Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Windows desktop won't fully load; suspect malware


  • Please log in to reply

#31
Lamont_Cranston

Lamont_Cranston

    Member

  • Topic Starter
  • Member
  • PipPip
  • 36 posts

Sorry that its taken me a while to get back to this thread.  Been working a lot.

 

Ran Windows Repair in Safe Mode with only the Reset Registry Permissions and Reset File Permissions options checked.  No change after rebooting.  Went back in and checked just the Repair Icons option and the Repair Start Menu Icons Removed By Infections option.  Again, no change after a run and reboot.

 

Afterward, I updated and ran the ESET Online Scanner.  It found and deleted the following 3 items:

 

C:\Documents and Settings\steveo\Application Data\Mozilla\Firefox\Profiles\lcj47vxs.default\extensions\staged\{9ee802e8-c931-47ab-b570-aa8f791598ca}\Plugins\npConduitFirefoxPlugin.dll    a variant of Win32/Conduit.SearchProtect.N potentially unwanted application    

 

C:\Documents and Settings\steveo\My Documents\Downloads\emusic_fx_bundle.exe    Win32/Toolbar.Conduit.A potentially unwanted application    

 

C:\Program Files\ccsetup522.exe    Win32/Bundled.Toolbar.Google.D potentially unsafe application    
 

The first two appear to be unrelated to the ZeroAccess infection, but the last one might be because the Crap Cleaner icon was one of those that mysteriously appeared in my tray after the unattended reboot.

 

 

Haven't tried a repair install of Bitdefender 2015 yet. 

 

Still getting the "Warning  EMET service status is: Not Running" message when I launch the GUI.  I haven't learned enough about addressing that message to attempt a repair.  Checking and unchecking the Tray Icon box has no effect; the box is always checked in the GUI when I open it, yet the icon never appears in the tray.

 

I'm becoming a little more concerned about not having these programs up and running.


  • 0

Advertisements


#32
RKinner

RKinner

    Malware Expert

  • Expert
  • 19,624 posts
  • MVP

Run Combofix again and see if it finds anything.

 

Also let's see if there are any errors that explain why EMET fails.

 

1. Please download the Event Viewer Tool by Vino Rosso
http://images.malwar...om/vino/VEW.exe
and save it to your Desktop:
2. Double-click VEW.exe
3. Under 'Select log to query', select:

* System
4. Under 'Select type to list', select:
* Error
* Warning


Then use the 'Number of events' as follows:


1. Click the radio button for 'Number of events'
Type 20 in the 1 to 20 box
Then click the Run button.
Notepad will open with the output log.


Please post the Output log in your next reply then repeat but select Application. (Each time you run VEW it overwrites the log so copy the first one to a Reply or rename it before running it a second time.)
 

 

It said the EMET service is not running.  Search for

 

services.msc

 

and hit Enter (or type it into the RUN box)

 

Is there an EMET (or Enhanced Mitigation Experience Toolkit) service?  Right click on it and select Properties.  Make sure the STARTUP TYPE: is set to AUTOMATIC.  APPLY if you change it.  Then try to START the service.  Do you get an error?  What does it say?


  • 0

#33
Lamont_Cranston

Lamont_Cranston

    Member

  • Topic Starter
  • Member
  • PipPip
  • 36 posts

Here we go again:

 

"You are infected with Rootkit.ZeroAccess!  It has inserted itself in the TCP-IP stack..."

 

 

Combofix took longer to run this time--well over half an hour.  This may be because it was run in normal mode instead of Safe Mode.  Got the expired version/reduced functionality message again using the same copy I ran last time.  Downloaded a fresh copy and the message returned.  After confirming that I really did have the latest version I ran the fresh copy a second time and the message didn't reappear.  Of course I was prompted to restart along the way so ZeroAccess could be killed one more time.  Bitdefender remains disabled despite what Combofix reports.

 

I still have a complete desktop.  Might this new infection be a FP?  According to WOT I haven't surfed to any questionable sites.  Ran MBAM before the Combofix scan and it found nothing--as usual.

 

The only recent change I've seen is in the EMET GUI.  In the Running Processess list there is now a green check mark next to Windows Explorer indicating that it is now Running EMET.  I didn't see this check mark a couple of days ago and I didn't make any changes that would put it there.

 

You'll find the latest Combofix log pasted below.  I'll follow-up with my Event Viewer homework in a separate post.

 

 

ComboFix 17-05-16.01 - dean 06/11/2017  18:35:01.4.1 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.759.562 [GMT -5:00]
Running from: c:\documents and settings\dean\Desktop\ComboFix.exe
AV: Bitdefender Antivirus Free Edition *Enabled/Updated* {9488E0FA-F058-4673-850E-E755F112BABC}
FW:  *Enabled* {9488E0FA-F058-4673-850E-E755F112BABC}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\drivers\i8042prt.sys . . . is missing!!
.
.
(((((((((((((((((((((((((   Files Created from 2017-05-11 to 2017-06-11  )))))))))))))))))))))))))))))))
.
.
2017-06-09 04:18 . 2017-06-09 04:18    --------    d-----w-    c:\documents and settings\dean\Local Settings\Application Data\ESET
2017-06-09 01:15 . 2017-06-09 01:15    --------    d-----w-    c:\program files\Common Files\Java
2017-06-09 01:15 . 2017-06-09 01:15    --------    d-----w-    c:\documents and settings\NetworkService\Local Settings\Application Data\Sun
2017-06-08 23:25 . 2017-06-08 23:25    --------    d-----w-    C:\RegBackup
2017-06-08 22:21 . 2017-06-08 22:21    --------    d-----w-    c:\program files\Tweaking.com
2017-06-08 22:05 . 2017-06-08 22:06    32412640    ----a-w-    c:\program files\tweaking.com_windows_repair_aio_setup.exe
2017-05-25 03:48 . 2017-06-09 22:29    --------    d-----w-    c:\program files\Farbar
2017-05-25 01:51 . 2017-06-08 11:54    --------    d-----w-    C:\FRST
2017-05-24 22:59 . 2017-05-24 22:59    --------    d-----w-    c:\program files\MS Safety Scanner
2017-05-24 20:21 . 2015-09-14 18:03    38520    ----a-w-    c:\windows\system32\drivers\DasPtct.SYS
2017-05-24 20:19 . 2017-05-24 20:19    --------    d-----w-    c:\program files\Panda Security
2017-05-24 18:00 . 2017-05-24 18:00    --------    d-----w-    c:\documents and settings\All Users\Application Data\Malwarebytes Anti-Exploit
2017-05-24 18:00 . 2017-05-24 23:00    --------    d-----w-    c:\program files\Malwarebytes Anti-Exploit
2017-05-24 13:35 . 2017-05-24 13:35    --------    d-----w-    c:\program files\CPUID
2017-05-24 02:24 . 2017-05-24 02:24    242504    ----a-w-    c:\windows\system32\drivers\avchv.sys
2017-05-23 17:24 . 2017-05-23 17:24    --------    d-----w-    c:\windows\system32\wbem\Repository
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2017-06-09 02:25 . 2012-04-05 21:42    803320    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2017-06-09 02:25 . 2011-05-20 15:47    144888    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2017-06-09 01:14 . 2014-10-19 16:33    95808    ----a-w-    c:\windows\system32\WindowsAccessBridge.dll
2017-06-09 01:13 . 2016-03-06 05:48    160256    ----a-w-    c:\windows\system32\javacpl.cpl
2016-10-06 01:26 . 2016-10-06 01:25    48013312    ----a-w-    c:\program files\AdbeRdrUpd11017.msp
2016-09-19 20:11 . 2016-09-19 20:11    10056744    ----a-w-    c:\program files\Antivirus_Free_Edition_x86.exe
2016-09-19 19:15 . 2016-09-19 19:10    196944    ----a-w-    c:\program files\Antivirus_Free_Edition.exe
2016-09-19 14:39 . 2016-09-19 14:39    146112    ----a-w-    c:\program files\regscanner_setup.exe
2016-09-07 21:08 . 2016-09-07 21:08    473291    ----a-w-    c:\program files\Everything-1.3.4.686.x86-Setup.exe
2016-09-05 18:54 . 2016-09-05 18:54    1718016    ----a-w-    c:\program files\cpu-z_1.77-en.exe
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Malwarebytes Anti-Exploit"="c:\program files\Malwarebytes Anti-Exploit\mbae.exe" [2017-05-12 2650576]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-10-19 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-10-19 126976]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 122880]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2015-12-17 1085656]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil32_23_0_0_207_pepper.exe" [2016-11-13 1224896]
.
c:\documents and settings\steveo\Start Menu\Programs\Startup\
OpenOffice.org 3.2.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-5-20 1195008]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\NavLogon]
 [BU]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\BITS]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\msiserver]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SharedAccess]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\swprv]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vss]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2013-09-14 01:51    59720    ----a-w-    c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CCleaner Monitoring]
2016-08-26 19:23    6868696    ----a-w-    c:\program files\CCleaner\CCleaner.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
c:\program files\QuickTime\QTTask.exe [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Qwest Personal Digital Vault]
2009-12-18 18:58    1064808    ----a-w-    c:\program files\Qwest Personal Digital Vault\QwestPersonalDigitalVault.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QwestTouchPointAgent]
2010-07-06 19:14    45992    ----a-w-    c:\program files\Qwest\Desktop\QwestTouchPointAgent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2017-03-15 07:43    587288    ----a-w-    c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"iPod Service"=3 (0x3)
"gusvc"=3 (0x3)
"Bonjour Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Documents and Settings\\steveo\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
.
R0 avc3;avc3;c:\windows\system32\drivers\avc3.sys [11/11/2016 1:14 AM 633344]
R1 ESProtectionDriver;Malwarebytes Anti-Exploit;c:\program files\Malwarebytes Anti-Exploit\mbae.sys [5/24/2017 1:00 PM 59872]
R1 gzflt;gzflt;c:\windows\system32\drivers\gzflt.sys [9/19/2016 3:27 PM 164952]
R2 MbaeSvc;Malwarebytes Anti-Exploit Service;c:\program files\Malwarebytes Anti-Exploit\mbae-svc.exe [5/24/2017 1:00 PM 155088]
R2 sprtlisten;SupportSoft Listener Service;c:\program files\Common Files\supportsoft\bin\sprtlisten.exe [1/8/2008 12:02 PM 1213728]
R2 sprtsvc_quickcare;SupportSoft Sprocket Service (quickcare);c:\program files\Qwest\Quickcare\bin\sprtsvc.exe [8/22/2010 10:13 AM 206120]
R2 tgsrvc_quickcare;SupportSoft Repair Service (quickcare);c:\program files\Qwest\Quickcare\bin\tgsrvc.exe [8/22/2010 10:13 AM 185640]
S0 cerc6;cerc6; [x]
S3 avckf;avckf;c:\windows\system32\drivers\avckf.sys [9/19/2016 3:29 PM 486536]
S3 BCM42XX;Broadcom iLine10™ Network Adapter Driver;c:\windows\system32\drivers\bcm42xx5.sys [8/21/2010 10:43 PM 54271]
S3 BCM44X2;BCM 10/100 Ethernet Network Adapter Driver;c:\windows\system32\drivers\BCM4E5.SYS [8/21/2010 10:39 PM 26568]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [3/29/2012 11:01 PM 20464]
S4 EMET_Service;Microsoft EMET Service;c:\program files\EMET 5.0\EMET_Service.exe [7/30/2014 8:11 PM 31880]
S4 gzserv;Bitdefender Antivirus Free Edition;c:\program files\Bitdefender\Antivirus Free Edition\gzserv.exe [9/19/2016 3:29 PM 67592]
S4 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [3/29/2012 11:01 PM 652360]
.
Contents of the 'Scheduled Tasks' folder
.
2017-06-11 c:\windows\Tasks\Adobe Flash Player PPAPI Notifier.job
- c:\windows\system32\Macromed\Flash\FlashUtil32_23_0_0_207_pepper.exe [2016-11-13 14:47]
.
2017-06-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-57989841-179605362-1644491937-1003Core.job
- c:\documents and settings\steveo\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-10-19 16:08]
.
2017-06-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-57989841-179605362-1644491937-1003UA.job
- c:\documents and settings\steveo\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-10-19 16:08]
.
2017-05-02 c:\windows\Tasks\jucheck.job
- c:\program files\Common Files\Java\Java Update\jucheck.exe [2017-03-15 07:42]
.
2017-06-11 c:\windows\Tasks\Microsoft Windows XP End of Service Notification Logon.job
- c:\windows\system32\xp_eos.exe [2014-03-26 01:59]
.
2017-06-08 c:\windows\Tasks\Microsoft Windows XP End of Service Notification Monthly.job
- c:\windows\system32\xp_eos.exe [2014-03-26 01:59]
.
2017-06-11 c:\windows\Tasks\Opera scheduled Autoupdate 1470936737.job
- c:\program files\Opera\launcher.exe [2016-08-11 12:29]
.
2017-06-11 c:\windows\Tasks\Tweaking.com - Windows Repair Tray Icon.job
- c:\program files\Tweaking.com\Windows Repair (All in One)\WR_Tray_Icon.exe [2015-03-11 00:54]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://qwest.live.com
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
TCP: DhcpNameServer = 192.168.0.1 205.171.3.25
FF - ProfilePath - c:\documents and settings\dean\Application Data\Mozilla\Firefox\Profiles\al7xekgi.default\
FF - prefs.js: browser.search.selectedEngine - DuckDuckGo
FF - ExtSQL: !HIDDEN! 2010-08-26 03:11; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
.
- - - - ORPHANS REMOVED - - - -
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe  /startup
SafeBoot-AppXSvc
SafeBoot-ClipSvc
SafeBoot-TweakingRemoveSafeBoot
SafeBoot-WSService
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2017-06-11 18:44
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ...
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,40,80,9b,c7,f1,79,48,41,99,13,0c,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,40,80,9b,c7,f1,79,48,41,99,13,0c,\
.
Completion time: 2017-06-11  18:46:43
ComboFix-quarantined-files.txt  2017-06-11 23:46
ComboFix2.txt  2017-05-31 16:48
ComboFix3.txt  2012-03-30 13:10
.
Pre-Run: 58,157,535,232 bytes free
Post-Run: 58,179,149,824 bytes free
.
- - End Of File - - A88A3D6F4E6C6AC3AED40F6AE25A4223
8F558EB6672622401DA993E1E865C861
 


Edited by Lamont_Cranston, 11 June 2017 - 07:38 PM.

  • 0

#34
Lamont_Cranston

Lamont_Cranston

    Member

  • Topic Starter
  • Member
  • PipPip
  • 36 posts

Opened the Services window and followed your instructions to change the EMET Startup Type from Disabled to Automatic.  Didn't get an error message.  Started the service and its Status did change to Started.  When I launched the EMET GUI I didn't see the Warning message, but the EMET icon didn't appear in the tray.  After a reboot the icon showed up right where its supposed to be.  :)

 

EMET and MBAE appear to be playing nicely with each other.

 

While I had Services open I tried the same thing with Bitdefender.  Got an Access is denied message when i hit the Apply button.

 

 

 

The VEW Output logs are pasted below:

 

 

Vino's Event Viewer v01c run on Windows XP in English
Report run at 12/06/2017 8:23:44 PM

Note: All dates below are in the format dd/mm/yyyy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 11/06/2017 1:18:17 PM
Type: error Category: 0
Event: 1002 Source: Dhcp
The IP address lease 192.168.0.2 for the Network Card with network address 000BDBBF2B86 has been denied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message).

Log: 'System' Date/Time: 10/06/2017 6:17:20 PM
Type: error Category: 0
Event: 1002 Source: Dhcp
The IP address lease 192.168.0.2 for the Network Card with network address 000BDBBF2B86 has been denied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message).

Log: 'System' Date/Time: 08/06/2017 11:05:04 PM
Type: error Category: 0
Event: 10005 Source: DCOM
DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Log: 'System' Date/Time: 08/06/2017 10:51:24 PM
Type: error Category: 0
Event: 7000 Source: Service Control Manager
The Tweaking Run As System 0002 service failed to start due to the following error:  The service did not respond to the start or control request in a timely fashion.  

Log: 'System' Date/Time: 08/06/2017 10:51:24 PM
Type: error Category: 0
Event: 7009 Source: Service Control Manager
Timeout (30000 milliseconds) waiting for the Tweaking Run As System 0002 service to connect.

Log: 'System' Date/Time: 08/06/2017 10:51:18 PM
Type: error Category: 0
Event: 7000 Source: Service Control Manager
The Tweaking Run As System 0001 service failed to start due to the following error:  The service did not respond to the start or control request in a timely fashion.  

Log: 'System' Date/Time: 08/06/2017 10:51:18 PM
Type: error Category: 0
Event: 7009 Source: Service Control Manager
Timeout (30000 milliseconds) waiting for the Tweaking Run As System 0001 service to connect.

