1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Svchost.exe rises to 200k+ usage within minutes and continues to climb!

Discussion in 'Virus & Other Malware Removal' started by joyo915, Mar 27, 2012.

Thread Status:
Not open for further replies.
Advertisement
  1. joyo915

    joyo915 Thread Starter

    Joined:
    Jul 24, 2010
    Messages:
    51
    The desktop that is affected is running Windows XP Home Edition, SP3. Literally, within a minute of turning computer on a Svchost.exe will quickly climb to the 200k memory usage range. When I end the process through the task manager, it quickly comes back and climbs just as high all over again. I stepped away for a couple of minutes, and when I came back the computer sounded like it was going to explode: the problematic Svchost.exe was running at 950k! This is horribly impacting the performance of the computer and it is making it practically impossible to use. I've Googled solutions and tried a couple "common" fixes but to no avail. I was also going to try a system restore, but I was unaware that it isn't even turned on, so that plan's a bust. Please, someone help!
     
  2. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    101,716
    Please go here to download HijackThis.
    • To the right of the green arrow under HijackThis downloads click on the Executable button and download the HijackThis.exe file to your desktop.
    • Double-click the HijackThis.exe file on your desktop to launch the program. If you get a security warning asking if you want to run this software because the publisher couldn't be verified click on Run to allow it.
    • Click on the Scan button. The scan will not take long and when it's finished the resulting log will open automatically in Notepad.
    • Click on the Save log button and save the log file to your desktop. Copy and paste the contents of the log in your post.
    Please do not fix anything with HijackThis unless you are instructed to do so. Most of what appears in the log will be harmless and/or necessary.
     
  3. joyo915

    joyo915 Thread Starter

    Joined:
    Jul 24, 2010
    Messages:
    51
    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 11:33:38 AM, on 3/28/2012
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Motive\McciCMService.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
    C:\WINDOWS\system32\taskmgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\2Wire\2PortalMon.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Windows Media Player\WMPNSCFG.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Documents and Settings\Mike\My Documents\Downloads\procexp.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Mozilla Firefox\plugin-container.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Documents and Settings\Mike\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.net/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../sbcydsl/*http://www.yahoo.com/search/ie.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:25419
    R3 - URLSearchHook: (no name) - {472734EA-242A-422b-ADF8-83D1E48CC825} - (no file)
    O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
    O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\2PortalMon.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
    O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
    O9 - Extra button: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (file missing)
    O9 - Extra 'Tools' menuitem: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (file missing)
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {362C56AA-6E4F-40C7-A0B5-85501DBDAD77} (Scanner.SysScanner) - http://i.dell.com/images/global/js/scanner/SysProExe.cab
    O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
    O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1136499180796
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
    O16 - DPF: {D71F9A27-723E-4B8B-B428-B725E47CBA3E} - http://imikimi.com/download/imikimi_plugin_0.5.1.cab
    O16 - DPF: {E5168F0C-8591-11D4-BCDF-006008B7FEA4} - http://www.platoweb01.com/pathways/pway_iis.dll/pwln/02040611/fullcab/pwlninst.cab
    O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
    O20 - AppInit_DLLs: C:\WINDOWS\system32\0051.DLL
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
    O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe

    --
    End of file - 8687 bytes
     
  4. Phantom010

    Phantom010 Trusted Advisor

    Joined:
    Mar 9, 2009
    Messages:
    34,062
    Does disabling Symantec help any?
     
  5. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    101,716
    There are signs of infection.

    Are you using a proxy server? The entry there looks dodgy.

    Please download DDS by sUBs to your desktop from one of the following locations:

    http://download.bleepingcomputer.com/sUBs/dds.scr
    http://www.forospyware.com/sUBs/dds

    Double-click the DDS.scr to run the tool.

    When DDS has finished scanning, it will open two logs named as follows:

    DDS.txt
    Attach.txt

    Save them both to your desktop. Copy and paste the contents of the DDS.txt and Attach.txt files in your reply please.


    Please download GMER from: http://gmer.net/index.php

    Click on the "Download EXE" button and save the randomly named .exe file to your desktop.

    Note: You must uninstall any CD Emulation programs that you have before running GMER as they can cause conflicts and give false results.

    Double click the GMER .exe file on your desktop to run the tool and it will automatically do a quick scan.

    If the tool warns of rootkit activity and asks if you want to run a full scan, click on No and make sure the following are unchecked on the right-hand side:

    IAT/EAT
    Any drive letter other than the primary system drive (which is generally C).

    Click the Scan button and when the scan is finished, click Save and save the log in Notepad with the name ark.txt to your desktop.

    Note: It's important that all other windows be closed and that you don't touch the mouse or do anything with the computer during the scan as it may cause it to freeze. You should disable your screen saver as if it comes on it may cause the program to freeze.

    Open the ark.txt file and copy and paste the contents of the log here please.
     
  6. Phantom010

    Phantom010 Trusted Advisor

    Joined:
    Mar 9, 2009
    Messages:
    34,062
    Yup! (y) :)
     
  7. joyo915

    joyo915 Thread Starter

    Joined:
    Jul 24, 2010
    Messages:
    51
    To answer your questions, I did try disabling Symantec, but no luck there; and I'm not too sure what a proxy server is, so I really couldn't say either way, sorry :/ .And here are all three logs::

    .
    DDS (Ver_2011-08-26.01) - NTFSx86
    Internet Explorer: 8.0.6001.18702
    Run by Mike at 12:24:40 on 2012-03-28
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1534.832 [GMT -5:00]
    .
    AV: AVG Anti-Virus Free Edition 2011 *Enabled/Outdated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    AV: Symantec Endpoint Protection *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
    svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\Program Files\Common Files\Motive\McciCMService.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\2Wire\2PortalMon.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Windows Media Player\WMPNSCFG.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Documents and Settings\Mike\My Documents\Downloads\procexp.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\WINDOWS\system32\taskmgr.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Mozilla Firefox\plugin-container.exe
    C:\WINDOWS\system32\svchost.exe -k netsvcs
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://att.net/
    uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
    mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
    uInternet Connection Wizard,ShellNext = iexplore
    uInternet Settings,ProxyServer = http=127.0.0.1:25419
    uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
    uURLSearchHooks: H - No File
    BHO: {02478D38-C3F9-4EFB-9B51-7695ECA05670} - No File
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
    BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
    TB: {0BF43445-2F28-4351-9252-17FE6E806AA0} - No File
    TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
    TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
    EB: Groove Folder Synchronization: {2a541ae1-5bf6-4665-a8a3-cfa9672e4291} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
    uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
    mRun: [2wSysTray] c:\program files\2wire\2PortalMon.exe
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
    dPolicies-system: DisableTaskMgr = 1 (0x1)
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
    IE: {13C1DBF6-7535-495c-91F6-8C13714ED485} - c:\documents and settings\all users\start menu\programs\absolute poker\Absolute Poker.lnk
    IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partygaming\partypoker\RunApp.exe
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
    IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
    DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
    DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {362C56AA-6E4F-40C7-A0B5-85501DBDAD77} - hxxp://i.dell.com/images/global/js/scanner/SysProExe.cab
    DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photo.walgreens.com/WalgreensActivia.cab
    DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1136499180796
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
    DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
    DPF: {D71F9A27-723E-4B8B-B428-B725E47CBA3E} - hxxp://imikimi.com/download/imikimi_plugin_0.5.1.cab
    DPF: {E5168F0C-8591-11D4-BCDF-006008B7FEA4} - hxxp://www.platoweb01.com/pathways/pway_iis.dll/pwln/02040611/fullcab/pwlninst.cab
    DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
    TCP: DhcpNameServer = 192.168.1.254
    TCP: Interfaces\{B390C276-CE2B-4BB7-9F51-4496F2392921} : DhcpNameServer = 192.168.1.254
    Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
    Notify: igfxcui - igfxdev.dll
    AppInit_DLLs: c:\windows\system32\0051.DLL
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
    mASetup: {A509B1FF-37FF-4bFF-8CFF-4F3A747040FF} - c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,launchinfsectionex c:\program files\internet explorer\clrtour.inf,DefaultInstall.ResetTour,,12
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\documents and settings\mike\application data\mozilla\firefox\profiles\98c72a03.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
    FF - plugin: c:\program files\canon\easy-photoprint ex\NPEZFFPI.DLL
    FF - plugin: c:\program files\mozilla firefox\plugins\NPcol400.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2009-7-8 108392]
    R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSvcHst.exe [2009-7-8 108392]
    R2 Symantec AntiVirus;Symantec Endpoint Protection;c:\program files\symantec\symantec endpoint protection\Rtvscan.exe [2009-9-17 2477304]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2012-2-13 106104]
    R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20120327.008\NAVENG.SYS [2012-3-27 86136]
    R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20120327.008\NAVEX15.SYS [2012-3-27 1576312]
    S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2009-7-14 23888]
    S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2008-8-22 18688]
    S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2008-8-22 8320]
    .
    =============== Created Last 30 ================
    .
    .
    ==================== Find3M ====================
    .
    2012-03-21 19:27:11 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-01-12 16:53:24 1859968 ----a-w- c:\windows\system32\win32k.sys
    2012-01-11 19:06:47 3072 ------w- c:\windows\system32\iacenc.dll
    .
    =================== ROOTKIT ====================
    .
    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 5.1.2600 Disk: WDC_WD800BB-75JHC0 rev.06.01C06 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
    .
    device: opened successfully
    user: MBR read successfully
    .
    Disk trace:
    called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A15649F]<<
    _asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8a15d740]; MOV EAX, [0x8a15d8b4]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
    1 nt!IofCallDriver[0x804E37D5] -> \Device\Harddisk0\DR0[0x8A509A30]
    3 CLASSPNP[0xF76B7FD7] -> nt!IofCallDriver[0x804E37D5] -> [0x8A447C88]
    \Driver\atapi[0x8A415D78] -> IRP_MJ_CREATE -> 0x8A15649F
    error: Read A device attached to the system is not functioning.
    kernel: MBR read successfully
    _asm { CLI ; MOV AX, 0x0; MOV SS, AX; MOV SP, 0x7c00; STI ; MOV DS, AX; CLD ; MOV CX, 0x80; MOV SI, SP; MOV DI, 0x600; MOV ES, AX; REP MOVSD ; JMP FAR 0x0:0x62f; }
    detected disk devices:
    detected hooks:
    \Driver\atapi DriverStartIo -> 0x8A1562C6
    user & kernel MBR OK
    Warning: possible TDL3 rootkit infection !
    .
    ============= FINISH: 12:26:53.81 ===============

