366 2968 FLEXnet Licensing Service ( UnsignedFile.Multi.Generic ) - skipped by user
19:16:32.0366 2968 FLEXnet Licensing Service ( UnsignedFile.Multi.Generic ) - User select action: Skip
19:16:32.0370 2968 LightScribeService ( UnsignedFile.Multi.Generic ) - skipped by user
19:16:32.0370 2968 LightScribeService ( UnsignedFile.Multi.Generic ) - User select action: Skip
19:16:32.0373 2968 NTIBackupSvc ( UnsignedFile.Multi.Generic ) - skipped by user
19:16:32.0374 2968 NTIBackupSvc ( UnsignedFile.Multi.Generic ) - User select action: Skip
19:16:32.0378 2968 NTISchedulerSvc ( UnsignedFile.Multi.Generic ) - skipped by user
19:16:32.0378 2968 NTISchedulerSvc ( UnsignedFile.Multi.Generic ) - User select action: Skip
19:16:32.0473 2968 C:\Windows\system32\DRIVERS\smb.sys - copied to quarantine
19:16:32.0517 2968 C:\Windows\$NtUninstallKB54505$\2284739783\@ - copied to quarantine
19:16:32.0547 2968 C:\Windows\$NtUninstallKB54505$\2284739783\bckfg.tmp - copied to quarantine
19:16:32.0560 2968 C:\Windows\$NtUninstallKB54505$\2284739783\cfg.ini - copied to quarantine
19:16:32.0571 2968 C:\Windows\$NtUninstallKB54505$\2284739783\Desktop.ini - copied to quarantine
19:16:32.0602 2968 C:\Windows\$NtUninstallKB54505$\2284739783\keywords - copied to quarantine
19:16:32.0638 2968 C:\Windows\$NtUninstallKB54505$\2284739783\kwrd.dll - copied to quarantine
19:16:32.0664 2968 C:\Windows\$NtUninstallKB54505$\2284739783\L\qnbwvoto - copied to quarantine
19:16:32.0693 2968 C:\Windows\$NtUninstallKB54505$\2284739783\lsflt7.ver - copied to quarantine
19:16:32.0704 2968 C:\Windows\$NtUninstallKB54505$\2284739783\oemid - copied to quarantine
19:16:32.0747 2968 C:\Windows\$NtUninstallKB54505$\2284739783\U\00000001.@ - copied to quarantine
19:16:32.0800 2968 C:\Windows\$NtUninstallKB54505$\2284739783\U\00000002.@ - copied to quarantine
19:16:32.0834 2968 C:\Windows\$NtUninstallKB54505$\2284739783\U\00000004.@ - copied to quarantine
19:16:32.0871 2968 C:\Windows\$NtUninstallKB54505$\2284739783\U\80000000.@ - copied to quarantine
19:16:32.0887 2968 C:\Windows\$NtUninstallKB54505$\2284739783\U\80000004.@ - copied to quarantine
19:16:32.0924 2968 C:\Windows\$NtUninstallKB54505$\2284739783\U\80000032.@ - copied to quarantine
19:16:32.0955 2968 C:\Windows\$NtUninstallKB54505$\2284739783\version - copied to quarantine
19:16:33.0037 2968 Backup copy found, using it..
19:16:33.0051 2968 C:\Windows\system32\DRIVERS\smb.sys - will be cured on reboot
19:16:36.0010 2968 C:\Windows\$NtUninstallKB54505$\2284739783\@ - will be deleted on reboot
19:16:36.0030 2968 C:\Windows\$NtUninstallKB54505$\2284739783\bckfg.tmp - will be deleted on reboot
19:16:36.0031 2968 C:\Windows\$NtUninstallKB54505$\2284739783\cfg.ini - will be deleted on reboot
19:16:36.0032 2968 C:\Windows\$NtUninstallKB54505$\2284739783\Desktop.ini - will be deleted on reboot
19:16:36.0042 2968 C:\Windows\$NtUninstallKB54505$\2284739783\keywords - will be deleted on reboot
19:16:36.0043 2968 C:\Windows\$NtUninstallKB54505$\2284739783\kwrd.dll - will be deleted on reboot
19:16:36.0046 2968 C:\Windows\$NtUninstallKB54505$\2284739783\lsflt7.ver - will be deleted on reboot
19:16:36.0047 2968 C:\Windows\$NtUninstallKB54505$\2284739783\oemid - will be deleted on reboot
19:16:36.0048 2968 C:\Windows\$NtUninstallKB54505$\2284739783\U\00000001.@ - will be deleted on reboot
19:16:36.0049 2968 C:\Windows\$NtUninstallKB54505$\2284739783\U\00000002.@ - will be deleted on reboot
19:16:36.0050 2968 C:\Windows\$NtUninstallKB54505$\2284739783\U\00000004.@ - will be deleted on reboot
19:16:36.0051 2968 C:\Windows\$NtUninstallKB54505$\2284739783\U\80000000.@ - will be deleted on reboot
19:16:36.0052 2968 C:\Windows\$NtUninstallKB54505$\2284739783\U\80000004.@ - will be deleted on reboot
19:16:36.0052 2968 C:\Windows\$NtUninstallKB54505$\2284739783\U\80000032.@ - will be deleted on reboot
19:16:36.0054 2968 C:\Windows\$NtUninstallKB54505$\2284739783\version - will be deleted on reboot
19:16:36.0056 2968 C:\Windows\$NtUninstallKB54505$\751360520 - will be deleted on reboot
19:16:36.0061 2968 Smb ( Virus.Win32.ZAccess.k ) - User select action: Cure
19:16:36.0065 2968 WDDMService ( UnsignedFile.Multi.Generic ) - skipped by user
19:16:36.0065 2968 WDDMService ( UnsignedFile.Multi.Generic ) - User select action: Skip
19:16:36.0070 2968 WDFME ( UnsignedFile.Multi.Generic ) - skipped by user
19:16:36.0070 2968 WDFME ( UnsignedFile.Multi.Generic ) - User select action: Skip
19:16:36.0074 2968 WDSC ( UnsignedFile.Multi.Generic ) - skipped by user
19:16:36.0074 2968 WDSC ( UnsignedFile.Multi.Generic ) - User select action: Skip
19:16:39.0483 2968 \Device\Harddisk0\DR0\# - copied to quarantine
19:16:39.0494 2968 \Device\Harddisk0\DR0 - copied to quarantine
19:16:39.0614 2968 \Device\Harddisk0\DR0\TDLFS\phm - copied to quarantine
19:16:39.0622 2968 \Device\Harddisk0\DR0\TDLFS\phs - copied to quarantine
19:16:39.0644 2968 \Device\Harddisk0\DR0\TDLFS\ph.dll - copied to quarantine
19:16:39.0653 2968 \Device\Harddisk0\DR0\TDLFS\phdata - copied to quarantine
19:16:39.0664 2968 \Device\Harddisk0\DR0\TDLFS\phld - copied to quarantine
19:16:39.0675 2968 \Device\Harddisk0\DR0\TDLFS\phln - copied to quarantine
19:16:39.0702 2968 \Device\Harddisk0\DR0\TDLFS\phd - copied to quarantine
19:16:39.0745 2968 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - will be cured on reboot
19:16:39.0746 2968 \Device\Harddisk0\DR0 - ok
19:16:40.0039 2968 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - User select action: Cure
19:16:40.0042 2968 \Device\Harddisk0\DR0 ( TDSS File System ) - skipped by user
19:16:40.0042 2968 \Device\Harddisk0\DR0 ( TDSS File System ) - User select action: Skip
19:16:46.0119 3808 Deinitialize success
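As an added example (not part of this thread and not TDSSKiller's own code), a small Python parser for the log format shown above, which separates the detections the user chose to cure from those that were skipped; the sample lines are constructed to mirror the posted log.

```python
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional, Tuple

# One TDSSKiller object line (shape taken from the log posted in this thread):
#   HH:MM:SS.ffff PID <object> [( <detection> )] - <action>
LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}\.\d+)\s+(?P<pid>\d+)\s+(?P<obj>.+?)"
    r"(?:\s+\(\s*(?P<det>[^()]+?)\s*\))?\s+-\s+(?P<action>.+?)\s*$"
)

class Entry(NamedTuple):
    time: str
    pid: int
    obj: str                   # driver/service name or device path
    detection: Optional[str]   # e.g. Rootkit.Boot.Pihar.b; None for plain file actions
    action: str

def parse_line(line: str) -> Optional[Entry]:
    """Parse one log line; status lines such as 'Deinitialize success' give None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Entry(m["time"], int(m["pid"]), m["obj"], m["det"], m["action"])

def user_decisions(lines: List[str]) -> Dict[str, List[Tuple[str, str]]]:
    """Group each named detection by the decision the user made for it.
    TDSSKiller logs a verdict line, then 'User select action: X'; only X counts."""
    by_action: Dict[str, List[Tuple[str, str]]] = defaultdict(list)
    for line in lines:
        e = parse_line(line)
        if e and e.detection and e.action.startswith("User select action:"):
            choice = e.action.split(":", 1)[1].strip()
            by_action[choice].append((e.obj, e.detection))
    return dict(by_action)

def leftover_detections(lines: List[str]) -> List[Tuple[str, str]]:
    """Detections the user skipped: they survive the cure and need a second look."""
    return user_decisions(lines).get("Skip", [])

# Constructed sample with the same shape as the log above (not the full log).
SAMPLE_LOG = r"""
19:16:36.0061 2968 Smb ( Virus.Win32.ZAccess.k ) - User select action: Cure
19:16:36.0065 2968 WDDMService ( UnsignedFile.Multi.Generic ) - User select action: Skip
19:16:39.0614 2968 \Device\Harddisk0\DR0\TDLFS\phm - copied to quarantine
19:16:40.0039 2968 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - User select action: Cure
19:16:40.0042 2968 \Device\Harddisk0\DR0 ( TDSS File System ) - User select action: Skip
19:16:46.0119 3808 Deinitialize success
""".strip().splitlines()
```

Running `leftover_detections(SAMPLE_LOG)` shows that the TDSS file system on the boot device was left in place, which is exactly the kind of remnant the rebuild advice below is about.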
Mark1956's Avatar
Malware Removal Specialist with 13,931 posts.
 
Join Date: May 2011
Location: Spain
Experience: Advanced
27-May-2012, 05:30 AM #13
Please follow this to check your settings for notifications.

Click on My Account at the top of the page, then select Edit Options on the left hand side. Check under Default Thread Subscription Mode that it is set to Instant email notification, if not then change it. Click on Save Changes at the bottom of the page. At the top of this thread click on the Thread Tools tab, if it shows Unsubscribe then leave it as it is, if it shows Subscribe to thread then select it.
If you still fail to get notifications then you should contact the Administrator Cookiegal.


Now back to the faulty PC, the TDSSKiller scan has confirmed it is infected with a Rootkit, in fact there appears to be more than one. Please read this and decide if you wish to continue:

IMPORTANT NOTE: One or more of the identified infections is related to an advanced rootkit.
Rootkits, backdoor Trojans, Botnets, and IRCBots are very dangerous because they compromise system integrity by making changes that allow it to be used by the attacker for malicious purposes. Rootkits are used by backdoor Trojans to conceal their presence (hide from view) in order to prevent detection of an attacker's software and make removal more difficult. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. They can disable your anti-virus and security tools to prevent detection and removal. Remote attackers use backdoors as a means of accessing and taking control of a computer that bypasses security mechanisms. This type of exploit allows them to steal sensitive information like passwords, personal and financial data which is then sent back to the hacker.
You should disconnect the computer from the Internet and from any networked computers until it is cleaned. If your computer was used for online banking, paying bills, has credit card information or other sensitive data on it, all passwords should be changed immediately to include those used for taxes, email, eBay, paypal and any other online activities. You should consider them to be compromised and change passwords from a clean computer, not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified immediately of the possible security breach. Failure to notify your financial institution and local law enforcement can result in refusal to reimburse funds lost due to fraud or similar criminal activity. If using a router, you need to reset it with a strong logon/password before connecting again.



Although the infection has been identified and may be removed, your machine has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if the malware appears to have been removed. In some instances an infection may have caused so much damage to your system that it cannot be successfully cleaned or repaired so you can never be sure that you have completely removed all components of a rootkit. The malware may leave so many remnants behind that security tools cannot find them. Tools that claim to be able to remove rootkits cannot guarantee that all traces of it will be removed. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:
Quote:
Whenever a system has been compromised by a backdoor payload, it is impossible to know if or how much the backdoor has been used to affect your system...There are only a few ways to return a compromised system to a confident security configuration. These include:
• Reimaging the system
• Restoring the entire system using a full system backup from before the backdoor infection
• Reformatting and reinstalling the system
Backdoors and What They Mean to You
This is what Jesper M. Johansson, Security Program Manager at Microsoft TechNet has to say: Help: I Got Hacked. Now What Do I Do?.
Quote:
The only way to clean a compromised system is to flatten and rebuild. That’s right. If you have a system that has been completely compromised, the only thing you can do is to flatten the system (reformat the system disk) and rebuild it from scratch (reinstall Windows and your applications).
If you wish to continue please follow this:



Please run Malwarebytes and post the log as follows:
  • Open Malwarebytes, then run a Quick Scan.
  • When finished, a message box will say "The scan completed successfully. Click Show Results to display all objects found".
  • Click OK to close the message box, then click the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked and then click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows the database version and your operating system.
  • Exit Malwarebytes when done.
If Malwarebytes encounters a file that is difficult to remove, you will be asked to reboot your computer so it can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally will prevent Malwarebytes from removing all the malware.

Now run another scan with TDSSKiller and post the new log.
PJL's Avatar
PJL PJL is offline
Member with 8 posts.
THREAD STARTER
 
Join Date: May 2012
27-May-2012, 05:48 PM #14
Thanks for confirming what I suspected after that TDSSKiller run; rather than trying to empty the ocean with a spoon, we're going to go the flatten and rebuild route.
I assume that reformat is accomplished by going to C: and typing del *.* But since the computer in question also has a separate DATA drive, I'm guessing that I should start with C:> del d:\*.* I will then have one license free from a Win7 three-pack but, as I recall, I had to install Win XP on the computer that had been running Ubuntu before I could install Win7. If I'm wrong about the procedure, or there's an easier way to do this, I'd appreciate any additional advice you have.
Thank you again for all of your expert assistance.
Penny, a/k/a PJL
Mark1956's Avatar
Malware Removal Specialist with 13,931 posts.
 
Join Date: May 2011
Location: Spain
Experience: Advanced
28-May-2012, 04:34 AM #15
You can install Windows 7 directly from the disc without doing anything else. Simply insert the disc in the CD/DVD drive and reboot the PC. If it does not boot from the disc you may need to boot into the Bios and set the CD/DVD drive to 1st in the boot order. You will get a choice of which drive to install Windows onto so just make sure you select the correct drive and it will format the drive during the installation.

As a precaution I would run a Full scan on the Data drive with Malwarebytes just to make sure nothing harmful has been copied to it before running the re-install. If you open Malwarebytes and then select Full Scan you will be given a choice of which drive to run it on. Anything found by it should be selected for removal, if in doubt please do ask.

I have supplied some information below to help you better protect the PC in the future.

Also, you should read the note below about Ad-Aware and Spybot and I would recommend that you install Microsoft Security Essentials for Anti Virus protection.

You should also make sure Windows Update is turned on; the existing Vista installation was still on Service Pack 1, and it should have been on SP2. Windows updates do include a lot of additional security protection and bug fixes.

FYI: mvps.org is no longer recommending Spybot S&D or Ad-Aware due to poor testing results. See here - (scroll down and read under Freeware Antispyware Products).

Quote:
Ad-Aware...have gone into a downhill spiral over the past five years and recently sold the company to Solaria... Majorgeeks stopped listing Ad-Aware as a “pick” some years ago as we watched the quality of the company slip over the years...it can’t stand up to the new generation of anti-spyware applications...
What does the future hold for Ad-Aware?
Ad-Aware has even been placed into the Installers Hall of Shame for bundling and pre-checking Google Chrome during the installation. Also read Lavasoft Turning to the Dark Side? written by a former volunteer (now a MVP) who provided support for Ad-Aware but no longer uses the program.
As for Spybot S&D, most people don't understand how to use TeaTimer and that feature can cause more problems than it's worth. TeaTimer monitors changes to certain critical keys in Windows Registry but does not indicate if the change is normal or a modification made by a malware infection. The user must have an understanding of the registry and how TeaTimer works in order to make informed decisions to allow or deny the detected changes. If you don't have an understanding of how a particular security tool works, then you probably should not be using it. Additionally, TeaTimer may conflict with other security tools which do a much better job of protecting your computer and in some cases it will even prevent disinfection of malware by those tools.



Some additional security measures.
If your present security software does not include a third party Firewall or AntiSpyware:
Go Here for a selection of third party Firewalls.
Go Here or Here for Anti Spyware.

Always keep your Java, Adobe and Flash Player up to date.
Why you should update Java
Why you should update Adobe
Why you should update Flash Player

Malwarebytes free version (which you may have used during this thread) is worth having for regular scans of your system, always check for updates before using it. If you can afford the Malwarebytes Pro version it will provide even better protection with a full time active scanner. Never have more than one active anti virus, anti spyware or firewall running on your system as it can cause conflicts and slow down the PC. You can safely run the Pro version of Malwarebytes with any Anti Virus software.

WOT (Web of Trust) will warn you (in most cases) about dangerous web sites.

Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Attacks exploiting vulnerable programs and plug-ins are rarely blocked by traditional anti-virus and are therefore increasingly "popular" among criminals.

WinPatrol is a useful facility to have. WinPatrol takes snapshots of your critical system resources and alerts you to any changes that may occur without your knowledge. It can also be used to control all your start up programs.

If you have no further questions please let me know and I will mark the thread as solved.