Log: 'System' Date/Time: 08/06/2017 10:49:23 PM
Type: error Category: 0
Event: 7026 Source: Service Control Manager
The following boot-start or system-start driver(s) failed to load:  avc3 bdftdif bdselfpr ESProtectionDriver Fips gzflt intelppm trufos

Log: 'System' Date/Time: 08/06/2017 10:48:23 PM
Type: error Category: 0
Event: 10005 Source: DCOM
DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Log: 'System' Date/Time: 08/06/2017 10:36:51 PM
Type: error Category: 0
Event: 10005 Source: DCOM
DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Log: 'System' Date/Time: 08/06/2017 10:22:38 PM
Type: error Category: 0
Event: 7000 Source: Service Control Manager
The Tweaking Run As System 0002 service failed to start due to the following error:  The service did not respond to the start or control request in a timely fashion.  

Log: 'System' Date/Time: 08/06/2017 10:22:38 PM
Type: error Category: 0
Event: 7009 Source: Service Control Manager
Timeout (30000 milliseconds) waiting for the Tweaking Run As System 0002 service to connect.

Log: 'System' Date/Time: 08/06/2017 10:22:29 PM
Type: error Category: 0
Event: 7000 Source: Service Control Manager
The Tweaking Run As System 0001 service failed to start due to the following error:  The service did not respond to the start or control request in a timely fashion.  

Log: 'System' Date/Time: 08/06/2017 10:22:29 PM
Type: error Category: 0
Event: 7009 Source: Service Control Manager
Timeout (30000 milliseconds) waiting for the Tweaking Run As System 0001 service to connect.

Log: 'System' Date/Time: 08/06/2017 10:15:21 PM
Type: error Category: 0
Event: 7026 Source: Service Control Manager
The following boot-start or system-start driver(s) failed to load:  avc3 bdftdif bdselfpr ESProtectionDriver Fips gzflt intelppm trufos

Log: 'System' Date/Time: 08/06/2017 10:14:08 PM
Type: error Category: 0
Event: 10005 Source: DCOM
DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Log: 'System' Date/Time: 08/06/2017 5:40:29 PM
Type: error Category: 0
Event: 10005 Source: DCOM
DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Log: 'System' Date/Time: 08/06/2017 5:28:57 PM
Type: error Category: 0
Event: 7026 Source: Service Control Manager
The following boot-start or system-start driver(s) failed to load:  avc3 bdftdif bdselfpr ESProtectionDriver Fips gzflt intelppm trufos

Log: 'System' Date/Time: 08/06/2017 5:27:45 PM
Type: error Category: 0
Event: 10005 Source: DCOM
DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Log: 'System' Date/Time: 08/06/2017 5:27:17 PM
Type: error Category: 0
Event: 1002 Source: Dhcp
The IP address lease 192.168.0.2 for the Network Card with network address 000BDBBF2B86 has been denied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message).

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - warning Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 10/06/2017 6:17:01 PM
Type: warning Category: 0
Event: 1003 Source: Dhcp
Your computer was not able to renew its address from the network (from the DHCP Server) for the Network Card with network address 000BDBBF2B86.  The following error occurred:  The operation was canceled by the user. . Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.

Log: 'System' Date/Time: 10/06/2017 6:16:59 PM
Type: warning Category: 0
Event: 4 Source: bcm4sbxp
Broadcom 440x 10/100 Integrated Controller: The network link is down.  Check to make sure the network cable is properly connected.

Log: 'System' Date/Time: 10/06/2017 6:16:31 PM
Type: warning Category: 0
Event: 4 Source: bcm4sbxp
Broadcom 440x 10/100 Integrated Controller: The network link is down.  Check to make sure the network cable is properly connected.

 

 

Vino's Event Viewer v01c run on Windows XP in English
Report run at 12/06/2017 8:31:07 PM

Note: All dates below are in the format dd/mm/yyyy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'Application' Date/Time: 08/06/2017 8:39:11 PM
Type: error Category: 0
Event: 1000 Source: Application Error
Faulting application plugin-container.exe, version 52.1.2.6346, faulting module unknown, version 0.0.0.0, fault address 0x00000000.

Log: 'Application' Date/Time: 08/06/2017 5:21:40 PM
Type: error Category: 0
Event: 1000 Source: Application Error
Faulting application repair_windows.exe, version 3.9.0.33, faulting module gdi32.dll, version 5.1.2600.6460, fault address 0x0000ef4b.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - warning Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 


Edited by Lamont_Cranston, 12 June 2017 - 08:45 PM.

  • 0

#35
RKinner

RKinner

    Malware Expert

  • Expert
  • 19,624 posts
  • MVP
While I had Services open I tried the same thing with Bitdefender.  Got an Access is denied message when i hit the Apply button.

 

 

So BitDefender is not set to Automatic?

 

Run or Search for

regedit

 

and hit Enter.

 

Navigate to:

 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services

 

you will see a long list of services and drivers.  Find the Bitdefender one and click on it then look in the right pane.  There should be a Start:  What is it set to?  I don't have bitdefender but my Avast servies are all set to 2.  It probably won't let you change it (double click on Start and a window should pop up where you can change it but I expect you will get an error when you hit OK.  If that's the case you need to take ownership of the key and change the permissions:

 

https://www.maketech...-registry-keys/

 

(I am not recommending the program at the end of the article just the manual method.)


  • 0

#36
Lamont_Cranston

Lamont_Cranston

    Member

  • Topic Starter
  • Member
  • PipPip
  • 36 posts

Had a run of hard luck, wouldn't seem to end...

 

Now that I finally got my car into a shop I can get back to the PC issues.

 

Latest problem was svchost consuming 100% cpu.  Went to Safe Mode and downloaded the MS Safety Scanner again; ran it in regular mode.  The scan took 14.5 hours to complete.  It didn't find any malware, but the Microsoft Update icon appeared in the tray at least 3 times toward the end of the scan.  Acting on this clue, I turned off Automatic Updates, rebooted, and the problem went away.

 

Re your recommendations from post #35, I looked in the registry and found two Bitdefender services.  I guessed one was for the AV and the other for updates.  Changed the Start value from 1 to 2 in both with no error message.  Rebooted. 

 

Bitdefender didn't start with Windows, which I half expected. 

 

What I didn't expect was that MBAE didn't start either.  When I changed the Bitdefender values back to 1 MBAE started normally.  I was aware of potential conflicts between EMET and MBAE, but overlooked the possibility of a conflict between Bitdefender and MBAE.  I don't know if there's a way around this or not.

 

Another thing I noticed recently is that I no longer have Bitdefender and MBAM menu options when I right click on a file.  I checked and made sure this feature was enabled in the MBAM UI.  Prior to the infection I'd been using those options to scan almost all downloads.

 

The only other item of note is that I've updated Firefox.  Based on past experience, I usually wait for an update of the update to make sure I'm getting something useful.  In this case I checked the changelog after the third nag and learned the version I'd been using had an unusually long list of serious security vulnerabilities, so I updated immediately.


  • 0

#37
RKinner

RKinner

    Malware Expert

  • Expert
  • 19,624 posts
  • MVP

I would leave Automatic Updates turned off.  MS has shut down the servers that it looks for so not surprising that it hangs.

1 means it loads fairly early in the boot process before the automatic services.  Probably normal for BitDefender.

 

That you can change the values means that the registry values are not locked so the problem may be the files.

 

R1 gzflt;gzflt;c:\windows\system32\drivers\gzflt.sys [9/19/2016 3:27 PM 164952]

S4 gzserv;Bitdefender Antivirus Free Edition;c:\program files\Bitdefender\Antivirus Free Edition\gzserv.exe [9/19/2016 3:29 PM 67592]

 

Please download GrantPerms.zip 

and save it to your desktop.
Unzip the file and depending on the system run GrantPerms.exe or GrantPerms64.exe
Copy and paste the following in the edit box:
 
 
c:\windows\system32\drivers\gzflt.sys
 
Click Unlock. When it is done click "OK".
Click List Permissions and post the result (Perms.txt) that pops up. A copy of Perms.txt will be saved in the same directory the tool is run.
 
Repeat for:
 
c:\program files\Bitdefender\Antivirus Free Edition\gzserv.exe
 
I would run Combofix  again.  Does it still give you the infected with ZA message?

  • 0

#38
Lamont_Cranston

Lamont_Cranston

    Member

  • Topic Starter
  • Member
  • PipPip
  • 36 posts

Here are the GrantPerms results:

 

 

GrantPerms by Farbar
Ran by dean (administrator) at 2017-06-18 16:49:54

===============================================
\\?\c:\windows\system32\drivers\gzflt.sys

   Owner: BUILTIN\Administrators

   DACL(NP)(AI):
         BUILTIN\Administrators   FULL   ALLOW   (I)
   NT AUTHORITY\SYSTEM   FULL   ALLOW   (I)
   BUILTIN\Users   READ/EXECUTE   ALLOW   (I)
   BUILTIN\Power Users   READ/EXECUTE   ALLOW   (I)

 

 

GrantPerms by Farbar
Ran by dean (administrator) at 2017-06-18 16:54:11

===============================================
\\?\c:\program files\Bitdefender\Antivirus Free Edition\gzserv.exe

   Owner: BUILTIN\Administrators

   DACL(NP)(AI):
         BUILTIN\Administrators   FULL   ALLOW   (I)
   NT AUTHORITY\SYSTEM   FULL   ALLOW   (I)
   BUILTIN\Users   READ/EXECUTE   ALLOW   (I)
   BUILTIN\Power Users   change   ALLOW   (I)


Combofix log to follow...


 


  • 0

#39
Lamont_Cranston

Lamont_Cranston

    Member

  • Topic Starter
  • Member
  • PipPip
  • 36 posts

Firefox crashed right after my last post.  Decided to reboot before running ComboFix.  Was prompted to update to the latest version and I did so.  While the scan was running I stepped away from my PC for a few minutes.  Upon returning I was informed that "ComboFix has detected the presence of rootkit activity and needs to reboot the machine."

 

After rebooting the scan seemed to start again from scratch.  Here is the log:

 

 

ComboFix 17-05-16.14 - dean 06/18/2017  17:27:58.5.1 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.759.542 [GMT -5:00]
Running from: c:\documents and settings\dean\Desktop\ComboFix.exe
AV: Bitdefender Antivirus Free Edition *Enabled/Updated* {9488E0FA-F058-4673-850E-E755F112BABC}
FW:  *Enabled* {9488E0FA-F058-4673-850E-E755F112BABC}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\drivers\i8042prt.sys . . . is missing!!
.
.
(((((((((((((((((((((((((   Files Created from 2017-05-18 to 2017-06-18  )))))))))))))))))))))))))))))))
.
.
2017-06-09 04:18 . 2017-06-09 04:18    --------    d-----w-    c:\documents and settings\dean\Local Settings\Application Data\ESET
2017-06-09 01:15 . 2017-06-09 01:15    --------    d-----w-    c:\program files\Common Files\Java
2017-06-09 01:15 . 2017-06-09 01:15    --------    d-----w-    c:\documents and settings\NetworkService\Local Settings\Application Data\Sun
2017-06-08 23:25 . 2017-06-08 23:25    --------    d-----w-    C:\RegBackup
2017-06-08 22:21 . 2017-06-08 22:21    --------    d-----w-    c:\program files\Tweaking.com
2017-06-08 22:05 . 2017-06-08 22:06    32412640    ----a-w-    c:\program files\tweaking.com_windows_repair_aio_setup.exe
2017-06-04 04:38 . 2017-06-04 04:38    17404160    ----a-w-    c:\program files\Common Files\Microsoft Shared\OFFICE12\MSO.DLL
2017-05-25 03:48 . 2017-06-13 01:31    --------    d-----w-    c:\program files\Farbar
2017-05-25 01:51 . 2017-06-08 11:54    --------    d-----w-    C:\FRST
2017-05-24 22:59 . 2017-06-17 12:57    --------    d-----w-    c:\program files\MS Safety Scanner
2017-05-24 20:21 . 2015-09-14 18:03    38520    ----a-w-    c:\windows\system32\drivers\DasPtct.SYS
2017-05-24 20:19 . 2017-05-24 20:19    --------    d-----w-    c:\program files\Panda Security
2017-05-24 18:00 . 2017-06-14 04:20    --------    d-----w-    c:\documents and settings\All Users\Application Data\Malwarebytes Anti-Exploit
2017-05-24 18:00 . 2017-05-24 23:00    --------    d-----w-    c:\program files\Malwarebytes Anti-Exploit
2017-05-24 17:18 . 2017-06-16 17:56    51852232    ----a-w-    c:\program files\Mozilla Firefox\xul.dll
2017-05-24 13:35 . 2017-05-24 13:35    --------    d-----w-    c:\program files\CPUID
2017-05-24 02:24 . 2017-05-24 02:24    242504    ----a-w-    c:\windows\system32\drivers\avchv.sys
2017-05-23 17:24 . 2017-05-23 17:24    --------    d-----w-    c:\windows\system32\wbem\Repository
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2017-06-09 02:25 . 2012-04-05 21:42    803320    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2017-06-09 02:25 . 2011-05-20 15:47    144888    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
2017-06-09 01:14 . 2014-10-19 16:33    95808    ----a-w-    c:\windows\system32\WindowsAccessBridge.dll
2017-06-09 01:13 . 2016-03-06 05:48    160256    ----a-w-    c:\windows\system32\javacpl.cpl
2016-10-06 01:26 . 2016-10-06 01:25    48013312    ----a-w-    c:\program files\AdbeRdrUpd11017.msp
2016-09-19 20:11 . 2016-09-19 20:11    10056744    ----a-w-    c:\program files\Antivirus_Free_Edition_x86.exe
2016-09-19 19:15 . 2016-09-19 19:10    196944    ----a-w-    c:\program files\Antivirus_Free_Edition.exe
2016-09-19 14:39 . 2016-09-19 14:39    146112    ----a-w-    c:\program files\regscanner_setup.exe
2016-09-07 21:08 . 2016-09-07 21:08    473291    ----a-w-    c:\program files\Everything-1.3.4.686.x86-Setup.exe
2016-09-05 18:54 . 2016-09-05 18:54    1718016    ----a-w-    c:\program files\cpu-z_1.77-en.exe
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Malwarebytes Anti-Exploit"="c:\program files\Malwarebytes Anti-Exploit\mbae.exe" [2017-05-12 2650576]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-10-19 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-10-19 126976]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 122880]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2015-12-17 1085656]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil32_23_0_0_207_pepper.exe" [2016-11-13 1224896]
.
c:\documents and settings\steveo\Start Menu\Programs\Startup\
OpenOffice.org 3.2.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-5-20 1195008]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\NavLogon]
 [BU]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\BITS]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\msiserver]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SharedAccess]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\swprv]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vss]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2013-09-14 01:51    59720    ----a-w-    c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CCleaner Monitoring]
2016-08-26 19:23    6868696    ----a-w-    c:\program files\CCleaner\CCleaner.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
c:\program files\QuickTime\QTTask.exe [BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Qwest Personal Digital Vault]
2009-12-18 18:58    1064808    ----a-w-    c:\program files\Qwest Personal Digital Vault\QwestPersonalDigitalVault.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QwestTouchPointAgent]
2010-07-06 19:14    45992    ----a-w-    c:\program files\Qwest\Desktop\QwestTouchPointAgent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2017-03-15 07:43    587288    ----a-w-    c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"iPod Service"=3 (0x3)
"gusvc"=3 (0x3)
"Bonjour Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Documents and Settings\\steveo\\Local Settings\\Application Data\\Google\\Chrome\\Application\\chrome.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
.
R0 avc3;avc3;c:\windows\system32\drivers\avc3.sys [11/11/2016 1:14 AM 633344]
R1 ESProtectionDriver;Malwarebytes Anti-Exploit;c:\program files\Malwarebytes Anti-Exploit\mbae.sys [5/24/2017 1:00 PM 59872]
R1 gzflt;gzflt;c:\windows\system32\drivers\gzflt.sys [9/19/2016 3:27 PM 164952]
R2 EMET_Service;Microsoft EMET Service;c:\program files\EMET 5.0\EMET_Service.exe [7/30/2014 8:11 PM 31880]
R2 MbaeSvc;Malwarebytes Anti-Exploit Service;c:\program files\Malwarebytes Anti-Exploit\mbae-svc.exe [5/24/2017 1:00 PM 155088]
R2 sprtlisten;SupportSoft Listener Service;c:\program files\Common Files\supportsoft\bin\sprtlisten.exe [1/8/2008 12:02 PM 1213728]
R2 sprtsvc_quickcare;SupportSoft Sprocket Service (quickcare);c:\program files\Qwest\Quickcare\bin\sprtsvc.exe [8/22/2010 10:13 AM 206120]
R2 tgsrvc_quickcare;SupportSoft Repair Service (quickcare);c:\program files\Qwest\Quickcare\bin\tgsrvc.exe [8/22/2010 10:13 AM 185640]
S0 cerc6;cerc6; [x]
S3 avckf;avckf;c:\windows\system32\drivers\avckf.sys [9/19/2016 3:29 PM 486536]
S3 BCM42XX;Broadcom iLine10™ Network Adapter Driver;c:\windows\system32\drivers\bcm42xx5.sys [8/21/2010 10:43 PM 54271]
S3 BCM44X2;BCM 10/100 Ethernet Network Adapter Driver;c:\windows\system32\drivers\BCM4E5.SYS [8/21/2010 10:39 PM 26568]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [3/29/2012 11:01 PM 20464]
S4 gzserv;Bitdefender Antivirus Free Edition;c:\program files\Bitdefender\Antivirus Free Edition\gzserv.exe [9/19/2016 3:29 PM 67592]
S4 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [3/29/2012 11:01 PM 652360]
.
Contents of the 'Scheduled Tasks' folder
.
2017-06-18 c:\windows\Tasks\Adobe Flash Player PPAPI Notifier.job
- c:\windows\system32\Macromed\Flash\FlashUtil32_23_0_0_207_pepper.exe [2016-11-13 14:47]
.
2017-06-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-57989841-179605362-1644491937-1003Core.job
- c:\documents and settings\steveo\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-10-19 16:08]
.
2017-06-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-57989841-179605362-1644491937-1003UA.job
- c:\documents and settings\steveo\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-10-19 16:08]
.
2017-05-02 c:\windows\Tasks\jucheck.job
- c:\program files\Common Files\Java\Java Update\jucheck.exe [2017-03-15 07:42]
.
2017-06-18 c:\windows\Tasks\Microsoft Windows XP End of Service Notification Logon.job
- c:\windows\system32\xp_eos.exe [2014-03-26 01:59]
.
2017-06-08 c:\windows\Tasks\Microsoft Windows XP End of Service Notification Monthly.job
- c:\windows\system32\xp_eos.exe [2014-03-26 01:59]
.
2017-06-18 c:\windows\Tasks\Opera scheduled Autoupdate 1470936737.job
- c:\program files\Opera\launcher.exe [2016-08-11 12:29]
.
2017-06-18 c:\windows\Tasks\Tweaking.com - Windows Repair Tray Icon.job
- c:\program files\Tweaking.com\Windows Repair (All in One)\WR_Tray_Icon.exe [2015-03-11 00:54]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://qwest.live.com
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
TCP: DhcpNameServer = 192.168.0.1 205.171.3.25
FF - ProfilePath - c:\documents and settings\dean\Application Data\Mozilla\Firefox\Profiles\al7xekgi.default\
FF - prefs.js: browser.search.selectedEngine - DuckDuckGo
FF - ExtSQL: !HIDDEN! 2010-08-26 03:11; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2017-06-18 17:37
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ...
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,40,80,9b,c7,f1,79,48,41,99,13,0c,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
   d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,40,80,9b,c7,f1,79,48,41,99,13,0c,\
.
Completion time: 2017-06-18  17:40:29
ComboFix-quarantined-files.txt  2017-06-18 22:40
ComboFix2.txt  2017-06-11 23:46
ComboFix3.txt  2017-05-31 16:48
ComboFix4.txt  2012-03-30 13:10
.
Pre-Run: 57,303,388,160 bytes free
Post-Run: 57,320,079,360 bytes free
.
- - End Of File - - 8C26A4F85A6A56AD8E4DA038FBF621D3
8F558EB6672622401DA993E1E865C861
 