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-08-26.01)
    .
    Microsoft Windows XP Home Edition
    Boot Device: \Device\HarddiskVolume2
    Install Date: 8/12/2005 8:26:25 PM
    System Uptime: 3/28/2012 10:33:42 AM (2 hours ago)
    .
    Motherboard: Dell Computer Corp. | | 0TC667
    Processor: Intel(R) Celeron(R) CPU 2.66GHz | Microprocessor | 2660/533mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 71 GiB total, 44.016 GiB free.
    D: is CDROM (CDFS)
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    RP1: 3/27/2012 5:42:19 PM - System Checkpoint
    .
    ==== Installed Programs ======================
    .
    .
    2Wire Wireless Client
    Adobe Flash Player 11 ActiveX
    Adobe Flash Player 11 Plugin
    Adobe Reader 8.1.4
    Adobe Shockwave Player 11.5
    AiO_Scan_CDA
    AiOSoftwareNPI
    AOL Uninstaller (Choose which Products to Remove)
    AOLIcon
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    AT&T Yahoo! Applications
    ATT-PRT22
    Audacity 1.2.6
    BufferChm
    Canon MP Navigator EX 3.0
    Canon MP250 series MP Drivers
    Canon MP250 series User Registration
    Canon Utilities Easy-PhotoPrint EX
    Canon Utilities My Printer
    Canon Utilities Solution Menu
    CCleaner
    Compatibility Pack for the 2007 Office system
    Conexant D850 56K V.9x DFVc Modem
    Coupon Printer for Windows
    CP_AtenaShokunin1Config
    CP_CalendarTemplates1
    CP_Package_Basic1
    CP_Package_Variety1
    CP_Package_Variety2
    CP_Package_Variety3
    CP_Panorama1Config
    Critical Update for Windows Media Player 11 (KB959772)
    CueTour
    CutePDF Writer 2.7
    Dell Digital Jukebox Driver
    Dell Driver Reset Tool
    Dell Media Experience
    Dell Picture Studio v3.0
    Dell System Restore
    DellSupport
    Destinations
    DeviceFunctionQFolder
    DeviceManagementQFolder
    Digital Line Detect
    DocProc
    DocumentViewer
    DocumentViewerQFolder
    ESPN Java Check
    eSupportQFolder
    Fax_CDA
    FullDPAppQFolder
    HighMAT Extension to Microsoft Windows XP CD Writing Wizard
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows Internet Explorer 7 (KB947864)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB2158563)
    Hotfix for Windows XP (KB2443685)
    Hotfix for Windows XP (KB2570791)
    Hotfix for Windows XP (KB2633952)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB970653-v3)
    Hotfix for Windows XP (KB976098-v2)
    Hotfix for Windows XP (KB979306)
    Hotfix for Windows XP (KB981793)
    HP Document Viewer 5.3
    HP Image Zone 5.3
    HP Imaging Device Functions 5.3
    HP PSC & OfficeJet 5.3.A
    HP Software Update
    HP Solution Center & Imaging Support Tools 5.3
    HPProductAssistant
    InstantShareDevices
    Intel(R) Extreme Graphics 2 Driver
    Intel(R) PRO Network Adapters and Drivers
    Intel(R) PROSet for Wired Connections
    Internet Explorer Default Page
    iTunes
    LiveUpdate 3.3 (Symantec Corporation)
    Macromedia Flash Player
    Malwarebytes Anti-Malware version 1.60.1.1000
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB2656353)
    Microsoft .NET Framework 1.1 Security Update (KB979906)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Base Smart Card Cryptographic Service Provider Package
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
    Microsoft National Language Support Downlevel APIs
    Microsoft Office 2007 Service Pack 3 (SP3)
    Microsoft Office Access MUI (English) 2007
    Microsoft Office Access Setup Metadata MUI (English) 2007
    Microsoft Office Enterprise 2007
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office File Validation Add-In
    Microsoft Office Groove MUI (English) 2007
    Microsoft Office Groove Setup Metadata MUI (English) 2007
    Microsoft Office InfoPath MUI (English) 2007
    Microsoft Office OneNote MUI (English) 2007
    Microsoft Office Outlook MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)
    Microsoft Office Publisher MUI (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Visio Professional 2003
    Microsoft Office Word MUI (English) 2007
    Microsoft Plus! Digital Media Edition Installer
    Microsoft Plus! Photo Story 2 LE
    Microsoft Software Update for Web Folders (English) 12
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Virtual PC 2007
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
    Modem Helper
    Mozilla Firefox 10.0 (x86 en-US)
    MSXML 4.0 SP2 (KB927978)
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB954430)
    MSXML 6 Service Pack 2 (KB954459)
    Musicmatch® Jukebox
    NetWaiting
    NewCopy_CDA
    PanoStandAlone
    PhotoGallery
    PowerDVD 5.5
    ProductContextNPI
    QuickTime
    RandMap
    Readme
    RealPlayer
    SBC Yahoo! DSL Home Networking Installer
    Scan
    ScannerCopy
    Security Update for CAPICOM (KB931906)
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
    Security Update for Microsoft Office 2007 suites (KB2596785) 32-Bit Edition
    Security Update for Microsoft Office PowerPoint 2007 (KB2596764) 32-Bit Edition
    Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition
    Security Update for Microsoft Office Publisher 2007 (KB2596705) 32-Bit Edition
    Security Update for Microsoft Windows (KB2564958)
    Security Update for Step By Step Interactive Training (KB898458)
    Security Update for Step By Step Interactive Training (KB923723)
    Security Update for Windows Internet Explorer 7 (KB928090)
    Security Update for Windows Internet Explorer 7 (KB929969)
    Security Update for Windows Internet Explorer 7 (KB931768)
    Security Update for Windows Internet Explorer 7 (KB933566)
    Security Update for Windows Internet Explorer 7 (KB937143)
    Security Update for Windows Internet Explorer 7 (KB938127)
    Security Update for Windows Internet Explorer 7 (KB939653)
    Security Update for Windows Internet Explorer 7 (KB942615)
    Security Update for Windows Internet Explorer 7 (KB944533)
    Security Update for Windows Internet Explorer 7 (KB950759)
    Security Update for Windows Internet Explorer 7 (KB953838)
    Security Update for Windows Internet Explorer 7 (KB956390)
    Security Update for Windows Internet Explorer 7 (KB958215)
    Security Update for Windows Internet Explorer 7 (KB960714)
    Security Update for Windows Internet Explorer 7 (KB961260)
    Security Update for Windows Internet Explorer 7 (KB963027)
    Security Update for Windows Internet Explorer 7 (KB969897)
    Security Update for Windows Internet Explorer 8 (KB2183461)
    Security Update for Windows Internet Explorer 8 (KB2360131)
    Security Update for Windows Internet Explorer 8 (KB2416400)
    Security Update for Windows Internet Explorer 8 (KB2482017)
    Security Update for Windows Internet Explorer 8 (KB2497640)
    Security Update for Windows Internet Explorer 8 (KB2510531)
    Security Update for Windows Internet Explorer 8 (KB2530548)
    Security Update for Windows Internet Explorer 8 (KB2544521)
    Security Update for Windows Internet Explorer 8 (KB2559049)
    Security Update for Windows Internet Explorer 8 (KB2586448)
    Security Update for Windows Internet Explorer 8 (KB2618444)
    Security Update for Windows Internet Explorer 8 (KB2647516)
    Security Update for Windows Internet Explorer 8 (KB969897)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB972260)
    Security Update for Windows Internet Explorer 8 (KB974455)
    Security Update for Windows Internet Explorer 8 (KB976325)
    Security Update for Windows Internet Explorer 8 (KB978207)
    Security Update for Windows Internet Explorer 8 (KB981332)
    Security Update for Windows Internet Explorer 8 (KB982381)
    Security Update for Windows Media Player (KB2378111)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB975558)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows Media Player 10 (KB911565)
    Security Update for Windows Media Player 10 (KB917734)
    Security Update for Windows Media Player 10 (KB936782)
    Security Update for Windows Media Player 11 (KB936782)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows XP (KB2079403)
    Security Update for Windows XP (KB2115168)
    Security Update for Windows XP (KB2121546)
    Security Update for Windows XP (KB2160329)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB2259922)
    Security Update for Windows XP (KB2279986)
    Security Update for Windows XP (KB2286198)
    Security Update for Windows XP (KB2296011)
    Security Update for Windows XP (KB2296199)
    Security Update for Windows XP (KB2347290)
    Security Update for Windows XP (KB2360937)
    Security Update for Windows XP (KB2387149)
    Security Update for Windows XP (KB2393802)
    Security Update for Windows XP (KB2412687)
    Security Update for Windows XP (KB2419632)
    Security Update for Windows XP (KB2423089)
    Security Update for Windows XP (KB2436673)
    Security Update for Windows XP (KB2440591)
    Security Update for Windows XP (KB2443105)
    Security Update for Windows XP (KB2476490)
    Security Update for Windows XP (KB2476687)
    Security Update for Windows XP (KB2478960)
    Security Update for Windows XP (KB2478971)
    Security Update for Windows XP (KB2479628)
    Security Update for Windows XP (KB2479943)
    Security Update for Windows XP (KB2481109)
    Security Update for Windows XP (KB2483185)
    Security Update for Windows XP (KB2485376)
    Security Update for Windows XP (KB2485663)
    Security Update for Windows XP (KB2491683)
    Security Update for Windows XP (KB2503658)
    Security Update for Windows XP (KB2503665)
    Security Update for Windows XP (KB2506212)
    Security Update for Windows XP (KB2506223)
    Security Update for Windows XP (KB2507618)
    Security Update for Windows XP (KB2507938)
    Security Update for Windows XP (KB2508272)
    Security Update for Windows XP (KB2508429)
    Security Update for Windows XP (KB2509553)
    Security Update for Windows XP (KB2511455)
    Security Update for Windows XP (KB2524375)
    Security Update for Windows XP (KB2535512)
    Security Update for Windows XP (KB2536276-v2)
    Security Update for Windows XP (KB2536276)
    Security Update for Windows XP (KB2544893-v2)
    Security Update for Windows XP (KB2544893)
    Security Update for Windows XP (KB2555917)
    Security Update for Windows XP (KB2562937)
    Security Update for Windows XP (KB2566454)
    Security Update for Windows XP (KB2567053)
    Security Update for Windows XP (KB2567680)
    Security Update for Windows XP (KB2570222)
    Security Update for Windows XP (KB2570947)
    Security Update for Windows XP (KB2584146)
    Security Update for Windows XP (KB2585542)
    Security Update for Windows XP (KB2592799)
    Security Update for Windows XP (KB2598479)
    Security Update for Windows XP (KB2603381)
    Security Update for Windows XP (KB2618451)
    Security Update for Windows XP (KB2619339)
    Security Update for Windows XP (KB2620712)
    Security Update for Windows XP (KB2624667)
    Security Update for Windows XP (KB2631813)
    Security Update for Windows XP (KB2633171)
    Security Update for Windows XP (KB2639417)
    Security Update for Windows XP (KB2646524)
    Security Update for Windows XP (KB2660465)
    Security Update for Windows XP (KB2661637)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923689)
    Security Update for Windows XP (KB938464-v2)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951376)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB953839)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969898)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973346)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977165)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978251)
    Security Update for Windows XP (KB978262)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979559)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB979687)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB980436)
    Security Update for Windows XP (KB981322)
    Security Update for Windows XP (KB981852)
    Security Update for Windows XP (KB981957)
    Security Update for Windows XP (KB981997)
    Security Update for Windows XP (KB982132)
    Security Update for Windows XP (KB982214)
    Security Update for Windows XP (KB982665)
    Security Update for Windows XP (KB982802)
    SkinsHP1
    SolutionCenter
    Sonic Audio module
    Sonic DLA
    Sonic MyDVD LE
    Sonic RecordNow Copy
    Sonic RecordNow Data
    Sonic Update Manager
    Sonic_PrimoSDK
    Status
    Symantec Endpoint Protection
    TrayApp
    TurboTax ItsDeductible 2006
    Unload
    Update for 2007 Microsoft Office System (KB967642)
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Microsoft Office 2007 suites (KB2596651) 32-Bit Edition
    Update for Microsoft Office 2007 suites (KB2596789) 32-Bit Edition
    Update for Microsoft Office 2007 suites (KB2597970) 32-Bit Edition
    Update for Microsoft Office Excel 2007 (KB2596596) 32-Bit Edition
    Update for Windows Internet Explorer 8 (KB975364)
    Update for Windows Internet Explorer 8 (KB976662)
    Update for Windows Internet Explorer 8 (KB976749)
    Update for Windows Internet Explorer 8 (KB980182)
    Update for Windows XP (KB2141007)
    Update for Windows XP (KB2345886)
    Update for Windows XP (KB2467659)
    Update for Windows XP (KB2541763)
    Update for Windows XP (KB2607712)
    Update for Windows XP (KB2616676)
    Update for Windows XP (KB2641690)
    Update for Windows XP (KB951072-v2)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971029)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    WebFldrs XP
    WebReg
    Windows Genuine Advantage Notifications (KB905474)
    Windows Genuine Advantage v1.3.0254.0
    Windows Internet Explorer 7
    Windows Internet Explorer 8
    Windows Media Connect
    Windows Media Format 11 runtime
    Windows Media Format SDK Hotfix - KB891122
    Windows Media Player 10
    Windows Media Player 11
    Windows XP Service Pack 3
    WinZip
    WordPerfect Office 12
    WSOP-USA.com
    .
    ==== Event Viewer Messages From Past Week ========
    .
    3/21/2012 3:32:04 PM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service ShellHWDetection with arguments "" in order to run the server: {555F3418-D99E-4E51-800A-6E89CFD8B1D7}
    3/21/2012 2:49:31 PM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
    .
    ==== End Of File ===========================


    GMER 1.0.15.15641 - http://www.gmer.net
    Rootkit scan 2012-03-28 21:25:24
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort0 WDC_WD800BB-75JHC0 rev.06.01C06
    Running: v424nrr2.exe; Driver: C:\DOCUME~1\Mike\LOCALS~1\Temp\ugtdipow.sys


