Rootkit infection: IRP hook


Post by DelvinNg » March 30th, 2012, 6:58 am

Hihi,

I'm facing a number of issues with my laptop, so I'm unsure which is which.
One error message is "quickset.exe - Bad Image: C:\Windows\system32\Wlanapi.dll is either not designed to run on Windows or it contains an error. Try installing the program again using the original installation media or contact your system administrator or the software vendor for support".
One of the other error messages is "Microsoft Windows: Dell Wireless WLAN Card Wireless Network Controller stopped working and was closed. A problem caused the application to stop working correctly. Windows will notify you if a solution is available."
My anti-virus scan and anti-rootkit scan cannot seem to get rid of the IRP infection because the object is white-listed.
Below are the DDS and Attach details copied and pasted here. Many thanks!

DDS:
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_31
Run by Delvin at 18:42:13 on 2012-03-30
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.65.1033.18.3573.1229 [GMT 8:00]
.
AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\PROGRA~1\AVG\AVG2012\avgrsx.exe
C:\Program Files\AVG\AVG2012\avgcsrvx.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\Dell\DellDock\DockLogin.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\WLTRYSVC.EXE
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Dell\DellDock\DellDock.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Windows\OEM02Mon.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\System32\WLTRAY.EXE
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe
C:\Program Files\AVG\AVG2012\avgtray.exe
C:\Windows\system32\aestsrv.exe
C:\Windows\system32\atashost.exe
C:\Program Files\HP\HP Software Update\hpwuschd2.exe
C:\Program Files\AVG\AVG2012\avgwdsvc.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\Citrix\ICA Client\concentr.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Windows\system32\FsUsbExService.Exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Microsoft\BingBar\SeaPort.EXE
C:\Windows\system32\STacSV.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\AVG\AVG2012\avgnsx.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Windows\system32\wermgr.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Citrix\ICA Client\wfcrun32.exe
C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
c:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Google\Google Toolbar\GoogleToolbarUser_32.exe
C:\Windows\system32\Macromed\Flash\FlashUtil11g_ActiveX.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\AVG\AVG2012\avgscanx.exe
C:\Program Files\AVG\AVG2012\avgcsrvx.exe
C:\Program Files\AVG\AVG2012\avgui.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\Delvin\Desktop\OTL.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uSearch Page = hxxp://www.google.com
uSearch Bar = Preserve
uWindow Title = Internet Explorer provided by Dell
uURLSearchHooks: 4shared.com Toolbar: {09ec805c-cb2e-4d53-b0d3-a75a428b81c7} - c:\program files\4shared.com\prxtb4sha.dll
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
mURLSearchHooks: Zynga Toolbar: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - c:\program files\zynga\tbZyng.dll
mURLSearchHooks: Online Radio India Toolbar: {952d8189-ea25-431b-8ed6-7758dcc933d1} - c:\program files\online_radio_india\tbOnli.dll
mURLSearchHooks: 4shared.com Toolbar: {09ec805c-cb2e-4d53-b0d3-a75a428b81c7} - c:\program files\4shared.com\prxtb4sha.dll
mURLSearchHooks: H - No File
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: 4shared.com Toolbar: {09ec805c-cb2e-4d53-b0d3-a75a428b81c7} - c:\program files\4shared.com\prxtb4sha.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {27b4851a-3207-45a2-b947-be8afe6163ab}: McAfee Phishing Filter
BHO: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\prxConduitEngine.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg2012\avgssie.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Zynga Toolbar: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - c:\program files\zynga\tbZyng.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Online Radio India Toolbar: {952d8189-ea25-431b-8ed6-7758dcc933d1} - c:\program files\online_radio_india\tbOnli.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Bing Bar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - "c:\program files\microsoft\bingbar\BingExt.dll"
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
TB: Zynga Toolbar: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - c:\program files\zynga\tbZyng.dll
TB: Online Radio India Toolbar: {952d8189-ea25-431b-8ed6-7758dcc933d1} - c:\program files\online_radio_india\tbOnli.dll
TB: Bing Bar: {8dcb7100-df86-4384-8842-8fa844297b3f} - "c:\program files\microsoft\bingbar\BingExt.dll"
TB: 4shared.com Toolbar: {09ec805c-cb2e-4d53-b0d3-a75a428b81c7} - c:\program files\4shared.com\prxtb4sha.dll
TB: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\prxConduitEngine.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [AutoStartNPSAgent] c:\program files\samsung\samsung new pc studio\NPSAgent.exe
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [OEM02Mon.exe] c:\windows\OEM02Mon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [IAAnotif] "c:\program files\intel\intel matrix storage manager\Iaanotif.exe"
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe
mRun: [AVG_TRAY] "c:\program files\avg\avg2012\avgtray.exe"
mRun: [NPSStartup]
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [<NO NAME>]
mRun: [nmctxth] "c:\program files\common files\pure networks shared\platform\nmctxth.exe"
mRun: [ConnectionCenter] "c:\program files\citrix\ica client\concentr.exe" /startup
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\users\delvin\appdata\roaming\micros~1\windows\startm~1\programs\startup\delldo~1.lnk - c:\program files\dell\delldock\DellDock.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\quickset.lnk - c:\program files\dell\quickset\quickset.exe
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shoc ... tor/sw.cab
DPF: {1C11B948-582A-433F-A98D-A8C4D5CC64F2} - hxxp://kitchenplanner.ikea.com/US/Core/ ... _Win32.cab
DPF: {4A85DBE0-BFB2-4119-8401-186A7C6EB653} - hxxp://messenger.zone.msn.com/Messenger ... 109791.cab
DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} - hxxp://messenger.zone.msn.com/binary/So ... b56986.cab
DPF: {5D6F45B3-9043-443D-A792-115447494D24} - hxxp://messenger.zone.msn.com/Messenger ... E_UNO1.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/200 ... ader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {8CFCF42C-1C64-47D6-AEEC-F9D001832ED3} - hxxp://xserv.dell.com/DellDriverScanner/DellSystem.CAB
DPF: {B151B524-F451-4036-9663-B3944FA710DF} - hxxp://www.cpf.gov.sg/cpf_info/ehelpdesk/ehelpdesk.cab
DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} - hxxp://support.dell.com/systemprofiler/ ... emLite.CAB
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/Me ... b56907.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} - hxxp://messenger.zone.msn.com/binary/Mi ... b56986.cab
TCP: DhcpNameServer = 218.186.1.58 218.186.2.16 218.186.2.6
TCP: Interfaces\{28991DB4-F1C4-4706-AD45-4916F2B65107} : DhcpNameServer = 218.186.1.58 218.186.2.16 218.186.2.6
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg2012\avgpp.dll
Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\platform\puresp4.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\delvin\appdata\roaming\mozilla\firefox\profiles\qeffn5z8.default\
FF - prefs.js: browser.search.selectedEngine - AVG Secure Search
FF - component: c:\program files\avg\avg2012\firefox4\components\avgssff10.dll
FF - component: c:\program files\avg\avg2012\firefox4\components\avgssff4.dll
FF - component: c:\program files\avg\avg2012\firefox4\components\avgssff5.dll
FF - component: c:\program files\avg\avg2012\firefox4\components\avgssff6.dll
FF - component: c:\program files\avg\avg2012\firefox4\components\avgssff7.dll
FF - component: c:\program files\avg\avg2012\firefox4\components\avgssff8.dll
FF - component: c:\program files\avg\avg2012\firefox4\components\avgssff9.dll
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\update\1.3.21.111\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\npdeployJava1.dll
FF - plugin: c:\program files\java\jre6\bin\npjpi160_31.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npdeployJava1.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npicaN.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npMozCouponPrinter.dll
FF - plugin: c:\program files\tvuplayer\npTVUAx.dll
FF - plugin: c:\program files\veetle\player\npvlc.dll
FF - plugin: c:\program files\veetle\plugins\npVeetle.dll
FF - plugin: c:\program files\veetle\vlcbroadcast\npvbp.dll
FF - plugin: c:\programdata\nexonus\ngm\npNxGameUS.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA}
FF - Ext: AVG Safe Search: {1E73965B-8B48-48be-9C8D-68B920ABC1C4} - c:\program files\avg\avg2012\Firefox4
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2011-7-11 23120]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2011-9-13 32592]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2011-10-7 230608]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-8-8 40016]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2011-7-11 295248]
R1 ctxusbm;Citrix USB Monitor Driver;c:\windows\system32\drivers\ctxusbm.sys [2009-9-8 65584]
R2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\AEstSrv.exe [2008-10-7 73728]
R2 atashost;WebEx Service Host for Support Center;c:\windows\system32\atashost.exe [2011-10-28 43912]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2012\AVGIDSAgent.exe [2011-10-12 4433248]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg2012\avgwdsvc.exe [2011-8-2 192776]
R2 DockLoginService;Dock Login Service;c:\program files\dell\delldock\DockLogin.exe [2008-5-2 161048]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-21 21504]
R2 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe [2010-12-11 238952]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-10-7 359952]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2011-7-11 134736]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2011-7-11 24272]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2011-10-4 16720]
R3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [2010-12-11 36608]
R3 IntcHdmiAddService;Intel(R) High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2008-10-8 111616]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-31 135664]
S3 BBSvc;Bing Bar Update Service;c:\program files\microsoft\bingbar\BBSvc.EXE [2011-2-28 183560]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-1-31 135664]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2012-03-29 08:33:36 -------- d-----w- c:\program files\Marvell
2012-03-28 18:56:51 -------- d-----w- c:\program files\Cisco
2012-03-28 18:54:41 18424 ----a-w- c:\windows\system32\drivers\bcm42rly.sys
2012-03-28 18:54:41 1591 ----a-w- c:\windows\system32\Uninst_EAPModules.bat
2012-03-28 18:54:39 65536 ----a-w- c:\windows\system32\wltrynt.dll
2012-03-28 18:54:39 6369280 ----a-w- c:\windows\system32\BCMWLCPL.CPL
2012-03-28 18:54:39 55808 ----a-w- c:\windows\system32\bcmwlrmt.dll
2012-03-28 18:54:39 286720 ----a-w- c:\windows\system32\bcmwlu00.exe
2012-03-28 18:54:38 3563520 ----a-w- c:\windows\system32\WLTRAY.EXE
2012-03-28 18:54:38 2654208 ----a-w- c:\windows\system32\BCMWLTRY.EXE
2012-03-28 18:54:38 24064 ----a-w- c:\windows\system32\WLTRYSVC.EXE
2012-03-28 18:54:37 163840 ----a-w- c:\windows\system32\bcmwlapi.dll
2012-03-28 18:28:50 0 ------w- c:\windows\system32\bcm2C05.tmp
2012-03-28 18:28:41 0 ------w- c:\windows\system32\bcmAF4.tmp
2012-03-24 05:21:25 -------- d-----w- c:\program files\CCleaner
2012-03-24 04:58:31 -------- d-----w- c:\users\delvin\appdata\roaming\ParetoLogic
2012-03-24 04:58:31 -------- d-----w- c:\users\delvin\appdata\roaming\DriverCure
2012-03-24 04:58:20 -------- d-----w- c:\programdata\ParetoLogic
2012-03-24 04:34:42 2044416 ----a-w- c:\windows\system32\win32k.sys
2012-03-24 04:34:40 683008 ----a-w- c:\windows\system32\d2d1.dll
2012-03-24 04:34:40 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
2012-03-24 04:34:40 160768 ----a-w- c:\windows\system32\d3d10_1.dll
2012-03-24 04:34:40 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
2012-03-24 04:34:40 1068544 ----a-w- c:\windows\system32\DWrite.dll
2012-03-24 04:34:39 2409784 ----a-w- c:\program files\windows mail\OESpamFilter.dat
2012-03-24 04:34:38 613376 ----a-w- c:\windows\system32\rdpencom.dll
2012-03-24 04:34:38 180736 ----a-w- c:\windows\system32\drivers\rdpwd.sys
.
==================== Find3M ====================
.
2012-03-29 08:38:52 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-03-21 16:40:09 30208 ----a-w- c:\windows\system32\ddrawex.dll
2012-03-21 16:40:04 130560 ----a-w- c:\windows\system32\dhcpcsvc6.dll
2012-03-21 16:39:57 81920 ----a-w- c:\windows\system32\dwm.exe
2012-03-07 15:04:13 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-02-23 01:18:36 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-01-25 10:23:10 313120 ----a-w- c:\windows\system32\drivers\yk60x86.sys
.
============= FINISH: 18:45:28.41 ===============

Attach:
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft® Windows Vista™ Home Premium
Boot Device: \Device\HarddiskVolume3
Install Date: 7/10/2008 11:59:12 PM
System Uptime: 30/3/2012 3:30:11 PM (3 hours ago)
.
Motherboard: Dell Inc. | | 0U990C
Processor: Intel(R) Core(TM)2 Duo CPU T5800 @ 2.00GHz | Microprocessor | 2000/200mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 136 GiB total, 74.06 GiB free.
D: is FIXED (NTFS) - 10 GiB total, 5.127 GiB free.
E: is CDROM ()
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
.
==== Installed Programs ======================
.
4shared.com Toolbar
Acrobat.com
ADInstruments LabChart 7.1
Adobe AIR
Adobe Flash Player 10 Plugin
Adobe Flash Player 11 ActiveX
Adobe Reader 9.5.0
Adobe Shockwave Player 11
Advanced Audio FX Engine
Advanced Video FX Engine
Avanquest update
AVG 2012
AVG PC Tuneup 2011
Bing Bar
CCleaner
Cisco EAP-FAST Module
Cisco LEAP Module
Cisco PEAP Module
Citrix online plug-in - web
Citrix online plug-in (DV)
Citrix online plug-in (HDX)
Citrix online plug-in (USB)
Citrix online plug-in (Web)
Compatibility Pack for the 2007 Office system
Conduit Engine
Conexant HDA D330 MDC V.92 Modem
Coupon Printer for Windows
D3DX10
Dell Dock
Dell Getting Started Guide
Dell Support Center
Dell Touchpad
Dell Webcam Center
Dell Webcam Manager
Dell Wireless WLAN Card Utility
Digital Line Detect
DVD Decrypter (Remove Only)
EDocs
Google Chrome
Google Toolbar for Internet Explorer
Google Update Helper
Highlight Viewer (Windows Live Toolbar)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
HP Deskjet 1050 J410 series Basic Device Software
HP Deskjet 1050 J410 series Help
HP Photo Creations
HP Update
Intel(R) Matrix Storage Manager
Java Auto Updater
Java(TM) 6 Update 31
Junk Mail filter update
Laptop Integrated Webcam Driver (1.04.01.1011)
Linksys Wireless-G USB Network Adapter
Live! Cam Avatar Creator
Live! Cam Avatar v1.0
Marvell Miniport Driver
MediaDirect
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Microsoft Application Error Reporting
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Office XP Professional with FrontPage
Microsoft Silverlight
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Works
Modem Diagnostic Tool
Motorola Phone Tools
Mozilla Firefox (3.6.12)
MSVCRT
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
NetWaiting
Network Magic
Online Radio India Toolbar
OutlookAddinSetup
PC Connectivity Solution
Pure Networks Platform
QuickSet
SAMSUNG Intelli-studio
Samsung New PC Studio
SAMSUNG SYMBIAN USB Download Driver
SAMSUNG USB Driver for Mobile Phones
SamsungConnectivityCableDriver
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870)
Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351)
Segoe UI
Skype Toolbars
Skype™ 5.0
Smart Menus (Windows Live Toolbar)
TVUPlayer 2.5.3.1
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft .NET Framework 4 Client Profile (KB2468871)
Update for Microsoft .NET Framework 4 Client Profile (KB2533523)
Update for Microsoft .NET Framework 4 Client Profile (KB2600217)
Veetle TV 0.9.17
WebEx
WebEx Support Manager for Internet Explorer
WIDCOMM Bluetooth Software 6.0.1.3100
Windows Driver Package - Nokia pccsmcfd (10/12/2007 6.85.4.0)
Windows Live Communications Platform
Windows Live Essentials
Windows Live Favorites for Windows Live Toolbar
Windows Live ID Sign-in Assistant
Windows Live Installer
Windows Live Mail
Windows Live Messenger
Windows Live MIME IFilter
Windows Live Photo Common
Windows Live PIMT Platform
Windows Live SOXE
Windows Live SOXE Definitions
Windows Live Toolbar Extension (Windows Live Toolbar)
Windows Live UX Platform
Windows Live UX Platform Language Pack
Windows Live Writer
Windows Live Writer Resources
Yahoo! Software Update
Yahoo! Toolbar
Zynga Toolbar
.
==== Event Viewer Messages From Past Week ========
.
30/3/2012 3:39:13 PM, Error: Microsoft-Windows-WindowsUpdateClient [20] - Installation Failure: Windows failed to install the following update with error 0x80070426: Update Rollup for ActiveX Killbits for Windows Vista (KB2647518).
30/3/2012 3:38:08 PM, Error: Microsoft-Windows-Servicing [4375] - Windows Servicing failed to complete the process of setting package KB2647518 (Security Update) into Resolved(Resolved) state
30/3/2012 3:34:07 PM, Error: Service Control Manager [7034] - The Pure Networks Platform Service service terminated unexpectedly. It has done this 1 time(s).
30/3/2012 3:33:45 PM, Error: Service Control Manager [7022] - The Pure Networks Platform Service service hung on starting.
30/3/2012 3:32:12 PM, Error: Service Control Manager [7023] - The WPDBusEnum service terminated with the following error: WPDBusEnum is not a valid Win32 application.
30/3/2012 3:32:12 PM, Error: Service Control Manager [7023] - The WLAN AutoConfig service terminated with the following error: WLAN AutoConfig is not a valid Win32 application.
30/3/2012 3:32:12 PM, Error: Service Control Manager [7023] - The TrkWks service terminated with the following error: TrkWks is not a valid Win32 application.
30/3/2012 3:32:12 PM, Error: Service Control Manager [7023] - The TabletInputService service terminated with the following error: TabletInputService is not a valid Win32 application.
30/3/2012 3:32:12 PM, Error: Service Control Manager [7023] - The LanmanServer service terminated with the following error: LanmanServer is not a valid Win32 application.
30/3/2012 3:32:12 PM, Error: Service Control Manager [7023] - The DPS service terminated with the following error: DPS is not a valid Win32 application.
30/3/2012 3:32:12 PM, Error: Service Control Manager [7023] - The CryptSvc service terminated with the following error: CryptSvc is not a valid Win32 application.
30/3/2012 3:32:12 PM, Error: Service Control Manager [7001] - The Computer Browser service depends on the LanmanServer service which failed to start because of the following error: Computer Browser is not a valid Win32 application.
30/3/2012 3:32:12 PM, Error: Service Control Manager [7000] - The Parallel port driver service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
29/3/2012 4:32:14 PM, Error: iaStor [9] - The device, \Device\Ide\iaStor0, did not respond within the timeout period.
29/3/2012 3:50:30 PM, Error: Service Control Manager [7009] - A timeout was reached (30000 milliseconds) while waiting for the Windows Search service to connect.
29/3/2012 3:50:30 PM, Error: Service Control Manager [7000] - The Windows Search service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
29/3/2012 3:50:29 PM, Error: Microsoft-Windows-DistributedCOM [10005] - DCOM got error "1053" attempting to start the service WSearch with arguments "" in order to run the server: {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39}
29/3/2012 12:03:13 AM, Error: Microsoft-Windows-Dhcp-Client [1001] - Your computer was not assigned an address from the network (by the DHCP Server) for the Network Card with network address 00219BEA4909. The following error occurred: The wait operation timed out.. Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
29/3/2012 1:32:48 AM, Error: Microsoft-Windows-DistributedCOM [10016] - The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {8BC3F05E-D86B-11D0-A075-00C04FB68820} to the user Delvin-PC\Delvin SID (S-1-5-21-1511430850-4098111590-1355268400-1000) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.
24/3/2012 6:47:10 PM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update 905866-9_neutral_PACKAGE from package KB905866(Update) into Absent(Absent) state
24/3/2012 6:47:10 PM, Error: Microsoft-Windows-Servicing [4375] - Windows Servicing failed to complete the process of setting package KB905866 (Update) into Absent(Absent) state
24/3/2012 6:47:09 PM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update 905866-7_neutral_PACKAGE from package KB905866(Update) into Absent(Absent) state
24/3/2012 6:47:09 PM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update 905866-3_neutral_PACKAGE from package KB905866(Update) into Absent(Absent) state
24/3/2012 6:47:08 PM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update 905866-2_neutral_GDR from package KB905866(Update) into Absent(Absent) state
24/3/2012 6:47:08 PM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update 905866-1_neutral_LDR from package KB905866(Update) into Absent(Absent) state
24/3/2012 3:24:34 PM, Error: Microsoft-Windows-Kernel-General [5] - {Registry Hive Recovered} Registry hive (file): 'SOFTWARE' was corrupted and it has been recovered. Some data might have been lost.
24/3/2012 3:21:32 PM, Error: Microsoft-Windows-Kernel-General [5] - {Registry Hive Recovered} Registry hive (file): '\SystemRoot\System32\Config\SOFTWARE' was corrupted and it has been recovered. Some data might have been lost.
24/3/2012 2:55:57 PM, Error: Microsoft-Windows-Kernel-General [5] - {Registry Hive Recovered} Registry hive (file): '\SystemRoot\System32\Config\RegBack\SOFTWARE' was corrupted and it has been recovered. Some data might have been lost.
24/3/2012 12:34:22 PM, Error: Service Control Manager [7000] - The AVG AVI Loader Driver service failed to start due to the following error: AVG AVI Loader Driver is not a valid Win32 application.
24/3/2012 12:27:04 PM, Error: Microsoft-Windows-Dhcp-Client [1002] - The IP address lease 192.168.100.2 for the Network Card with network address 00219BEA4909 has been denied by the DHCP server 192.168.100.1 (The DHCP Server sent a DHCPNACK message).
24/3/2012 1:30:21 PM, Error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Avgldx86
23/3/2012 12:12:35 AM, Error: Ntfs [55] - The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume OS.
23/3/2012 12:12:35 AM, Error: Ntfs [55] - The file system structure on the disk is corrupt and unusable. Please run the chkdsk utility on the volume C:.
23/3/2012 12:05:20 AM, Error: Service Control Manager [7023] - The Portable Device Enumerator Service service terminated with the following error: Invalid access to memory location.
23/3/2012 12:05:20 AM, Error: Service Control Manager [7023] - The Cryptographic Services service terminated with the following error: Invalid access to memory location.
23/3/2012 12:02:22 AM, Error: Service Control Manager [7023] - The Portable Device Enumerator Service service terminated with the following error: The specified module could not be found.
.
==== End Of File ===========================
DelvinNg
Regular Member
 
Posts: 40
Joined: March 30th, 2012, 6:34 am

Re: Rootkit infection: IRP hook

Unread postby mambass » March 31st, 2012, 4:20 pm

Hi DelvinNg, :)

Welcome to the forum.

My nickname is mambass and I'll be helping you with any malware problems.

Before we begin...please read and follow these important guidelines so things will proceed smoothly.

  1. If you haven't done so already, please read this topic ALL USERS OF THIS FORUM MUST READ THIS FIRST where the conditions for receiving help here are explained.
  2. The instructions being given are for YOUR computer and system only!
    Using these instructions on a different computer can cause damage to that computer and possibly render it inoperable!
  3. Please read all instructions carefully before executing them and perform the steps in the order given.
    If you have any questions or problems executing these instructions then <<STOP>> do not proceed but rather post back with the question or problem.
  4. Your security programs may give warnings for some of the tools I will ask you to use. Be assured that any links I give are safe.
  5. You must have Administrator rights permissions for this computer.
  6. DO NOT run any other fix or removal tools unless instructed to do so!
  7. DO NOT install any other software (or hardware) during the cleaning process. This adds more items to be researched.
  8. Only post your problem at one (1) help site. Applying fixes from multiple help sites can cause problems.
  9. Only reply to this thread. Do not start another thread.
  10. The absence of symptoms does not imply the absence of malware. Please continue responding until I give you the "All Clean".
  11. You might want to place a link to this thread in your Favorites/Bookmarks for easy access.
  12. No Reply Within 3 Days Will Result In Your Topic Being Closed! Please let me know in advance if you will not be able to reply within this time limit.
  13. The logs I request can take a while to research so please be patient.
Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However, it is impossible for me to foresee all interactions that may happen between the software on your computer and the tools we'll use to clear you of infection. I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system or to take your computer to a repair shop.

Because of this I advise you to backup any personal files and folders before you start.

How to back up or transfer your data on a Windows-based computer

-----------------------------------------------------------

I am currently reviewing your log and will return as soon as possible with additional instructions.

Thanks,

mambass
mambass
Retired Graduate
 
Posts: 826
Joined: April 23rd, 2010, 9:26 am

Re: Rootkit infection: IRP hook

Unread postby mambass » March 31st, 2012, 9:50 pm

Hi DelvinNg, :)

Please let me know if this computer is ever connected to an educational network or used for business.

If not please let me know what the following programs are used for.
Citrix programs

mambass
mambass
Retired Graduate
 
Posts: 826
Joined: April 23rd, 2010, 9:26 am

Re: Rootkit infection: IRP hook

Unread postby DelvinNg » April 1st, 2012, 9:23 am

hihi mambass,

I don't use it myself, but I think my wife did try connecting to her company network using my laptop before. However, from what we remember, I don't think it was successful, nor did she continue to use it again.

Rdgs,
Delvin
DelvinNg
Regular Member
 
Posts: 40
Joined: March 30th, 2012, 6:34 am

Re: Rootkit infection: IRP hook

Unread postby mambass » April 1st, 2012, 10:23 am

Hi DelvinNg, :)

  1. Check Hard Drive for Errors
    1. Open Notepad and then copy and paste the following line into Notepad (Notepad is in Start, Programs, Accessories):
      Code:
      cmd  /c  chkdsk  c:  |find  /v  "percent"  >> "%userprofile%\desktop\checkhd.txt"
    2. Save the NotePad file like this:
      • Click on File from the top menu bar.
      • Select Save As, use Filename: testhd.bat and Save As Type: All Files.
      • Choose Desktop as the location
      • Click Save.
    3. Right click on testhd.bat on your desktop and select Run As Administrator to run it. OK the UAC.
    4. A Command Prompt box will pop up, then close after a couple minutes.
    5. Please post the contents of the checkhd.txt file from your desktop.
      If the file is very long, just copy and paste the LAST 20 or 30 lines into your reply.

  2. Run a Scan with OTL
    1. Click here to download OTL.exe by Old Timer and save it to your Desktop.
    2. Right-click the OTL icon on your Desktop and select Run As Administrator to run the program.
    3. Check the boxes labeled:
      • Scan All Users
      • LOP check
      • Purity check
      • Extra Registry > Use SafeList
    4. Make sure all other windows are closed so that it can run uninterrupted.
    5. Click on the Run Scan button at the top left hand corner. Do not change any settings unless otherwise told to do so. The scan won't take long.
    6. When the scan completes, it will open two notepad windows. OTL.Txt will be displayed and Extras.Txt will be minimized. These are saved in the same location as OTL. (desktop)
    7. Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them as a reply. Use separate replies if more convenient.

  3. aswMBR
    1. Click here to download aswMBR.exe and save it to your Desktop.
    2. Right-click the aswMBR.exe icon and select Run As Administrator to run it.
    3. Click Yes if prompted to download Avast! virus definitions. This may take a while so please be patient.
    4. Set the AVscan to Quick Scan and then click the Scan button. The scan may take a while so please be patient.
    5. After the "Scan finished successfully" message is displayed, click Save log & save the log to your desktop.
    6. Click OK. Two files will be created, aswMBR.txt & a file named MBR.dat
    7. Save MBR.dat to a USB flash drive. This is a backup of your MBR (Master Boot record). Do not delete this file.
    8. NOTE: Do not click to fix anything at this stage!
    9. Click EXIT.
    10. Copy & Paste the contents of aswMBR.txt into your next reply.


Please include in your reply (use separate replies if more convenient):
  1. The text of any error messages and/or a description of any problems you encountered while performing these steps.
  2. The contents of the checkhd.txt log.
  3. The contents of the OTL.txt and Extras.txt logs.
  4. The contents of the aswMBR.txt log.


mambass
mambass
Retired Graduate
 
Posts: 826
Joined: April 23rd, 2010, 9:26 am
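As an added example (not part of this thread and not OTL's own code), here is a small Python triage helper for the PRC/MOD/SRV/DRV sections of the OTL log requested in step 2: it parses each entry into fields and flags the items a helper reviews first, namely registrations whose file is missing and services or drivers that report no company name. The sample lines are copied from the OTL.txt posted later in this thread; the finding labels ("orphan-registration", "verify-file") are this example's own naming.

```python
"""Triage helper for the PRC/MOD/SRV/DRV sections of an OTL log (added example)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Shape of the OTL lines handled here (copied from the log posted in this thread):
#   SRV - [2010/09/07 00:20:29 | 000,000,000 | ---- | M] () [Auto | Stopped] -- C:\...\srvsvc.dll -- (LanmanServer)
#   DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkfwd.sys -- (NwlnkFwd)
ENTRY_RE = re.compile(
    r"^(?P<kind>PRC|MOD|SRV|DRV) - "
    r"(?:\[(?P<date>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| (?P<attrs>[^|\]]+) \| M\]"
    r"|(?P<missing>File not found)) "
    r"(?:\((?P<company>.*?)\) )?"       # "()" when OTL found no company; may itself contain parentheses
    r"(?:\[(?P<flags>[^\]]*)\] )?"      # e.g. "Kernel | System | Running"
    r"-- (?P<path>.+?)"
    r"(?: -- \((?P<name>[^)]*)\).*)?$"  # service/driver name; OTL sometimes appends trailing text
)


@dataclass
class Entry:
    kind: str
    path: str
    name: Optional[str]
    company: str
    size: Optional[int]
    missing: bool
    flags: List[str] = field(default_factory=list)


def parse_entry(line: str) -> Optional[Entry]:
    """Parse one OTL PRC/MOD/SRV/DRV line; return None for headers and other text."""
    m = ENTRY_RE.match(line.rstrip())
    if not m:
        return None
    size = None if m["size"] is None else int(m["size"].replace(",", ""))
    flags = [f.strip() for f in m["flags"].split("|")] if m["flags"] else []
    return Entry(kind=m["kind"], path=m["path"], name=m["name"],
                 company=(m["company"] or "").strip(), size=size,
                 missing=m["missing"] is not None, flags=flags)


def triage(lines):
    """Return parsed entries plus the items a helper reviews first.

    Findings are review prompts, not verdicts: a legitimate driver can lack
    version info, and an orphaned registration can be a leftover from an uninstall.
    """
    entries = [e for e in (parse_entry(line) for line in lines) if e is not None]
    findings = []
    for e in entries:
        label = e.name or e.path
        if e.missing:
            findings.append(("orphan-registration", e.kind, label,
                             "service/driver is registered but its file was not found"))
        elif e.kind in ("SRV", "DRV") and not e.company:
            why = "no company name in the file's version info"
            if e.size == 0:
                why += ", zero size reported"
            findings.append(("verify-file", e.kind, label, why))
    return {"entries": entries, "findings": findings}


# Sample input: lines copied from the OTL.txt posted in this thread, plus one section header.
SAMPLE_LINES = [
    r"PRC - [2012/04/02 16:13:08 | 000,593,920 | ---- | M] (OldTimer Tools) -- C:\Users\Delvin\Desktop\OTL.exe",
    r"MOD - [2009/01/20 15:36:20 | 000,055,808 | ---- | M] () -- C:\Windows\System32\bcmwlrmt.dll",
    r"SRV - [2010/09/07 00:20:29 | 000,000,000 | ---- | M] () [Auto | Stopped] -- C:\Windows\System32\srvsvc.dll -- (LanmanServer)",
    r"SRV - [2011/08/02 06:09:08 | 000,192,776 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG2012\avgwdsvc.exe -- (avgwd)",
    r"========== Driver Services (SafeList) ==========",
    r"DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkfwd.sys -- (NwlnkFwd)",
    r"DRV - [2011/10/07 06:23:48 | 000,230,608 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\Windows\System32\drivers\avgldx86.sys -- (Avgldx86)",
    r"DRV - [2010/06/14 08:32:54 | 000,036,608 | ---- | M] () [Kernel | On_Demand | Running] -- C:\Windows\System32\FsUsbExDisk.Sys -- (FsUsbExDisk)",
    r"DRV - [2008/03/06 15:58:44 | 000,111,616 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\IntcHdmi.sys -- (IntcHdmiAddService) Intel(R)",
]

if __name__ == "__main__":
    result = triage(SAMPLE_LINES)
    print(f"parsed {len(result['entries'])} entries")
    for tag, kind, label, why in result["findings"]:
        print(f"[{tag}] {kind} {label}: {why}")
```

Run it against a full OTL.txt by reading the file into a list of lines; the findings are a starting point for the manual research the helper describes, not a clean/infected verdict.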

Re: Rootkit infection: IRP hook

Unread postby DelvinNg » April 2nd, 2012, 4:12 am

The contents of the checkhd.txt log:

The type of the file system is NTFS.
Volume label is OS.

WARNING! F parameter not specified.
Running CHKDSK in read-only mode.

CHKDSK is verifying files (stage 1 of 3)...
File verification completed.
997 large file records processed.

0 bad file records processed.

0 EA records processed.

44 reparse records processed.

CHKDSK is verifying indexes (stage 2 of 3)...
Index verification completed.
0 unindexed files processed.

CHKDSK is verifying security descriptors (stage 3 of 3)...
Security descriptor verification completed.
22925 data files processed.

CHKDSK is verifying Usn Journal...
Usn Journal verification completed.
The Volume Bitmap is incorrect.
Windows found problems with the file system.
Run CHKDSK with the /F (fix) option to correct these.

143084539 KB total disk space.
65905636 KB in 115124 files.
78852 KB in 22926 indexes.
0 KB in bad sectors.
276427 KB in use by the system.
65536 KB occupied by the log file.
76823624 KB available on disk.

4096 bytes in each allocation unit.
35771134 total allocation units on disk.
19205906 allocation units available on disk.
Access Denied as you do not have sufficient privileges.
You have to invoke this utility running in elevated mode.
Access Denied as you do not have sufficient privileges.
You have to invoke this utility running in elevated mode.
Access Denied as you do not have sufficient privileges.
You have to invoke this utility running in elevated mode.
DelvinNg
Regular Member
 
Posts: 40
Joined: March 30th, 2012, 6:34 am

Re: Rootkit infection: IRP hook

Unread postby DelvinNg » April 2nd, 2012, 4:22 am

The contents of the OTL.txt logs:

OTL logfile created on: 2/4/2012 4:16:11 PM - Run 2
OTL by OldTimer - Version 3.2.39.2 Folder = C:\Users\Delvin\Desktop
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00004809 | Country: Singapore | Language: ENE | Date Format: d/M/yyyy

3.49 Gb Total Physical Memory | 1.96 Gb Available Physical Memory | 56.25% Memory free
7.17 Gb Paging File | 5.63 Gb Available in Paging File | 78.42% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 136.46 Gb Total Space | 73.85 Gb Free Space | 54.12% Space Free | Partition Type: NTFS
Drive D: | 10.00 Gb Total Space | 5.13 Gb Free Space | 51.27% Space Free | Partition Type: NTFS

Computer Name: DELVIN-PC | User Name: Delvin | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/04/02 16:13:08 | 000,593,920 | ---- | M] (OldTimer Tools) -- C:\Users\Delvin\Desktop\OTL.exe
PRC - [2012/03/05 13:55:40 | 000,307,824 | ---- | M] (Google Inc.) -- C:\Program Files\Google\Google Toolbar\GoogleToolbarUser_32.exe
PRC - [2012/01/24 17:24:26 | 002,416,480 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\avgtray.exe
PRC - [2011/11/28 01:19:04 | 001,229,664 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\avgnsx.exe
PRC - [2011/11/07 18:28:34 | 000,043,912 | ---- | M] (WebEx Communications, Inc.) -- C:\Windows\System32\atashost.exe
PRC - [2011/10/12 06:25:22 | 004,433,248 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
PRC - [2011/09/08 20:53:26 | 000,743,264 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\avgrsx.exe
PRC - [2011/08/15 06:21:40 | 000,337,760 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\avgcsrvx.exe
PRC - [2011/08/02 06:09:08 | 000,192,776 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG2012\avgwdsvc.exe
PRC - [2011/02/25 10:46:22 | 000,249,648 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft\BingBar\SeaPort.EXE
PRC - [2010/07/29 15:50:16 | 000,238,952 | ---- | M] (Teruten) -- C:\Windows\System32\FsUsbExService.Exe
PRC - [2009/09/12 23:09:10 | 000,103,768 | ---- | M] (Citrix Systems, Inc.) -- C:\Program Files\Citrix\ICA Client\concentr.exe
PRC - [2009/09/12 23:09:04 | 000,550,232 | ---- | M] (Citrix Systems, Inc.) -- C:\Program Files\Citrix\ICA Client\wfcrun32.exe
PRC - [2009/07/08 14:48:48 | 000,026,640 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee\MSK\msksrver.exe
PRC - [2009/07/08 11:54:34 | 000,359,952 | ---- | M] (McAfee, Inc.) -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe
PRC - [2009/04/11 14:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2009/04/07 15:34:40 | 000,642,856 | ---- | M] (Cisco Systems, Inc.) -- C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
PRC - [2008/11/10 04:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
PRC - [2008/07/15 11:12:48 | 001,226,024 | ---- | M] (Stardock Corporation) -- C:\Program Files\Dell\DellDock\DellDock.exe
PRC - [2008/05/04 17:25:32 | 000,040,960 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\DellTPad\hidfind.exe
PRC - [2008/05/04 17:25:26 | 000,167,936 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\DellTPad\Apoint.exe
PRC - [2008/05/04 17:25:26 | 000,049,152 | ---- | M] (Alps Electric Co., Ltd.) -- C:\Program Files\DellTPad\ApntEx.exe
PRC - [2008/05/02 14:09:04 | 000,161,048 | ---- | M] (Stardock Corporation) -- C:\Program Files\Dell\DellDock\DockLogin.exe
PRC - [2008/03/04 13:05:24 | 000,036,864 | ---- | M] (Creative Technology Ltd.) -- C:\Windows\OEM02Mon.exe
PRC - [2008/01/21 10:23:43 | 000,056,320 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\wermgr.exe
PRC - [2007/12/21 10:58:06 | 000,184,320 | ---- | M] (CyberLink Corp.) -- C:\Program Files\Dell\MediaDirect\PCMService.exe
PRC - [2007/11/12 19:07:24 | 000,405,504 | ---- | M] (IDT, Inc.) -- C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe
PRC - [2007/11/12 19:07:20 | 000,102,400 | ---- | M] (IDT, Inc.) -- C:\Windows\System32\stacsv.exe
PRC - [2007/11/12 19:07:16 | 000,073,728 | ---- | M] (Andrea Electronics Corporation) -- C:\Windows\System32\AEstSrv.exe
PRC - [2007/03/21 13:00:04 | 000,355,096 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
PRC - [2007/03/21 13:00:00 | 000,174,872 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
PRC - [2006/11/03 17:55:50 | 000,703,280 | ---- | M] (Broadcom Corporation.) -- C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
PRC - [2006/11/03 17:55:48 | 001,583,920 | ---- | M] (Broadcom Corporation.) -- c:\Program Files\WIDCOMM\Bluetooth Software\BTStackServer.exe


========== Modules (No Company Name) ==========

MOD - [2012/02/27 15:48:11 | 015,881,216 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\MenuSkinning\b446e070c697bcde99455fb9d2d23444\MenuSkinning.ni.dll
MOD - [2012/02/27 15:47:45 | 000,771,584 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\e100f2c927dbb107291c21482fdb4052\System.Runtime.Remoting.ni.dll
MOD - [2012/02/27 15:47:36 | 000,284,160 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\VistaBridgeLibrary\6f1bab399434075465c8f1564222af0a\VistaBridgeLibrary.ni.dll
MOD - [2012/02/27 15:47:32 | 000,998,400 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Management\820791f89653e9df46efe41c00efae48\System.Management.ni.dll
MOD - [2012/02/27 15:47:31 | 002,261,504 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\DellDock\8320ac350e711c9f129afd4d9d4e5d33\DellDock.ni.exe
MOD - [2012/02/27 15:47:30 | 000,249,856 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\MyDock.Util\9e03762d0cfcd79faa816931137bd223\MyDock.Util.ni.dll
MOD - [2012/02/27 15:47:19 | 000,971,264 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\1ea918174326bc2a310308b11cb80721\System.Configuration.ni.dll
MOD - [2012/02/27 15:45:51 | 005,450,752 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\313f790d68a283f7545637411cba47c7\System.Xml.ni.dll
MOD - [2012/02/27 15:45:33 | 012,430,848 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\79dd363816fceb437bf6e8e73a7dbdb0\System.Windows.Forms.ni.dll
MOD - [2012/02/27 15:45:23 | 001,587,200 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\b0ccf39346a1a31a18a232624160549f\System.Drawing.ni.dll
MOD - [2012/02/27 15:44:03 | 007,953,408 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System\4651b4ee1d7f85b55e2e8c8783f990dd\System.ni.dll
MOD - [2011/10/12 23:51:39 | 000,025,600 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\Accessibility\e8bc8d1dbf06ea7cfd5a9ce85db5ed63\Accessibility.ni.dll
MOD - [2011/10/12 23:38:58 | 011,490,816 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38d7c2518832a98b9bdda59abda43b86\mscorlib.ni.dll
MOD - [2009/01/20 15:36:20 | 000,055,808 | ---- | M] () -- C:\Windows\System32\bcmwlrmt.dll
MOD - [2006/11/03 17:46:24 | 000,126,976 | ---- | M] () -- C:\Program Files\WIDCOMM\Bluetooth Software\BTKeyInd.dll
MOD - [2006/11/03 17:25:56 | 000,389,120 | ---- | M] () -- C:\Windows\System32\btwhidcs.dll


========== Win32 Services (SafeList) ==========

SRV - [2011/11/07 18:28:34 | 000,043,912 | ---- | M] (WebEx Communications, Inc.) [Auto | Running] -- C:\Windows\System32\atashost.exe -- (atashost)
SRV - [2011/10/12 06:25:22 | 004,433,248 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe -- (AVGIDSAgent)
SRV - [2011/08/02 06:09:08 | 000,192,776 | ---- | M] (AVG Technologies CZ, s.r.o.) [Auto | Running] -- C:\Program Files\AVG\AVG2012\avgwdsvc.exe -- (avgwd)
SRV - [2011/02/28 18:44:14 | 000,183,560 | ---- | M] (Microsoft Corporation.) [On_Demand | Stopped] -- C:\Program Files\Microsoft\BingBar\BBSvc.EXE -- (BBSvc)
SRV - [2011/02/25 10:46:22 | 000,249,648 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft\BingBar\SeaPort.EXE -- (SeaPort)
SRV - [2010/09/07 00:20:29 | 000,000,000 | ---- | M] () [Auto | Stopped] -- C:\Windows\System32\srvsvc.dll -- (LanmanServer)
SRV - [2010/07/29 15:50:16 | 000,238,952 | ---- | M] (Teruten) [Auto | Running] -- C:\Windows\System32\FsUsbExService.Exe -- (FsUsbExService)
SRV - [2009/10/01 09:01:54 | 000,000,000 | ---- | M] () [Auto | Stopped] -- C:\Windows\System32\wpdbusenum.dll -- (WPDBusEnum)
SRV - [2009/07/08 14:48:48 | 000,026,640 | ---- | M] (McAfee, Inc.) [Auto | Running] -- C:\Program Files\McAfee\MSK\msksrver.exe -- (MSK80Service)
SRV - [2009/07/08 11:54:34 | 000,359,952 | ---- | M] (McAfee, Inc.) [Auto | Running] -- c:\Program Files\Common Files\McAfee\McProxy\McProxy.exe -- (McProxy)
SRV - [2009/04/11 14:28:24 | 000,000,000 | ---- | M] () [On_Demand | Stopped] -- C:\Windows\System32\regsvc.dll -- (RemoteRegistry)
SRV - [2009/04/11 14:28:18 | 000,000,000 | ---- | M] () [Auto | Stopped] -- C:\Windows\System32\cryptsvc.dll -- (CryptSvc)
SRV - [2009/04/07 15:34:40 | 000,642,856 | ---- | M] (Cisco Systems, Inc.) [Auto | Stopped] -- C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe -- (nmservice)
SRV - [2008/11/10 04:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) [Auto | Running] -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe -- (YahooAUService)
SRV - [2008/05/02 14:09:04 | 000,161,048 | ---- | M] (Stardock Corporation) [Auto | Running] -- C:\Program Files\Dell\DellDock\DockLogin.exe -- (DockLoginService)
SRV - [2008/04/07 09:17:30 | 000,430,592 | ---- | M] (Nokia.) [On_Demand | Stopped] -- C:\Program Files\PC Connectivity Solution\ServiceLayer.exe -- (ServiceLayer)
SRV - [2008/01/21 10:24:35 | 000,134,656 | ---- | M] () [Auto | Stopped] -- C:\Windows\System32\dps.dll -- (DPS)
SRV - [2008/01/21 10:24:05 | 000,075,264 | ---- | M] () [Auto | Stopped] -- C:\Windows\System32\trkwks.dll -- (TrkWks)
SRV - [2008/01/21 10:23:32 | 000,272,952 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2008/01/21 10:23:27 | 000,104,960 | ---- | M] () [On_Demand | Stopped] -- C:\Windows\System32\sdrsvc.dll -- (SDRSVC)
SRV - [2007/11/12 19:07:20 | 000,102,400 | ---- | M] (IDT, Inc.) [Auto | Running] -- C:\Windows\System32\stacsv.exe -- (STacSV)
SRV - [2007/11/12 19:07:16 | 000,073,728 | ---- | M] (Andrea Electronics Corporation) [Auto | Running] -- C:\Windows\System32\AEstSrv.exe -- (AESTFilters)
SRV - [2007/03/21 13:00:04 | 000,355,096 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe -- (IAANTMON) Intel(R)
SRV - [2006/11/02 20:35:24 | 000,068,096 | ---- | M] () [Auto | Stopped] -- C:\Windows\System32\TabSvc.dll -- (TabletInputService)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkfwd.sys -- (NwlnkFwd)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkflt.sys -- (NwlnkFlt)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\ipinip.sys -- (IpInIp)
DRV - [2011/10/07 06:23:48 | 000,230,608 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\Windows\System32\drivers\avgldx86.sys -- (Avgldx86)
DRV - [2011/10/04 06:21:16 | 000,016,720 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\AVGIDSShim.sys -- (AVGIDSShim)
DRV - [2011/09/13 06:30:10 | 000,032,592 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | Boot | Running] -- C:\Windows\System32\drivers\avgrkx86.sys -- (Avgrkx86)
DRV - [2011/08/08 06:08:58 | 000,040,016 | ---- | M] (AVG Technologies CZ, s.r.o.) [File_System | System | Running] -- C:\Windows\System32\drivers\avgmfx86.sys -- (Avgmfx86)
DRV - [2011/07/11 01:14:38 | 000,295,248 | ---- | M] (AVG Technologies CZ, s.r.o.) [Kernel | System | Running] -- C:\Windows\System32\drivers\avgtdix.sys -- (Avgtdix)
DRV - [2011/07/11 01:14:02 | 000,024,272 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\AVGIDSFilter.sys -- (AVGIDSFilter)
DRV - [2011/07/11 01:14:00 | 000,023,120 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\AVGIDSEH.sys -- (AVGIDSEH)
DRV - [2011/07/11 01:13:58 | 000,134,736 | ---- | M] (AVG Technologies CZ, s.r.o. ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\AVGIDSDriver.sys -- (AVGIDSDriver)
DRV - [2010/06/14 08:32:54 | 000,036,608 | ---- | M] () [Kernel | On_Demand | Running] -- C:\Windows\System32\FsUsbExDisk.Sys -- (FsUsbExDisk)
DRV - [2009/09/08 18:13:16 | 000,065,584 | ---- | M] (Citrix Systems, Inc.) [Kernel | System | Running] -- C:\Windows\System32\drivers\ctxusbm.sys -- (ctxusbm)
DRV - [2009/07/16 12:32:26 | 000,130,424 | ---- | M] (McAfee, Inc.) [Kernel | System | Running] -- C:\Windows\System32\drivers\Mpfp.sys -- (MPFP)
DRV - [2009/04/07 15:33:08 | 000,026,416 | ---- | M] (Cisco Systems, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\purendis.sys -- (purendis)
DRV - [2009/04/07 15:33:08 | 000,024,880 | ---- | M] (Cisco Systems, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\pnarp.sys -- (pnarp)
DRV - [2009/01/20 15:36:12 | 000,018,424 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\bcm42rly.sys -- (BCM42RLY)
DRV - [2008/06/23 20:45:44 | 000,008,704 | ---- | M] (Conexant Systems, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\XAudio.sys -- (XAudio)
DRV - [2008/05/04 17:25:24 | 000,164,400 | ---- | M] (Alps Electric Co., Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Apfiltr.sys -- (ApfiltrService)
DRV - [2008/03/06 15:58:44 | 000,111,616 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\IntcHdmi.sys -- (IntcHdmiAddService) Intel(R)
DRV - [2008/03/04 13:05:34 | 000,007,424 | ---- | M] (EyePower Games Pte. Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\OEM02Vfx.sys -- (OEM02Vfx)
DRV - [2008/03/04 13:05:18 | 000,235,648 | ---- | M] (Creative Technology Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\OEM02Dev.sys -- (OEM02Dev)
DRV - [2008/01/21 10:23:25 | 000,220,672 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\e1e6032.sys -- (e1express) Intel(R)
DRV - [2007/11/12 19:07:28 | 000,330,240 | ---- | M] (IDT, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\stwrt.sys -- (STHDA)
DRV - [2007/09/17 15:53:26 | 000,021,632 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\pccsmcfd.sys -- (pccsmcfd)
DRV - [2007/09/07 00:35:16 | 000,037,376 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\rixdptsk.sys -- (rismxdp)
DRV - [2007/09/07 00:35:14 | 000,039,936 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\rimmptsk.sys -- (rimmptsk)
DRV - [2007/09/07 00:35:12 | 000,042,496 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\rimsptsk.sys -- (rimsptsk)
DRV - [2006/11/02 15:36:43 | 002,028,032 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\atikmdag.sys -- (R300)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\..\URLSearchHook: {09ec805c-cb2e-4d53-b0d3-a75a428b81c7} - C:\Program Files\4shared.com\prxtb4sha.dll (Conduit Ltd.)
IE - HKLM\..\URLSearchHook: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - C:\Program Files\Zynga\tbZyng.dll (Conduit Ltd.)
IE - HKLM\..\URLSearchHook: {952d8189-ea25-431b-8ed6-7758dcc933d1} - C:\Program Files\Online_Radio_India\tbOnli.dll (Conduit Ltd.)
IE - HKLM\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7
IE - HKLM\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2233703


IE - HKU\.DEFAULT\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - No CLSID value found
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\..\URLSearchHook: {A3BC75A2-1F87-4686-AA43-5347D756017C} - No CLSID value found
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-1511430850-4098111590-1355268400-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = Preserve
IE - HKU\S-1-5-21-1511430850-4098111590-1355268400-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKU\S-1-5-21-1511430850-4098111590-1355268400-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://xin.msn.com/
IE - HKU\S-1-5-21-1511430850-4098111590-1355268400-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://xin.msn.com/?ocid=iehp
IE - HKU\S-1-5-21-1511430850-4098111590-1355268400-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-sg
IE - HKU\S-1-5-21-1511430850-4098111590-1355268400-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 50 62 B9 BE C5 6A CC 01 [binary data]
IE - HKU\S-1-5-21-1511430850-4098111590-1355268400-1000\..\URLSearchHook: {09ec805c-cb2e-4d53-b0d3-a75a428b81c7} - C:\Program Files\4shared.com\prxtb4sha.dll (Conduit Ltd.)
IE - HKU\S-1-5-21-1511430850-4098111590-1355268400-1000\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
IE - HKU\S-1-5-21-1511430850-4098111590-1355268400-1000\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE - HKU\S-1-5-21-1511430850-4098111590-1355268400-1000\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?FORM=WLETDF&PC=WLEM&q={searchTerms}&src=IE-SearchBox
IE - HKU\S-1-5-21-1511430850-4098111590-1355268400-1000\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7&rlz=1I7GGLL_en
IE - HKU\S-1-5-21-1511430850-4098111590-1355268400-1000\..\SearchScopes\{A16B4E67-8316-4F56-953F-3EE0264EAEAB}: "URL" = http://search.avg.com/route/?d=4b7656a7 ... =chrome&q={searchTerms}&lng={language}&iy=&ychte=us
IE - HKU\S-1-5-21-1511430850-4098111590-1355268400-1000\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2233703
IE - HKU\S-1-5-21-1511430850-4098111590-1355268400-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "AVG Secure Search"
FF - prefs.js..browser.search.selectedEngine: "AVG Secure Search"
FF - prefs.js..extensions.enabledItems: {1E73965B-8B48-48be-9C8D-68B920ABC1C4}:12.0.0.1912
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA}:6.0.31
FF - user.js - File not found

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32.dll ()
FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\Windows\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@ei.FilmFanatic.com/Plugin: C:\Program Files\FilmFanaticEI\Installr\1.bin\NPpaEISB.dll File not found
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.1.10111.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@nexon.net/NxGame: C:\ProgramData\NexonUS\NGM\npNxGameUS.dll (Nexon)
FF - HKLM\Software\MozillaPlugins\@pages.tvunetworks.com/WebPlayer: C:\Program Files\TVUPlayer\npTVUAx.dll (TVU networks)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@veetle.com/vbp;version=0.9.17: C:\Program Files\Veetle\VLCBroadcast\npvbp.dll (Veetle Inc)
FF - HKLM\Software\MozillaPlugins\@veetle.com/veetleCorePlugin,version=0.9.17: C:\Program Files\Veetle\plugins\npVeetle.dll (Veetle Inc)
FF - HKLM\Software\MozillaPlugins\@veetle.com/veetlePlayerPlugin,version=0.9.17: C:\Program Files\Veetle\Player\npvlc.dll (Veetle Inc)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 9.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{1E73965B-8B48-48be-9C8D-68B920ABC1C4}: C:\Program Files\AVG\AVG2012\Firefox4\ [2012/02/02 00:33:38 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.12\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/01/19 22:41:49 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.12\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012/03/29 15:50:58 | 000,000,000 | ---D | M]

[2010/12/05 14:41:18 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Delvin\AppData\Roaming\Mozilla\Extensions
[2011/02/15 10:03:30 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Delvin\AppData\Roaming\Mozilla\Firefox\Profiles\qeffn5z8.default\extensions
[2011/02/15 10:03:30 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Users\Delvin\AppData\Roaming\Mozilla\Firefox\Profiles\qeffn5z8.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2012/03/29 16:39:11 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2010/12/05 20:10:50 | 000,000,000 | ---D | M] (Skype extension) -- C:\Program Files\Mozilla Firefox\extensions\{AB2CE124-6272-4b12-94A9-7303C7397BD1}
[2011/02/15 10:04:48 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
[2011/03/06 16:35:37 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
[2011/07/15 16:01:49 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
[2012/03/29 16:39:11 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA}
[2012/02/02 00:33:38 | 000,000,000 | ---D | M] (AVG Safe Search) -- C:\PROGRAM FILES\AVG\AVG2012\FIREFOX4
[2009/09/12 23:05:42 | 000,124,240 | ---- | M] (Citrix Systems, Inc.) -- C:\Program Files\mozilla firefox\plugins\CCMSDK.dll
[2009/09/12 23:06:22 | 000,070,488 | ---- | M] (Citrix Systems, Inc.) -- C:\Program Files\mozilla firefox\plugins\CgpCore.dll
[2009/09/12 23:06:32 | 000,091,480 | ---- | M] (Citrix Systems, Inc.) -- C:\Program Files\mozilla firefox\plugins\confmgr.dll
[2009/09/12 23:06:28 | 000,022,360 | ---- | M] (Citrix Systems, Inc.) -- C:\Program Files\mozilla firefox\plugins\ctxlogging.dll
[2010/10/07 08:18:35 | 000,091,552 | ---- | M] (Coupons, Inc.) -- C:\Program Files\mozilla firefox\plugins\npCouponPrinter.dll
[2012/03/29 16:38:53 | 000,476,904 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
[2009/09/12 23:08:36 | 000,406,864 | ---- | M] () -- C:\Program Files\mozilla firefox\plugins\npicaN.dll
[2010/10/07 08:18:37 | 000,091,552 | ---- | M] (Coupons, Inc.) -- C:\Program Files\mozilla firefox\plugins\npMozCouponPrinter.dll
[2009/09/12 23:06:24 | 000,023,896 | ---- | M] (Citrix Systems, Inc.) -- C:\Program Files\mozilla firefox\plugins\TcpPServ.dll

========== Chrome ==========

CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}sourceid=chrome&ie={inputEncoding}&q={searchTerms}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?client=chrome&hl={language}&q={searchTerms}
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Program Files\Google\Chrome\Application\9.0.597.98\pdf.dll
CHR - plugin: Google Gears 0.5.33.0 (Enabled) = C:\Program Files\Google\Chrome\Application\9.0.597.98\gears.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Program Files\Google\Chrome\Application\9.0.597.98\gcswf32.dll
CHR - plugin: Adobe Acrobat (Enabled) = C:\Program Files\Adobe\Reader 9.0\Reader\Browser\nppdf32.dll
CHR - plugin: Google Update (Enabled) = C:\Program Files\Google\Update\1.2.183.39\npGoogleOneClick8.dll
CHR - plugin: TVU Web Player for FireFox (Enabled) = C:\Program Files\TVUPlayer\npTVUAx.dll
CHR - plugin: Veetle TV Player (Enabled) = C:\Program Files\Veetle\Player\npvlc.dll
CHR - plugin: Veetle Broadcaster Plugin (Enabled) = C:\Program Files\Veetle\VLCBroadcast\npvbp.dll
CHR - plugin: Veetle TV Core (Enabled) = C:\Program Files\Veetle\plugins\npVeetle.dll
CHR - plugin: Shockwave for Director (Enabled) = C:\Windows\system32\Adobe\Director\np32dsw.dll
CHR - plugin: Silverlight Plug-In (Enabled) = c:\Program Files\Microsoft Silverlight\4.0.50917.0\npctrl.dll
CHR - plugin: Windows Presentation Foundation (Enabled) = c:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
CHR - plugin: Default Plug-in (Enabled) = default_plugin
CHR - Extension: Entanglement = C:\Users\Delvin\AppData\Local\Google\Chrome\User Data\Default\Extensions\aciahcmjmecflokailenpkdchphgkefd\2.1.1_0\
CHR - Extension: Poppit = C:\Users\Delvin\AppData\Local\Google\Chrome\User Data\Default\Extensions\mcbkbpnkkkipelfledbfocopglifcfmi\2.2_0\

O1 HOSTS File: ([2006/09/19 05:41:30 | 000,000,761 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O2 - BHO: (4shared.com Toolbar) - {09ec805c-cb2e-4d53-b0d3-a75a428b81c7} - C:\Program Files\4shared.com\prxtb4sha.dll (Conduit Ltd.)
O2 - BHO: (no name) - {27B4851A-3207-45A2-B947-BE8AFE6163AB} - No CLSID value found.
O2 - BHO: (Conduit Engine) - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files\ConduitEngine\prxConduitEngine.dll (Conduit Ltd.)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG2012\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Zynga Toolbar) - {7b13ec3e-999a-4b70-b9cb-2617b8323822} - C:\Program Files\Zynga\tbZyng.dll (Conduit Ltd.)
O2 - BHO: (Online Radio India Toolbar) - {952d8189-ea25-431b-8ed6-7758dcc933d1} - C:\Program Files\Online_Radio_India\tbOnli.dll (Conduit Ltd.)
O2 - BHO: (Skype Plug-In) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O2 - BHO: (Bing Bar Helper) - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\Microsoft\BingBar\BingExt.dll (Microsoft Corporation.)
O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll (Yahoo! Inc)
O3 - HKLM\..\Toolbar: (4shared.com Toolbar) - {09ec805c-cb2e-4d53-b0d3-a75a428b81c7} - C:\Program Files\4shared.com\prxtb4sha.dll (Conduit Ltd.)
O3 - HKLM\..\Toolbar: (Conduit Engine) - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Program Files\ConduitEngine\prxConduitEngine.dll (Conduit Ltd.)
O3 - HKLM\..\Toolbar: (Zynga Toolbar) - {7b13ec3e-999a-4b70-b9cb-2617b8323822} - C:\Program Files\Zynga\tbZyng.dll (Conduit Ltd.)
O3 - HKLM\..\Toolbar: (Bing Bar) - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files\Microsoft\BingBar\BingExt.dll (Microsoft Corporation.)
O3 - HKLM\..\Toolbar: (Online Radio India Toolbar) - {952d8189-ea25-431b-8ed6-7758dcc933d1} - C:\Program Files\Online_Radio_India\tbOnli.dll (Conduit Ltd.)
O3 - HKLM\..\Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No CLSID value found.
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O3 - HKU\S-1-5-21-1511430850-4098111590-1355268400-1000\..\Toolbar\WebBrowser: (Zynga Toolbar) - {7B13EC3E-999A-4B70-B9CB-2617B8323822} - C:\Program Files\Zynga\tbZyng.dll (Conduit Ltd.)
O3 - HKU\S-1-5-21-1511430850-4098111590-1355268400-1000\..\Toolbar\WebBrowser: (Online Radio India Toolbar) - {952D8189-EA25-431B-8ED6-7758DCC933D1} - C:\Program Files\Online_Radio_India\tbOnli.dll (Conduit Ltd.)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [Apoint] C:\Program Files\DellTPad\Apoint.exe (Alps Electric Co., Ltd.)
O4 - HKLM..\Run: [AVG_TRAY] C:\Program Files\AVG\AVG2012\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [ConnectionCenter] C:\Program Files\Citrix\ICA Client\concentr.exe (Citrix Systems, Inc.)
O4 - HKLM..\Run: [dscactivate] C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe ( )
O4 - HKLM..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe (Intel Corporation)
O4 - HKLM..\Run: [nmctxth] C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe (Cisco Systems, Inc.)
O4 - HKLM..\Run: [NPSStartup] File not found
O4 - HKLM..\Run: [OEM02Mon.exe] C:\Windows\OEM02Mon.exe (Creative Technology Ltd.)
O4 - HKLM..\Run: [PCMService] C:\Program Files\Dell\MediaDirect\PCMService.exe (CyberLink Corp.)
O4 - HKLM..\Run: [SigmatelSysTrayApp] C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe (IDT, Inc.)
O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation)
O4 - HKU\S-1-5-19..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
O4 - HKU\S-1-5-20..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation)
O4 - HKU\S-1-5-21-1511430850-4098111590-1355268400-1000..\Run: [AutoStartNPSAgent] C:\Program Files\Samsung\Samsung New PC Studio\NPSAgent.exe (Samsung Electronics Co., Ltd.)
O4 - Startup: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock First Run.lnk = C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
O4 - Startup: C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock First Run.lnk = C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
O4 - Startup: C:\Users\Delvin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dell Dock.lnk = C:\Program Files\Dell\DellDock\DellDock.exe (Stardock Corporation)
O9 - Extra Button: Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra Button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra 'Tools' menuitem : @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O13 - gopher Prefix: missing
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shoc ... tor/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {1C11B948-582A-433F-A98D-A8C4D5CC64F2} http://kitchenplanner.ikea.com/US/Core/ ... _Win32.cab (20-20 3D Viewer)
O16 - DPF: {4A85DBE0-BFB2-4119-8401-186A7C6EB653} http://messenger.zone.msn.com/Messenger ... 109791.cab ()
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} http://messenger.zone.msn.com/binary/So ... b56986.cab (Solitaire Showdown Class)
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} http://messenger.zone.msn.com/Messenger ... E_UNO1.cab (UnoCtrl Class)
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} http://upload.facebook.com/controls/200 ... ader55.cab (Reg Error: Key error.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {8CFCF42C-1C64-47D6-AEEC-F9D001832ED3} http://xserv.dell.com/DellDriverScanner/DellSystem.CAB (DellSystem.Scanner)
O16 - DPF: {B151B524-F451-4036-9663-B3944FA710DF} http://www.cpf.gov.sg/cpf_info/ehelpdesk/ehelpdesk.cab (ExecuteAgent2p Class)
O16 - DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} http://support.dell.com/systemprofiler/ ... emLite.CAB (DellSystemLite.Scanner)
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} http://messenger.zone.msn.com/binary/Me ... b56907.cab (MessengerStatsClient Class)
O16 - DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (Reg Error: Value error.)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} http://messenger.zone.msn.com/binary/Mi ... b56986.cab (Minesweeper Flags Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 218.186.1.58 218.186.2.16 218.186.2.6
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{28991DB4-F1C4-4706-AD45-4916F2B65107}: DhcpNameServer = 218.186.1.58 218.186.2.16 218.186.2.6
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG2012\avgpp.dll (AVG Technologies CZ, s.r.o.)
O18 - Protocol\Handler\pure-go {4746C79A-2042-4332-8650-48966E44ABA8} - C:\Program Files\Common Files\Pure Networks Shared\Platform\puresp4.dll (Cisco Systems, Inc.)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Users\Delvin\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O24 - Desktop BackupWallPaper: C:\Users\Delvin\AppData\Roaming\Microsoft\Windows Photo Gallery\Windows Photo Gallery Wallpaper.jpg
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2006/09/19 05:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O33 - MountPoints2\{c7993c90-d9b0-11df-868f-001fe2de3da9}\Shell\AutoRun\command - "" = F:\U3ROM/system.exe
O33 - MountPoints2\{c7993c90-d9b0-11df-868f-001fe2de3da9}\Shell\explore\command - "" = F:\U3ROM/system.exe
O33 - MountPoints2\{c7993c90-d9b0-11df-868f-001fe2de3da9}\Shell\open\command - "" = F:\U3ROM/system.exe
O34 - HKLM BootExecute: (autocheck autochk *)
O34 - HKLM BootExecute: (C:\PROGRA~1\AVG\AVG2012\avgrsx.exe /sync /restart)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2012/04/02 16:13:06 | 000,593,920 | ---- | C] (OldTimer Tools) -- C:\Users\Delvin\Desktop\OTL.exe
[2012/03/30 18:46:10 | 000,000,000 | ---D | C] -- C:\Users\Delvin\Desktop\Rootkit infection_IRP hook
[2012/03/29 16:39:08 | 000,157,472 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaws.exe
[2012/03/29 16:39:08 | 000,149,280 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaw.exe
[2012/03/29 16:39:08 | 000,149,280 | ---- | C] (Sun Microsystems, Inc.) -- C:\Windows\System32\java.exe
[2012/03/29 16:38:48 | 000,000,000 | ---D | C] -- C:\Program Files\Java
[2012/03/29 16:33:36 | 000,000,000 | ---D | C] -- C:\Program Files\Marvell
[2012/03/29 15:57:56 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\CCleaner
[2012/03/29 15:50:16 | 000,000,000 | -HSD | C] -- C:\Config.Msi
[2012/03/29 02:56:51 | 000,000,000 | ---D | C] -- C:\Program Files\Cisco
[2012/03/29 02:55:20 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Dell Wireless
[2012/03/29 02:54:41 | 000,018,424 | ---- | C] (Broadcom Corporation) -- C:\Windows\System32\drivers\bcm42rly.sys
[2012/03/29 02:54:39 | 006,369,280 | ---- | C] (Dell Inc.) -- C:\Windows\System32\BCMWLCPL.CPL
[2012/03/29 02:54:39 | 000,286,720 | ---- | C] (Dell Inc.) -- C:\Windows\System32\bcmwlu00.exe
[2012/03/29 02:54:39 | 000,065,536 | ---- | C] (Broadcom Corporation) -- C:\Windows\System32\wltrynt.dll
[2012/03/29 02:54:37 | 000,163,840 | ---- | C] (Broadcom Corp.) -- C:\Windows\System32\bcmwlapi.dll
[2012/03/29 02:54:26 | 000,000,000 | ---D | C] -- C:\Users\Delvin\AppData\Roaming\InstallShield
[2012/03/24 13:21:25 | 000,000,000 | ---D | C] -- C:\Program Files\CCleaner
[2012/03/24 12:58:31 | 000,000,000 | ---D | C] -- C:\Users\Delvin\AppData\Roaming\ParetoLogic
[2012/03/24 12:58:31 | 000,000,000 | ---D | C] -- C:\Users\Delvin\AppData\Roaming\DriverCure
[2012/03/24 12:58:20 | 000,000,000 | ---D | C] -- C:\ProgramData\ParetoLogic
[2012/03/24 12:34:42 | 002,044,416 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\win32k.sys
[2012/03/24 12:34:40 | 001,172,480 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3d10warp.dll
[2012/03/24 12:34:40 | 001,068,544 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\DWrite.dll
[2012/03/24 12:34:40 | 000,683,008 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d2d1.dll
[2012/03/24 12:34:40 | 000,219,648 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3d10_1core.dll
[2012/03/24 12:34:40 | 000,160,768 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3d10_1.dll
[2012/03/24 12:34:38 | 000,613,376 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\rdpencom.dll
[7 C:\Users\Delvin\Desktop\*.tmp files -> C:\Users\Delvin\Desktop\*.tmp -> ]
[2 C:\Windows\System32\*.tmp files -> C:\Windows\System32\*.tmp -> ]
[2 C:\Users\Delvin\Documents\*.tmp files -> C:\Users\Delvin\Documents\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/04/02 16:13:08 | 000,593,920 | ---- | M] (OldTimer Tools) -- C:\Users\Delvin\Desktop\OTL.exe
[2012/04/02 16:00:07 | 000,000,886 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2012/04/02 15:43:58 | 093,316,310 | ---- | M] () -- C:\Windows\System32\drivers\AVG\incavi.avm
[2012/04/02 15:39:04 | 000,003,616 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0
[2012/04/02 15:39:04 | 000,003,616 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0
[2012/04/02 15:39:03 | 000,000,882 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2012/04/02 15:38:56 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2012/04/02 15:38:29 | 3747,655,680 | -HS- | M] () -- C:\hiberfil.sys
[2012/03/30 19:48:54 | 000,001,076 | ---- | M] () -- C:\Windows\bthservsdp.dat
[2012/03/30 18:10:25 | 000,001,906 | ---- | M] () -- C:\Users\Delvin\Documents\cc_20120330_181021.reg
[2012/03/29 16:38:53 | 000,157,472 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaws.exe
[2012/03/29 16:38:53 | 000,149,280 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\System32\javaw.exe
[2012/03/29 16:38:53 | 000,149,280 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\System32\java.exe
[2012/03/29 16:38:52 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.) -- C:\Windows\System32\deployJava1.dll
[2012/03/29 16:09:28 | 000,001,278 | ---- | M] () -- C:\Users\Delvin\Documents\cc_20120329_160915.reg
[2012/03/29 02:54:54 | 000,772,936 | ---- | M] () -- C:\Windows\System32\oem108.inf
[2012/03/27 00:26:30 | 000,000,994 | ---- | M] () -- C:\Users\Delvin\Documents\cc_20120327_002618.reg
[2012/03/24 22:10:03 | 000,000,372 | ---- | M] () -- C:\Users\Delvin\Documents\cc_20120324_220953.reg
[2012/03/24 19:07:42 | 000,285,336 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2012/03/24 14:56:27 | 000,000,830 | ---- | M] () -- C:\Users\Delvin\Application Data\Microsoft\Internet Explorer\Quick Launch\CCleaner - Shortcut.lnk
[2012/03/24 13:24:51 | 000,150,176 | ---- | M] () -- C:\Users\Delvin\Documents\cc_20120324_132418.reg
[2012/03/24 12:34:22 | 000,113,461 | ---- | M] () -- C:\Windows\System32\drivers\AVG\iavichjw.avm
[2012/03/22 00:40:09 | 000,030,208 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\ddrawex.dll
[2012/03/22 00:40:04 | 000,130,560 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\dhcpcsvc6.dll
[2012/03/07 23:54:32 | 000,103,988 | ---- | M] () -- C:\Users\Delvin\Desktop\ang mo kio medical centre.jpg
[2012/03/07 23:04:13 | 000,414,368 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerCPLApp.cpl
[7 C:\Users\Delvin\Desktop\*.tmp files -> C:\Users\Delvin\Desktop\*.tmp -> ]
[2 C:\Windows\System32\*.tmp files -> C:\Windows\System32\*.tmp -> ]
[2 C:\Users\Delvin\Documents\*.tmp files -> C:\Users\Delvin\Documents\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/03/30 18:10:23 | 000,001,906 | ---- | C] () -- C:\Users\Delvin\Documents\cc_20120330_181021.reg
[2012/03/29 16:09:19 | 000,001,278 | ---- | C] () -- C:\Users\Delvin\Documents\cc_20120329_160915.reg
[2012/03/29 15:50:58 | 000,001,804 | ---- | C] () -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader 9.lnk
[2012/03/29 02:55:13 | 000,772,936 | ---- | C] () -- C:\Windows\System32\oem108.inf
[2012/03/29 02:54:41 | 000,001,591 | ---- | C] () -- C:\Windows\System32\Uninst_EAPModules.bat
[2012/03/29 02:54:39 | 000,055,808 | ---- | C] () -- C:\Windows\System32\bcmwlrmt.dll
[2012/03/29 02:54:38 | 000,024,064 | ---- | C] () -- C:\Windows\System32\WLTRYSVC.EXE
[2012/03/29 02:24:42 | 000,772,296 | ---- | C] () -- C:\Windows\System32\oem8.inf
[2012/03/27 00:26:21 | 000,000,994 | ---- | C] () -- C:\Users\Delvin\Documents\cc_20120327_002618.reg
[2012/03/24 22:09:56 | 000,000,372 | ---- | C] () -- C:\Users\Delvin\Documents\cc_20120324_220953.reg
[2012/03/24 14:56:27 | 000,000,830 | ---- | C] () -- C:\Users\Delvin\Application Data\Microsoft\Internet Explorer\Quick Launch\CCleaner - Shortcut.lnk
[2012/03/24 13:24:30 | 000,150,176 | ---- | C] () -- C:\Users\Delvin\Documents\cc_20120324_132418.reg
[2012/03/07 23:54:32 | 000,103,988 | ---- | C] () -- C:\Users\Delvin\Desktop\ang mo kio medical centre.jpg
[2011/10/28 21:28:34 | 008,892,928 | ---- | C] () -- C:\ProgramData\atscie.msi
[2011/02/24 01:18:09 | 000,000,000 | ---- | C] () -- C:\Windows\System32\WsmRes.dll
[2010/12/11 13:05:21 | 000,110,592 | ---- | C] () -- C:\Windows\System32\FsUsbExDevice.Dll
[2010/12/11 13:05:21 | 000,036,608 | ---- | C] () -- C:\Windows\System32\FsUsbExDisk.Sys
[2010/12/05 20:11:35 | 000,000,056 | -H-- | C] () -- C:\ProgramData\ezsidmv.dat
[2010/10/15 01:06:20 | 000,000,000 | ---- | C] () -- C:\Windows\System32\srvsvc.dll

========== LOP Check ==========

[2010/10/20 13:43:39 | 000,000,000 | ---D | M] -- C:\Users\Delvin\AppData\Roaming\ADInstruments
[2010/12/09 17:02:54 | 000,000,000 | ---D | M] -- C:\Users\Delvin\AppData\Roaming\AVG
[2011/10/14 19:44:45 | 000,000,000 | ---D | M] -- C:\Users\Delvin\AppData\Roaming\AVG2012
[2010/03/05 19:47:13 | 000,000,000 | ---D | M] -- C:\Users\Delvin\AppData\Roaming\AVG9
[2012/03/24 12:58:31 | 000,000,000 | ---D | M] -- C:\Users\Delvin\AppData\Roaming\DriverCure
[2012/01/19 22:58:03 | 000,000,000 | ---D | M] -- C:\Users\Delvin\AppData\Roaming\ICAClient
[2012/03/24 12:58:31 | 000,000,000 | ---D | M] -- C:\Users\Delvin\AppData\Roaming\ParetoLogic
[2010/12/11 13:33:58 | 000,000,000 | ---D | M] -- C:\Users\Delvin\AppData\Roaming\PC Suite
[2010/12/11 13:05:14 | 000,000,000 | ---D | M] -- C:\Users\Delvin\AppData\Roaming\Samsung
[2011/02/14 21:47:14 | 000,000,000 | ---D | M] -- C:\Users\Delvin\AppData\Roaming\tmp
[2010/12/15 05:20:45 | 000,000,000 | ---D | M] -- C:\Users\Delvin\AppData\Roaming\Windows Live Writer
[2012/03/30 19:48:56 | 000,032,616 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 138 bytes -> C:\ProgramData\TEMP:0B4227B4

< End of report >
DelvinNg

Re: Rootkit infection: IRP hook

Unread postby DelvinNg » April 2nd, 2012, 4:24 am

The contents of the Extras.txt log:

OTL Extras logfile created on: 2/4/2012 4:16:11 PM - Run 2
OTL by OldTimer - Version 3.2.39.2 Folder = C:\Users\Delvin\Desktop
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00004809 | Country: Singapore | Language: ENE | Date Format: d/M/yyyy

3.49 Gb Total Physical Memory | 1.96 Gb Available Physical Memory | 56.25% Memory free
7.17 Gb Paging File | 5.63 Gb Available in Paging File | 78.42% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 136.46 Gb Total Space | 73.85 Gb Free Space | 54.12% Space Free | Partition Type: NTFS
Drive D: | 10.00 Gb Total Space | 5.13 Gb Free Space | 51.27% Space Free | Partition Type: NTFS

Computer Name: DELVIN-PC | User Name: Delvin | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)
.html [@ = ChromeHTML] -- C:\Program Files\Google\Chrome\Application\chrome.exe (Google Inc.)

[HKEY_USERS\S-1-5-21-1511430850-4098111590-1355268400-1000\SOFTWARE\Classes\<extension>]
.html [@ = ChromeHTML] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Google\Chrome\Application\chrome.exe" -- "%1" (Google Inc.)
https [open] -- "C:\Program Files\Google\Chrome\Application\chrome.exe" -- "%1" (Google Inc.)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"VistaSp2" = Reg Error: Unknown registry data type -- File not found

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0

========== Authorized Applications List ==========


========== Vista Active Open Ports Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{040E9309-2874-4534-81B2-1D7B1F5CD984}" = lport=137 | protocol=17 | dir=in | app=system |
"{051C9E49-EE18-4F9A-B42B-46B3A5142AE0}" = lport=rpc | protocol=6 | dir=in | svc=spooler | app=%systemroot%\system32\spoolsv.exe |
"{0929011D-DE46-4F17-A277-892EEDDADCAF}" = lport=1900 | protocol=17 | dir=in | name=windows live communications platform (ssdp) |
"{18BFEE6A-604C-4B17-9AAE-711C4725048B}" = lport=139 | protocol=6 | dir=in | app=system |
"{1CD021AD-8F6C-44A4-A780-613780CC9FFC}" = lport=rpc-epmap | protocol=6 | dir=in | svc=rpcss | name=@firewallapi.dll,-28539 |
"{368B625A-1813-4FA9-BBC6-C5C003964CB1}" = lport=138 | protocol=17 | dir=in | app=system |
"{4F575EE3-0603-48E5-AB4F-4577D3BD0F0D}" = rport=139 | protocol=6 | dir=out | app=system |
"{568C053F-514C-41EB-9E45-E8833AD00C65}" = lport=67 | protocol=17 | dir=in | svc=sharedaccess | app=%systemroot%\system32\svchost.exe |
"{5A8F5662-A7C0-4ECB-85B1-7524453BAA25}" = lport=2869 | protocol=6 | dir=in | app=system |
"{5D45647D-402E-41C3-AC35-A9B5D9E81386}" = rport=138 | protocol=17 | dir=out | app=system |
"{5E8FA4D7-BDB6-479F-B667-02A9CCF85CCF}" = rport=2869 | protocol=6 | dir=out | app=system |
"{5EDAAAE5-8004-4D31-9975-6D2D421AA294}" = rport=1900 | protocol=17 | dir=out | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{6B006F45-A3A6-4A07-9379-72D6461AC087}" = lport=68 | protocol=17 | dir=in | svc=sharedaccess | app=%systemroot%\system32\svchost.exe |
"{7FB41FFD-1711-477D-A406-987C08B8448A}" = lport=53 | protocol=17 | dir=in | svc=sharedaccess | app=%systemroot%\system32\svchost.exe |
"{899B0A38-EDA4-4F75-955E-3011B7339F6C}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=%systemroot%\system32\svchost.exe |
"{9C7E3495-151D-4091-B7F1-69764B219F76}" = rport=137 | protocol=17 | dir=out | app=system |
"{9E1080A7-4502-488F-8685-6BF69BA143EE}" = lport=2869 | protocol=6 | dir=in | name=windows live communications platform (upnp) |
"{B5CBD735-4487-4872-8B96-448402C7C68C}" = lport=1900 | protocol=17 | dir=in | svc=ssdpsrv | app=svchost.exe |
"{C5702CE9-93B4-43CA-AC77-BBFB7FC551D3}" = lport=547 | protocol=17 | dir=in | svc=sharedaccess | app=%systemroot%\system32\svchost.exe |
"{CB8CFC8D-2215-44AD-98C8-166A06903B3D}" = rport=445 | protocol=6 | dir=out | app=system |
"{D8BB16F3-2DE0-4E82-8F55-36D62E5E7C1C}" = lport=2869 | protocol=6 | dir=in | app=system |
"{F2CF22C0-FA18-43EA-9C42-59BBF3D45375}" = lport=445 | protocol=6 | dir=in | app=system |

========== Vista Active Application Exception List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{015EB128-73E9-4327-8E13-FD2AC18DD301}" = protocol=17 | dir=in | app=c:\program files\avg\avg2012\avgmfapx.exe |
"{02F9789E-037B-4A8B-8E32-DBA8A6925785}" = protocol=17 | dir=in | app=c:\program files\avg\avg2012\avgnsx.exe |
"{0381A04E-905C-454F-9C02-760B71D6C483}" = dir=in | app=c:\program files\windows live\messenger\msnmsgr.exe |
"{062B54B3-E411-4903-A130-13D7D10B2B8B}" = protocol=58 | dir=in | name=@hnetcfg.dll,-148 |
"{0F3BB19F-BFE9-407F-B4C0-EF270BC50928}" = dir=out | svc=sharedaccess | app=%systemroot%\system32\svchost.exe |
"{11A29F3E-7DE9-4BCC-9916-C3BB00457E03}" = dir=in | app=c:\program files\skype\phone\skype.exe |
"{13BEB933-7755-4042-8F19-320FA8A40A73}" = protocol=6 | dir=in | app=c:\program files\hp\hp deskjet 1050 j410 series\bin\usbsetup.exe |
"{1C1B5074-2900-4FF7-BB12-4CDAB9748C8B}" = protocol=6 | dir=in | app=c:\program files\samsung\samsung new pc studio\npsasvr.exe |
"{228498CD-29FE-440C-9963-2CE8BD6380D4}" = protocol=6 | dir=in | app=c:\program files\common files\pure networks shared\platform\nmsrvc.exe |
"{30DB115B-833F-4384-A3E7-7EF9E6C4228B}" = protocol=17 | dir=in | app=c:\program files\avg\avg2012\avgdiagex.exe |
"{3CA08911-C0B8-4DAA-AB68-EAD12D3C3978}" = protocol=17 | dir=in | app=c:\program files\samsung\samsung new pc studio\npsvsvr.exe |
"{5C8E6816-281C-4B8A-86AD-30FAC5A3E6F5}" = protocol=58 | dir=out | name=@firewallapi.dll,-28546 |
"{5F03FDFB-1AC5-4F7D-B448-2FED22ECC162}" = protocol=6 | dir=in | app=c:\programdata\nexonus\ngm\ngm.exe |
"{63387967-5AF5-4CC1-AF02-54760DB9B9CF}" = protocol=58 | dir=in | name=@firewallapi.dll,-28545 |
"{6CA4FF73-C218-4167-985A-69FA532E4CBD}" = protocol=6 | dir=in | app=c:\program files\avg\avg2012\avgmfapx.exe |
"{746C5026-C88E-474D-9378-13C06ADE0EB6}" = protocol=6 | dir=in | app=c:\program files\avg\avg2012\avgnsx.exe |
"{74B7EE73-3A6E-4D05-A7B3-43DDC5F516DA}" = protocol=6 | dir=in | app=c:\program files\avg\avg2012\avgdiagex.exe |
"{84375BBC-59F6-4A2C-9576-0F2DF1B53B5C}" = protocol=1 | dir=in | name=@firewallapi.dll,-28543 |
"{8BBC98C7-6F0E-4547-9DE4-BF4838144A5E}" = protocol=17 | dir=in | app=c:\program files\avg\avg2012\avgnsx.exe |
"{91B29949-60F0-4897-9B3E-4C86D3104A6E}" = protocol=6 | dir=in | app=c:\program files\avg\avg2012\avgnsx.exe |
"{A62A342B-B4F2-46EF-8554-8F9DEC7E8F5A}" = protocol=17 | dir=in | app=c:\program files\hp\hp deskjet 1050 j410 series\bin\usbsetup.exe |
"{A830840D-DEC5-41F2-8DC5-395BE4B902CB}" = protocol=17 | dir=in | app=c:\program files\samsung\samsung new pc studio\npsasvr.exe |
"{B770275F-08D3-44CF-BE47-391ED77B8B58}" = dir=in | app=c:\program files\windows live\contacts\wlcomm.exe |
"{BFCCB262-DD77-4D1F-B4E3-F65423FE848E}" = protocol=6 | dir=in | app=c:\program files\avg\avg2012\avgdiagex.exe |
"{C70893E3-5BAD-4CBC-8C36-2B37501FD423}" = protocol=1 | dir=out | name=@firewallapi.dll,-28544 |
"{C7AF6FFE-8AFF-4FA3-8504-55C9C6D392A7}" = protocol=17 | dir=in | app=c:\program files\common files\pure networks shared\platform\nmsrvc.exe |
"{D5B52B22-C8FE-4EC1-9513-753317065C7B}" = protocol=17 | dir=in | app=c:\program files\avg\avg2012\avgdiagex.exe |
"{DC9E3D9C-906F-4284-A728-531D14223F6B}" = protocol=6 | dir=in | app=c:\program files\samsung\samsung new pc studio\npsvsvr.exe |
"{E4EECD26-FA85-402C-B309-83CA65ECFC7D}" = dir=in | app=c:\program files\dell\mediadirect\pcmservice.exe |
"{F220603B-51A1-4F32-B6AA-4EADB0352E36}" = protocol=6 | dir=out | svc=upnphost | app=%systemroot%\system32\svchost.exe |
"{F50F1CD0-E648-486C-96D0-A6C566599DF9}" = protocol=17 | dir=in | app=c:\programdata\nexonus\ngm\ngm.exe |
"TCP Query User{4D33D729-DC29-4A79-ABDF-2ED4EF43A3B6}C:\program files\tvuplayer\tvuplayer.exe" = protocol=6 | dir=in | app=c:\program files\tvuplayer\tvuplayer.exe |
"TCP Query User{73B79C17-9FAA-49BF-8E92-5F4403CE89BA}C:\program files\internet explorer\iexplore.exe" = protocol=6 | dir=in | app=c:\program files\internet explorer\iexplore.exe |
"TCP Query User{D55CEA56-DB6E-464D-8971-7A23B8E11E44}C:\program files\tvuplayer\tvuplayer.exe" = protocol=6 | dir=in | app=c:\program files\tvuplayer\tvuplayer.exe |
"TCP Query User{FAE476D7-35D1-4B88-981C-832D59E01214}C:\program files\internet explorer\iexplore.exe" = protocol=6 | dir=in | app=c:\program files\internet explorer\iexplore.exe |
"UDP Query User{372892F2-AD01-457E-9BB0-B19FF030E58D}C:\program files\tvuplayer\tvuplayer.exe" = protocol=17 | dir=in | app=c:\program files\tvuplayer\tvuplayer.exe |
"UDP Query User{4405F7F7-A577-4711-9A0B-6C82577430C2}C:\program files\tvuplayer\tvuplayer.exe" = protocol=17 | dir=in | app=c:\program files\tvuplayer\tvuplayer.exe |
"UDP Query User{D0DC45D9-1181-4C0A-AAB2-748329FE0B3D}C:\program files\internet explorer\iexplore.exe" = protocol=17 | dir=in | app=c:\program files\internet explorer\iexplore.exe |
"UDP Query User{DAB819D9-4759-49FE-B278-51A42B3C6E39}C:\program files\internet explorer\iexplore.exe" = protocol=17 | dir=in | app=c:\program files\internet explorer\iexplore.exe |

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00203668-8170-44A0-BE44-B632FA4D780F}" = Adobe AIR
"{0B0F231F-CE6A-483D-AA23-77B364F75917}" = Windows Live Installer
"{0BCA9EFD-F2D6-4638-B053-8693BA0404BE}" = Citrix online plug-in (Web)
"{15BC8CD0-A65B-47D0-A2DD-90A824590FA8}" = Microsoft Works
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{1D5E29AD-39A9-4D0A-A8B6-46A6FCD8C995}" = Live! Cam Avatar v1.0
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{1F6AB0E7-8CDD-4B93-8A23-AA9EB2FEFCE4}" = Junk Mail filter update
"{200FEC62-3C34-4D60-9CE8-EC372E01C08F}" = Windows Live SOXE Definitions
"{226837D8-0BF8-4CBE-BAB2-8F07E2C2B4DD}" = HP Deskjet 1050 J410 series Basic Device Software
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{26A24AE4-039D-4CA4-87B4-2F83216031FF}" = Java(TM) 6 Update 31
"{294EAADF-E50F-4DD8-AD8D-19587EA10512}" = Modem Diagnostic Tool
"{341201D4-4F61-4ADB-987E-9CCE4D83A58D}" = Windows Live Toolbar Extension (Windows Live Toolbar)
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{3F92ABBB-6BBF-11D5-B229-002078017FBF}" = NetWaiting
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4B6AD248-D3BF-426A-8D64-847288154F13}" = QuickSet
"{4CBABDFD-49F8-47FD-BE7D-ECDE7270525A}" = Windows Live PIMT Platform
"{4EFC72DA-2314-4E5D-AC8E-1C954CDB8BBF}" = AVG 2012
"{50316C0A-CC2A-460A-9EA5-F486E54AC17D}_is1" = AVG PC Tuneup 2011
"{55392E52-1AAD-44C4-BE49-258FFE72434F}" = Citrix online plug-in (USB)
"{5BA1D11C-B981-4CAA-B2B5-B8ADF413EBA5}" = Pure Networks Platform
"{5C90D8CF-F12A-41C6-9007-3B651A1F0D78}" = HP Deskjet 1050 J410 series Help
"{5DD4FCBD-A3C1-4155-9E17-4161C70AAABA}" = Segoe UI
"{61AD15B2-50DB-4686-A739-14FE180D4429}" = Windows Live ID Sign-in Assistant
"{65D0C510-D7B6-4438-9FC8-E6B91115AB0D}" = Live! Cam Avatar Creator
"{669C7BD8-DAA2-49B6-966C-F1E2AAE6B17E}" = Cisco PEAP Module
"{682B3E4F-696A-42DE-A41C-4C07EA1678B4}" = Windows Live SOXE
"{6A05FEDF-662E-46BF-8A25-010E3F1C9C69}" = Windows Live UX Platform Language Pack
"{6B7B6D4D-8F9B-4CB3-8CA4-BCA9CC4C1A22}" = EDocs
"{6D3963B0-E13B-4FC3-B0FF-506A304BB043}" = Cisco EAP-FAST Module
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{75CDF2CA-5F89-4BC8-9556-CF70782CBD17}" = Motorola Phone Tools
"{76E41F43-59D2-4F30-BA42-9A762EE1E8DE}" = Avanquest update
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{77DCDCE3-2DED-62F3-8154-05E745472D07}" = Acrobat.com
"{77F8A71E-3515-4832-B8B2-2F1EDBD2E0F1}" = Bing Bar
"{786C4AD1-DCBA-49A6-B0EF-B317A344BD66}" = Windows Live Favorites for Windows Live Toolbar
"{7DB9F1E5-9ACB-410D-A7DC-7A3D023CE045}" = Dell Getting Started Guide
"{7E84FAC8-C518-40F9-9807-7455301D6D25}" = SamsungConnectivityCableDriver
"{7FCC4EDC-6EE2-4309-ABD7-85F2667A7B90}" = WebEx Support Manager for Internet Explorer
"{80956555-A512-4190-9CAD-B000C36D6B6B}" = Windows Live Messenger
"{812424AC-A8B5-44E6-8D48-07E939D1AD9A}" = Citrix online plug-in (HDX)
"{83770D14-21B9-44B3-8689-F7B523F94560}" = Cisco LEAP Module
"{86CE85E6-DBAC-3FFD-B977-E4B79F83C909}" = Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8DD46C6A-0056-4FEC-B70A-28BB16A1F11F}" = MSVCRT
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90280409-6000-11D3-8CFE-0050048383C9}" = Microsoft Office XP Professional with FrontPage
"{9068B2BE-D93A-4C0A-861C-5E35E2C0E09E}" = Intel(R) Matrix Storage Manager
"{95120000-00AF-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint Viewer 2007 (English)
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9BDEF074-020E-458D-ADC5-8FF68E0C9B56}" = OutlookAddinSetup
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{9C6978E8-B6D0-4AB7-A7A0-D81A74FBF745}" = MediaDirect
"{9D56775A-93F3-44A3-8092-840E3826DE30}" = Windows Live Mail
"{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}" = Dell Touchpad
"{A13E07E1-A423-44FB-9DEE-B24C75C1BAF2}" = WIDCOMM Bluetooth Software 6.0.1.3100
"{A5C4AD72-25FE-4899-B6DF-6D8DF63C93CF}" = Highlight Viewer (Windows Live Toolbar)
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{A9BDCA6B-3653-467B-AC83-94367DA3BFE3}" = Windows Live Photo Common
"{AAAFC670-569B-4A2F-82B4-42945E0DE3EF}" = Windows Live Writer
"{AC599724-5755-48C1-ABE7-ABB857652930}" = PC Connectivity Solution
"{AC76BA86-7AD7-1033-7B44-A95000000001}" = Adobe Reader 9.5.0
"{AF844339-2F8A-4593-81B3-9F4C54038C4E}" = Windows Live MIME IFilter
"{B0069CFA-5BB9-4C03-B1C6-89CE290E5AFE}" = HP Update
"{BAD8CA9C-77C0-4663-B00B-A8D3B13C341B}" = Motorola Phone Tools
"{C66824E4-CBB3-4851-BB3F-E8CFD6350923}" = Windows Live Mail
"{C7EEF2B9-8C16-4A04-B98D-B1A952A47E55}" = Linksys Wireless-G USB Network Adapter
"{CD95D125-2992-4858-B3EF-5F6FB52FBAD6}" = Skype Toolbars
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CE95A79E-E4FC-4FFF-8A75-29F04B942FF2}" = Windows Live UX Platform
"{CF53CF7C-D996-43EB-9904-DBED57C25625}" = Citrix online plug-in (DV)
"{D0795B21-0CDA-4a92-AB9E-6E92D8111E44}" = SAMSUNG USB Driver for Mobile Phones
"{D436F577-1695-4D2F-8B44-AC76C99E0002}" = Windows Live Photo Common
"{D45240D3-B6B3-4FF9-B243-54ECE3E10066}" = Windows Live Communications Platform
"{D8CE69B0-9274-4b8c-BA49-0FF6A20A3C65}" = SAMSUNG SYMBIAN USB Download Driver
"{DDC8BDEE-DCAC-404D-8257-3E8D4B782467}" = Windows Live Writer Resources
"{E09C4DB7-630C-4F06-A631-8EA7239923AF}" = D3DX10
"{E3BFEE55-39E2-4BE0-B966-89FE583822C1}" = Dell Support Center
"{E633D396-5188-4E9D-8F6B-BFB8BF3467E8}" = Skype™ 5.0
"{E646DCF0-5A68-11D5-B229-002078017FBF}" = Digital Line Detect
"{E7E84E23-C5C0-4B15-B13A-C63149E59C98}" = AVG 2012
"{EB4DF488-AAEF-406F-A341-CB2AAA315B90}" = Windows Live Messenger
"{F084395C-40FB-4DB3-981C-B51E74E1E83D}" = Smart Menus (Windows Live Toolbar)
"{F193FC0E-9E18-40FC-A974-509A1BDD240A}" = Samsung New PC Studio
"{F6CB42B9-F033-4152-8813-FF11DA8E6A78}" = Dell Dock
"{FE044230-9CA5-43F7-9B58-5AC5A28A1F33}" = Windows Live Essentials
"{FE51E68C-C4A7-4F74-8B09-CF61662EE304}" = ADInstruments LabChart 7.1
"3A5DEFA413DDE699DBA6EBE0A63534ACA524D30F" = Windows Driver Package - Nokia pccsmcfd (10/12/2007 6.85.4.0)
"4shared.com Toolbar" = 4shared.com Toolbar
"ActiveTouchMeetingClient" = WebEx
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player 11
"Advanced Audio FX Engine" = Advanced Audio FX Engine
"Advanced Video FX Engine" = Advanced Video FX Engine
"AVG" = AVG 2012
"Broadcom 802.11b Network Adapter" = Dell Wireless WLAN Card Utility
"CCleaner" = CCleaner
"CitrixOnlinePluginPackWeb" = Citrix online plug-in - web
"CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2C06&SUBSYS_14F1000F" = Conexant HDA D330 MDC V.92 Modem
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"conduitEngine" = Conduit Engine
"Coupon Printer for Windows5.0.0.0" = Coupon Printer for Windows
"Creative OEM002" = Laptop Integrated Webcam Driver (1.04.01.1011)
"Dell Webcam Center" = Dell Webcam Center
"Dell Webcam Manager" = Dell Webcam Manager
"DVD Decrypter" = DVD Decrypter (Remove Only)
"Google Chrome" = Google Chrome
"HP Photo Creations" = HP Photo Creations
"InstallShield_{F193FC0E-9E18-40FC-A974-509A1BDD240A}" = Samsung New PC Studio
"Intelli-studio" = SAMSUNG Intelli-studio
"Marvell Miniport Driver" = Marvell Miniport Driver
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Mozilla Firefox (3.6.12)" = Mozilla Firefox (3.6.12)
"Network MagicUninstall" = Network Magic
"Online_Radio_India Toolbar" = Online Radio India Toolbar
"TVUPlayer" = TVUPlayer 2.5.3.1
"Veetle TV" = Veetle TV 0.9.17
"WinLiveSuite" = Windows Live Essentials
"Yahoo! Companion" = Yahoo! Toolbar
"Yahoo! Software Update" = Yahoo! Software Update
"Zynga Toolbar" = Zynga Toolbar

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 2/10/2011 12:42:06 PM | Computer Name = Delvin-PC | Source = LoadPerf | ID = 3002
Description =

Error - 2/10/2011 4:10:00 PM | Computer Name = Delvin-PC | Source = EventSystem | ID = 4622
Description =

Error - 3/10/2011 3:58:15 AM | Computer Name = Delvin-PC | Source = LoadPerf | ID = 3002
Description =

Error - 3/10/2011 5:54:28 AM | Computer Name = Delvin-PC | Source = EventSystem | ID = 4621
Description =

Error - 3/10/2011 11:24:03 AM | Computer Name = Delvin-PC | Source = LoadPerf | ID = 3002
Description =

Error - 3/10/2011 4:29:38 PM | Computer Name = Delvin-PC | Source = EventSystem | ID = 4621
Description =

Error - 3/10/2011 10:46:14 PM | Computer Name = Delvin-PC | Source = LoadPerf | ID = 3002
Description =

Error - 4/10/2011 3:36:16 AM | Computer Name = Delvin-PC | Source = LoadPerf | ID = 3002
Description =

Error - 4/10/2011 6:46:42 AM | Computer Name = Delvin-PC | Source = EventSystem | ID = 4621
Description =

Error - 4/10/2011 12:06:44 PM | Computer Name = Delvin-PC | Source = LoadPerf | ID = 3002
Description =

[ Broadcom Wireless LAN Events ]
Error - 24/9/2011 1:02:27 PM | Computer Name = Delvin-PC | Source = WLAN-Tray | ID = 0
Description = 01:02:27, Sun, Sep 25, 11 Error - User "" does not have administrative
privileges on this system

Error - 12/10/2011 6:53:35 AM | Computer Name = Delvin-PC | Source = WLAN-Tray | ID = 0
Description = 18:53:35, Wed, Oct 12, 11 Error - User "" does not have administrative
privileges on this system

Error - 11/12/2011 1:30:31 AM | Computer Name = Delvin-PC | Source = WLAN-Tray | ID = 0
Description = 13:30:31, Sun, Dec 11, 11 Error - User "" does not have administrative
privileges on this system

[ System Events ]
Error - 2/4/2012 3:40:05 AM | Computer Name = Delvin-PC | Source = Service Control Manager | ID = 7023
Description =

Error - 2/4/2012 3:40:05 AM | Computer Name = Delvin-PC | Source = Service Control Manager | ID = 7001
Description =

Error - 2/4/2012 3:40:05 AM | Computer Name = Delvin-PC | Source = Service Control Manager | ID = 7000
Description =

Error - 2/4/2012 3:40:05 AM | Computer Name = Delvin-PC | Source = Service Control Manager | ID = 7023
Description =

Error - 2/4/2012 3:40:05 AM | Computer Name = Delvin-PC | Source = Service Control Manager | ID = 7023
Description =

Error - 2/4/2012 3:40:05 AM | Computer Name = Delvin-PC | Source = Service Control Manager | ID = 7023
Description =

Error - 2/4/2012 3:40:05 AM | Computer Name = Delvin-PC | Source = Service Control Manager | ID = 7023
Description =

Error - 2/4/2012 3:40:53 AM | Computer Name = Delvin-PC | Source = Service Control Manager | ID = 7022
Description =

Error - 2/4/2012 3:41:58 AM | Computer Name = Delvin-PC | Source = Service Control Manager | ID = 7034
Description =

Error - 2/4/2012 4:16:47 AM | Computer Name = Delvin-PC | Source = iaStor | ID = 262153
Description = The device, \Device\Ide\iaStor0, did not respond within the timeout
period.


< End of report >
DelvinNg
Regular Member
 
Posts: 40
Joined: March 30th, 2012, 6:34 am

Re: Rootkit infection: IRP hook

Unread postby DelvinNg » April 2nd, 2012, 5:02 am

The contents of the aswMBR.txt log:

aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-04-02 16:25:53
-----------------------------
16:25:53.536 OS Version: Windows 6.0.6002 Service Pack 2
16:25:53.536 Number of processors: 2 586 0xF0D
16:25:53.536 ComputerName: DELVIN-PC UserName: Delvin
16:25:55.127 Initialize success
16:28:14.104 AVAST engine defs: 12040101
16:29:45.993 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0
16:29:45.993 Disk 0 Vendor: WDC_WD16 11.0 Size: 152627MB BusType: 3
16:29:46.025 Disk 0 MBR read successfully
16:29:46.025 Disk 0 MBR scan
16:29:46.040 Disk 0 Windows VISTA default MBR code
16:29:46.040 Disk 0 Partition 1 00 DE Dell Utility Dell 8.0 94 MB offset 63
16:29:46.087 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 10240 MB offset 194560
16:29:46.103 Disk 0 Partition 3 80 (A) 07 HPFS/NTFS NTFS 139730 MB offset 21166080
16:29:46.118 Disk 0 Partition - 00 0F Extended LBA 2560 MB offset 307335168
16:29:46.149 Disk 0 Partition 4 00 DD MSDOS5.0 2559 MB offset 307337216
16:29:46.165 Disk 0 scanning sectors +312578048
16:29:46.227 Disk 0 scanning C:\Windows\system32\drivers
16:30:00.439 Service scanning
16:30:29.406 Modules scanning
16:30:36.161 Disk 0 trace - called modules:
16:30:36.192 ntkrnlpa.exe CLASSPNP.SYS disk.sys iastor.sys hal.dll
16:30:36.192 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x85d49468]
16:30:36.192 3 CLASSPNP.SYS[8b5ab8b3] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-0[0x85289030]
16:30:38.314 AVAST engine scan C:\Windows
16:30:41.106 AVAST engine scan C:\Windows\system32
16:35:35.451 AVAST engine scan C:\Windows\system32\drivers
16:36:03.090 AVAST engine scan C:\Users\Delvin
16:51:43.723 AVAST engine scan C:\ProgramData
16:58:44.579 Scan finished successfully
17:00:16.801 Disk 0 MBR has been saved successfully to "C:\Users\Delvin\Desktop\MBR.dat"
17:00:16.817 The log file has been saved successfully to "C:\Users\Delvin\Desktop\aswMBR.txt"
DelvinNg
Regular Member
 
Posts: 40
Joined: March 30th, 2012, 6:34 am

Re: Rootkit infection: IRP hook

Unread postby mambass » April 2nd, 2012, 8:53 pm

Hi DelvinNg, :)

Please print these instructions because you will not have access to the Internet while performing some of the tasks below.

  1. Scan your system using GMER

    IMPORTANT: These types of scans can produce false positives. DO NOT take any action on any "<--- ROOTKIT" entries unless advised by a trained Security Analyst.

    1. Click here to download GMER by GMER and save it to your Desktop. The program will be saved using a random filename such as a123bc4d.exe but the program's icon will appear as Image
    2. Close all applications (including this browser).
      • Note: Do not run any other applications while GMER is running.
    3. Right-click the GMER icon on your desktop and select Run As Administrator to run the program.
    4. Click NO if GMER displays a warning about rootkit activity and asks if you want to run a scan.
    5. Uncheck (untick) the following items in the right panel of the GMER window:
      • IAT/EAT
      • Drives/Partition other than the System drive (which is typically C:\)
      • Show all <<< make sure this one is unchecked (unticked)

    6. Click the Scan button.
      • The scan may take a while to run so please be patient.
      • Remember not to run any other application while the GMER scan is running.
      • While running, the Scan button that you clicked to begin the scan will be relabeled Stop. This button will be relabeled back to Scan upon completion of the scan.
      • Wait for the scan to complete.
    7. Click the Save… button and then type "Gmer.txt" in the filename area (include the quotation marks in the filename) and save the file to your Desktop.
    8. Close the GMER window.
    9. Include the contents of the Gmer.txt log in your reply.

  2. TDSSKiller
    1. Click here to download TDSSKiller and save it to your Desktop.
    2. Right-click the TDSSKiller.exe icon on your Desktop and select Run As Administrator to launch it.
    3. Click on Start Scan, to start the scan.
    4. When the scan has finished, if it finds anything where "Cure" is an option, please click on the drop-down arrow next to Cure and select Skip.
    5. Now click on Report to open the log file created by TDSSKiller in your root directory C:\
    6. To find the log go to Start > Computer > C:
    7. Post the contents of that log in your next reply please.
    8. DO NOT TRY TO FIX (CURE) ANYTHING AT THIS POINT

  3. Question concerning Anti-virus warning
    In your initial post you stated
    My anti-virus scan and anti-rootkit scan cannot seem to get rid of the IRP infection due to object being white-listed.
    Could you please provide the entire text of the message and identify the file which it indicated was white-listed?

  4. Malware symptoms
    Please mention in your reply how your computer is running and any Malware symptoms that are still present.


Please include in your reply (post separate replies if more convenient):
  1. The text of any error messages and/or a description of any problems you encountered while performing these steps.
  2. The contents of the Gmer.txt log.
  3. The contents of the TDSSKiller log.
  4. The full text of the Anti-virus message and the file specification of the white-listed file.
  5. A description of how your computer is running and any Malware symptoms that are present.


mambass
Retired Graduate
 
Posts: 826
Joined: April 23rd, 2010, 9:26 am

Re: Rootkit infection: IRP hook

Unread postby DelvinNg » April 2nd, 2012, 10:09 pm

The contents of the Gmer.txt log:

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-04-03 10:07:14
Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 WDC_WD16 rev.11.0
Running: mkoc00xv.exe; Driver: C:\Users\Delvin\AppData\Local\Temp\pxdirpob.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwOpenProcess [0xADE69F3C]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateProcess [0xADE69FE4]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateThread [0xADE6A080]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwWriteVirtualMemory [0xADE6A11C]

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!KeSetEvent + 3F1 81EB4B74 4 Bytes [3C, 9F, E6, AD] {CMP AL, 0x9f; OUT 0xad, AL}
.text ntkrnlpa.exe!KeSetEvent + 621 81EB4DA4 8 Bytes [E4, 9F, E6, AD, 80, A0, E6, ...]
.text ntkrnlpa.exe!KeSetEvent + 681 81EB4E04 4 Bytes [1C, A1, E6, AD] {SBB AL, 0xa1; OUT 0xad, AL}

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001fe2de3da9
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001fe2de3da9@0017e405a7f3 0x73 0x68 0x31 0x93 ...
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\001fe2de3da9 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\001fe2de3da9@0017e405a7f3 0x73 0x68 0x31 0x93 ...
Reg HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Debug@StoreLocation C:\ProgramData\Microsoft\Windows\WER\ReportQueue\Report14ddf0a7

---- Files - GMER 1.0.15 ----

File C:\Windows\Temp\WER8C79.tmp.version.txt 0 bytes
File C:\Windows\Temp\WER8C7A.tmp.appcompat.txt 0 bytes
File C:\Windows\Temp\WER8C9A.tmp.hdmp 0 bytes

---- EOF - GMER 1.0.15 ----
DelvinNg
Regular Member
 
Posts: 40
Joined: March 30th, 2012, 6:34 am

Re: Rootkit infection: IRP hook

Unread postby DelvinNg » April 2nd, 2012, 10:16 pm

The contents of the TDSSKiller log:

10:10:56.0427 4468 TDSS rootkit removing tool 2.7.24.0 Apr 2 2012 10:31:48
10:10:57.0027 4468 ============================================================
10:10:57.0027 4468 Current date / time: 2012/04/03 10:10:57.0027
10:10:57.0027 4468 SystemInfo:
10:10:57.0027 4468
10:10:57.0027 4468 OS Version: 6.0.6002 ServicePack: 2.0
10:10:57.0027 4468 Product type: Workstation
10:10:57.0027 4468 ComputerName: DELVIN-PC
10:10:57.0027 4468 UserName: Delvin
10:10:57.0027 4468 Windows directory: C:\Windows
10:10:57.0027 4468 System windows directory: C:\Windows
10:10:57.0027 4468 Processor architecture: Intel x86
10:10:57.0027 4468 Number of processors: 2
10:10:57.0027 4468 Page size: 0x1000
10:10:57.0027 4468 Boot type: Normal boot
10:10:57.0027 4468 ============================================================
10:10:57.0517 4468 Drive \Device\Harddisk0\DR0 - Size: 0x25433D6000 (149.05 Gb), SectorSize: 0x200, Cylinders: 0x4C01, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000050
10:10:57.0517 4468 \Device\Harddisk0\DR0:
10:10:57.0517 4468 MBR used
10:10:57.0527 4468 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x2F800, BlocksNum 0x1400000
10:10:57.0527 4468 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x142F800, BlocksNum 0x110E97F8
10:10:57.0627 4468 Initialize success
10:10:57.0627 4468 ============================================================
10:11:20.0811 3900 ============================================================
10:11:20.0811 3900 Scan started
10:11:20.0811 3900 Mode: Manual;
10:11:20.0811 3900 ============================================================
10:11:21.0411 3900 ACPI (82b296ae1892fe3dbee00c9cf92f8ac7) C:\Windows\system32\drivers\acpi.sys
10:11:21.0411 3900 ACPI - ok
10:11:21.0481 3900 adp94xx (04f0fcac69c7c71a3ac4eb97fafc8303) C:\Windows\system32\drivers\adp94xx.sys
10:11:21.0491 3900 adp94xx - ok
10:11:21.0521 3900 adpahci (60505e0041f7751bdbb80f88bf45c2ce) C:\Windows\system32\drivers\adpahci.sys
10:11:21.0531 3900 adpahci - ok
10:11:21.0561 3900 adpu160m (8a42779b02aec986eab64ecfc98f8bd7) C:\Windows\system32\drivers\adpu160m.sys
10:11:21.0571 3900 adpu160m - ok
10:11:21.0611 3900 adpu320 (241c9e37f8ce45ef51c3de27515ca4e5) C:\Windows\system32\drivers\adpu320.sys
10:11:21.0611 3900 adpu320 - ok
10:11:21.0651 3900 AeLookupSvc (9d1fda9e086ba64e3c93c9de32461bcf) C:\Windows\System32\aelupsvc.dll
10:11:21.0661 3900 AeLookupSvc - ok
10:11:21.0731 3900 AESTFilters (ef1142512bec12f1c2c87735da1755be) C:\Windows\system32\aestsrv.exe
10:11:21.0731 3900 AESTFilters - ok
10:11:21.0841 3900 AFD (3911b972b55fea0478476b2e777b29fa) C:\Windows\system32\drivers\afd.sys
10:11:21.0841 3900 AFD - ok
10:11:21.0921 3900 agp440 (13f9e33747e6b41a3ff305c37db0d360) C:\Windows\system32\drivers\agp440.sys
10:11:21.0921 3900 agp440 - ok
10:11:21.0971 3900 aic78xx (ae1fdf7bf7bb6c6a70f67699d880592a) C:\Windows\system32\drivers\djsvs.sys
10:11:21.0971 3900 aic78xx - ok
10:11:22.0001 3900 ALG (a1545b731579895d8cc44fc0481c1192) C:\Windows\System32\alg.exe
10:11:22.0011 3900 ALG - ok
10:11:22.0041 3900 aliide (9eaef5fc9b8e351afa7e78a6fae91f91) C:\Windows\system32\drivers\aliide.sys
10:11:22.0041 3900 aliide - ok
10:11:22.0091 3900 amdagp (c47344bc706e5f0b9dce369516661578) C:\Windows\system32\drivers\amdagp.sys
10:11:22.0091 3900 amdagp - ok
10:11:22.0121 3900 amdide (9b78a39a4c173fdbc1321e0dd659b34c) C:\Windows\system32\drivers\amdide.sys
10:11:22.0121 3900 amdide - ok
10:11:22.0141 3900 AmdK7 (18f29b49ad23ecee3d2a826c725c8d48) C:\Windows\system32\drivers\amdk7.sys
10:11:22.0141 3900 AmdK7 - ok
10:11:22.0171 3900 AmdK8 (93ae7f7dd54ab986a6f1a1b37be7442d) C:\Windows\system32\drivers\amdk8.sys
10:11:22.0171 3900 AmdK8 - ok
10:11:22.0271 3900 ApfiltrService (a80230bd04f0b8bf05185b369bb1cbb8) C:\Windows\system32\DRIVERS\Apfiltr.sys
10:11:22.0271 3900 ApfiltrService - ok
10:11:22.0351 3900 Appinfo (c6d704c7f0434dc791aac37cac4b6e14) C:\Windows\System32\appinfo.dll
10:11:22.0351 3900 Appinfo - ok
10:11:22.0411 3900 arc (5d2888182fb46632511acee92fdad522) C:\Windows\system32\drivers\arc.sys
10:11:22.0411 3900 arc - ok
10:11:22.0491 3900 arcsas (5e2a321bd7c8b3624e41fdec3e244945) C:\Windows\system32\drivers\arcsas.sys
10:11:22.0491 3900 arcsas - ok
10:11:22.0531 3900 AsyncMac (53b202abee6455406254444303e87be1) C:\Windows\system32\DRIVERS\asyncmac.sys
10:11:22.0531 3900 AsyncMac - ok
10:11:22.0561 3900 atapi (1f05b78ab91c9075565a9d8a4b880bc4) C:\Windows\system32\drivers\atapi.sys
10:11:22.0561 3900 atapi - ok
10:11:22.0661 3900 atashost (1941d70c83bdff19a5f47043a5883678) C:\Windows\system32\atashost.exe
10:11:22.0671 3900 atashost - ok
10:11:22.0761 3900 AudioEndpointBuilder (68e2a1a0407a66cf50da0300852424ab) C:\Windows\System32\Audiosrv.dll
10:11:22.0761 3900 AudioEndpointBuilder - ok
10:11:22.0791 3900 Audiosrv (68e2a1a0407a66cf50da0300852424ab) C:\Windows\System32\Audiosrv.dll
10:11:22.0791 3900 Audiosrv - ok
10:11:23.0061 3900 AVGIDSAgent (6d440ff3f44ca72edfd6176c6d6a89c0) C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
10:11:23.0191 3900 AVGIDSAgent - ok
10:11:23.0291 3900 AVGIDSDriver (4cbb56fbc9c0cbc517e6e3a6889ebddc) C:\Windows\system32\DRIVERS\AVGIDSDriver.Sys
10:11:23.0291 3900 AVGIDSDriver - ok
10:11:23.0351 3900 AVGIDSEH (459bce188232e2fe6152423efef65d76) C:\Windows\system32\DRIVERS\AVGIDSEH.Sys
10:11:23.0351 3900 AVGIDSEH - ok
10:11:23.0371 3900 AVGIDSFilter (91d9abe7e88eac7c167cba4ed4d983bf) C:\Windows\system32\DRIVERS\AVGIDSFilter.Sys
10:11:23.0371 3900 AVGIDSFilter - ok
10:11:23.0411 3900 AVGIDSShim (3fc2714e185c04308215d46730d41a94) C:\Windows\system32\DRIVERS\AVGIDSShim.Sys
10:11:23.0411 3900 AVGIDSShim - ok
10:11:23.0441 3900 Avgldx86 (bf8118cd5e2255387b715b534d64acd1) C:\Windows\system32\DRIVERS\avgldx86.sys
10:11:23.0451 3900 Avgldx86 - ok
10:11:23.0471 3900 Avgmfx86 (1c77ef67f196466adc9924cb288afe87) C:\Windows\system32\DRIVERS\avgmfx86.sys
10:11:23.0471 3900 Avgmfx86 - ok
10:11:23.0561 3900 Avgrkx86 (f2038ed7284b79dcef581468121192a9) C:\Windows\system32\DRIVERS\avgrkx86.sys
10:11:23.0561 3900 Avgrkx86 - ok
10:11:23.0641 3900 Avgtdix (a6d562b612216d8d02a35ebeb92366bd) C:\Windows\system32\DRIVERS\avgtdix.sys
10:11:23.0651 3900 Avgtdix - ok
10:11:23.0791 3900 avgwd (6699ece24fe4b3f752a66c66a602ee86) C:\Program Files\AVG\AVG2012\avgwdsvc.exe
10:11:23.0791 3900 avgwd - ok
10:11:58.0511 3900 stisvc - ok
10:11:58.0621 3900 swenum (7ba58ecf0c0a9a69d44b3dca62becf56) C:\Windows\system32\DRIVERS\swenum.sys
10:11:58.0621 3900 swenum - ok
10:11:58.0721 3900 swprv (f21fd248040681cca1fb6c9a03aaa93d) C:\Windows\System32\swprv.dll
10:11:58.0731 3900 swprv - ok
10:11:58.0831 3900 Symc8xx (192aa3ac01df071b541094f251deed10) C:\Windows\system32\drivers\symc8xx.sys
10:11:58.0831 3900 Symc8xx - ok
10:11:58.0921 3900 Sym_hi (8c8eb8c76736ebaf3b13b633b2e64125) C:\Windows\system32\drivers\sym_hi.sys
10:11:58.0921 3900 Sym_hi - ok
10:11:59.0001 3900 Sym_u3 (8072af52b5fd103bbba387a1e49f62cb) C:\Windows\system32\drivers\sym_u3.sys
10:11:59.0001 3900 Sym_u3 - ok
10:11:59.0111 3900 SysMain (9a51b04e9886aa4ee90093586b0ba88d) C:\Windows\system32\sysmain.dll
10:11:59.0131 3900 SysMain - ok
10:11:59.0351 3900 TabletInputService (3a0c1787dfe2ee4c62ec1d0fefdc32e2) C:\Windows\System32\TabSvc.dll
10:11:59.0351 3900 TabletInputService - ok
10:11:59.0421 3900 TapiSrv (d7673e4b38ce21ee54c59eeeb65e2483) C:\Windows\System32\tapisrv.dll
10:11:59.0431 3900 TapiSrv - ok
10:11:59.0511 3900 TBS (cb05822cd9cc6c688168e113c603dbe7) C:\Windows\System32\tbssvc.dll
10:11:59.0511 3900 TBS - ok
10:11:59.0651 3900 Tcpip (814a1c66fbd4e1b310a517221f1456bf) C:\Windows\system32\drivers\tcpip.sys
10:11:59.0651 3900 Tcpip - ok
10:11:59.0791 3900 Tcpip6 (814a1c66fbd4e1b310a517221f1456bf) C:\Windows\system32\DRIVERS\tcpip.sys
10:11:59.0801 3900 Tcpip6 - ok
10:11:59.0891 3900 tcpipreg (608c345a255d82a6289c2d468eb41fd7) C:\Windows\system32\drivers\tcpipreg.sys
10:11:59.0891 3900 tcpipreg - ok
10:11:59.0961 3900 TDPIPE (5dcf5e267be67a1ae926f2df77fbcc56) C:\Windows\system32\drivers\tdpipe.sys
10:11:59.0961 3900 TDPIPE - ok
10:12:00.0031 3900 TDTCP (389c63e32b3cefed425b61ed92d3f021) C:\Windows\system32\drivers\tdtcp.sys
10:12:00.0041 3900 TDTCP - ok
10:12:00.0131 3900 tdx (76b06eb8a01fc8624d699e7045303e54) C:\Windows\system32\DRIVERS\tdx.sys
10:12:00.0141 3900 tdx - ok
10:12:00.0241 3900 TermDD (3cad38910468eab9a6479e2f01db43c7) C:\Windows\system32\DRIVERS\termdd.sys
10:12:00.0241 3900 TermDD - ok
10:12:00.0331 3900 TermService (bb95da09bef6e7a131bff3ba5032090d) C:\Windows\System32\termsrv.dll
10:12:00.0351 3900 TermService - ok
10:12:00.0471 3900 Themes (c7230fbee14437716701c15be02c27b8) C:\Windows\system32\shsvcs.dll
10:12:00.0471 3900 Themes - ok
10:12:00.0551 3900 THREADORDER (1076ffcffaae8385fd62dfcb25ac4708) C:\Windows\system32\mmcss.dll
10:12:00.0551 3900 THREADORDER - ok
10:12:00.0591 3900 TrkWks (467ae88eabcfa17ec8a3e7fa907c7ce3) C:\Windows\System32\trkwks.dll
10:12:00.0591 3900 TrkWks - ok
10:12:00.0671 3900 TrustedInstaller (97d9d6a04e3ad9b6c626b9931db78dba) C:\Windows\servicing\TrustedInstaller.exe
10:12:00.0671 3900 TrustedInstaller - ok
10:12:00.0751 3900 tssecsrv (dcf0f056a2e4f52287264f5ab29cf206) C:\Windows\system32\DRIVERS\tssecsrv.sys
10:12:00.0751 3900 tssecsrv - ok
10:12:00.0821 3900 tunmp (caecc0120ac49e3d2f758b9169872d38) C:\Windows\system32\DRIVERS\tunmp.sys
10:12:00.0821 3900 tunmp - ok
10:12:00.0951 3900 tunnel (300db877ac094feab0be7688c3454a9c) C:\Windows\system32\DRIVERS\tunnel.sys
10:12:00.0951 3900 tunnel - ok
10:12:01.0041 3900 uagp35 (7d33c4db2ce363c8518d2dfcf533941f) C:\Windows\system32\drivers\uagp35.sys
10:12:01.0051 3900 uagp35 - ok
10:12:01.0151 3900 udfs (d9728af68c4c7693cb100b8441cbdec6) C:\Windows\system32\DRIVERS\udfs.sys
10:12:01.0161 3900 udfs - ok
10:12:01.0261 3900 UI0Detect (ecef404f62863755951e09c802c94ad5) C:\Windows\system32\UI0Detect.exe
10:12:01.0261 3900 UI0Detect - ok
10:12:01.0351 3900 uliagpkx (b0acfdc9e4af279e9116c03e014b2b27) C:\Windows\system32\drivers\uliagpkx.sys
10:12:01.0351 3900 uliagpkx - ok
10:12:01.0451 3900 uliahci (9224bb254f591de4ca8d572a5f0d635c) C:\Windows\system32\drivers\uliahci.sys
10:12:01.0461 3900 uliahci - ok
10:12:01.0561 3900 UlSata (8514d0e5cd0534467c5fc61be94a569f) C:\Windows\system32\drivers\ulsata.sys
10:12:01.0571 3900 UlSata - ok
10:12:01.0661 3900 ulsata2 (38c3c6e62b157a6bc46594fada45c62b) C:\Windows\system32\drivers\ulsata2.sys
10:12:01.0661 3900 ulsata2 - ok
10:12:01.0761 3900 umbus (32cff9f809ae9aed85464492bf3e32d2) C:\Windows\system32\DRIVERS\umbus.sys
10:12:01.0761 3900 umbus - ok
10:12:01.0851 3900 upnphost (68308183f4ae0be7bf8ecd07cb297999) C:\Windows\System32\upnphost.dll
10:12:01.0861 3900 upnphost - ok
10:12:01.0991 3900 usbccgp (caf811ae4c147ffcd5b51750c7f09142) C:\Windows\system32\DRIVERS\usbccgp.sys
10:12:02.0001 3900 usbccgp - ok
10:12:02.0101 3900 usbcir (e9476e6c486e76bc4898074768fb7131) C:\Windows\system32\drivers\usbcir.sys
10:12:02.0101 3900 usbcir - ok
10:12:02.0321 3900 usbehci (79e96c23a97ce7b8f14d310da2db0c9b) C:\Windows\system32\DRIVERS\usbehci.sys
10:12:02.0321 3900 usbehci - ok
10:12:02.0421 3900 usbhub (4673bbcb006af60e7abddbe7a130ba42) C:\Windows\system32\DRIVERS\usbhub.sys
10:12:02.0421 3900 usbhub - ok
10:12:02.0511 3900 usbohci (38dbc7dd6cc5a72011f187425384388b) C:\Windows\system32\drivers\usbohci.sys
10:12:02.0511 3900 usbohci - ok
10:12:02.0591 3900 usbprint (e75c4b5269091d15a2e7dc0b6d35f2f5) C:\Windows\system32\DRIVERS\usbprint.sys
10:12:02.0591 3900 usbprint - ok
10:12:02.0731 3900 usbscan (a508c9bd8724980512136b039bba65e9) C:\Windows\system32\DRIVERS\usbscan.sys
10:12:02.0731 3900 usbscan - ok
10:12:02.0841 3900 USBSTOR (be3da31c191bc222d9ad503c5224f2ad) C:\Windows\system32\DRIVERS\USBSTOR.SYS
10:12:02.0841 3900 USBSTOR - ok
10:12:02.0941 3900 usbuhci (814d653efc4d48be3b04a307eceff56f) C:\Windows\system32\DRIVERS\usbuhci.sys
10:12:02.0941 3900 usbuhci - ok
10:12:03.0031 3900 UxSms (1509e705f3ac1d474c92454a5c2dd81f) C:\Windows\System32\uxsms.dll
10:12:03.0041 3900 UxSms - ok
10:12:03.0101 3900 vds (cd88d1b7776dc17a119049742ec07eb4) C:\Windows\System32\vds.exe
10:12:03.0121 3900 vds - ok
10:12:03.0231 3900 vga (87b06e1f30b749a114f74622d013f8d4) C:\Windows\system32\DRIVERS\vgapnp.sys
10:12:03.0231 3900 vga - ok
10:12:03.0301 3900 VgaSave (2e93ac0a1d8c79d019db6c51f036636c) C:\Windows\System32\drivers\vga.sys
10:12:03.0311 3900 VgaSave - ok
10:12:03.0331 3900 viaagp (5d7159def58a800d5781ba3a879627bc) C:\Windows\system32\drivers\viaagp.sys
10:12:03.0331 3900 viaagp - ok
10:12:03.0421 3900 ViaC7 (c4f3a691b5bad343e6249bd8c2d45dee) C:\Windows\system32\drivers\viac7.sys
10:12:03.0421 3900 ViaC7 - ok
10:12:03.0521 3900 viaide (aadf5587a4063f52c2c3fed7887426fc) C:\Windows\system32\drivers\viaide.sys
10:12:03.0521 3900 viaide - ok
10:12:03.0591 3900 volmgr (69503668ac66c77c6cd7af86fbdf8c43) C:\Windows\system32\drivers\volmgr.sys
10:12:03.0591 3900 volmgr - ok
10:12:03.0661 3900 volmgrx (23e41b834759917bfd6b9a0d625d0c28) C:\Windows\system32\drivers\volmgrx.sys
10:12:03.0661 3900 volmgrx - ok
10:12:03.0781 3900 volsnap (147281c01fcb1df9252de2a10d5e7093) C:\Windows\system32\drivers\volsnap.sys
10:12:03.0781 3900 volsnap - ok
10:12:03.0881 3900 vsmraid (587253e09325e6bf226b299774b728a9) C:\Windows\system32\drivers\vsmraid.sys
10:12:03.0881 3900 vsmraid - ok
10:12:04.0001 3900 VSS (db3d19f850c6eb32bdcb9bc0836acddb) C:\Windows\system32\vssvc.exe
10:12:04.0031 3900 VSS - ok
10:12:04.0131 3900 W32Time (96ea68b9eb310a69c25ebb0282b2b9de) C:\Windows\system32\w32time.dll
10:12:04.0141 3900 W32Time - ok
10:12:04.0271 3900 WacomPen (48dfee8f1af7c8235d4e626f0c4fe031) C:\Windows\system32\drivers\wacompen.sys
10:12:04.0271 3900 WacomPen - ok
10:12:04.0371 3900 Wanarp (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys
10:12:04.0371 3900 Wanarp - ok
10:12:04.0381 3900 Wanarpv6 (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys
10:12:04.0381 3900 Wanarpv6 - ok
10:12:04.0501 3900 wcncsvc (a3cd60fd826381b49f03832590e069af) C:\Windows\System32\wcncsvc.dll
10:12:04.0521 3900 wcncsvc - ok
10:12:04.0621 3900 WcsPlugInService (11bcb7afcdd7aadacb5746f544d3a9c7) C:\Windows\System32\WcsPlugInService.dll
10:12:04.0621 3900 WcsPlugInService - ok
10:12:04.0721 3900 Wd (78fe9542363f297b18c027b2d7e7c07f) C:\Windows\system32\drivers\wd.sys
10:12:04.0721 3900 Wd - ok
10:12:04.0831 3900 Wdf01000 (b6f0a7ad6d4bd325fbcd8bac96cd8d96) C:\Windows\system32\drivers\Wdf01000.sys
10:12:04.0831 3900 Wdf01000 - ok
10:12:04.0911 3900 WdiServiceHost (b8fcc9948d9af748fa47d66934986dbe) C:\Windows\system32\wdi.dll
10:12:04.0921 3900 WdiServiceHost - ok
10:12:04.0921 3900 WdiSystemHost (b8fcc9948d9af748fa47d66934986dbe) C:\Windows\system32\wdi.dll
10:12:04.0931 3900 WdiSystemHost - ok
10:12:05.0031 3900 WebClient (04c37d8107320312fbae09926103d5e2) C:\Windows\System32\webclnt.dll
10:12:05.0041 3900 WebClient - ok
10:12:05.0141 3900 Wecsvc (ae3736e7e8892241c23e4ebbb7453b60) C:\Windows\system32\wecsvc.dll
10:12:05.0151 3900 Wecsvc - ok
10:12:05.0251 3900 wercplsupport (670ff720071ed741206d69bd995ea453) C:\Windows\System32\wercplsupport.dll
10:12:05.0261 3900 wercplsupport - ok
10:12:05.0361 3900 WerSvc (32b88481d3b326da6deb07b1d03481e7) C:\Windows\System32\WerSvc.dll
10:12:05.0371 3900 WerSvc - ok
10:12:05.0491 3900 winachsf (72cc6a8ca7891031d6380db5025c773c) C:\Windows\system32\DRIVERS\HSX_CNXT.sys
10:12:05.0491 3900 winachsf - ok
10:12:05.0581 3900 WinDefend (4575aa12561c5648483403541d0d7f2b) C:\Program Files\Windows Defender\mpsvc.dll
10:12:05.0581 3900 WinDefend - ok
10:12:05.0591 3900 WinHttpAutoProxySvc - ok
10:12:05.0721 3900 Winmgmt (6b2a1d0e80110e3d04e6863c6e62fd8a) C:\Windows\system32\wbem\WMIsvc.dll
10:12:05.0731 3900 Winmgmt - ok
10:12:05.0851 3900 WinRM (7cfe68bdc065e55aa5e8421607037511) C:\Windows\system32\WsmSvc.dll
10:12:05.0891 3900 WinRM - ok
10:12:05.0991 3900 Wlansvc (c008405e4feeb069e30da1d823910234) C:\Windows\System32\wlansvc.dll
10:12:06.0011 3900 Wlansvc - ok
10:12:06.0201 3900 wlidsvc (0a70f4022ec2e14c159efc4f69aa2477) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
10:12:06.0251 3900 wlidsvc - ok
10:12:06.0361 3900 wltrysvc - ok
10:12:06.0441 3900 WmiAcpi (2e7255d172df0b8283cdfb7b433b864e) C:\Windows\system32\DRIVERS\wmiacpi.sys
10:12:06.0441 3900 WmiAcpi - ok
10:12:06.0561 3900 wmiApSrv (43be3875207dcb62a85c8c49970b66cc) C:\Windows\system32\wbem\WmiApSrv.exe
10:12:06.0561 3900 wmiApSrv - ok
10:12:06.0661 3900 WMPNetworkSvc (3978704576a121a9204f8cc49a301a9b) C:\Program Files\Windows Media Player\wmpnetwk.exe
10:12:06.0681 3900 WMPNetworkSvc - ok
10:12:06.0791 3900 WPCSvc (cfc5a04558f5070cee3e3a7809f3ff52) C:\Windows\System32\wpcsvc.dll
10:12:06.0801 3900 WPCSvc - ok
10:12:06.0891 3900 WPDBusEnum - ok
10:12:07.0091 3900 WPFFontCache_v0400 (dcf3e3edf5109ee8bc02fe6e1f045795) C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe
10:12:07.0111 3900 WPFFontCache_v0400 - ok
10:12:07.0241 3900 ws2ifsl (e3a3cb253c0ec2494d4a61f5e43a389c) C:\Windows\system32\drivers\ws2ifsl.sys
10:12:07.0241 3900 ws2ifsl - ok
10:12:07.0381 3900 wscsvc (1ca6c40261ddc0425987980d0cd2aaab) C:\Windows\System32\wscsvc.dll
10:12:07.0381 3900 wscsvc - ok
10:12:07.0461 3900 WSearch - ok
10:12:07.0711 3900 wuauserv (6298277b73c77fa99106b271a7525163) C:\Windows\system32\wuaueng.dll
10:12:07.0791 3900 wuauserv - ok
10:12:07.0931 3900 WUDFRd (ac13cb789d93412106b0fb6c7eb2bcb6) C:\Windows\system32\DRIVERS\WUDFRd.sys
10:12:07.0931 3900 WUDFRd - ok
10:12:08.0021 3900 wudfsvc (575a4190d989f64732119e4114045a4f) C:\Windows\System32\WUDFSvc.dll
10:12:08.0021 3900 wudfsvc - ok
10:12:08.0121 3900 XAudio (dab33cfa9dd24251aaa389ff36b64d4b) C:\Windows\system32\DRIVERS\xaudio.sys
10:12:08.0121 3900 XAudio - ok
10:12:08.0231 3900 XAudioService (cd5f291a1161f15896d1a4d63daff5df) C:\Windows\system32\DRIVERS\xaudio.exe
10:12:08.0241 3900 XAudioService - ok
10:12:08.0381 3900 YahooAUService (dd0042f0c3b606a6a8b92d49afb18ad6) C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
10:12:08.0401 3900 YahooAUService - ok
10:12:08.0521 3900 yukonwlh (e745b9d5fe1fda8a50913fdcc8ff9fdc) C:\Windows\system32\DRIVERS\yk60x86.sys
10:12:08.0531 3900 yukonwlh - ok
10:12:08.0611 3900 MBR (0x1B8) (5c616939100b85e558da92b899a0fc36) \Device\Harddisk0\DR0
10:12:08.0661 3900 \Device\Harddisk0\DR0 - ok
10:12:08.0681 3900 Boot (0x1200) (644cf78f5a0a04acd94e78126e3e6f93) \Device\Harddisk0\DR0\Partition0
10:12:08.0681 3900 \Device\Harddisk0\DR0\Partition0 - ok
10:12:08.0681 3900 Boot (0x1200) (5d03193f16bb4bd992875ba4643fba9b) \Device\Harddisk0\DR0\Partition1
10:12:08.0691 3900 \Device\Harddisk0\DR0\Partition1 - ok
10:12:08.0691 3900 ============================================================
10:12:08.0691 3900 Scan finished
10:12:08.0691 3900 ============================================================
10:12:08.0701 5544 Detected object count: 0
10:12:08.0701 5544 Actual detected object count: 0
10:15:43.0219 5984 Deinitialize success
DelvinNg
Regular Member
 
Posts: 40
Joined: March 30th, 2012, 6:34 am

Re: Rootkit infection: IRP hook

Unread postby DelvinNg » April 2nd, 2012, 10:30 pm

4. The full text of the Anti-virus message and the file specification of the white-listed file.
5. A description of how your computer is running and any Malware symptoms that are present.

4. Under Rootkits scan message:
File: C:\Windows\system32\DRIVERS\HIDCLASS.SYS
Infection: IRP hook, \Driver\HidUsb IRP_MJ_SYSTEM_CONTROL -> HIDCLASS.SYS +0x2484
Result: Object is white-listed (critical/system file that should not be removed)

File: C:\Windows\system32\DRIVERS\HIDCLASS.SYS
Infection: IRP hook, \Driver\HidUsb IRP_MJ_PNP -> HIDCLASS.SYS +0x2484
Result: Object is white-listed (critical/system file that should not be removed)

5. My laptop is still having the same issues/symptoms.
One error message is "quickset.exe - Bad Image: C:\Windows\system32\Wlanapi.dll is either not designed to run on Windows or it contains an error. Try installing the program again using the original installation media or contact your system administrator or the software vendor for support".
One of the few other error messages is "Microsoft Windows: Dell Wireless WLAN Card Wireless Network Controller stopped working and was closed. A problem caused the application to stop working correctly. Windows will notify you if a solution is available." --> one main impact to me is I can't connect to wireless network.

AVG Resident Shield Alert:
File Name: c:\Users\Delvin\AppData\Roaming\Microsoft\Windows\Cookies\Low\6VKLLAKN.txt
Information: Found Tracking cookie.Serving-sys. Detected on open.
Adding to the exceptions list has failed. Object has already been cleaned or scanning has failed. md5 is not valid and PUP cannot be defined.
DelvinNg
Regular Member
 
Posts: 40
Joined: March 30th, 2012, 6:34 am

Re: Rootkit infection: IRP hook

Unread postby mambass » April 3rd, 2012, 9:26 am

Hi DelvinNg, :)

Please print these instructions because you will not have access to the Internet while performing some of the tasks below.

  1. Run a custom scan with OTL
    1. Right-click the OTL icon on your Desktop and select Run As Administrator to run the program.
    2. In the Custom Scans/Fixes box at the bottom, paste in the following lines from the Code box (Do not include the word "Code"):
      C:\hidclass.sys /md5 /s
      C:\hidusb.sys /md5 /s
      C:\vfbu.exe /md5 /s

    3. Click the None button.
    4. Click the Run Scan button at the top.
    5. A Notepad window will open when the scan completes.
    6. Copy the contents of that file and post it in your next reply. The log can also be found on your Desktop as OTL.txt.

  2. Identify system drive letter as seen within the Recovery Environment

    We need to get into the Windows Recovery Environment briefly, to verify the Drive Letter used by the Recovery Environment for the Windows System.
    It may not be the same as the usual drive letter C:
    If your Recovery Environment is pre-installed, you can get into it by tapping the F8 key as the machine boots, and choosing the option to Repair Your Computer.
    If you cannot, even after several tries, get the F8 key to bring up the System Recovery Options screen, you will need to boot from the Windows Vista disc to get to that System Recovery Options screen.
    The System Recovery screen looks like this:
    [Image: System Recovery Options screen]

    Once you get into the Recovery Environment, you need to enter it the same way for every task we do that follows, so the drive letters used will be correct.
    Please note the drive letter at the top of the window where it says Operating system: Windows on D: Local disk.
    The drive letter may not be D: and it may change if you enter the Recovery Environment using a different method.

    After you note the correct drive letter to use for your system, don't choose ANY of the Options, just hit Restart.
    Please post back and tell me what method you used to get into the Recovery Environment (either F8 or Windows CD), and what drive letter you noted.


Please include in your reply:
  1. The text of any error messages and/or a description of any problems you encountered while performing these steps.
  2. The contents of the OTL.txt log.
  3. The drive letter for the system drive as seen from within the Recovery Environment


mambass
mambass
Retired Graduate
 
Posts: 826
Joined: April 23rd, 2010, 9:26 am

Re: Rootkit infection: IRP hook

Unread postby DelvinNg » April 3rd, 2012, 12:33 pm

2. The contents of the OTL.txt log.
3. The drive letter for the system drive as seen from within the Recovery Environment

3. Using the F8 key -> Repair Your Computer method, I observed that the drive letter is C.
2.
OTL logfile created on: 4/4/2012 12:20:50 AM - Run 3
OTL by OldTimer - Version 3.2.39.2 Folder = C:\Users\Delvin\Desktop\Rootkit infection_IRP hook
Windows Vista Home Premium Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00004809 | Country: Singapore | Language: ENE | Date Format: d/M/yyyy

3.49 Gb Total Physical Memory | 2.01 Gb Available Physical Memory | 57.49% Memory free
7.17 Gb Paging File | 5.80 Gb Available in Paging File | 80.89% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 136.46 Gb Total Space | 76.22 Gb Free Space | 55.85% Space Free | Partition Type: NTFS
Drive D: | 10.00 Gb Total Space | 5.13 Gb Free Space | 51.27% Space Free | Partition Type: NTFS

Computer Name: DELVIN-PC | User Name: Delvin | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: Off | File Age = 30 Days

========== Custom Scans ==========

< C:\hidclass.sys /md5 /s >
[2009/04/11 12:42:48 | 000,039,424 | ---- | M] (Microsoft Corporation) MD5=5961CADB7CAD938368D2028725EF771D -- C:\Windows\System32\drivers\hidclass.sys
[2009/04/11 12:42:48 | 000,039,424 | ---- | M] (Microsoft Corporation) MD5=5961CADB7CAD938368D2028725EF771D -- C:\Windows\System32\DriverStore\FileRepository\input.inf_45f308e6\hidclass.sys
[2006/11/02 16:55:01 | 000,038,912 | ---- | M] (Microsoft Corporation) MD5=081655939FA6C09EEC56DA090F461ECC -- C:\Windows\System32\DriverStore\FileRepository\input.inf_53578522\hidclass.sys
[2008/01/21 10:23:26 | 000,038,912 | ---- | M] (Microsoft Corporation) MD5=04F49DDD00A26C6CA984A9B480FDAA33 -- C:\Windows\System32\DriverStore\FileRepository\input.inf_a7cfdec8\hidclass.sys
[2008/01/21 10:23:26 | 000,038,912 | ---- | M] (Microsoft Corporation) MD5=04F49DDD00A26C6CA984A9B480FDAA33 -- C:\Windows\winsxs\x86_input.inf_31bf3856ad364e35_6.0.6001.18000_none_206f99c7201dafdb\hidclass.sys
[2009/04/11 12:42:48 | 000,039,424 | ---- | M] (Microsoft Corporation) MD5=5961CADB7CAD938368D2028725EF771D -- C:\Windows\winsxs\x86_input.inf_31bf3856ad364e35_6.0.6002.18005_none_225b12d31d3f7b27\hidclass.sys

< C:\hidusb.sys /md5 /s >
[2009/04/11 12:42:48 | 000,012,800 | ---- | M] (Microsoft Corporation) MD5=CCA4B519B17E23A00B826C55716809CC -- C:\Windows\System32\drivers\hidusb.sys
[2009/04/11 12:42:48 | 000,012,800 | ---- | M] (Microsoft Corporation) MD5=CCA4B519B17E23A00B826C55716809CC -- C:\Windows\System32\DriverStore\FileRepository\input.inf_45f308e6\hidusb.sys
[2006/11/02 16:55:01 | 000,012,288 | ---- | M] (Microsoft Corporation) MD5=3C64042B95E583B366BA4E5D2450235E -- C:\Windows\System32\DriverStore\FileRepository\input.inf_53578522\hidusb.sys
[2008/01/21 10:23:26 | 000,012,288 | ---- | M] (Microsoft Corporation) MD5=854CA287AB7FAF949617A788306D967E -- C:\Windows\System32\DriverStore\FileRepository\input.inf_a7cfdec8\hidusb.sys
[2008/01/21 10:23:26 | 000,012,288 | ---- | M] (Microsoft Corporation) MD5=854CA287AB7FAF949617A788306D967E -- C:\Windows\winsxs\x86_input.inf_31bf3856ad364e35_6.0.6001.18000_none_206f99c7201dafdb\hidusb.sys
[2009/04/11 12:42:48 | 000,012,800 | ---- | M] (Microsoft Corporation) MD5=CCA4B519B17E23A00B826C55716809CC -- C:\Windows\winsxs\x86_input.inf_31bf3856ad364e35_6.0.6002.18005_none_225b12d31d3f7b27\hidusb.sys

< C:\vfbu.exe /md5 /s >

< End of report >
DelvinNg
Regular Member
 
Posts: 40
Joined: March 30th, 2012, 6:34 am
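The custom scan mambass requested makes OTL list every copy of hidclass.sys and hidusb.sys on the disk together with its MD5, so the copy Windows actually loads (System32\drivers) can be compared with the copies Windows itself staged in DriverStore and winsxs. The script below is an added example, not OTL's code and not anything posted in this thread; it parses that log format and carries out the comparison over lines copied from the OTL log above. The function names are this example's own, and the sample input is a constructed subset of that log.

```python
"""Parse an OTL "<file> /md5 /s" custom-scan log and check whether the driver
copy Windows loads (System32\\drivers) hash-matches a copy Windows staged in
DriverStore or winsxs.  Added example; not OTL's own code."""
import re

# Constructed sample input: a subset of the OTL log posted in this thread.
SAMPLE_OTL_LOG = r"""
< C:\hidclass.sys /md5 /s >
[2009/04/11 12:42:48 | 000,039,424 | ---- | M] (Microsoft Corporation) MD5=5961CADB7CAD938368D2028725EF771D -- C:\Windows\System32\drivers\hidclass.sys
[2009/04/11 12:42:48 | 000,039,424 | ---- | M] (Microsoft Corporation) MD5=5961CADB7CAD938368D2028725EF771D -- C:\Windows\System32\DriverStore\FileRepository\input.inf_45f308e6\hidclass.sys
[2006/11/02 16:55:01 | 000,038,912 | ---- | M] (Microsoft Corporation) MD5=081655939FA6C09EEC56DA090F461ECC -- C:\Windows\System32\DriverStore\FileRepository\input.inf_53578522\hidclass.sys
[2008/01/21 10:23:26 | 000,038,912 | ---- | M] (Microsoft Corporation) MD5=04F49DDD00A26C6CA984A9B480FDAA33 -- C:\Windows\System32\DriverStore\FileRepository\input.inf_a7cfdec8\hidclass.sys
[2008/01/21 10:23:26 | 000,038,912 | ---- | M] (Microsoft Corporation) MD5=04F49DDD00A26C6CA984A9B480FDAA33 -- C:\Windows\winsxs\x86_input.inf_31bf3856ad364e35_6.0.6001.18000_none_206f99c7201dafdb\hidclass.sys
[2009/04/11 12:42:48 | 000,039,424 | ---- | M] (Microsoft Corporation) MD5=5961CADB7CAD938368D2028725EF771D -- C:\Windows\winsxs\x86_input.inf_31bf3856ad364e35_6.0.6002.18005_none_225b12d31d3f7b27\hidclass.sys

< C:\hidusb.sys /md5 /s >
[2009/04/11 12:42:48 | 000,012,800 | ---- | M] (Microsoft Corporation) MD5=CCA4B519B17E23A00B826C55716809CC -- C:\Windows\System32\drivers\hidusb.sys
[2009/04/11 12:42:48 | 000,012,800 | ---- | M] (Microsoft Corporation) MD5=CCA4B519B17E23A00B826C55716809CC -- C:\Windows\System32\DriverStore\FileRepository\input.inf_45f308e6\hidusb.sys
[2006/11/02 16:55:01 | 000,012,288 | ---- | M] (Microsoft Corporation) MD5=3C64042B95E583B366BA4E5D2450235E -- C:\Windows\System32\DriverStore\FileRepository\input.inf_53578522\hidusb.sys
[2009/04/11 12:42:48 | 000,012,800 | ---- | M] (Microsoft Corporation) MD5=CCA4B519B17E23A00B826C55716809CC -- C:\Windows\winsxs\x86_input.inf_31bf3856ad364e35_6.0.6002.18005_none_225b12d31d3f7b27\hidusb.sys

< C:\vfbu.exe /md5 /s >

< End of report >
"""

# "< C:\hidclass.sys /md5 /s >" opens one scan; "< End of report >" does not match.
HEADER_RE = re.compile(r"^<\s*(?P<target>.+?)\s+/md5\s+/s\s*>$")
# "[mtime | size | attrs | M] (company) MD5=hash -- path"
ENTRY_RE = re.compile(
    r"^\[(?P<mtime>[^|]+?)\s*\|\s*(?P<size>[\d,]+)\s*\|\s*(?P<attrs>[^|]+?)\s*\|\s*(?P<kind>\w)\]"
    r"\s*\((?P<company>[^)]*)\)\s*MD5=(?P<md5>[0-9A-Fa-f]{32})\s*--\s*(?P<path>.+?)\s*$"
)


def parse_otl_md5_scan(text):
    """Return {scan target: [entry, ...]}; a target with no hits maps to []."""
    results, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = HEADER_RE.match(line)
        if header:
            current = header.group("target")
            results[current] = []
            continue
        entry = ENTRY_RE.match(line)
        if entry and current is not None:
            d = entry.groupdict()
            d["size"] = int(d["size"].replace(",", ""))
            d["md5"] = d["md5"].upper()
            results[current].append(d)
        elif line.startswith("<"):  # e.g. "< End of report >" closes the scan
            current = None
    return results


def classify_path(path):
    """'active' = the copy the running system loads; 'staged' = Windows' own
    reference copies; anything else is a stray copy worth a look."""
    p = path.lower()
    if "\\system32\\drivers\\" in p:
        return "active"
    if "\\driverstore\\" in p or "\\winsxs\\" in p:
        return "staged"
    return "other"


def assess_driver(entries):
    """Compare the loaded copy's hash with the staged copies and give a verdict.
    The hash match is the real signal: the company string comes from the file's
    own version resource and can be forged by whoever wrote the file."""
    report = {"active_md5": None, "staged_matches": 0, "stray": [], "verdict": ""}
    if not entries:
        report["verdict"] = "not found"
        return report
    active = [e for e in entries if classify_path(e["path"]) == "active"]
    staged = [e for e in entries if classify_path(e["path"]) == "staged"]
    report["stray"] = [e["path"] for e in entries if classify_path(e["path"]) == "other"]
    if len(active) != 1:
        report["verdict"] = "expected exactly one loaded copy, found %d" % len(active)
        return report
    loaded = active[0]
    report["active_md5"] = loaded["md5"]
    report["staged_matches"] = sum(1 for s in staged if s["md5"] == loaded["md5"])
    if loaded["company"] != "Microsoft Corporation":
        report["verdict"] = "loaded copy not attributed to Microsoft: investigate"
    elif report["staged_matches"]:
        report["verdict"] = "loaded copy matches a staged Windows copy"
    else:
        report["verdict"] = "loaded copy matches no staged copy: investigate"
    return report


if __name__ == "__main__":
    for target, entries in parse_otl_md5_scan(SAMPLE_OTL_LOG).items():
        print(target, "->", assess_driver(entries)["verdict"])
```

Run against the log above, both loaded drivers hash-match the Service Pack 2 copies Windows keeps in winsxs (6.0.6002.18005) and DriverStore, and the vfbu.exe scan returns no file at all. Matching hashes are what one expects for a HID minidriver pair: hidusb.sys hands its IRP dispatch over to hidclass.sys when it registers with the HID class driver, so dispatch entries of \Driver\HidUsb pointing into HIDCLASS.SYS are how that pair normally operates, which is why anti-rootkit tools whitelist the file. MD5 is used here only because it is what OTL emits; it is adequate for telling whether two copies on the same disk are identical, not as a general integrity hash.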