 

Almost forgot: when I right clicked on the GrantPerms file to unzip it to my desktop the Scan with MBAM option was available in the menu.  I did double check this while drafting post #36.  Strange that it came back on its own.


  • 0

#40
Lamont_Cranston

Lamont_Cranston

    Member

  • Topic Starter
  • Member
  • PipPip
  • 36 posts

After using my PC for a few days I decided to run TDSSKIller and aswMBR again to compare scan results with ComboFix.  This time I ran both in normal mode and allowed aswMBR to download the latest avast virus definition database.

 

The most recent version of TDSSKiller was released in April and it didn't detect any threats.  The aswMBR scan took over a half hour to complete and spent several minutes on the ESET online scanner file.  While it was running I also noticed 2 Bitdefender AV files highlighted in yellow.  I didn't disable MBAE or close Firefox before starting the scan as there was no instruction to do so.  Upon completion of the scan the Fix button was not enabled.  I saved the log file and can post it if you'd like.

 

I find it puzzling that ComboFix is the only tool that has found rootkit activity on my machine.  I'm at the point now where its hard to avoid using passwords or entering card numbers for purchases.  I'll keep searching for a way to enable Bitdefender so that it can work with MBAE.


  • 0

Advertisements


#41
RKinner

RKinner

    Malware Expert

  • Expert
  • 19,624 posts
  • MVP

Please post the aswmbr and TDSSKiller logs.  

 

Does Combofix still find evidence of zero access?


  • 0

#42
Lamont_Cranston

Lamont_Cranston

    Member

  • Topic Starter
  • Member
  • PipPip
  • 36 posts

Here's the TDSS Killer log:

 

 