    ---- System - GMER 1.0.15 ----

    SSDT 8A506F88 ZwAlertResumeThread
    SSDT 8A41BA38 ZwAlertThread
    SSDT 8A4471F0 ZwAllocateVirtualMemory
    SSDT 8A41C090 ZwConnectPort
    SSDT 8A4D9CB0 ZwCreateMutant
    SSDT 8A3C6378 ZwCreateThread
    SSDT 8A555468 ZwFreeVirtualMemory
    SSDT 8A45A158 ZwImpersonateAnonymousToken
    SSDT 8A39ABE0 ZwImpersonateThread
    SSDT 8A3F5350 ZwMapViewOfSection
    SSDT 8A3AA180 ZwOpenEvent
    SSDT 8A4E9A90 ZwOpenProcessToken
    SSDT 8A3FB3C0 ZwOpenThreadToken
    SSDT 8A39C178 ZwResumeThread
    SSDT 8A3BB378 ZwSetContextThread
    SSDT 8A3BE2B0 ZwSetInformationProcess
    SSDT 8A40C9D0 ZwSetInformationThread
    SSDT 8A3A6180 ZwSuspendProcess
    SSDT 8A50B9D0 ZwSuspendThread
    SSDT 8A3B1178 ZwTerminateProcess
    SSDT 8A4E9168 ZwTerminateThread
    SSDT 8A3B0748 ZwUnmapViewOfSection
    SSDT 8A4EA738 ZwWriteVirtualMemory

    ---- Kernel code sections - GMER 1.0.15 ----

    init C:\WINDOWS\system32\drivers\senfilt.sys entry point in "init" section [0xB9A0CF80]
    ? C:\WINDOWS\system32\Drivers\PROCEXP152.SYS The system cannot find the file specified. !
    ? C:\DOCUME~1\Mike\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

    ---- User code sections - GMER 1.0.15 ----

    .text C:\WINDOWS\system32\svchost.exe[2352] kernel32.dll!WriteFile 7C810E27 5 Bytes JMP 0092000C
    .text C:\WINDOWS\system32\svchost.exe[2352] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 0134000A
    .text C:\WINDOWS\system32\svchost.exe[2352] USER32.dll!WindowFromPoint 7E429766 5 Bytes JMP 0135000A
    .text C:\WINDOWS\system32\svchost.exe[2352] USER32.dll!GetForegroundWindow 7E429823 5 Bytes JMP 0136000A
    .text C:\WINDOWS\system32\svchost.exe[2352] ole32.dll!CoCreateInstance 774FF1BC 5 Bytes JMP 00E4000A

    ---- Devices - GMER 1.0.15 ----

    Device Ntfs.sys (NT File System Driver/Microsoft Corporation)
    Device Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)

    AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 8A1562C6
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP0T0L0-3 8A1562C6
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 8A1562C6
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T0L0-e 8A1562C6

    AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

    Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)

    AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    Device Cdfs.SYS (CD-ROM File System Driver/Microsoft Corporation)
    Device tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SOFTWARE\Classes\CLSID\{2B281F75-2A00-CEB2-C5CE-143F6EB652C1}\Implemented Categories\{62C8FE65-4EBB-45E7-B440-6E39B2CDBF29}
    Reg HKLM\SOFTWARE\Classes\CLSID\{2B281F75-2A00-CEB2-C5CE-143F6EB652C1}\Implemented Categories\{62C8FE65-4EBB-45E7-B440-6E39B2CDBF29}@
    Reg HKLM\SOFTWARE\Classes\CLSID\{2B281F75-2A00-CEB2-C5CE-143F6EB652C1}\InprocServer32@RuntimeVersion v2.0.50727
    Reg HKLM\SOFTWARE\Classes\CLSID\{2B281F75-2A00-CEB2-C5CE-143F6EB652C1}\InprocServer32@Assembly Microsoft.Vsa.Vb.CodeDOMProcessor, Version=8.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a
    Reg HKLM\SOFTWARE\Classes\CLSID\{2B281F75-2A00-CEB2-C5CE-143F6EB652C1}\InprocServer32@Class Microsoft.Vsa.Vb.CodeDOM.Location
    Reg HKLM\SOFTWARE\Classes\CLSID\{2B281F75-2A00-CEB2-C5CE-143F6EB652C1}\InprocServer32@ThreadingModel Both
    Reg HKLM\SOFTWARE\Classes\CLSID\{2B281F75-2A00-CEB2-C5CE-143F6EB652C1}\InprocServer32@ C:\WINDOWS\system32\MSCorEE.dll
    Reg HKLM\SOFTWARE\Classes\CLSID\{31E3FC97-DFA6-BD2D-E982-A7B9DBD87050}\Implemented Categories\{0DE86A54-2BAA-11CF-A229-00AA003D7352}
    Reg HKLM\SOFTWARE\Classes\CLSID\{31E3FC97-DFA6-BD2D-E982-A7B9DBD87050}\Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352}
    Reg HKLM\SOFTWARE\Classes\CLSID\{31E3FC97-DFA6-BD2D-E982-A7B9DBD87050}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}
    Reg HKLM\SOFTWARE\Classes\CLSID\{31E3FC97-DFA6-BD2D-E982-A7B9DBD87050}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}
    Reg HKLM\SOFTWARE\Classes\CLSID\{31E3FC97-DFA6-BD2D-E982-A7B9DBD87050}\InprocServer32@ C:\WINDOWS\system32\msvidctl.dll
    Reg HKLM\SOFTWARE\Classes\CLSID\{31E3FC97-DFA6-BD2D-E982-A7B9DBD87050}\InprocServer32@ThreadingModel Both
    Reg HKLM\SOFTWARE\Classes\CLSID\{31E3FC97-DFA6-BD2D-E982-A7B9DBD87050}\ProgID@ BDATuner.ChannelTuneRequest.1
    Reg HKLM\SOFTWARE\Classes\CLSID\{31E3FC97-DFA6-BD2D-E982-A7B9DBD87050}\TypeLib@ {9B085638-018E-11D3-9D8E-00C04F72D980}
    Reg HKLM\SOFTWARE\Classes\CLSID\{31E3FC97-DFA6-BD2D-E982-A7B9DBD87050}\VersionIndependentProgID@ BDATuner.ChannelTuneRequest
    Reg HKLM\SOFTWARE\Classes\CLSID\{77F8D6E9-F0A7-8D50-B905-CAC75B2E221B}\InprocServer32@ C:\Program Files\Common Files\Microsoft Shared\DAO\dao360.dll
    Reg HKLM\SOFTWARE\Classes\CLSID\{77F8D6E9-F0A7-8D50-B905-CAC75B2E221B}\InprocServer32@ThreadingModel Apartment
    Reg HKLM\SOFTWARE\Classes\CLSID\{77F8D6E9-F0A7-8D50-B905-CAC75B2E221B}\ProgID@ DAO.Group.36

    ---- Disk sectors - GMER 1.0.15 ----

    Disk \Device\Harddisk0\DR0 TDL4@MBR code has been found <-- ROOTKIT !!!
    Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior

    ---- Files - GMER 1.0.15 ----

    File C:\Documents and Settings\LocalService\Cookies\9CJ4M58D.txt 228 bytes
    File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\0QXBP4Y0\beacon[5].js 0 bytes
    File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\0QXBP4Y0\en-ZW[1] 15258 bytes
    File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\0QXBP4Y0\1104124566[1] 16743 bytes
    File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\0RW8MX2G\search[5].htm 233 bytes
    File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\0RW8MX2G\topscript.js[1].php 0 bytes
    File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\0RW8MX2G\728x90_top[2].gif 0 bytes
    File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\0RW8MX2G\plcr_1866424_253135209_1331054440820[1].js 0 bytes
    File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\0RW8MX2G\quickfashionshop[1].php 0 bytes
    File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\0RW8MX2G\checkBrowser[1].htm 0 bytes
    File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\2181XO7Q\like[4].php 0 bytes
    File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\2181XO7Q\default[1].css 2189 bytes
    File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\2181XO7Q\ad_imp[6].gif 43 bytes
    File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\2181XO7Q\bobs-burgers-opening-january_large[1].jpg 15249 bytes
    File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\31CUURL0\modernizr[1].js 36607 bytes
    File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\31CUURL0\track[1].xml 485 bytes
    File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\31CUURL0\combo[1] 10602 bytes
    File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\31CUURL0\piggy-back-on-ads[1].js 1111 bytes
    File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\3RWVS7AU\1[1].jpg 4216 bytes
    File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\3RWVS7AU\set[1].gif 43 bytes
    File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\3RWVS7AU\shutter-reloaded[1].js 9027 bytes
    File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\3RWVS7AU\03062012-26v[1].jpg 5852 bytes
    File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\3RWVS7AU\03222012-37v[1].jpg 7715 bytes
    File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\3RWVS7AU\logoLitePlayer[1].js 5728 bytes
    File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\4QZOCX87\auth[1].js 54653 bytes
    File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\81GEUMTX\icon-music[1].png 374 bytes
    File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\IBBOE6WO\GetAd[2].aspx 0 bytes
    File C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\IBBOE6WO\st[4] 0 bytes

    ---- EOF - GMER 1.0.15 ----
     
  8. Phantom010

    Phantom010 Trusted Advisor

    Joined:
    Mar 9, 2009
    Messages:
    34,062
    This is the proxy server setting Cookiegal was referring to:

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:25419

    Malware will often change Lan settings and configure proxy settings by "tunneling" traffic through a certain port (e.g. Local address: 127.0.0.1 Port: 25419).

    Open Internet Explorer. Click Tools > Internet Options > Connections > Lan settings > Proxy server > Advanced > delete proxy server settings > click OK > uncheck all boxes > click OK.

    In Firefox, click Tools > Options... > General > Advanced > Network > Settings > delete proxy settings > select No proxy > click OK.
     
  9. joyo915

    joyo915 Thread Starter

    Joined:
    Jul 24, 2010
    Messages:
    51
    I followed your instructions Phantom to turning off the proxy server for both Internet Explorer and Firefox. Is there anything I should expect from this?
     
  10. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    101,716
    Please visit Combofix Guide & Instructions for instructions for installing the recovery console and downloading and running ComboFix.

    The only thing different from the instructions there is that when downloading and saving the ComboFix.exe I would like you to rename it to puppy.exe please.

    Post the log from ComboFix when you've accomplished that along with a new HijackThis log.

    Important notes regarding ComboFix:

    ComboFix may reset a number of Internet Explorer's settings, including making it the default browser. This can easily be changed once we're finished.

    ComboFix also prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you, please let me know. This can be undone manually when we're finished. Read HERE for an article written by dvk01 on why we disable autoruns.
     
