#1
Troy
    Tech Staff

  • Technician
  • 8,841 posts
Thanks rkinner. Current symptoms that still exist are no right-click functionality for users and blank desktops, even though the desktop profile folder lists everything they had just fine. Not sure exactly what you need, so I am putting up all the logs I have collected so far; it might help to give you an idea of what has happened up until now.

First up, TDSSKiller:
10:00:52.0415 2036 TDSS rootkit removing tool 2.7.24.0 Apr 2 2012 10:31:48
10:00:53.0383 2036 ============================================================
10:00:53.0383 2036 Current date / time: 2012/04/03 10:00:53.0383
10:00:53.0383 2036 SystemInfo:
10:00:53.0383 2036
10:00:53.0383 2036 OS Version: 5.2.3790 ServicePack: 2.0
10:00:53.0383 2036 Product type: Server
10:00:53.0383 2036 ComputerName: xxxxx
10:00:53.0383 2036 UserName: administrator
10:00:53.0383 2036 Windows directory: C:\WINDOWS
10:00:53.0383 2036 System windows directory: C:\WINDOWS
10:00:53.0383 2036 Processor architecture: Intel x86
10:00:53.0383 2036 Number of processors: 8
10:00:53.0383 2036 Page size: 0x1000
10:00:53.0383 2036 Boot type: Safe boot with network
10:00:53.0383 2036 ============================================================
10:00:54.0524 2036 Drive \Device\Harddisk0\DR0 - Size: 0x21FE400000 (135.97 Gb), SectorSize: 0x200, Cylinders: 0x4556, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000050
10:00:54.0540 2036 Drive \Device\Harddisk1\DR1 - Size: 0x459DC00000 (278.46 Gb), SectorSize: 0x200, Cylinders: 0x8DFF, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000050
10:00:54.0540 2036 Drive \Device\Harddisk2\DR4 - Size: 0x7470C05E00 (465.76 Gb), SectorSize: 0x200, Cylinders: 0xED81, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'W'
10:00:54.0555 2036 \Device\Harddisk0\DR0:
10:00:54.0555 2036 MBR used
10:00:54.0555 2036 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x10FEDAD6
10:00:54.0555 2036 \Device\Harddisk1\DR1:
10:00:54.0555 2036 MBR used
10:00:54.0555 2036 \Device\Harddisk2\DR4:
10:00:54.0555 2036 MBR used
10:00:54.0555 2036 \Device\Harddisk2\DR4\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x3A384C02
10:00:54.0571 2036 Initialize success
10:00:54.0571 2036 ============================================================
10:00:57.0165 1312 ============================================================
10:00:57.0165 1312 Scan started
10:00:57.0165 1312 Mode: Manual;
10:00:57.0165 1312 ============================================================
10:01:03.0227 1312 Abiosdsk - ok
10:01:03.0336 1312 ACPI - ok
10:01:03.0399 1312 ACPIEC - ok
10:01:03.0524 1312 adpu160m - ok
10:01:03.0649 1312 adpu320 - ok
10:01:03.0774 1312 AeLookupSvc (d01968edebf1dc11e4c93517c98cdf7c) C:\WINDOWS\System32\aelupsvc.dll
10:01:03.0774 1312 AeLookupSvc - ok
10:01:03.0883 1312 afcnt - ok
10:01:04.0008 1312 AFD (317e75d96065ac6af5ef8857ce2e399b) C:\WINDOWS\System32\drivers\afd.sys
10:01:04.0008 1312 AFD - ok
10:01:04.0133 1312 aic78u2 - ok
10:01:04.0180 1312 aic78xx - ok
10:01:04.0321 1312 Alerter (055318e373b45ad6c3f518732809ef4e) C:\WINDOWS\system32\alrsvc.dll
10:01:04.0321 1312 Alerter - ok
10:01:04.0430 1312 ALG (8e89cb0283d7ded092d76ae53d123c40) C:\WINDOWS\System32\alg.exe
10:01:04.0430 1312 ALG - ok
10:01:04.0555 1312 AliIde - ok
10:01:04.0680 1312 AmdIde (d175d3c400a412b9cb2095e452afbbb0) C:\WINDOWS\system32\drivers\AmdIde.sys
10:01:04.0680 1312 AmdIde - ok
10:01:04.0805 1312 Amsp (a119a4aeb0e23884c4a92be3f5f5ab12) C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe
10:01:04.0805 1312 Amsp - ok
10:01:04.0930 1312 AppMgmt (8a5ad4cfe2d84371abadfcf9e21954f6) C:\WINDOWS\System32\appmgmts.dll
10:01:04.0930 1312 AppMgmt - ok
10:01:05.0040 1312 arc (a9c7273645a06a01ac2ca070d7d7ec87) C:\WINDOWS\system32\drivers\arc.sys
10:01:05.0040 1312 arc - ok
10:01:05.0399 1312 aspnet_state (0e5e4957549056e2bf2c49f4f6b601ad) C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
10:01:05.0430 1312 aspnet_state - ok
10:01:05.0524 1312 AsyncMac (a35b971f631d4dfdeb68d71e770d2ce9) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
10:01:05.0524 1312 AsyncMac - ok
10:01:05.0649 1312 atapi (ff953a8f08ca3f822127654375786bbe) C:\WINDOWS\system32\DRIVERS\atapi.sys
10:01:05.0649 1312 atapi - ok
10:01:05.0758 1312 Atdisk - ok
10:01:05.0899 1312 Atmarpc (d12dad5032285343ce3aa4906f661181) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
10:01:05.0899 1312 Atmarpc - ok
10:01:06.0008 1312 AudioSrv (754a448d5b87cbede41a0f0e0b237b03) C:\WINDOWS\System32\audiosrv.dll
10:01:06.0008 1312 AudioSrv - ok
10:01:06.0133 1312 audstub (5bfd980c2107d88101d1dc14055526fc) C:\WINDOWS\system32\DRIVERS\audstub.sys
10:01:06.0133 1312 audstub - ok
10:01:06.0305 1312 Beep (99572503e15a3d10239b7b9887cbaf89) C:\WINDOWS\system32\drivers\Beep.sys
10:01:06.0321 1312 Beep - ok
10:01:06.0430 1312 BITS (9d7a318b2c7ae51e9d5374f8eede856c) C:\WINDOWS\system32\qmgr.dll
10:01:06.0446 1312 BITS - ok
10:01:06.0555 1312 Browser (f750a96d7478d435f5ac9ece6698f81e) C:\WINDOWS\System32\browser.dll
10:01:06.0555 1312 Browser - ok
10:01:06.0680 1312 cbidf2k (1342877de604a5a6bff986e288e3a8a7) C:\WINDOWS\system32\drivers\cbidf2k.sys
10:01:06.0680 1312 cbidf2k - ok
10:01:06.0790 1312 cd20xrnt - ok
10:01:06.0915 1312 Cdfs (e6d72780c957b69c48bfc66bc3ecdad4) C:\WINDOWS\system32\drivers\Cdfs.sys
10:01:06.0915 1312 Cdfs - ok
10:01:07.0040 1312 Cdrom (825aa877a852ecc731fa0c39c8c37744) C:\WINDOWS\system32\DRIVERS\cdrom.sys
10:01:07.0040 1312 Cdrom - ok
10:01:07.0149 1312 Changer - ok
10:01:07.0305 1312 CiSvc (934ee973e9ee6ac414e9a0f07ab73d6e) C:\WINDOWS\system32\cisvc.exe
10:01:07.0321 1312 CiSvc - ok
10:01:07.0430 1312 ClipSrv (e53196ba56081f154e2d7a9e50a1d33f) C:\WINDOWS\system32\clipsrv.exe
10:01:07.0430 1312 ClipSrv - ok
10:01:07.0555 1312 clr_optimization_v2.0.50727_32 (d87acaed61e417bba546ced5e7e36d9c) c:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
10:01:07.0633 1312 clr_optimization_v2.0.50727_32 - ok
10:01:07.0696 1312 ClusDisk (54308cdf97622fae1620bb1ec39ef014) C:\WINDOWS\system32\DRIVERS\ClusDisk.sys
10:01:07.0696 1312 ClusDisk - ok
10:01:07.0805 1312 CmdIde - ok
10:01:07.0930 1312 COMSysApp - ok
10:01:08.0180 1312 Cpqarray - ok
10:01:08.0290 1312 cpqarry2 - ok
10:01:08.0415 1312 cpqcissm - ok
10:01:08.0540 1312 cpqfcalm - ok
10:01:08.0665 1312 cpqftbl (f54ef6ecdc0feafb28451b1067ca5e9f) C:\DOCUME~1\ADMINI~1.ECO\LOCALS~1\Temp\{9C96D555-3303-4E28-BD50-7540BF1FF61E}\cpqftbl.sys
10:01:08.0665 1312 cpqftbl - ok
10:01:08.0805 1312 cpqsrhmo (e346559d69e9f621bfe0db87b4c0f38a) C:\hp\hpsmh\data\cgi-bin\vcrepository\cpqsrhmo.exe
10:01:08.0821 1312 cpqsrhmo - ok
10:01:08.0915 1312 cpqsysio (c2d9aaec3101826a37343d39422d6c53) C:\DOCUME~1\ADMINI~1.ECO\LOCALS~1\Temp\{9C96D555-3303-4E28-BD50-7540BF1FF61E}\cpqsysio.sys
10:01:08.0915 1312 cpqsysio - ok
10:01:09.0040 1312 CPQTeam (74eff53a61cbc78560bdde295bc2b9d8) C:\WINDOWS\system32\DRIVERS\cpqteam.sys
10:01:09.0040 1312 CPQTeam - ok
10:01:09.0165 1312 cpqvcagent (a2911c0f087b2252394a2abf3e38fe46) C:\hp\hpsmh\data\cgi-bin\vcagent\vcagent.exe
10:01:09.0180 1312 cpqvcagent - ok
10:01:09.0321 1312 crcdisk (0ee27d9dbb208c13314f3c60f66aed26) C:\WINDOWS\system32\DRIVERS\crcdisk.sys
10:01:09.0321 1312 crcdisk - ok
10:01:09.0915 1312 CryptSvc (feb85da744dd3f41a427cf6d2bc04fe4) C:\WINDOWS\System32\cryptsvc.dll
10:01:09.0915 1312 CryptSvc - ok
10:01:10.0040 1312 dac2w2k - ok
10:01:10.0149 1312 dac960nt - ok
10:01:10.0290 1312 DcomLaunch (305a8757d66b5d416b47c497c27a01fe) C:\WINDOWS\system32\rpcss.dll
10:01:10.0305 1312 DcomLaunch - ok
10:01:10.0399 1312 dellcerc - ok
10:01:10.0524 1312 Dfs (6217aa084ef7e052f3b5d7c3f67f68af) C:\WINDOWS\system32\Dfssvc.exe
10:01:10.0540 1312 Dfs - ok
10:01:10.0649 1312 DfsDriver (444726b01c31d29c70e60f7c35de43e5) C:\WINDOWS\system32\drivers\Dfs.sys
10:01:10.0649 1312 DfsDriver - ok
10:01:10.0774 1312 Dhcp (1201df9a11fbb0f69ebd22e503d3bc87) C:\WINDOWS\System32\dhcpcsvc.dll
10:01:10.0774 1312 Dhcp - ok
10:01:10.0883 1312 DhcpListenDriver - ok
10:01:11.0055 1312 DialComService (3ccf97a963fa6ea21c215744480bf349) C:\Program Files\DIAL GmbH\DIAL Communication Framework\DialComService.exe
10:01:11.0086 1312 DialComService - ok
10:01:11.0196 1312 Disk (bbd23b7414a3852ce0e9018d7c566ffa) C:\WINDOWS\system32\DRIVERS\disk.sys
10:01:11.0196 1312 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\disk.sys. Real md5: bbd23b7414a3852ce0e9018d7c566ffa, Fake md5: 98433302c02f1168efb7364f8111a179
10:01:11.0196 1312 Disk ( Rootkit.Win32.TDSS.tdl3 ) - infected
10:01:11.0196 1312 Disk - detected Rootkit.Win32.TDSS.tdl3 (0)
10:01:11.0305 1312 dmadmin - ok
10:01:11.0446 1312 dmboot (89fa376d83042f6f1aed505106a5719d) C:\WINDOWS\system32\drivers\dmboot.sys
10:01:11.0446 1312 dmboot - ok
10:01:11.0555 1312 dmio (15081421ee62dc1c95abb387d9081571) C:\WINDOWS\system32\drivers\dmio.sys
10:01:11.0555 1312 dmio - ok
10:01:11.0680 1312 dmload (3d9bfa13b6f1cd2d91c50c52b32e91a2) C:\WINDOWS\system32\drivers\dmload.sys
10:01:11.0680 1312 dmload - ok
10:01:11.0805 1312 dmserver (78a11666307820af94b5712d53decc55) C:\WINDOWS\System32\dmserver.dll
10:01:11.0805 1312 dmserver - ok
10:01:11.0915 1312 Dnscache (e927f3b46f85d934c8f420fe08593d1b) C:\WINDOWS\System32\dnsrslvr.dll
10:01:11.0915 1312 Dnscache - ok
10:01:12.0040 1312 dpti2o - ok
10:01:12.0227 1312 elxstor - ok
10:01:12.0415 1312 Eventlog (cf500580cdd83b145646a4dcfce1cf3c) C:\WINDOWS\system32\services.exe
10:01:12.0415 1312 Eventlog - ok
10:01:12.0586 1312 EventSystem (c17c56e91045e14df45d62dd89aed50c) C:\WINDOWS\system32\es.dll
10:01:12.0602 1312 EventSystem - ok
10:01:12.0821 1312 Fastfat (e792a18abdc32286212dce8e75baa124) C:\WINDOWS\system32\drivers\Fastfat.sys
10:01:12.0836 1312 Fastfat - ok
10:01:13.0071 1312 Fdc (5090cd3f6ab1d71ad507953cff556ea9) C:\WINDOWS\system32\DRIVERS\fdc.sys
10:01:13.0086 1312 Fdc - ok
10:01:13.0180 1312 Fips (b485ac2edc466c538bdff32bc3f2e506) C:\WINDOWS\system32\drivers\Fips.sys
10:01:13.0196 1312 Fips - ok
10:01:13.0305 1312 Flpydisk (c621a51f415419a3145a5939abde39fa) C:\WINDOWS\system32\drivers\Flpydisk.sys
10:01:13.0305 1312 Flpydisk - ok
10:01:13.0430 1312 FltMgr (f978277ef786532195cdd9f88e908632) C:\WINDOWS\system32\drivers\fltmgr.sys
10:01:13.0430 1312 FltMgr - ok
10:01:13.0555 1312 FontCache3.0.0.0 (8ba7c024070f2b7fdd98ed8a4ba41789) c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
10:01:13.0555 1312 FontCache3.0.0.0 - ok
10:01:13.0665 1312 Fs_Rec (aebff3d810b74971b91b2b77b289a98b) C:\WINDOWS\system32\drivers\Fs_Rec.sys
10:01:13.0665 1312 Fs_Rec - ok
10:01:13.0790 1312 Ftdisk (4c533b70afa917416aec57fcbeecb57d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
10:01:13.0790 1312 Ftdisk - ok
10:01:13.0915 1312 G200e (1014adf87245e19b6fca51af15b543ba) C:\WINDOWS\system32\DRIVERS\G200em.sys
10:01:13.0930 1312 G200e - ok
10:01:14.0024 1312 getPlusHelper - ok
10:01:14.0149 1312 Gpc (30b1653a955f548352024a5fee203cc3) C:\WINDOWS\system32\DRIVERS\msgpc.sys
10:01:14.0165 1312 Gpc - ok
10:01:14.0305 1312 helpsvc (40ca39dba80372ed8ec34c4bece68495) C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll
10:01:14.0305 1312 helpsvc - ok
10:01:14.0415 1312 HidServ (4828c4244081eb4132868ea3e93456bb) C:\WINDOWS\System32\hidserv.dll
10:01:14.0415 1312 HidServ - ok
10:01:14.0540 1312 hidusb (90a325e14f9b95f17712707b1a7181b5) C:\WINDOWS\system32\DRIVERS\hidusb.sys
10:01:14.0540 1312 hidusb - ok
10:01:14.0665 1312 HP Systems Insight Manager (f3aad3d681af9d210e58365466292db5) C:\PROGRA~1\HP\SYSTEM~1\lbin\hpsimsvc.exe
10:01:14.0665 1312 HP Systems Insight Manager - ok
10:01:14.0790 1312 hpcisss (8a445379d6e73731a6a37318dbb0c880) C:\WINDOWS\system32\drivers\hpcisss.sys
10:01:14.0790 1312 hpcisss - ok
10:01:14.0899 1312 hpn - ok
10:01:15.0024 1312 hpt3xx - ok
10:01:15.0149 1312 HTTP (7a5d176c4b43f0a47da4051c96c56439) C:\WINDOWS\system32\Drivers\HTTP.sys
10:01:15.0165 1312 HTTP - ok
10:01:15.0274 1312 HTTPFilter (d4b61a935670c57a0dea81b4f4a12169) C:\WINDOWS\system32\lsass.exe
10:01:15.0290 1312 HTTPFilter - ok
10:01:15.0383 1312 i2omgmt - ok
10:01:15.0508 1312 i2omp - ok
10:01:15.0571 1312 i8042prt (68e8ff9eeaf8b37a66cac2c57835ffbd) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
10:01:15.0571 1312 i8042prt - ok
10:01:15.0696 1312 IDriverT (6f95324909b502e2651442c1548ab12f) C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
10:01:15.0696 1312 IDriverT - ok
10:01:15.0821 1312 idsvc (c01ac32dc5c03076cfb852cb5da5229c) c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
10:01:15.0852 1312 idsvc - ok
10:01:15.0930 1312 iirsp - ok
10:01:16.0055 1312 IISADMIN (58ac18bc908a78fba5430d23066d183a) C:\WINDOWS\system32\inetsrv\inetinfo.exe
10:01:16.0071 1312 IISADMIN - ok
10:01:16.0180 1312 imapi (44c132b35921b54b4a9ac64369d86d83) C:\WINDOWS\system32\DRIVERS\imapi.sys
10:01:16.0180 1312 imapi - ok
10:01:16.0305 1312 ImapiService (5da3013244229422c9cbd91a16a477c4) C:\WINDOWS\system32\imapi.exe
10:01:16.0305 1312 ImapiService - ok
10:01:16.0602 1312 IntelIde - ok
10:01:16.0665 1312 Ip6Fw (d7e7e7898a05c53dd862b49828747c1e) C:\WINDOWS\system32\drivers\ip6fw.sys
10:01:16.0665 1312 Ip6Fw - ok
10:01:16.0790 1312 IpFilterDriver (5a41f207b7c39ee4918f7496a4f19b14) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
10:01:16.0790 1312 IpFilterDriver - ok
10:01:16.0899 1312 IpInIp - ok
10:01:16.0961 1312 IpNat (890e7a14a63aec2ea9257a79a88be784) C:\WINDOWS\system32\DRIVERS\ipnat.sys
10:01:16.0977 1312 IpNat - ok
10:01:17.0086 1312 IPSec (1a9aeac49683b32df55b7fb1516f3028) C:\WINDOWS\system32\DRIVERS\ipsec.sys
10:01:17.0086 1312 IPSec - ok
10:01:17.0196 1312 ipsraidn - ok
10:01:17.0336 1312 IRENUM (11407ee682a2d5b0248de8af0f1a6996) C:\WINDOWS\system32\DRIVERS\irenum.sys
10:01:17.0336 1312 IRENUM - ok
10:01:17.0508 1312 isapnp (b71ba04a3b5d4404225ccdbf1969078f) C:\WINDOWS\system32\DRIVERS\isapnp.sys
10:01:17.0508 1312 isapnp - ok
10:01:17.0633 1312 IsmServ (1b1a2084540cc1f2e9a297a263d69d23) C:\WINDOWS\System32\ismserv.exe
10:01:17.0633 1312 IsmServ - ok
10:01:17.0758 1312 JavaQuickStarterService (a1509ba3a5fdc5366146e92b3d130eb5) C:\Program Files\Java\jre7\bin\jqs.exe
10:01:17.0758 1312 JavaQuickStarterService - ok
10:01:17.0868 1312 Kbdclass (e5097a07e14f36abc21fa18d88f93655) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
10:01:17.0883 1312 Kbdclass - ok
10:01:17.0993 1312 kbdhid (665f2ae9286dbb05b045ccc02f7bc2f8) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
10:01:17.0993 1312 kbdhid - ok
10:01:18.0118 1312 kdc (d4b61a935670c57a0dea81b4f4a12169) C:\WINDOWS\System32\lsass.exe
10:01:18.0118 1312 kdc - ok
10:01:18.0243 1312 KSecDD (2e47d8ffe0965d166f962a45302c7edd) C:\WINDOWS\system32\drivers\KSecDD.sys
10:01:18.0243 1312 KSecDD - ok
10:01:18.0321 1312 lanmanserver (dfc5b13f931461acc025d76d39afec0d) C:\WINDOWS\System32\srvsvc.dll
10:01:18.0321 1312 lanmanserver - ok
10:01:18.0446 1312 lanmanworkstation (5e8a9c4673b194dd1181b3f003d4f996) C:\WINDOWS\System32\wkssvc.dll
10:01:18.0446 1312 lanmanworkstation - ok
10:01:18.0680 1312 LicenseService (647945b72994e7b4a07f6da10f1dcd79) C:\WINDOWS\System32\llssrv.exe
10:01:18.0680 1312 LicenseService - ok
10:01:18.0805 1312 LmHosts (1916d44188853a53db93aecc6e6197d0) C:\WINDOWS\System32\lmhsvc.dll
10:01:18.0805 1312 LmHosts - ok
10:01:18.0915 1312 lp6nds35 - ok
10:01:19.0040 1312 lsi_sas (6b594eb941baa898874b4f43afd296ec) C:\WINDOWS\system32\drivers\lsi_sas.sys
10:01:19.0040 1312 lsi_sas - ok
10:01:19.0165 1312 MBAMSwissArmy (0905dc0814d738cff53577a59ccd81e0) C:\WINDOWS\system32\drivers\mbamswissarmy.sys
10:01:19.0165 1312 MBAMSwissArmy - ok
10:01:19.0290 1312 MDM (7cf1b716372b89568ae4c0fe769f5869) C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
10:01:19.0290 1312 MDM - ok
10:01:19.0415 1312 MegaMonitorSrv (52cdb0d804111b46c7e6777697e344c9) C:\Program Files\MegaRAID Storage Manager\MegaMonitor\mrmonitor.exe
10:01:19.0430 1312 MegaMonitorSrv - ok
10:01:19.0524 1312 Messenger (7ce5ba9dd4beafa48dd099564046c6de) C:\WINDOWS\System32\msgsvc.dll
10:01:19.0524 1312 Messenger - ok
10:01:19.0649 1312 mnmdd (c35bb38904d843c0465858195b30dab7) C:\WINDOWS\system32\drivers\mnmdd.sys
10:01:19.0649 1312 mnmdd - ok
10:01:19.0774 1312 mnmsrvc (e2d859fa2e90fd1f12ca0806df8a4b3e) C:\WINDOWS\system32\mnmsrvc.exe
10:01:19.0774 1312 mnmsrvc - ok
10:01:19.0899 1312 Modem (81ec1c6d3798b36a92a6d7a355ba2c62) C:\WINDOWS\system32\drivers\Modem.sys
10:01:19.0899 1312 Modem - ok
10:01:20.0008 1312 Mouclass (aa50da5ab638ce0bab5f7d5d633110c2) C:\WINDOWS\system32\DRIVERS\mouclass.sys
10:01:20.0024 1312 Mouclass - ok
10:01:20.0133 1312 mouhid (6824b20127716121b53a2ec2bd6739b7) C:\WINDOWS\system32\DRIVERS\mouhid.sys
10:01:20.0133 1312 mouhid - ok
10:01:20.0274 1312 MountMgr (fc43a7a34309c750b9daeadf2f6ec9b9) C:\WINDOWS\system32\drivers\MountMgr.sys
10:01:20.0274 1312 MountMgr - ok
10:01:20.0383 1312 mraid35x - ok
10:01:20.0508 1312 MRxDAV (ab6db63a1791f8e86b085291686464fd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
10:01:20.0524 1312 MRxDAV - ok
10:01:20.0649 1312 MRxSmb (16936142fa1d989cf63fd22c8b9d4a6d) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
10:01:20.0680 1312 MRxSmb - ok
10:01:20.0758 1312 MSDTC (2eaa1763a77be385b9a71a843c7f159e) C:\WINDOWS\system32\msdtc.exe
10:01:20.0758 1312 MSDTC - ok
10:01:20.0993 1312 Msfs (8f50b87361585763841c6b603d23260c) C:\WINDOWS\system32\drivers\Msfs.sys
10:01:20.0993 1312 Msfs - ok
10:01:21.0118 1312 msftesql (f7e0900f9a8e3f71f2c16a932f0e03e0) C:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\msftesql.exe
10:01:21.0149 1312 msftesql - ok
10:01:21.0352 1312 MSIServer - ok
10:01:21.0477 1312 MSMFramework (a8bba3aa1d11102ffec5072d8afdb7b3) C:\Program Files\MegaRAID Storage Manager\Framework\VivaldiFramework.exe
10:01:21.0477 1312 MSMFramework - ok
10:01:21.0727 1312 mssmbios (92afab2f216ce8ffbad3bc510fcf4a33) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
10:01:21.0727 1312 mssmbios - ok
10:01:21.0836 1312 MSSQL$SQLEXPRESS - ok
10:01:21.0961 1312 MSSQLSERVER - ok
10:01:22.0086 1312 MSSQLServerADHelper (c06ea83f6fc2959e897c117255b6b1d5) c:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe
10:01:22.0102 1312 MSSQLServerADHelper - ok
10:01:22.0227 1312 MSSQLServerADHelper100 (f1761c8fb2b25a32c6d63e36bb88c3ae) C:\Program Files\Microsoft SQL Server\100\Shared\SQLADHLP.EXE
10:01:22.0243 1312 MSSQLServerADHelper100 - ok
10:01:22.0352 1312 Mup (834560abee4eae62620f4026263aa051) C:\WINDOWS\system32\drivers\Mup.sys
10:01:22.0352 1312 Mup - ok
10:01:22.0461 1312 NDIS (33739ab31d36184772af1ee132d5c2e2) C:\WINDOWS\system32\drivers\NDIS.sys
10:01:22.0461 1312 NDIS - ok
10:01:22.0586 1312 NdisTapi (888b08f81b7d8428a37439d15c27f419) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
10:01:22.0586 1312 NdisTapi - ok
10:01:22.0696 1312 Ndisuio (8b8e682b03483092e17ab9dfe70fedff) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
10:01:22.0711 1312 Ndisuio - ok
10:01:22.0821 1312 NdisWan (1b397eef4614419be5679e0209f7848b) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
10:01:22.0836 1312 NdisWan - ok
10:01:22.0946 1312 NDProxy (5298ed90bbe5c5eeedc363eed2888a25) C:\WINDOWS\system32\drivers\NDProxy.sys
10:01:22.0946 1312 NDProxy - ok
10:01:23.0071 1312 NetBIOS (a0d5d6ae530ca78a062fc0471f1e6f78) C:\WINDOWS\system32\DRIVERS\netbios.sys
10:01:23.0071 1312 NetBIOS - ok
10:01:23.0196 1312 NetBT (5cd7cca08498ec8753b22e92d367ca11) C:\WINDOWS\system32\DRIVERS\netbt.sys
10:01:23.0196 1312 NetBT - ok
10:01:23.0368 1312 NetDDE (13d9a8b63a2a99a88339c0e00b702c92) C:\WINDOWS\system32\netdde.exe
10:01:23.0368 1312 NetDDE - ok
10:01:23.0477 1312 NetDDEdsdm (13d9a8b63a2a99a88339c0e00b702c92) C:\WINDOWS\system32\netdde.exe
10:01:23.0477 1312 NetDDEdsdm - ok
10:01:23.0602 1312 Netlogon (d4b61a935670c57a0dea81b4f4a12169) C:\WINDOWS\system32\lsass.exe
10:01:23.0602 1312 Netlogon - ok
10:01:23.0727 1312 Netman (12bcfb57162ad17cea545e362cd886a8) C:\WINDOWS\System32\netman.dll
10:01:23.0727 1312 Netman - ok
10:01:23.0852 1312 NetTcpPortSharing (d34612c5d02d026535b3095d620626ae) c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
10:01:23.0852 1312 NetTcpPortSharing - ok
10:01:23.0961 1312 nfrd960 - ok
10:01:24.0086 1312 Nla (9c0bf64484e9d297cb3e96dc22765a82) C:\WINDOWS\System32\mswsock.dll
10:01:24.0102 1312 Nla - ok
10:01:24.0274 1312 npdrv (f35135cc422683f3e6dfb2a0600f6fe6) C:\WINDOWS\system32\drivers\npdrv.sys
10:01:24.0290 1312 npdrv - ok
10:01:24.0399 1312 Npfs (d5bb605f6dcbdfe0129670c8de57913e) C:\WINDOWS\system32\drivers\Npfs.sys
10:01:24.0399 1312 Npfs - ok
10:01:24.0524 1312 NtFrs (981756f0532439aa3a1a4ae9da9f930e) C:\WINDOWS\system32\ntfrs.exe
10:01:24.0540 1312 NtFrs - ok
10:01:24.0649 1312 Ntfs (482ea51aadb8763a0f67588c394ec693) C:\WINDOWS\system32\drivers\Ntfs.sys
10:01:24.0665 1312 Ntfs - ok
10:01:24.0758 1312 NtLmSsp (d4b61a935670c57a0dea81b4f4a12169) C:\WINDOWS\system32\lsass.exe
10:01:24.0758 1312 NtLmSsp - ok
10:01:24.0883 1312 NtmsSvc (fea5225ef80d5930b86d7a6570bcbbdf) C:\WINDOWS\system32\ntmssvc.dll
10:01:24.0899 1312 NtmsSvc - ok
10:01:24.0993 1312 Null (5db0ede7aaf3a7bc9110d18c12524be0) C:\WINDOWS\system32\drivers\Null.sys
10:01:24.0993 1312 Null - ok
10:01:25.0211 1312 nv (83780f3a86d2804912f22f6e37cd2254) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
10:01:25.0321 1312 nv - ok
10:01:25.0383 1312 NVSvc (42321ac5448078131903b272e6c49024) C:\WINDOWS\system32\nvsvc32.exe
10:01:25.0399 1312 NVSvc - ok
10:01:25.0508 1312 odserv (785f487a64950f3cb8e9f16253ba3b7b) C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE
10:01:25.0540 1312 odserv - ok
10:01:25.0633 1312 OpenSSHd (a61d617f37456d9d32f98bf70eb5d414) C:\Program Files\OpenSSH\bin\cygrunsrv.exe
10:01:25.0633 1312 OpenSSHd - ok
10:01:25.0758 1312 ose (5a432a042dae460abe7199b758e8606c) C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
10:01:25.0774 1312 ose - ok
10:01:25.0930 1312 Parport (ee3333b36deb86a0d472f037172da10a) C:\WINDOWS\system32\drivers\Parport.sys
10:01:25.0930 1312 Parport - ok
10:01:26.0055 1312 PartMgr (4eb6f7418959444a06d3c51eb81bff04) C:\WINDOWS\system32\drivers\PartMgr.sys
10:01:26.0055 1312 PartMgr - ok
10:01:26.0180 1312 PCI (8217000e5c53ce823b3111f339e47c41) C:\WINDOWS\system32\DRIVERS\pci.sys
10:01:26.0180 1312 PCI - ok
10:01:26.0336 1312 PCIIde (7e3fb50aa22d4ed883c6abdd40e9c60b) C:\WINDOWS\system32\DRIVERS\pciide.sys
10:01:26.0336 1312 PCIIde - ok
10:01:26.0461 1312 Pcmcia (fc9f4c9c73e9698357c836be4628a299) C:\WINDOWS\system32\drivers\Pcmcia.sys
10:01:26.0461 1312 Pcmcia - ok
10:01:26.0586 1312 PDCOMP - ok
10:01:26.0696 1312 PDFRAME - ok
10:01:26.0821 1312 PDRELI - ok
10:01:26.0946 1312 PDRFRAME - ok
10:01:27.0071 1312 perc2 - ok
10:01:27.0118 1312 perc2hib - ok
10:01:27.0493 1312 PlugPlay (cf500580cdd83b145646a4dcfce1cf3c) C:\WINDOWS\system32\services.exe
10:01:27.0508 1312 PlugPlay - ok
10:01:27.0618 1312 PolicyAgent (d4b61a935670c57a0dea81b4f4a12169) C:\WINDOWS\system32\lsass.exe
10:01:27.0618 1312 PolicyAgent - ok
10:01:27.0743 1312 PptpMiniport (4454f2639bcca93be86a45137e427277) C:\WINDOWS\system32\DRIVERS\raspptp.sys
10:01:27.0743 1312 PptpMiniport - ok
10:01:27.0852 1312 ProtectedStorage (d4b61a935670c57a0dea81b4f4a12169) C:\WINDOWS\system32\lsass.exe
10:01:27.0852 1312 ProtectedStorage - ok
10:01:27.0977 1312 Ptilink (0320fd91fb5ed4298355977cecfc0eb4) C:\WINDOWS\system32\DRIVERS\ptilink.sys
10:01:27.0977 1312 Ptilink - ok
10:01:28.0102 1312 q57w2k (f10d8d61a60c0a8a38bcaf88b7d75c34) C:\WINDOWS\system32\DRIVERS\b57xp32.sys
10:01:28.0118 1312 q57w2k - ok
10:01:28.0227 1312 QBCFMonitorService (296c2565b69b1d933e65807c0155350c) C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
10:01:28.0243 1312 QBCFMonitorService - ok
10:01:28.0352 1312 QBFCService (77aea3f9383a2690a44ae5496fd0631c) C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
10:01:28.0352 1312 QBFCService - ok
10:01:28.0461 1312 ql1080 - ok
10:01:28.0586 1312 Ql10wnt - ok
10:01:28.0696 1312 ql12160 - ok
10:01:28.0821 1312 ql1240 - ok
10:01:28.0946 1312 ql1280 - ok
10:01:29.0071 1312 ql2100 - ok
10:01:29.0180 1312 ql2200 - ok
10:01:29.0368 1312 ql2300 - ok
10:01:29.0493 1312 QuickBooksDB17 - ok
10:01:29.0618 1312 QuickBooksDB18 - ok
10:01:29.0758 1312 QuickBooksDB19 - ok
10:01:29.0946 1312 QuickBooksDB20 - ok
10:01:30.0165 1312 RasAcd (48ee7b6802c0306f9a66f34db7e9ef75) C:\WINDOWS\system32\DRIVERS\rasacd.sys
10:01:30.0180 1312 RasAcd - ok
10:01:30.0383 1312 RasAuto (ed67fa5dc9ce0bfc5ccce4296c684a57) C:\WINDOWS\System32\rasauto.dll
10:01:30.0399 1312 RasAuto - ok
10:01:30.0633 1312 Rasl2tp (3633175613e052ecb41776dee2777a89) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
10:01:30.0633 1312 Rasl2tp - ok
10:01:30.0821 1312 RasMan (02bc610cc90ca5415eb2c9409e77d583) C:\WINDOWS\System32\rasmans.dll
10:01:30.0836 1312 RasMan - ok
10:01:31.0040 1312 RasPppoe (59842f0a22216a71cade6f89fe84c973) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
10:01:31.0040 1312 RasPppoe - ok
10:01:31.0196 1312 Raspti (5b11871de804d3ed28bbdcc65fe14ede) C:\WINDOWS\system32\DRIVERS\raspti.sys
10:01:31.0196 1312 Raspti - ok
10:01:31.0321 1312 Rdbss (4496b15c44ccb703fbc54f2cf5b67f15) C:\WINDOWS\system32\DRIVERS\rdbss.sys
10:01:31.0321 1312 Rdbss - ok
10:01:31.0446 1312 RDPCDD (ac5bb528ecd2bea4ff4bff9df9baf749) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
10:01:31.0446 1312 RDPCDD - ok
10:01:31.0618 1312 rdpdr (ff678596b761e1ccba79f49981ef51bc) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
10:01:31.0633 1312 rdpdr - ok
10:01:31.0805 1312 RDPWD (4e2e9b17a618433d68697a3c6d8ddd6e) C:\WINDOWS\system32\drivers\RDPWD.sys
10:01:31.0805 1312 RDPWD - ok
10:01:31.0930 1312 RDSessMgr (81f1cf0ed96e58a391ff83f792c87f3e) C:\WINDOWS\system32\sessmgr.exe
10:01:31.0930 1312 RDSessMgr - ok
10:01:32.0040 1312 redbook (c6f8751f3263603935866e71629cfae4) C:\WINDOWS\system32\DRIVERS\redbook.sys
10:01:32.0055 1312 redbook - ok
10:01:32.0165 1312 RemoteAccess (d8f172c1ca72666d8193e226da7225f4) C:\WINDOWS\System32\mprdim.dll
10:01:32.0165 1312 RemoteAccess - ok
10:01:32.0290 1312 RemoteRegistry (55efa91d1c0de44c22d2d83413b06510) C:\WINDOWS\system32\regsvc.dll
10:01:32.0290 1312 RemoteRegistry - ok
10:01:32.0415 1312 ReportServer (d13465b5bbb9110c8a0a873ddc09fb8c) C:\Program Files\Microsoft SQL Server\MSSQL.3\Reporting Services\ReportServer\bin\ReportingServicesService.exe
10:01:32.0430 1312 ReportServer - ok
10:01:32.0540 1312 RpcLocator (a83414d7a45555274e99793aa22d54ab) C:\WINDOWS\system32\locator.exe
10:01:32.0540 1312 RpcLocator - ok
10:01:32.0665 1312 RpcSs (305a8757d66b5d416b47c497c27a01fe) C:\WINDOWS\system32\rpcss.dll
10:01:32.0665 1312 RpcSs - ok
10:01:32.0774 1312 RsFx0102 (fedd2710b75be3ecf078adace790c423) C:\WINDOWS\system32\DRIVERS\RsFx0102.sys
10:01:32.0774 1312 RsFx0102 - ok
10:01:32.0899 1312 RSoPProv (3357c6edd71e73110c83f54e35ecde4d) C:\WINDOWS\system32\RSoPProv.exe
10:01:32.0899 1312 RSoPProv - ok
10:01:33.0008 1312 sacdrv (34d79729d6e4d1289e08322405045085) C:\WINDOWS\system32\drivers\sacdrv.sys
10:01:33.0024 1312 sacdrv - ok
10:01:33.0133 1312 sacsvr (77919394900dec12c8e65cb35d6272fe) C:\WINDOWS\system32\sacsvr.dll
10:01:33.0133 1312 sacsvr - ok
10:01:33.0258 1312 SamSs (d4b61a935670c57a0dea81b4f4a12169) C:\WINDOWS\system32\lsass.exe
10:01:33.0321 1312 SamSs - ok
10:01:33.0446 1312 SCardSvr (edf6b1852a55581ecc6ba18b4e2c6e8e) C:\WINDOWS\System32\SCardSvr.exe
10:01:33.0446 1312 SCardSvr - ok
10:01:33.0571 1312 Schedule (7e60f04ae424401a14d153ca6e851a85) C:\WINDOWS\system32\schedsvc.dll
10:01:33.0571 1312 Schedule - ok
10:01:33.0743 1312 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
10:01:33.0743 1312 Secdrv - ok
10:01:33.0868 1312 seclogon (03911d9a5d15a80301e767f787c0b015) C:\WINDOWS\System32\seclogon.dll
10:01:33.0868 1312 seclogon - ok
10:01:33.0993 1312 SENS (97b6172283112af7451e4abe83dd6f24) C:\WINDOWS\system32\sens.dll
10:01:33.0993 1312 SENS - ok
10:01:34.0102 1312 serenum (b261d4597bf9a2723b7020207260c72a) C:\WINDOWS\system32\DRIVERS\serenum.sys
10:01:34.0102 1312 serenum - ok
10:01:34.0227 1312 Serial (95768fde08dd34089aa90dccb5537704) C:\WINDOWS\system32\DRIVERS\serial.sys
10:01:34.0258 1312 Serial - ok
10:01:34.0540 1312 Sfloppy (831826dc54fa225f0b654ef2f1e13af9) C:\WINDOWS\system32\drivers\Sfloppy.sys
10:01:34.0540 1312 Sfloppy - ok
10:01:34.0665 1312 SharedAccess (27c6b8c2afed21c10429a56db95735f6) C:\WINDOWS\system32\ipnathlp.dll
10:01:34.0665 1312 SharedAccess - ok
10:01:34.0790 1312 ShellHWDetection (0af6401bdbd41a8b7aed5c923b8fdf4d) C:\WINDOWS\System32\shsvcs.dll
10:01:34.0790 1312 ShellHWDetection - ok
10:01:34.0899 1312 Simbad - ok
10:01:35.0086 1312 SNMP (e649d2345614e56249ce3f0b64849547) C:\WINDOWS\System32\snmp.exe
10:01:35.0086 1312 SNMP - ok
10:01:35.0211 1312 SNMPTRAP (b2a7b19f00d6dd8671ff5edc142c151b) C:\WINDOWS\System32\snmptrap.exe
10:01:35.0211 1312 SNMPTRAP - ok
10:01:35.0336 1312 Spooler (30b32e3127d9bbaa1e32394134718070) C:\WINDOWS\system32\spoolsv.exe
10:01:35.0336 1312 Spooler - ok
10:01:35.0461 1312 SQLAgent$SQLEXPRESS (eb2fd937449b7aceb39372f875eb8e78) C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE
10:01:35.0461 1312 SQLAgent$SQLEXPRESS - ok
10:01:35.0571 1312 SQLBrowser (99de6acfa5ca83fad6a765c81c6f129f) c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
10:01:35.0586 1312 SQLBrowser - ok
10:01:35.0696 1312 SQLSERVERAGENT (a2b96e2e86e11f9aabf69fb199c28966) C:\Program Files\Microsoft SQL Server\MSSQL.2\MSSQL\Binn\SQLAGENT90.EXE
10:01:35.0711 1312 SQLSERVERAGENT - ok
10:01:35.0821 1312 SQLWriter (637a0f23f9012358e92e6f99835494d1) c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
10:01:35.0821 1312 SQLWriter - ok
10:01:35.0930 1312 Srv (e8b1a07774a9e4fec3105cbad49bf289) C:\WINDOWS\system32\DRIVERS\srv.sys
10:01:35.0946 1312 Srv - ok
10:01:36.0055 1312 startdss - ok
10:01:36.0118 1312 stisvc (0df3c24094f68a5e5fa77a681e438a46) C:\WINDOWS\system32\wiaservc.dll
10:01:36.0133 1312 stisvc - ok
10:01:36.0243 1312 swenum (93965919785102ba847545ab460ce2df) C:\WINDOWS\system32\DRIVERS\swenum.sys
10:01:36.0243 1312 swenum - ok
10:01:36.0383 1312 swprv (0ba2f4d23d62f7475a70d1988142d6bd) C:\WINDOWS\System32\swprv.dll
10:01:36.0383 1312 swprv - ok
10:01:36.0493 1312 symc810 - ok
10:01:36.0618 1312 symc8xx - ok
10:01:36.0727 1312 symmpi - ok
10:01:36.0852 1312 sym_hi - ok
10:01:36.0977 1312 sym_u3 - ok
10:01:37.0118 1312 SysMgmtHp (e9a79164342b6e25d4717134b227bc23) C:\hp\hpsmh\bin\smhstart.exe
10:01:37.0165 1312 SysMgmtHp - ok
10:01:37.0258 1312 SysmonLog (cc8610d2ffaff19d5c9cf8ce9ffad71a) C:\WINDOWS\system32\smlogsvc.exe
10:01:37.0274 1312 SysmonLog - ok
10:01:37.0352 1312 TapiSrv (ce1fcaf92f06bb8549c9e1b8605b90cc) C:\WINDOWS\System32\tapisrv.dll
10:01:37.0368 1312 TapiSrv - ok
10:01:37.0477 1312 Tcpip (238dc2b879d1b37b91f8d5d44f3815d3) C:\WINDOWS\system32\DRIVERS\tcpip.sys
10:01:37.0477 1312 Tcpip - ok
10:01:37.0586 1312 TDPIPE (45d49fb800463de84d1cc2e231319ad5) C:\WINDOWS\system32\drivers\TDPIPE.sys
10:01:37.0586 1312 TDPIPE - ok
10:01:37.0711 1312 TDTCP (d7c31008de209b8b11ced207580e9c91) C:\WINDOWS\system32\drivers\TDTCP.sys
10:01:37.0711 1312 TDTCP - ok
10:01:37.0836 1312 TermDD (a01e46fff445a38d35db188c5458582c) C:\WINDOWS\system32\DRIVERS\termdd.sys
10:01:37.0836 1312 TermDD - ok
10:01:37.0961 1312 TermService (5f0bd29cbd95465a3aa3ca319bc591a9) C:\WINDOWS\System32\termsrv.dll
10:01:37.0961 1312 TermService - ok
10:01:38.0086 1312 TermServLicensing (bc18bee62e7aec10b33c149ca3b64eae) C:\WINDOWS\system32\lserver.exe
10:01:38.0086 1312 TermServLicensing - ok
10:01:38.0196 1312 Themes (0af6401bdbd41a8b7aed5c923b8fdf4d) C:\WINDOWS\System32\shsvcs.dll
10:01:38.0196 1312 Themes - ok
10:01:38.0336 1312 TlntSvr (fe7ff05a90c1a24855b1cdc066b959e0) C:\WINDOWS\system32\tlntsvr.exe
10:01:38.0336 1312 TlntSvr - ok
10:01:38.0461 1312 tmactmon (7131c804d8847b695125bb8d91d64ee0) C:\WINDOWS\system32\DRIVERS\tmactmon.sys
10:01:38.0461 1312 tmactmon - ok
10:01:38.0586 1312 tmcfw (0be90f3fc8ed04554fa3c391ab22f222) C:\WINDOWS\system32\DRIVERS\TM_CFW.sys
10:01:38.0586 1312 tmcfw - ok
10:01:38.0696 1312 tmcomm (09f386a6ec8d6c37bfa0d5394cb186c1) C:\WINDOWS\system32\DRIVERS\tmcomm.sys
10:01:38.0696 1312 tmcomm - ok
10:01:38.0821 1312 tmevtmgr (c75310cbd1bccf3469c834143bc2390c) C:\WINDOWS\system32\DRIVERS\tmevtmgr.sys
10:01:38.0821 1312 tmevtmgr - ok
10:01:38.0946 1312 TmListen (dcd55afb49710a8ccc8183c6ae5e02f4) C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe
10:01:38.0961 1312 TmListen - ok
10:01:39.0055 1312 tmtdi (69bf24e2871088115f422d6c7f41c400) C:\WINDOWS\system32\DRIVERS\tmtdi.sys
10:01:39.0055 1312 tmtdi - ok
10:01:39.0180 1312 TosIde - ok
10:01:39.0383 1312 TrkSvr (2ee42aced5fd4e1988116edeced90e93) C:\WINDOWS\system32\trksvr.dll
10:01:39.0383 1312 TrkSvr - ok
10:01:39.0493 1312 TrkWks (671fc35e995ffdbced00202771c6d169) C:\WINDOWS\system32\trkwks.dll
10:01:39.0493 1312 TrkWks - ok
10:01:39.0680 1312 Tssdis (43992245309838eacd05506b474985e5) C:\WINDOWS\System32\tssdis.exe
10:01:39.0680 1312 Tssdis - ok
10:01:39.0805 1312 Udfs (c26024265a7523312a5d06fc33aa57aa) C:\WINDOWS\system32\drivers\Udfs.sys
10:01:39.0805 1312 Udfs - ok
10:01:39.0915 1312 ultra - ok
10:01:40.0040 1312 UMWdf (997fe835c85d0fb0501df6664d6fd072) C:\WINDOWS\system32\wdfmgr.exe
10:01:40.0040 1312 UMWdf - ok
10:01:40.0165 1312 Update (b0e133858e63940755b496761834f334) C:\WINDOWS\system32\DRIVERS\update.sys
10:01:40.0180 1312 Update - ok
10:01:40.0290 1312 UPS (92c3a632e963a8224fe62aa37c9508f6) C:\WINDOWS\System32\ups.exe
10:01:40.0290 1312 UPS - ok
10:01:40.0399 1312 usbccgp (185959a7fccfd38aa71a274ae6252b88) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
10:01:40.0415 1312 usbccgp - ok
10:01:40.0540 1312 USBDLM (eb52059f51189e99174040f6318236f8) C:\Program Files\USBDLM\USBDLM.exe
10:01:40.0540 1312 USBDLM - ok
10:01:40.0649 1312 usbehci (9dd4aba9462938734bcbf51d8669c884) C:\WINDOWS\system32\DRIVERS\usbehci.sys
10:01:40.0649 1312 usbehci - ok
10:01:40.0774 1312 usbhub (17859937740bc0d422fe71a588d6ddf7) C:\WINDOWS\system32\DRIVERS\usbhub.sys
10:01:40.0790 1312 usbhub - ok
10:01:40.0883 1312 usbstor (d0740ff9f7e819486e88096826b4dc37) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
10:01:40.0883 1312 usbstor - ok
10:01:41.0008 1312 usbuhci (cbd3053337bb475f442a892edf671312) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
10:01:41.0008 1312 usbuhci - ok
10:01:41.0133 1312 vds (5ce9331dc4c9e3b1fa4aaef1b212701f) C:\WINDOWS\System32\vds.exe
10:01:41.0149 1312 vds - ok
10:01:41.0258 1312 vga (2eb062b434792bb6bb614f107dd3a5cf) C:\WINDOWS\system32\DRIVERS\vgapnp.sys
10:01:41.0258 1312 vga - ok
10:01:41.0368 1312 VgaSave (062fbc10147fd837d819f94aa394e661) C:\WINDOWS\System32\drivers\vga.sys
10:01:41.0383 1312 VgaSave - ok
10:01:41.0493 1312 ViaIde - ok
10:01:41.0618 1312 VolSnap (45ae67c387a640ec6e228f30d421f088) C:\WINDOWS\system32\DRIVERS\volsnap.sys
10:01:41.0618 1312 VolSnap - ok
10:01:41.0758 1312 VSS (74a6820792e5bca5ee4d0cc4595c6916) C:\WINDOWS\System32\vssvc.exe
10:01:41.0774 1312 VSS - ok
10:01:41.0868 1312 W32Time (42cdae64da5beabb51c0c0f613658545) C:\WINDOWS\system32\w32time.dll
10:01:41.0868 1312 W32Time - ok
10:01:41.0977 1312 W3SVC (db0e023ee673896ad1780acad3bab393) C:\WINDOWS\system32\inetsrv\iisw3adm.dll
10:01:41.0993 1312 W3SVC - ok
10:01:42.0102 1312 Wanarp (ce030b1d05a01fa012d32f2d25676b1c) C:\WINDOWS\system32\DRIVERS\wanarp.sys
10:01:42.0102 1312 Wanarp - ok
10:01:42.0227 1312 WbemConsumer (c009c54547b2786773da6a369ede1099) C:\Program Files\The Open Group\WMI Mapper\bin\WbemCons.exe
10:01:42.0243 1312 WbemConsumer - ok
10:01:42.0336 1312 WDICA - ok
10:01:42.0461 1312 WebClient (6f66e66ab1c25c0bd363f2252db04360) C:\WINDOWS\System32\webclnt.dll
10:01:42.0477 1312 WebClient - ok
10:01:42.0649 1312 WinHttpAutoProxySvc - ok
10:01:42.0774 1312 winmgmt (f8d5b9c1a26c933b9ea7740bab35bcf5) C:\WINDOWS\system32\wbem\WMIsvc.dll
10:01:42.0774 1312 winmgmt - ok
10:01:43.0071 1312 WLBS (d346e2f289f23e557ddfb9132d1dab35) C:\WINDOWS\system32\DRIVERS\wlbs.sys
10:01:43.0071 1312 WLBS - ok
10:01:43.0196 1312 WmdmPmSN (4d32f7bdbf325792ae28d5380ddf6bcf) C:\WINDOWS\system32\mspmsnsv.dll
10:01:43.0196 1312 WmdmPmSN - ok
10:01:43.0321 1312 Wmi (2085b957fb56927a8f3768de740612c4) C:\WINDOWS\System32\advapi32.dll
10:01:43.0336 1312 Wmi - ok
10:01:43.0446 1312 WMI Mapper (44791f9ab35dfcabd569520c6be4426f) C:\Program Files\The Open Group\WMI Mapper\bin\WMIServer.exe
10:01:43.0446 1312 WMI Mapper - ok
10:01:43.0633 1312 WmiApSrv (796d30c693f7b8a717499a9abeb3af39) C:\WINDOWS\system32\wbem\wmiapsrv.exe
10:01:43.0633 1312 WmiApSrv - ok
10:01:43.0743 1312 wqvtpuxyitqfuyc - ok
10:01:43.0915 1312 wuauserv (996cec79b1662044e8462e130a65739e) C:\WINDOWS\system32\wuauserv.dll
10:01:43.0930 1312 wuauserv - ok
10:01:44.0055 1312 WZCSVC (e21b2d0a0d4ab1d2441fe9fcc961c392) C:\WINDOWS\System32\wzcsvc.dll
10:01:44.0071 1312 WZCSVC - ok
10:01:44.0165 1312 xmlprov (c5b83f9a09a3ebfe8a931472f6da4e38) C:\WINDOWS\System32\xmlprov.dll
10:01:44.0165 1312 xmlprov - ok
10:01:44.0352 1312 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
10:01:44.0430 1312 \Device\Harddisk0\DR0 - ok
10:01:44.0524 1312 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk1\DR1
10:01:44.0524 1312 \Device\Harddisk1\DR1 - ok
10:01:44.0883 1312 MBR (0x1B8) (5fb38429d5d77768867c76dcbdb35194) \Device\Harddisk2\DR4
10:01:44.0946 1312 \Device\Harddisk2\DR4 - ok
10:01:45.0008 1312 Boot (0x1200) (bb2cd8525573860114f1c1488ee898f1) \Device\Harddisk0\DR0\Partition0
10:01:45.0008 1312 \Device\Harddisk0\DR0\Partition0 - ok
10:01:45.0118 1312 Boot (0x1200) (9656eff4b74c82fadc1590a2a2f74017) \Device\Harddisk2\DR4\Partition0
10:01:45.0133 1312 \Device\Harddisk2\DR4\Partition0 - ok
10:01:45.0180 1312 ============================================================
10:01:45.0180 1312 Scan finished
10:01:45.0180 1312 ============================================================
10:01:45.0399 1316 Detected object count: 1
10:01:45.0399 1316 Actual detected object count: 1
10:02:10.0493 1316 C:\WINDOWS\system32\DRIVERS\disk.sys - copied to quarantine
10:02:10.0524 1316 \Device\Harddisk0\DR0\TDLFS\tdl - copied to quarantine
10:02:10.0524 1316 \Device\Harddisk0\DR0\TDLFS\config.ini - copied to quarantine
10:02:10.0540 1316 \Device\Harddisk0\DR0\TDLFS\rsrc.dat - copied to quarantine
10:02:11.0727 1316 Backup copy found, using it..
10:02:11.0836 1316 C:\WINDOWS\system32\DRIVERS\disk.sys - will be cured on reboot
10:02:11.0836 1316 Disk ( Rootkit.Win32.TDSS.tdl3 ) - User select action: Cure
10:02:19.0524 0196 Deinitialize success

#2
Troy

RKill:

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 03/04/2012 at 10:07:15.
Operating System: Microsoft Windows Server 2003


Processes terminated by Rkill or while it was running:



Rkill completed on 03/04/2012 at 10:07:18.



---------------------------------------------------

MBAM:

Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org

Database version: v2012.04.02.11

Windows Server 2003 Service Pack 2 x86 NTFS (Safe Mode/Networking)
Internet Explorer 8.0.6001.18702
administrator :: xxxxx [administrator]

3/04/2012 10:15:44 AM
mbam-log-2012-04-03 (10-15-44).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 2129269
Time elapsed: 1 hour(s), 49 minute(s), 53 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 2
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce|GrpConv (Trojan.Agent.Gen) -> Data: grpconv -o -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|wtteGLkxtw.exe (Backdoor.Agent.RCGen) -> Data: C:\Documents and Settings\All Users\Application Data\wtteGLkxtw.exe -> Quarantined and deleted successfully.

Registry Data Items Detected: 2
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowMyComputer (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowSearch (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.

Folders Detected: 0
(No malicious items detected)

Files Detected: 4
C:\Documents and Settings\All Users\Application Data\wtteGLkxtw.exe (Backdoor.Agent.RCGen) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\grpconv.exe (Trojan.Agent.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\0da8qdbPHqALWO.exe (Backdoor.Agent.RCGen) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\toEAYfA4rFvhJI.exe (Backdoor.Agent.RCGen) -> Quarantined and deleted successfully.

(end)

#3
Troy

Sigverif:

Your post was too long. Please go back and shorten it a little.


Let me know if you need this one.

-------------------------------------------------------

ShellExView:


7-Zip Shell Extension No Context Menu 7-Zip Shell Extension 9.20 7-Zip Igor Pavlov No No No No No No C:\Program Files\7-Zip\7-zip.dll {23170F69-40C1-278A-1000-000100020000} 19/11/2010 2:08:12 AM 24/05/2011 10:42:11 PM No *, Directory 55,808 No
7-Zip Shell Extension No Drag & Drop Handler 7-Zip Shell Extension 9.20 7-Zip Igor Pavlov No No No No No No C:\Program Files\7-Zip\7-zip.dll {23170F69-40C1-278A-1000-000100020000} 19/11/2010 2:08:12 AM 24/05/2011 10:42:11 PM No Directory, Drive 55,808 No
Adobe PDF Link Helper No Browser Helper Object Adobe PDF Helper for Internet Explorer 10.1.2.45 AcroIEHelperShim Library Adobe Systems Incorporated No No No No No No C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll {18DF081C-E8AD-4283-A596-FA578C2EBDC3} 3/01/2012 11:10:44 PM 8/08/2011 8:33:07 PM No 63,912 No
Adobe PDF Preview Handler No Preview Handler Adobe PDF Preview Handler Helper Application 10.1.2.45 Adobe PDF Preview Handler Helper Application Adobe Systems, Inc No No No No No No C:\Program Files\Adobe\Reader 10.0\Reader\pdfprevhndlrshim.exe {49400A7C-81A8-4F52-8CCE-D54739EE87EC} 3/01/2012 11:10:44 PM 8/08/2011 8:33:06 PM No 103,848 No
Adobe PDF Preview Handler for Vista No Preview Handler Adobe PDF Preview Handler 10.1.2.45 Adobe PDF Preview Handler Adobe Systems, Inc. No No No No No No C:\Program Files\Adobe\Reader 10.0\Reader\pdfprevhndlr.dll {DC6EFB56-9CFA-464D-8880-44885D7DC193} 3/01/2012 11:10:44 PM 8/08/2011 8:33:12 PM No 88,992 No
Desktop Explorer No Shell Folder NVIDIA Desktop Explorer, Version 111.94 6.14.10.11194 NVIDIA Desktop Explorer, Version 111.94 NVIDIA Corporation No No No No No No C:\WINDOWS\system32\nvshell.dll {1CDB2949-8F65-4355-8456-263E7C208A5D} 7/10/2008 3:33:00 PM 30/10/2009 5:09:26 PM No 466,944 No
Desktop Explorer Menu No System NVIDIA Desktop Explorer, Version 111.94 6.14.10.11194 NVIDIA Desktop Explorer, Version 111.94 NVIDIA Corporation No No No No No No C:\WINDOWS\system32\nvshell.dll {1E9B04FB-F9E5-4718-997B-B8DA88302A47} 7/10/2008 3:33:00 PM 30/10/2009 5:09:26 PM No 466,944 No
DesktopContext Class No Context Menu NVIDIA Display Properties Extension 6.14.11.7824 NVIDIA Compatible Windows 2000 Display driver, Version 178.24 NVIDIA Corporation No No No No No No C:\WINDOWS\system32\nvcpl.dll {A70C977A-BF00-412C-90B7-034C51DA2439} 7/10/2008 3:33:00 PM 30/10/2009 5:02:49 PM No Directory\Background 13,574,144 No
DIALux 2.0 DLXShellHandler Class No Thumbnail ShellExtension Module for DIALux UNICODE Version 4,9,0,2 DIALux 4.9 DIAL GmbH, Germany No No No No No No C:\Program Files\DIALux\DLXShellExtension.dll {7889C2D5-D128-43e2-A8D8-A7590A12C8B3} 8/06/2011 4:52:10 PM 14/12/2011 4:16:12 PM No .dlx, .dtf, .m3d, .m4d 542,720 No
DIALux 2.0 ULDShellHandler Class No Context Menu ShellExtension Module for DIALux UNICODE Version 4,9,0,2 DIALux 4.9 DIAL GmbH, Germany No No No No No No C:\Program Files\DIALux\DLXShellExtension.dll {7EFFF3DD-71B3-11D4-A25E-005056DCFB89} 8/06/2011 4:52:10 PM 14/12/2011 4:16:12 PM No .cib, .eld, .ies, .uld, CIBFile, IESFile, LDTFile, ULDFile 542,720 No
DIALux 2.0 ULDShellHandler Class No InfoTip Handler ShellExtension Module for DIALux UNICODE Version 4,9,0,2 DIALux 4.9 DIAL GmbH, Germany No No No No No No C:\Program Files\DIALux\DLXShellExtension.dll {7EFFF3DD-71B3-11D4-A25E-005056DCFB89} 8/06/2011 4:52:10 PM 14/12/2011 4:16:12 PM No .cib, .eld, .ies, .uld, CIBFile, IESFile, LDTFile, ULDFile 542,720 No
DIALux 2.0 ULDShellHandler Class No Thumbnail ShellExtension Module for DIALux UNICODE Version 4,9,0,2 DIALux 4.9 DIAL GmbH, Germany No No No No No No C:\Program Files\DIALux\DLXShellExtension.dll {7EFFF3DD-71B3-11D4-A25E-005056DCFB89} 8/06/2011 4:52:10 PM 14/12/2011 4:16:12 PM No .cib, .eld, .ies, .uld, CIBFile, IESFile, LDTFile, ULDFile 542,720 No
DIALux 3.1 ULDBrowserHelper Class No Browser Helper Object ShellExtension Module for DIALux UNICODE Version 4,9,0,2 DIALux 4.9 DIAL GmbH, Germany No No No No No No C:\Program Files\DIALux\DLXShellExtension.dll {69AB812A-8CE4-4BF3-B49B-3B60A9F31FB2} 8/06/2011 4:52:10 PM 14/12/2011 4:16:12 PM No 542,720 No
HyperTerminal Icon Ext No System No No No No No No C:\WINDOWS\system32\hticons.dll {88895560-9AA2-1069-930E-00AA0030EBC8} N / A 4/07/2009 5:41:24 AM No 0 No
Java™ Plug-In 2 SSV Helper No Browser Helper Object Java™ Platform SE binary 10.0.0.147 Java™ Platform SE 7 Oracle Corporation No No No No No No C:\Program Files\Java\jre7\bin\jp2ssv.dll {DBC80044-A445-435b-BC74-9C25C1C588A9} 8/08/2011 8:28:26 PM 8/08/2011 8:28:47 PM No 56,712 No
MBAMShlExt Class No Context Menu Malwarebytes' Anti-Malware 1.50.1.0000 Malwarebytes' Anti-Malware Malwarebytes Corporation No No No No No No C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll {57CE581A-0CB6-4266-9CA0-19364C90A0B3} 24/05/2011 10:20:06 AM 3/04/2012 10:08:12 AM No AllFilesystemObjects, Folder 77,648 No
NVIDIA CPL Extension No Context Menu NVIDIA Display Properties Extension 6.14.11.7824 NVIDIA Compatible Windows 2000 Display driver, Version 178.24 NVIDIA Corporation No No No No No No C:\WINDOWS\system32\nvcpl.dll {FFB699E0-306A-11d3-8BD1-00104B6F7516} 7/10/2008 3:33:00 PM 30/10/2009 5:02:48 PM No .avi, .m1v, .mp2, .mp2v, .mpa, .mpe, .mpeg, .mpg, .mpv2, .wmv, AVIFile, mpegfile, WMVFile 13,574,144 No
nView Desktop Context Menu No Context Menu NVIDIA Desktop Explorer, Version 111.94 6.14.10.11194 NVIDIA Desktop Explorer, Version 111.94 NVIDIA Corporation No No No No No No C:\WINDOWS\system32\nvshell.dll {1E9B04FB-F9E5-4718-997B-B8DA88302A48} 7/10/2008 3:33:00 PM 30/10/2009 5:09:26 PM No Directory\Background 466,944 No
PDF Shell Extension No Column Handler PDF Shell Extension 10.1.2.45 Adobe PDF Shell Extension Adobe Systems, Inc. No No No No No No C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll {F9DB5320-233E-11D1-9F84-707F02C10627} 3/01/2012 11:10:44 PM 8/08/2011 8:33:06 PM No Folder 394,136 No
TmdshellExt Class No Context Menu Trend Micro Client Shell Extension 1.6.0.1122 Trend Micro UniClient Trend Micro Inc. No No No No No No C:\Program Files\Trend Micro\UniClient\UiFrmwrk\tmdshell.dll {48F45200-91E6-11CE-8A4F-0080C81A28D4} 20/05/2011 5:04:34 PM 20/05/2011 5:09:53 PM No *, .lnk, .pif, .shb, .url, DocShortcut, Folder, InternetShortcut, lnkfile, piffile A 116,944 No
TmIEPlugInBHO Class No Browser Helper Object No No No No No No C:\Program Files\Trend Micro\AMSP\Module\20004\1.6.1106\6.6.1045\TmIEPlg.dll {1CA1377B-DC1D-4A52-9585-6E06050FAC53} N / A 25/05/2011 4:01:54 PM No 0 No
VersionShellExt Class No Property Sheet QBVersionTool 20.0D R1 QuickBooks for Windows Intuit Inc. No No No No No No C:\Program Files\Common Files\Intuit\QuickBooks\QBVersionTool.dll {7D5C4BDD-B015-4401-8731-1507B87DE297} 4/03/2011 8:20:10 PM 3/02/2012 11:13:57 AM No .qba, .qbb, .qbm, .qbw, .qbx, qbaFile, qbbFile, qbmFile, qbwFile, qbxFile 283,976 No
VersionShellExt Class No InfoTip Handler QBVersionTool 20.0D R1 QuickBooks for Windows Intuit Inc. No No No No No No C:\Program Files\Common Files\Intuit\QuickBooks\QBVersionTool.dll {7D5C4BDD-B015-4401-8731-1507B87DE297} 4/03/2011 8:20:10 PM 3/02/2012 11:13:57 AM No .qba, .qbb, .qbm, .qbw, .qbx, qbaFile, qbbFile, qbmFile, qbwFile, qbxFile 283,976 No
WinRAR No Context Menu WinRAR shell extension 4.1.0 WinRAR Alexander Roshal No No No No No No C:\Program Files\WinRAR\rarext.dll {B41DB860-8EE4-11D2-9906-E49FADC173CA} 2/11/2011 7:52:13 AM 2/11/2011 7:52:16 AM No *, .7z, .ace, .arj, .bz, .bz2, .cab, .gz, .lha, .lzh, .r00, .r01, .r02, .r03, .r04, .r05, .r06, .r07, .r08, .r09, .r10, .r11, .r12, .r13, .r14, .r15, .r16, .r17, .r18, .r19, .r20, .r21, .r22, .r23, .r24, .r25, .r26, .r27, .r28, .r29, .rar, .tar, .taz, .tbz, .tbz2, .tgz, .uu, .uue, .xxe, .z, .zip, Directory, Folder, WinRAR 140,288 No
WinRAR No Drop Handler WinRAR shell extension 4.1.0 WinRAR Alexander Roshal No No No No No No C:\Program Files\WinRAR\rarext.dll {B41DB860-8EE4-11D2-9906-E49FADC173CA} 2/11/2011 7:52:13 AM 2/11/2011 7:52:16 AM No .7z, .ace, .arj, .bz, .bz2, .cab, .gz, .lha, .lzh, .r00, .r01, .r02, .r03, .r04, .r05, .r06, .r07, .r08, .r09, .r10, .r11, .r12, .r13, .r14, .r15, .r16, .r17, .r18, .r19, .r20, .r21, .r22, .r23, .r24, .r25, .r26, .r27, .r28, .r29, .rar, .tar, .taz, .tbz, .tbz2, .tgz, .uu, .uue, .xxe, .z, .zip, WinRAR 140,288 No
WinRAR No Property Sheet WinRAR shell extension 4.1.0 WinRAR Alexander Roshal No No No No No No C:\Program Files\WinRAR\rarext.dll {B41DB860-8EE4-11D2-9906-E49FADC173CA} 2/11/2011 7:52:13 AM 2/11/2011 7:52:16 AM No .7z, .ace, .arj, .bz, .bz2, .cab, .exe, .gz, .lha, .lzh, .r00, .r01, .r02, .r03, .r04, .r05, .r06, .r07, .r08, .r09, .r10, .r11, .r12, .r13, .r14, .r15, .r16, .r17, .r18, .r19, .r20, .r21, .r22, .r23, .r24, .r25, .r26, .r27, .r28, .r29, .rar, .tar, .taz, .tbz, .tbz2, .tgz, .uu, .uue, .xxe, .z, .zip, exefile, WinRAR 140,288 No
WinRAR No Drag & Drop Handler WinRAR shell extension 4.1.0 WinRAR Alexander Roshal No No No No No No C:\Program Files\WinRAR\rarext.dll {B41DB860-8EE4-11D2-9906-E49FADC173CA} 2/11/2011 7:52:13 AM 2/11/2011 7:52:16 AM No Directory, Drive, Folder 140,288 No

#4
Troy

System Idle Process:

Process PID CPU Private Bytes Working Set Description Company Name Verified Signer
System Idle Process 0 93.27 0 K 28 K
System 4 0.96 0 K 19,728 K
Interrupts n/a 4.42 0 K 0 K Hardware Interrupts and DPCs
smss.exe 416 136 K 516 K Windows NT Session Manager Microsoft Corporation (Verified) Microsoft Windows Component Publisher
csrss.exe 464 2,072 K 4,400 K Client Server Runtime Process Microsoft Corporation (Verified) Microsoft Windows Component Publisher
winlogon.exe 488 8,368 K 11,728 K Windows NT Logon Application Microsoft Corporation (Verified) Microsoft Windows Component Publisher
services.exe 536 0.19 2,032 K 4,644 K Services and Controller app Microsoft Corporation (Verified) Microsoft Windows Component Publisher
svchost.exe 736 968 K 3,180 K Generic Host Process for Win32 Services Microsoft Corporation (Verified) Microsoft Windows Component Publisher
wmiprvse.exe 5028 1,824 K 5,388 K WMI Microsoft Corporation (Verified) Microsoft Windows Component Publisher
wmiprvse.exe 5348 8,656 K 11,416 K WMI Microsoft Corporation (Verified) Microsoft Windows Component Publisher
svchost.exe 792 1,716 K 4,320 K Generic Host Process for Win32 Services Microsoft Corporation (Verified) Microsoft Windows Component Publisher
svchost.exe 856 4,604 K 5,772 K Generic Host Process for Win32 Services Microsoft Corporation (Verified) Microsoft Windows Component Publisher
svchost.exe 896 1,400 K 3,672 K Generic Host Process for Win32 Services Microsoft Corporation (Verified) Microsoft Windows Component Publisher
svchost.exe 912 21,580 K 29,280 K Generic Host Process for Win32 Services Microsoft Corporation (Verified) Microsoft Windows Component Publisher
rundll32.exe 1024 1,376 K 1,548 K Run a DLL as an App Microsoft Corporation (Verified) Microsoft Windows Component Publisher
spoolsv.exe 1068 11,204 K 17,960 K Spooler SubSystem App Microsoft Corporation (Verified) Microsoft Windows Component Publisher
coreServiceShell.exe 1092 0.38 120,416 K 46,748 K Trend Micro Anti-Malware Solution Platform Trend Micro Inc. (Verified) Trend Micro, Inc.
uiWatchDog.exe 1124 720 K 248 K Trend Micro Client Session Agent Monitor Trend Micro Inc. (Verified) Trend Micro, Inc.
coreFrameworkHost.exe 1144 7,036 K 3,124 K Trend Micro Anti-Malware Solution Platform Trend Micro Inc. (Verified) Trend Micro, Inc.
msdtc.exe 1312 1,868 K 4,568 K MS DTCconsole program Microsoft Corporation (Verified) Microsoft Windows Component Publisher
cisvc.exe 1416 0.38 5,040 K 1,380 K Content Index service Microsoft Corporation (Verified) Microsoft Windows Component Publisher
cidaemon.exe 7864 1,528 K 700 K Indexing Service filter daemon Microsoft Corporation (Verified) Microsoft Windows Component Publisher
cidaemon.exe 6780 1,328 K 264 K Indexing Service filter daemon Microsoft Corporation (Verified) Microsoft Windows Component Publisher
cpqsrhmo.exe 1432 3,628 K 9,068 K HP Version Control Repository Manager Hewlett-Packard Company (Unable to verify) Hewlett-Packard Company
vcagent.exe 1448 2,712 K 8,328 K HP Version Control Agent Hewlett-Packard Company (Unable to verify) Hewlett-Packard Company
hpsimsvc.exe 1628 456 K 2,064 K (Unable to verify)
mxdtf.exe 1640 99,428 K 58,176 K (Unable to verify)
mxdomainmgr.exe 2452 421,800 K 321,256 K (Unable to verify)
mxinventory.exe 7788 113,344 K 96,516 K (Unable to verify)
inetinfo.exe 1728 3,484 K 9,000 K Internet Information Services Microsoft Corporation (Verified) Microsoft Windows Component Publisher
jqs.exe 1752 2,628 K 1,448 K Java™ Quick Starter Service Oracle Corporation (Verified) Oracle America, Inc.
mdm.exe 1832 1,168 K 3,504 K Machine Debug Manager Microsoft Corporation (Unable to verify) Microsoft Corporation
msftesql.exe 1864 5,108 K 6,536 K PKM executable Microsoft Corporation (Verified) Microsoft Corporation
sqlservr.exe 1940 185,868 K 163,564 K SQL Server Windows NT Microsoft Corporation (Verified) Microsoft Corporation
sqlservr.exe 2036 88,464 K 72,260 K SQL Server Windows NT Microsoft Corporation (Verified) Microsoft Corporation
nvsvc32.exe 2184 2,516 K 3,832 K NVIDIA Driver Helper Service, Version 178.24 NVIDIA Corporation (Verified) Microsoft Windows Hardware Compatibility Publisher
cygrunsrv.exe 2212 3,484 K 4,160 K (Unable to verify)
QBCFMonitorService.exe 2596 6,144 K 7,976 K QuickBooks Company File Monitoring Service Intuit (Unable to verify) Intuit
QBDBMgrN.exe 2776 302,252 K 304,244 K Adaptive Server Anywhere Network Server iAnywhere Solutions, Inc. (Verified) Quicken Australia
svchost.exe 2796 344 K 1,596 K Generic Host Process for Win32 Services Microsoft Corporation (Verified) Microsoft Windows Component Publisher
ReportingServicesService.exe 2808 70,900 K 57,488 K Report Scheduling and Delivery Server Windows NT Service Microsoft Corporation (Verified) Microsoft Corporation
snmp.exe 2900 5,040 K 8,024 K SNMP Service Microsoft Corporation (Verified) Microsoft Windows Component Publisher
sqlbrowser.exe 2916 724 K 2,548 K SQL Browser Service EXE Microsoft Corporation (Verified) Microsoft Corporation
sqlwriter.exe 2936 1,028 K 3,812 K SQL Server VSS Writer Microsoft Corporation (Verified) Microsoft Corporation
smhstart.exe 2980 5,572 K 7,280 K HP System Management Homepage Service Hewlett-Packard Company (Unable to verify) Hewlett-Packard Company
cmd.exe 3724 1,504 K 1,612 K Windows Command Processor Microsoft Corporation (Verified) Microsoft Windows Component Publisher
hpsmhd.exe 3732 13,944 K 17,424 K HP System Management Homepage Hewlett-Packard Company (Unable to verify) Hewlett-Packard Company
cmd.exe 3812 1,468 K 1,564 K Windows Command Processor Microsoft Corporation (Verified) Microsoft Windows Component Publisher
rotatelogs.exe 3820 716 K 2,188 K HP System Management Homepage Hewlett-Packard Company (Unable to verify) Hewlett-Packard Company
cmd.exe 3828 1,468 K 1,564 K Windows Command Processor Microsoft Corporation (Verified) Microsoft Windows Component Publisher
rotatelogs.exe 3836 716 K 2,184 K HP System Management Homepage Hewlett-Packard Company (Unable to verify) Hewlett-Packard Company
hpsmhd.exe 3892 21,804 K 23,904 K HP System Management Homepage Hewlett-Packard Company (Unable to verify) Hewlett-Packard Company
cmd.exe 3944 1,468 K 1,572 K Windows Command Processor Microsoft Corporation (Verified) Microsoft Windows Component Publisher
rotatelogs.exe 3952 720 K 2,192 K HP System Management Homepage Hewlett-Packard Company (Unable to verify) Hewlett-Packard Company
cmd.exe 3968 1,468 K 1,572 K Windows Command Processor Microsoft Corporation (Verified) Microsoft Windows Component Publisher
rotatelogs.exe 3976 720 K 2,192 K HP System Management Homepage Hewlett-Packard Company (Unable to verify) Hewlett-Packard Company
lserver.exe 3012 7,468 K 9,992 K Microsoft® Terminal Server Licensing Microsoft Corporation (Verified) Microsoft Windows Component Publisher
USBDLM.exe 3044 2,224 K 3,696 K USB Drive Letter Manager (Win32) Uwe Sieber - www.uwe-sieber.de (Unable to verify) Uwe Sieber - www.uwe-sieber.de
vds.exe 3108 780 K 3,060 K Virtual Disk Service Microsoft Corporation (Verified) Microsoft Windows Component Publisher
wbemcons.exe 3156 2,208 K 5,732 K (Unable to verify)
WMIServer.exe 3212 4,408 K 10,484 K (Unable to verify)
VivaldiFramework.exe 3260 492 K 1,832 K (Unable to verify)
cmd.exe 3300 1,484 K 1,600 K Windows Command Processor Microsoft Corporation (Verified) Microsoft Windows Component Publisher
javaw.exe 3328 28,544 K 24,824 K Java™ Platform SE binary Sun Microsystems, Inc. (Verified) Sun Microsystems, Inc.
svchost.exe 3292 8,544 K 11,368 K Generic Host Process for Win32 Services Microsoft Corporation (Verified) Microsoft Windows Component Publisher
mrmonitor.exe 3712 4,036 K 8,388 K (Unable to verify)
SQLAGENT90.EXE 3848 9,248 K 4,452 K Microsoft SQL Server Agent Microsoft Corporation (Verified) Microsoft Corporation
dmadmin.exe 5288 2,952 K 4,636 K Logical Disk Manager Adminstrative Service Microsoft Corporation (Verified) Microsoft Windows Component Publisher
svchost.exe 5320 3,128 K 5,480 K Generic Host Process for Win32 Services Microsoft Corporation (Verified) Microsoft Windows Component Publisher
TmListen.exe 6232 11,852 K 11,668 K TmListen Application Trend Micro Inc. (Verified) Trend Micro, Inc.
svchost.exe 6464 3,132 K 4,312 K Generic Host Process for Win32 Services Microsoft Corporation (Verified) Microsoft Windows Component Publisher
snmptrap.exe 7240 564 K 2,144 K SNMP Trap Service Microsoft Corporation (Verified) Microsoft Windows Component Publisher
lsass.exe 548 17,536 K 16,952 K LSA Shell Microsoft Corporation (Verified) Microsoft Windows Component Publisher
logon.scr 5708 396 K 1,692 K Logon Screen Saver Microsoft Corporation (Verified) Microsoft Windows Component Publisher
csrss.exe 6848 1,296 K 5,112 K Client Server Runtime Process Microsoft Corporation (Verified) Microsoft Windows Component Publisher
winlogon.exe 6876 8,080 K 5,300 K Windows NT Logon Application Microsoft Corporation (Verified) Microsoft Windows Component Publisher
rdpclip.exe 7376 940 K 332 K RDP Clip Monitor Microsoft Corporation (Verified) Microsoft Windows Component Publisher
uiSeAgnt.exe 7852 10,040 K 620 K Trend Micro Client Session Agent Trend Micro Inc. (Verified) Trend Micro, Inc.
csrss.exe 6200 1,308 K 4,812 K Client Server Runtime Process Microsoft Corporation (Verified) Microsoft Windows Component Publisher
winlogon.exe 6224 6,632 K 6,272 K Windows NT Logon Application Microsoft Corporation (Verified) Microsoft Windows Component Publisher
rdpclip.exe 8084 960 K 964 K RDP Clip Monitor Microsoft Corporation (Verified) Microsoft Windows Component Publisher
uiSeAgnt.exe 2400 10,016 K 792 K Trend Micro Client Session Agent Trend Micro Inc. (Verified) Trend Micro, Inc.
axlbridge.exe 1424 720 K 3,264 K AXLBridge Module Intuit Inc. (Verified) Quicken Australia
csrss.exe 1956 1,368 K 5,052 K Client Server Runtime Process Microsoft Corporation (Verified) Microsoft Windows Component Publisher
winlogon.exe 4936 6,616 K 4,636 K Windows NT Logon Application Microsoft Corporation (Verified) Microsoft Windows Component Publisher
rdpclip.exe 7692 960 K 320 K RDP Clip Monitor Microsoft Corporation (Verified) Microsoft Windows Component Publisher
uiSeAgnt.exe 6180 9,224 K 608 K Trend Micro Client Session Agent Trend Micro Inc. (Verified) Trend Micro, Inc.
csrss.exe 9468 1,308 K 4,468 K Client Server Runtime Process Microsoft Corporation (Verified) Microsoft Windows Component Publisher
winlogon.exe 9472 3,972 K 3,972 K Windows NT Logon Application Microsoft Corporation (Verified) Microsoft Windows Component Publisher
rdpclip.exe 9412 960 K 3,264 K RDP Clip Monitor Microsoft Corporation (Verified) Microsoft Windows Component Publisher
uiSeAgnt.exe 10076 9,260 K 696 K Trend Micro Client Session Agent Trend Micro Inc. (Verified) Trend Micro, Inc.
axlbridge.exe 5800 720 K 3,320 K AXLBridge Module Intuit Inc. (Verified) Quicken Australia
csrss.exe 6696 1,364 K 4,028 K Client Server Runtime Process Microsoft Corporation (Verified) Microsoft Windows Component Publisher
winlogon.exe 8276 4,036 K 2,452 K Windows NT Logon Application Microsoft Corporation (Verified) Microsoft Windows Component Publisher
rdpclip.exe 8112 1,000 K 1,204 K RDP Clip Monitor Microsoft Corporation (Verified) Microsoft Windows Component Publisher
uiSeAgnt.exe 5260 9,208 K 728 K Trend Micro Client Session Agent Trend Micro Inc. (Verified) Trend Micro, Inc.
csrss.exe 8336 1,264 K 4,496 K Client Server Runtime Process Microsoft Corporation (Verified) Microsoft Windows Component Publisher
winlogon.exe 8780 5,284 K 3,952 K Windows NT Logon Application Microsoft Corporation (Verified) Microsoft Windows Component Publisher
rdpclip.exe 888 940 K 3,184 K RDP Clip Monitor Microsoft Corporation (Verified) Microsoft Windows Component Publisher
uiSeAgnt.exe 8736 9,300 K 832 K Trend Micro Client Session Agent Trend Micro Inc. (Verified) Trend Micro, Inc.
csrss.exe 6136 1,356 K 4,996 K Client Server Runtime Process Microsoft Corporation (Verified) Microsoft Windows Component Publisher
winlogon.exe 6312 5,460 K 4,000 K Windows NT Logon Application Microsoft Corporation (Verified) Microsoft Windows Component Publisher
rdpclip.exe 8656 956 K 3,192 K RDP Clip Monitor Microsoft Corporation (Verified) Microsoft Windows Component Publisher
uiSeAgnt.exe 8620 9,288 K 712 K Trend Micro Client Session Agent Trend Micro Inc. (Verified) Trend Micro, Inc.
sshd.exe 2704 4,176 K 6,004 K (Unable to verify)
explorer.exe 7524 11,116 K 2,964 K Windows Explorer Microsoft Corporation (Verified) Microsoft Windows Component Publisher
cpqteam.exe 7748 552 K 216 K CPQTEAM.EXE Hewlett-Packard Company (Verified) Microsoft Windows Hardware Compatibility Publisher
jusched.exe 7836 756 K 156 K Java™ Update Scheduler Sun Microsystems, Inc. (Verified) Sun Microsystems, Inc.
explorer.exe 7564 13,216 K 9,404 K Windows Explorer Microsoft Corporation (Verified) Microsoft Windows Component Publisher
cpqteam.exe 6320 580 K 260 K CPQTEAM.EXE Hewlett-Packard Company (Verified) Microsoft Windows Hardware Compatibility Publisher
jusched.exe 7348 756 K 148 K Java™ Update Scheduler Sun Microsystems, Inc. (Verified) Sun Microsystems, Inc.
ctfmon.exe 1876 504 K 1,152 K CTF Loader Microsoft Corporation (Verified) Microsoft Windows Component Publisher
OUTLOOK.EXE 3388 61,540 K 83,436 K Microsoft Office Outlook Microsoft Corporation (Verified) Microsoft Corporation
EXCEL.EXE 10104 22,156 K 18,640 K Microsoft Office Excel Microsoft Corporation (Verified) Microsoft Corporation
AcroRd32.exe 12048 0.19 40,684 K 47,996 K Adobe Reader Adobe Systems Incorporated (Verified) Adobe Systems, Incorporated
QBW32.EXE 6940 80,968 K 3,852 K QuickBooks Intuit Inc. (Verified) Quicken Australia
explorer.exe 6436 11,684 K 3,804 K Windows Explorer Microsoft Corporation (Verified) Microsoft Windows Component Publisher
cpqteam.exe 7780 584 K 256 K CPQTEAM.EXE Hewlett-Packard Company (Verified) Microsoft Windows Hardware Compatibility Publisher
jusched.exe 3024 756 K 156 K Java™ Update Scheduler Sun Microsystems, Inc. (Verified) Sun Microsystems, Inc.
ctfmon.exe 6632 492 K 628 K CTF Loader Microsoft Corporation (Verified) Microsoft Windows Component Publisher
Dropbox.exe 6620 40,332 K 19,120 K Dropbox Dropbox, Inc. (Verified) Dropbox
OUTLOOK.EXE 8004 28,032 K 19,944 K Microsoft Office Outlook Microsoft Corporation (Verified) Microsoft Corporation
EXCEL.EXE 704 14,076 K 5,940 K Microsoft Office Excel Microsoft Corporation (Verified) Microsoft Corporation
ctfmon.exe 8796 504 K 2,788 K CTF Loader Microsoft Corporation (Verified) Microsoft Windows Component Publisher
explorer.exe 10092 9,736 K 16,004 K Windows Explorer Microsoft Corporation (Verified) Microsoft Windows Component Publisher
cpqteam.exe 9692 584 K 2,344 K CPQTEAM.EXE Hewlett-Packard Company (Verified) Microsoft Windows Hardware Compatibility Publisher
jusched.exe 7336 1,488 K 6,092 K Java™ Update Scheduler Sun Microsystems, Inc. (Verified) Sun Microsystems, Inc.
OUTLOOK.EXE 9824 24,188 K 46,056 K Microsoft Office Outlook Microsoft Corporation (Verified) Microsoft Corporation
iexplore.exe 7592 8,244 K 18,208 K Internet Explorer Microsoft Corporation (Verified) Microsoft Windows
iexplore.exe 8464 67,276 K 83,936 K Internet Explorer Microsoft Corporation (Verified) Microsoft Windows
QBW32.EXE 7676 64,008 K 103,864 K QuickBooks Intuit Inc. (Verified) Quicken Australia
explorer.exe 9608 15,704 K 9,084 K Windows Explorer Microsoft Corporation (Verified) Microsoft Windows Component Publisher
cpqteam.exe 7024 552 K 204 K CPQTEAM.EXE Hewlett-Packard Company (Verified) Microsoft Windows Hardware Compatibility Publisher
jusched.exe 9252 756 K 136 K Java™ Update Scheduler Sun Microsystems, Inc. (Verified) Sun Microsystems, Inc.
taskmgr.exe 4880 0.19 1,604 K 1,964 K Windows TaskManager Microsoft Corporation (Verified) Microsoft Windows Component Publisher
OUTLOOK.EXE 5308 25,268 K 8,960 K Microsoft Office Outlook Microsoft Corporation (Verified) Microsoft Corporation
procexp.exe 12200 55,948 K 63,564 K Sysinternals Process Explorer Sysinternals - www.sysinternals.com (Verified) Microsoft Corporation
explorer.exe 10072 10,324 K 15,364 K Windows Explorer Microsoft Corporation (Verified) Microsoft Windows Component Publisher
cpqteam.exe 9108 552 K 2,104 K CPQTEAM.EXE Hewlett-Packard Company (Verified) Microsoft Windows Hardware Compatibility Publisher
jusched.exe 9400 756 K 2,800 K Java™ Update Scheduler Sun Microsystems, Inc. (Verified) Sun Microsystems, Inc.
OUTLOOK.EXE 5488 31,248 K 55,716 K Microsoft Office Outlook Microsoft Corporation (Verified) Microsoft Corporation
iexplore.exe 10648 10,328 K 18,104 K Internet Explorer Microsoft Corporation (Verified) Microsoft Windows
iexplore.exe 10692 43,508 K 48,508 K Internet Explorer Microsoft Corporation (Verified) Microsoft Windows
iexplore.exe 11616 21,708 K 31,368 K Internet Explorer Microsoft Corporation (Verified) Microsoft Windows
iexplore.exe 11720 55,572 K 66,364 K Internet Explorer Microsoft Corporation (Verified) Microsoft Windows
explorer.exe 9696 13,084 K 17,668 K Windows Explorer Microsoft Corporation (Verified) Microsoft Windows Component Publisher
cpqteam.exe 8176 568 K 2,124 K CPQTEAM.EXE Hewlett-Packard Company (Verified) Microsoft Windows Hardware Compatibility Publisher
jusched.exe 1744 768 K 2,740 K Java™ Update Scheduler Sun Microsystems, Inc. (Verified) Sun Microsystems, Inc.
BIBLauncher.exe 9336 5,064 K 9,268 K Business-in-a-Box Launcher Application (Unable to verify)
Dropbox.exe 1456 41,520 K 45,944 K Dropbox Dropbox, Inc. (Verified) Dropbox
OUTLOOK.EXE 10504 39,604 K 66,224 K Microsoft Office Outlook Microsoft Corporation (Verified) Microsoft Corporation
EXCEL.EXE 11436 13,764 K 24,524 K Microsoft Office Excel Microsoft Corporation (Verified) Microsoft Corporation

#5 Troy (Tech Staff, Topic Starter)
From Trend Micro security console:

Date/Time Computer Name Virus/Malware name File Name Path Scan Type Action Taken
3/04/2012 9:41 xxxxx Possible_AppLnk SMART_HDD.lnk C:\Documents and Settings\xxxx\Application Data\Microsoft\Internet Explorer\Quick Launch\ Real-time Scan Deleted
3/04/2012 9:41 xxxxx Possible_AppLnk SMART_HDD.lnk C:\Documents and Settings\xxxx\Desktop\ Real-time Scan Deleted
3/04/2012 9:41 xxxxx Possible_AppLnk Uninstall SMART HDD.lnk C:\Documents and Settings\xxxx\Start Menu\Programs\SMART HDD\ Real-time Scan Deleted
3/04/2012 9:41 xxxxx Possible_AppLnk SMART HDD.lnk C:\Documents and Settings\xxxx\Start Menu\Programs\SMART HDD\ Real-time Scan Deleted
3/04/2012 9:08 xxxxx Possible_AppLnk Uninstall SMART HDD.lnk C:\Documents and Settings\Administrator.xxxxxxxxx\Start Menu\Programs\SMART HDD\ Scan Now Passed
3/04/2012 9:08 xxxxx Possible_AppLnk SMART HDD.lnk C:\Documents and Settings\Administrator.xxxxxxxxx\Start Menu\Programs\SMART HDD\ Scan Now Passed
3/04/2012 9:07 xxxxx Possible_AppLnk SMART_HDD.lnk C:\Documents and Settings\Administrator.xxxxxxxxx\Desktop\ Scan Now Passed
3/04/2012 9:06 xxxxx Possible_AppLnk SMART_HDD.lnk C:\Documents and Settings\Administrator.xxxxxxxxx\Application Data\Microsoft\Internet Explorer\Quick Launch\ Scan Now Passed

#6 RKinner (Malware Expert, MVP)
Run TDSSKiller again.

Normally you have to tell it to Delete instead of Cure but let's see if it was able to fix these two:

10:02:11.0836 1316 C:\WINDOWS\system32\DRIVERS\disk.sys - will be cured on reboot
10:02:11.0836 1316 Disk ( Rootkit.Win32.TDSS.tdl3 ) - User select action: Cure

Make sure you delete the SMART HDD folders:

C:\Documents and Settings\xxxx\Start Menu\Programs\SMART HDD
C:\Documents and Settings\Administrator.xxxxxxxxx\Start Menu\Programs\SMART HDD

Also check

C:\Documents and Settings\All Users\Application Data\

Delete any .exe files you find in the Application Data folder. MBAM found several but there really is no reason for a file to run from Application Data.

Start, All Programs, Accessories, click on Command Prompt. Type with an Enter after each line:

cd  %temp%

dir  /a

Do you see any of the following?

dfrgr
dfrg
Windows Update.exe
tmp2.tmp

Delete them:

del  dfrgr
del  dfrg
del  "windows update.exe"
del  tmp2.tmp
There may also be three random named files. One with no extension, one with .exe and one with .dll. Remove them the same way.

Run OTL

Copy the text in the code box:

DRIVES
nnetsvcs
%SYSTEMDRIVE%\*.exe
msconfig
safebootminimal
safebootnetwork
activex
drivers32
%SYSTEMDRIVE%\*.exe
%ALLUSERSPROFILE%\Application Data\*.exe
%APPDATA%\*.
/md5start
atapi.sys
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
consrv.dll
shell.dll
mdm.exe
mrmonitor.exe
wbemcons.exe
WMIServer.exe 
/md5stop
%systemroot%\*. /mp /s
hklm\software\clients\startmenuinternet|command /rs
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles
CREATERESTOREPOINT

Run OTL

Paste (Ctrl + v) the copied text in the box where it says Custom Scan/Fixes. Save the log and copy and paste it into a reply.

For sigverif. Normally I'm only concerned with stuff that shows up after you press the Start button and the scan finishes. Unfortunately that doesn't lend itself to posting to a reply unless you take a screen shot and attach it.
http://graphicssoft....nscreenshot.htm Save the file as a .jpg or the forum won't allow it.

I don't see aswMBR so please run it:


Download aswMBR.exe ( 511KB ) to your desktop.
Double click aswMBR.exe
uncheck trace disk IO calls
Click the "Scan" button to start scan (Accept the Avast Engine)
On completion of the scan, if the Fix button is enabled (not the FixMBR button) press it and then run a new scan and click save log, save it to your desktop and post in your next reply
If the Fix button is not enabled then just click save log, save it to your desktop and post in your next reply
(This may reset your PC so you may just want to save the log for now and save the Fix button for another time.)


Ron
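
Added example, not part of Ron's instructions and not from any tool in this thread: a read-only PowerShell pass over the same two questions, which binaries are sitting in %TEMP% and the Application Data folders, and which service or driver keys point at a file that is missing or lives in a temp directory. It assumes PowerShell 2.0 or later is installed (an optional download on Windows Server 2003), an elevated prompt, and the Server 2003 profile root C:\Documents and Settings.

```powershell
# Added example, not from the thread or from any tool it mentions.
# Assumes PowerShell 2.0 or later (an optional install on Windows Server 2003),
# run from an elevated prompt. Read-only: it reports, it never deletes or disables.

$SystemRoot  = $env:SystemRoot
$ProfileRoot = 'C:\Documents and Settings'     # Server 2003 layout, as in the thread

# --- 1. Loose binaries in staging folders (%TEMP%, Application Data) -------------
# Executables, DLLs, drivers, .tmp files and extension-less files (dfrg, dfrgr).
$stagingDirs = @($env:TEMP, (Join-Path $env:ALLUSERSPROFILE 'Application Data'))
if (Test-Path -LiteralPath $ProfileRoot) {
    $stagingDirs += Get-ChildItem -LiteralPath $ProfileRoot |
        Where-Object { $_.PSIsContainer } |
        ForEach-Object { Join-Path $_.FullName 'Application Data' }
}
foreach ($dir in $stagingDirs) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    Get-ChildItem -LiteralPath $dir -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and
                       ($_.Extension -eq '' -or $_.Extension -match '^\.(exe|dll|sys|tmp)$') } |
        ForEach-Object { '{0,-8} {1,10:N0}  {2}' -f 'STAGING', $_.Length, $_.FullName }
}

# --- 2. Services/drivers whose binary is missing or runs from a temp directory ----
function Resolve-ImagePath([string]$imagePath) {
    # Turns a registry ImagePath value into a plain file path, e.g.
    #   \??\C:\WINDOWS\TEMP\190.tmp             -> C:\WINDOWS\TEMP\190.tmp
    #   system32\DRIVERS\disk.sys               -> C:\WINDOWS\system32\DRIVERS\disk.sys
    #   %SystemRoot%\system32\svchost.exe -k x  -> C:\WINDOWS\system32\svchost.exe
    $p = $imagePath.Trim()
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', ($SystemRoot + '\')
    $p = [Environment]::ExpandEnvironmentVariables($p)
    if ($p.StartsWith('"')) {
        $end = $p.IndexOf('"', 1)
        if ($end -gt 1) { $p = $p.Substring(1, $end - 1) }
    } else {
        $p = ($p -split '\s+[-/]')[0].Trim()    # drop " -k netsvcs" style arguments
    }
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $SystemRoot $p }
    return $p
}

$startModes = @{ 0 = 'boot'; 1 = 'system'; 2 = 'auto'; 3 = 'manual'; 4 = 'disabled' }
Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $props = Get-ItemProperty -LiteralPath $_.PSPath -ErrorAction SilentlyContinue
        if (-not $props -or -not $props.ImagePath) { return }
        $bin  = Resolve-ImagePath $props.ImagePath
        $flag = $null
        if (-not (Test-Path -LiteralPath $bin))             { $flag = 'MISSING' }
        elseif ($bin -match '\\temp\\|\\application data\\') { $flag = 'ODDPATH' }
        if ($flag) {
            $mode = '?'
            if ($props.Start -ne $null) { $mode = $startModes[[int]$props.Start] }
            '{0,-8} {1,-24} start={2,-8} {3}' -f $flag, $_.PSChildName, $mode, $bin
        }
    }
```

Entries flagged STAGING are the candidates for the del commands above. MISSING or ODDPATH service entries are what `sc config <name> start= disabled` (and, once you are sure, `sc delete <name>`) deals with. A MISSING driver is not by itself proof of malware: a cleaner that already removed the file leaves the same orphaned key, so check the name against the TDSSKiller and OTL logs before deleting it.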

#7 Troy (Tech Staff, Topic Starter)
I have the OTL log but it has lots of usernames in it I am not able to post. Is there a way I can get it to you privately (i.e. email or PM) or do I need to manually edit them all out?

I have completed everything up until the OTL log which I am working on.

#8 RKinner (Malware Expert, MVP)
Email the OTL logs to me. Sent you my email address in a PM.

#9 Troy (Tech Staff, Topic Starter)
Just sent now, thanks very much.

I'll get the other ones done shortly.

(sigverif screenshot and aswMBR.exe)

#10 Troy (Tech Staff, Topic Starter)
sigverif:

sigverif1.jpg

sigverif2.jpg

sigverif3.jpg

#11 RKinner (Malware Expert, MVP)
What is:

C:\WINDOWS\Tasks\Vutpeoho.job

It looks like a randomly named task to me but it could be something you know about. What file is it trying to run?


There are two suspicious drivers:

05194209.sys

DRV - File not found [Kernel | Unavailable | Unknown] -- C:\WINDOWS\TEMP\190.tmp -- (wqvtpuxyitqfuyc)



From a command prompt you can use SC to turn the last one off:
sc  config  wqvtpuxyitqfuyc  start=  disabled

Submit both files to virustotal.com and let's see what they think. If they do not get 0/41 or so then copy the report and paste it into a log.

Also submit
C:\WINDOWS\Rtuxoci.dat
C:\WINDOWS\system32\DRIVERS\ipinip.sys
If you can't find ipinip.sys then:
sc  config  IpInIp  start=  disabled
sc  delete  IpInIp

You have a lot of users with:
IE - HKU\S-1-5-21-483691258-1399953429-3867479032-1142\..\SearchScopes\{70D46D94-BF1E-45ED-B567-48701376298E}: "URL" = http://127.0.0.1:466...q={searchTerms}

I expect it's at least adware since it is talking to itself - don't see how it can search the web that way. We can have OTL remove it but wanted to check with you first in case it is something you know about.

Ron
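
Added example, mine rather than Ron's or OTL's: a read-only PowerShell check that walks every user hive loaded under HKEY_USERS and prints the IE search scopes whose URL points back at the machine itself, the pattern in the HKU line above. It assumes PowerShell 2.0 or later and an administrator session; hives of users who are not logged on are not loaded under HKU and would need `reg load` first.

```powershell
# Added example, not from the thread or from OTL. Assumes PowerShell 2.0 or later,
# run as an administrator on the terminal server. Read-only.

if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

function Test-LocalSearchTarget([string]$url) {
    # $true when the scope's URL is served by the machine itself (loopback),
    # which no real web search provider would be.
    return [bool]($url -match '^https?://(localhost|127\.\d{1,3}\.\d{1,3}\.\d{1,3}|\[::1\])(:\d+)?(/|$)')
}

function Convert-SidToAccount([string]$sid) {
    try {
        $id = New-Object System.Security.Principal.SecurityIdentifier($sid)
        return $id.Translate([System.Security.Principal.NTAccount]).Value
    } catch { return $sid }     # unresolvable (deleted or foreign-domain account)
}

# Only loaded hives appear under HKU: on this terminal server that is every user
# with an open session. Logged-off users' NTUSER.DAT files would need `reg load`.
Get-ChildItem HKU:\ | Where-Object {
        $_.PSChildName -match '^S-1-5-21-' -and $_.PSChildName -notmatch '_Classes$'
    } | ForEach-Object {
    $sid      = $_.PSChildName
    $scopeKey = "HKU:\$sid\Software\Microsoft\Internet Explorer\SearchScopes"
    if (-not (Test-Path -LiteralPath $scopeKey)) { return }
    $default  = (Get-ItemProperty -LiteralPath $scopeKey -ErrorAction SilentlyContinue).DefaultScope
    foreach ($scope in (Get-ChildItem -LiteralPath $scopeKey -ErrorAction SilentlyContinue)) {
        $p = Get-ItemProperty -LiteralPath $scope.PSPath -ErrorAction SilentlyContinue
        if (Test-LocalSearchTarget $p.URL) {
            $mark = ''
            if ($scope.PSChildName -eq $default) { $mark = ' (DefaultScope)' }
            '{0,-28} {1} {2}{3}' -f (Convert-SidToAccount $sid), $scope.PSChildName, $p.URL, $mark
        }
    }
}
```

Each hit shows the account, the scope GUID and the URL. For a loopback URL, `netstat -ano` shows which process ID is listening on that port, which is where the users' searches are actually being handed. The same read-only approach answers the question about Vutpeoho.job: `schtasks /query /fo LIST /v` prints the "Task To Run" line for every job in C:\WINDOWS\Tasks. Removal of the scopes stays with OTL, as Ron proposes.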

#12 Troy (Tech Staff, Topic Starter)
aswMBR:

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-04-05 13:37:05
-----------------------------
13:37:05.555 OS Version: Windows 5.2.3790 Service Pack 2
13:37:05.555 Number of processors: 8 586 0x1706
13:37:05.555 ComputerName: xxxxxxx UserName:
13:37:12.399 Initialize success
13:43:40.062 AVAST engine defs: 12040401
13:50:33.180 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\0000004f
13:50:33.180 Disk 0 Vendor: LSILOGIC 3000 Size: 139236MB BusType: 10
13:50:33.180 Disk 1 \Device\Harddisk1\DR1 -> \Device\00000050
13:50:33.180 Disk 1 Vendor: LSILOGIC 3000 Size: 285148MB BusType: 10
13:50:33.195 Disk 0 MBR read successfully
13:50:33.195 Disk 0 MBR scan
13:50:33.211 Disk 0 Windows XP default MBR code
13:50:33.211 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 139227 MB offset 63
13:50:33.227 Disk 0 scanning sectors +285137685
13:50:33.274 Disk 0 scanning C:\WINDOWS\system32\drivers
13:50:44.617 Service scanning
13:51:14.946 Modules scanning
13:51:19.087 AVAST engine scan C:\WINDOWS
13:51:32.228 AVAST engine scan C:\WINDOWS\system32
13:57:21.859 AVAST engine scan C:\WINDOWS\system32\drivers
13:57:38.282 AVAST engine scan C:\Documents and Settings\Administrator.xxxxxxxxx
13:58:59.815 AVAST engine scan C:\Documents and Settings\All Users
14:00:38.488 Scan finished successfully
14:12:25.348 Disk 0 MBR has been saved successfully to "C:\Security\MBR.dat"
14:12:25.348 The log file has been saved successfully to "C:\Security\aswMBR.txt"

#13 Troy (Tech Staff, Topic Starter)

C:\WINDOWS\Tasks\Vutpeoho.job


This doesn't exist. It must be some form of reference perhaps? Either way if we can get rid of it that would be great.

#14 Troy (Tech Staff, Topic Starter)

There are two suspicious drivers:

05194209.sys

DRV - File not found [Kernel | Unavailable | Unknown] -- C:\WINDOWS\TEMP\190.tmp -- (wqvtpuxyitqfuyc)



From a command prompt you can use SC to turn the last one off:

sc  config  wqvtpuxyitqfuyc  start=  disabled

Submit both files to virustotal.com and let's see what they think. If they do not get 0/41 or so then copy the report and paste it into a log.


I cannot find either of these files - where should they be located (if still present)? If I try to disable the service it gives me an error that the service does not exist.

#15 Troy (Tech Staff, Topic Starter)

Also submit
C:\WINDOWS\Rtuxoci.dat
C:\WINDOWS\system32\DRIVERS\ipinip.sys
If you can't find ipinip.sys then:

sc  config  IpInIp  start=  disabled
sc  delete  IpInIp

You have a lot of users with:
IE - HKU\S-1-5-21-483691258-1399953429-3867479032-1142\..\SearchScopes\{70D46D94-BF1E-45ED-B567-48701376298E}: "URL" = http://127.0.0.1:466...q={searchTerms}

I expect it's at least adware since it is talking to itself - don't see how it can search the web that way. We can have OTL remove it but wanted to check with you first in case it is something you know about.

Ron

Thanks Ron,

C:\WINDOWS\Rtuxoci.dat gave me no infected reports. It had been recently analysed but I went ahead and had it reanalysed just to be sure.

C:\WINDOWS\system32\DRIVERS\ipinip.sys was not found, successfully disabled and deleted per your instructions.

The Search Scopes can be removed with OTL, if you could include this in your instructions please.

Kind regards,

Troy

(P.S. have a great Easter, I likely won't be back until Tuesday 10th April AEST)