11:38:07.0234 0x0f6c  TDSS rootkit removing tool 3.1.0.15 Apr 18 2017 11:34:02
11:38:13.0140 0x0f6c  ============================================================
11:38:13.0140 0x0f6c  Current date / time: 2017/06/25 11:38:13.0140
11:38:13.0140 0x0f6c  SystemInfo:
11:38:13.0140 0x0f6c  
11:38:13.0140 0x0f6c  OS Version: 5.1.2600 ServicePack: 3.0
11:38:13.0140 0x0f6c  Product type: Workstation
11:38:13.0140 0x0f6c  ComputerName: BADDABING
11:38:13.0140 0x0f6c  UserName: dean
11:38:13.0140 0x0f6c  Windows directory: C:\WINDOWS
11:38:13.0140 0x0f6c  System windows directory: C:\WINDOWS
11:38:13.0140 0x0f6c  Processor architecture: Intel x86
11:38:13.0140 0x0f6c  Number of processors: 1
11:38:13.0140 0x0f6c  Page size: 0x1000
11:38:13.0140 0x0f6c  Boot type: Normal boot
11:38:13.0140 0x0f6c  ============================================================
11:38:15.0578 0x0f6c  KLMD registered as C:\WINDOWS\system32\drivers\50619420.sys
11:38:15.0578 0x0f6c  KLMD ARK init status: drvProperties = 0xFFF00, osBuild = 2600.6419, osProperties = 0x0
11:38:15.0875 0x0f6c  System UUID: {8BE41F93-6EA6-B673-4168-522EDE6D4AA9}
11:38:17.0125 0x0f6c  Drive \Device\Harddisk0\DR0 - Size: 0x12A05F2000 ( 74.51 Gb ), SectorSize: 0x200, Cylinders: 0x25FE, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
11:38:17.0125 0x0f6c  ============================================================
11:38:17.0125 0x0f6c  \Device\Harddisk0\DR0:
11:38:17.0125 0x0f6c  MBR partitions:
11:38:17.0125 0x0f6c  \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0xFB04, BlocksNum 0x94EEEB9
11:38:17.0125 0x0f6c  ============================================================
11:38:17.0156 0x0f6c  C: <-> \Device\Harddisk0\DR0\Partition1
11:38:17.0156 0x0f6c  ============================================================
11:38:17.0156 0x0f6c  Initialize success
11:38:17.0156 0x0f6c  ============================================================
11:39:42.0468 0x0f3c  ============================================================
11:39:42.0468 0x0f3c  Scan started
11:39:42.0468 0x0f3c  Mode: Manual;
11:39:42.0468 0x0f3c  ============================================================
11:39:42.0468 0x0f3c  KSN ping started
11:39:45.0140 0x0f3c  KSN ping finished: true
11:39:45.0796 0x0f3c  ================ Scan system memory ========================
11:39:45.0796 0x0f3c  System memory - ok
11:39:45.0812 0x0f3c  ================ Scan services =============================
11:39:46.0015 0x0f3c  Abiosdsk - ok
11:39:46.0031 0x0f3c  abp480n5 - ok
11:39:46.0140 0x0f3c  [ 8FD99680A539792A30E97944FDAECF17, 594F8E0C3695400B0C09A797AF6BDFAC6F750ECD67D0EE803914C572B1DCC43C ] ACPI            C:\WINDOWS\system32\DRIVERS\ACPI.sys
11:39:46.0156 0x0f3c  ACPI - ok
11:39:46.0265 0x0f3c  [ 9859C0F6936E723E4892D7141B1327D5, 5E8F6A2FC4DF2E5E92A1D66ECC2810E08B42B64E9CD0DF4AD3F78EA8558B90AF ] ACPIEC          C:\WINDOWS\system32\drivers\ACPIEC.sys
11:39:46.0265 0x0f3c  ACPIEC - ok
11:39:46.0281 0x0f3c  adpu160m - ok
11:39:46.0375 0x0f3c  [ 8BED39E3C35D6A489438B8141717A557, 1B5796E56B0927360CE0759641B1151828BC0A9E45620D2B2D880491F5CE33D0 ] aec             C:\WINDOWS\system32\drivers\aec.sys
11:39:46.0375 0x0f3c  aec - ok
11:39:46.0453 0x0f3c  [ 1E44BC1E83D8FD2305F8D452DB109CF9, CF5EC07E0B589FA2A4701C6CFD69E893FC3ABF274AD57AE3C13FFE49063B02C8 ] AFD             C:\WINDOWS\System32\drivers\afd.sys
11:39:46.0453 0x0f3c  AFD - ok
11:39:46.0484 0x0f3c  Aha154x - ok
11:39:46.0515 0x0f3c  aic78u2 - ok
11:39:46.0546 0x0f3c  aic78xx - ok
11:39:46.0609 0x0f3c  [ A9A3DAA780CA6C9671A19D52456705B4, 67C959144B57AE0BBF1D82DBED197F32CDB06FECD883A80C441A0202FE83FAB4 ] Alerter         C:\WINDOWS\system32\alrsvc.dll
11:39:46.0609 0x0f3c  Alerter - ok
11:39:46.0656 0x0f3c  [ 8C515081584A38AA007909CD02020B3D, A5E13CA10F702928E0DE84C74D0EA8ACCB117FD76FBABC55220C75C4FFD596DC ] ALG             C:\WINDOWS\System32\alg.exe
11:39:46.0656 0x0f3c  ALG - ok
11:39:46.0671 0x0f3c  AliIde - ok
11:39:46.0703 0x0f3c  amsint - ok
11:39:46.0828 0x0f3c  [ 2E3E53A6AEF23E24F402C7855B9B1542, 0327D3609B2EA3705B35875A68C0EA3281983091B8BA56CF7CC0686E6CEFD495 ] Apple Mobile Device C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
11:39:46.0843 0x0f3c  Apple Mobile Device - ok
11:39:46.0906 0x0f3c  [ D8849F77C0B66226335A59D26CB4EDC6, 4990031453204C57E36E850252A39B05D6ECDAB9E71A8136FB4900F17E59C9CA ] AppMgmt         C:\WINDOWS\System32\appmgmts.dll
11:39:46.0921 0x0f3c  AppMgmt - ok
11:39:46.0953 0x0f3c  asc - ok
11:39:46.0968 0x0f3c  asc3350p - ok
11:39:47.0000 0x0f3c  asc3550 - ok
11:39:47.0203 0x0f3c  [ 776ACEFA0CA9DF0FAA51A5FB2F435705, 72DF7ED6B085BC468994F5B3189506FD726A9A17A9C42ACA1E420D787691361D ] aspnet_state    C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe
11:39:47.0234 0x0f3c  aspnet_state - ok
11:39:47.0296 0x0f3c  [ B153AFFAC761E7F5FCFA822B9C4E97BC, 7E60F572A6B3C6219E3C86225AA37243AFFD74337DB7F108B04778042E5CC959 ] AsyncMac        C:\WINDOWS\system32\DRIVERS\asyncmac.sys
11:39:47.0296 0x0f3c  AsyncMac - ok
11:39:47.0343 0x0f3c  [ 9F3A2F5AA6875C72BF062C712CFA2674, B4DF1D2C56A593C6B54DE57395E3B51D288F547842893B32B0F59228A0CF70B9 ] atapi           C:\WINDOWS\system32\DRIVERS\atapi.sys
11:39:47.0359 0x0f3c  atapi - ok
11:39:47.0375 0x0f3c  Atdisk - ok
11:39:47.0500 0x0f3c  [ 8759322FFC1A50569C1E5528EE8026B7, 4096F61F5C580622ABDC2FFC523FD81D667ACBD584074182134FB00E1EE43EC7 ] ati2mtag        C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
11:39:47.0578 0x0f3c  ati2mtag - ok
11:39:47.0640 0x0f3c  [ 9916C1225104BA14794209CFA8012159, 5D6F05F715C52A16D05CAE15C3DFE77A139A7F27F7AE710EC9A10F9EE05115A1 ] Atmarpc         C:\WINDOWS\system32\DRIVERS\atmarpc.sys
11:39:47.0640 0x0f3c  Atmarpc - ok
11:39:47.0703 0x0f3c  [ DEF7A7882BEC100FE0B2CE2549188F9D, 462C95B63D0A1058291A2DC8CBFCB13D7D74CCD1CA43B613A7EB43D49E3276F8 ] AudioSrv        C:\WINDOWS\System32\audiosrv.dll
11:39:47.0703 0x0f3c  AudioSrv - ok
11:39:47.0765 0x0f3c  [ D9F724AA26C010A217C97606B160ED68, 329B5118F2409731D06FDAE85B6ADD64A048292801BCB3546651CEB303111695 ] audstub         C:\WINDOWS\system32\DRIVERS\audstub.sys
11:39:47.0765 0x0f3c  audstub - ok
11:39:47.0875 0x0f3c  [ B5B8FC2C4D520F1F1EED52A980ED5091, 31C853FAC89A145AC999DC779C3865E6DE666229085F3E963C50BD78A980B2D5 ] avc3            C:\WINDOWS\system32\DRIVERS\avc3.sys
11:39:47.0937 0x0f3c  avc3 - ok
11:39:48.0015 0x0f3c  [ 818E7E029DB594DCB8D6218A7D6FA575, A78A9C9F689C228BF49EB806CDB4EBB88F0FE6E62DF21108ED33F901C5E2A267 ] avckf           C:\WINDOWS\system32\DRIVERS\avckf.sys
11:39:48.0062 0x0f3c  avckf - ok
11:39:48.0125 0x0f3c  [ B9391A83F075351C923C3A37C53AF396, E98DE8AF0D5D517C7A718CC544C84C992D277673C31C9F92AB57F8396FB8B694 ] b57w2k          C:\WINDOWS\system32\DRIVERS\b57xp32.sys
11:39:48.0140 0x0f3c  b57w2k - ok
11:39:48.0187 0x0f3c  [ 5FF4A1E41DF9F1E328C955CAA12CD3B0, 3ECBC8897AFA564F3A7607120B7D068B01D072DA916A7B7E755C7317AB70D102 ] BCM42XX         C:\WINDOWS\system32\DRIVERS\bcm42xx5.sys
11:39:48.0187 0x0f3c  BCM42XX - ok
11:39:48.0218 0x0f3c  [ F13FE9A3648628B29306EDB48A4E48D3, FB77CB611FD2FDB54F0357CF8291BCEAC6327C5CD55B02913C5E810141448AE8 ] BCM44X2         C:\WINDOWS\system32\DRIVERS\BCM4E5.SYS
11:39:48.0250 0x0f3c  BCM44X2 - ok
11:39:48.0296 0x0f3c  [ B60F57B4D9CDBC663CC03EB8AF7EC34E, 4D4DC5D2A332C2ECDAD22CAB5FE827761FBEDA1D3ED0FA0BF34016E230505421 ] bcm4sbxp        C:\WINDOWS\system32\DRIVERS\bcm4sbxp.sys
11:39:48.0296 0x0f3c  bcm4sbxp - ok
11:39:48.0453 0x0f3c  [ 41347688046D49CDE0F6D138A534F73D, 3EF4157B47C103BC289E9C2BBDC2EFF3961EEAD0C40509076064FF7B9E75FF22 ] BCMModem        C:\WINDOWS\system32\DRIVERS\BCMSM.sys
11:39:48.0546 0x0f3c  BCMModem - ok
11:39:48.0671 0x0f3c  [ 560E3C3D50F8FAA6227EBE97600D3220, ABEE86D15EEF893071AE65EC6A0F5B42B2098F26AEE81796D54A3CDC8A87B68D ] bdftdif         C:\Program Files\Bitdefender\Antivirus Free Edition\bdftdif.sys
11:39:48.0671 0x0f3c  bdftdif - ok
11:39:48.0750 0x0f3c  [ 66668490AC6165FDA83089BF71511BF4, ADD6BE1B7ABC91F2B29E996BDA30A2A906E76C50D9D47B5F73A779DF593C78B6 ] bdselfpr        C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys
11:39:48.0765 0x0f3c  bdselfpr - ok
11:39:48.0828 0x0f3c  [ DA1F27D85E0D1525F6621372E7B685E9, 5A81A46A3BDD19DAFC6C87D277267A5D44F3A1B5302F2CC1111D84B7BAD5610D ] Beep            C:\WINDOWS\system32\drivers\Beep.sys
11:39:48.0828 0x0f3c  Beep - ok
11:39:48.0921 0x0f3c  [ 574738F61FCA2935F5265DC4E5691314, 3C7CCF064397186C3A3863DD2370AB6414A61B330097DCA4F299CA7BBAA3D1B4 ] BITS            C:\WINDOWS\system32\qmgr.dll
11:39:49.0031 0x0f3c  BITS - ok
11:39:49.0156 0x0f3c  [ 5AB58C337AC65837FE404462AD6265AB, F7E145F5D8DB1017D5B7B9D5380100F170FE5CC2050B5F7346A521B7B72D2166 ] Bonjour Service C:\Program Files\Bonjour\mDNSResponder.exe
11:39:49.0203 0x0f3c  Bonjour Service - ok
11:39:49.0265 0x0f3c  [ CFD4E51402DA9838B5A04AE680AF54A0, 5378F42B195B5832B00A05AD64E00473A45FFB86AC25C57241F26EA82B149FE1 ] Browser         C:\WINDOWS\System32\browser.dll
11:39:49.0265 0x0f3c  Browser - ok
11:39:49.0437 0x0f3c  catchme - ok
11:39:49.0484 0x0f3c  [ 90A673FC8E12A79AFBED2576F6A7AAF9, BDE7858A3457DB979FEDD8577FA6321BF72848E4A7BF9F173C78A6A10CBB3EBE ] cbidf2k         C:\WINDOWS\system32\drivers\cbidf2k.sys
11:39:49.0500 0x0f3c  cbidf2k - ok
11:39:49.0515 0x0f3c  cd20xrnt - ok
11:39:49.0562 0x0f3c  [ C1B486A7658353D33A10CC15211A873B, AA4DD9E7AAE5AAB1146B360B17001F975D2F29A1281CF7B13E7136480410F347 ] Cdaudio         C:\WINDOWS\system32\drivers\Cdaudio.sys
11:39:49.0562 0x0f3c  Cdaudio - ok
11:39:49.0625 0x0f3c  [ C885B02847F5D2FD45A24E219ED93B32, B26B2F8E3A831E2B65EB0C5195B0645CD50E22615CE79C9B0B391CD563B121DB ] Cdfs            C:\WINDOWS\system32\drivers\Cdfs.sys
11:39:49.0640 0x0f3c  Cdfs - ok
11:39:49.0703 0x0f3c  [ 1F4260CC5B42272D71F79E570A27A4FE, B51C2A3ED3C309953D0EA45869C8E464C10F2533DADE9E0286AF674979098D1D ] Cdrom           C:\WINDOWS\system32\DRIVERS\cdrom.sys
11:39:49.0703 0x0f3c  Cdrom - ok
11:39:49.0734 0x0f3c  cerc6 - ok
11:39:49.0765 0x0f3c  Changer - ok
11:39:49.0828 0x0f3c  [ 1CFE720EB8D93A7158A4EBC3AB178BDE, 65D2A9D9A88F38D4AF323134C151BA0F4B3CD0F6A134AF86E7AC9D07319F1726 ] CiSvc           C:\WINDOWS\system32\cisvc.exe
11:39:49.0828 0x0f3c  CiSvc - ok
11:39:49.0859 0x0f3c  [ 34CBE729F38138217F9C80212A2A0C82, A9FD7A758D12E0818A11BEEF1CE772FEFA8373E92EF6C0DA8628CD4572CC9A43 ] ClipSrv         C:\WINDOWS\system32\clipsrv.exe
11:39:49.0859 0x0f3c  ClipSrv - ok
11:39:49.0921 0x0f3c  [ D87ACAED61E417BBA546CED5E7E36D9C, 14AC6034A5BC0FB2A1AFDAD42BEF4DE641556E54AD30D0C46765660A4BE55462 ] clr_optimization_v2.0.50727_32 C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
11:39:50.0046 0x0f3c  clr_optimization_v2.0.50727_32 - ok
11:39:50.0093 0x0f3c  [ C5A75EB48E2344ABDC162BDA79E16841, 6070A8AAFD38FBC6A68A2B10C20117612354DF21B4492D90CA522BFB6870D726 ] clr_optimization_v4.0.30319_32 C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
11:39:50.0203 0x0f3c  clr_optimization_v4.0.30319_32 - ok
11:39:50.0234 0x0f3c  CmdIde - ok
11:39:50.0421 0x0f3c  [ A0F7D6B070F15EAD9F4231B51B246E4C, 308CC43B296518CF33B5FF599B7D02C266C6A709C4BEE3C76185C0F9A4E81591 ] cmuda3          C:\WINDOWS\system32\drivers\cmudax3.sys
11:39:50.0562 0x0f3c  cmuda3 - ok
11:39:50.0593 0x0f3c  COMSysApp - ok
11:39:50.0656 0x0f3c  Cpqarray - ok
11:39:50.0718 0x0f3c  [ 3D4E199942E29207970E04315D02AD3B, 0825960894CF9C86CC8775BDD2A262948A09CA495AA7FE9F210FAF49E7086383 ] CryptSvc        C:\WINDOWS\System32\cryptsvc.dll
11:39:50.0734 0x0f3c  CryptSvc - ok
11:39:50.0750 0x0f3c  dac2w2k - ok
11:39:50.0796 0x0f3c  dac960nt - ok
11:39:50.0875 0x0f3c  [ 6B27A5C03DFB94B4245739065431322C, 6AEAC16AB4E0DFD25123AAF4D4181FEE1B919B7B2793117006CE8CF30E826CFD ] DcomLaunch      C:\WINDOWS\system32\rpcss.dll
11:39:50.0921 0x0f3c  DcomLaunch - ok
11:39:51.0015 0x0f3c  [ 5E38D7684A49CACFB752B046357E0589, F192AD4190BCFB6939A5CBC91648FE63168AF79A5E227A111DEAD6A92E42AB8D ] Dhcp            C:\WINDOWS\System32\dhcpcsvc.dll
11:39:51.0015 0x0f3c  Dhcp - ok
11:39:51.0046 0x0f3c  [ 044452051F3E02E7963599FC8F4F3E25, 584BDDB074618BE76454CF90E74829CFF588B5B5FAEB793E2F7AAD26352DD689 ] Disk            C:\WINDOWS\system32\DRIVERS\disk.sys
11:39:51.0046 0x0f3c  Disk - ok
11:39:51.0078 0x0f3c  dmadmin - ok
11:39:51.0218 0x0f3c  [ D992FE1274BDE0F84AD826ACAE022A41, C82BD6561A14F2932A761F5883A787B99031250EE5E9B7B5714AA045545C9B99 ] dmboot          C:\WINDOWS\system32\drivers\dmboot.sys
11:39:51.0296 0x0f3c  dmboot - ok
11:39:51.0359 0x0f3c  [ 7C824CF7BBDE77D95C08005717A95F6F, A73CB323B7A6410C3D3F258BF204E716ADF8C84C9E4F6562C57AB73DAED8CCDE ] dmio            C:\WINDOWS\system32\drivers\dmio.sys
11:39:51.0375 0x0f3c  dmio - ok
11:39:51.0421 0x0f3c  [ E9317282A63CA4D188C0DF5E09C6AC5F, D41E002F555FE9015EF620975255F58BB79198CA1FF0E09EC950CB450FF77CF7 ] dmload          C:\WINDOWS\system32\drivers\dmload.sys
11:39:51.0421 0x0f3c  dmload - ok
11:39:51.0453 0x0f3c  [ 57EDEC2E5F59F0335E92F35184BC8631, 61F6F0DC2D1A6C61D5EF0D5CC4BE0FFC217F1E61FDA3EA9F704709293656600F ] dmserver        C:\WINDOWS\System32\dmserver.dll
11:39:51.0453 0x0f3c  dmserver - ok
11:39:51.0515 0x0f3c  [ 8A208DFCF89792A484E76C40E5F50B45, 4E40E2EB38C6254E7CAA488200E89EE7DEBBBA773890BC6A84313CC68178D54F ] DMusic          C:\WINDOWS\system32\drivers\DMusic.sys
11:39:51.0515 0x0f3c  DMusic - ok
11:39:51.0593 0x0f3c  [ 5F7E24FA9EAB896051FFB87F840730D2, 356EEFDCD54DECAD0170B34B993E4BF80DD039E2B2922D7A8D09B84031E9FC7A ] Dnscache        C:\WINDOWS\System32\dnsrslvr.dll
11:39:51.0593 0x0f3c  Dnscache - ok
11:39:51.0656 0x0f3c  [ 0F0F6E687E5E15579EF4DA8DD6945814, 5C32D88119EB1465B2D719BEE2E05888D1A73454B5E33F2D4928DA710F8BFBA3 ] Dot3svc         C:\WINDOWS\System32\dot3svc.dll
11:39:51.0656 0x0f3c  Dot3svc - ok
11:39:51.0687 0x0f3c  dpti2o - ok
11:39:51.0750 0x0f3c  [ 8F5FCFF8E8848AFAC920905FBD9D33C8, C8C6FB97AB0871C8C88A2201525A5CF10D5131CB6980D32692ED7A8F58399AD5 ] drmkaud         C:\WINDOWS\system32\drivers\drmkaud.sys
11:39:51.0750 0x0f3c  drmkaud - ok
11:39:51.0828 0x0f3c  [ 2187855A7703ADEF0CEF9EE4285182CC, 8233CC11F637866C0074043835A785EA2B616739B6B1181B143A253CF2508CFD ] EapHost         C:\WINDOWS\System32\eapsvc.dll
11:39:51.0828 0x0f3c  EapHost - ok
11:39:51.0921 0x0f3c  [ E434C57936AACAB22A5B43CCF1580806, D60252C3AD222F0C1D8B19DB89B5EA2FBEA1A1E7A8357946D69DD301BD1A0687 ] EMET_Service    C:\Program Files\EMET 5.0\EMET_Service.exe
11:39:51.0937 0x0f3c  EMET_Service - ok
11:39:51.0968 0x0f3c  [ BC93B4A066477954555966D77FEC9ECB, 27F5B780175EF46DA102EE33F7F33559C8B40C077EEA4405D579D9507F4B1C23 ] ERSvc           C:\WINDOWS\System32\ersvc.dll
11:39:51.0968 0x0f3c  ERSvc - ok