  11. joyo915

    joyo915 Thread Starter

    Joined:
    Jul 24, 2010
    Messages:
    51
    ComboFix 12-03-29.02 - Mike 03/29/2012 17:39:52.5.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1534.627 [GMT -5:00]
    Running from: c:\documents and settings\Mike\Desktop\puppy.exe
    AV: AVG Anti-Virus Free Edition 2011 *Enabled/Outdated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    AV: Symantec Endpoint Protection *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\All Users\Application Data\TEMP
    c:\documents and settings\All Users\Application Data\TEMP\DFC5A2B2.TMP
    c:\documents and settings\Joanna\WINDOWS
    c:\documents and settings\Mike\Application Data\HPSU_48BitScanUpdate.log
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-02-28 to 2012-03-29 )))))))))))))))))))))))))))))))
    .
    .
    2012-03-27 23:35 . 2012-03-28 22:05 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2012-03-21 19:27 . 2012-01-03 22:52 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2012-01-12 16:53 . 2004-08-04 10:00 1859968 ----a-w- c:\windows\system32\win32k.sys
    2012-01-11 19:06 . 2012-02-15 06:07 3072 ------w- c:\windows\system32\iacenc.dll
    2012-03-29 21:41 . 2012-03-29 21:41 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2009-07-09 115560]
    "2wSysTray"="c:\program files\2Wire\2PortalMon.exe" [2004-09-15 393216]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-8-10 24576]
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccEvtMgr]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ccSetMgr]
    @="Service"
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Symantec Antivirus]
    @="Service"
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
    backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
    backup=c:\windows\pss\HP Image Zone Fast Start.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
    backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2008-10-15 06:04 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonMyPrinter]
    2009-10-19 02:12 1983816 ----a-w- c:\program files\Canon\MyPrinter\BJMYPRT.EXE
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonSolutionMenu]
    2009-09-04 01:43 767312 ----a-w- c:\program files\Canon\SolutionMenu\CNSLMAIN.EXE
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    2008-04-14 00:12 15360 ----a-w- c:\windows\SYSTEM32\ctfmon.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
    2007-03-15 16:09 460784 ----a-w- c:\program files\DellSupport\DSAgnt.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
    2005-02-23 21:19 53248 ------w- c:\program files\CyberLink\PowerDVD\DVDLauncher.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
    2009-02-27 00:36 30040 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
    2005-05-12 04:12 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2009-11-12 22:33 141600 ----a-w- c:\program files\iTunes\iTunesHelper.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
    2006-01-17 18:03 53248 ----a-w- c:\program files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
    2006-01-17 18:03 135168 ----a-w- c:\program files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    2008-04-14 00:12 1695232 ----a-w- c:\program files\Messenger\msmsgs.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2009-11-11 05:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
    2007-11-08 01:21 214296 ----a-w- c:\program files\Real\RealPlayer\realplay.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    2007-11-08 01:20 185632 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "Avg7UpdSvc"=2 (0x2)
    "Avg7Alrt"=2 (0x2)
    "iPodService"=3 (0x3)
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\Smc.exe"=
    "c:\\Program Files\\Symantec\\Symantec Endpoint Protection\\SNAC.EXE"=
    "c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"=
    .
    R3 COH_Mon;COH_Mon;c:\windows\system32\Drivers\COH_Mon.sys [2009-07-14 23888]
    R3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\DRIVERS\motccgp.sys [2008-08-22 18688]
    R3 motccgpfl;MotCcgpFlService;c:\windows\system32\DRIVERS\motccgpfl.sys [2008-08-22 8320]
    S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2012-02-13 106104]
    .
    .
    --- Other Services/Drivers In Memory ---
    .
    *Deregistered* - PROCEXP152
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
    2009-03-08 09:32 128512 ----a-w- c:\windows\SYSTEM32\advpack.dll
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2012-03-20 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]
    .
    2012-03-29 c:\windows\Tasks\User_Feed_Synchronization-{D7D3EEA8-5ED5-449A-A919-5100F9F30A19}.job
    - c:\windows\system32\msfeedssync.exe [2006-10-17 09:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://att.net/
    uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
    mSearch Bar = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
    uInternet Connection Wizard,ShellNext = iexplore
    uSearchURL,(Default) = hxxp://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
    TCP: DhcpNameServer = 192.168.1.254
    DPF: {D71F9A27-723E-4B8B-B428-B725E47CBA3E} - hxxp://imikimi.com/download/imikimi_plugin_0.5.1.cab
    FF - ProfilePath - c:\documents and settings\Mike\Application Data\Mozilla\Firefox\Profiles\98c72a03.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
    FF - prefs.js: network.proxy.type - 0
    .
    - - - - ORPHANS REMOVED - - - -
    .
    SafeBoot-Symantec Antvirus
    AddRemove-ESPN Java Check - c:\windows\system32\javaws.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2012-03-29 18:24
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 5.1.2600 Disk: WDC_WD800BB-75JHC0 rev.06.01C06 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
    .
    device: opened successfully
    user: MBR read successfully
    error: Read A device attached to the system is not functioning.
    kernel: MBR read successfully
    detected disk devices:
    detected hooks:
    \Driver\atapi DriverStartIo -> 0x89FB32C6
    user & kernel MBR OK
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'winlogon.exe'(840)
    c:\windows\system32\WININET.dll
    .
    - - - - - - - > 'lsass.exe'(900)
    c:\windows\system32\WININET.dll
    .
    Completion time: 2012-03-29 18:36:23
    ComboFix-quarantined-files.txt 2012-03-29 23:36
    ComboFix2.txt 2011-02-08 01:25
    .
    Pre-Run: 47,139,483,648 bytes free
    Post-Run: 48,256,032,768 bytes free
    .
    - - End Of File - - A7A10F22349A931262E8B5F1FC05D18F


    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 6:47:35 PM, on 3/29/2012
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Motive\McciCMService.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
    C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\2Wire\2PortalMon.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\notepad.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\taskmgr.exe
    C:\Program Files\Mozilla Firefox\plugin-container.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Documents and Settings\Mike\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.net/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../sbcydsl/*http://www.yahoo.com/search/ie.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
    R3 - URLSearchHook: (no name) - {472734EA-242A-422b-ADF8-83D1E48CC825} - (no file)
    O2 - BHO: (no name) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - (no file)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
    O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\2PortalMon.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
    O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
    O9 - Extra button: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (file missing)
    O9 - Extra 'Tools' menuitem: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (file missing)
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {362C56AA-6E4F-40C7-A0B5-85501DBDAD77} (Scanner.SysScanner) - http://i.dell.com/images/global/js/scanner/SysProExe.cab
    O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
    O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1136499180796
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
    O16 - DPF: {D71F9A27-723E-4B8B-B428-B725E47CBA3E} - http://imikimi.com/download/imikimi_plugin_0.5.1.cab
    O16 - DPF: {E5168F0C-8591-11D4-BCDF-006008B7FEA4} - http://www.platoweb01.com/pathways/pway_iis.dll/pwln/02040611/fullcab/pwlninst.cab
    O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: McciCMService - Motive Communications, Inc. - C:\Program Files\Common Files\Motive\McciCMService.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Symantec Management Client (SmcService) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
    O23 - Service: Symantec Endpoint Protection (Symantec AntiVirus) - Symantec Corporation - C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe

    --
    End of file - 8348 bytes
     
  12. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    101,716
    Please download aswMBR.exe and save it to your desktop.

    Double click aswMBR.exe to start the tool (Vista/Windows 7 users - right click to run as administrator) and allow it to download the Avast database.

    Click Scan.

    Upon completion of the scan, click Save log then save it to your desktop and post that log in your next reply for review.
    Note - do NOT attempt any Fix yet.
     
  13. joyo915

    joyo915 Thread Starter

    Joined:
    Jul 24, 2010
    Messages:
    51
    aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
    Run date: 2012-03-30 10:28:34
    -----------------------------
    10:28:34.593 OS Version: Windows 5.1.2600 Service Pack 3
    10:28:34.593 Number of processors: 1 586 0x401
    10:28:34.593 ComputerName: HOME UserName: Mike
    10:28:43.187 Initialize success
    10:35:30.296 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
    10:35:30.312 Disk 0 Vendor: WDC_WD800BB-75JHC0 06.01C06 Size: 76293MB BusType: 3
    10:35:30.312 Device \Driver\atapi -> DriverStartIo 89fd72c6
    10:35:30.312 Disk 0 MBR read successfully
    10:35:30.312 Disk 0 MBR scan
    10:35:30.312 Disk 0 TDL4@MBR code has been found
    10:35:30.312 Disk 0 MBR hidden
    10:35:30.312 Disk 0 Partition 1 00 DE Dell Utility Dell 4.1 39 MB offset 63
    10:35:30.343 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 72606 MB offset 80325
    10:35:30.375 Disk 0 Partition 3 00 DB CP/M / CTOS MSWIN4.1 3639 MB offset 148777965
    10:35:30.375 Disk 0 MBR [TDL4] **ROOTKIT**
    10:35:30.375 Disk 0 trace - called modules:
    10:35:30.375 ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x89fd749f]<<
    10:35:30.390 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a509a30]
    10:35:30.656 3 CLASSPNP.SYS[f76b7fd7] -> nt!IofCallDriver -> [0x8a1c4c88]
    10:35:30.671 \Driver\atapi[0x8a1b15d0] -> IRP_MJ_CREATE -> 0x89fd749f
    10:35:30.671 Scan finished successfully
    10:35:53.781 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Mike\Desktop\MBR.dat"
    10:35:53.796 The log file has been saved successfully to "C:\Documents and Settings\Mike\Desktop\aswMBR.txt"
     
  14. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    101,716
  15. joyo915

