MalwareRemoval.com: Malware Removal Instructions
Slow windows XP laptop with rootkit evidence

Post by helpintoledo » January 19th, 2013, 10:30 am

Hello. First, my apologies for dropping the ball recently. I do appreciate the effort put in by the volunteers here, but unfortunately got sidetracked and allowed my previous post to go dormant, and all I succeeded in doing was wasting some of DeltaLima's time, which is fair to no one. It won't happen again. I am resubmitting new logs with my original description and will await new instructions. I will not perform any of the previously suggested actions unless they are repeated here.

This laptop has been running slow, along with a few odd hang-ups and log-offs, prompting me to run MBAM. MBAM returned four files marked as Extension.Mismatch.

These have not yet been removed or quarantined, but I did examine one of them (a supposed jpg) in Notepad; it had the MV opening, suggesting an executable, and I found this line:

INE SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Taskman Q HKEY_LOCAL_MACHINE SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer NoRun 1 Q HKEY_LOCAL_MACHINE SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer NoFolderOptions 1 Q HKEY_LOCAL_MACHINE SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer NoFind 1 Q HKEY_CURRENT_USER Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableTaskMgr" Q HKEY_CURRENT_USER Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableRegistryTools" Q %SystemRoot%\mdelk.exe Q %SystemRoot%\ban_list.txt Q HKEY_LOCAL_MACHINE SOFTWARE\Microsoft\Windows\Security Center\Svc EnableLUA 16 Q HKEY_LOCAL_MACHINE SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system EnableLUA 0 1 Q %SystemRoot%\drivers\down Q HKEY_LOCAL_MACHINE SYSTEM\ControlSet001\Services\srosa Q %SystemRoot%\drivers\srosa.sys Q %SystemRoot%\drivers\hldrrr.exe

At that point I figured it was time to turn back to one of your experts.

Here are the required logs:

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 10.7.2
Run by Marc at 9:17:36 on 2013-01-18
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1271.655 [GMT -8:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ================
.
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre7\bin\jqs.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\AirPort\APAgent.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Documents and Settings\Marc\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Marc\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Marc\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Documents and Settings\Marc\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
c:\Program Files\Microsoft Security Client\MpCmdRun.exe
c:\Program Files\Microsoft Security Client\MpCmdRun.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Marc\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Marc\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k bthsvcs
C:\WINDOWS\system32\svchost.exe -k HPService
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.yahoo.com/
BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: DriveLetterAccess: {5CA3D70E-1895-11CF-8E15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Java(tm) Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - c:\program files\google\googletoolbarnotifier\5.7.8313.1002\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll
TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [Google Update] "c:\documents and settings\marc\local settings\application data\google\update\GoogleUpdate.exe" /c
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil32_11_5_502_110_ActiveX.exe -update activex
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [AirPort Base Station Agent] "c:\program files\airport\APAgent.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Dell Wireless Manager UI] c:\windows\system32\WLTRAY
mRun: [IntelWireless] c:\program files\intel\wireless\bin\ifrmewrk.exe /tf Intel PROSet/Wireless
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRunOnce: [Malwarebytes Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microso ... 8251347437
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} - hxxp://acs.pandasoftware.com/activescan ... stubie.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: NameServer = 192.168.0.1
TCP: Interfaces\{D9763973-0C33-4E47-A318-80EAF73A78BC} : DHCPNameServer = 192.168.0.1
Notify: igfxcui - igfxsrvc.dll
Notify: IntelWireless - c:\program files\intel\wireless\bin\LgNotify.dll
.
============= SERVICES / DRIVERS ===============
.
R0 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 193552]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2012-8-7 28552]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2013-1-9 40776]
.
=============== Created Last 30 ================
.
2013-01-12 00:50:40 6812136 ----a-w- c:\documents and settings\all users.windows\application data\microsoft\microsoft antimalware\definition updates\{303a70b5-4fce-4466-9c9a-73820316cfcd}\mpengine.dll
2013-01-09 15:39:50 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2013-01-09 15:38:12 -------- d-----w- c:\documents and settings\marc\application data\Malwarebytes
2013-01-09 15:37:55 -------- d-----w- c:\documents and settings\all users.windows\application data\Malwarebytes
2013-01-09 15:37:53 21104 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-01-09 15:37:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2013-01-05 08:14:25 6812136 ----a-w- c:\documents and settings\all users.windows\application data\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
.
==================== Find3M ====================
.
2013-01-09 03:31:20 697864 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-01-09 03:31:19 74248 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-12-16 12:23:59 290560 ----a-w- c:\windows\system32\atmfd.dll
2012-11-13 01:25:12 1866368 ------w- c:\windows\system32\win32k.sys
2012-11-02 02:02:42 375296 ------w- c:\windows\system32\dpnet.dll
2012-11-01 12:17:54 916992 ----a-w- c:\windows\system32\wininet.dll
2012-11-01 12:17:54 43520 ------w- c:\windows\system32\licmgr10.dll
2012-11-01 12:17:54 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-11-01 00:35:34 385024 ------w- c:\windows\system32\html.iec
.
============= FINISH: 9:19:55.62 ===============

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2012-11-20.01)
.
Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 3/8/2010 11:03:05 AM
System Uptime: 1/15/2013 5:52:38 AM (76 hours ago)
.
Motherboard: Dell Inc. | | 0U8082
Processor: Intel(R) Pentium(R) M processor 1.60GHz | Microprocessor | 1596/133mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 74 GiB total, 47.458 GiB free.
D: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: PCI Simple Communications Controller
Device ID: PCI\VEN_104C&DEV_8038&SUBSYS_01821028&REV_00\4&2FA23535&0&0DF0
Manufacturer:
Name: PCI Simple Communications Controller
PNP Device ID: PCI\VEN_104C&DEV_8038&SUBSYS_01821028&REV_00\4&2FA23535&0&0DF0
Service:
.
Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: PCI Modem
Device ID: PCI\VEN_8086&DEV_266D&SUBSYS_542314F1&REV_03\3&61AAA01&0&F3
Manufacturer:
Name: PCI Modem
PNP Device ID: PCI\VEN_8086&DEV_266D&SUBSYS_542314F1&REV_03\3&61AAA01&0&F3
Service:
.
Class GUID: {6BDD1FC6-810F-11D0-BEC7-08002BE2092F}
Description: Photosmart C6200 series
Device ID: ROOT\IMAGE\0000
Manufacturer: HP
Name: HP Photosmart C6200
PNP Device ID: ROOT\IMAGE\0000
Service: StillCam
.
Class GUID: {4D36E971-E325-11CE-BFC1-08002BE10318}
Description: Photosmart C6200 series
Device ID: ROOT\MULTIFUNCTION\0000
Manufacturer: HP
Name: Photosmart C6200 series
PNP Device ID: ROOT\MULTIFUNCTION\0000
Service:
.
==== System Restore Points ===================
.
.
==== Installed Programs ======================
.
32 Bit HP CIO Components Installer
Acrobat.com
Adobe AIR
Adobe Flash Player 11 ActiveX
Adobe Reader X (10.1.4)
AIO_Scan
AirPort
Broadcom Gigabit Integrated Controller
C-Major Audio
Coupon Printer for Windows
Dell ResourceCD
Dell Wireless WLAN Card
Fax
Google Chrome
Google SketchUp 8
Google Toolbar for Internet Explorer
Google Update Helper
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB2570791)
Hotfix for Windows XP (KB2633952)
Hotfix for Windows XP (KB2756822)
Hotfix for Windows XP (KB2779562)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB979306)
HP Photosmart All-In-One Software 9.0
Intel(R) Graphics Media Accelerator Driver for Mobile
Intel(R) PROSet/Wireless Software
Java 7 Update 7
Java Auto Updater
Java(TM) 6 Update 31
Malwarebytes Anti-Malware version 1.70.0.1100
mCore
mDriver
mDrWiFi
mHlpDell
Microsoft Application Error Reporting
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft Office File Validation Add-In
Microsoft Office Professional Edition 2003
Microsoft Security Client
Microsoft Security Essentials
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
mIWA
mIWCA
mLogView
mMHouse
mPfMgr
mPfWiz
mProSafe
mSSO
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
mToolkit
mWlsSafe
mXML
mZConfig
NetDeviceManager
Panda ActiveScan 2.0
PowerDVD 5.1
PS_AIO_02_Software_min
Scan
Security Update for Microsoft Windows (KB2564958)
Security Update for Windows Internet Explorer 8 (KB2497640)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2530548)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2559049)
Security Update for Windows Internet Explorer 8 (KB2586448)
Security Update for Windows Internet Explorer 8 (KB2618444)
Security Update for Windows Internet Explorer 8 (KB2647516)
Security Update for Windows Internet Explorer 8 (KB2675157)
Security Update for Windows Internet Explorer 8 (KB2699988)
Security Update for Windows Internet Explorer 8 (KB2722913)
Security Update for Windows Internet Explorer 8 (KB2744842)
Security Update for Windows Internet Explorer 8 (KB2761465)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player (KB979402)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2503665)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276-v2)
Security Update for Windows XP (KB2536276)
Security Update for Windows XP (KB2544893-v2)
Security Update for Windows XP (KB2544893)
Security Update for Windows XP (KB2555917)
Security Update for Windows XP (KB2562937)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2567053)
Security Update for Windows XP (KB2567680)
Security Update for Windows XP (KB2570222)
Security Update for Windows XP (KB2570947)
Security Update for Windows XP (KB2584146)
Security Update for Windows XP (KB2585542)
Security Update for Windows XP (KB2592799)
Security Update for Windows XP (KB2598479)
Security Update for Windows XP (KB2603381)
Security Update for Windows XP (KB2618451)
Security Update for Windows XP (KB2619339)
Security Update for Windows XP (KB2620712)
Security Update for Windows XP (KB2621440)
Security Update for Windows XP (KB2624667)
Security Update for Windows XP (KB2631813)
Security Update for Windows XP (KB2633171)
Security Update for Windows XP (KB2639417)
Security Update for Windows XP (KB2641653)
Security Update for Windows XP (KB2646524)
Security Update for Windows XP (KB2647518)
Security Update for Windows XP (KB2653956)
Security Update for Windows XP (KB2655992)
Security Update for Windows XP (KB2659262)
Security Update for Windows XP (KB2660465)
Security Update for Windows XP (KB2661637)
Security Update for Windows XP (KB2676562)
Security Update for Windows XP (KB2685939)
Security Update for Windows XP (KB2686509)
Security Update for Windows XP (KB2691442)
Security Update for Windows XP (KB2695962)
Security Update for Windows XP (KB2698365)
Security Update for Windows XP (KB2705219)
Security Update for Windows XP (KB2707511)
Security Update for Windows XP (KB2709162)
Security Update for Windows XP (KB2712808)
Security Update for Windows XP (KB2718523)
Security Update for Windows XP (KB2719985)
Security Update for Windows XP (KB2723135)
Security Update for Windows XP (KB2724197)
Security Update for Windows XP (KB2731847)
Security Update for Windows XP (KB2753842-v2)
Security Update for Windows XP (KB2753842)
Security Update for Windows XP (KB2758857)
Security Update for Windows XP (KB2761226)
Security Update for Windows XP (KB2770660)
Security Update for Windows XP (KB2779030)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953155)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165-v2)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982665)
Sonic DLA
Sonic RecordNow! Plus
Sonic Update Manager
Toolbox
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB978506)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2541763)
Update for Windows XP (KB2607712)
Update for Windows XP (KB2616676)
Update for Windows XP (KB2641690)
Update for Windows XP (KB2661254-v2)
Update for Windows XP (KB2718704)
Update for Windows XP (KB2736233)
Update for Windows XP (KB2749655)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
WebFldrs XP
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 8
Windows XP Service Pack 3
.
==== Event Viewer Messages From Past Week ========
.
1/17/2013 9:35:54 PM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.141.3797.0 Update Source: Microsoft Update Server Update Stage: Download Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.9002.0 Error code: 0x80240022 Error description: The program can't check for definition updates.
1/17/2013 9:35:54 PM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.141.3797.0 Update Source: Microsoft Update Server Update Stage: Download Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.9002.0 Error code: 0x80240022 Error description: The program can't check for definition updates.
1/17/2013 7:27:51 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the JavaQuickStarterService service.
1/16/2013 7:55:15 PM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.141.3797.0 Update Source: Microsoft Update Server Update Stage: Download Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.9002.0 Error code: 0x80240022 Error description: The program can't check for definition updates.
1/16/2013 7:55:15 PM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.141.3797.0 Update Source: Microsoft Update Server Update Stage: Download Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.9002.0 Error code: 0x80240022 Error description: The program can't check for definition updates.
1/16/2013 7:11:19 PM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.141.3797.0 Update Source: Microsoft Update Server Update Stage: Download Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.9002.0 Error code: 0x80240022 Error description: The program can't check for definition updates.
1/16/2013 7:11:19 PM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.141.3797.0 Update Source: Microsoft Update Server Update Stage: Download Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.9002.0 Error code: 0x80240022 Error description: The program can't check for definition updates.
1/15/2013 8:02:58 PM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.141.3797.0 Update Source: Microsoft Update Server Update Stage: Download Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.9002.0 Error code: 0x80240022 Error description: The program can't check for definition updates.
1/15/2013 8:02:58 PM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.141.3797.0 Update Source: Microsoft Update Server Update Stage: Download Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.9002.0 Error code: 0x80240022 Error description: The program can't check for definition updates.
1/14/2013 8:23:08 PM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.141.3797.0 Update Source: Microsoft Update Server Update Stage: Download Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.9002.0 Error code: 0x80240022 Error description: The program can't check for definition updates.
1/14/2013 8:23:08 PM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.141.3797.0 Update Source: Microsoft Update Server Update Stage: Download Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.9002.0 Error code: 0x80240022 Error description: The program can't check for definition updates.
1/12/2013 11:20:23 AM, error: W32Time [34] - The time service has detected that the system time needs to be changed by +75771 seconds. The time service will not change the system time by more than +54000 seconds. Verify that your time and time zone are correct, and that the time source time.windows.com (ntp.m|0x1|192.168.0.183:123->65.55.21.24:123) is working properly.
1/12/2013 10:12:08 AM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.141.3797.0 Update Source: Microsoft Update Server Update Stage: Download Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.9002.0 Error code: 0x80240022 Error description: The program can't check for definition updates.
1/12/2013 10:12:07 AM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.141.3797.0 Update Source: Microsoft Update Server Update Stage: Download Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.9002.0 Error code: 0x80240022 Error description: The program can't check for definition updates.
1/11/2013 7:38:26 AM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.141.3243.0 Update Source: Microsoft Update Server Update Stage: Download Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.9002.0 Error code: 0x80240022 Error description: The program can't check for definition updates.
1/11/2013 7:38:26 AM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.141.3243.0 Update Source: Microsoft Update Server Update Stage: Download Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.9002.0 Error code: 0x80240022 Error description: The program can't check for definition updates.
.
==== End Of File ===========================
helpintoledo
Regular Member
 
Posts: 52
Joined: February 24th, 2010, 9:39 pm

Re: Slow windows XP laptop with rootkit evidence

Unread postby deltalima » January 19th, 2013, 5:09 pm

Hi again helpintoledo,

Welcome to the forum.

Please be aware that removing Malware is a potentially hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However, it is impossible for me to foresee all interactions that may happen between the software on your computer and the tools we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or where you will need to take your computer to a repair shop.

Because of this, I advise you to backup any personal files and folders before you start.

Please note the following:
  • I will be working on your Malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • Please do not run any scans or make any changes to the system unless I ask you to.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • If after 3 days you have not responded to this topic, it will be closed, and you will need to start a new one.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.

Download and run OTL
Download OTL by Old Timer and save it to your Desktop.
  • Double click on OTL.exe to run it.
  • Under Output, ensure that Minimal Output is selected.
  • Under Extra Registry section, select Use SafeList.
  • Click the Scan All Users checkbox.
  • Click on Run Scan at the top left hand corner.
  • When done, two Notepad files will open.
    • OTL.txt <-- Will be opened
    • Extras.txt <-- Will be minimized
  • Please post the contents of these 2 Notepad files in your next reply.

Please download GMER Rootkit Scanner from here.
  • Double click the .exe file. If asked to allow the gmer.sys driver to load, please consent.
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
  • Run Gmer again and click on the Rootkit tab.
  • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
  • Make sure all other boxes on the right of the screen are checked, EXCEPT for "Show All".
  • Click on "Scan" and wait for the scan to finish.
    Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan.
  • When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste or Ctrl+V. Save the file as gmer.txt and copy the information in your next reply.
  • Note: If you have any problems, try running GMER in SAFE MODE
Important! Please do not select the "Show all" checkbox during the scan.

Please post the GMER log along with OTL.txt and Extras.txt from the OTL scan into your next reply.

Upload a File to Virustotal

Please go to Virustotal

Click on Choose File, then navigate to one of the files that MBAM identified as Extension.Mismatch.
Press Scan it - this will submit the file for testing.
Please wait for all the scanners to finish then copy and paste the results in your next response.

Repeat the above process for the remaining files that MBAM identified and post all the results in your next reply.
deltalima
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK
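The VirusTotal step above asks for each file that MBAM flagged as Extension.Mismatch, and the original post describes exactly what that heuristic catches: a file named .jpg whose first bytes are the "MZ" stub of a Windows executable. The following script is an added example, not part of this thread and not code from Malwarebytes, OTL, GMER or VirusTotal; MBAM's own Extension.Mismatch logic is not published here, so the signature table is a constructed, deliberately short list. It walks a directory, compares each file's extension with its leading magic bytes, and computes the SHA-256 so the hash can be searched on VirusTotal before (or instead of) uploading the file itself. The sample files it creates are constructed in a temporary directory, so it runs offline on any platform.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Magic-byte signatures for a few common types (constructed list, not exhaustive).
# Each entry: (detected type, offset, bytes). "MZ" is the DOS/PE executable stub
# the original poster found at the start of the supposed .jpg.
SIGNATURES = [
    ("exe", 0, b"MZ"),
    ("jpg", 0, b"\xff\xd8\xff"),
    ("png", 0, b"\x89PNG\r\n\x1a\n"),
    ("gif", 0, b"GIF8"),
    ("pdf", 0, b"%PDF-"),
    ("zip", 0, b"PK\x03\x04"),
]

# Extensions each detected type may legitimately carry; anything else is a mismatch.
ALLOWED_EXTENSIONS = {
    "exe": {".exe", ".dll", ".sys", ".scr", ".cpl", ".ocx"},
    "jpg": {".jpg", ".jpeg"},
    "png": {".png"},
    "gif": {".gif"},
    "pdf": {".pdf"},
    "zip": {".zip", ".jar", ".docx", ".xlsx", ".pptx"},
}


def detect_type(header: bytes):
    """Return the type name matching the file's first bytes, or None if unknown."""
    for name, offset, magic in SIGNATURES:
        if header[offset:offset + len(magic)] == magic:
            return name
    return None


def check_file(path):
    """Compare a file's extension with its magic bytes and hash the whole file (SHA-256)."""
    p = Path(path)
    digest = hashlib.sha256()
    with open(p, "rb") as fh:
        header = fh.read(16)          # enough for every signature in the table
        digest.update(header)
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)      # hash the remainder in 64 KiB chunks
    detected = detect_type(header)
    ext = p.suffix.lower()
    # Unknown content types are reported but never flagged: no signature, no verdict.
    mismatch = detected is not None and ext not in ALLOWED_EXTENSIONS[detected]
    return {
        "path": str(p),
        "extension": ext,
        "detected": detected,
        "mismatch": mismatch,
        "sha256": digest.hexdigest(),
    }


def scan_directory(root):
    """Walk a directory tree and return check_file() results for every regular file."""
    results = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            results.append(check_file(os.path.join(dirpath, name)))
    return results


def build_sample_dir():
    """Create constructed sample files: one disguised executable stub and two benign images."""
    root = tempfile.mkdtemp(prefix="extcheck_")
    # Constructed: an MZ stub with a fake PE marker, saved under a .jpg name like the OP's find.
    (Path(root) / "holiday.jpg").write_bytes(b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00")
    (Path(root) / "real.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 32)
    (Path(root) / "logo.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)
    return root


if __name__ == "__main__":
    sample = build_sample_dir()
    for r in scan_directory(sample):
        flag = "MISMATCH" if r["mismatch"] else "ok"
        print(f"{flag:8} {r['extension']:6} content={r['detected']!s:5} "
              f"sha256={r['sha256'][:16]}... {r['path']}")
```

To use it on a real machine, point scan_directory() at the folder MBAM reported and paste each flagged file's SHA-256 into the VirusTotal search box; a hash that VirusTotal already knows gives the same report as an upload without sending the file anywhere. Files the table does not recognise are listed with content=None and are never flagged, so a clean result from this script is not a clean bill of health, only the absence of the one specific disguise it checks for.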

Re: Slow windows XP laptop with rootkit evidence

Unread postby helpintoledo » January 20th, 2013, 3:21 am

OK, here are the logs from OTL (OTL & Extras); the GMER log will be in the next post.

OTL logfile created on: 1/19/2013 1:47:05 AM - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Documents and Settings\Marc\My Documents\Downloads
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.24 Gb Total Physical Memory | 0.77 Gb Available Physical Memory | 61.69% Memory free
2.96 Gb Paging File | 2.21 Gb Available in Paging File | 74.68% Paging File free
Paging file location(s): c:\pagefile.sys 1908 3816 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.46 Gb Total Space | 47.44 Gb Free Space | 63.71% Space Free | Partition Type: NTFS

Computer Name: KELLYSPUTIE | User Name: Marc | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Marc\My Documents\Downloads\OTL.exe (OldTimer Tools)
PRC - C:\Documents and Settings\Marc\Local Settings\Application Data\Google\Chrome\Application\chrome.exe (Google Inc.)
PRC - C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
PRC - C:\Program Files\Java\jre7\bin\jqs.exe (Oracle Corporation)
PRC - c:\Program Files\Microsoft Security Client\MpCmdRun.exe (Microsoft Corporation)
PRC - c:\Program Files\Microsoft Security Client\MsMpEng.exe (Microsoft Corporation)
PRC - C:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
PRC - C:\Program Files\Common Files\Java\Java Update\jucheck.exe (Sun Microsystems, Inc.)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\AirPort\APAgent.exe (Apple Inc.)
PRC - C:\Program Files\Intel\Wireless\Bin\iFrmewrk.exe (Intel Corporation)
PRC - C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe (Intel® Corporation)
PRC - C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe (Intel Corporation)


========== Modules (No Company Name) ==========

MOD - C:\Documents and Settings\Marc\Local Settings\Application Data\Google\Chrome\Application\24.0.1312.52\ppgooglenaclpluginchrome.dll ()
MOD - C:\Documents and Settings\Marc\Local Settings\Application Data\Google\Chrome\Application\24.0.1312.52\PepperFlash\pepflashplayer.dll ()
MOD - C:\Documents and Settings\Marc\Local Settings\Application Data\Google\Chrome\Application\24.0.1312.52\pdf.dll ()
MOD - C:\Documents and Settings\Marc\Local Settings\Application Data\Google\Chrome\Application\24.0.1312.52\ffmpegsumo.dll ()
MOD - C:\WINDOWS\system32\msdmo.dll ()
MOD - C:\WINDOWS\system32\devenum.dll ()


========== Services (SafeList) ==========

SRV - (AppMgmt) -- %SystemRoot%\System32\appmgmts.dll File not found
SRV - (AdobeFlashPlayerUpdateSvc) -- C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe (Adobe Systems Incorporated)
SRV - (JavaQuickStarterService) -- C:\Program Files\Java\jre7\bin\jqs.exe (Oracle Corporation)
SRV - (MsMpSvc) -- c:\Program Files\Microsoft Security Client\MsMpEng.exe (Microsoft Corporation)
SRV - (EapHost) -- C:\WINDOWS\system32\eapsvc.dll ()
SRV - (WLANKEEPER) -- C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe (Intel® Corporation)


========== Driver Services (SafeList) ==========

DRV - (WDICA) -- File not found
DRV - (PDRFRAME) -- File not found
DRV - (PDRELI) -- File not found
DRV - (PDFRAME) -- File not found
DRV - (PDCOMP) -- File not found
DRV - (PCIDump) -- File not found
DRV - (mbr) -- C:\DOCUME~1\Marc\LOCALS~1\Temp\mbr.sys File not found
DRV - (lbrtfdc) -- File not found
DRV - (i2omgmt) -- File not found
DRV - (Changer) -- File not found
DRV - (MBAMSwissArmy) -- C:\WINDOWS\system32\drivers\mbamswissarmy.sys (Malwarebytes Corporation)
DRV - (pavboot) -- C:\WINDOWS\system32\drivers\pavboot.sys (Panda Security, S.L.)
DRV - (STAC97) -- C:\WINDOWS\system32\drivers\STAC97.sys (SigmaTel, Inc.)
DRV - (BCM43XX) -- C:\WINDOWS\system32\drivers\BCMWL5.SYS (Broadcom Corporation)
DRV - (s24trans) -- C:\WINDOWS\system32\drivers\s24trans.sys (Intel Corporation)
DRV - (b57w2k) -- C:\WINDOWS\system32\drivers\b57xp32.sys (Broadcom Corporation)
DRV - (OMCI) -- C:\WINDOWS\system32\drivers\omci.sys (Dell Computer Corporation)
DRV - (BrPar) -- C:\WINDOWS\system32\drivers\BRPAR.SYS (Brother Industries Ltd.)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
IE - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local


IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-1708537768-152049171-725345543-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
IE - HKU\S-1-5-21-1708537768-152049171-725345543-1004\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990}
IE - HKU\S-1-5-21-1708537768-152049171-725345543-1004\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src=IE-SearchBox&Form=IE8SRC
IE - HKU\S-1-5-21-1708537768-152049171-725345543-1004\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7&rlz=1I7ADFA_enUS370
IE - HKU\S-1-5-21-1708537768-152049171-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


========== FireFox ==========

FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.7.2: C:\WINDOWS\system32\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.7.2: C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@pandasecurity.com/activescan: C:\Program Files\Panda Security\ActiveScan 2.0\npwrapper.dll (Panda Security, S.L.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Documents and Settings\Marc\Local Settings\Application Data\Google\Update\1.3.21.123\npGoogleUpdate3.dll ()
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Documents and Settings\Marc\Local Settings\Application Data\Google\Update\1.3.21.123\npGoogleUpdate3.dll ()


[2010/03/06 12:33:49 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2005/09/23 13:52:26 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\defaults\profile\extensions
[2005/09/23 13:52:26 | 000,000,000 | ---D | M] (Firefox (default)) -- C:\Program Files\Mozilla Firefox\defaults\profile\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2005/09/15 17:26:00 | 000,094,208 | ---- | M] () -- C:\Program Files\mozilla firefox\components\BrandRes.dll
[2005/09/15 17:26:00 | 000,150,912 | ---- | M] (Full Circle Software, Inc.) -- C:\Program Files\mozilla firefox\components\fullsoft.dll
[2005/09/15 17:26:00 | 000,041,573 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\jar50.dll
[2005/09/15 17:26:00 | 000,048,223 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\jsd3250.dll
[2005/09/15 17:26:00 | 000,008,813 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\qfaservices.dll
[2005/09/15 17:26:00 | 000,160,871 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\xpinstal.dll
[2007/10/26 11:00:35 | 000,233,472 | ---- | M] (Coupons, Inc.) -- C:\Program Files\mozilla firefox\plugins\npcpbrk7.dll
[2005/09/15 17:26:00 | 000,000,680 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom.png
[2005/09/15 17:26:00 | 000,000,735 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazondotcom.src
[2005/09/15 17:26:00 | 000,000,356 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\creativecommons.png
[2005/09/15 17:26:00 | 000,000,976 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\creativecommons.src
[2005/09/15 17:26:00 | 000,000,557 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\dictionary.png
[2005/09/15 17:26:00 | 000,000,692 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\dictionary.src
[2005/09/15 17:26:00 | 000,000,210 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay.gif
[2005/09/15 17:26:00 | 000,001,064 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay.src
[2005/09/15 17:26:00 | 000,001,076 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\google.gif
[2005/09/15 17:26:00 | 000,000,687 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\google.src
[2006/11/27 13:01:40 | 000,000,703 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\GoogleDesktopMozilla.png
[2006/11/27 13:01:40 | 000,000,531 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\GoogleDesktopMozilla.src
[2005/09/15 17:26:00 | 000,000,088 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo.gif
[2005/09/15 17:26:00 | 000,001,098 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo.src

========== Chrome ==========

CHR - homepage: http://www.google.com
CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:assistedQueryStats}{google:searchFieldtrialParameter}sourceid=chrome&ie={inputEncoding}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client=chrome&hl={language}&q={searchTerms}&sugkey={google:suggestAPIKeyParameter}
CHR - homepage: http://www.google.com
CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Documents and Settings\Marc\Local Settings\Application Data\Google\Chrome\Application\24.0.1312.52\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Documents and Settings\Marc\Local Settings\Application Data\Google\Chrome\Application\24.0.1312.52\pdf.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Documents and Settings\Marc\Local Settings\Application Data\Google\Chrome\Application\24.0.1312.52\gcswf32.dll
CHR - plugin: Shockwave Flash (Disabled) = C:\Documents and Settings\Marc\Local Settings\Application Data\Google\Chrome\User Data\PepperFlash\11.2.31.144\pepflashplayer.dll
CHR - plugin: CouponNetwork Coupon Activator Netscape Plugin v. 5.0.0.0 (Enabled) = C:\Documents and Settings\Marc\Local Settings\Application Data\Google\Chrome\Application\plugins\NPcol400.dll
CHR - plugin: Coupons Inc., Coupon Printer Manager (Enabled) = C:\Documents and Settings\Marc\Local Settings\Application Data\Google\Chrome\Application\plugins\npMozCouponPrinter.dll
CHR - plugin: Adobe Acrobat (Disabled) = C:\Program Files\Adobe\Reader 9.0\Reader\Browser\nppdf32.dll
CHR - plugin: Microsoft\u00AE DRM (Enabled) = C:\Program Files\Windows Media Player\npdrmv2.dll
CHR - plugin: Microsoft\u00AE DRM (Enabled) = C:\Program Files\Windows Media Player\npwmsdrm.dll
CHR - plugin: Windows Media Player Plug-in Dynamic Link Library (Enabled) = C:\Program Files\Windows Media Player\npdsplay.dll
CHR - plugin: Google Update (Enabled) = C:\Documents and Settings\Marc\Local Settings\Application Data\Google\Update\1.3.21.111\npGoogleUpdate3.dll
CHR - plugin: Java(TM) Platform SE 6 U31 (Enabled) = C:\Program Files\Java\jre6\bin\plugin2\npjp2.dll
CHR - Extension: YouTube = C:\Documents and Settings\Marc\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_1\
CHR - Extension: Google Search = C:\Documents and Settings\Marc\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_1\
CHR - Extension: Gmail = C:\Documents and Settings\Marc\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_1\

O1 HOSTS File: ([2004/08/04 04:00:00 | 000,000,734 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (DriveLetterAccess) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll (Sonic Solutions)
O2 - BHO: (Java(tm) Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.8313.1002\swg.dll (Google Inc.)
O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [AirPort Base Station Agent] C:\Program Files\AirPort\APAgent.exe (Apple Inc.)
O4 - HKLM..\Run: [BluetoothAuthenticationAgent] C:\WINDOWS\System32\bthprops.cpl (Microsoft Corporation)
O4 - HKLM..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe (Intel Corporation)
O4 - HKLM..\Run: [MSC] c:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O4 - HKLM..\Run: [UpdateManager] C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe (Sonic Solutions)
O4 - HKLM..\RunOnce: [Malwarebytes Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKU\S-1-5-21-1708537768-152049171-725345543-1004..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil32_11_5_502_110_ActiveX.exe -update activex File not found
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\CheckPages.exe ()
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HotSync Manager.lnk = C:\Program Files\palmOne\Hotsync.exe (PalmSource, Inc)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Wireless Sync Client.lnk = C:\Program Files\Wireless Sync\Client\ClientShell.exe (Intellisync Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1708537768-152049171-725345543-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/microso ... 8251347437 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Reg Error: Value error.)
O16 - DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} http://acs.pandasoftware.com/activescan ... stubie.cab (ActiveScan 2.0 Installer Class)
O16 - DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinsta ... s-i586.cab (Java Plug-in 1.6.0_31)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{D9763973-0C33-4E47-A318-80EAF73A78BC}: DhcpNameServer = 192.168.0.1
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - (igfxsrvc.dll) - C:\WINDOWS\System32\igfxsrvc.dll (Intel Corporation)
O20 - Winlogon\Notify\IntelWireless: DllName - (C:\Program Files\Intel\Wireless\Bin\LgNotify.dll) - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll (Intel Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/08/10 10:04:08 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2013/01/11 11:47:10 | 000,000,000 | R--D | C] -- C:\Documents and Settings\All Users.WINDOWS\Documents\My Videos
[2013/01/11 11:47:10 | 000,000,000 | R--D | C] -- C:\Documents and Settings\Marc\Start Menu\Programs\Administrative Tools
[2013/01/09 12:37:21 | 000,000,000 | ---D | C] -- C:\WINDOWS\LastGood
[2013/01/09 07:39:50 | 000,040,776 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2013/01/09 07:38:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Marc\Application Data\Malwarebytes
[2013/01/09 07:37:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users.WINDOWS\Application Data\Malwarebytes
[2013/01/09 07:37:53 | 000,021,104 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2013/01/09 07:37:53 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[7 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2013/01/19 01:49:31 | 000,000,974 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1708537768-152049171-725345543-1004UA.job
[2013/01/18 21:34:00 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2013/01/18 21:30:00 | 000,000,830 | ---- | M] () -- C:\WINDOWS\tasks\Adobe Flash Player Updater.job
[2013/01/18 09:34:01 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2013/01/12 10:49:02 | 000,000,922 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1708537768-152049171-725345543-1004Core.job
[2013/01/11 08:07:25 | 000,002,295 | ---- | M] () -- C:\Documents and Settings\Marc\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2013/01/11 08:07:24 | 000,002,277 | ---- | M] () -- C:\Documents and Settings\Marc\Desktop\Google Chrome.lnk
[2013/01/09 08:30:28 | 000,000,000 | -H-- | M] () -- C:\Documents and Settings\Marc\My Documents\Default.rdp
[2013/01/09 07:39:50 | 000,040,776 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2013/01/09 07:37:57 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\Malwarebytes Anti-Malware.lnk
[2013/01/08 19:31:20 | 000,697,864 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerApp.exe
[2013/01/08 19:31:19 | 000,074,248 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl
[2012/12/21 12:25:05 | 000,315,076 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2012/12/21 12:25:05 | 000,041,238 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2012/12/21 12:06:22 | 000,000,384 | -H-- | M] () -- C:\WINDOWS\tasks\Microsoft Antimalware Scheduled Scan.job
[2012/12/21 11:56:09 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/12/21 11:56:07 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/12/21 11:56:05 | 000,189,792 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[7 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2013/01/09 08:30:28 | 000,000,000 | -H-- | C] () -- C:\Documents and Settings\Marc\My Documents\Default.rdp
[2013/01/09 07:37:57 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users.WINDOWS\Desktop\Malwarebytes Anti-Malware.lnk
[2013/01/03 22:36:02 | 000,000,803 | ---- | C] () -- C:\Documents and Settings\Marc\Desktop\Internet Explorer.lnk
[2013/01/03 22:26:38 | 000,000,830 | ---- | C] () -- C:\WINDOWS\tasks\Adobe Flash Player Updater.job
[2012/02/19 06:57:18 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2011/11/14 12:56:50 | 000,000,552 | ---- | C] () -- C:\WINDOWS\System32\d3d8caps.dat
[2011/11/06 07:49:31 | 000,130,461 | ---- | C] () -- C:\WINDOWS\hpoins21.dat
[2011/11/06 07:49:31 | 000,008,138 | ---- | C] () -- C:\WINDOWS\hpomdl21.dat
[2011/09/05 15:20:59 | 000,008,192 | ---- | C] () -- C:\Documents and Settings\Marc\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/02/19 23:03:12 | 000,043,344 | ---- | C] () -- C:\WINDOWS\System32\mfc100kor.dll

========== ZeroAccess Check ==========


[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shdocvw.dll -- [2008/04/13 16:12:05 | 001,499,136 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = C:\WINDOWS\system32\wbem\fastprox.dll -- [2009/02/09 04:10:48 | 000,473,600 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = C:\WINDOWS\system32\wbem\wbemess.dll -- [2008/04/13 16:12:08 | 000,273,920 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

< End of report >





OTL Extras logfile created on: 1/19/2013 1:47:05 AM - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Documents and Settings\Marc\My Documents\Downloads
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.24 Gb Total Physical Memory | 0.77 Gb Available Physical Memory | 61.69% Memory free
2.96 Gb Paging File | 2.21 Gb Available in Paging File | 74.68% Paging File free
Paging file location(s): c:\pagefile.sys 1908 3816 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 74.46 Gb Total Space | 47.44 Gb Free Space | 63.71% Space Free | Partition Type: NTFS

Computer Name: KELLYSPUTIE | User Name: Marc | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*

[HKEY_USERS\S-1-5-21-1708537768-152049171-725345543-1004\SOFTWARE\Classes\<extension>]
.html [@ = ChromeHTML] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%*
exefile [open] -- "%1" %*
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

========== System Restore Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr]
"Start" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService]
"Start" = 2

========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"5353:UDP" = 5353:UDP:*:Enabled:Bonjour

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)
"C:\Program Files\AirPort\APAgent.exe" = C:\Program Files\AirPort\APAgent.exe:*:Enabled:APAgent -- (Apple Inc.)
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)
"C:\Documents and Settings\Marc\Local Settings\Temp\7zS2305\setup\HPZnui01.exe" = C:\Documents and Settings\Marc\Local Settings\Temp\7zS2305\setup\HPZnui01.exe:*:Enabled:hpznui01.exe -- (Hewlett-Packard)
"C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe" = C:\Program Files\HP\Digital Imaging\bin\hpofxm08.exe:*:Enabled:hpofxm08.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe" = C:\Program Files\HP\Digital Imaging\bin\hposfx08.exe:*:Enabled:hposfx08.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hpqscnvw.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqscnvw.exe:*:Enabled:hpqscnvw.exe -- ()
"C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe:*:Enabled:hpqkygrp.exe -- (Hewlett-Packard)
"C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe" = C:\Program Files\HP\Digital Imaging\bin\hpzwiz01.exe:*:Enabled:hpzwiz01.exe -- (Hewlett-Packard Co.)
"C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe" = C:\Program Files\HP\Digital Imaging\bin\hpqnrs08.exe:*:Enabled:hpqnrs08.exe -- (Hewlett-Packard Co.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{06BE8AFD-A8E2-4B63-BAE7-287016D16ACB}" = mSSO
"{09DA4F91-2A09-4232-AB8C-6BC740096DE3}" = Sonic Update Manager
"{0E2B0B41-7E08-4F9F-B21F-41C4133F43B7}" = mLogView
"{1206EF92-2E83-4859-ACCB-2048C3CB7DA6}" = Sonic DLA
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{23FB368F-1399-4EAC-817C-4B83ECBE3D83}" = mProSafe
"{26A24AE4-039D-4CA4-87B4-2F83216031FF}" = Java(TM) 6 Update 31
"{26A24AE4-039D-4CA4-87B4-2F83217007FF}" = Java 7 Update 7
"{28DA872A-0848-48CF-B749-19A198157A2A}" = mDriver
"{2F28B3C9-2C89-4206-8B33-8ADC9577C49B}" = Scan
"{324CEC09-007A-48eb-90E0-9D42D4D5EB0A}" = NetDeviceManager
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3544DED1-07DB-40C0-98F3-435A6DA195C7}" = Google SketchUp 8
"{3E8DD348-4174-4fe8-8FDC-238AAFBD2488}" = HP Photosmart All-In-One Software 9.0
"{3E9D596A-61D4-4239-BD19-2DB984D2A16F}" = mIWA
"{44B2E182-DD85-45FC-9F51-326B81D7C7F1}" = Fax
"{49D687E5-6784-431B-A0A2-2F23B8CC5A1B}" = mHlpDell
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{6421F085-1FAA-DE13-D02A-CFB412C522A4}" = Acrobat.com
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD 5.1
"{6DE14BE4-6F04-4935-8ABD-A0A19FE2E55A}" = mCore
"{6FFFE74E-3FBD-4E2E-97F9-5E9A2A077626}" = mIWCA
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel(R) Graphics Media Accelerator Driver for Mobile
"{8B928BA1-EDEC-4227-A2DA-DD83026C36F5}" = mPfMgr
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{90140000-2005-0000-0000-0000000FF1CE}" = Microsoft Office File Validation Add-In
"{90B0D222-8C21-4B35-9262-53B042F18AF9}" = mPfWiz
"{94658027-9F16-4509-BBD7-A59FE57C3023}" = mZConfig
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9541FED0-327F-4DF0-8B96-EF57EF622F19}" = Sonic RecordNow! Plus
"{98EABC7F-B1A1-43A5-B505-5B4EC3908DCD}" = Microsoft Security Client
"{9CC89556-3578-48DD-8408-04E66EBEF401}" = mXML
"{9D10CF26-88F1-4E53-A00F-CDAC448C67BF}" = AirPort
"{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
"{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}" = C-Major Audio
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC76BA86-7AD7-1033-7B44-AA1000000001}" = Adobe Reader X (10.1.4)
"{AF7FC1CA-79DF-43c3-90A3-33EFEB9294CE}" = AIO_Scan
"{BE6890C7-31EF-478C-812E-1E2899ABFCA9}" = Broadcom Gigabit Integrated Controller
"{CA9BAADB-C262-4E05-B2E2-CEE8CE9809EC}" = mToolkit
"{D78653C3-A8FF-415F-92E6-D774E634FF2D}" = Dell ResourceCD
"{E9C18EBD-85BE-47D0-AA73-3FEDCC976B04}" = Toolbox
"{EF0D2E55-6FE2-4e35-BE22-A742E85D84E3}" = PS_AIO_02_Software_min
"{F0BFC7EF-9CF8-44EE-91B0-158884CD87C5}" = mMHouse
"{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}" = Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
"{F1E63043-54FC-429B-AB2C-31AF9FBA4BC7}" = 32 Bit HP CIO Components Installer
"{F6090A17-0967-4A8A-B3C3-422A1B514D49}" = mDrWiFi
"{FCA651F3-5BDA-4DDA-9E4A-5D87D6914CC4}" = mWlsSafe
"ActiveScan 2.0" = Panda ActiveScan 2.0
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"Broadcom 802.11b Network Adapter" = Dell Wireless WLAN Card
"com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Acrobat.com
"Coupon Printer for Windows5.0.0.1" = Coupon Printer for Windows
"ie8" = Windows Internet Explorer 8
"InstallShield_{BE6890C7-31EF-478C-812E-1E2899ABFCA9}" = Broadcom Gigabit Integrated Controller
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.70.0.1100
"Microsoft Security Client" = Microsoft Security Essentials
"ProInst" = Intel(R) PROSet/Wireless Software
"Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
"Windows XP Service Pack" = Windows XP Service Pack 3

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-1708537768-152049171-725345543-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"Google Chrome" = Google Chrome

========== Last 20 Event Log Errors ==========

[ Application Events ]
Error - 4/22/2012 12:11:34 AM | Computer Name = KELLYSPUTIE | Source = MPSampleSubmission | ID = 5000
Description = EventType mptelemetry, P1 8024402c, P2 endsearch, P3 search, P4 3.0.8402.0,
P5 mpsigdwn.dll, P6 3.0.8402.0, P7 microsoft security essentials (edb4fa23-53b8-4afa-8c5d-99752cca7094),
P8 NIL, P9 NIL, P10 NIL.

Error - 4/22/2012 12:15:27 AM | Computer Name = KELLYSPUTIE | Source = Application Hang | ID = 1002
Description = Hanging application chrome.exe, version 18.0.1025.162, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 4/24/2012 11:40:23 PM | Computer Name = KELLYSPUTIE | Source = MPSampleSubmission | ID = 5000
Description = EventType mptelemetry, P1 80240022, P2 processdownloadresults, P3
download, P4 3.0.8402.0, P5 mpsigdwn.dll, P6 3.0.8402.0, P7 microsoft security essentials
(edb4fa23-53b8-4afa-8c5d-99752cca7094), P8 NIL, P9 NIL, P10 NIL.

Error - 4/25/2012 8:17:10 PM | Computer Name = KELLYSPUTIE | Source = MPSampleSubmission | ID = 5000
Description = EventType mptelemetry, P1 0x80070003, P2 moac, P3 cachereset, P4 4.0.1526.0,
P5 unspecified, P6 unspecified, P7 unspecified, P8 NIL, P9 NIL, P10 NIL.

Error - 4/28/2012 9:23:37 PM | Computer Name = KELLYSPUTIE | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file.

Error - 4/28/2012 9:23:37 PM | Computer Name = KELLYSPUTIE | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file.

Error - 5/9/2012 10:52:26 AM | Computer Name = KELLYSPUTIE | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file.

Error - 5/9/2012 10:52:26 AM | Computer Name = KELLYSPUTIE | Source = crypt32 | ID = 131083
Description = Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file.

Error - 5/11/2012 1:12:21 PM | Computer Name = KELLYSPUTIE | Source = Application Hang | ID = 1002
Description = Hanging application chrome.exe, version 18.0.1025.162, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 7/2/2012 6:52:42 PM | Computer Name = KELLYSPUTIE | Source = MPSampleSubmission | ID = 5000
Description = EventType mptelemetry, P1 microsoft security essentials (edb4fa23-53b8-4afa-8c5d-99752cca7094),
P2 4.0.1526.0, P3 timeout, P4 1.1.8502.0, P5 fixed, P6 1 _ 2048, P7 5 _ not boot,
P8 NIL, P9 NIL, P10 NIL.

[ System Events ]
Error - 1/18/2013 9:56:38 PM | Computer Name = KELLYSPUTIE | Source = Microsoft Antimalware | ID = 2001
Description = %%860 has encountered an error trying to update signatures. New Signature
Version: Previous Signature Version: 1.141.3797.0 Update Source: %%851 Update Stage:
%%854 Source Path: http://go.microsoft.com/fwlink/?LinkID= ... 752CCA7094

Signature
Type: %%801 Update Type: %%803 User: NT AUTHORITY\NETWORK SERVICE Current Engine Version:
Previous Engine Version: 1.1.9002.0 Error code: 0x8000ffff Error description: Catastrophic
failure

Error - 1/19/2013 12:40:58 AM | Computer Name = KELLYSPUTIE | Source = Service Control Manager | ID = 7011
Description = Timeout (30000 milliseconds) waiting for a transaction response from
the Netman service.

Error - 1/19/2013 12:41:28 AM | Computer Name = KELLYSPUTIE | Source = Microsoft Antimalware | ID = 2001
Description = %%860 has encountered an error trying to update signatures. New Signature
Version: Previous Signature Version: 1.141.3797.0 Update Source: %%859 Update Stage:
%%853 Source Path: http://www.microsoft.com Signature Type: %%800 Update Type: %%803

User:
NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.9002.0 Error
code: 0x80240022 Error description: The program can't check for definition updates.


Error - 1/19/2013 12:41:28 AM | Computer Name = KELLYSPUTIE | Source = Microsoft Antimalware | ID = 2001
Description = %%860 has encountered an error trying to update signatures. New Signature
Version: Previous Signature Version: 1.141.3797.0 Update Source: %%859 Update Stage:
%%853 Source Path: http://www.microsoft.com Signature Type: %%800 Update Type: %%803

User:
NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.9002.0 Error
code: 0x80240022 Error description: The program can't check for definition updates.


Error - 1/19/2013 12:42:31 AM | Computer Name = KELLYSPUTIE | Source = Microsoft Antimalware | ID = 2001
Description = %%860 has encountered an error trying to update signatures. New Signature
Version: Previous Signature Version: 1.141.3797.0 Update Source: %%851 Update Stage:
%%854 Source Path: http://go.microsoft.com/fwlink/?LinkID= ... 752CCA7094

Signature
Type: %%800 Update Type: %%803 User: NT AUTHORITY\NETWORK SERVICE Current Engine Version:
Previous Engine Version: 1.1.9002.0 Error code: 0x8000ffff Error description: Catastrophic
failure

Error - 1/19/2013 12:42:31 AM | Computer Name = KELLYSPUTIE | Source = Microsoft Antimalware | ID = 2001
Description = %%860 has encountered an error trying to update signatures. New Signature
Version: Previous Signature Version: 1.141.3797.0 Update Source: %%851 Update Stage:
%%854 Source Path: http://go.microsoft.com/fwlink/?LinkID= ... 752CCA7094

Signature
Type: %%801 Update Type: %%803 User: NT AUTHORITY\NETWORK SERVICE Current Engine Version:
Previous Engine Version: 1.1.9002.0 Error code: 0x8000ffff Error description: Catastrophic
failure

Error - 1/19/2013 5:34:50 AM | Computer Name = KELLYSPUTIE | Source = Microsoft Antimalware | ID = 2001
Description = %%860 has encountered an error trying to update signatures. New Signature
Version: Previous Signature Version: 1.141.3797.0 Update Source: %%859 Update Stage:
%%853 Source Path: http://www.microsoft.com Signature Type: %%800 Update Type: %%803

User:
NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.9002.0 Error
code: 0x80240022 Error description: The program can't check for definition updates.


Error - 1/19/2013 5:34:50 AM | Computer Name = KELLYSPUTIE | Source = Microsoft Antimalware | ID = 2001
Description = %%860 has encountered an error trying to update signatures. New Signature
Version: Previous Signature Version: 1.141.3797.0 Update Source: %%859 Update Stage:
%%853 Source Path: http://www.microsoft.com Signature Type: %%800 Update Type: %%803

User:
NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.9002.0 Error
code: 0x80240022 Error description: The program can't check for definition updates.


Error - 1/19/2013 5:36:13 AM | Computer Name = KELLYSPUTIE | Source = Microsoft Antimalware | ID = 2001
Description = %%860 has encountered an error trying to update signatures. New Signature
Version: Previous Signature Version: 1.141.3797.0 Update Source: %%851 Update Stage:
%%854 Source Path: http://go.microsoft.com/fwlink/?LinkID= ... 752CCA7094

Signature
Type: %%800 Update Type: %%803 User: NT AUTHORITY\NETWORK SERVICE Current Engine Version:
Previous Engine Version: 1.1.9002.0 Error code: 0x8000ffff Error description: Catastrophic
failure

Error - 1/19/2013 5:36:13 AM | Computer Name = KELLYSPUTIE | Source = Microsoft Antimalware | ID = 2001
Description = %%860 has encountered an error trying to update signatures. New Signature
Version: Previous Signature Version: 1.141.3797.0 Update Source: %%851 Update Stage:
%%854 Source Path: http://go.microsoft.com/fwlink/?LinkID= ... 752CCA7094

Signature
Type: %%801 Update Type: %%803 User: NT AUTHORITY\NETWORK SERVICE Current Engine Version:
Previous Engine Version: 1.1.9002.0 Error code: 0x8000ffff Error description: Catastrophic
failure


< End of report >
helpintoledo
Regular Member
 
Posts: 52
Joined: February 24th, 2010, 9:39 pm
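
The OTL Extras log above records the Windows Firewall policy straight from the registry, and the security-relevant reading is buried in it: `EnableFirewall` is 0 in the StandardProfile (on an XP machine that is not joined to a domain, that is the active profile), several GloballyOpenPorts entries carry a scope of `*` (any remote address) rather than `LocalSubNet`, and one AuthorizedApplications entry points into a user's `Local Settings\Temp` directory. The script below is an added example, not OTL code and not part of the original thread: it parses those sections and prints one finding per weak setting. The `SAMPLE_LOG` is a constructed excerpt in OTL's format with a generic user path, and the function names are my own.

```python
"""Audit the 'Firewall Settings' and 'Authorized Applications List' sections of an
OTL Extras log. Added example, not OTL code. Flags: a profile with EnableFirewall = 0,
GloballyOpenPorts entries whose scope is '*' (any remote address) instead of LocalSubNet,
and authorized applications that run from a Temp directory."""
import re
from typing import Dict, List

KEY_RE = re.compile(r"^\[(.+)\]$")                    # [HKEY_LOCAL_MACHINE\...]
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')      # "Name" = value
PROFILE_RE = re.compile(r"\\(DomainProfile|StandardProfile)(?:\\|$)")

# Constructed excerpt in OTL's format (not the thread's log verbatim; generic user path).
SAMPLE_LOG = r"""
========== Firewall Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"5353:UDP" = 5353:UDP:*:Enabled:Bonjour

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)
"C:\Documents and Settings\user\Local Settings\Temp\7zS0000\setup\installer.exe" = C:\Documents and Settings\user\Local Settings\Temp\7zS0000\setup\installer.exe:*:Enabled:installer.exe -- (Example Vendor)
"""


def parse_firewall_policy(log_text: str) -> Dict[str, Dict[str, Dict[str, str]]]:
    """Group '"name" = value' lines under their profile as settings / ports / apps."""
    profiles: Dict[str, Dict[str, Dict[str, str]]] = {}
    bucket = None  # dict receiving the value lines under the current registry key
    for raw in log_text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            path = key.group(1)
            m = PROFILE_RE.search(path)
            bucket = None
            if m:
                prof = profiles.setdefault(m.group(1), {"settings": {}, "ports": {}, "apps": {}})
                if path.endswith("\\GloballyOpenPorts\\List"):
                    bucket = prof["ports"]
                elif path.endswith("\\AuthorizedApplications\\List"):
                    bucket = prof["apps"]
                elif path.endswith("\\" + m.group(1)):
                    bucket = prof["settings"]
            continue
        val = VALUE_RE.match(line)
        if val and bucket is not None:
            bucket[val.group(1)] = val.group(2)
    return profiles


def audit_firewall(log_text: str) -> List[str]:
    """Return one human-readable finding per weak setting found in the log text."""
    findings: List[str] = []
    for profile, data in parse_firewall_policy(log_text).items():
        if data["settings"].get("EnableFirewall") == "0":
            findings.append(f"{profile}: EnableFirewall=0 (firewall off for this profile)")
        for name, value in data["ports"].items():
            fields = value.split(":")  # port:protocol:scope:state:description
            if len(fields) >= 3 and fields[2] == "*":
                findings.append(f"{profile}: port {name} open to any remote address")
        for path in data["apps"]:
            if "\\temp\\" in path.lower():
                findings.append(f"{profile}: authorized application runs from a Temp directory: {path}")
    return findings


if __name__ == "__main__":
    for finding in audit_firewall(SAMPLE_LOG):
        print(finding)
```

Run against a saved OTL Extras log by reading the file into `audit_firewall`. A Temp-directory allow rule is usually left behind by an installer's one-time prompt, but it stays in effect after the installer is gone, so it is worth removing even when the vendor is legitimate.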

Re: Slow windows XP laptop with rootkit evidence

Unread postby deltalima » January 20th, 2013, 9:24 am

Thanks, please post GMER and Virustotal logs in your next response.
deltalima
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: Slow windows XP laptop with rootkit evidence

Unread postby helpintoledo » January 20th, 2013, 10:38 am

Oddly, it appears that the paths of two of the files detected as mismatches have gone away, at least as far as they were reported by MBAM. I will try to see what happened there, but in the meantime, here are the results of the other two, and I will follow with a newly generated GMER log; I had MBAM and Chrome still active when I ran it last night:

SHA256: 53b8d87956b18731e45f77c4449534971f72c5ee36334b5df437b79506565659
SHA1: d796ba4c2b921669b8ebde02f428024ff0e0850f
MD5: c7b9082fbfa18acf12298408980fd49a
File size: 1.1 MB ( 1144089 bytes )
File name: 00000754.jpg
File type: Win32 DLL
Detection ratio: 0 / 46
Analysis date: 2013-01-20 14:21:10 UTC ( 0 minutes ago )


SHA256: 1922315f76d1f631c1becc1594ba8035e365d14b0c36e446e041dcfcebd6ac6c
SHA1: 697668d18667d7ca883f295f89d51a94f5329f7c
MD5: 4d18e9d219ab68e2b9a00e1865b25451
File size: 10.8 KB ( 11023 bytes )
File name: WINNT32.LOG
File type: Win32 DLL
Detection ratio: 0 / 46
Analysis date: 2013-01-20 14:32:59 UTC ( 0 minutes ago )
helpintoledo
Regular Member
 
Posts: 52
Joined: February 24th, 2010, 9:39 pm

Re: Slow windows XP laptop with rootkit evidence

Unread postby helpintoledo » January 20th, 2013, 10:56 am

I guess I just wasn't completely awake; I read the system files checkbox wrong when I was trying to display all folders. Here are the other two file reports; GMER log in the next post:


SHA256: b7251aa05398c8d9e3bd9c536a1fc5f775c56aa611b94b3dbe96e7eb860291a9
SHA1: 959436a37cb7229e208290cb42dc2268ba98a7dc
MD5: 7ce40c7fe2dc360b6b69a2f0bb5f85fb
File size: 1.1 KB ( 1113 bytes )
File name: caretslogo[1].jpg
File type: Win32 DLL
Detection ratio: 8 / 46
Analysis date: 2013-01-20 14:48:41 UTC ( 1 minute ago )
Antivirus Result Update
Agnitum Suspicious!SA 20130119
AhnLab-V3 - 20130120
AntiVir - 20130120
Antiy-AVL - 20130120
Avast - 20130120
AVG Win32/PEPatch 20130120
BitDefender - 20130120
ByteHero - 20130118
CAT-QuickHeal (Suspicious) - DNAScan 20130120
ClamAV - 20130120
Commtouch - 20130120
Comodo - 20130120
DrWeb - 20130120
Emsisoft - 20130120
eSafe - 20130120
ESET-NOD32 - 20130120
F-Prot - 20130120
F-Secure - 20130120
Fortinet - 20130120
GData - 20130120
Ikarus - 20130120
Jiangmin - 20121221
K7AntiVirus - 20130119
Kaspersky - 20130120
Kingsoft - 20130115
Malwarebytes - 20130120
McAfee - 20130120
McAfee-GW-Edition - 20130120
Microsoft - 20130120
MicroWorld-eScan - 20130120
NANO-Antivirus - 20130120
Norman - 20130120
nProtect - 20130120
Panda - 20130120
PCTools HeurEngine.EP 20130120
Rising - 20130117
Sophos - 20130120
SUPERAntiSpyware - 20130119
Symantec Bloodhound.W32.EP 20130120
TheHacker - 20130119
TotalDefense - 20130120
TrendMicro PAK_Generic.002 20130120
TrendMicro-HouseCall PAK_Generic.002 20130120
VBA32 - 20130118
VIPRE Corrupted File (v) 20130120
ViRobot - 20130120


ssdeep
12:ePBKjrsYA6h1cvjW5QR9DfxO8HulkZkwbGNL/l:eUwbCMDHKjGg/
TrID
Generic Win/DOS Executable (49.9%)
DOS Executable Generic (49.8%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.1%)
ExifTool
MIMEType.................: application/octet-stream
Subsystem................: Windows GUI
MachineType..............: Intel 386 or later, and compatibles
TimeStamp................: 2011:03:18 14:53:43+01:00
FileType.................: Win32 DLL
PEType...................: PE32
CodeSize.................: 8192
LinkerVersion............: 10.0
EntryPoint...............: 0x0160
InitializedDataSize......: 8192
SubsystemVersion.........: 5.1
ImageVersion.............: 0.0
OSVersion................: 5.1
UninitializedDataSize....: 0
Portable Executable structural information
Compilation timedatestamp.....: 2011-03-18 13:53:43
Target machine................: 0x14C (Intel 386 or later processors and compatible processors)
Entry point address...........: 0x00000160

PE Sections...................:

Name Virtual Address Virtual Size Raw Size Entropy MD5
OPTIM 4096 7712 4034 0.00 0a25e7fe3131a04b8683607a189dcba7
First seen by VirusTotal
2013-01-20 14:48:41 UTC ( 4 minutes ago )
Last seen by VirusTotal
2013-01-20 14:48:41 UTC ( 4 minutes ago )
File names (max. 25)
caretslogo[1].jpg



SHA256: bfbdc175338763b4b7b6aac68cf599132403fcf4a0aeb246724d0cb68b090152
SHA1: 9b230c0f14a460754c4d44f3c363dc96224a68cb
MD5: ea3aad785a3cc36cc530ceebed88b94a
File size: 5.9 KB ( 6082 bytes )
File name: lr96337974-6[1].jpg
File type: Win32 DLL
Detection ratio: 1 / 46
Analysis date: 2013-01-20 14:54:19 UTC ( 0 minutes ago )
Antivirus Result Update
Agnitum - 20130119
AhnLab-V3 - 20130120
AntiVir - 20130120
Antiy-AVL - 20130120
Avast - 20130120
AVG - 20130120
BitDefender - 20130120
ByteHero - 20130118
CAT-QuickHeal - 20130120
ClamAV - 20130120
Commtouch - 20130120
Comodo - 20130120
DrWeb - 20130120
Emsisoft - 20130120
eSafe - 20130120
ESET-NOD32 - 20130120
F-Prot - 20130120
F-Secure - 20130120
Fortinet - 20130120
GData - 20130120
Ikarus - 20130120
Jiangmin - 20121221
K7AntiVirus - 20130119
Kaspersky - 20130120
Kingsoft - 20130115
Malwarebytes - 20130120
McAfee - 20130120
McAfee-GW-Edition - 20130120
Microsoft - 20130120
MicroWorld-eScan - 20130120
NANO-Antivirus - 20130120
Norman - 20130120
nProtect - 20130120
Panda - 20130120
PCTools - 20130120
Rising - 20130117
Sophos - 20130120
SUPERAntiSpyware - 20130119
Symantec - 20130120
TheHacker - 20130119
TotalDefense - 20130120
TrendMicro - 20130120
TrendMicro-HouseCall - 20130120
VBA32 - 20130118
VIPRE Corrupted File (v) 20130120
ViRobot - 20130120


ssdeep
48:yAeT+QHuk6aO9XSyh6yrvHeD2+xkpkHjj6k1hF:fQUaO9Cydp+2ODJP
TrID
Generic Win/DOS Executable (49.9%)
DOS Executable Generic (49.8%)
Autodesk FLIC Image File (extensions: flc, fli, cel) (0.1%)
ExifTool
MIMEType.................: application/octet-stream
Subsystem................: Windows GUI
MachineType..............: Intel 386 or later, and compatibles
TimeStamp................: 2012:08:30 22:25:56+01:00
FileType.................: Win32 DLL
PEType...................: PE32
CodeSize.................: 0
LinkerVersion............: 8.0
EntryPoint...............: 0x0000
InitializedDataSize......: 1024000
SubsystemVersion.........: 4.0
ImageVersion.............: 0.0
OSVersion................: 4.0
UninitializedDataSize....: 0
Portable Executable structural information
Compilation timedatestamp.....: 2012-08-30 21:25:56
Target machine................: 0x14C (Intel 386 or later processors and compatible processors)

PE Sections...................:

Name Virtual Address Virtual Size Raw Size Entropy MD5
.rdata 4096 93 512 0.00 bf619eac0cdf3f68d496ea9344137e8b
.rsrc 8192 1022976 1022976 4.39 3da3d76e2da9f1e56397ab3d44e06a9b
.reloc 1032192 8 512 0.00 d41d8cd98f00b204e9800998ecf8427e
Symantec Reputation
Suspicious.Insight
First seen by VirusTotal
2013-01-20 14:54:19 UTC ( 1 minute ago )
Last seen by VirusTotal
2013-01-20 14:54:19 UTC ( 1 minute ago )
File names (max. 25)
lr96337974-6[1].jpg
helpintoledo
Regular Member
 
Posts: 52
Joined: February 24th, 2010, 9:39 pm
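
The four VirusTotal reports in the two posts above share one fact: files named `.jpg` and `.LOG` that VirusTotal types as `Win32 DLL`, because their bytes begin with the `MZ` signature and carry a PE header. That is exactly what MBAM's `Extension.Mismatch` flags, and it is the indicator that matters, not the detection ratio: a 0 / 46 result on a file whose name lies about its type does not make it benign. The script below is an added example, not MBAM, VirusTotal or thread code. It reproduces the check offline: it recognises a PE image behind a non-executable extension, reads the COFF header to tell EXE from DLL and recover the compile timestamp, and computes the Shannon entropy of each section as the reports do (a section reporting 0.00 is a single repeated byte value, typically zero padding). The extension list, the function names and the minimal sample PE it builds for testing are assumptions for illustration; the sample's timestamp is chosen to match the `2011-03-18 13:53:43` compile time shown for `caretslogo[1].jpg`.

```python
"""Find 'extension mismatch' files (an image or text name on a PE image) and summarize
the PE the way the VirusTotal reports above do: EXE vs DLL, compile timestamp, and the
Shannon entropy of each section. Added example; not MBAM, VirusTotal or thread code."""
import datetime
import math
import os
import struct
from typing import Dict, List, Optional, Tuple

# Extensions that should never carry a PE image (assumed list; extend as needed).
NON_EXECUTABLE_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".bmp", ".log", ".txt", ".ini", ".dat"}
IMAGE_FILE_DLL = 0x2000  # Characteristics bit in the COFF file header


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 when every byte value is equally common."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(data: bytes) -> Optional[Dict]:
    """Return machine, DLL flag, timestamp and section table, or None if not a PE image.

    Reads only e_lfanew, the COFF file header and the section headers; the optional
    header is skipped by its declared size, so a damaged optional header does not matter.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    machine, nsections, stamp, _, _, opt_size, flags = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    table = e_lfanew + 24 + opt_size
    sections: List[Dict] = []
    for i in range(nsections):
        off = table + 40 * i
        if off + 40 > len(data):
            break  # truncated section table: report what is there
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", data, off)
        raw = data[rawptr:rawptr + rawsize] if rawptr < len(data) else b""
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"),
                         "virtual_address": vaddr, "virtual_size": vsize,
                         "raw_size": rawsize, "entropy": round(shannon_entropy(raw), 2)})
    compiled = datetime.datetime.fromtimestamp(stamp, datetime.timezone.utc)
    return {"machine": machine, "is_dll": bool(flags & IMAGE_FILE_DLL),
            "compiled": compiled.isoformat(), "sections": sections}


def classify(filename: str, data: bytes) -> Tuple[str, Optional[Dict]]:
    """'Extension.Mismatch' when a non-executable extension hides a PE image,
    'PE' for an honestly named executable, 'other' for anything else."""
    pe = parse_pe(data)
    if pe is None:
        return "other", None
    ext = os.path.splitext(filename)[1].lower()
    return ("Extension.Mismatch" if ext in NON_EXECUTABLE_EXTS else "PE"), pe


def scan_tree(root: str) -> List[Tuple[str, Dict]]:
    """Walk a directory (e.g. a browser cache) and collect every extension-mismatch file."""
    hits: List[Tuple[str, Dict]] = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue
            verdict, info = classify(fn, data)
            if verdict == "Extension.Mismatch":
                hits.append((path, info))
    return hits


def build_sample_pe() -> bytes:
    """Constructed minimal 32-bit PE DLL for offline testing (not a file from the thread):
    an all-zero .text section and a .rsrc section holding every byte value once."""
    hdr_end = 0x40 + 24 + 2 * 40  # DOS header, "PE\0\0" + COFF header, two section headers
    dos = b"MZ" + bytes(0x3C - 2) + struct.pack("<I", 0x40)  # e_lfanew -> 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 1300456423, 0, 0, 0, 0x2102)
    sect1 = struct.pack("<8sIIII", b".text", 16, 0x1000, 16, hdr_end) + bytes(16)
    sect2 = struct.pack("<8sIIII", b".rsrc", 256, 0x2000, 256, hdr_end + 16) + bytes(16)
    return dos + coff + sect1 + sect2 + bytes(16) + bytes(range(256))


if __name__ == "__main__":
    verdict, info = classify("caretslogo[1].jpg", build_sample_pe())
    print(verdict, "Win32 DLL" if info["is_dll"] else "Win32 EXE", info["compiled"])
    for s in info["sections"]:
        print(f'{s["name"]:8} VA={s["virtual_address"]:#x} raw={s["raw_size"]} H={s["entropy"]}')
```

Point `scan_tree` at a Temporary Internet Files or Chrome cache directory to get the same list MBAM produces, together with the section summary, without uploading anything. The check is deliberately signature-free: it only asks whether the container format matches the name, which is why it still fires when the detection ratio is 0 / 46.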

Re: Slow windows XP laptop with rootkit evidence

Unread postby helpintoledo » January 20th, 2013, 2:01 pm

GMER 2.0.18444 - http://www.gmer.net
Rootkit scan 2013-01-19 12:56:18
Windows 5.1.2600 Service Pack 3 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 TOSHIBA_MK8026GAX rev.PA002D 74.53GB
Running: qbyu7ybj.exe; Driver: C:\DOCUME~1\Marc\LOCALS~1\Temp\fwdyrpod.sys


---- Kernel code sections - GMER 2.0 ----

? C:\DOCUME~1\Marc\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- Registry - GMER 2.0 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0010c6916cd3
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\0010c6916cd3 (not active ControlSet)

---- EOF - GMER 2.0 ----
helpintoledo
Regular Member
 
Posts: 52
Joined: February 24th, 2010, 9:39 pm

Re: Slow windows XP laptop with rootkit evidence

Unread postby deltalima » January 20th, 2013, 2:16 pm

Hi helpintoledo,

Please download TDSSKiller and save it to your Desktop.

  • Double click TDSSKiller.exe to run it.
  • Under Additional Options check Verify file digital signatures
  • IMPORTANT: Ensure Detect TDLFS file system remains UNchecked.
  • Click Start scan and allow it to scan for Malicious objects.

    • If Malicious objects are detected, the default action will be Cure, ensure Cure is selected then click Continue
    • If suspicious objects are detected, the default action will be Skip, ensure Skip is selected then click Continue
    • If Unsigned files are detected, the default action will be Skip, ensure Skip is selected then click Continue

    DO NOT change the default actions.

  • It may ask you to reboot the computer to complete the process. Click on Reboot Now and allow the computer to reboot.
  • A log will be created on your root (usually C:) drive. The log is like UtilityName.Version_Date_Time_log.txt.
    for example, C:\TDSSKiller.2.4.1.2_20.04.2010_15.31.43_log.txt.
  • If no reboot is required, click on Report. A log file should appear.
  • Please post the contents in your next reply
deltalima
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: Slow windows XP laptop with rootkit evidence

Unread postby helpintoledo » January 20th, 2013, 2:51 pm

13:41:36.0468 2312 TDSS rootkit removing tool 2.8.15.0 Oct 31 2012 21:47:35
13:41:37.0000 2312 ============================================================
13:41:37.0000 2312 Current date / time: 2013/01/19 13:41:37.0000
13:41:37.0000 2312 SystemInfo:
13:41:37.0000 2312
13:41:37.0000 2312 OS Version: 5.1.2600 ServicePack: 3.0
13:41:37.0000 2312 Product type: Workstation
13:41:37.0015 2312 ComputerName: KELLYSPUTIE
13:41:37.0015 2312 UserName: Marc
13:41:37.0015 2312 Windows directory: C:\WINDOWS
13:41:37.0015 2312 System windows directory: C:\WINDOWS
13:41:37.0015 2312 Processor architecture: Intel x86
13:41:37.0015 2312 Number of processors: 1
13:41:37.0015 2312 Page size: 0x1000
13:41:37.0015 2312 Boot type: Normal boot
13:41:37.0015 2312 ============================================================
13:41:39.0125 2312 Drive \Device\Harddisk0\DR0 - Size: 0x12A1F16000 (74.53 Gb), SectorSize: 0x200, Cylinders: 0x2601, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
13:41:39.0125 2312 ============================================================
13:41:39.0125 2312 \Device\Harddisk0\DR0:
13:41:39.0125 2312 MBR partitions:
13:41:39.0125 2312 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x1F608, BlocksNum 0x94EAFF8
13:41:39.0125 2312 ============================================================
13:41:39.0156 2312 C: <-> \Device\Harddisk0\DR0\Partition1
13:41:39.0156 2312 ============================================================
13:41:39.0156 2312 Initialize success
13:41:39.0156 2312 ============================================================
13:42:45.0203 3528 ============================================================
13:42:45.0203 3528 Scan started
13:42:45.0203 3528 Mode: Manual; SigCheck;
13:42:45.0203 3528 ============================================================
13:42:45.0765 3528 ================ Scan system memory ========================
13:43:02.0828 3528 System memory - ok
13:43:02.0828 3528 ================ Scan services =============================
13:43:03.0281 3528 Abiosdsk - ok
13:43:03.0281 3528 abp480n5 - ok
13:43:03.0406 3528 [ 8FD99680A539792A30E97944FDAECF17 ] ACPI C:\WINDOWS\system32\DRIVERS\ACPI.sys
13:43:04.0015 3528 ACPI - ok
13:43:04.0046 3528 [ 9859C0F6936E723E4892D7141B1327D5 ] ACPIEC C:\WINDOWS\system32\drivers\ACPIEC.sys
13:43:04.0218 3528 ACPIEC - ok
13:43:04.0406 3528 [ 424877CB9D5517F980FF7BACA2EB379D ] AdobeFlashPlayerUpdateSvc C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe
13:43:04.0562 3528 AdobeFlashPlayerUpdateSvc - ok
13:43:04.0578 3528 adpu160m - ok
13:43:04.0671 3528 [ 8BED39E3C35D6A489438B8141717A557 ] aec C:\WINDOWS\system32\drivers\aec.sys
13:43:04.0890 3528 aec - ok
13:43:04.0937 3528 [ 2C5C22990156A1063E19AD162191DC1D ] AegisP C:\WINDOWS\system32\DRIVERS\AegisP.sys
13:43:04.0968 3528 AegisP ( UnsignedFile.Multi.Generic ) - warning
13:43:04.0968 3528 AegisP - detected UnsignedFile.Multi.Generic (1)
13:43:05.0078 3528 [ 1E44BC1E83D8FD2305F8D452DB109CF9 ] AFD C:\WINDOWS\System32\drivers\afd.sys
13:43:05.0109 3528 AFD - ok
13:43:05.0109 3528 Aha154x - ok
13:43:05.0125 3528 aic78u2 - ok
13:43:05.0125 3528 aic78xx - ok
13:43:05.0171 3528 [ A9A3DAA780CA6C9671A19D52456705B4 ] Alerter C:\WINDOWS\system32\alrsvc.dll
13:43:05.0312 3528 Alerter - ok
13:43:05.0359 3528 [ 8C515081584A38AA007909CD02020B3D ] ALG C:\WINDOWS\System32\alg.exe
13:43:05.0578 3528 ALG - ok
13:43:05.0593 3528 AliIde - ok
13:43:05.0593 3528 amsint - ok
13:43:05.0609 3528 AppMgmt - ok
13:43:05.0609 3528 asc - ok
13:43:05.0625 3528 asc3350p - ok
13:43:05.0625 3528 asc3550 - ok
13:43:05.0671 3528 [ B153AFFAC761E7F5FCFA822B9C4E97BC ] AsyncMac C:\WINDOWS\system32\DRIVERS\asyncmac.sys
13:43:05.0843 3528 AsyncMac - ok
13:43:05.0906 3528 [ 9F3A2F5AA6875C72BF062C712CFA2674 ] atapi C:\WINDOWS\system32\DRIVERS\atapi.sys
13:43:06.0078 3528 atapi - ok
13:43:06.0078 3528 Atdisk - ok
13:43:06.0140 3528 [ 9916C1225104BA14794209CFA8012159 ] Atmarpc C:\WINDOWS\system32\DRIVERS\atmarpc.sys
13:43:06.0296 3528 Atmarpc - ok
13:43:06.0343 3528 [ DEF7A7882BEC100FE0B2CE2549188F9D ] AudioSrv C:\WINDOWS\System32\audiosrv.dll
13:43:06.0515 3528 AudioSrv - ok
13:43:06.0546 3528 [ D9F724AA26C010A217C97606B160ED68 ] audstub C:\WINDOWS\system32\DRIVERS\audstub.sys
13:43:06.0703 3528 audstub - ok
13:43:06.0796 3528 [ 2ACF06176B9D011567D7F25B83DDD066 ] b57w2k C:\WINDOWS\system32\DRIVERS\b57xp32.sys
13:43:06.0828 3528 b57w2k - ok
13:43:07.0031 3528 [ DA7CA369A1A3593CEAC85DEC2D267A08 ] BCM43XX C:\WINDOWS\system32\DRIVERS\bcmwl5.sys
13:43:07.0203 3528 BCM43XX - ok
13:43:07.0265 3528 [ DA1F27D85E0D1525F6621372E7B685E9 ] Beep C:\WINDOWS\system32\drivers\Beep.sys
13:43:07.0421 3528 Beep - ok
13:43:07.0687 3528 [ 574738F61FCA2935F5265DC4E5691314 ] BITS C:\WINDOWS\system32\qmgr.dll
13:43:08.0156 3528 BITS - ok
13:43:08.0234 3528 [ CFD4E51402DA9838B5A04AE680AF54A0 ] Browser C:\WINDOWS\System32\browser.dll
13:43:08.0343 3528 Browser - ok
13:43:08.0390 3528 [ 2FE6D5BE0629F706197B30C0AA05DE30 ] BrPar C:\WINDOWS\System32\drivers\BrPar.sys
13:43:08.0421 3528 BrPar ( UnsignedFile.Multi.Generic ) - warning
13:43:08.0421 3528 BrPar - detected UnsignedFile.Multi.Generic (1)
13:43:08.0500 3528 [ B279426E3C0C344893ED78A613A73BDE ] BthEnum C:\WINDOWS\system32\DRIVERS\BthEnum.sys
13:43:08.0640 3528 BthEnum - ok
13:43:08.0703 3528 [ 80602B8746D3738F5886CE3D67EF06B6 ] BthPan C:\WINDOWS\system32\DRIVERS\bthpan.sys
13:43:08.0843 3528 BthPan - ok
13:43:09.0015 3528 [ 662BFD909447DD9CC15B1A1C366583B4 ] BTHPORT C:\WINDOWS\system32\Drivers\BTHport.sys
13:43:09.0093 3528 BTHPORT - ok
13:43:09.0156 3528 [ F4C43C66471B87996D95DB7A3A664A37 ] BthServ C:\WINDOWS\System32\bthserv.dll
13:43:09.0328 3528 BthServ - ok
13:43:09.0343 3528 [ 61364CD71EF63B0F038B7E9DF00F1EFA ] BTHUSB C:\WINDOWS\system32\Drivers\BTHUSB.sys
13:43:09.0515 3528 BTHUSB - ok
13:43:09.0578 3528 [ 90A673FC8E12A79AFBED2576F6A7AAF9 ] cbidf2k C:\WINDOWS\system32\drivers\cbidf2k.sys
13:43:09.0718 3528 cbidf2k - ok
13:43:09.0718 3528 cd20xrnt - ok
13:43:09.0750 3528 [ C1B486A7658353D33A10CC15211A873B ] Cdaudio C:\WINDOWS\system32\drivers\Cdaudio.sys
13:43:09.0906 3528 Cdaudio - ok
13:43:09.0968 3528 [ C885B02847F5D2FD45A24E219ED93B32 ] Cdfs C:\WINDOWS\system32\drivers\Cdfs.sys
13:43:10.0125 3528 Cdfs - ok
13:43:10.0187 3528 [ 1F4260CC5B42272D71F79E570A27A4FE ] Cdrom C:\WINDOWS\system32\DRIVERS\cdrom.sys
13:43:10.0296 3528 Cdrom - ok
13:43:10.0359 3528 [ 84853B3FD012251690570E9E7E43343F ] cercsr6 C:\WINDOWS\system32\drivers\cercsr6.sys
13:43:10.0375 3528 cercsr6 ( UnsignedFile.Multi.Generic ) - warning
13:43:10.0375 3528 cercsr6 - detected UnsignedFile.Multi.Generic (1)
13:43:10.0390 3528 Changer - ok
13:43:10.0437 3528 [ 1CFE720EB8D93A7158A4EBC3AB178BDE ] CiSvc C:\WINDOWS\system32\cisvc.exe
13:43:10.0625 3528 CiSvc - ok
13:43:10.0656 3528 [ 34CBE729F38138217F9C80212A2A0C82 ] ClipSrv C:\WINDOWS\system32\clipsrv.exe
13:43:10.0875 3528 ClipSrv - ok
13:43:10.0906 3528 [ 0F6C187D38D98F8DF904589A5F94D411 ] CmBatt C:\WINDOWS\system32\DRIVERS\CmBatt.sys
13:43:11.0031 3528 CmBatt - ok
13:43:11.0046 3528 CmdIde - ok
13:43:11.0078 3528 [ 6E4C9F21F0FAE8940661144F41B13203 ] Compbatt C:\WINDOWS\system32\DRIVERS\compbatt.sys
13:43:11.0218 3528 Compbatt - ok
13:43:11.0218 3528 COMSysApp - ok
13:43:11.0234 3528 Cpqarray - ok
13:43:11.0312 3528 [ 3D4E199942E29207970E04315D02AD3B ] CryptSvc C:\WINDOWS\System32\cryptsvc.dll
13:43:11.0562 3528 CryptSvc - ok
13:43:11.0578 3528 dac2w2k - ok
13:43:11.0578 3528 dac960nt - ok
13:43:11.0812 3528 [ 6B27A5C03DFB94B4245739065431322C ] DcomLaunch C:\WINDOWS\system32\rpcss.dll
13:43:12.0171 3528 DcomLaunch - ok
13:43:12.0250 3528 [ 5E38D7684A49CACFB752B046357E0589 ] Dhcp C:\WINDOWS\System32\dhcpcsvc.dll
13:43:12.0515 3528 Dhcp - ok
13:43:12.0515 3528 [ 044452051F3E02E7963599FC8F4F3E25 ] Disk C:\WINDOWS\system32\DRIVERS\disk.sys
13:43:12.0671 3528 Disk - ok
13:43:12.0687 3528 dmadmin - ok
13:43:13.0093 3528 [ D992FE1274BDE0F84AD826ACAE022A41 ] dmboot C:\WINDOWS\system32\drivers\dmboot.sys
13:43:13.0890 3528 dmboot - ok
13:43:13.0984 3528 [ 7C824CF7BBDE77D95C08005717A95F6F ] dmio C:\WINDOWS\system32\drivers\dmio.sys
13:43:14.0203 3528 dmio - ok
13:43:14.0265 3528 [ E9317282A63CA4D188C0DF5E09C6AC5F ] dmload C:\WINDOWS\system32\drivers\dmload.sys
13:43:14.0421 3528 dmload - ok
13:43:14.0500 3528 [ 57EDEC2E5F59F0335E92F35184BC8631 ] dmserver C:\WINDOWS\System32\dmserver.dll
13:43:14.0656 3528 dmserver - ok
13:43:14.0718 3528 [ 8A208DFCF89792A484E76C40E5F50B45 ] DMusic C:\WINDOWS\system32\drivers\DMusic.sys
13:43:14.0875 3528 DMusic - ok
13:43:14.0937 3528 [ 5F7E24FA9EAB896051FFB87F840730D2 ] Dnscache C:\WINDOWS\System32\dnsrslvr.dll
13:43:15.0000 3528 Dnscache - ok
13:43:15.0140 3528 [ 0F0F6E687E5E15579EF4DA8DD6945814 ] Dot3svc C:\WINDOWS\System32\dot3svc.dll
13:43:15.0406 3528 Dot3svc - ok
13:43:15.0406 3528 dpti2o - ok
13:43:15.0437 3528 [ 8F5FCFF8E8848AFAC920905FBD9D33C8 ] drmkaud C:\WINDOWS\system32\drivers\drmkaud.sys
13:43:15.0609 3528 drmkaud - ok
13:43:15.0671 3528 [ B15F9E526BA511A48B1B1B8537815740 ] drvmcdb C:\WINDOWS\system32\drivers\drvmcdb.sys
13:43:15.0703 3528 drvmcdb ( UnsignedFile.Multi.Generic ) - warning
13:43:15.0703 3528 drvmcdb - detected UnsignedFile.Multi.Generic (1)
13:43:15.0765 3528 [ FA4670CAE95AE2BB857C68E535661145 ] drvnddm C:\WINDOWS\system32\drivers\drvnddm.sys
13:43:15.0859 3528 drvnddm ( UnsignedFile.Multi.Generic ) - warning
13:43:15.0859 3528 drvnddm - detected UnsignedFile.Multi.Generic (1)
13:43:15.0906 3528 [ 4A3A4B62DB9B38B60CDD8125B77948E0 ] EapHost C:\WINDOWS\System32\eapsvc.dll
13:43:15.0953 3528 EapHost ( UnsignedFile.Multi.Generic ) - warning
13:43:15.0953 3528 EapHost - detected UnsignedFile.Multi.Generic (1)
13:43:16.0000 3528 [ BC93B4A066477954555966D77FEC9ECB ] ERSvc C:\WINDOWS\System32\ersvc.dll
13:43:16.0156 3528 ERSvc - ok
13:43:16.0250 3528 [ 65DF52F5B8B6E9BBD183505225C37315 ] Eventlog C:\WINDOWS\system32\services.exe
13:43:16.0343 3528 Eventlog - ok
13:43:16.0515 3528 [ D4991D98F2DB73C60D042F1AEF79EFAE ] EventSystem C:\WINDOWS\system32\es.dll
13:43:16.0687 3528 EventSystem - ok
13:43:16.0828 3528 [ D335183519E6814DFAB4ED3DD806A943 ] EvtEng C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
13:43:16.0906 3528 EvtEng ( UnsignedFile.Multi.Generic ) - warning
13:43:16.0906 3528 EvtEng - detected UnsignedFile.Multi.Generic (1)
13:43:17.0015 3528 [ 38D332A6D56AF32635675F132548343E ] Fastfat C:\WINDOWS\system32\drivers\Fastfat.sys
13:43:17.0250 3528 Fastfat - ok
13:43:17.0359 3528 [ 99BC0B50F511924348BE19C7C7313BBF ] FastUserSwitchingCompatibility C:\WINDOWS\System32\shsvcs.dll
13:43:17.0468 3528 FastUserSwitchingCompatibility - ok
13:43:17.0546 3528 [ 92CDD60B6730B9F50F6A1A0C1F8CDC81 ] Fdc C:\WINDOWS\system32\drivers\Fdc.sys
13:43:17.0703 3528 Fdc - ok
13:43:17.0750 3528 [ D45926117EB9FA946A6AF572FBE1CAA3 ] Fips C:\WINDOWS\system32\drivers\Fips.sys
13:43:17.0890 3528 Fips - ok
13:43:17.0937 3528 [ 9D27E7B80BFCDF1CDD9B555862D5E7F0 ] Flpydisk C:\WINDOWS\system32\drivers\Flpydisk.sys
13:43:18.0093 3528 Flpydisk - ok
13:43:18.0187 3528 [ B2CF4B0786F8212CB92ED2B50C6DB6B0 ] FltMgr C:\WINDOWS\system32\drivers\fltmgr.sys
13:43:18.0343 3528 FltMgr - ok
13:43:18.0359 3528 [ 3E1E2BD4F39B0E2B7DC4F4D2BCC2779A ] Fs_Rec C:\WINDOWS\system32\drivers\Fs_Rec.sys
13:43:18.0515 3528 Fs_Rec - ok
13:43:18.0578 3528 [ 6AC26732762483366C3969C9E4D2259D ] Ftdisk C:\WINDOWS\system32\DRIVERS\ftdisk.sys
13:43:18.0765 3528 Ftdisk - ok
13:43:18.0796 3528 [ 0A02C63C8B144BD8C86B103DEE7C86A2 ] Gpc C:\WINDOWS\system32\DRIVERS\msgpc.sys
13:43:18.0968 3528 Gpc - ok
13:43:19.0093 3528 [ 8F0DE4FEF8201E306F9938B0905AC96A ] gupdate C:\Program Files\Google\Update\GoogleUpdate.exe
13:43:19.0187 3528 gupdate - ok
13:43:19.0265 3528 [ 8F0DE4FEF8201E306F9938B0905AC96A ] gupdatem C:\Program Files\Google\Update\GoogleUpdate.exe
13:43:19.0296 3528 gupdatem - ok
13:43:19.0531 3528 [ 5D4BC124FAAE6730AC002CDB67BF1A1C ] gusvc C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
13:43:19.0656 3528 gusvc - ok
13:43:19.0781 3528 [ 4FCCA060DFE0C51A09DD5C3843888BCD ] helpsvc C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll
13:43:19.0937 3528 helpsvc - ok
13:43:19.0984 3528 [ DEB04DA35CC871B6D309B77E1443C796 ] HidServ C:\WINDOWS\System32\hidserv.dll
13:43:20.0125 3528 HidServ - ok
13:43:20.0140 3528 [ CCF82C5EC8A7326C3066DE870C06DAF1 ] HidUsb C:\WINDOWS\system32\DRIVERS\hidusb.sys
13:43:20.0296 3528 HidUsb - ok
13:43:20.0406 3528 [ 8878BD685E490239777BFE51320B88E9 ] hkmsvc C:\WINDOWS\System32\kmsvc.dll
13:43:20.0656 3528 hkmsvc - ok
13:43:20.0656 3528 hpn - ok
13:43:20.0984 3528 [ 58D4765AB87347DB835D5693ADF652C1 ] hpqcxs08 C:\Program Files\HP\Digital Imaging\bin\hpqcxs08.dll
13:43:21.0109 3528 hpqcxs08 ( UnsignedFile.Multi.Generic ) - warning
13:43:21.0109 3528 hpqcxs08 - detected UnsignedFile.Multi.Generic (1)
13:43:21.0406 3528 [ 50AED60EA813124D6DAEE41814E4AAAC ] HPSLPSVC C:\Program Files\HP\Digital Imaging\bin\HPSLPSVC32.DLL
13:43:22.0031 3528 HPSLPSVC ( UnsignedFile.Multi.Generic ) - warning
13:43:22.0031 3528 HPSLPSVC - detected UnsignedFile.Multi.Generic (1)
13:43:22.0203 3528 [ F80A415EF82CD06FFAF0D971528EAD38 ] HTTP C:\WINDOWS\system32\Drivers\HTTP.sys
13:43:22.0218 3528 HTTP - ok
13:43:22.0250 3528 [ 6100A808600F44D999CEBDEF8841C7A3 ] HTTPFilter C:\WINDOWS\System32\w3ssl.dll
13:43:22.0406 3528 HTTPFilter - ok
13:43:22.0421 3528 i2omgmt - ok
13:43:22.0421 3528 i2omp - ok
13:43:22.0515 3528 [ 4A0B06AA8943C1E332520F7440C0AA30 ] i8042prt C:\WINDOWS\system32\DRIVERS\i8042prt.sys
13:43:22.0671 3528 i8042prt - ok
13:43:23.0078 3528 [ 737DA0BE27652C4482AC5CDE099BFCE9 ] ialm C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
13:43:23.0406 3528 ialm - ok
13:43:23.0453 3528 [ 083A052659F5310DD8B6A6CB05EDCF8E ] Imapi C:\WINDOWS\system32\DRIVERS\imapi.sys
13:43:23.0718 3528 Imapi - ok
13:43:23.0828 3528 [ 30DEAF54A9755BB8546168CFE8A6B5E1 ] ImapiService C:\WINDOWS\system32\imapi.exe
13:43:24.0109 3528 ImapiService - ok
13:43:24.0109 3528 ini910u - ok
13:43:24.0156 3528 [ B5466A9250342A7AA0CD1FBA13420678 ] IntelIde C:\WINDOWS\system32\DRIVERS\intelide.sys
13:43:24.0312 3528 IntelIde - ok
13:43:24.0375 3528 [ 8C953733D8F36EB2133F5BB58808B66B ] intelppm C:\WINDOWS\system32\DRIVERS\intelppm.sys
13:43:24.0546 3528 intelppm - ok
13:43:24.0593 3528 [ 3BB22519A194418D5FEC05D800A19AD0 ] Ip6Fw C:\WINDOWS\system32\drivers\ip6fw.sys
13:43:24.0765 3528 Ip6Fw - ok
13:43:24.0843 3528 [ 731F22BA402EE4B62748ADAF6363C182 ] IpFilterDriver C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
13:43:25.0000 3528 IpFilterDriver - ok
13:43:25.0046 3528 [ B87AB476DCF76E72010632B5550955F5 ] IpInIp C:\WINDOWS\system32\DRIVERS\ipinip.sys
13:43:25.0218 3528 IpInIp - ok
13:43:25.0328 3528 [ CC748EA12C6EFFDE940EE98098BF96BB ] IpNat C:\WINDOWS\system32\DRIVERS\ipnat.sys
13:43:25.0562 3528 IpNat - ok
13:43:25.0609 3528 [ 23C74D75E36E7158768DD63D92789A91 ] IPSec C:\WINDOWS\system32\DRIVERS\ipsec.sys
13:43:25.0765 3528 IPSec - ok
13:43:25.0828 3528 [ C93C9FF7B04D772627A3646D89F7BF89 ] IRENUM C:\WINDOWS\system32\DRIVERS\irenum.sys
13:43:26.0046 3528 IRENUM - ok
13:43:26.0093 3528 [ 05A299EC56E52649B1CF2FC52D20F2D7 ] isapnp C:\WINDOWS\system32\DRIVERS\isapnp.sys
13:43:26.0250 3528 isapnp - ok
13:43:26.0421 3528 [ A12175F063302CD68F8FC6D572D7E5FD ] JavaQuickStarterService C:\Program Files\Java\jre7\bin\jqs.exe
13:43:26.0656 3528 JavaQuickStarterService - ok
13:43:26.0703 3528 [ 463C1EC80CD17420A542B7F36A36F128 ] Kbdclass C:\WINDOWS\system32\DRIVERS\kbdclass.sys
13:43:26.0875 3528 Kbdclass - ok
13:43:26.0921 3528 [ 9EF487A186DEA361AA06913A75B3FA99 ] kbdhid C:\WINDOWS\system32\DRIVERS\kbdhid.sys
13:43:27.0046 3528 kbdhid - ok
13:43:27.0156 3528 [ 692BCF44383D056AED41B045A323D378 ] kmixer C:\WINDOWS\system32\drivers\kmixer.sys
13:43:27.0390 3528 kmixer - ok
13:43:27.0468 3528 [ B467646C54CC746128904E1654C750C1 ] KSecDD C:\WINDOWS\system32\drivers\KSecDD.sys
13:43:27.0593 3528 KSecDD - ok
13:43:27.0687 3528 [ 3A7C3CBE5D96B8AE96CE81F0B22FB527 ] lanmanserver C:\WINDOWS\System32\srvsvc.dll
13:43:27.0765 3528 lanmanserver - ok
13:43:27.0875 3528 [ A8888A5327621856C0CEC4E385F69309 ] lanmanworkstation C:\WINDOWS\System32\wkssvc.dll
13:43:27.0984 3528 lanmanworkstation - ok
13:43:28.0000 3528 lbrtfdc - ok
13:43:28.0046 3528 [ A7DB739AE99A796D91580147E919CC59 ] LmHosts C:\WINDOWS\System32\lmhsvc.dll
13:43:28.0203 3528 LmHosts - ok
13:43:28.0265 3528 [ 0DB7527DB188C7D967A37BB51BBF3963 ] MBAMSwissArmy C:\WINDOWS\system32\drivers\mbamswissarmy.sys
13:43:28.0296 3528 MBAMSwissArmy - ok
13:43:28.0343 3528 [ 986B1FF5814366D71E0AC5755C88F2D3 ] Messenger C:\WINDOWS\System32\msgsvc.dll
13:43:28.0484 3528 Messenger - ok
13:43:28.0609 3528 [ 4AE068242760A1FB6E1A44BF4E16AFA6 ] mnmdd C:\WINDOWS\system32\drivers\mnmdd.sys
13:43:28.0781 3528 mnmdd - ok
13:43:28.0828 3528 [ D18F1F0C101D06A1C1ADF26EED16FCDD ] mnmsrvc C:\WINDOWS\system32\mnmsrvc.exe
13:43:28.0968 3528 mnmsrvc - ok
13:43:29.0015 3528 [ DFCBAD3CEC1C5F964962AE10E0BCC8E1 ] Modem C:\WINDOWS\system32\drivers\Modem.sys
13:43:29.0187 3528 Modem - ok
13:43:29.0234 3528 [ 35C9E97194C8CFB8430125F8DBC34D04 ] Mouclass C:\WINDOWS\system32\DRIVERS\mouclass.sys
13:43:29.0406 3528 Mouclass - ok
13:43:29.0453 3528 [ B1C303E17FB9D46E87A98E4BA6769685 ] mouhid C:\WINDOWS\system32\DRIVERS\mouhid.sys
13:43:29.0640 3528 mouhid - ok
13:43:29.0671 3528 [ A80B9A0BAD1B73637DBCBBA7DF72D3FD ] MountMgr C:\WINDOWS\system32\drivers\MountMgr.sys
13:43:29.0843 3528 MountMgr - ok
13:43:29.0968 3528 [ EE728AF83850DDAD9A3FCAC0AAB3AD97 ] MpFilter C:\WINDOWS\system32\DRIVERS\MpFilter.sys
13:43:30.0000 3528 MpFilter - ok
13:43:30.0000 3528 mraid35x - ok
13:43:30.0125 3528 [ 11D42BB6206F33FBB3BA0288D3EF81BD ] MRxDAV C:\WINDOWS\system32\DRIVERS\mrxdav.sys
13:43:30.0281 3528 MRxDAV - ok
13:43:30.0562 3528 [ 7D304A5EB4344EBEEAB53A2FE3FFB9F0 ] MRxSmb C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
13:43:30.0734 3528 MRxSmb - ok
13:43:30.0765 3528 [ A137F1470499A205ABBB9AAFB3B6F2B1 ] MSDTC C:\WINDOWS\system32\msdtc.exe
13:43:30.0906 3528 MSDTC - ok
13:43:30.0921 3528 [ C941EA2454BA8350021D774DAF0F1027 ] Msfs C:\WINDOWS\system32\drivers\Msfs.sys
13:43:31.0140 3528 Msfs - ok
13:43:31.0156 3528 MSIServer - ok
13:43:31.0171 3528 [ D1575E71568F4D9E14CA56B7B0453BF1 ] MSKSSRV C:\WINDOWS\system32\drivers\MSKSSRV.sys
13:43:31.0296 3528 MSKSSRV - ok
13:43:31.0375 3528 [ E077FCA2A7E79FB9BF67D3E30B5CE593 ] MsMpSvc c:\Program Files\Microsoft Security Client\MsMpEng.exe
13:43:31.0390 3528 MsMpSvc - ok
13:43:31.0406 3528 [ 325BB26842FC7CCC1FCCE2C457317F3E ] MSPCLOCK C:\WINDOWS\system32\drivers\MSPCLOCK.sys
13:43:31.0593 3528 MSPCLOCK - ok
13:43:31.0640 3528 [ BAD59648BA099DA4A17680B39730CB3D ] MSPQM C:\WINDOWS\system32\drivers\MSPQM.sys
13:43:31.0765 3528 MSPQM - ok
13:43:31.0812 3528 [ AF5F4F3F14A8EA2C26DE30F7A1E17136 ] mssmbios C:\WINDOWS\system32\DRIVERS\mssmbios.sys
13:43:31.0953 3528 mssmbios - ok
13:43:32.0031 3528 [ DE6A75F5C270E756C5508D94B6CF68F5 ] Mup C:\WINDOWS\system32\drivers\Mup.sys
13:43:32.0078 3528 Mup - ok
13:43:32.0265 3528 [ 0102140028FAD045756796E1C685D695 ] napagent C:\WINDOWS\System32\qagentrt.dll
13:43:32.0656 3528 napagent - ok
13:43:32.0765 3528 [ 1DF7F42665C94B825322FAE71721130D ] NDIS C:\WINDOWS\system32\drivers\NDIS.sys
13:43:32.0890 3528 NDIS - ok
13:43:32.0921 3528 [ 0109C4F3850DFBAB279542515386AE22 ] NdisTapi C:\WINDOWS\system32\DRIVERS\ndistapi.sys
13:43:32.0968 3528 NdisTapi - ok
13:43:33.0031 3528 [ F927A4434C5028758A842943EF1A3849 ] Ndisuio C:\WINDOWS\system32\DRIVERS\ndisuio.sys
13:43:33.0218 3528 Ndisuio - ok
13:43:33.0265 3528 [ EDC1531A49C80614B2CFDA43CA8659AB ] NdisWan C:\WINDOWS\system32\DRIVERS\ndiswan.sys
13:43:33.0390 3528 NdisWan - ok
13:43:33.0437 3528 [ 9282BD12DFB069D3889EB3FCC1000A9B ] NDProxy C:\WINDOWS\system32\drivers\NDProxy.sys
13:43:33.0468 3528 NDProxy - ok
13:43:33.0562 3528 [ 51C6D8BFBD4EA5B62A1BA7F4469250D3 ] Net Driver HPZ12 C:\WINDOWS\system32\HPZinw12.dll
13:43:33.0593 3528 Net Driver HPZ12 ( UnsignedFile.Multi.Generic ) - warning
13:43:33.0593 3528 Net Driver HPZ12 - detected UnsignedFile.Multi.Generic (1)
13:43:33.0656 3528 [ 5D81CF9A2F1A3A756B66CF684911CDF0 ] NetBIOS C:\WINDOWS\system32\DRIVERS\netbios.sys
13:43:33.0796 3528 NetBIOS - ok
13:43:33.0921 3528 [ 74B2B2F5BEA5E9A3DC021D685551BD3D ] NetBT C:\WINDOWS\system32\DRIVERS\netbt.sys
13:43:34.0046 3528 NetBT - ok
13:43:34.0140 3528 [ B857BA82860D7FF85AE29B095645563B ] NetDDE C:\WINDOWS\system32\netdde.exe
13:43:34.0312 3528 NetDDE - ok
13:43:34.0375 3528 [ B857BA82860D7FF85AE29B095645563B ] NetDDEdsdm C:\WINDOWS\system32\netdde.exe
13:43:34.0593 3528 NetDDEdsdm - ok
13:43:34.0640 3528 [ BF2466B3E18E970D8A976FB95FC1CA85 ] Netlogon C:\WINDOWS\system32\lsass.exe
13:43:34.0765 3528 Netlogon - ok
13:43:34.0875 3528 [ 13E67B55B3ABD7BF3FE7AAE5A0F9A9DE ] Netman C:\WINDOWS\System32\netman.dll
13:43:35.0109 3528 Netman - ok
13:43:35.0250 3528 [ 943337D786A56729263071623BBB9DE5 ] Nla C:\WINDOWS\System32\mswsock.dll
13:43:35.0375 3528 Nla - ok
13:43:35.0406 3528 [ 3182D64AE053D6FB034F44B6DEF8034A ] Npfs C:\WINDOWS\system32\drivers\Npfs.sys
13:43:35.0593 3528 Npfs - ok
13:43:35.0953 3528 [ 78A08DD6A8D65E697C18E1DB01C5CDCA ] Ntfs C:\WINDOWS\system32\drivers\Ntfs.sys
13:43:36.0281 3528 Ntfs - ok
13:43:36.0296 3528 [ BF2466B3E18E970D8A976FB95FC1CA85 ] NtLmSsp C:\WINDOWS\system32\lsass.exe
13:43:36.0421 3528 NtLmSsp - ok
13:43:36.0703 3528 [ 156F64A3345BD23C600655FB4D10BC08 ] NtmsSvc C:\WINDOWS\system32\ntmssvc.dll
13:43:37.0171 3528 NtmsSvc - ok
13:43:37.0203 3528 [ CF7E041663119E09D2E118521ADA9300 ] NuidFltr C:\WINDOWS\system32\DRIVERS\NuidFltr.sys
13:43:37.0218 3528 NuidFltr - ok
13:43:37.0234 3528 [ 73C1E1F395918BC2C6DD67AF7591A3AD ] Null C:\WINDOWS\system32\drivers\Null.sys
13:43:37.0390 3528 Null - ok
13:43:37.0453 3528 [ B305F3FAD35083837EF46A0BBCE2FC57 ] NwlnkFlt C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
13:43:37.0656 3528 NwlnkFlt - ok
13:43:37.0687 3528 [ C99B3415198D1AAB7227F2C88FD664B9 ] NwlnkFwd C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
13:43:37.0843 3528 NwlnkFwd - ok
13:43:37.0875 3528 [ CEC7E2C6C1FA00C7AB2F5434F848AE51 ] OMCI C:\WINDOWS\SYSTEM32\DRIVERS\OMCI.SYS
13:43:37.0906 3528 OMCI ( UnsignedFile.Multi.Generic ) - warning
13:43:37.0906 3528 OMCI - detected UnsignedFile.Multi.Generic (1)
13:43:38.0015 3528 [ 7A56CF3E3F12E8AF599963B16F50FB6A ] ose C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
13:43:38.0078 3528 ose - ok
13:43:38.0125 3528 [ 5575FAF8F97CE5E713D108C2A58D7C7C ] Parport C:\WINDOWS\system32\DRIVERS\parport.sys
13:43:38.0250 3528 Parport - ok
13:43:38.0296 3528 [ BEB3BA25197665D82EC7065B724171C6 ] PartMgr C:\WINDOWS\system32\drivers\PartMgr.sys
13:43:38.0453 3528 PartMgr - ok
13:43:38.0500 3528 [ 70E98B3FD8E963A6A46A2E6247E0BEA1 ] ParVdm C:\WINDOWS\system32\drivers\ParVdm.sys
13:43:38.0718 3528 ParVdm - ok
13:43:38.0750 3528 [ 3ADB8BD6154A3EF87496E8FCE9C22493 ] pavboot C:\WINDOWS\system32\drivers\pavboot.sys
13:43:38.0765 3528 pavboot - ok
13:43:38.0828 3528 [ A219903CCF74233761D92BEF471A07B1 ] PCI C:\WINDOWS\system32\DRIVERS\pci.sys
13:43:39.0000 3528 PCI - ok
13:43:39.0015 3528 PCIDump - ok
13:43:39.0062 3528 [ CCF5F451BB1A5A2A522A76E670000FF0 ] PCIIde C:\WINDOWS\system32\DRIVERS\pciide.sys
13:43:39.0203 3528 PCIIde - ok
13:43:39.0281 3528 [ 9E89EF60E9EE05E3F2EEF2DA7397F1C1 ] Pcmcia C:\WINDOWS\system32\DRIVERS\pcmcia.sys
13:43:39.0437 3528 Pcmcia - ok
13:43:39.0453 3528 PDCOMP - ok
13:43:39.0453 3528 PDFRAME - ok
13:43:39.0468 3528 PDRELI - ok
13:43:39.0468 3528 PDRFRAME - ok
13:43:39.0484 3528 perc2 - ok
13:43:39.0500 3528 perc2hib - ok
13:43:39.0593 3528 [ 65DF52F5B8B6E9BBD183505225C37315 ] PlugPlay C:\WINDOWS\system32\services.exe
13:43:39.0609 3528 PlugPlay - ok
13:43:39.0671 3528 [ 79834AA2FBF9FE81EEBB229024F6F7FC ] Pml Driver HPZ12 C:\WINDOWS\system32\HPZipm12.dll
13:43:39.0703 3528 Pml Driver HPZ12 ( UnsignedFile.Multi.Generic ) - warning
13:43:39.0703 3528 Pml Driver HPZ12 - detected UnsignedFile.Multi.Generic (1)
13:43:39.0734 3528 [ BF2466B3E18E970D8A976FB95FC1CA85 ] PolicyAgent C:\WINDOWS\system32\lsass.exe
13:43:39.0859 3528 PolicyAgent - ok
13:43:39.0890 3528 [ EFEEC01B1D3CF84F16DDD24D9D9D8F99 ] PptpMiniport C:\WINDOWS\system32\DRIVERS\raspptp.sys
13:43:40.0062 3528 PptpMiniport - ok
13:43:40.0078 3528 [ BF2466B3E18E970D8A976FB95FC1CA85 ] ProtectedStorage C:\WINDOWS\system32\lsass.exe
13:43:40.0203 3528 ProtectedStorage - ok
13:43:40.0250 3528 [ 09298EC810B07E5D582CB3A3F9255424 ] PSched C:\WINDOWS\system32\DRIVERS\psched.sys
13:43:40.0390 3528 PSched - ok
13:43:40.0406 3528 [ 80D317BD1C3DBC5D4FE7B1678C60CADD ] Ptilink C:\WINDOWS\system32\DRIVERS\ptilink.sys
13:43:40.0640 3528 Ptilink - ok
13:43:40.0687 3528 [ 30CBAE0A34359F1CD19D1576245149ED ] PxHelp20 C:\WINDOWS\system32\Drivers\PxHelp20.sys
13:43:40.0687 3528 PxHelp20 ( UnsignedFile.Multi.Generic ) - warning
13:43:40.0687 3528 PxHelp20 - detected UnsignedFile.Multi.Generic (1)
13:43:40.0703 3528 ql1080 - ok
13:43:40.0718 3528 Ql10wnt - ok
13:43:40.0718 3528 ql12160 - ok
13:43:40.0734 3528 ql1240 - ok
13:43:40.0750 3528 ql1280 - ok
13:43:40.0781 3528 [ FE0D99D6F31E4FAD8159F690D68DED9C ] RasAcd C:\WINDOWS\system32\DRIVERS\rasacd.sys
13:43:40.0906 3528 RasAcd - ok
13:43:40.0968 3528 [ AD188BE7BDF94E8DF4CA0A55C00A5073 ] RasAuto C:\WINDOWS\System32\rasauto.dll
13:43:41.0218 3528 RasAuto - ok
13:43:41.0265 3528 [ 11B4A627BC9614B885C4969BFA5FF8A6 ] Rasl2tp C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
13:43:41.0406 3528 Rasl2tp - ok
13:43:41.0562 3528 [ 76A9A3CBEADD68CC57CDA5E1D7448235 ] RasMan C:\WINDOWS\System32\rasmans.dll
13:43:41.0843 3528 RasMan - ok
13:43:41.0875 3528 [ 5BC962F2654137C9909C3D4603587DEE ] RasPppoe C:\WINDOWS\system32\DRIVERS\raspppoe.sys
13:43:42.0000 3528 RasPppoe - ok
13:43:42.0015 3528 [ FDBB1D60066FCFBB7452FD8F9829B242 ] Raspti C:\WINDOWS\system32\DRIVERS\raspti.sys
13:43:42.0203 3528 Raspti - ok
13:43:42.0312 3528 [ 7AD224AD1A1437FE28D89CF22B17780A ] Rdbss C:\WINDOWS\system32\DRIVERS\rdbss.sys
13:43:42.0437 3528 Rdbss - ok
13:43:42.0453 3528 [ 4912D5B403614CE99C28420F75353332 ] RDPCDD C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
13:43:42.0671 3528 RDPCDD - ok
13:43:42.0796 3528 [ 43AF5212BD8FB5BA6EED9754358BD8F7 ] RDPWD C:\WINDOWS\system32\drivers\RDPWD.sys
13:43:42.0875 3528 RDPWD - ok
13:43:42.0968 3528 [ 3C37BF86641BDA977C3BF8A840F3B7FA ] RDSessMgr C:\WINDOWS\system32\sessmgr.exe
13:43:43.0171 3528 RDSessMgr - ok
13:43:43.0218 3528 [ F828DD7E1419B6653894A8F97A0094C5 ] redbook C:\WINDOWS\system32\DRIVERS\redbook.sys
13:43:43.0359 3528 redbook - ok
13:43:43.0468 3528 [ 15BA3BCEEB32C4279B27F5C3389E4847 ] RegSrvc C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
13:43:43.0593 3528 RegSrvc ( UnsignedFile.Multi.Generic ) - warning
13:43:43.0593 3528 RegSrvc - detected UnsignedFile.Multi.Generic (1)
13:43:43.0671 3528 [ 7E699FF5F59B5D9DE5390E3C34C67CF5 ] RemoteAccess C:\WINDOWS\System32\mprdim.dll
13:43:43.0828 3528 RemoteAccess - ok
13:43:43.0906 3528 [ 851C30DF2807FCFA21E4C681A7D6440E ] RFCOMM C:\WINDOWS\system32\DRIVERS\rfcomm.sys
13:43:44.0046 3528 RFCOMM - ok
13:43:44.0109 3528 [ AAED593F84AFA419BBAE8572AF87CF6A ] RpcLocator C:\WINDOWS\system32\locator.exe
13:43:44.0281 3528 RpcLocator - ok
13:43:44.0500 3528 [ 6B27A5C03DFB94B4245739065431322C ] RpcSs C:\WINDOWS\system32\rpcss.dll
13:43:44.0671 3528 RpcSs - ok
13:43:44.0781 3528 [ 471B3F9741D762ABE75E9DEEA4787E47 ] RSVP C:\WINDOWS\system32\rsvp.exe
13:43:45.0000 3528 RSVP - ok
13:43:45.0203 3528 [ 79A647519CA3E700E9738153F788FB7D ] S24EventMonitor C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
13:43:45.0703 3528 S24EventMonitor ( UnsignedFile.Multi.Generic ) - warning
13:43:45.0703 3528 S24EventMonitor - detected UnsignedFile.Multi.Generic (1)
13:43:45.0734 3528 [ 81AA6F0D6A2BE1C550F814B036215888 ] s24trans C:\WINDOWS\system32\DRIVERS\s24trans.sys
13:43:45.0812 3528 s24trans ( UnsignedFile.Multi.Generic ) - warning
13:43:45.0812 3528 s24trans - detected UnsignedFile.Multi.Generic (1)
13:43:45.0843 3528 [ BF2466B3E18E970D8A976FB95FC1CA85 ] SamSs C:\WINDOWS\system32\lsass.exe
13:43:45.0953 3528 SamSs - ok
13:43:46.0046 3528 [ 86D007E7A654B9A71D1D7D856B104353 ] SCardSvr C:\WINDOWS\System32\SCardSvr.exe
13:43:46.0328 3528 SCardSvr - ok
13:43:46.0421 3528 [ 0A9A7365A1CA4319AA7C1D6CD8E4EAFA ] Schedule C:\WINDOWS\system32\schedsvc.dll
13:43:46.0703 3528 Schedule - ok
13:43:46.0765 3528 [ 90A3935D05B494A5A39D37E71F09A677 ] Secdrv C:\WINDOWS\system32\DRIVERS\secdrv.sys
13:43:46.0921 3528 Secdrv - ok
13:43:46.0953 3528 [ CBE612E2BB6A10E3563336191EDA1250 ] seclogon C:\WINDOWS\System32\seclogon.dll
13:43:47.0140 3528 seclogon - ok
13:43:47.0187 3528 [ 7FDD5D0684ECA8C1F68B4D99D124DCD0 ] SENS C:\WINDOWS\system32\sens.dll
13:43:47.0359 3528 SENS - ok
13:43:47.0390 3528 [ 0F29512CCD6BEAD730039FB4BD2C85CE ] serenum C:\WINDOWS\system32\DRIVERS\serenum.sys
13:43:47.0515 3528 serenum - ok
13:43:47.0625 3528 [ CCA207A8896D4C6A0C9CE29A4AE411A7 ] Serial C:\WINDOWS\system32\DRIVERS\serial.sys
13:43:47.0781 3528 Serial - ok
13:43:47.0812 3528 [ 8E6B8C671615D126FDC553D1E2DE5562 ] Sfloppy C:\WINDOWS\system32\drivers\Sfloppy.sys
13:43:47.0953 3528 Sfloppy - ok
13:43:48.0171 3528 [ 83F41D0D89645D7235C051AB1D9523AC ] SharedAccess C:\WINDOWS\System32\ipnathlp.dll
13:43:48.0671 3528 SharedAccess - ok
13:43:48.0750 3528 [ 99BC0B50F511924348BE19C7C7313BBF ] ShellHWDetection C:\WINDOWS\System32\shsvcs.dll
13:43:48.0781 3528 ShellHWDetection - ok
13:43:48.0781 3528 Simbad - ok
13:43:48.0796 3528 Sparrow - ok
13:43:48.0812 3528 [ AB8B92451ECB048A4D1DE7C3FFCB4A9F ] splitter C:\WINDOWS\system32\drivers\splitter.sys
13:43:48.0937 3528 splitter - ok
13:43:49.0000 3528 [ 60784F891563FB1B767F70117FC2428F ] Spooler C:\WINDOWS\system32\spoolsv.exe
13:43:49.0031 3528 Spooler - ok
13:43:49.0093 3528 [ 76BB022C2FB6902FD5BDD4F78FC13A5D ] sr C:\WINDOWS\system32\DRIVERS\sr.sys
13:43:49.0218 3528 sr - ok
13:43:49.0343 3528 [ 3805DF0AC4296A34BA4BF93B346CC378 ] srservice C:\WINDOWS\system32\srsvc.dll
13:43:49.0609 3528 srservice - ok
13:43:49.0796 3528 [ 47DDFC2F003F7F9F0592C6874962A2E7 ] Srv C:\WINDOWS\system32\DRIVERS\srv.sys
13:43:49.0937 3528 Srv - ok
13:43:49.0984 3528 [ D7968049BE0ADBB6A57CEE3960320911 ] sscdbhk5 C:\WINDOWS\system32\drivers\sscdbhk5.sys
13:43:50.0015 3528 sscdbhk5 ( UnsignedFile.Multi.Generic ) - warning
13:43:50.0015 3528 sscdbhk5 - detected UnsignedFile.Multi.Generic (1)
13:43:50.0062 3528 [ 0A5679B3714EDAB99E357057EE88FCA6 ] SSDPSRV C:\WINDOWS\System32\ssdpsrv.dll
13:43:50.0250 3528 SSDPSRV - ok
13:43:50.0296 3528 [ C3FFD65ABFB6441E7606CF74F1155273 ] ssrtln C:\WINDOWS\system32\drivers\ssrtln.sys
13:43:50.0296 3528 ssrtln ( UnsignedFile.Multi.Generic ) - warning
13:43:50.0296 3528 ssrtln - detected UnsignedFile.Multi.Generic (1)
13:43:50.0453 3528 [ 305CC42945A713347F978D78566113F3 ] STAC97 C:\WINDOWS\system32\drivers\STAC97.sys
13:43:50.0500 3528 STAC97 - ok
13:43:50.0531 3528 [ A9573045BAA16EAB9B1085205B82F1ED ] StillCam C:\WINDOWS\system32\DRIVERS\serscan.sys
13:43:50.0718 3528 StillCam - ok
13:43:50.0906 3528 [ 8BAD69CBAC032D4BBACFCE0306174C30 ] stisvc C:\WINDOWS\system32\wiaservc.dll
13:43:51.0421 3528 stisvc - ok
13:43:51.0453 3528 [ 3941D127AEF12E93ADDF6FE6EE027E0F ] swenum C:\WINDOWS\system32\DRIVERS\swenum.sys
13:43:51.0593 3528 swenum - ok
13:43:51.0671 3528 [ 8CE882BCC6CF8A62F2B2323D95CB3D01 ] swmidi C:\WINDOWS\system32\drivers\swmidi.sys
13:43:51.0843 3528 swmidi - ok
13:43:51.0843 3528 SwPrv - ok
13:43:51.0859 3528 symc810 - ok
13:43:51.0875 3528 symc8xx - ok
13:43:51.0875 3528 sym_hi - ok
13:43:51.0890 3528 sym_u3 - ok
13:43:51.0953 3528 [ 8B83F3ED0F1688B4958F77CD6D2BF290 ] sysaudio C:\WINDOWS\system32\drivers\sysaudio.sys
13:43:52.0093 3528 sysaudio - ok
13:43:52.0156 3528 [ C7ABBC59B43274B1109DF6B24D617051 ] SysmonLog C:\WINDOWS\system32\smlogsvc.exe
13:43:52.0296 3528 SysmonLog - ok
13:43:52.0437 3528 [ 3CB78C17BB664637787C9A1C98F79C38 ] TapiSrv C:\WINDOWS\System32\tapisrv.dll
13:43:52.0687 3528 TapiSrv - ok
13:43:52.0890 3528 [ 9AEFA14BD6B182D61E3119FA5F436D3D ] Tcpip C:\WINDOWS\system32\DRIVERS\tcpip.sys
13:43:53.0078 3528 Tcpip - ok
13:43:53.0125 3528 [ 6471A66807F5E104E4885F5B67349397 ] TDPIPE C:\WINDOWS\system32\drivers\TDPIPE.sys
13:43:53.0250 3528 TDPIPE - ok
13:43:53.0312 3528 [ C56B6D0402371CF3700EB322EF3AAF61 ] TDTCP C:\WINDOWS\system32\drivers\TDTCP.sys
13:43:53.0468 3528 TDTCP - ok
13:43:53.0515 3528 [ 88155247177638048422893737429D9E ] TermDD C:\WINDOWS\system32\DRIVERS\termdd.sys
13:43:53.0734 3528 TermDD - ok
13:43:53.0906 3528 [ FF3477C03BE7201C294C35F684B3479F ] TermService C:\WINDOWS\System32\termsrv.dll
13:43:54.0187 3528 TermService - ok
13:43:54.0265 3528 [ 1D265CD2FB1673A0873BF8CEC19DDC7F ] tfsnboio C:\WINDOWS\system32\dla\tfsnboio.sys
13:43:54.0296 3528 tfsnboio ( UnsignedFile.Multi.Generic ) - warning
13:43:54.0296 3528 tfsnboio - detected UnsignedFile.Multi.Generic (1)
13:43:54.0343 3528 [ 62E4901295E0467CAC78E5B4B131AE5C ] tfsncofs C:\WINDOWS\system32\dla\tfsncofs.sys
13:43:54.0375 3528 tfsncofs ( UnsignedFile.Multi.Generic ) - warning
13:43:54.0375 3528 tfsncofs - detected UnsignedFile.Multi.Generic (1)
13:43:54.0406 3528 [ A2F380F9252AB3464C859ADF91EEAD9C ] tfsndrct C:\WINDOWS\system32\dla\tfsndrct.sys
13:43:54.0437 3528 tfsndrct ( UnsignedFile.Multi.Generic ) - warning
13:43:54.0437 3528 tfsndrct - detected UnsignedFile.Multi.Generic (1)
13:43:54.0484 3528 [ EEE79BBEFE9C6A2A3CE6C8753CFEA950 ] tfsndres C:\WINDOWS\system32\dla\tfsndres.sys
13:43:54.0484 3528 tfsndres ( UnsignedFile.Multi.Generic ) - warning
13:43:54.0484 3528 tfsndres - detected UnsignedFile.Multi.Generic (1)
13:43:54.0546 3528 [ 9D644EB11FEC9487450C4CFCD63A5DF4 ] tfsnifs C:\WINDOWS\system32\dla\tfsnifs.sys
13:43:54.0671 3528 tfsnifs ( UnsignedFile.Multi.Generic ) - warning
13:43:54.0671 3528 tfsnifs - detected UnsignedFile.Multi.Generic (1)
13:43:54.0718 3528 [ E656AF05C67EDB7C0E9230A5DF71ED1B ] tfsnopio C:\WINDOWS\system32\dla\tfsnopio.sys
13:43:54.0750 3528 tfsnopio ( UnsignedFile.Multi.Generic ) - warning
13:43:54.0750 3528 tfsnopio - detected UnsignedFile.Multi.Generic (1)
13:43:54.0750 3528 [ 64FCCB9CCE703CA507DFFC3CEBF6B2CB ] tfsnpool C:\WINDOWS\system32\dla\tfsnpool.sys
13:43:54.0765 3528 tfsnpool ( UnsignedFile.Multi.Generic ) - warning
13:43:54.0765 3528 tfsnpool - detected UnsignedFile.Multi.Generic (1)
13:43:54.0843 3528 [ 48BC9D8AB4E4B9BFF70FB18E55CEC3D6 ] tfsnudf C:\WINDOWS\system32\dla\tfsnudf.sys
13:43:54.0843 3528 tfsnudf ( UnsignedFile.Multi.Generic ) - warning
13:43:54.0843 3528 tfsnudf - detected UnsignedFile.Multi.Generic (1)
13:43:54.0906 3528 [ 79F60822224256B49BFC855DA8D651D5 ] tfsnudfa C:\WINDOWS\system32\dla\tfsnudfa.sys
13:43:54.0937 3528 tfsnudfa ( UnsignedFile.Multi.Generic ) - warning
13:43:54.0937 3528 tfsnudfa - detected UnsignedFile.Multi.Generic (1)
13:43:55.0031 3528 [ 99BC0B50F511924348BE19C7C7313BBF ] Themes C:\WINDOWS\System32\shsvcs.dll
13:43:55.0046 3528 Themes - ok
13:43:55.0046 3528 TosIde - ok
13:43:55.0125 3528 [ 55BCA12F7F523D35CA3CB833C725F54E ] TrkWks C:\WINDOWS\system32\trkwks.dll
13:43:55.0312 3528 TrkWks - ok
13:43:55.0390 3528 [ 5787B80C2E3C5E2F56C2A233D91FA2C9 ] Udfs C:\WINDOWS\system32\drivers\Udfs.sys
13:43:55.0562 3528 Udfs - ok
13:43:55.0562 3528 ultra - ok
13:43:55.0875 3528 [ 402DDC88356B1BAC0EE3DD1580C76A31 ] Update C:\WINDOWS\system32\DRIVERS\update.sys
13:43:56.0171 3528 Update - ok
13:43:56.0281 3528 [ 1EBAFEB9A3FBDC41B8D9C7F0F687AD91 ] upnphost C:\WINDOWS\System32\upnphost.dll
13:43:56.0578 3528 upnphost - ok
13:43:56.0656 3528 [ 05365FB38FCA1E98F7A566AAAF5D1815 ] UPS C:\WINDOWS\System32\ups.exe
13:43:56.0812 3528 UPS - ok
13:43:56.0859 3528 [ 173F317CE0DB8E21322E71B7E60A27E8 ] usbccgp C:\WINDOWS\system32\DRIVERS\usbccgp.sys
13:43:57.0000 3528 usbccgp - ok
13:43:57.0046 3528 [ 65DCF09D0E37D4C6B11B5B0B76D470A7 ] usbehci C:\WINDOWS\system32\DRIVERS\usbehci.sys
13:43:57.0203 3528 usbehci - ok
13:43:57.0234 3528 [ 1AB3CDDE553B6E064D2E754EFE20285C ] usbhub C:\WINDOWS\system32\DRIVERS\usbhub.sys
13:43:57.0359 3528 usbhub - ok
13:43:57.0406 3528 [ A717C8721046828520C9EDF31288FC00 ] usbprint C:\WINDOWS\system32\DRIVERS\usbprint.sys
13:43:57.0546 3528 usbprint - ok
13:43:57.0578 3528 [ A0B8CF9DEB1184FBDD20784A58FA75D4 ] usbscan C:\WINDOWS\system32\DRIVERS\usbscan.sys
13:43:57.0734 3528 usbscan - ok
13:43:57.0765 3528 [ A32426D9B14A089EAA1D922E0C5801A9 ] USBSTOR C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
13:43:57.0937 3528 USBSTOR - ok
13:43:57.0968 3528 [ 26496F9DEE2D787FC3E61AD54821FFE6 ] usbuhci C:\WINDOWS\system32\DRIVERS\usbuhci.sys
13:43:58.0093 3528 usbuhci - ok
13:43:58.0125 3528 [ 0D3A8FAFCEACD8B7625CD549757A7DF1 ] VgaSave C:\WINDOWS\System32\drivers\vga.sys
13:43:58.0250 3528 VgaSave - ok
13:43:58.0265 3528 ViaIde - ok
13:43:58.0296 3528 [ 4C8FCB5CC53AAB716D810740FE59D025 ] VolSnap C:\WINDOWS\system32\drivers\VolSnap.sys
13:43:58.0453 3528 VolSnap - ok
13:43:58.0640 3528 [ 7A9DB3A67C333BF0BD42E42B8596854B ] VSS C:\WINDOWS\System32\vssvc.exe
13:43:58.0906 3528 VSS - ok
13:43:59.0015 3528 [ 54AF4B1D5459500EF0937F6D33B1914F ] W32Time C:\WINDOWS\system32\w32time.dll
13:43:59.0265 3528 W32Time - ok
13:43:59.0312 3528 [ E20B95BAEDB550F32DD489265C1DA1F6 ] Wanarp C:\WINDOWS\system32\DRIVERS\wanarp.sys
13:43:59.0453 3528 Wanarp - ok
13:43:59.0734 3528 [ FD47474BD21794508AF449D9D91AF6E6 ] Wdf01000 C:\WINDOWS\system32\DRIVERS\Wdf01000.sys
13:43:59.0890 3528 Wdf01000 - ok
13:43:59.0890 3528 WDICA - ok
13:43:59.0953 3528 [ 6768ACF64B18196494413695F0C3A00F ] wdmaud C:\WINDOWS\system32\drivers\wdmaud.sys
13:44:00.0109 3528 wdmaud - ok
13:44:00.0156 3528 [ 77A354E28153AD2D5E120A5A8687BC06 ] WebClient C:\WINDOWS\System32\webclnt.dll
13:44:00.0343 3528 WebClient - ok
13:44:00.0500 3528 [ 2D0E4ED081963804CCC196A0929275B5 ] winmgmt C:\WINDOWS\system32\wbem\WMIsvc.dll
13:44:00.0796 3528 winmgmt - ok
13:44:00.0937 3528 [ 43ED73F10DE96E0A23244BD9CF04F5C2 ] WLANKEEPER C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
13:44:01.0062 3528 WLANKEEPER ( UnsignedFile.Multi.Generic ) - warning
13:44:01.0062 3528 WLANKEEPER - detected UnsignedFile.Multi.Generic (1)
13:44:01.0078 3528 wltrysvc - ok
13:44:01.0140 3528 [ C7E39EA41233E9F5B86C8DA3A9F1E4A8 ] WmdmPmSN C:\WINDOWS\system32\mspmsnsv.dll
13:44:01.0296 3528 WmdmPmSN - ok
13:44:01.0421 3528 [ E0673F1106E62A68D2257E376079F821 ] WmiApSrv C:\WINDOWS\system32\wbem\wmiapsrv.exe
13:44:01.0703 3528 WmiApSrv - ok
13:44:01.0765 3528 [ 7C278E6408D1DCE642230C0585A854D5 ] wscsvc C:\WINDOWS\system32\wscsvc.dll
13:44:01.0937 3528 wscsvc - ok
13:44:01.0953 3528 [ 35321FB577CDC98CE3EB3A3EB9E4610A ] wuauserv C:\WINDOWS\system32\wuauserv.dll
13:44:02.0109 3528 wuauserv - ok
13:44:02.0375 3528 [ 81DC3F549F44B1C1FFF022DEC9ECF30B ] WZCSVC C:\WINDOWS\System32\wzcsvc.dll
13:44:02.0921 3528 WZCSVC - ok
13:44:03.0000 3528 [ 295D21F14C335B53CB8154E5B1F892B9 ] xmlprov C:\WINDOWS\System32\xmlprov.dll
13:44:03.0203 3528 xmlprov - ok
13:44:03.0218 3528 ================ Scan global ===============================
13:44:03.0296 3528 [ 42F1F4C0AFB08410E5F02D4B13EBB623 ] C:\WINDOWS\system32\basesrv.dll
13:44:03.0468 3528 [ 8C7DCA4B158BF16894120786A7A5F366 ] C:\WINDOWS\system32\winsrv.dll
13:44:03.0765 3528 [ 8C7DCA4B158BF16894120786A7A5F366 ] C:\WINDOWS\system32\winsrv.dll
13:44:03.0843 3528 [ 65DF52F5B8B6E9BBD183505225C37315 ] C:\WINDOWS\system32\services.exe
13:44:03.0843 3528 [Global] - ok
13:44:03.0843 3528 ================ Scan MBR ==================================
13:44:03.0875 3528 [ 8F558EB6672622401DA993E1E865C861 ] \Device\Harddisk0\DR0
13:44:04.0187 3528 \Device\Harddisk0\DR0 - ok
13:44:04.0187 3528 ================ Scan VBR ==================================
13:44:04.0203 3528 [ 280B154D3EBBB7E425741C9B38CF9355 ] \Device\Harddisk0\DR0\Partition1
13:44:04.0203 3528 \Device\Harddisk0\DR0\Partition1 - ok
13:44:04.0203 3528 ============================================================
13:44:04.0203 3528 Scan finished
13:44:04.0203 3528 ============================================================
13:44:04.0328 0592 Detected object count: 28
13:44:04.0328 0592 Actual detected object count: 28
13:45:11.0468 0592 AegisP ( UnsignedFile.Multi.Generic ) - skipped by user
13:45:11.0468 0592 AegisP ( UnsignedFile.Multi.Generic ) - User select action: Skip
13:45:11.0468 0592 BrPar ( UnsignedFile.Multi.Generic ) - skipped by user
13:45:11.0468 0592 BrPar ( UnsignedFile.Multi.Generic ) - User select action: Skip
13:45:11.0468 0592 cercsr6 ( UnsignedFile.Multi.Generic ) - skipped by user
13:45:11.0468 0592 cercsr6 ( UnsignedFile.Multi.Generic ) - User select action: Skip
13:45:11.0468 0592 drvmcdb ( UnsignedFile.Multi.Generic ) - skipped by user
13:45:11.0468 0592 drvmcdb ( UnsignedFile.Multi.Generic ) - User select action: Skip
13:45:11.0468 0592 drvnddm ( UnsignedFile.Multi.Generic ) - skipped by user
13:45:11.0468 0592 drvnddm ( UnsignedFile.Multi.Generic ) - User select action: Skip
13:45:11.0468 0592 EapHost ( UnsignedFile.Multi.Generic ) - skipped by user
13:45:11.0468 0592 EapHost ( UnsignedFile.Multi.Generic ) - User select action: Skip
13:45:11.0468 0592 EvtEng ( UnsignedFile.Multi.Generic ) - skipped by user
13:45:11.0468 0592 EvtEng ( UnsignedFile.Multi.Generic ) - User select action: Skip
13:45:11.0468 0592 hpqcxs08 ( UnsignedFile.Multi.Generic ) - skipped by user
13:45:11.0468 0592 hpqcxs08 ( UnsignedFile.Multi.Generic ) - User select action: Skip
13:45:11.0468 0592 HPSLPSVC ( UnsignedFile.Multi.Generic ) - skipped by user
13:45:11.0468 0592 HPSLPSVC ( UnsignedFile.Multi.Generic ) - User select action: Skip
13:45:11.0468 0592 Net Driver HPZ12 ( UnsignedFile.Multi.Generic ) - skipped by user
13:45:11.0468 0592 Net Driver HPZ12 ( UnsignedFile.Multi.Generic ) - User select action: Skip
13:45:11.0484 0592 OMCI ( UnsignedFile.Multi.Generic ) - skipped by user
13:45:11.0484 0592 OMCI ( UnsignedFile.Multi.Generic ) - User select action: Skip
13:45:11.0484 0592 Pml Driver HPZ12 ( UnsignedFile.Multi.Generic ) - skipped by user
13:45:11.0484 0592 Pml Driver HPZ12 ( UnsignedFile.Multi.Generic ) - User select action: Skip
13:45:11.0484 0592 PxHelp20 ( UnsignedFile.Multi.Generic ) - skipped by user
13:45:11.0484 0592 PxHelp20 ( UnsignedFile.Multi.Generic ) - User select action: Skip
13:45:11.0484 0592 RegSrvc ( UnsignedFile.Multi.Generic ) - skipped by user
13:45:11.0484 0592 RegSrvc ( UnsignedFile.Multi.Generic ) - User select action: Skip
13:45:11.0484 0592 S24EventMonitor ( UnsignedFile.Multi.Generic ) - skipped by user
13:45:11.0484 0592 S24EventMonitor ( UnsignedFile.Multi.Generic ) - User select action: Skip
13:45:11.0484 0592 s24trans ( UnsignedFile.Multi.Generic ) - skipped by user
13:45:11.0484 0592 s24trans ( UnsignedFile.Multi.Generic ) - User select action: Skip
13:45:11.0484 0592 sscdbhk5 ( UnsignedFile.Multi.Generic ) - skipped by user
13:45:11.0484 0592 sscdbhk5 ( UnsignedFile.Multi.Generic ) - User select action: Skip
13:45:11.0484 0592 ssrtln ( UnsignedFile.Multi.Generic ) - skipped by user
13:45:11.0484 0592 ssrtln ( UnsignedFile.Multi.Generic ) - User select action: Skip
13:45:11.0484 0592 tfsnboio ( UnsignedFile.Multi.Generic ) - skipped by user
13:45:11.0484 0592 tfsnboio ( UnsignedFile.Multi.Generic ) - User select action: Skip
13:45:11.0484 0592 tfsncofs ( UnsignedFile.Multi.Generic ) - skipped by user
13:45:11.0484 0592 tfsncofs ( UnsignedFile.Multi.Generic ) - User select action: Skip
13:45:11.0484 0592 tfsndrct ( UnsignedFile.Multi.Generic ) - skipped by user
13:45:11.0484 0592 tfsndrct ( UnsignedFile.Multi.Generic ) - User select action: Skip
13:45:11.0484 0592 tfsndres ( UnsignedFile.Multi.Generic ) - skipped by user
13:45:11.0484 0592 tfsndres ( UnsignedFile.Multi.Generic ) - User select action: Skip
13:45:11.0500 0592 tfsnifs ( UnsignedFile.Multi.Generic ) - skipped by user
13:45:11.0500 0592 tfsnifs ( UnsignedFile.Multi.Generic ) - User select action: Skip
13:45:11.0500 0592 tfsnopio ( UnsignedFile.Multi.Generic ) - skipped by user
13:45:11.0500 0592 tfsnopio ( UnsignedFile.Multi.Generic ) - User select action: Skip
13:45:11.0500 0592 tfsnpool ( UnsignedFile.Multi.Generic ) - skipped by user
13:45:11.0500 0592 tfsnpool ( UnsignedFile.Multi.Generic ) - User select action: Skip
13:45:11.0500 0592 tfsnudf ( UnsignedFile.Multi.Generic ) - skipped by user
13:45:11.0500 0592 tfsnudf ( UnsignedFile.Multi.Generic ) - User select action: Skip
13:45:11.0500 0592 tfsnudfa ( UnsignedFile.Multi.Generic ) - skipped by user
13:45:11.0500 0592 tfsnudfa ( UnsignedFile.Multi.Generic ) - User select action: Skip
13:45:11.0500 0592 WLANKEEPER ( UnsignedFile.Multi.Generic ) - skipped by user
13:45:11.0500 0592 WLANKEEPER ( UnsignedFile.Multi.Generic ) - User select action: Skip
helpintoledo
Regular Member
 
Posts: 52
Joined: February 24th, 2010, 9:39 pm
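
A small triage script for the TDSSKiller log above. This is an added example, not part of the post and not code from Kaspersky. TDSSKiller writes one `[ MD5 ] ServiceName Path` line per object it hashes, then a `Name - detected Verdict (n)` line for anything it flags, and at the end a `Name ( Verdict ) - User select action: X` line recording what was chosen in the dialog. The script joins those three shapes by service name so every detection comes out with its hash and on-disk path, ready for a hash lookup or a signature check, and it separates the `UnsignedFile.Multi.Generic` verdict (the file carries no valid digital signature, a heuristic rather than a malware verdict, which is why all 28 were skipped above) from any named verdict. The sample log is constructed from lines in the thread; the `Net Driver HPZ12` object line, its all-zero hash and its path are placeholders added only to exercise service names that contain spaces.

```python
"""Triage helper for a TDSSKiller text log (added example, not from the post).

Line shapes handled:
    HH:MM:SS.ffff PID [ MD5 ] ServiceName Path          one per scanned object
    HH:MM:SS.ffff PID ServiceName - detected Verdict (n)
    HH:MM:SS.ffff PID ServiceName ( Verdict ) - User select action: Action
    HH:MM:SS.ffff PID Detected object count: N
"""
import re
from typing import Dict, List, Optional, Tuple

# Service names may contain spaces ("Net Driver HPZ12"), so the path is found
# by its drive-letter prefix rather than by splitting on whitespace.  MBR/VBR
# objects have a \Device\... name and no path.
OBJECT_RE = re.compile(r"^\S+ \d+ \[ (?P<md5>[0-9A-Fa-f]{32}) \] (?P<rest>.+)$")
REST_RE = re.compile(r"^(?P<name>.+?)(?: (?P<path>[A-Za-z]:\\.*))?$")
DETECTED_RE = re.compile(
    r"^\S+ \d+ (?P<name>.+?) - detected (?P<verdict>\S+) \((?P<count>\d+)\)$")
ACTION_RE = re.compile(
    r"^\S+ \d+ (?P<name>.+?) \( (?P<verdict>\S+) \) - User select action: (?P<action>\S+)$")
DECLARED_RE = re.compile(r"^\S+ \d+ Detected object count: (?P<n>\d+)$")

GENERIC_UNSIGNED = "UnsignedFile.Multi.Generic"  # no valid signature; not a malware verdict

# Constructed sample: real lines from the thread plus one placeholder object
# ("Net Driver HPZ12", zero hash, made-up path) to exercise multi-word names.
SAMPLE_LOG = r"""
13:43:40.0000 3528 [ 00000000000000000000000000000000 ] Net Driver HPZ12 C:\Program Files\Example\netdrv.exe
13:43:40.0000 3528 Net Driver HPZ12 - detected UnsignedFile.Multi.Generic (1)
13:43:54.0265 3528 [ 1D265CD2FB1673A0873BF8CEC19DDC7F ] tfsnboio C:\WINDOWS\system32\dla\tfsnboio.sys
13:43:54.0296 3528 tfsnboio ( UnsignedFile.Multi.Generic ) - warning
13:43:54.0296 3528 tfsnboio - detected UnsignedFile.Multi.Generic (1)
13:43:55.0031 3528 [ 99BC0B50F511924348BE19C7C7313BBF ] Themes C:\WINDOWS\System32\shsvcs.dll
13:43:55.0046 3528 Themes - ok
13:44:00.0937 3528 [ 43ED73F10DE96E0A23244BD9CF04F5C2 ] WLANKEEPER C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
13:44:01.0062 3528 WLANKEEPER - detected UnsignedFile.Multi.Generic (1)
13:44:03.0875 3528 [ 8F558EB6672622401DA993E1E865C861 ] \Device\Harddisk0\DR0
13:44:04.0187 3528 \Device\Harddisk0\DR0 - ok
13:44:04.0328 0592 Detected object count: 3
13:44:04.0328 0592 Actual detected object count: 3
13:45:11.0468 0592 Net Driver HPZ12 ( UnsignedFile.Multi.Generic ) - User select action: Skip
13:45:11.0484 0592 tfsnboio ( UnsignedFile.Multi.Generic ) - User select action: Skip
13:45:11.0500 0592 WLANKEEPER ( UnsignedFile.Multi.Generic ) - User select action: Skip
"""


def parse_tdsskiller(text: str) -> List[Dict[str, Optional[str]]]:
    """One record per detected object: name, verdict, md5, path, action."""
    objects: Dict[str, Dict[str, Optional[str]]] = {}
    detections: Dict[str, Dict[str, Optional[str]]] = {}
    for line in text.splitlines():
        m = OBJECT_RE.match(line)
        if m:
            r = REST_RE.match(m.group("rest"))
            objects[r.group("name")] = {"md5": m.group("md5").upper(),
                                        "path": r.group("path")}
            continue
        m = DETECTED_RE.match(line)
        if m:
            name = m.group("name")
            obj = objects.get(name, {"md5": None, "path": None})
            detections[name] = {"name": name, "verdict": m.group("verdict"),
                                "md5": obj["md5"], "path": obj["path"],
                                "action": None}
            continue
        m = ACTION_RE.match(line)
        if m and m.group("name") in detections:
            detections[m.group("name")]["action"] = m.group("action")
    return list(detections.values())


def declared_count(text: str) -> Optional[int]:
    """The count TDSSKiller itself reports, to cross-check the parse."""
    for line in text.splitlines():
        m = DECLARED_RE.match(line)
        if m:
            return int(m.group("n"))
    return None


def triage(records: List[Dict[str, Optional[str]]]) -> Tuple[list, list]:
    """Split the generic unsigned-file heuristic from named verdicts.
    Unsigned OEM, CD-burning and wireless drivers are routine on XP; a named
    verdict is what deserves a hash lookup first."""
    generic = [r for r in records if r["verdict"] == GENERIC_UNSIGNED]
    other = [r for r in records if r["verdict"] != GENERIC_UNSIGNED]
    return generic, other


if __name__ == "__main__":
    recs = parse_tdsskiller(SAMPLE_LOG)
    print(f"parsed {len(recs)} detections, log declares {declared_count(SAMPLE_LOG)}")
    for r in recs:
        print(f'{r["verdict"]:28} {r["md5"]}  {r["name"]:18} {r["path"]}  action={r["action"]}')
```

Run it against the real log by replacing `SAMPLE_LOG` with the file contents; if the parsed count differs from the declared count, a line shape the script does not know about is present and the log should be read by hand.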

Re: Slow windows XP laptop with rootkit evidence

Unread postby deltalima » January 20th, 2013, 2:55 pm

Hi helpintoledo,

ComboFix
Please download ComboFix.exe... © Copyrighted to sUBs. Save it to your desktop. <<--- IMPORTANT!!
If you previously downloaded ComboFix, please delete that version and download it again. This tool is frequently updated.

The first thing you need to do is print out How-To-Use-ComboFix. Read these instructions thoroughly.
You will not have Internet access when you execute ComboFix.
Please disable any Antivirus or Firewall you have active, as shown in this topic. Close all open application windows.

  1. Double click the ComboFix.exe icon on your desktop to begin execution. If you receive the "Open File - Security Warning"... press Run.
  2. Press Yes to the Disclaimer prompt.
    ComboFix screen appears... preparing to run. ComboFix will now begin creating a System Restore Point and then backup your registry.
  3. For XP users: If not already installed... Press "Yes" to any "Recovery Console" prompts.
    Do Not use your keyboard or mouse click anywhere in the ComboFix window, as this may cause the program to stall or crash!
    When finished... Notepad will open ... ComboFix will produce a log file called "ComboFix.txt".
  4. Please copy/paste the contents of ComboFix.txt... in your next reply.
Do NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert. It is a powerful tool intended by its creator to be used under the guidance and supervision of an expert, NOT for general public or personal use. Using this tool incorrectly could lead to serious problems with your operating system such as preventing it from ever starting again. This site, sUBs and myself will not be responsible for any damage caused to your machine by misusing or running ComboFix on your own. Please read Combofix's Disclaimer.

** Enable your Antivirus and Firewall, before connecting to the Internet again! **
deltalima
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: Slow windows XP laptop with rootkit evidence

Unread postby helpintoledo » January 20th, 2013, 3:52 pm

During the ComboFix run, showing a step number in the 20's, I received a BSOD Stop Error.

It was Stop 0x000000CA(0x00000004, 0xFE6C59D8, 0x00, 0x00)
Plug and play detected an error most likely caused by a faulty driver.

Should I try to update drivers with Windows update, or should I simply attempt another run of ComboFix?
helpintoledo
Regular Member
 
Posts: 52
Joined: February 24th, 2010, 9:39 pm

Re: Slow windows XP laptop with rootkit evidence

Unread postby deltalima » January 20th, 2013, 4:01 pm

Should I try to update drivers with Windows update


No, don't update any drivers.

Reboot and run Combofix again, if it still fails then run it in safe mode.
deltalima
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: Slow windows XP laptop with rootkit evidence

Unread postby helpintoledo » January 20th, 2013, 4:35 pm

ComboFix 13-01-17.04 - Marc 01/19/2013 15:04:34.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1271.846 [GMT -8:00]
Running from: c:\documents and settings\Marc\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\AutoRun.inf
c:\windows\system32\drivers\atv06nt5.dll
c:\windows\system32\URTTemp
c:\windows\wininit.ini
c:\windows\WINNT32.LOG
c:\windows\WinSecurity
.
Infected copy of c:\windows\system32\sprestrt.exe was found and disinfected
Restored copy from - c:\i386\sprestrt.exe
.
.
((((((((((((((((((((((((( Files Created from 2012-12-19 to 2013-01-19 )))))))))))))))))))))))))))))))
.
.
2013-01-19 22:50 . 2013-01-08 04:57 6991832 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{E1F7541A-42C5-4AB5-8261-6B21B98FDD10}\mpengine.dll
2013-01-12 00:50 . 2012-11-08 18:00 6812136 ----a-w- c:\documents and settings\All Users.WINDOWS\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2013-01-09 15:39 . 2013-01-09 15:39 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2013-01-09 15:38 . 2013-01-09 15:38 -------- d-----w- c:\documents and settings\Marc\Application Data\Malwarebytes
2013-01-09 15:37 . 2013-01-09 15:37 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
2013-01-09 15:37 . 2013-01-09 15:38 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2013-01-09 15:37 . 2012-12-15 00:49 21104 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-01-09 03:31 . 2013-01-09 03:31 -------- d-sh--w- c:\documents and settings\LocalService.NT AUTHORITY\IETldCache
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-01-09 03:31 . 2012-08-08 05:23 697864 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2013-01-09 03:31 . 2011-05-18 19:52 74248 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-12-16 12:23 . 2004-08-04 12:00 290560 ----a-w- c:\windows\system32\atmfd.dll
2012-11-13 01:25 . 2004-08-04 12:00 1866368 ------w- c:\windows\system32\win32k.sys
2012-11-02 02:02 . 2004-08-04 12:00 375296 ------w- c:\windows\system32\dpnet.dll
2012-11-01 12:17 . 2004-08-04 12:00 916992 ----a-w- c:\windows\system32\wininet.dll
2012-11-01 12:17 . 2004-08-04 12:00 43520 ------w- c:\windows\system32\licmgr10.dll
2012-11-01 12:17 . 2004-08-04 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2012-11-01 00:35 . 2004-08-04 12:00 385024 ------w- c:\windows\system32\html.iec
2005-09-16 01:26 . 2005-07-29 21:59 94208 -c--a-w- c:\program files\mozilla firefox\components\BrandRes.dll
2005-09-16 01:26 . 2005-07-29 21:59 150912 ----a-w- c:\program files\mozilla firefox\components\fullsoft.dll
2006-11-27 21:01 . 2006-11-27 21:00 156672 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2005-09-16 01:26 . 2005-07-29 21:59 41573 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2005-09-16 01:26 . 2005-07-29 21:59 48223 -c--a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2005-09-16 01:26 . 2005-07-29 21:59 8813 ----a-w- c:\program files\mozilla firefox\components\qfaservices.dll
2005-09-16 01:26 . 2005-07-29 21:59 160871 -c--a-w- c:\program files\mozilla firefox\components\xpinstal.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-03-10 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dell Wireless Manager UI"="c:\windows\system32\WLTRAY" [X]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-08-13 122939]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-26 53248]
"AirPort Base Station Agent"="c:\program files\AirPort\APAgent.exe" [2007-08-08 643072]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-02-15 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-02-15 126976]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 385024]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-09-13 947176]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-07-03 252848]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-08 00:08 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AirPort\\APAgent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:UDP"= 5353:UDP:Bonjour
.
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [8/7/2012 7:30 PM 28552]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [1/9/2013 7:39 AM 40776]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08
.
Contents of the 'Scheduled Tasks' folder
.
2013-01-19 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-08-08 03:31]
.
2013-01-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-10 23:05]
.
2013-01-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-10 23:05]
.
2013-01-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1708537768-152049171-725345543-1004Core.job
- c:\documents and settings\Marc\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-08 02:27]
.
2013-01-19 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1708537768-152049171-725345543-1004UA.job
- c:\documents and settings\Marc\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-08 02:27]
.
2013-01-19 c:\windows\Tasks\Microsoft Antimalware Scheduled Scan.job
- c:\program files\Microsoft Security Client\MpCmdRun.exe [2012-09-13 00:25]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.0.1
.
- - - - ORPHANS REMOVED - - - -
.
SafeBoot-mcmscsvc
SafeBoot-MCODS
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2013-01-19 15:20
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_146_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_11_5_502_146_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(812)
c:\program files\Intel\Wireless\Bin\LgNotify.dll
.
- - - - - - - > 'explorer.exe'(3668)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Client\MsMpEng.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKeeper.exe
c:\windows\System32\wltrysvc.exe
c:\windows\System32\bcmwltry.exe
c:\program files\Java\jre7\bin\jqs.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Intel\Wireless\Bin\ZcfgSvc.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\WLTRAY.exe
c:\program files\Common Files\Java\Java Update\jucheck.exe
.
**************************************************************************
.
Completion time: 2013-01-19 15:30:18 - machine was rebooted
ComboFix-quarantined-files.txt 2013-01-19 23:30
.
Pre-Run: 50,766,786,560 bytes free
Post-Run: 51,835,555,840 bytes free
.
- - End Of File - - B054FB21DE9A5EA4DC99630E0F2584EF
helpintoledo
Regular Member
 
Posts: 52
Joined: February 24th, 2010, 9:39 pm
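
An autostart triage script for the "Reg Loading Points" section of the ComboFix log above. This is an added example, not part of the post and not code from ComboFix. ComboFix prints each Run-key value as `"Name"="Target" [YYYY-MM-DD size]`, or `[X]` when it could not find the target file, under a bracketed key header. The script keeps the current key as context, parses each value, and reports the three things a reviewer looks for first: a value whose target is missing (a stale entry, or a target ComboFix could not resolve; the `WLTRAY` entry above is written without an extension and the log later lists `WLTRAY.exe` running, so this is a lead to confirm on disk, not a verdict), a value that is a bare filename rather than an absolute path (which file runs then depends on search order at logon), and `EnableFirewall = 0` in the standard profile. The sample is constructed from lines in the log above.

```python
"""Autostart triage for a ComboFix "Reg Loading Points" dump (added example)."""
import re
from typing import Dict, List, Optional

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(
    r'^"(?P<name>[^"]+)"="(?P<target>[^"]*)" \[(?P<meta>X|\d{4}-\d{2}-\d{2} \d+)\]$')
FIREWALL_RE = re.compile(r'^"EnableFirewall"= (?P<val>\d+) \(0x[0-9a-fA-F]+\)$')
ABS_PATH_RE = re.compile(r"^[A-Za-z]:\\")

# Constructed sample: lines taken from the ComboFix log in the thread.
SAMPLE = r"""
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-03-10 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Dell Wireless Manager UI"="c:\windows\system32\WLTRAY" [X]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-09-13 947176]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"""


def parse_loading_points(text: str) -> List[Dict[str, object]]:
    """One record per autostart value: key, name, target, missing, file_date, size."""
    records: List[Dict[str, object]] = []
    key: Optional[str] = None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")  # context for the values that follow
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            meta = m.group("meta")
            missing = meta == "X"
            file_date, size = (None, None) if missing else meta.split(" ")
            records.append({
                "key": key, "name": m.group("name"), "target": m.group("target"),
                "missing": missing, "file_date": file_date,
                "size": None if missing else int(size),
            })
    return records


def firewall_enabled(text: str) -> Optional[bool]:
    """True/False from the standard-profile EnableFirewall line, None if absent."""
    for line in text.splitlines():
        m = FIREWALL_RE.match(line)
        if m:
            return m.group("val") != "0"
    return None


def findings(text: str) -> List[str]:
    """Human-readable leads; each one still has to be confirmed on the machine."""
    out: List[str] = []
    for r in parse_loading_points(text):
        where = f'{r["key"]}\\{r["name"]}'
        if r["missing"]:
            out.append(f"missing target: {where} -> {r['target']} "
                       "(stale value, or a target ComboFix could not resolve; check on disk)")
        elif not ABS_PATH_RE.match(str(r["target"])):
            out.append(f"relative target: {where} -> {r['target']} "
                       "(resolved by search order at logon)")
    if firewall_enabled(text) is False:
        out.append("EnableFirewall=0: Windows Firewall is off in the standard profile")
    return out


if __name__ == "__main__":
    for f in findings(SAMPLE):
        print(f)
```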

Re: Slow windows XP laptop with rootkit evidence

Unread postby deltalima » January 20th, 2013, 4:41 pm

Hi helpintoledo,

Please run a quick scan with Malwarebytes and post the log. Please let me know how the computer is running now.
deltalima
Admin/Teacher
 
Posts: 7614
Joined: February 28th, 2009, 4:38 pm
Location: UK

Re: Slow windows XP laptop with rootkit evidence

Unread postby helpintoledo » January 20th, 2013, 5:11 pm

So far everything, including the MBAM scan log, looks good. I will have Kelly resume use of her laptop and will advise later today. Thanks for everything!

Malwarebytes Anti-Malware 1.70.0.1100
www.malwarebytes.org

Database version: v2013.01.20.07

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Marc :: KELLYSPUTIE [administrator]

1/19/2013 3:54:46 PM
mbam-log-2013-01-19 (15-54-46).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 311831
Time elapsed: 10 minute(s), 54 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
helpintoledo
Regular Member
 
Posts: 52
Joined: February 24th, 2010, 9:39 pm