11:39:52.0062 0x0f3c  [ B7B3A43640209484A1E22065F227959A, 53334E31EEBB5E21C09BD4E7717A40CB6D735AAC3FAF86F3FDD066E4800698CB ] ESProtectionDriver C:\Program Files\Malwarebytes Anti-Exploit\mbae.sys
11:39:52.0078 0x0f3c  ESProtectionDriver - ok
11:39:52.0140 0x0f3c  [ 65DF52F5B8B6E9BBD183505225C37315, 59C606977DB40A3443DFF0BE2A4C761824881B22C9FDB3D23F6486DB580E92A4 ] Eventlog        C:\WINDOWS\system32\services.exe
11:39:52.0156 0x0f3c  Eventlog - ok
11:39:52.0234 0x0f3c  [ D4991D98F2DB73C60D042F1AEF79EFAE, 58AF949EAEBF4FF3E3314DFB66CE4198BF65F0836B68CD27A6ED319742CCCCD2 ] EventSystem     C:\WINDOWS\system32\es.dll
11:39:52.0265 0x0f3c  EventSystem - ok
11:39:52.0328 0x0f3c  [ 38D332A6D56AF32635675F132548343E, E6909DB836AF679B4F4D62C7396D6C82769CC7ABB8C919C2AABFE934FCE268F6 ] Fastfat         C:\WINDOWS\system32\drivers\Fastfat.sys
11:39:52.0343 0x0f3c  Fastfat - ok
11:39:52.0406 0x0f3c  [ 99BC0B50F511924348BE19C7C7313BBF, A1006C687BD352F700B140DC741515A0CDD9E1352C0FBD1EE410D404E344444B ] FastUserSwitchingCompatibility C:\WINDOWS\System32\shsvcs.dll
11:39:52.0421 0x0f3c  FastUserSwitchingCompatibility - ok
11:39:52.0453 0x0f3c  [ 92CDD60B6730B9F50F6A1A0C1F8CDC81, 8307A532AB4D05CBBCE206DC2759497708BF5AAA880BD00F0E4F281D8578A1F5 ] Fdc             C:\WINDOWS\system32\DRIVERS\fdc.sys
11:39:52.0453 0x0f3c  Fdc - ok
11:39:52.0484 0x0f3c  [ D45926117EB9FA946A6AF572FBE1CAA3, 4C94EF009D778BE0BDF8F812F026B96F91F641BE30AA2531427A5E63DBD280DA ] Fips            C:\WINDOWS\system32\drivers\Fips.sys
11:39:52.0484 0x0f3c  Fips - ok
11:39:52.0531 0x0f3c  [ 9D27E7B80BFCDF1CDD9B555862D5E7F0, 69C271AD5BCEBFD8AE5A769BDD7EC51256DA3A8ADAD5D12E5C0D13F4E82D8805 ] Flpydisk        C:\WINDOWS\system32\DRIVERS\flpydisk.sys
11:39:52.0546 0x0f3c  Flpydisk - ok
11:39:52.0609 0x0f3c  [ B2CF4B0786F8212CB92ED2B50C6DB6B0, 280F5CF8A90F7BEDE73ADD0DD0F8952088133A7CA9A3D3B7041957E33B36845D ] FltMgr          C:\WINDOWS\system32\DRIVERS\fltMgr.sys
11:39:52.0625 0x0f3c  FltMgr - ok
11:39:52.0718 0x0f3c  [ 8BA7C024070F2B7FDD98ED8A4BA41789, 47585006F86B2C6016EC54250A416794792D1E4024FF229C120BC25B684AF66A ] FontCache3.0.0.0 c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
11:39:52.0718 0x0f3c  FontCache3.0.0.0 - ok
11:39:52.0781 0x0f3c  [ 3E1E2BD4F39B0E2B7DC4F4D2BCC2779A, EC635E071201A766845D48973772CBE0958942B4162F3F5F70660D114CC877E0 ] Fs_Rec          C:\WINDOWS\system32\drivers\Fs_Rec.sys
11:39:52.0781 0x0f3c  Fs_Rec - ok
11:39:52.0812 0x0f3c  [ 6AC26732762483366C3969C9E4D2259D, FF2C9A23CC17F380093F0BEA955B1925794271C2FEA16B9B7639668E6999BAE3 ] Ftdisk          C:\WINDOWS\system32\DRIVERS\ftdisk.sys
11:39:52.0828 0x0f3c  Ftdisk - ok
11:39:52.0875 0x0f3c  [ 8182FF89C65E4D38B2DE4BB0FB18564E, 2ACFA64D48BF7D25641EC5819C8722144284B8A8E071BF297C1881B07EEAFE88 ] GEARAspiWDM     C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
11:39:52.0890 0x0f3c  GEARAspiWDM - ok
11:39:52.0921 0x0f3c  [ 0A02C63C8B144BD8C86B103DEE7C86A2, 7A3235DD3E1995DD72B212FAEB3ECA2A974434DE9BF6D269EA11BA65A80E7E50 ] Gpc             C:\WINDOWS\system32\DRIVERS\msgpc.sys
11:39:52.0937 0x0f3c  Gpc - ok
11:39:52.0984 0x0f3c  [ C1B577B2169900F4CF7190C39F085794, 73E104B96A48F4C80D8C37254ECB0891D15C0D2F0C251B57C168F90D60316447 ] gusvc           C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
11:39:53.0000 0x0f3c  gusvc - ok
11:39:53.0046 0x0f3c  [ 46524E4F27A44A86F28772D80BC3CE02, DEDAB3CE5CE0417962D49C58F0557339EF83365372E28A485F3999411C3519AF ] gzflt           C:\WINDOWS\system32\DRIVERS\gzflt.sys
11:39:53.0062 0x0f3c  gzflt - ok
11:39:53.0125 0x0f3c  [ F95E3F9EF9D7E268F7CB26341D6D9B91, 0B9B02C5FEAFDA7F665DBD8302EDA7B7E7E45C83CE5D52E539208EFDAA791CA4 ] gzserv          C:\Program Files\Bitdefender\Antivirus Free Edition\gzserv.exe
11:39:53.0125 0x0f3c  gzserv - ok
11:39:53.0234 0x0f3c  [ 4FCCA060DFE0C51A09DD5C3843888BCD, D82417706B517F2610DDF7C86BE03A72EFA9A2A389DF5C8F8ADEAB8144E2C80A ] helpsvc         C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll
11:39:53.0250 0x0f3c  helpsvc - ok
11:39:53.0296 0x0f3c  [ DEB04DA35CC871B6D309B77E1443C796, F66A15C9528D661940F1F4CA453B3E95036D68C74C3B8AB53644211DBD3D2F32 ] HidServ         C:\WINDOWS\System32\hidserv.dll
11:39:53.0312 0x0f3c  HidServ - ok
11:39:53.0375 0x0f3c  [ CCF82C5EC8A7326C3066DE870C06DAF1, 93395FA4C26B2E82DC8B7025ED3BCF583885E5D8C5F60CD6EEAA6335D6A126EC ] hidusb          C:\WINDOWS\system32\DRIVERS\hidusb.sys
11:39:53.0375 0x0f3c  hidusb - ok
11:39:53.0437 0x0f3c  [ 8878BD685E490239777BFE51320B88E9, C5C3ECF6B049B6736E35B39518A8F830B45C45A88FFE8E3A6B7922AD946597E2 ] hkmsvc          C:\WINDOWS\System32\kmsvc.dll
11:39:53.0437 0x0f3c  hkmsvc - ok
11:39:53.0468 0x0f3c  hpn - ok
11:39:53.0546 0x0f3c  [ F80A415EF82CD06FFAF0D971528EAD38, 524D9E9201572929522F6805011783711B7C0F76308B924C89CF75F4B7A1FDF3 ] HTTP            C:\WINDOWS\system32\Drivers\HTTP.sys
11:39:53.0578 0x0f3c  HTTP - ok
11:39:53.0640 0x0f3c  [ 6100A808600F44D999CEBDEF8841C7A3, 61A75118C327812C60622010985A2E80E79B6FD9030A5732390EE5426E4AF6C9 ] HTTPFilter      C:\WINDOWS\System32\w3ssl.dll
11:39:53.0640 0x0f3c  HTTPFilter - ok
11:39:53.0671 0x0f3c  i2omgmt - ok
11:39:53.0687 0x0f3c  i2omp - ok
11:39:53.0828 0x0f3c  [ 44B7D5A4F2BD9FE21AEA0BB0BACE38C4, D371103E752EF852BEDE330AB23EED4BFFD4150961EC377B03D69D871368F144 ] ialm            C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
11:39:53.0906 0x0f3c  ialm - ok
11:39:54.0093 0x0f3c  [ C01AC32DC5C03076CFB852CB5DA5229C, A4D7749220B5BC965D96A267F1E02FE8284A230BA249109207BD4B9EA8DFAC96 ] idsvc           c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
11:39:54.0187 0x0f3c  idsvc - ok
11:39:54.0218 0x0f3c  [ 083A052659F5310DD8B6A6CB05EDCF8E, 48D39B03FFB6FAA1529B774443BA12618AE3982D9F65A7B9D18F2269F78B31F4 ] Imapi           C:\WINDOWS\system32\DRIVERS\imapi.sys
11:39:54.0234 0x0f3c  Imapi - ok
11:39:54.0296 0x0f3c  [ 30DEAF54A9755BB8546168CFE8A6B5E1, 3936228CD3125C763ABFCB93E86E4B43838202BCC0913A28E84AC0263B43EE0D ] ImapiService    C:\WINDOWS\system32\imapi.exe
11:39:54.0296 0x0f3c  ImapiService - ok
11:39:54.0343 0x0f3c  ini910u - ok
11:39:54.0421 0x0f3c  [ B5466A9250342A7AA0CD1FBA13420678, 87E735C4E8924A883AB692D387A83BCBFAE6E165688336AE7AB488F7CA8D339E ] IntelIde        C:\WINDOWS\system32\DRIVERS\intelide.sys
11:39:54.0421 0x0f3c  IntelIde - ok
11:39:54.0484 0x0f3c  [ 8C953733D8F36EB2133F5BB58808B66B, 555868F246D73652E998B0B1296476E42FCEDED30D646CC000F31ECE4EBC25E6 ] intelppm        C:\WINDOWS\system32\DRIVERS\intelppm.sys
11:39:54.0484 0x0f3c  intelppm - ok
11:39:54.0531 0x0f3c  [ 3BB22519A194418D5FEC05D800A19AD0, F6662F440950596DC1382DD1DB5D7891CCEA30A6062BEA942C18445B5F0D8B16 ] Ip6Fw           C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
11:39:54.0531 0x0f3c  Ip6Fw - ok
11:39:54.0593 0x0f3c  [ 731F22BA402EE4B62748ADAF6363C182, 5C3BEBD008A5BE4DC2F92076FF41A10DDC01E10EC7E6552213CFA11970811848 ] IpFilterDriver  C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
11:39:54.0593 0x0f3c  IpFilterDriver - ok
11:39:54.0640 0x0f3c  [ B87AB476DCF76E72010632B5550955F5, E6E74D3A86A7917A8BAED44F8E97CCD2EB171E4E4B27E9907F60D1523FAF319A ] IpInIp          C:\WINDOWS\system32\DRIVERS\ipinip.sys
11:39:54.0640 0x0f3c  IpInIp - ok
11:39:54.0703 0x0f3c  [ CC748EA12C6EFFDE940EE98098BF96BB, AF523E21C25D9A1715EFEA573E4F52AF5D4FC9F28A2D613F5DB629C186C439E0 ] IpNat           C:\WINDOWS\system32\DRIVERS\ipnat.sys
11:39:54.0718 0x0f3c  IpNat - ok
11:39:54.0828 0x0f3c  [ 630D74599070824AF3DC63A894ADCDFC, CC19169F1B9B104219029F6DA8AE5B73CFFFD639FDB12868824ED7A5086949D2 ] iPod Service    C:\Program Files\iPod\bin\iPodService.exe
11:39:54.0875 0x0f3c  iPod Service - ok
11:39:54.0937 0x0f3c  [ 23C74D75E36E7158768DD63D92789A91, 394D296F38E7D8EFD91A6EEC301D9CE6AF910E35EB9819F1A9E3363863AEDFDC ] IPSec           C:\WINDOWS\system32\DRIVERS\ipsec.sys
11:39:54.0953 0x0f3c  IPSec - ok
11:39:55.0000 0x0f3c  [ C93C9FF7B04D772627A3646D89F7BF89, 805FA48E7A46D4F10240BF880A2468F53DEA36E83004399228AB70DB7D20544A ] IRENUM          C:\WINDOWS\system32\DRIVERS\irenum.sys
11:39:55.0000 0x0f3c  IRENUM - ok
11:39:55.0062 0x0f3c  [ 05A299EC56E52649B1CF2FC52D20F2D7, 2654619DB3E6D6C385B63AB02F87D4241C4F0250CC31383D1B3586917166C2DC ] isapnp          C:\WINDOWS\system32\DRIVERS\isapnp.sys
11:39:55.0062 0x0f3c  isapnp - ok
11:39:55.0125 0x0f3c  [ 463C1EC80CD17420A542B7F36A36F128, E3B11BA26AFEAFB50B0FC168EA07F6049DA6B88BCDDEEE20310602D7FC27A3A7 ] Kbdclass        C:\WINDOWS\system32\DRIVERS\kbdclass.sys
11:39:55.0125 0x0f3c  Kbdclass - ok
11:39:55.0171 0x0f3c  [ 9EF487A186DEA361AA06913A75B3FA99, B94EBA4EC6D85E11C81AF9927E9EF0AF2E6FE134CFF1FDB0535B7C5A794B4261 ] kbdhid          C:\WINDOWS\system32\DRIVERS\kbdhid.sys
11:39:55.0171 0x0f3c  kbdhid - ok
11:39:55.0218 0x0f3c  [ 692BCF44383D056AED41B045A323D378, 1A99DEE83FFAF64E73067FC049C0A4CE07D94E4AE31EFA17B38CEFA9E41D67DC ] kmixer          C:\WINDOWS\system32\drivers\kmixer.sys
11:39:55.0234 0x0f3c  kmixer - ok
11:39:55.0296 0x0f3c  [ B467646C54CC746128904E1654C750C1, 3BD71BE3663EA23463D236D8A2A2E42DFA10C502BDB4B6E131FAF0FBA748219E ] KSecDD          C:\WINDOWS\system32\drivers\KSecDD.sys
11:39:55.0312 0x0f3c  KSecDD - ok
11:39:55.0375 0x0f3c  [ 3A7C3CBE5D96B8AE96CE81F0B22FB527, 0044F03132596A494448CCE5F3D6ECC12617BB4CF6BAE348F79D4DC40ACD6EE0 ] LanmanServer    C:\WINDOWS\System32\srvsvc.dll
11:39:55.0375 0x0f3c  LanmanServer - ok
11:39:55.0437 0x0f3c  [ A8888A5327621856C0CEC4E385F69309, B08B63300D824E35E31EEEA2C4C086DFA2C2A964CEDAE512E74D3D88AADAA2C1 ] lanmanworkstation C:\WINDOWS\System32\wkssvc.dll
11:39:55.0453 0x0f3c  lanmanworkstation - ok
11:39:55.0468 0x0f3c  lbrtfdc - ok
11:39:55.0562 0x0f3c  [ A7DB739AE99A796D91580147E919CC59, EDF4E039BA277B0E6D66FEB0B28096E67D682C09DFC18ECECF062D9DCFB75ACF ] LmHosts         C:\WINDOWS\System32\lmhsvc.dll
11:39:55.0562 0x0f3c  LmHosts - ok
11:39:55.0609 0x0f3c  [ 6EB137ECCDFE7CA15E59463859175899, EBAC796C99903223C98360082E4CDCCB57C8974925561AAF3E51D88B9A412532 ] MbaeSvc         C:\Program Files\Malwarebytes Anti-Exploit\mbae-svc.exe
11:39:55.0625 0x0f3c  MbaeSvc - ok
11:39:55.0687 0x0f3c  [ B7CA8CC3F978201856B6AB82F40953C3, 2B58B8B989F2659FF6C45D94B72BDE9FFEC340DAC5648CE21921A213590BDA06 ] MBAMProtector   C:\WINDOWS\system32\drivers\mbam.sys
11:39:55.0687 0x0f3c  MBAMProtector - ok
11:39:55.0859 0x0f3c  [ 056B19651BD7B7CE5F89A3AC46DBDC08, B9F2A725BA930A0A3BB6C03C394C7D2E642B9A2E8F390491D58C893742E29476 ] MBAMService     C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
11:39:55.0921 0x0f3c  MBAMService - ok
11:39:55.0968 0x0f3c  [ 986B1FF5814366D71E0AC5755C88F2D3, E6AF051174531C24B38E73987755D366ABEC595476C6D17793E8DCCC73F55340 ] Messenger       C:\WINDOWS\System32\msgsvc.dll
11:39:55.0968 0x0f3c  Messenger - ok
11:39:56.0031 0x0f3c  [ 4AE068242760A1FB6E1A44BF4E16AFA6, 1FB771162B96AAF787AC24867B818DF8511F0780BB094FA9A38C11D8DBFE68BC ] mnmdd           C:\WINDOWS\system32\drivers\mnmdd.sys
11:39:56.0031 0x0f3c  mnmdd - ok
11:39:56.0093 0x0f3c  [ D18F1F0C101D06A1C1ADF26EED16FCDD, BA0837C7780BD8262E143E2935AFA63BE59C3C39EF56CB8608EED0F50AF070D4 ] mnmsrvc         C:\WINDOWS\system32\mnmsrvc.exe
11:39:56.0093 0x0f3c  mnmsrvc - ok
11:39:56.0171 0x0f3c  [ DFCBAD3CEC1C5F964962AE10E0BCC8E1, B342CC9EC3729AB1AB4B5E2E99F890C1E0CA649162DE91F6768AB857B719E97B ] Modem           C:\WINDOWS\system32\drivers\Modem.sys
11:39:56.0171 0x0f3c  Modem - ok
11:39:56.0234 0x0f3c  [ 1992E0D143B09653AB0F9C5E04B0FD65, 1431EC53A65F561C235A08F926C5348A6B21B06A08C075DE8172A88EE0AA634E ] MODEMCSA        C:\WINDOWS\system32\drivers\MODEMCSA.sys
11:39:56.0234 0x0f3c  MODEMCSA - ok
11:39:56.0281 0x0f3c  [ 35C9E97194C8CFB8430125F8DBC34D04, 0C0FCE6B0A23FB0ECB92E1663E1C72D2DD5B177D82E04782957690B69530DB39 ] Mouclass        C:\WINDOWS\system32\DRIVERS\mouclass.sys
11:39:56.0281 0x0f3c  Mouclass - ok
11:39:56.0312 0x0f3c  [ B1C303E17FB9D46E87A98E4BA6769685, 161A45488522055D0F0474ABEDA04DDD0B5DAC2411AF9154B15190BBD66E7153 ] mouhid          C:\WINDOWS\system32\DRIVERS\mouhid.sys
11:39:56.0312 0x0f3c  mouhid - ok
11:39:56.0359 0x0f3c  [ A80B9A0BAD1B73637DBCBBA7DF72D3FD, 2A5E15ED2C24C6C65EF2F7E1FD93374774076C9D8D451E4422561F4D269C012F ] MountMgr        C:\WINDOWS\system32\drivers\MountMgr.sys
11:39:56.0359 0x0f3c  MountMgr - ok
11:39:56.0406 0x0f3c  [ 3542910814BD40FAA8DD2BC4C39B932B, C5FAA0AB1E2490840DB7B629D8442C2E5715C1BBA3ECBE040F119DF2AD6510B2 ] MozillaMaintenance C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe
11:39:56.0421 0x0f3c  MozillaMaintenance - ok
11:39:56.0468 0x0f3c  mraid35x - ok
11:39:56.0515 0x0f3c  [ 11D42BB6206F33FBB3BA0288D3EF81BD, 76ABCFB62C5AC549F58C231F72A99882CDEB74928104B77FE52554765C2B1A22 ] MRxDAV          C:\WINDOWS\system32\DRIVERS\mrxdav.sys
11:39:56.0531 0x0f3c  MRxDAV - ok
11:39:56.0625 0x0f3c  [ 7D304A5EB4344EBEEAB53A2FE3FFB9F0, DB9B186F7076D7B94F45041AF7B77C1AD2CAB504D683B459C6CB1C22840ED170 ] MRxSmb          C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
11:39:56.0671 0x0f3c  MRxSmb - ok
11:39:56.0750 0x0f3c  [ A137F1470499A205ABBB9AAFB3B6F2B1, FB4951727543030D9E6ED74149C3FAACE2CA9DA8C1B5F616301B30B858C724E8 ] MSDTC           C:\WINDOWS\system32\msdtc.exe
11:39:56.0750 0x0f3c  MSDTC - ok
11:39:56.0843 0x0f3c  [ C941EA2454BA8350021D774DAF0F1027, C940E978C7B66A713A0FDAB54B5F995DF59D089AFCD96221DD3222948CD49BBD ] Msfs            C:\WINDOWS\system32\drivers\Msfs.sys
11:39:56.0843 0x0f3c  Msfs - ok
11:39:56.0859 0x0f3c  MSIServer - ok
11:39:56.0906 0x0f3c  [ D1575E71568F4D9E14CA56B7B0453BF1, 4ABE0E24786C0D39FA2B885447E56204CA6942FB175E534DCE675D7BCF0B176A ] MSKSSRV         C:\WINDOWS\system32\drivers\MSKSSRV.sys
11:39:56.0906 0x0f3c  MSKSSRV - ok
11:39:56.0937 0x0f3c  [ 325BB26842FC7CCC1FCCE2C457317F3E, C07BE560513B1FB91D756494F0BA4AEEB2E1998DE0E1C21EE83DB1183B0CEE91 ] MSPCLOCK        C:\WINDOWS\system32\drivers\MSPCLOCK.sys
11:39:56.0937 0x0f3c  MSPCLOCK - ok
11:39:56.0984 0x0f3c  [ BAD59648BA099DA4A17680B39730CB3D, 9AD4C7C94C186C8815D0BC75DCAFB962158DA6935A244BA243EDDDEB33F9816C ] MSPQM           C:\WINDOWS\system32\drivers\MSPQM.sys
11:39:56.0984 0x0f3c  MSPQM - ok
11:39:57.0046 0x0f3c  [ AF5F4F3F14A8EA2C26DE30F7A1E17136, AC93A1E4ABB0D038B772E429015567E44CC2EDB66C54DBE23A5F98176FAC1520 ] mssmbios        C:\WINDOWS\system32\DRIVERS\mssmbios.sys
11:39:57.0046 0x0f3c  mssmbios - ok
11:39:57.0109 0x0f3c  [ DE6A75F5C270E756C5508D94B6CF68F5, FCC972DDC36C2C44D836913F10004C2C33B11C54DEFFF0C63E0FDF901D2F9261 ] Mup             C:\WINDOWS\system32\drivers\Mup.sys
11:39:57.0125 0x0f3c  Mup - ok
11:39:57.0203 0x0f3c  [ 0102140028FAD045756796E1C685D695, 5335B8278418CA200E2772124F0602C3E15A5CAF2D5CC59F6785DFAABF339B09 ] napagent        C:\WINDOWS\System32\qagentrt.dll