    joyo915 Thread Starter

    Joined:
    Jul 24, 2010
    Messages:
    51
    10:30:10.0281 2148 TDSS rootkit removing tool 2.7.23.0 Mar 26 2012 13:40:18
    10:30:10.0859 2148 ============================================================
    10:30:10.0859 2148 Current date / time: 2012/03/31 10:30:10.0859
    10:30:10.0859 2148 SystemInfo:
    10:30:10.0859 2148
    10:30:10.0875 2148 OS Version: 5.1.2600 ServicePack: 3.0
    10:30:10.0875 2148 Product type: Workstation
    10:30:10.0875 2148 ComputerName: HOME
    10:30:10.0875 2148 UserName: Mike
    10:30:10.0875 2148 Windows directory: C:\WINDOWS
    10:30:10.0875 2148 System windows directory: C:\WINDOWS
    10:30:10.0875 2148 Processor architecture: Intel x86
    10:30:10.0875 2148 Number of processors: 1
    10:30:10.0875 2148 Page size: 0x1000
    10:30:10.0875 2148 Boot type: Normal boot
    10:30:10.0875 2148 ============================================================
    10:30:17.0781 2148 Drive \Device\Harddisk0\DR0 - Size: 0x12A05F2000 (74.51 Gb), SectorSize: 0x200, Cylinders: 0x25FE, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
    10:30:17.0812 2148 \Device\Harddisk0\DR0:
    10:30:17.0812 2148 MBR used
    10:30:17.0812 2148 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x139C5, BlocksNum 0x8DCF228
    10:30:18.0171 2148 Initialize success
    10:30:18.0171 2148 ============================================================
    10:30:26.0906 4000 ============================================================
    10:30:26.0906 4000 Scan started
    10:30:26.0906 4000 Mode: Manual;
    10:30:26.0906 4000 ============================================================
    10:30:28.0781 4000 Abiosdsk - ok
    10:30:29.0156 4000 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS
    10:30:29.0218 4000 abp480n5 - ok
    10:30:30.0000 4000 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
    10:30:30.0078 4000 ACPI - ok
    10:30:30.0437 4000 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
    10:30:30.0484 4000 ACPIEC - ok
    10:30:31.0093 4000 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys
    10:30:31.0203 4000 adpu160m - ok
    10:30:31.0718 4000 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
    10:30:31.0765 4000 aec - ok
    10:30:32.0250 4000 AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys
    10:30:32.0328 4000 AFD - ok
    10:30:32.0828 4000 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys
    10:30:32.0875 4000 agp440 - ok
    10:30:33.0390 4000 agpCPQ (03a7e0922acfe1b07d5db2eeb0773063) C:\WINDOWS\system32\DRIVERS\agpCPQ.sys
    10:30:33.0437 4000 agpCPQ - ok
    10:30:34.0000 4000 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\system32\DRIVERS\aha154x.sys
    10:30:34.0015 4000 Aha154x - ok
    10:30:34.0703 4000 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys
    10:30:34.0875 4000 aic78u2 - ok
    10:30:35.0390 4000 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys
    10:30:35.0437 4000 aic78xx - ok
    10:30:35.0937 4000 Alerter (a9a3daa780ca6c9671a19d52456705b4) C:\WINDOWS\system32\alrsvc.dll
    10:30:36.0000 4000 Alerter - ok
    10:30:36.0343 4000 ALG (8c515081584a38aa007909cd02020b3d) C:\WINDOWS\System32\alg.exe
    10:30:36.0343 4000 ALG - ok
    10:30:36.0984 4000 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys
    10:30:37.0031 4000 AliIde - ok
    10:30:37.0593 4000 alim1541 (cb08aed0de2dd889a8a820cd8082d83c) C:\WINDOWS\system32\DRIVERS\alim1541.sys
    10:30:37.0656 4000 alim1541 - ok
    10:30:38.0296 4000 amdagp (95b4fb835e28aa1336ceeb07fd5b9398) C:\WINDOWS\system32\DRIVERS\amdagp.sys
    10:30:38.0406 4000 amdagp - ok
    10:30:38.0984 4000 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\system32\DRIVERS\amsint.sys
    10:30:39.0234 4000 amsint - ok
    10:30:39.0578 4000 Apple Mobile Device (4b5ae15e5c73eb4dc8dbec2788230d41) C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    10:30:39.0593 4000 Apple Mobile Device - ok
    10:30:40.0015 4000 AppMgmt - ok
    10:30:40.0625 4000 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\system32\DRIVERS\asc.sys
    10:30:40.0703 4000 asc - ok
    10:30:41.0234 4000 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\system32\DRIVERS\asc3350p.sys
    10:30:41.0265 4000 asc3350p - ok
    10:30:41.0750 4000 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\system32\DRIVERS\asc3550.sys
    10:30:41.0796 4000 asc3550 - ok
    10:30:42.0250 4000 aspnet_state (0e5e4957549056e2bf2c49f4f6b601ad) C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
    10:30:42.0796 4000 aspnet_state - ok
    10:30:43.0250 4000 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
    10:30:43.0281 4000 AsyncMac - ok
    10:30:43.0906 4000 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
    10:30:43.0906 4000 atapi - ok
    10:30:44.0375 4000 Atdisk - ok
    10:30:45.0046 4000 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
    10:30:45.0109 4000 Atmarpc - ok
    10:30:45.0546 4000 AudioSrv (def7a7882bec100fe0b2ce2549188f9d) C:\WINDOWS\System32\audiosrv.dll
    10:30:45.0640 4000 AudioSrv - ok
    10:30:46.0234 4000 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
    10:30:46.0265 4000 audstub - ok
    10:30:46.0765 4000 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
    10:30:46.0765 4000 Beep - ok
    10:30:47.0343 4000 BITS (574738f61fca2935f5265dc4e5691314) C:\WINDOWS\system32\qmgr.dll
    10:30:47.0750 4000 BITS - ok
    10:30:48.0203 4000 Browser (a06ce3399d16db864f55faeb1f1927a9) C:\WINDOWS\System32\browser.dll
    10:30:48.0218 4000 Browser - ok
    10:30:48.0781 4000 bvrp_pci - ok
    10:30:48.0953 4000 catchme - ok
    10:30:49.0515 4000 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\DRIVERS\cbidf2k.sys
    10:30:49.0640 4000 cbidf - ok
    10:30:50.0156 4000 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
    10:30:50.0156 4000 cbidf2k - ok
    10:30:50.0406 4000 ccEvtMgr (27d036fb3d22ca8a6662fe960d1a937d) C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    10:30:50.0453 4000 ccEvtMgr - ok
    10:30:50.0500 4000 ccSetMgr (27d036fb3d22ca8a6662fe960d1a937d) C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    10:30:50.0500 4000 ccSetMgr - ok
    10:30:50.0984 4000 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\system32\DRIVERS\cd20xrnt.sys
    10:30:51.0328 4000 cd20xrnt - ok
    10:30:51.0859 4000 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
    10:30:51.0875 4000 Cdaudio - ok
    10:30:52.0453 4000 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
    10:30:52.0484 4000 Cdfs - ok
    10:30:53.0125 4000 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
    10:30:53.0171 4000 Cdrom - ok
    10:30:53.0781 4000 Changer - ok
    10:30:54.0250 4000 CiSvc (1cfe720eb8d93a7158a4ebc3ab178bde) C:\WINDOWS\system32\cisvc.exe
    10:30:54.0500 4000 CiSvc - ok
    10:30:54.0984 4000 ClipSrv (34cbe729f38138217f9c80212a2a0c82) C:\WINDOWS\system32\clipsrv.exe
    10:30:55.0171 4000 ClipSrv - ok
    10:30:55.0468 4000 clr_optimization_v2.0.50727_32 (d87acaed61e417bba546ced5e7e36d9c) C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
    10:30:56.0406 4000 clr_optimization_v2.0.50727_32 - ok
    10:30:56.0953 4000 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\system32\DRIVERS\cmdide.sys
    10:30:57.0000 4000 CmdIde - ok
    10:30:57.0515 4000 COH_Mon (c586875ece5318c6309ed1ab79d0e55f) C:\WINDOWS\system32\Drivers\COH_Mon.sys
    10:30:57.0531 4000 COH_Mon - ok
    10:30:57.0937 4000 COMSysApp - ok
    10:30:58.0343 4000 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\system32\DRIVERS\cpqarray.sys
    10:30:58.0437 4000 Cpqarray - ok
    10:30:58.0984 4000 CryptSvc (3d4e199942e29207970e04315d02ad3b) C:\WINDOWS\System32\cryptsvc.dll
    10:30:59.0000 4000 CryptSvc - ok
    10:30:59.0546 4000 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\system32\DRIVERS\dac2w2k.sys
    10:30:59.0687 4000 dac2w2k - ok
    10:31:00.0203 4000 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\system32\DRIVERS\dac960nt.sys
    10:31:00.0406 4000 dac960nt - ok
    10:31:00.0968 4000 DcomLaunch (6b27a5c03dfb94b4245739065431322c) C:\WINDOWS\system32\rpcss.dll
    10:31:01.0140 4000 DcomLaunch - ok
    10:31:01.0671 4000 Dhcp (5e38d7684a49cacfb752b046357e0589) C:\WINDOWS\System32\dhcpcsvc.dll
    10:31:01.0750 4000 Dhcp - ok
    10:31:02.0234 4000 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
    10:31:02.0437 4000 Disk - ok
    10:31:02.0796 4000 dmadmin - ok
    10:31:03.0515 4000 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
    10:31:04.0296 4000 dmboot - ok
    10:31:04.0921 4000 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
    10:31:05.0187 4000 dmio - ok
    10:31:05.0765 4000 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
    10:31:05.0828 4000 dmload - ok
    10:31:06.0390 4000 dmserver (57edec2e5f59f0335e92f35184bc8631) C:\WINDOWS\System32\dmserver.dll
    10:31:06.0671 4000 dmserver - ok
    10:31:07.0187 4000 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
    10:31:07.0250 4000 DMusic - ok
    10:31:07.0656 4000 Dnscache (5f7e24fa9eab896051ffb87f840730d2) C:\WINDOWS\System32\dnsrslvr.dll
    10:31:07.0703 4000 Dnscache - ok
    10:31:08.0250 4000 Dot3svc (0f0f6e687e5e15579ef4da8dd6945814) C:\WINDOWS\System32\dot3svc.dll
    10:31:08.0312 4000 Dot3svc - ok
    10:31:08.0781 4000 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\system32\DRIVERS\dpti2o.sys
    10:31:08.0812 4000 dpti2o - ok
    10:31:09.0328 4000 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
    10:31:09.0328 4000 drmkaud - ok
    10:31:09.0890 4000 drvmcdb (96bc8f872f0270c10edc3931f1c03776) C:\WINDOWS\system32\drivers\drvmcdb.sys
    10:31:09.0937 4000 drvmcdb - ok
    10:31:10.0687 4000 drvnddm (5afbec7a6ac61b211633dfdb1d9e0c89) C:\WINDOWS\system32\drivers\drvnddm.sys
    10:31:10.0703 4000 drvnddm - ok
    10:31:10.0921 4000 DSBrokerService (fe80901578e7e3da70299a5aeb2b7fbd) C:\Program Files\DellSupport\brkrsvc.exe
    10:31:11.0718 4000 DSBrokerService - ok
    10:31:11.0984 4000 DSproct (413f2d5f9d802688242c23b38f767ecb) C:\Program Files\DellSupport\GTAction\triggers\DSproct.sys
    10:31:12.0140 4000 DSproct - ok
    10:31:12.0515 4000 dsunidrv (dfeabb7cfffadea4a912ab95bdc3177a) C:\WINDOWS\system32\DRIVERS\dsunidrv.sys
    10:31:12.0531 4000 dsunidrv - ok
    10:31:13.0031 4000 E100B (7d91dc6342248369f94d6eba0cf42e99) C:\WINDOWS\system32\DRIVERS\e100b325.sys
    10:31:13.0093 4000 E100B - ok
    10:31:13.0453 4000 EapHost (2187855a7703adef0cef9ee4285182cc) C:\WINDOWS\System32\eapsvc.dll
    10:31:13.0500 4000 EapHost - ok
    10:31:13.0984 4000 eeCtrl (579a6b6135d32b857faf0e3a974535d8) C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys
    10:31:14.0203 4000 eeCtrl - ok
    10:31:14.0468 4000 EraserUtilRebootDrv (028d50f059bd0d2ccb209e9011b9a9a4) C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys
    10:31:14.0500 4000 EraserUtilRebootDrv - ok
    10:31:15.0015 4000 ERSvc (bc93b4a066477954555966d77fec9ecb) C:\WINDOWS\System32\ersvc.dll
    10:31:15.0031 4000 ERSvc - ok
    10:31:15.0515 4000 Eventlog (65df52f5b8b6e9bbd183505225c37315) C:\WINDOWS\system32\services.exe
    10:31:15.0531 4000 Eventlog - ok
    10:31:16.0109 4000 EventSystem (d4991d98f2db73c60d042f1aef79efae) C:\WINDOWS\system32\es.dll
    10:31:16.0171 4000 EventSystem - ok
    10:31:16.0625 4000 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
    10:31:16.0937 4000 Fastfat - ok
    10:31:17.0421 4000 FastUserSwitchingCompatibility (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll
    10:31:17.0453 4000 FastUserSwitchingCompatibility - ok
    10:31:18.0250 4000 Fax (e97d6a8684466df94ff3bc24fb787a07) C:\WINDOWS\system32\fxssvc.exe
    10:31:18.0562 4000 Fax - ok
    10:31:19.0140 4000 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
    10:31:19.0250 4000 Fdc - ok
    10:31:19.0734 4000 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
    10:31:19.0765 4000 Fips - ok
    10:31:20.0312 4000 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
    10:31:20.0343 4000 Flpydisk - ok
    10:31:20.0984 4000 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
    10:31:21.0171 4000 FltMgr - ok
    10:31:21.0546 4000 FontCache3.0.0.0 (8ba7c024070f2b7fdd98ed8a4ba41789) c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
    10:31:21.0703 4000 FontCache3.0.0.0 - ok
    10:31:22.0234 4000 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
    10:31:22.0234 4000 Fs_Rec - ok
    10:31:22.0796 4000 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
    10:31:22.0890 4000 Ftdisk - ok
    10:31:23.0437 4000 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
    10:31:23.0531 4000 GEARAspiWDM - ok
    10:31:23.0968 4000 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
    10:31:24.0015 4000 Gpc - ok
    10:31:24.0234 4000 helpsvc (4fcca060dfe0c51a09dd5c3843888bcd) C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll
    10:31:24.0250 4000 helpsvc - ok
    10:31:24.0546 4000 HidServ - ok
    10:31:24.0937 4000 hkmsvc (8878bd685e490239777bfe51320b88e9) C:\WINDOWS\System32\kmsvc.dll
    10:31:25.0000 4000 hkmsvc - ok
    10:31:25.0390 4000 hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\system32\DRIVERS\hpn.sys
    10:31:25.0468 4000 hpn - ok
    10:31:25.0906 4000 HPZid412 (9f1d80908658eb7f1bf70809e0b51470) C:\WINDOWS\system32\DRIVERS\HPZid412.sys
    10:31:25.0953 4000 HPZid412 - ok
    10:31:26.0437 4000 HPZipr12 (f7e3e9d50f9cd3de28085a8fdaa0a1c3) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
    10:31:26.0484 4000 HPZipr12 - ok
    10:31:27.0031 4000 HPZius12 (cf1b7951b4ec8d13f3c93b74bb2b461b) C:\WINDOWS\system32\DRIVERS\HPZius12.sys
    10:31:27.0093 4000 HPZius12 - ok
    10:31:27.0843 4000 HSFHWBS2 (77e4ff0b73bc0aeaaf39bf0c8104231f) C:\WINDOWS\system32\DRIVERS\HSFHWBS2.sys
    10:31:27.0984 4000 HSFHWBS2 - ok
    10:31:28.0906 4000 HSF_DP (60e1604729a15ef4a3b05f298427b3b1) C:\WINDOWS\system32\DRIVERS\HSF_DP.sys
    10:31:29.0312 4000 HSF_DP - ok
    10:31:29.0937 4000 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
    10:31:30.0078 4000 HTTP - ok
    10:31:30.0484 4000 HTTPFilter (6100a808600f44d999cebdef8841c7a3) C:\WINDOWS\System32\w3ssl.dll
    10:31:30.0500 4000 HTTPFilter - ok
    10:31:31.0187 4000 i2omgmt (9368670bd426ebea5e8b18a62416ec28) C:\WINDOWS\system32\drivers\i2omgmt.sys
    10:31:31.0203 4000 i2omgmt - ok
    10:31:31.0812 4000 i2omp (f10863bf1ccc290babd1a09188ae49e0) C:\WINDOWS\system32\DRIVERS\i2omp.sys
    10:31:31.0890 4000 i2omp - ok
    10:31:32.0515 4000 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
    10:31:32.0593 4000 i8042prt - ok
    10:31:33.0640 4000 ialm (9a883c3c4d91292c0d09de7c728e781c) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
    10:31:34.0453 4000 ialm - ok
    10:31:34.0859 4000 IDriverT (1cf03c69b49acb70c722df92755c0c8c) C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    10:31:34.0953 4000 IDriverT - ok
    10:31:35.0812 4000 idsvc (c01ac32dc5c03076cfb852cb5da5229c) c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
    10:31:36.0671 4000 idsvc - ok
    10:31:37.0296 4000 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
    10:31:37.0328 4000 Imapi - ok
    10:31:37.0953 4000 ImapiService (30deaf54a9755bb8546168cfe8a6b5e1) C:\WINDOWS\system32\imapi.exe
    10:31:38.0015 4000 ImapiService - ok
    10:31:38.0578 4000 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\system32\DRIVERS\ini910u.sys
    10:31:38.0781 4000 ini910u - ok
    10:31:39.0531 4000 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
    10:31:39.0578 4000 IntelIde - ok
    10:31:40.0328 4000 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
    10:31:40.0406 4000 intelppm - ok
    10:31:41.0046 4000 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
    10:31:41.0109 4000 Ip6Fw - ok
    10:31:41.0640 4000 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
    10:31:41.0687 4000 IpFilterDriver - ok
    10:31:42.0343 4000 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
    10:31:42.0375 4000 IpInIp - ok
    10:31:42.0984 4000 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
    10:31:43.0031 4000 IpNat - ok
    10:31:43.0437 4000 iPod Service (7a3611564fce7c8be50b03f58cb3eb7d) C:\Program Files\iPod\bin\iPodService.exe
    10:31:43.0875 4000 iPod Service - ok
    10:31:44.0359 4000 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
    10:31:44.0406 4000 IPSec - ok
    10:31:44.0875 4000 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
    10:31:44.0921 4000 IRENUM - ok
    10:31:45.0484 4000 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
    10:31:45.0546 4000 isapnp - ok
    10:31:46.0046 4000 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
    10:31:46.0109 4000 Kbdclass - ok
    10:31:46.0625 4000 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
    10:31:46.0687 4000 kmixer - ok
    10:31:47.0187 4000 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
    10:31:47.0281 4000 KSecDD - ok
    10:31:47.0671 4000 lanmanserver (3a7c3cbe5d96b8ae96ce81f0b22fb527) C:\WINDOWS\System32\srvsvc.dll
    10:31:47.0718 4000 lanmanserver - ok
    10:31:48.0343 4000 lanmanworkstation (a8888a5327621856c0cec4e385f69309) C:\WINDOWS\System32\wkssvc.dll
    10:31:48.0390 4000 lanmanworkstation - ok
    10:31:48.0703 4000 lbrtfdc - ok
    10:31:50.0140 4000 LiveUpdate (e34152d03caaaaa81dd66d803f392522) C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    10:31:51.0671 4000 LiveUpdate - ok
    10:31:52.0125 4000 LmHosts (a7db739ae99a796d91580147e919cc59) C:\WINDOWS\System32\lmhsvc.dll
    10:31:52.0125 4000 LmHosts - ok
    10:31:52.0515 4000 McciCMService (67b6f4e0db57dd2020a2415294ba4ed8) C:\Program Files\Common Files\Motive\McciCMService.exe
    10:31:52.0515 4000 McciCMService - ok
    10:31:53.0000 4000 MDC8021X (d7010580bf4e45d5e793a1fe75758c69) C:\WINDOWS\system32\DRIVERS\mdc8021x.sys
    10:31:53.0015 4000 MDC8021X - ok
    10:31:53.0531 4000 mdmxsdk (eeaea6514ba7c9d273b5e87c4e1aab30) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
    10:31:53.0546 4000 mdmxsdk - ok
    10:31:53.0953 4000 Messenger (986b1ff5814366d71e0ac5755c88f2d3) C:\WINDOWS\System32\msgsvc.dll
    10:31:53.0984 4000 Messenger - ok
    10:31:54.0453 4000 Microsoft Office Groove Audit Service (123271bd5237ab991dc5c21fdf8835eb) C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe
    10:31:54.0671 4000 Microsoft Office Groove Audit Service - ok
    10:31:55.0140 4000 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
    10:31:55.0156 4000 mnmdd - ok
    10:31:55.0734 4000 mnmsrvc (d18f1f0c101d06a1c1adf26eed16fcdd) C:\WINDOWS\system32\mnmsrvc.exe
    10:31:55.0812 4000 mnmsrvc - ok
    10:31:56.0406 4000 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
    10:31:56.0406 4000 Modem - ok
    10:31:56.0984 4000 MODEMCSA (1992e0d143b09653ab0f9c5e04b0fd65) C:\WINDOWS\system32\drivers\MODEMCSA.sys
    10:31:57.0015 4000 MODEMCSA - ok
    10:31:57.0609 4000 motccgp (201bfc4ef8b33d02d133fbf6535e515b) C:\WINDOWS\system32\DRIVERS\motccgp.sys
    10:31:57.0671 4000 motccgp - ok
    10:31:58.0203 4000 motccgpfl (d0242a3832eb7c97801bb25889561e23) C:\WINDOWS\system32\DRIVERS\motccgpfl.sys
    10:31:58.0234 4000 motccgpfl - ok
    10:31:58.0781 4000 motmodem (fe80c18ba448ddd76b7bead9eb203d37) C:\WINDOWS\system32\DRIVERS\motmodem.sys
    10:31:58.0859 4000 motmodem - ok
    10:31:59.0343 4000 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
    10:31:59.0375 4000 Mouclass - ok
    10:31:59.0906 4000 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
    10:31:59.0953 4000 MountMgr - ok
    10:32:00.0515 4000 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\system32\DRIVERS\mraid35x.sys
    10:32:00.0593 4000 mraid35x - ok
    10:32:00.0953 4000 MREMP50 (9bd4dcb5412921864a7aacdedfbd1923) C:\PROGRA~1\COMMON~1\Motive\MREMP50.SYS
    10:32:01.0000 4000 MREMP50 - ok
    10:32:01.0171 4000 MREMP50a64 - ok
    10:32:01.0312 4000 MRESP50 (07c02c892e8e1a72d6bf35004f0e9c5e) C:\PROGRA~1\COMMON~1\Motive\MRESP50.SYS
    10:32:01.0359 4000 MRESP50 - ok
    10:32:01.0562 4000 MRESP50a64 - ok
    10:32:02.0218 4000 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
    10:32:02.0578 4000 MRxDAV - ok
    10:32:03.0359 4000 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
    10:32:03.0515 4000 MRxSmb - ok
    10:32:04.0000 4000 MSDTC (a137f1470499a205abbb9aafb3b6f2b1) C:\WINDOWS\system32\msdtc.exe
    10:32:04.0015 4000 MSDTC - ok
    10:32:04.0453 4000 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
    10:32:04.0484 4000 Msfs - ok
    10:32:04.0796 4000 MSIServer - ok
    10:32:05.0171 4000 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
    10:32:05.0250 4000 MSKSSRV - ok
    10:32:05.0734 4000 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
    10:32:05.0828 4000 MSPCLOCK - ok
    10:32:06.0484 4000 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
    10:32:06.0515 4000 MSPQM - ok
    10:32:07.0062 4000 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
    10:32:07.0078 4000 mssmbios - ok
    10:32:07.0593 4000 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
    10:32:07.0687 4000 Mup - ok
    10:32:08.0343 4000 NAL (58c3368bd8991cd5c6c848c9dbb25d2b) C:\WINDOWS\system32\Drivers\iqvw32.sys
    10:32:08.0406 4000 NAL - ok
    10:32:08.0890 4000 napagent (0102140028fad045756796e1c685d695) C:\WINDOWS\System32\qagentrt.dll
    10:32:09.0078 4000 napagent - ok
    10:32:09.0500 4000 NAVENG (862f55824ac81295837b0ab63f91071f) C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20120327.008\NAVENG.SYS
    10:32:09.0515 4000 NAVENG - ok
    10:32:10.0687 4000 NAVEX15 (529d571b551cb9da44237389b936f1ae) C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20120327.008\NAVEX15.SYS
    10:32:10.0703 4000 NAVEX15 - ok
    10:32:11.0250 4000 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
    10:32:11.0421 4000 NDIS - ok
    10:32:11.0984 4000 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
    10:32:12.0031 4000 NdisTapi - ok
    10:32:12.0515 4000 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
    10:32:12.0546 4000 Ndisuio - ok
    10:32:13.0156 4000 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
    10:32:13.0250 4000 NdisWan - ok
    10:32:13.0828 4000 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
    10:32:14.0000 4000 NDProxy - ok
    10:32:14.0656 4000 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
    10:32:14.0687 4000 NetBIOS - ok
    10:32:15.0468 4000 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
    10:32:15.0531 4000 NetBT - ok
    10:32:16.0093 4000 NetDDE (b857ba82860d7ff85ae29b095645563b) C:\WINDOWS\system32\netdde.exe
    10:32:16.0375 4000 NetDDE - ok
    10:32:16.0437 4000 NetDDEdsdm (b857ba82860d7ff85ae29b095645563b) C:\WINDOWS\system32\netdde.exe
    10:32:16.0437 4000 NetDDEdsdm - ok
    10:32:16.0781 4000 Netlogon (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
    10:32:16.0781 4000 Netlogon - ok
    10:32:17.0453 4000 Netman (13e67b55b3abd7bf3fe7aae5a0f9a9de) C:\WINDOWS\System32\netman.dll
    10:32:17.0515 4000 Netman - ok
    10:32:17.0718 4000 NetSvc (02d0798f376fcbd0210eda58476d0b1b) C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
    10:32:17.0812 4000 NetSvc - ok
    10:32:18.0421 4000 NetTcpPortSharing (d34612c5d02d026535b3095d620626ae) c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
    10:32:18.0828 4000 NetTcpPortSharing - ok
    10:32:19.0578 4000 Nla (943337d786a56729263071623bbb9de5) C:\WINDOWS\System32\mswsock.dll
    10:32:19.0609 4000 Nla - ok
    10:32:20.0453 4000 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
    10:32:20.0468 4000 Npfs - ok
    10:32:21.0343 4000 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
    10:32:21.0796 4000 Ntfs - ok
    10:32:22.0421 4000 NtLmSsp (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
    10:32:22.0421 4000 NtLmSsp - ok
    10:32:23.0031 4000 NtmsSvc (156f64a3345bd23c600655fb4d10bc08) C:\WINDOWS\system32\ntmssvc.dll
    10:32:23.0328 4000 NtmsSvc - ok
    10:32:23.0890 4000 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
    10:32:23.0906 4000 Null - ok
    10:32:25.0687 4000 nv (2b298519edbfcf451d43e0f1e8f1006d) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
    10:32:27.0062 4000 nv - ok
    10:32:27.0656 4000 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
    10:32:27.0750 4000 NwlnkFlt - ok
    10:32:28.0218 4000 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
    10:32:28.0437 4000 NwlnkFwd - ok
    10:32:28.0937 4000 odserv (785f487a64950f3cb8e9f16253ba3b7b) C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE
    10:32:29.0265 4000 odserv - ok
    10:32:29.0640 4000 ose (5a432a042dae460abe7199b758e8606c) C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
    10:32:29.0812 4000 ose - ok
    10:32:30.0531 4000 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
    10:32:30.0640 4000 Parport - ok
    10:32:31.0203 4000 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
    10:32:31.0265 4000 PartMgr - ok
    10:32:31.0859 4000 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
    10:32:31.0937 4000 ParVdm - ok
    10:32:32.0687 4000 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
    10:32:32.0734 4000 PCI - ok
    10:32:33.0265 4000 PCIDump - ok
    10:32:33.0828 4000 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
    10:32:33.0937 4000 PCIIde - ok
    10:32:34.0703 4000 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
    10:32:34.0890 4000 Pcmcia - ok
    10:32:35.0515 4000 PDCOMP - ok
    10:32:35.0953 4000 PDFRAME - ok
    10:32:36.0515 4000 PDRELI - ok
    10:32:37.0015 4000 PDRFRAME - ok
    10:32:37.0812 4000 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\system32\DRIVERS\perc2.sys
    10:32:37.0890 4000 perc2 - ok
    10:32:38.0859 4000 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\system32\DRIVERS\perc2hib.sys
    10:32:39.0031 4000 perc2hib - ok
    10:32:39.0750 4000 PlugPlay (65df52f5b8b6e9bbd183505225c37315) C:\WINDOWS\system32\services.exe
    10:32:39.0750 4000 PlugPlay - ok
    10:32:40.0437 4000 Pml Driver HPZ12 (2d091a99624fb9e7eef0a86d872ec0c3) C:\WINDOWS\system32\HPZipm12.exe
    10:32:40.0500 4000 Pml Driver HPZ12 - ok
    10:32:41.0250 4000 PolicyAgent (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
    10:32:41.0250 4000 PolicyAgent - ok
    10:32:42.0281 4000 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
    10:32:42.0421 4000 PptpMiniport - ok
    10:32:43.0703 4000 ProtectedStorage (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
    10:32:43.0703 4000 ProtectedStorage - ok
    10:32:44.0765 4000 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
    10:32:44.0796 4000 PSched - ok
    10:32:45.0671 4000 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
    10:32:45.0828 4000 Ptilink - ok
    10:32:46.0578 4000 PxHelp20 (7c81ae3c9b82ba2da437ed4d31bc56cf) C:\WINDOWS\system32\Drivers\PxHelp20.sys
    10:32:46.0625 4000 PxHelp20 - ok
    10:32:47.0250 4000 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\system32\DRIVERS\ql1080.sys
    10:32:47.0312 4000 ql1080 - ok
    10:32:47.0906 4000 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\system32\DRIVERS\ql10wnt.sys
    10:32:47.0984 4000 Ql10wnt - ok
    10:32:48.0734 4000 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\system32\DRIVERS\ql12160.sys
    10:32:48.0796 4000 ql12160 - ok
    10:32:49.0359 4000 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\system32\DRIVERS\ql1240.sys
    10:32:49.0390 4000 ql1240 - ok
    10:32:50.0234 4000 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\system32\DRIVERS\ql1280.sys
    10:32:50.0296 4000 ql1280 - ok
    10:32:51.0687 4000 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
    10:32:51.0687 4000 RasAcd - ok
    10:32:52.0156 4000 RasAuto (ad188be7bdf94e8df4ca0a55c00a5073) C:\WINDOWS\System32\rasauto.dll
    10:32:52.0265 4000 RasAuto - ok
    10:32:52.0890 4000 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
    10:32:52.0953 4000 Rasl2tp - ok
    10:32:53.0453 4000 RasMan (76a9a3cbeadd68cc57cda5e1d7448235) C:\WINDOWS\System32\rasmans.dll
    10:32:53.0656 4000 RasMan - ok
    10:32:54.0156 4000 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
    10:32:54.0265 4000 RasPppoe - ok
    10:32:54.0796 4000 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
    10:32:54.0812 4000 Raspti - ok
    10:32:55.0515 4000 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
    10:32:55.0578 4000 Rdbss - ok
    10:32:56.0171 4000 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
    10:32:56.0171 4000 RDPCDD - ok
    10:32:56.0734 4000 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
    10:32:56.0843 4000 rdpdr - ok
    10:32:57.0531 4000 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) C:\WINDOWS\system32\drivers\RDPWD.sys
    10:32:57.0625 4000 RDPWD - ok
    10:32:58.0078 4000 RDSessMgr (3c37bf86641bda977c3bf8a840f3b7fa) C:\WINDOWS\system32\sessmgr.exe
    10:32:58.0203 4000 RDSessMgr - ok
    10:32:58.0750 4000 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
    10:32:58.0843 4000 redbook - ok
    10:32:59.0406 4000 RemoteAccess (7e699ff5f59b5d9de5390e3c34c67cf5) C:\WINDOWS\System32\mprdim.dll
    10:32:59.0546 4000 RemoteAccess - ok
    10:32:59.0937 4000 RpcLocator (aaed593f84afa419bbae8572af87cf6a) C:\WINDOWS\system32\locator.exe
    10:33:00.0015 4000 RpcLocator - ok
    10:33:00.0734 4000 RpcSs (6b27a5c03dfb94b4245739065431322c) C:\WINDOWS\System32\rpcss.dll
    10:33:00.0750 4000 RpcSs - ok
    10:33:01.0312 4000 RSVP (471b3f9741d762abe75e9deea4787e47) C:\WINDOWS\system32\rsvp.exe
    10:33:01.0421 4000 RSVP - ok
    10:33:01.0796 4000 SamSs (bf2466b3e18e970d8a976fb95fc1ca85) C:\WINDOWS\system32\lsass.exe
    10:33:01.0796 4000 SamSs - ok
    10:33:02.0234 4000 SCardSvr (86d007e7a654b9a71d1d7d856b104353) C:\WINDOWS\System32\SCardSvr.exe
    10:33:02.0375 4000 SCardSvr - ok
    10:33:02.0796 4000 Schedule (0a9a7365a1ca4319aa7c1d6cd8e4eafa) C:\WINDOWS\system32\schedsvc.dll
    10:33:02.0859 4000 Schedule - ok
    10:33:03.0359 4000 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
    10:33:03.0437 4000 Secdrv - ok
    10:33:03.0906 4000 seclogon (cbe612e2bb6a10e3563336191eda1250) C:\WINDOWS\System32\seclogon.dll
    10:33:03.0921 4000 seclogon - ok
    10:33:04.0968 4000 senfilt (b9c7617c1e8ab6fdff75d3c8dafcb4c8) C:\WINDOWS\system32\drivers\senfilt.sys
    10:33:05.0546 4000 senfilt - ok
    10:33:05.0968 4000 SENS (7fdd5d0684eca8c1f68b4d99d124dcd0) C:\WINDOWS\system32\sens.dll
    10:33:06.0000 4000 SENS - ok
    10:33:06.0578 4000 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
    10:33:06.0593 4000 serenum - ok
    10:33:07.0062 4000 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
    10:33:07.0125 4000 Serial - ok
    10:33:07.0750 4000 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
    10:33:07.0953 4000 Sfloppy - ok
    10:33:08.0562 4000 SharedAccess (83f41d0d89645d7235c051ab1d9523ac) C:\WINDOWS\System32\ipnathlp.dll
    10:33:08.0687 4000 SharedAccess - ok
    10:33:09.0140 4000 ShellHWDetection (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll
    10:33:09.0156 4000 ShellHWDetection - ok
    10:33:09.0734 4000 Simbad - ok
    10:33:10.0187 4000 sisagp (6b33d0ebd30db32e27d1d78fe946a754) C:\WINDOWS\system32\DRIVERS\sisagp.sys
    10:33:10.0218 4000 sisagp - ok
    10:33:11.0234 4000 SmcService (a58c1a086d9c09c6572c948f22cc0e94) C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe
    10:33:11.0984 4000 SmcService - ok
    10:33:12.0546 4000 smwdm (c6d9959e493682f872a639b6ec1b4a08) C:\WINDOWS\system32\drivers\smwdm.sys
    10:33:12.0734 4000 smwdm - ok
    10:33:13.0281 4000 SNAC (d2c222441255131e29de351475f98f6d) C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE
    10:33:13.0906 4000 SNAC - ok
    10:33:14.0390 4000 SONYPVU1 (a1eceeaa5c5e74b2499eb51d38185b84) C:\WINDOWS\system32\DRIVERS\SONYPVU1.SYS
    10:33:14.0453 4000 SONYPVU1 - ok
    10:33:15.0015 4000 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys
    10:33:15.0078 4000 Sparrow - ok
    10:33:15.0578 4000 SPBBCDrv (e621bb5839cf45fa477f48092edd2b40) C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys
    10:33:15.0828 4000 SPBBCDrv - ok
    10:33:16.0328 4000 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
    10:33:16.0453 4000 splitter - ok
    10:33:16.0937 4000 Spooler (60784f891563fb1b767f70117fc2428f) C:\WINDOWS\system32\spoolsv.exe
    10:33:16.0937 4000 Spooler - ok
    10:33:17.0468 4000 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
    10:33:17.0531 4000 sr - ok
    10:33:18.0140 4000 srservice (3805df0ac4296a34ba4bf93b346cc378) C:\WINDOWS\system32\srsvc.dll
    10:33:18.0203 4000 srservice - ok
    10:33:19.0000 4000 SRTSP (2abf82c8452ab0b9ffc74a2d5da91989) C:\WINDOWS\system32\Drivers\SRTSP.SYS
    10:33:19.0218 4000 SRTSP - ok
    10:33:19.0921 4000 SRTSPL (e2f9e5887bea5bd8784d337e06eda31b) C:\WINDOWS\system32\Drivers\SRTSPL.SYS
    10:33:20.0203 4000 SRTSPL - ok
    10:33:20.0968 4000 SRTSPX (3b974c158fabd910186f98df8d3e23f3) C:\WINDOWS\system32\Drivers\SRTSPX.SYS
    10:33:21.0015 4000 SRTSPX - ok
    10:33:21.0828 4000 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
    10:33:22.0281 4000 Srv - ok
    10:33:23.0015 4000 sscdbhk5 (98625722ad52b40305e74aaa83c93086) C:\WINDOWS\system32\drivers\sscdbhk5.sys
    10:33:23.0062 4000 sscdbhk5 - ok
    10:33:23.0640 4000 SSDPSRV (0a5679b3714edab99e357057ee88fca6) C:\WINDOWS\System32\ssdpsrv.dll
    10:33:23.0796 4000 SSDPSRV - ok
    10:33:24.0343 4000 ssrtln (d79412e3942c8a257253487536d5a994) C:\WINDOWS\system32\drivers\ssrtln.sys
    10:33:24.0406 4000 ssrtln - ok
    10:33:24.0843 4000 stisvc (8bad69cbac032d4bbacfce0306174c30) C:\WINDOWS\system32\wiaservc.dll
    10:33:24.0875 4000 stisvc - ok
    10:33:25.0546 4000 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
    10:33:25.0593 4000 swenum - ok
    10:33:26.0171 4000 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
    10:33:26.0218 4000 swmidi - ok
    10:33:26.0625 4000 SwPrv - ok
    10:33:27.0843 4000 Symantec AntiVirus (ba2fb8f8ab24d0279caa98a4c118150e) C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe
    10:33:27.0875 4000 Symantec AntiVirus - ok
    10:33:28.0406 4000 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys
    10:33:28.0421 4000 symc810 - ok
    10:33:29.0109 4000 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys
    10:33:29.0218 4000 symc8xx - ok
    10:33:29.0953 4000 SymEvent (a54ff04bd6e75dc4d8cb6f3e352635e0) C:\WINDOWS\system32\Drivers\SYMEVENT.SYS
    10:33:30.0062 4000 SymEvent - ok
    10:33:30.0546 4000 SymIM - ok
    10:33:31.0015 4000 SymIMMP - ok
    10:33:31.0546 4000 SYMREDRV (394b2368212114d538316812af60fddd) C:\WINDOWS\System32\Drivers\SYMREDRV.SYS
    10:33:31.0562 4000 SYMREDRV - ok
    10:33:32.0125 4000 SYMTDI (d46676bb414c7531bdffe637a33f5033) C:\WINDOWS\System32\Drivers\SYMTDI.SYS
    10:33:32.0187 4000 SYMTDI - ok
    10:33:32.0812 4000 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys
    10:33:32.0843 4000 sym_hi - ok
    10:33:33.0296 4000 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys
    10:33:33.0390 4000 sym_u3 - ok
    10:33:34.0015 4000 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
    10:33:34.0046 4000 sysaudio - ok
    10:33:34.0562 4000 SysmonLog (c7abbc59b43274b1109df6b24d617051) C:\WINDOWS\system32\smlogsvc.exe
    10:33:34.0703 4000 SysmonLog - ok
    10:33:35.0187 4000 TapiSrv (3cb78c17bb664637787c9a1c98f79c38) C:\WINDOWS\System32\tapisrv.dll
    10:33:35.0265 4000 TapiSrv - ok
    10:33:36.0093 4000 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
    10:33:36.0234 4000 Tcpip - ok
    10:33:36.0781 4000 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
    10:33:36.0906 4000 TDPIPE - ok
    10:33:37.0453 4000 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
    10:33:37.0531 4000 TDTCP - ok
    10:33:38.0109 4000 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
    10:33:38.0171 4000 TermDD - ok
    10:33:38.0781 4000 TermService (ff3477c03be7201c294c35f684b3479f) C:\WINDOWS\System32\termsrv.dll
    10:33:38.0781 4000 TermService - ok
    10:33:39.0296 4000 tfsnboio (d0177776e11b0b3f272eebd262a69661) C:\WINDOWS\system32\dla\tfsnboio.sys
    10:33:39.0312 4000 tfsnboio - ok
    10:33:39.0953 4000 tfsncofs (599804bc938b8305a5422319774da871) C:\WINDOWS\system32\dla\tfsncofs.sys
    10:33:39.0968 4000 tfsncofs - ok
    10:33:40.0593 4000 tfsndrct (a1902c00adc11c4d83f8e3ed947a6a32) C:\WINDOWS\system32\dla\tfsndrct.sys
    10:33:40.0593 4000 tfsndrct - ok
    10:33:41.0171 4000 tfsndres (d8ddb3f2b1bef15cff6728d89c042c61) C:\WINDOWS\system32\dla\tfsndres.sys
    10:33:41.0171 4000 tfsndres - ok
    10:33:41.0781 4000 tfsnifs (c4f2dea75300971cdaee311007de138d) C:\WINDOWS\system32\dla\tfsnifs.sys
    10:33:41.0812 4000 tfsnifs - ok
    10:33:42.0562 4000 tfsnopio (272925be0ea919f08286d2ee6f102b0f) C:\WINDOWS\system32\dla\tfsnopio.sys
    10:33:42.0578 4000 tfsnopio - ok
    10:33:43.0125 4000 tfsnpool (7b7d955e5cebc2fb88b03ef875d52a2f) C:\WINDOWS\system32\dla\tfsnpool.sys
    10:33:43.0125 4000 tfsnpool - ok
    10:33:43.0718 4000 tfsnudf (e3d01263109d800c1967c12c10a0b018) C:\WINDOWS\system32\dla\tfsnudf.sys
    10:33:43.0750 4000 tfsnudf - ok
    10:33:44.0281 4000 tfsnudfa (b9e9c377906e3a65bc74598fff7f7458) C:\WINDOWS\system32\dla\tfsnudfa.sys
    10:33:44.0328 4000 tfsnudfa - ok
    10:33:44.0890 4000 Themes (99bc0b50f511924348be19c7c7313bbf) C:\WINDOWS\System32\shsvcs.dll
    10:33:44.0906 4000 Themes - ok
    10:33:45.0343 4000 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\system32\DRIVERS\toside.sys
    10:33:45.0406 4000 TosIde - ok
    10:33:45.0921 4000 TrkWks (55bca12f7f523d35ca3cb833c725f54e) C:\WINDOWS\system32\trkwks.dll
    10:33:46.0031 4000 TrkWks - ok
    10:33:46.0687 4000 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
    10:33:46.0750 4000 Udfs - ok
    10:33:47.0296 4000 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys
    10:33:47.0328 4000 ultra - ok
    10:33:48.0109 4000 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
    10:33:48.0453 4000 Update - ok
    10:33:48.0953 4000 upnphost (1ebafeb9a3fbdc41b8d9c7f0f687ad91) C:\WINDOWS\System32\upnphost.dll
    10:33:48.0968 4000 upnphost - ok
    10:33:49.0406 4000 UPS (05365fb38fca1e98f7a566aaaf5d1815) C:\WINDOWS\System32\ups.exe
    10:33:49.0515 4000 UPS - ok
    10:33:50.0078 4000 USBAAPL (1df89c499bf45d878b87ebd4421d462d) C:\WINDOWS\system32\Drivers\usbaapl.sys
    10:33:50.0109 4000 USBAAPL - ok
    10:33:50.0765 4000 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
    10:33:50.0796 4000 usbccgp - ok
    10:33:51.0484 4000 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
    10:33:51.0562 4000 usbehci - ok
    10:33:52.0125 4000 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
    10:33:52.0171 4000 usbhub - ok
    10:33:52.0796 4000 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
    10:33:52.0828 4000 usbprint - ok
    10:33:53.0406 4000 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
    10:33:53.0500 4000 usbscan - ok
    10:33:54.0062 4000 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
    10:33:54.0203 4000 USBSTOR - ok
    10:33:54.0890 4000 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
    10:33:54.0921 4000 usbuhci - ok
    10:33:55.0562 4000 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
    10:33:55.0593 4000 VgaSave - ok
    10:33:56.0093 4000 viaagp (754292ce5848b3738281b4f3607eaef4) C:\WINDOWS\system32\DRIVERS\viaagp.sys
    10:33:56.0187 4000 viaagp - ok
    10:33:56.0781 4000 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
    10:33:56.0859 4000 ViaIde - ok
    10:33:57.0453 4000 vmm (e41fef9e3056fe88c71e411f705be41e) C:\WINDOWS\system32\Drivers\vmm.sys
    10:33:57.0578 4000 vmm - ok
    10:33:58.0171 4000 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
    10:33:58.0281 4000 VolSnap - ok
    10:33:58.0968 4000 VPCNetS2 (f96a678debdccb0b4bb7f38cb2580589) C:\WINDOWS\system32\DRIVERS\VMNetSrv.sys
    10:33:59.0000 4000 VPCNetS2 - ok
    10:33:59.0671 4000 VSS (7a9db3a67c333bf0bd42e42b8596854b) C:\WINDOWS\System32\vssvc.exe
    10:33:59.0828 4000 VSS - ok
    10:34:00.0250 4000 w32time (54af4b1d5459500ef0937f6d33b1914f) C:\WINDOWS\system32\w32time.dll
    10:34:00.0265 4000 w32time - ok
    10:34:00.0921 4000 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
    10:34:00.0937 4000 Wanarp - ok
    10:34:01.0359 4000 wanatw - ok
    10:34:02.0218 4000 Wdf01000 (fd47474bd21794508af449d9d91af6e6) C:\WINDOWS\system32\DRIVERS\Wdf01000.sys
    10:34:03.0046 4000 Wdf01000 - ok
    10:34:03.0359 4000 WDICA - ok
    10:34:04.0156 4000 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
    10:34:04.0187 4000 wdmaud - ok
    10:34:04.0718 4000 WebClient (77a354e28153ad2d5e120a5a8687bc06) C:\WINDOWS\System32\webclnt.dll
    10:34:04.0796 4000 WebClient - ok
    10:34:05.0468 4000 winachsf (f59ed5a43b988a18ef582bb07b2327a7) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
    10:34:05.0937 4000 winachsf - ok
    10:34:06.0453 4000 winmgmt (2d0e4ed081963804ccc196a0929275b5) C:\WINDOWS\system32\wbem\WMIsvc.dll
    10:34:06.0500 4000 winmgmt - ok
    10:34:07.0031 4000 WmdmPmSN (c51b4a5c05a5475708e3c81c7765b71d) C:\WINDOWS\system32\MsPMSNSv.dll
    10:34:07.0062 4000 WmdmPmSN - ok
    10:34:07.0531 4000 WmiApSrv (e0673f1106e62a68d2257e376079f821) C:\WINDOWS\system32\wbem\wmiapsrv.exe
    10:34:07.0656 4000 WmiApSrv - ok
    10:34:08.0218 4000 WMPNetworkSvc (f74e3d9a7fa9556c3bbb14d4e5e63d3b) C:\Program Files\Windows Media Player\WMPNetwk.exe
    10:34:08.0218 4000 WMPNetworkSvc - ok
    10:34:08.0718 4000 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\Drivers\wpdusb.sys
    10:34:08.0796 4000 WpdUsb - ok
    10:34:09.0250 4000 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
    10:34:09.0265 4000 WS2IFSL - ok
    10:34:09.0781 4000 wscsvc (7c278e6408d1dce642230c0585a854d5) C:\WINDOWS\system32\wscsvc.dll
    10:34:09.0890 4000 wscsvc - ok
    10:34:10.0312 4000 wuauserv (35321fb577cdc98ce3eb3a3eb9e4610a) C:\WINDOWS\system32\wuauserv.dll
    10:34:10.0359 4000 wuauserv - ok
    10:34:10.0968 4000 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
    10:34:11.0015 4000 WudfPf - ok
    10:34:11.0562 4000 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
    10:34:11.0718 4000 WudfRd - ok
    10:34:12.0171 4000 WudfSvc (05231c04253c5bc30b26cbaae680ed89) C:\WINDOWS\System32\WUDFSvc.dll
    10:34:12.0234 4000 WudfSvc - ok
    10:34:12.0984 4000 WZCSVC (81dc3f549f44b1c1fff022dec9ecf30b) C:\WINDOWS\System32\wzcsvc.dll
    10:34:13.0046 4000 WZCSVC - ok
    10:34:13.0421 4000 xmlprov (295d21f14c335b53cb8154e5b1f892b9) C:\WINDOWS\System32\xmlprov.dll
    10:34:13.0500 4000 xmlprov - ok
    10:34:13.0609 4000 MBR (0x1B8) (dbfb101d7442c448a7964bbb128e1250) \Device\Harddisk0\DR0
    10:34:13.0687 4000 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - infected
    10:34:13.0687 4000 \Device\Harddisk0\DR0 - detected Rootkit.Boot.Pihar.b (0)
    10:34:13.0734 4000 Boot (0x1200) (0f979d99d0a22a8c1d19ef089d35c150) \Device\Harddisk0\DR0\Partition0
    10:34:13.0765 4000 \Device\Harddisk0\DR0\Partition0 - ok
    10:34:13.0765 4000 ============================================================
    10:34:13.0765 4000 Scan finished
    10:34:13.0765 4000 ============================================================
    10:34:13.0796 3620 Detected object count: 1
    10:34:13.0796 3620 Actual detected object count: 1
    10:34:36.0984 3620 \Device\Harddisk0\DR0\# - copied to quarantine
    10:34:37.0046 3620 \Device\Harddisk0\DR0 - copied to quarantine
    10:34:38.0484 3620 \Device\Harddisk0\DR0\TDLFS\phm - copied to quarantine
    10:34:38.0671 3620 \Device\Harddisk0\DR0\TDLFS\ph.dll - copied to quarantine
    10:34:40.0453 3620 \Device\Harddisk0\DR0\TDLFS\phx.dll - copied to quarantine
    10:34:41.0687 3620 \Device\Harddisk0\DR0\TDLFS\sub.dll - copied to quarantine
    10:34:41.0812 3620 \Device\Harddisk0\DR0\TDLFS\subx.dll - copied to quarantine
    10:34:42.0390 3620 \Device\Harddisk0\DR0\TDLFS\phd - copied to quarantine
    10:34:42.0656 3620 \Device\Harddisk0\DR0\TDLFS\phdx - copied to quarantine
    10:34:45.0015 3620 \Device\Harddisk0\DR0\TDLFS\phs - copied to quarantine
    10:34:45.0187 3620 \Device\Harddisk0\DR0\TDLFS\phdata - copied to quarantine
    10:34:45.0343 3620 \Device\Harddisk0\DR0\TDLFS\phld - copied to quarantine
    10:34:45.0515 3620 \Device\Harddisk0\DR0\TDLFS\phln - copied to quarantine
    10:34:45.0687 3620 \Device\Harddisk0\DR0\TDLFS\phlx - copied to quarantine
    10:34:45.0984 3620 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - will be cured on reboot
    10:34:45.0984 3620 \Device\Harddisk0\DR0 - ok
    10:34:46.0000 3620 \Device\Harddisk0\DR0 ( Rootkit.Boot.Pihar.b ) - User select action: Cure
    10:36:58.0687 3272 Deinitialize success
     
  16. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/1046875