11:39:57.0218 0x0f3c  napagent - ok
11:39:57.0281 0x0f3c  [ 1DF7F42665C94B825322FAE71721130D, FE0DCB728471465B39A42A7511F4133021FBA5DF88F88BCB5FE2FF34CFD713F9 ] NDIS            C:\WINDOWS\system32\drivers\NDIS.sys
11:39:57.0296 0x0f3c  NDIS - ok
11:39:57.0359 0x0f3c  [ 0109C4F3850DFBAB279542515386AE22, 4F6DB1E499AC853FD36FD603FBB6D3AC9BDCEB298C7FE1FB59A9236CB46729B2 ] NdisTapi        C:\WINDOWS\system32\DRIVERS\ndistapi.sys
11:39:57.0359 0x0f3c  NdisTapi - ok
11:39:57.0406 0x0f3c  [ F927A4434C5028758A842943EF1A3849, B1AA3AF150C05307461774925901789456B0CCCD03A5E71ADA4AB58455962BEE ] Ndisuio         C:\WINDOWS\system32\DRIVERS\ndisuio.sys
11:39:57.0406 0x0f3c  Ndisuio - ok
11:39:57.0437 0x0f3c  [ EDC1531A49C80614B2CFDA43CA8659AB, 494042F790F33721328B4451E79842E21919681CC421A4F9633EC4D383E06097 ] NdisWan         C:\WINDOWS\system32\DRIVERS\ndiswan.sys
11:39:57.0453 0x0f3c  NdisWan - ok
11:39:57.0500 0x0f3c  [ 2F597BB467E05B1FE3830EABD821B8E0, 141497F5A49D47CCE3C9289644F4BD838DCB238F6D8E847FC006652E21FE02AC ] NDProxy         C:\WINDOWS\system32\drivers\NDProxy.sys
11:39:57.0500 0x0f3c  NDProxy - ok
11:39:57.0546 0x0f3c  [ 5D81CF9A2F1A3A756B66CF684911CDF0, 7989C36607CAEA17AFA2C1C9904145CA0714A54B9F712D9D4C1AB140D0B2CC0C ] NetBIOS         C:\WINDOWS\system32\DRIVERS\netbios.sys
11:39:57.0562 0x0f3c  NetBIOS - ok
11:39:57.0609 0x0f3c  [ 74B2B2F5BEA5E9A3DC021D685551BD3D, 7932B71F98B4122BE88F576BF6D745A757AE378A48924B7F4358837B75640A82 ] NetBT           C:\WINDOWS\system32\DRIVERS\netbt.sys
11:39:57.0625 0x0f3c  NetBT - ok
11:39:57.0671 0x0f3c  [ B857BA82860D7FF85AE29B095645563B, 86FF0E4CDD9C394E8BABD93A4D57E73FF9A779261717DEC6E9CDE99F1C6B0F4C ] NetDDE          C:\WINDOWS\system32\netdde.exe
11:39:57.0687 0x0f3c  NetDDE - ok
11:39:57.0718 0x0f3c  [ B857BA82860D7FF85AE29B095645563B, 86FF0E4CDD9C394E8BABD93A4D57E73FF9A779261717DEC6E9CDE99F1C6B0F4C ] NetDDEdsdm      C:\WINDOWS\system32\netdde.exe
11:39:57.0718 0x0f3c  NetDDEdsdm - ok
11:39:57.0796 0x0f3c  [ BF2466B3E18E970D8A976FB95FC1CA85, F7794B5D12DC5D820A162850F4388E2AA80426AD07CB221799CF941C682AB501 ] Netlogon        C:\WINDOWS\system32\lsass.exe
11:39:57.0796 0x0f3c  Netlogon - ok
11:39:57.0875 0x0f3c  [ 13E67B55B3ABD7BF3FE7AAE5A0F9A9DE, 4E0A67B3CC897E80D4B342FFE8B7B4CC4F6CA2EF2D34C136027A098B2E1C6166 ] Netman          C:\WINDOWS\System32\netman.dll
11:39:57.0890 0x0f3c  Netman - ok
11:39:57.0953 0x0f3c  [ D22CD77D4F0D63D1169BB35911BFF12D, 85B1FDFA02E1B8EA4FCB9B7EEB687C5C448697FC7EC9D178C5A2F64D2C9CFEE8 ] NetTcpPortSharing C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe
11:39:58.0000 0x0f3c  NetTcpPortSharing - ok
11:39:58.0062 0x0f3c  [ 943337D786A56729263071623BBB9DE5, B631B47C869FE4ACF46E4AA272435D9A9CA536E3349E3FFBB8602636FEE7AFD4 ] Nla             C:\WINDOWS\System32\mswsock.dll
11:39:58.0078 0x0f3c  Nla - ok
11:39:58.0109 0x0f3c  [ 3182D64AE053D6FB034F44B6DEF8034A, 4ADFC76965BA2A5F488E71789A4E4EA702A74AF42725F72130D1CA919406CF19 ] Npfs            C:\WINDOWS\system32\drivers\Npfs.sys
11:39:58.0109 0x0f3c  Npfs - ok
11:39:58.0218 0x0f3c  [ 78A08DD6A8D65E697C18E1DB01C5CDCA, E0E6F3ED05068E32F1D5C2D2B38CDEF4536B8656DB6756C66CF6B40B60C8F3DA ] Ntfs            C:\WINDOWS\system32\drivers\Ntfs.sys
11:39:58.0281 0x0f3c  Ntfs - ok
11:39:58.0312 0x0f3c  [ BF2466B3E18E970D8A976FB95FC1CA85, F7794B5D12DC5D820A162850F4388E2AA80426AD07CB221799CF941C682AB501 ] NtLmSsp         C:\WINDOWS\system32\lsass.exe
11:39:58.0312 0x0f3c  NtLmSsp - ok
11:39:58.0390 0x0f3c  [ 156F64A3345BD23C600655FB4D10BC08, 9611BE411586E068D9297D77102DB3BE48AA67F1BAD6F61A84F83FC3043FA9CD ] NtmsSvc         C:\WINDOWS\system32\ntmssvc.dll
11:39:58.0453 0x0f3c  NtmsSvc - ok
11:39:58.0500 0x0f3c  [ 73C1E1F395918BC2C6DD67AF7591A3AD, B21133A75253EC15E2DFF66D3B480AB1A7E1A2360476C810E7AA55D0F0EB08D4 ] Null            C:\WINDOWS\system32\drivers\Null.sys
11:39:58.0500 0x0f3c  Null - ok
11:39:58.0578 0x0f3c  [ B305F3FAD35083837EF46A0BBCE2FC57, 9D0E0E666D652D0FC9EAB97280A5D67AAF61D6B21929DF7CF8ED72A367720464 ] NwlnkFlt        C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
11:39:58.0578 0x0f3c  NwlnkFlt - ok
11:39:58.0609 0x0f3c  [ C99B3415198D1AAB7227F2C88FD664B9, DD8DA4B5E804F134AB9233859544C025062902DFC3E8FB8A09A67337A4E73F55 ] NwlnkFwd        C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
11:39:58.0609 0x0f3c  NwlnkFwd - ok
11:39:58.0703 0x0f3c  [ 7A56CF3E3F12E8AF599963B16F50FB6A, 882C82BAE96D263138D4C0D6C425458B770B7B9C8E9C1D28AC918BF6BE94A5C2 ] ose             C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
11:39:58.0718 0x0f3c  ose - ok
11:39:58.0750 0x0f3c  [ 5575FAF8F97CE5E713D108C2A58D7C7C, 96D4595D19A78CCBE8B325A08780AC077AE5CC99642ACD72FB47AEAE8D344D3B ] Parport         C:\WINDOWS\system32\DRIVERS\parport.sys
11:39:58.0781 0x0f3c  Parport - ok
11:39:58.0812 0x0f3c  [ BEB3BA25197665D82EC7065B724171C6, 7E71C13BA30CD95CEE8A9CC85E6F48A01F30EDEAADEE69D80AE828BF97E5A5CA ] PartMgr         C:\WINDOWS\system32\drivers\PartMgr.sys
11:39:58.0812 0x0f3c  PartMgr - ok
11:39:58.0875 0x0f3c  [ 70E98B3FD8E963A6A46A2E6247E0BEA1, 6771313EC41B3B5BFD398F60706E40BE71617046880CC352DD110B001AFC22A1 ] ParVdm          C:\WINDOWS\system32\drivers\ParVdm.sys
11:39:58.0875 0x0f3c  ParVdm - ok
11:39:58.0906 0x0f3c  [ A219903CCF74233761D92BEF471A07B1, D4E6C360A1D2FCA4D17C991B834D68BF20F5111DD06B1FAB8B22984804CEC269 ] PCI             C:\WINDOWS\system32\DRIVERS\pci.sys
11:39:58.0906 0x0f3c  PCI - ok
11:39:58.0937 0x0f3c  PCIDump - ok
11:39:58.0953 0x0f3c  [ CCF5F451BB1A5A2A522A76E670000FF0, D63F7E5A39653EC9CCE94B7D84B2D3EBD4F54533BD65701020198724042C9257 ] PCIIde          C:\WINDOWS\system32\drivers\PCIIde.sys
11:39:58.0953 0x0f3c  PCIIde - ok
11:39:59.0015 0x0f3c  [ 9E89EF60E9EE05E3F2EEF2DA7397F1C1, 0BA3DB21DC7C641C181E2635B5C9B73965FDCDCD3EBBBE48FCFEC1C8C987F617 ] Pcmcia          C:\WINDOWS\system32\drivers\Pcmcia.sys
11:39:59.0031 0x0f3c  Pcmcia - ok
11:39:59.0046 0x0f3c  PDCOMP - ok
11:39:59.0078 0x0f3c  PDFRAME - ok
11:39:59.0109 0x0f3c  PDRELI - ok
11:39:59.0140 0x0f3c  PDRFRAME - ok
11:39:59.0156 0x0f3c  perc2 - ok
11:39:59.0187 0x0f3c  perc2hib - ok
11:39:59.0328 0x0f3c  [ 65DF52F5B8B6E9BBD183505225C37315, 59C606977DB40A3443DFF0BE2A4C761824881B22C9FDB3D23F6486DB580E92A4 ] PlugPlay        C:\WINDOWS\system32\services.exe
11:39:59.0328 0x0f3c  PlugPlay - ok
11:39:59.0359 0x0f3c  [ BF2466B3E18E970D8A976FB95FC1CA85, F7794B5D12DC5D820A162850F4388E2AA80426AD07CB221799CF941C682AB501 ] PolicyAgent     C:\WINDOWS\system32\lsass.exe
11:39:59.0359 0x0f3c  PolicyAgent - ok
11:39:59.0406 0x0f3c  [ EFEEC01B1D3CF84F16DDD24D9D9D8F99, C5F0C8C66A3AF7E7BB04CEDE4AC5306F8387AB384A2107DC5BE413AAE968EFF1 ] PptpMiniport    C:\WINDOWS\system32\DRIVERS\raspptp.sys
11:39:59.0421 0x0f3c  PptpMiniport - ok
11:39:59.0437 0x0f3c  [ BF2466B3E18E970D8A976FB95FC1CA85, F7794B5D12DC5D820A162850F4388E2AA80426AD07CB221799CF941C682AB501 ] ProtectedStorage C:\WINDOWS\system32\lsass.exe
11:39:59.0437 0x0f3c  ProtectedStorage - ok
11:39:59.0468 0x0f3c  [ 09298EC810B07E5D582CB3A3F9255424, 35473A1BE25AC289474090EB0806AC6B3035DC33D1F3DF97A14BF1E361AC6AC3 ] PSched          C:\WINDOWS\system32\DRIVERS\psched.sys
11:39:59.0468 0x0f3c  PSched - ok
11:39:59.0515 0x0f3c  [ 80D317BD1C3DBC5D4FE7B1678C60CADD, DA76804B55D0CAB3DDD01EFC06673764AE4860693375C658B6063FB14AF7F12C ] Ptilink         C:\WINDOWS\system32\DRIVERS\ptilink.sys
11:39:59.0531 0x0f3c  Ptilink - ok
11:39:59.0546 0x0f3c  ql1080 - ok
11:39:59.0578 0x0f3c  Ql10wnt - ok
11:39:59.0609 0x0f3c  ql12160 - ok
11:39:59.0625 0x0f3c  ql1240 - ok
11:39:59.0656 0x0f3c  ql1280 - ok
11:39:59.0734 0x0f3c  [ FE0D99D6F31E4FAD8159F690D68DED9C, 998685622ABE631984B7E4DBF91AB3594B1F574378D75EB9F6265F4650470692 ] RasAcd          C:\WINDOWS\system32\DRIVERS\rasacd.sys
11:39:59.0734 0x0f3c  RasAcd - ok
11:39:59.0796 0x0f3c  [ AD188BE7BDF94E8DF4CA0A55C00A5073, C7D76CB579FAEBCCC2873499441BACDD6BD6668ACF5ED7F31862656E96E2B20C ] RasAuto         C:\WINDOWS\System32\rasauto.dll
11:39:59.0796 0x0f3c  RasAuto - ok
11:39:59.0843 0x0f3c  [ 11B4A627BC9614B885C4969BFA5FF8A6, EAE0A412A2B0F68919C32A96B3A08CC1A06585E4998819F5C9051745F63FF5AD ] Rasl2tp         C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
11:39:59.0843 0x0f3c  Rasl2tp - ok
11:39:59.0890 0x0f3c  [ 76A9A3CBEADD68CC57CDA5E1D7448235, 4AFD048C5D2306AB8DE46F3AA60AC0213333DDA3B09A9E91F7585DB6EB978EC8 ] RasMan          C:\WINDOWS\System32\rasmans.dll
11:39:59.0906 0x0f3c  RasMan - ok
11:39:59.0921 0x0f3c  [ 5BC962F2654137C9909C3D4603587DEE, A5CE5653D0105240F5E86CFAAB89E7917D42D939E2F27A5A7D6979289CA651B8 ] RasPppoe        C:\WINDOWS\system32\DRIVERS\raspppoe.sys
11:39:59.0937 0x0f3c  RasPppoe - ok
11:39:59.0968 0x0f3c  [ FDBB1D60066FCFBB7452FD8F9829B242, 10A2DACF944BD000032EBA8C095CB3D879CC55B28C377ADF6E52E508E47444DB ] Raspti          C:\WINDOWS\system32\DRIVERS\raspti.sys
11:39:59.0968 0x0f3c  Raspti - ok
11:40:00.0000 0x0f3c  [ 7AD224AD1A1437FE28D89CF22B17780A, 6645235CA27D671954E3557FA37082881C3D7D47492C71264CD8CB8D108EC801 ] Rdbss           C:\WINDOWS\system32\DRIVERS\rdbss.sys
11:40:00.0015 0x0f3c  Rdbss - ok
11:40:00.0046 0x0f3c  [ 4912D5B403614CE99C28420F75353332, 975341ECD660209987B5E5171B8315E032439E408CBE8A5986E67AF767F373BB ] RDPCDD          C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
11:40:00.0046 0x0f3c  RDPCDD - ok
11:40:00.0156 0x0f3c  [ 15CABD0F7C00C47C70124907916AF3F1, 66B5C978B7FB6359AD8BAC9F568FE9D469E358FEAB07B1F129BA9E85F1DF723E ] rdpdr           C:\WINDOWS\system32\DRIVERS\rdpdr.sys
11:40:00.0171 0x0f3c  rdpdr - ok
11:40:00.0250 0x0f3c  [ 43AF5212BD8FB5BA6EED9754358BD8F7, AF330F61CECA4AFA359CEABC5EB3227E6B56A9A2DCE50701381D665122D7356D ] RDPWD           C:\WINDOWS\system32\drivers\RDPWD.sys
11:40:00.0265 0x0f3c  RDPWD - ok
11:40:00.0328 0x0f3c  [ 3C37BF86641BDA977C3BF8A840F3B7FA, AB9A6E54DBA3F4561CD4837372BECCE0D73943D02E3288F944333039375AC08C ] RDSessMgr       C:\WINDOWS\system32\sessmgr.exe
11:40:00.0343 0x0f3c  RDSessMgr - ok
11:40:00.0375 0x0f3c  [ F828DD7E1419B6653894A8F97A0094C5, E6150E1F598BA4CFEDB8FF075BC0D576518C331B864388F1CAE8812EFF106ECF ] redbook         C:\WINDOWS\system32\DRIVERS\redbook.sys
11:40:00.0375 0x0f3c  redbook - ok
11:40:00.0437 0x0f3c  [ 7E699FF5F59B5D9DE5390E3C34C67CF5, 3FCF0442D80AB181FED4303E570378736AA1F8718C0B8B70F689A1E45200FFE4 ] RemoteAccess    C:\WINDOWS\System32\mprdim.dll
11:40:00.0437 0x0f3c  RemoteAccess - ok
11:40:00.0500 0x0f3c  [ 5B19B557B0C188210A56A6B699D90B8F, 0FA880B81AE615206FD1738B83428AAA491D54B24168339DE6E87FDE8C6C14B0 ] RemoteRegistry  C:\WINDOWS\system32\regsvc.dll
11:40:00.0500 0x0f3c  RemoteRegistry - ok
11:40:00.0562 0x0f3c  [ AAED593F84AFA419BBAE8572AF87CF6A, CC0FFC5A69394C8830DC66320DA01A820BBF41AD7E57D0FC343561DC5EF9A360 ] RpcLocator      C:\WINDOWS\system32\locator.exe
11:40:00.0578 0x0f3c  RpcLocator - ok
11:40:00.0640 0x0f3c  [ 6B27A5C03DFB94B4245739065431322C, 6AEAC16AB4E0DFD25123AAF4D4181FEE1B919B7B2793117006CE8CF30E826CFD ] RpcSs           C:\WINDOWS\System32\rpcss.dll
11:40:00.0656 0x0f3c  RpcSs - ok
11:40:00.0750 0x0f3c  [ 471B3F9741D762ABE75E9DEEA4787E47, D9ADE42965EC22AEB4B2AD21D429C3C8232A60AA9853DEFDA7AED86A13FE8623 ] RSVP            C:\WINDOWS\system32\rsvp.exe
11:40:00.0750 0x0f3c  RSVP - ok
11:40:00.0796 0x0f3c  [ BF2466B3E18E970D8A976FB95FC1CA85, F7794B5D12DC5D820A162850F4388E2AA80426AD07CB221799CF941C682AB501 ] SamSs           C:\WINDOWS\system32\lsass.exe
11:40:00.0812 0x0f3c  SamSs - ok
11:40:00.0890 0x0f3c  [ 86D007E7A654B9A71D1D7D856B104353, 7B1DE53D637A5FC9619D5D07C48927AFEC89D959207F6F2E2F45DD054EEA04C7 ] SCardSvr        C:\WINDOWS\System32\SCardSvr.exe
11:40:00.0890 0x0f3c  SCardSvr - ok
11:40:00.0968 0x0f3c  [ 0A9A7365A1CA4319AA7C1D6CD8E4EAFA, 0B582F47BD70732BAC48B8B86E5D06CE7F299A20E8177F3F2E6F28217C3FB605 ] Schedule        C:\WINDOWS\system32\schedsvc.dll
11:40:00.0984 0x0f3c  Schedule - ok
11:40:01.0046 0x0f3c  [ 90A3935D05B494A5A39D37E71F09A677, F72733A69BC6E1A2BB91D7632FF3463C12563F60FDCC00A2CDD67FF20D479952 ] Secdrv          C:\WINDOWS\system32\DRIVERS\secdrv.sys
11:40:01.0046 0x0f3c  Secdrv - ok
11:40:01.0093 0x0f3c  [ CBE612E2BB6A10E3563336191EDA1250, C331797DC3569F0E715766561DE2562F60B924378842246C35D2B1CF867E9D96 ] seclogon        C:\WINDOWS\System32\seclogon.dll
11:40:01.0109 0x0f3c  seclogon - ok
11:40:01.0140 0x0f3c  [ 7FDD5D0684ECA8C1F68B4D99D124DCD0, 7105B026F966A992430F86C3698ABE15EC73E4772F1A3E362E29FD5247A5DCA6 ] SENS            C:\WINDOWS\system32\sens.dll
11:40:01.0140 0x0f3c  SENS - ok
11:40:01.0171 0x0f3c  [ 0F29512CCD6BEAD730039FB4BD2C85CE, 4F98AE390D1B14A755700DD6CEFB9CF921F0404AF2145D2D7E5F52394F87C6A5 ] serenum         C:\WINDOWS\system32\DRIVERS\serenum.sys
11:40:01.0171 0x0f3c  serenum - ok
11:40:01.0203 0x0f3c  [ CCA207A8896D4C6A0C9CE29A4AE411A7, 5999B39242283CD803319AADCA171CCCC6E2A40FB2FAFA51B1D29F3FF2DD8D6C ] Serial          C:\WINDOWS\system32\DRIVERS\serial.sys
11:40:01.0203 0x0f3c  Serial - ok
11:40:01.0359 0x0f3c  [ 8E6B8C671615D126FDC553D1E2DE5562, CEEC0067514555D5CA489F50E3D7562FCA8DB8E952C3C878604C9277FC77959F ] Sfloppy         C:\WINDOWS\system32\drivers\Sfloppy.sys
11:40:01.0359 0x0f3c  Sfloppy - ok
11:40:01.0421 0x0f3c  [ 83F41D0D89645D7235C051AB1D9523AC, B681F33EEAA511D6A2DCB9FBAA407B739184C9FF6067C6B7E51F1FC37E9D4DD7 ] SharedAccess    C:\WINDOWS\System32\ipnathlp.dll
11:40:01.0468 0x0f3c  SharedAccess - ok
11:40:01.0515 0x0f3c  [ 99BC0B50F511924348BE19C7C7313BBF, A1006C687BD352F700B140DC741515A0CDD9E1352C0FBD1EE410D404E344444B ] ShellHWDetection C:\WINDOWS\System32\shsvcs.dll
11:40:01.0531 0x0f3c  ShellHWDetection - ok
11:40:01.0562 0x0f3c  Simbad - ok
11:40:01.0609 0x0f3c  Sparrow - ok
11:40:01.0671 0x0f3c  [ AB8B92451ECB048A4D1DE7C3FFCB4A9F, DD17733CBB370FCA08F0296704D7CBEACA3C8F76D0ABE4761C3B1FFDF7481D9E ] splitter        C:\WINDOWS\system32\drivers\splitter.sys
11:40:01.0671 0x0f3c  splitter - ok
11:40:01.0734 0x0f3c  [ 60784F891563FB1B767F70117FC2428F, E0B07F08E60FFBAD36C2E58180F4B2A16DCA47716044CBE0213DF7B74D742F1F ] Spooler         C:\WINDOWS\system32\spoolsv.exe
11:40:01.0750 0x0f3c  Spooler - ok
11:40:01.0796 0x0f3c  sprtlisten - ok
11:40:01.0843 0x0f3c  sprtsvc_quickcare - ok
11:40:01.0906 0x0f3c  [ 76BB022C2FB6902FD5BDD4F78FC13A5D, 6031CB2344D7277FC703480EB43CF856A0F8F818EA98FF26A2CA532336CD2DFA ] sr              C:\WINDOWS\system32\DRIVERS\sr.sys
11:40:01.0906 0x0f3c  sr - ok
11:40:01.0953 0x0f3c  [ 3805DF0AC4296A34BA4BF93B346CC378, B57A14F1B7B0997E619DDD62B73157AA2399A9852166FB58139CBB358A88F6F3 ] srservice       C:\WINDOWS\system32\srsvc.dll
11:40:01.0968 0x0f3c  srservice - ok
11:40:02.0046 0x0f3c  [ 47DDFC2F003F7F9F0592C6874962A2E7, 17C643BD4EB09B5666FE41817DC785BE04A6E491CE79E8E5A702CDBD98E1BDD7 ] Srv             C:\WINDOWS\system32\DRIVERS\srv.sys
11:40:02.0093 0x0f3c  Srv - ok
11:40:02.0171 0x0f3c  [ 0A5679B3714EDAB99E357057EE88FCA6, 01E1A101FFF48402C77E385A78FEF27876E04533B60EB1C18558A737E57E5FA8 ] SSDPSRV         C:\WINDOWS\System32\ssdpsrv.dll
11:40:02.0187 0x0f3c  SSDPSRV - ok
11:40:02.0265 0x0f3c  [ 8BAD69CBAC032D4BBACFCE0306174C30, 2AA0DA710FCBFF38FE8DA91EE02E7A4503269347E61F8D3246FCA3384BBA2305 ] stisvc          C:\WINDOWS\system32\wiaservc.dll
11:40:02.0312 0x0f3c  stisvc - ok
11:40:02.0406 0x0f3c  [ 9A97B7024E2CA4D42046BF272997E14C, DB724A4A1B28F8C4D63937D749590475FB0D9E2045D66F086D14BC5499B58045 ] SupportSoft RemoteAssist C:\Program Files\Common Files\supportsoft\bin\ssrc.exe
11:40:02.0468 0x0f3c  SupportSoft RemoteAssist - ok
11:40:02.0515 0x0f3c  [ 3941D127AEF12E93ADDF6FE6EE027E0F, EA1F0E32E1C5E90FA4AAC421DEBBE086512340758D3217A6334E886BCE638B51 ] swenum          C:\WINDOWS\system32\DRIVERS\swenum.sys
11:40:02.0515 0x0f3c  swenum - ok
11:40:02.0562 0x0f3c  [ 8CE882BCC6CF8A62F2B2323D95CB3D01, B408550A581F3DA222355964AFA4E976AD8471F0AA37573C42C4948AE5A23A3B ] swmidi          C:\WINDOWS\system32\drivers\swmidi.sys
11:40:02.0578 0x0f3c  swmidi - ok
11:40:02.0593 0x0f3c  SwPrv - ok
11:40:02.0640 0x0f3c  symc810 - ok
11:40:02.0671 0x0f3c  symc8xx - ok
11:40:02.0687 0x0f3c  sym_hi - ok
11:40:02.0718 0x0f3c  sym_u3 - ok
11:40:02.0781 0x0f3c  [ 8B83F3ED0F1688B4958F77CD6D2BF290, 546D3602183702B4F53E84413CFA2C933D64C8540378E54A8DCD148F3F36A2DA ] sysaudio        C:\WINDOWS\system32\drivers\sysaudio.sys
11:40:02.0796 0x0f3c  sysaudio - ok
11:40:02.0859 0x0f3c  [ C7ABBC59B43274B1109DF6B24D617051, 4384CA0AA6CE9B603CF7DB775A3C721E46715D5B120B94FB57DEADAADE18535B ] SysmonLog       C:\WINDOWS\system32\smlogsvc.exe
11:40:02.0875 0x0f3c  SysmonLog - ok
11:40:02.0968 0x0f3c  [ 3CB78C17BB664637787C9A1C98F79C38, F35C31F6B7F366CB949D1044B357C76DEC9170441C5E559802794F62B72FD255 ] TapiSrv         C:\WINDOWS\System32\tapisrv.dll
11:40:02.0984 0x0f3c  TapiSrv - ok
11:40:03.0078 0x0f3c  [ 9AEFA14BD6B182D61E3119FA5F436D3D, EA29E49434585409272E7901AF89771FE9D6E911A7DC44AB3C7020CFF8A44552 ] Tcpip           C:\WINDOWS\system32\DRIVERS\tcpip.sys
11:40:03.0109 0x0f3c  Tcpip - ok
11:40:03.0187 0x0f3c  [ 6471A66807F5E104E4885F5B67349397, F35CBFFB8BB235CCE30EF94A5273333900DD49FD506BF9D55D99A320B8A53A5A ] TDPIPE          C:\WINDOWS\system32\drivers\TDPIPE.sys
11:40:03.0187 0x0f3c  TDPIPE - ok
11:40:03.0218 0x0f3c  [ C56B6D0402371CF3700EB322EF3AAF61, 7743FA4C734BCE38EFB1CA69BC17364D8421E2CD172F856F7E38E7AE1EE93F2F ] TDTCP           C:\WINDOWS\system32\drivers\TDTCP.sys
11:40:03.0218 0x0f3c  TDTCP - ok
11:40:03.0265 0x0f3c  [ 88155247177638048422893737429D9E, B6D4E8691917946332C2208D01F8C8281978C1AD1E9951C5D99DF0D49AC34B3B ] TermDD          C:\WINDOWS\system32\DRIVERS\termdd.sys
11:40:03.0265 0x0f3c  TermDD - ok
11:40:03.0328 0x0f3c  [ FF3477C03BE7201C294C35F684B3479F, D6246521539BA4ACD022D26983182F5E323D2EF1EA7C54265A248C43A1CE5202 ] TermService     C:\WINDOWS\System32\termsrv.dll
11:40:03.0390 0x0f3c  TermService - ok
11:40:03.0421 0x0f3c  tgsrvc_quickcare - ok
11:40:03.0515 0x0f3c  [ 99BC0B50F511924348BE19C7C7313BBF, A1006C687BD352F700B140DC741515A0CDD9E1352C0FBD1EE410D404E344444B ] Themes          C:\WINDOWS\System32\shsvcs.dll
11:40:03.0515 0x0f3c  Themes - ok
11:40:03.0578 0x0f3c  [ DB7205804759FF62C34E3EFD8A4CC76A, 13A4248F528CE98ACA66898E56822E4FC49B11F491FF1F61A687BA601BF0A802 ] TlntSvr         C:\WINDOWS\system32\tlntsvr.exe
11:40:03.0593 0x0f3c  TlntSvr - ok
11:40:03.0609 0x0f3c  TosIde - ok
11:40:03.0671 0x0f3c  [ 55BCA12F7F523D35CA3CB833C725F54E, 849FB1AE31B143B14B298BBC0D91230693D41DEB95F46516878F53A7F4186C38 ] TrkWks          C:\WINDOWS\system32\trkwks.dll
11:40:03.0687 0x0f3c  TrkWks - ok
11:40:03.0781 0x0f3c  [ 88E0F99FDB8DDCB6E6A15380E164FEA2, 794C084B60DAC803E35BE933143A77EF2888D53B9EBEDAE4825C40A05A04F7E4 ] trufos          C:\WINDOWS\system32\DRIVERS\trufos.sys
11:40:03.0812 0x0f3c  trufos - ok
11:40:03.0890 0x0f3c  [ 5787B80C2E3C5E2F56C2A233D91FA2C9, 3774905CF77954DFCECDA5BCC7CDE3D0ED72712BFAAD85ADAE5246306447E46C ] Udfs            C:\WINDOWS\system32\drivers\Udfs.sys
11:40:03.0890 0x0f3c  Udfs - ok
11:40:03.0937 0x0f3c  ultra - ok
11:40:04.0015 0x0f3c  [ 402DDC88356B1BAC0EE3DD1580C76A31, 32A686595710336A6BFD54C03F552AE39439611662F84EF5D24193AE5665C6F3 ] Update          C:\WINDOWS\system32\DRIVERS\update.sys
11:40:04.0062 0x0f3c  Update - ok
11:40:04.0140 0x0f3c  [ 1EBAFEB9A3FBDC41B8D9C7F0F687AD91, 7746916DB48E3F5B243B63C066596AD9037A494BF1AD935946DD04AC85D983DF ] upnphost        C:\WINDOWS\System32\upnphost.dll
11:40:04.0156 0x0f3c  upnphost - ok
11:40:04.0203 0x0f3c  [ 05365FB38FCA1E98F7A566AAAF5D1815, 16843048CEEC3DAA3B953A12FF1EE339E86783A08F2A56DA7F94AD9F9717D77D ] UPS             C:\WINDOWS\System32\ups.exe
11:40:04.0203 0x0f3c  UPS - ok
11:40:04.0265 0x0f3c  [ 1B611611C28D2DF25BC057D79C6F13FC, B0D86F63E44B40413BBAE6402CC088046CFAE082D41BBC2ED5A916293356B846 ] usbccgp         C:\WINDOWS\system32\DRIVERS\usbccgp.sys
11:40:04.0281 0x0f3c  usbccgp - ok
11:40:04.0328 0x0f3c  [ 4BAC8DF07F1D8434FC640E677A62204E, 76C1351AF6752224BF59DEEE0F8665FE699F3DFD679F5BCD01C7D9383E6402A4 ] usbehci         C:\WINDOWS\system32\DRIVERS\usbehci.sys
11:40:04.0328 0x0f3c  usbehci - ok
11:40:04.0375 0x0f3c  [ 1AB3CDDE553B6E064D2E754EFE20285C, A99C4528C4227B1E96847614745AAFACD3C5F1BDFE435214DBF78740FFB300FE ] usbhub          C:\WINDOWS\system32\DRIVERS\usbhub.sys
11:40:04.0390 0x0f3c  usbhub - ok
11:40:04.0437 0x0f3c  [ A717C8721046828520C9EDF31288FC00, 1530BBE832EDBB0974AD89D723A03FF7A0094B368992D73C2C3E62A181DF1E0A ] usbprint        C:\WINDOWS\system32\DRIVERS\usbprint.sys
11:40:04.0437 0x0f3c  usbprint - ok
11:40:04.0453 0x0f3c  [ A32426D9B14A089EAA1D922E0C5801A9, ED1DC52EE45F8EAD3AEC4B1F817BB25634141CF48295494C5947DCE6CF7A9817 ] usbstor         C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
11:40:04.0468 0x0f3c  usbstor - ok
11:40:04.0500 0x0f3c  [ 26496F9DEE2D787FC3E61AD54821FFE6, 8BE7FF647470B9A951CBB478FAF83D657A15CC78037F42348A6B738F21D523DA ] usbuhci         C:\WINDOWS\system32\DRIVERS\usbuhci.sys
11:40:04.0515 0x0f3c  usbuhci - ok
11:40:04.0562 0x0f3c  [ 0D3A8FAFCEACD8B7625CD549757A7DF1, B9CFDEFCD66AA139F3DC2F967B184669532922563AD5A71769BABDC4370D065E ] VgaSave         C:\WINDOWS\System32\drivers\vga.sys
11:40:04.0562 0x0f3c  VgaSave - ok
11:40:04.0578 0x0f3c  ViaIde - ok
11:40:04.0625 0x0f3c  [ 4C8FCB5CC53AAB716D810740FE59D025, 010EAC43DBED700B73E4FC908FAAF9F6A0168EBBD5D86751E49BC33AAA18BFA4 ] VolSnap         C:\WINDOWS\system32\drivers\VolSnap.sys
11:40:04.0640 0x0f3c  VolSnap - ok
11:40:04.0718 0x0f3c  [ 7A9DB3A67C333BF0BD42E42B8596854B, D31A9A3B1AAAB373EDD73B674102395212FCB616F829E938B7B2B7BE7D4752C5 ] VSS             C:\WINDOWS\System32\vssvc.exe
11:40:04.0734 0x0f3c  VSS - ok
11:40:04.0828 0x0f3c  [ 54AF4B1D5459500EF0937F6D33B1914F, FA1876888BCB9C72A92369DBED4FF1A8666784523FB41E618FA0919490FCDDB9 ] W32Time         C:\WINDOWS\system32\w32time.dll
11:40:04.0843 0x0f3c  W32Time - ok
11:40:04.0890 0x0f3c  [ E20B95BAEDB550F32DD489265C1DA1F6, 5589B2067E6C9FBA290D8C5EADDC198EBAF39C50C3CD7D2BC5CDA7CBFBC445E5 ] Wanarp          C:\WINDOWS\system32\DRIVERS\wanarp.sys
11:40:04.0890 0x0f3c  Wanarp - ok
11:40:04.0984 0x0f3c  [ D918617B46457B9AC28027722E30F647, 407284D3055DC11944D4EE7E4357E7CF9CAF8CA40CA50633AB6FD4A82CB7EEA6 ] Wdf01000        C:\WINDOWS\system32\Drivers\wdf01000.sys
11:40:05.0031 0x0f3c  Wdf01000 - ok
11:40:05.0046 0x0f3c  WDICA - ok
11:40:05.0093 0x0f3c  [ 6768ACF64B18196494413695F0C3A00F, 3A8F8586F1D997D19A8478345338D2AECD785AEABDB61531DD3F92003D3230A5 ] wdmaud          C:\WINDOWS\system32\drivers\wdmaud.sys
11:40:05.0109 0x0f3c  wdmaud - ok
11:40:05.0140 0x0f3c  [ 77A354E28153AD2D5E120A5A8687BC06, 8B2D37A4443501C0A8E70BC2079BE27F0A36FD07B561E6F68B40A72EABBC2DFE ] WebClient       C:\WINDOWS\System32\webclnt.dll
11:40:05.0156 0x0f3c  WebClient - ok
11:40:05.0281 0x0f3c  [ 2D0E4ED081963804CCC196A0929275B5, E1D75C7D7233D81DFDE13160B0C80138DF8B35230D04FB79B367A52FACF69BF8 ] winmgmt         C:\WINDOWS\system32\wbem\WMIsvc.dll
11:40:05.0281 0x0f3c  winmgmt - ok
11:40:05.0375 0x0f3c  [ C51B4A5C05A5475708E3C81C7765B71D, F776D2680BD3407307B7072626F78460361FC5BC38623C9E16F394D300AB25DE ] WmdmPmSN        C:\WINDOWS\system32\MsPMSNSv.dll
11:40:05.0390 0x0f3c  WmdmPmSN - ok
11:40:05.0468 0x0f3c  [ E76F8807070ED04E7408A86D6D3A6137, BFCF5361B7335760A7AE4B6958DE516A27AC60AA09135A46F0B49F588FAFE3A0 ] Wmi             C:\WINDOWS\System32\advapi32.dll
11:40:05.0546 0x0f3c  Wmi - ok
11:40:05.0625 0x0f3c  [ E0673F1106E62A68D2257E376079F821, 12992F18C9653050B10DC61D12988067933FCFDF02123D3A7EF5DE607A785DDC ] WmiApSrv        C:\WINDOWS\system32\wbem\wmiapsrv.exe
11:40:05.0640 0x0f3c  WmiApSrv - ok
11:40:05.0796 0x0f3c  [ F74E3D9A7FA9556C3BBB14D4E5E63D3B, C71FAAC752F6D58BF8556661252DBF8C5DDD090CAE002A2C7E09C9A014526066 ] WMPNetworkSvc   C:\Program Files\Windows Media Player\WMPNetwk.exe
11:40:05.0890 0x0f3c  WMPNetworkSvc - ok
11:40:06.0046 0x0f3c  [ 15673BD0B86150CB8E27766059C72A9B, 56C23289A8BFF4945EE532CF6D62D3EC81B827CA15A359F30A327789F9FE9CAF ] WPFFontCache_v0400 C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe
11:40:06.0109 0x0f3c  WPFFontCache_v0400 - ok
11:40:06.0171 0x0f3c  [ 6ABE6E225ADB5A751622A9CC3BC19CE8, 4061C5D0F051DFF1730E2A3BFC1CCA97B29602FC50F10F6B44D93B0D28F42024 ] WS2IFSL         C:\WINDOWS\System32\drivers\ws2ifsl.sys
11:40:06.0171 0x0f3c  WS2IFSL - ok
11:40:06.0234 0x0f3c  [ 7C278E6408D1DCE642230C0585A854D5, DA46079A04F6E8E3441E4AE454AEAC02B3E935DE29CE7F6D4476F57867FCC12A ] wscsvc          C:\WINDOWS\system32\wscsvc.dll
11:40:06.0250 0x0f3c  wscsvc - ok
11:40:06.0312 0x0f3c  [ 35321FB577CDC98CE3EB3A3EB9E4610A, C9A6F5CF282D8FCB3CDFCC4B306013480E78E1B664E1A60A4E27B161F9FFD4CD ] wuauserv        C:\WINDOWS\system32\wuauserv.dll
11:40:06.0328 0x0f3c  wuauserv - ok
11:40:06.0390 0x0f3c  [ F15FEAFFFBB3644CCC80C5DA584E6311, 79B3E9AF35976CE49921E9BEA3BA3B4A8AF762FD3F284B62954038B5FFB32471 ] WudfPf          C:\WINDOWS\system32\DRIVERS\WudfPf.sys
11:40:06.0390 0x0f3c  WudfPf - ok
11:40:06.0437 0x0f3c  [ 28B524262BCE6DE1F7EF9F510BA3985B, AEFF02B899801A63CBB262757C3D4369E38BFF0690BD085DE60E873DFBE3C3F4 ] WudfRd          C:\WINDOWS\system32\DRIVERS\wudfrd.sys
11:40:06.0437 0x0f3c  WudfRd - ok
11:40:06.0484 0x0f3c  [ 05231C04253C5BC30B26CBAAE680ED89, 5C03C2D7E0B573646D32F4093E2FF2C3BA391C39F5BA37D67F69D38E357FCC3D ] WudfSvc         C:\WINDOWS\System32\WUDFSvc.dll
11:40:06.0500 0x0f3c  WudfSvc - ok
11:40:06.0593 0x0f3c  [ 81DC3F549F44B1C1FFF022DEC9ECF30B, 3D14BFEA539F9CEB16555BD56C5E3C7C8F6692FC62C2789F8AAEA1C042E63940 ] WZCSVC          C:\WINDOWS\System32\wzcsvc.dll
11:40:06.0640 0x0f3c  WZCSVC - ok
11:40:06.0703 0x0f3c  [ 295D21F14C335B53CB8154E5B1F892B9, 9418477C2E3EA93E93D931A4EDD4500DA568FAD6040204B5201D1080203B0BBC ] xmlprov         C:\WINDOWS\System32\xmlprov.dll
11:40:06.0718 0x0f3c  xmlprov - ok
11:40:06.0734 0x0f3c  ================ Scan global ===============================
11:40:06.0796 0x0f3c  [ 42F1F4C0AFB08410E5F02D4B13EBB623, 924C30587C51C0D1E1F47991969AF492A644552E15F2480EA991DCB74A3E68D5 ] C:\WINDOWS\system32\basesrv.dll
11:40:06.0875 0x0f3c  [ 69AE2B2E6968C316536E5B10B9702E63, D9C5DA7A20DDE69D91E72400C3F06F3CB099DEF42EA6C53FCE076258A0C22391 ] C:\WINDOWS\system32\winsrv.dll
11:40:06.0937 0x0f3c  [ 69AE2B2E6968C316536E5B10B9702E63, D9C5DA7A20DDE69D91E72400C3F06F3CB099DEF42EA6C53FCE076258A0C22391 ] C:\WINDOWS\system32\winsrv.dll
11:40:06.0984 0x0f3c  [ 65DF52F5B8B6E9BBD183505225C37315, 59C606977DB40A3443DFF0BE2A4C761824881B22C9FDB3D23F6486DB580E92A4 ] C:\WINDOWS\system32\services.exe
11:40:06.0984 0x0f3c  [ Global ] - ok
11:40:07.0000 0x0f3c  ================ Scan MBR ==================================
11:40:07.0031 0x0f3c  [ 8F558EB6672622401DA993E1E865C861 ] \Device\Harddisk0\DR0
11:40:07.0250 0x0f3c  \Device\Harddisk0\DR0 - ok
11:40:07.0250 0x0f3c  ================ Scan VBR ==================================
11:40:07.0281 0x0f3c  [ 33B71562F7EFC7C84E1731B6C0C45D39 ] \Device\Harddisk0\DR0\Partition1
11:40:07.0281 0x0f3c  \Device\Harddisk0\DR0\Partition1 - ok
11:40:07.0296 0x0f3c  ================ Scan generic autorun ======================
11:40:07.0562 0x0f3c  [ 5A63691DA367ADBA3081D4D51AE3C939, 05E3D4AB716BF68BC6EEFDC4FC2B85F6738E052EB6D75198F7C876435CA198B5 ] C:\Program Files\Malwarebytes Anti-Exploit\mbae.exe
11:40:07.0812 0x0f3c  Malwarebytes Anti-Exploit - ok
11:40:07.0890 0x0f3c  [ 093D3EE722542BA2E7AD929AA3CA6ABC, C96CAFE2365DB062A06CC0426C5C1519350CD2E57D2721148BC20F72130CBF5C ] C:\WINDOWS\system32\igfxtray.exe
11:40:07.0906 0x0f3c  IgfxTray - ok
11:40:07.0937 0x0f3c  [ E4CF942A4AEA9D27C87F190F65E7D0F6, 4F0875FDEA3B5363CB54295EE3A9EA2355E270C8DD2FC57F0713116867F8AE77 ] C:\WINDOWS\system32\hkcmd.exe
11:40:07.0953 0x0f3c  HotKeysCmds - ok
11:40:08.0015 0x0f3c  [ 2D99607F21FF368C0E335A2D91A052A1, 97C8DADC411B2B2470F764CB44738F39EC4652FD021A32420D2A460B02BB4F4B ] C:\WINDOWS\BCMSMMSG.exe
11:40:08.0046 0x0f3c  BCMSMMSG - ok
11:40:08.0187 0x0f3c  [ 4EAF6F8F0B3BE33A0E3877EB7FFD48D4, CD89A31004E3E5A3253554CABF70B89D4F2FCBC40161FFA9E633CD85261A2769 ] C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
11:40:08.0265 0x0f3c  Adobe ARM - ok
11:40:08.0343 0x0f3c  [ 5F1D5F88303D4A4DBC8E5F97BA967CC3, 5FB24FC7916A6E6B3BE7D84CB1684215B266CD1495575C2E5672B8447932E5B1 ] C:\WINDOWS\system32\ctfmon.exe
11:40:08.0343 0x0f3c  ctfmon.exe - ok
11:40:08.0500 0x0f3c  [ F172AD4E906D97ED8F071896FC6789DC, FC10B3CE3DB0D3BF84DFD28E900EB6A11EDAAE32AC50F23CB03AACC6AA496911 ] C:\Documents and Settings\steveo\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
11:40:08.0609 0x0f3c  Google Update - ok
11:40:08.0625 0x0f3c  Waiting for KSN requests completion. In queue: 213
11:40:09.0625 0x0f3c  Waiting for KSN requests completion. In queue: 213
11:40:10.0625 0x0f3c  Waiting for KSN requests completion. In queue: 213
11:40:11.0812 0x0f3c  AV detected via SS1: Bitdefender Antivirus Free Edition, 1.0.21.1109, enabled, updated
11:40:11.0812 0x0f3c  FW detected via SS1: , 1.0.21.1109, enabled
11:40:14.0406 0x0f3c  ============================================================
11:40:14.0406 0x0f3c  Scan finished
11:40:14.0406 0x0f3c  ============================================================
11:40:14.0437 0x0c18  Detected object count: 0
11:40:14.0437 0x0c18  Actual detected object count: 0
11:40:33.0015 0x0ad4  Deinitialize success
 


  • 0

#43
Lamont_Cranston

Lamont_Cranston

    Member

  • Topic Starter
  • Member
  • PipPip
  • 36 posts

And the aswMBR log:

 

 

aswMBR version 1.0.1.2290 Copyright© 2014 AVAST Software
Run date: 2017-06-25 11:50:59
-----------------------------
11:50:59.218    OS Version: Windows 5.1.2600 Service Pack 3
11:50:59.218    Number of processors: 1 586 0x209
11:50:59.218    ComputerName: BADDABING  UserName: dean
11:50:59.968    Initialize success
11:51:00.046    VM: initialized successfully
11:51:00.046    VM: Intel CPU virtualization not supported
12:02:55.609    AVAST engine defs: 17030301
12:09:30.140    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
12:09:30.140    Disk 0 Vendor: ST380011A 3.16 Size: 76293MB BusType: 3
12:09:30.421    Disk 0 MBR read successfully
12:09:30.437    Disk 0 MBR scan
12:09:32.390    Disk 0 Windows XP default MBR code
12:09:32.421    Disk 0 Partition 1 00     DE   Dell Utility Dell 4.1       31 MB offset 63
12:09:34.281    Disk 0 Partition 2 80 (A) 07      HPFS/NTFS NTFS        76253 MB offset 64260
12:09:34.328    Disk 0 default boot code
12:09:35.375    Disk 0 scanning sectors +156232125
12:09:36.468    Disk 0 scanning C:\WINDOWS\system32\drivers
12:10:15.796    Service scanning
12:10:22.265    Service bdftdif C:\Program Files\Bitdefender\Antivirus Free Edition\bdftdif.sys **LOCKED** 5
12:10:22.500    Service bdselfpr C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys **LOCKED** 5
12:11:01.515    Modules scanning
12:11:01.546    Disk 0 trace - called modules:
12:11:01.562    ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll intelide.sys PCIIDEX.SYS
12:11:01.562    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x83b6aab8]
12:11:01.578    3 CLASSPNP.SYS[f7a40fd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x83be0d98]
12:11:03.656    AVAST engine scan C:\WINDOWS
12:11:18.562    AVAST engine scan C:\WINDOWS\system32
12:16:21.078    AVAST engine scan C:\WINDOWS\system32\drivers
12:16:39.328    AVAST engine scan C:\Documents and Settings\dean
12:32:10.296    AVAST engine scan C:\Documents and Settings\All Users
12:34:00.656    Disk 0 statistics 1672815/0/0 @ 0.80 MB/s
12:34:00.687    Scan finished successfully
12:37:41.437    Disk 0 MBR has been saved successfully to "C:\MBR.dat"
12:37:41.437    The log file has been saved successfully to "C:\aswMBR.txt"


 


  • 0

#44
RKinner

RKinner

    Malware Expert

  • Expert
  • 19,624 posts
  • MVP
12:10:22.265    Service bdftdif C:\Program Files\Bitdefender\Antivirus Free Edition\bdftdif.sys **LOCKED** 5
12:10:22.500    Service bdselfpr C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys **LOCKED** 5

 

 

This is normal for Bitdefender.  They don't like for other programs to snoop in their files.

 

I wonder if you could submit the files to Virustotal:

 

 
Easiest way to submit a file is to copy the path:
 
C:\Program Files\Bitdefender\Antivirus Free Edition\bdftdif.sys
 
Then
Go to virustotal.com with your browser.  Click on Choose File then when the file chooser window opens, move down to the File Name: box and then Ctrl + v and the path should appear.  Hit Open and it should return to the main page with bdftdif.sys chosen.  Click on Scan it.  If it knows the file already it will tell you it's already been analyzed and offer you a choice of Reanalyze and View Last Analysis.  In that case click on View Last Analysis.  If it doesn't know the file it will take a minute to query 50+ different anti-virus companies.  In either case, If the Detection ratio: is not 0 / 50+ then copy the Analysis page and paste it into the forum.  You can just hit Ctrl + a then Ctrl + c to copy the page then go to a reply and Ctrl + v.
 
Repeat for C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys
 
The MBR seems to be the default XP mbr so should be OK but you can submit it to virustotal too using the copy that aswmbr put at C:\MBR.dat
 
If combofix is still complaining about the rootkit in tcpip, go in to device manager (right click on My COmputer and select Manage then Device Manager).  Find the Network Adapters and right click on each and delete then reboot.  Windows should reinstall them.  You can also reset tcpip.  Start, All Programs, Command Prompt and type:
 
netsh  int  ip  reset  reset.log

then hit Enter.  Reboot.


  • 0

#45
Lamont_Cranston

Lamont_Cranston

    Member

  • Topic Starter
  • Member
  • PipPip
  • 36 posts

Just updated and ran ComboFix again.  This may have been the longest scan yet.  Yeah, it found ZeroAccess! in the TCP/IP stack again.  After I rebooted twice and started Firefox I was informed that it was not set as my default browser, when it always has been. 

 

I'll delete and reinstall the network adapters, and reset TCP/IP as well after posting here.  If I run into any trouble I'll let you know.

 

After that I'll try to get the Bitdefender files to virustotal.

 

Although my machine seems to be okay right now, I'm concerned about running XP with just the EMET/MBAE combo for protection.  If the rootkit did screw up Bitdefender that might explain why it would prevent MBAE from starting.  I've checked at the wilderssecurity and malwarebytes forums for any history of conflicts between the two and didn't find much to work with.

 

I need to enter some personal information at a couple of automotive websites by morning.  Neither of them have terms of use or privacy policies which makes me nervous.


  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP