
[SOLVED] Definitely Infected with Operating Memory svchost(1776) trojan and other viru

03-29-2012, 12:49 PM   #1
Registered Member
 
Join Date: Jun 2011
Posts: 73
OS: xp



Dear Experts,

Last time I posted an issue I was clean, and now I clicked something that redirected to an adult site, and when I closed it I got hit by scores of viruses, including svchost.exe(1724) a variant of Win32/Olmasco.O trojan, and other viruses that I am posting at the end as detected by ESET antivirus.

Symptoms:
1. Complete blue screen, and when I take the pointer to the task bar I get an hourglass. The only way I can get to the Run command to open a browser is using the run task in Alt+Control+Del.

2. I am not sure how to disable ESET to run ComboFix, as I am not allowed to; the cursor does not allow me. If I restart, ESET starts again.
3. The safe mode is changed to debug mode with changed title do not run.
4. I have recovery installed, thanks to Iian who helped me confirm the system is clean, and I also have the recovery console.
5. The virus erased all the restore information and also disabled the system restore point. I downloaded restore system tools and was able to enable the system restore point, but I am not sure how to go there, as the cursor disallows me from going to the start operation.
6. The trojan is smart; any Google link with a similar issue is redirected to the wrong site.

Here is the list of viruses and trojans ESET failed to quarantine.
3/30/2012 12:12:25 AM Startup scanner file Operating memory » C:\Documents and Settings\All Users\Application Data\JYSiYyRGNluwQXA.exe a variant of Win32/TrojanDownloader.Prodatect.BL trojan cleaned by deleting - quarantined ANAND\GR Anand
3/30/2012 12:11:47 AM Startup scanner file Operating memory » svchost.exe(1724) a variant of Win32/Olmasco.O trojan unable to clean ANAND\GR Anand
3/30/2012 12:08:23 AM Real-time file system protection file C:\DOCUME~1\~1\LOCALS~1\Temp\10B.tmp a variant of Win32/Kryptik.CO trojan cleaned by deleting (after the next restart) - quarantined ANAND\GR Anand Event occurred on a file modified by the application: C:\DOCUME~1\ananN~1\LOCALS~1\Temp\outlkupd.exe.
3/30/2012 12:07:32 AM Real-time file system protection file C:\DOCUME~1\ananN~1\LOCALS~1\Temp\108.tmp a variant of Win32/Kryptik.CO trojan cleaned by deleting (after the next restart) - quarantined ANAND\GR Anand Event occurred on a file modified by the application: C:\DOCUME~1\ananN~1\LOCALS~1\Temp\008uAbL7JVmKMS.exe.
3/30/2012 12:07:21 AM Real-time file system protection file C:\DOCUME~1\ananN~1\LOCALS~1\Temp\outlkupd.exe a variant of Win32/Kryptik.CO trojan cleaned by deleting (after the next restart) - quarantined ANAND\GR Anand Event occurred on a new file created by the application: C:\DOCUME~1\ananN~1\LOCALS~1\Temp\008uAbL7JVmKMS.exe.
3/30/2012 12:07:00 AM Real-time file system protection file C:\DOCUME~1\ananN~1\LOCALS~1\Temp\008uAbL7JVmKMS.exe a variant of Win32/Kryptik.CO trojan cleaned by deleting (after the next restart) - quarantined ANAND\GR Anand Event occurred on a file modified by the application: C:\DOCUME~1\ananN~1\LOCALS~1\Temp\cgs8h0.exe.
3/22/2012 11:02:33 PM Real-time file system protection file C:\DOCUME~1\ananN~1\LOCALS~1\Temp\iMesh_DM\datamngrUI.exe a variant of Win32/Toolbar.SearchSuite potentially unwanted application unable to clean ANAND\GR Anand Event occurred during an attempt to access the file by the application: C:\DOCUME~1\ananN~1\LOCALS~1\Temp\SetupDataMngr_iMesh.exe.
3/22/2012 11:02:31 PM Real-time file system protection file C:\DOCUME~1\ananN~1\LOCALS~1\Temp\iMesh_DM\datamngrUI.exe a variant of Win32/Toolbar.SearchSuite potentially unwanted application unable to clean ANAND\GR Anand Event occurred during an attempt to access the file by the application: C:\DOCUME~1\ananN~1\LOCALS~1\Temp\SetupDataMngr_iMesh.exe.
3/22/2012 11:02:29 PM Real-time file system protection file C:\DOCUME~1\ananN~1\LOCALS~1\Temp\iMesh_DM\datamngrUI.exe a variant of Win32/Toolbar.SearchSuite potentially unwanted application unable to clean ANAND\GR Anand Event occurred during an attempt to access the file by the application: C:\DOCUME~1\ananN~1\LOCALS~1\Temp\SetupDataMngr_iMesh.exe.
3/22/2012 11:02:26 PM Real-time file system protection file C:\DOCUME~1\ananN~1\LOCALS~1\Temp\iMesh_DM\datamngr.dll Win32/Toolbar.SearchSuite potentially unwanted application unable to clean ANAND\GR Anand Event occurred during an attempt to access the file by the application: C:\DOCUME~1\ananN~1\LOCALS~1\Temp\SetupDataMngr_iMesh.exe.
3/22/2012 11:02:26 PM Real-time file system protection file C:\DOCUME~1\ananN~1\LOCALS~1\Temp\iMesh_DM\datamngr.dll Win32/Toolbar.SearchSuite potentially unwanted application unable to clean ANAND\GR Anand Event occurred during an attempt to access the file by the application: C:\DOCUME~1\ananN~1\LOCALS~1\Temp\SetupDataMngr_iMesh.exe.
3/22/2012 11:02:25 PM Real-time file system protection file C:\DOCUME~1\ananN~1\LOCALS~1\Temp\iMesh_DM\DnsBHO.dll Win32/Toolbar.SearchSuite potentially unwanted application unable to clean ANAND\GR Anand Event occurred during an attempt to access the file by the application: C:\DOCUME~1\ananN~1\LOCALS~1\Temp\SetupDataMngr_iMesh.exe.
3/22/2012 11:02:25 PM Real-time file system protection file C:\DOCUME~1\ananN~1\LOCALS~1\Temp\iMesh_DM\BrowserConnection.dll Win32/Toolbar.SearchSuite potentially unwanted application unable to clean ANAND\GR Anand Event occurred during an attempt to access the file by the application: C:\DOCUME~1\ananN~1\LOCALS~1\Temp\SetupDataMngr_iMesh.exe.
3/22/2012 11:02:24 PM Real-time file system protection file C:\DOCUME~1\ananN~1\LOCALS~1\Temp\iMesh_DM\BrowserConnection.dll Win32/Toolbar.SearchSuite potentially unwanted application unable to clean ANAND\GR Anand Event occurred during an attempt to access the file by the application: C:\DOCUME~1\ananN~1\LOCALS~1\Temp\SetupDataMngr_iMesh.exe.
3/22/2012 11:02:24 PM Real-time file system protection file C:\DOCUME~1\ananN~1\LOCALS~1\Temp\iMesh_DM\IEBHO.dll Win32/Toolbar.SearchSuite potentially unwanted application unable to clean ANAND\GR Anand Event occurred during an attempt to access the file by the application: C:\DOCUME~1\ananN~1\LOCALS~1\Temp\SetupDataMngr_iMesh.exe.
3/22/2012 11:02:23 PM Real-time file system protection file C:\DOCUME~1\ananN~1\LOCALS~1\Temp\iMesh_DM\IEBHO.dll Win32/Toolbar.SearchSuite potentially unwanted application unable to clean ANAND\GR Anand Event occurred during an attempt to access the file by the application: C:\DOCUME~1\ananN~1\LOCALS~1\Temp\SetupDataMngr_iMesh.exe.
3/22/2012 11:01:05 PM Real-time file system protection file C:\DOCUME~1\ananN~1\LOCALS~1\Temp\iMesh_DM\IEBHO.dll Win32/Toolbar.SearchSuite potentially unwanted application unable to clean ANAND\GR Anand Event occurred on a new file created by the application: C:\DOCUME~1\ananN~1\LOCALS~1\Temp\SetupDataMngr_iMesh.exe.
3/22/2012 11:01:03 PM Real-time file system protection file C:\DOCUME~1\ananN~1\LOCALS~1\Temp\iMesh_DM\DnsBHO.dll Win32/Toolbar.SearchSuite potentially unwanted application unable to clean ANAND\GR Anand Event occurred on a new file created by the application: C:\DOCUME~1\ananN~1\LOCALS~1\Temp\SetupDataMngr_iMesh.exe.
3/22/2012 11:00:58 PM Real-time file system protection file C:\DOCUME~1\ananN~1\LOCALS~1\Temp\iMesh_DM\DataMngr.dll Win32/Toolbar.SearchSuite potentially unwanted application unable to clean ANAND\GR Anand Event occurred on a new file created by the application: C:\DOCUME~1\ananN~1\LOCALS~1\Temp\SetupDataMngr_iMesh.exe.
3/22/2012 11:00:56 PM Real-time file system protection file C:\DOCUME~1\ananN~1\LOCALS~1\Temp\iMesh_DM\BrowserConnection.dll Win32/Toolbar.SearchSuite potentially unwanted application unable to clean ANAND\GR Anand Event occurred on a new file created by the application: C:\DOCUME~1\ananN~1\LOCALS~1\Temp\SetupDataMngr_iMesh.exe.
3/22/2012 11:00:43 PM Real-time file system protection file C:\DOCUME~1\ananN~1\LOCALS~1\Temp\iMesh_DM\DataMngrUI.exe a variant of Win32/Toolbar.SearchSuite potentially unwanted application unable to clean ANAND\GR Anand Event occurred on a new file created by the application: C:\DOCUME~1\ananN~1\LOCALS~1\Temp\SetupDataMngr_iMesh.exe.
2/22/2012 9:56:11 PM Real-time file system protection file F:\GR Anand_Backup\2012-02-12_22-57-37\Memeo\2012-02-12_22-57-37\C_\data\applications\exe_deleted_from_windows\FixCamera.exe a variant of Win32/KillProc.A potentially unwanted application unable to clean ANAND\GR Anand Event occurred on a new file created by the application: C:\Program Files\Memeo\AutoBackup\InstantBackup.exe.
2/19/2012 1:58:30 PM Real-time file system protection file C:\DOCUMENTS AND SETTINGS\GR ANAND\LOCAL SETTINGS\TEMPDIR\BETTERINSTALLER.EXE Win32/Adware.Somoto.A application cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\Program Files\ESET\ESET Smart Security\egui.exe.
2/11/2012 1:43:48 PM Real-time file system protection file C:\DOCUME~1\ananN~1\LOCALS~1\Temp\Av-test.txt Eicar test file cleaned by deleting - quarantined ANAND\GR Anand Event occurred on a new file created by the application: C:\ComboFix\CF31460.3XE.
2/9/2012 6:31:01 PM Real-time file system protection file C:\DOCUME~1\ananN~1\LOCALS~1\Temp\Av-test.txt Eicar test file cleaned by deleting - quarantined ANAND\GR Anand Event occurred on a new file created by the application: C:\ComboFix\CF14432.3XE.

Any quick help will be appreciated, as I have a Skype interview soon.

Thanks a Ton in Advance
Anand

__________________
protocoder is offline  
03-30-2012, 05:48 AM   #2
TSF Enthusiast
 
 
Join Date: Jun 2008
Location: London UK
Posts: 4,672
OS: Windows 7 SP1 x64



Hi protocoder,

There are some logs missing from your post that I need to see before we can begin.

Please follow our First Steps here:
http://www.techsupportforum.com/forums/f50/new-instructions-read-this-before-posting-for-malware-removal-help-305963.html

Include the required logs in your next reply.

__________________
Deleted 080713 is offline  
03-30-2012, 12:30 PM   #3
Registered Member
 
Join Date: Jun 2011
Posts: 73
OS: xp



Apologies Someguy, I forgot to attach it. I have run them again and attached them here. Meanwhile, I googled the svchost.exe(1724) a variant of Win32/Olmasco.O trojan, which advised me to delete it as soon as possible. So I tried TDSSKiller; the name change did not work either, and the fix from Symantec did the trick, and I think my laptop is back to normal...
1. Tested with Malaware, SuperAntiSpyware, SpysearchandDestroy and Hitman to look for any activity; my ESET too does not detect the presence of "svchost.exe(1724) a variant of Win32/Olmasco.O trojan" any more.
I want your certification before I use the system. I have to use this system for Skype on Monday for an interview and do not want to risk it without certification from you.

In short, I no longer see the symptoms which I got earlier. However, ESET did collect all the SVCHOST as suspicious and took the information for analysis. Now I need your certification. Thanks a lot in advance.

--- DDS text -------------- and Attachments -----------------

.
DDS (Ver_2011-08-26.01) - NTFSx86 NETWORK
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_29
Run by GR Anand at 7:44:54 on 2012-03-31
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.565 [GMT 13:00]
.
AV: ESET Smart Security 4.2 *Enabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\LVComsX.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Logitech\Video\AlbumDB2.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://google.com/
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*Yahoo! SearchBar Home Page
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = 127.0.0.1;localhost
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*Yahoo!
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: AutorunsDisabled - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Wincore Mediabar: {28387537-e3f9-4ed7-860c-11e69af4a8a0} - c:\progra~1\imesha~1\mediabar\datamngr\toolbar\wincoreimdtx.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Wincore Mediabar: {28387537-e3f9-4ed7-860c-11e69af4a8a0} - c:\progra~1\imesha~1\mediabar\datamngr\toolbar\wincoreimdtx.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: {A92ED0AE-BE6F-4690-A3FF-5A56717CC3C8} - No File
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: {AEEC7764-290D-4718-A15A-805B726D46D2} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [egui] "c:\program files\eset\eset smart security\egui.exe" /hide /waitservice
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [DATAMNGR]
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRunOnce: [SpybotDeletingA457] command.com /c del "c:\documents and settings\gr anand\application data\regclean\log\log_2009_02_23_22_22_53.log"
mRunOnce: [SpybotDeletingC3165] cmd.exe /c del "c:\documents and settings\gr anand\application data\regclean\log\log_2009_02_23_22_22_53.log"
mRunOnce: [SpybotDeletingA810] command.com /c del "c:\documents and settings\gr anand\application data\regclean\log\log_2009_02_23_22_23_11.log"
mRunOnce: [SpybotDeletingC5230] cmd.exe /c del "c:\documents and settings\gr anand\application data\regclean\log\log_2009_02_23_22_23_11.log"
mRunOnce: [SpybotDeletingA5008] command.com /c del "c:\documents and settings\gr anand\application data\regclean\log\log_2009_02_24_05_58_03.log"
mRunOnce: [SpybotDeletingC2913] cmd.exe /c del "c:\documents and settings\gr anand\application data\regclean\log\log_2009_02_24_05_58_03.log"
mRunOnce: [SpybotDeletingA5832] command.com /c del "c:\documents and settings\gr anand\application data\regclean\log\log_2009_02_26_19_22_40.log"
mRunOnce: [SpybotDeletingC8627] cmd.exe /c del "c:\documents and settings\gr anand\application data\regclean\log\log_2009_02_26_19_22_40.log"
mRunOnce: [SpybotDeletingA2490] command.com /c del "c:\documents and settings\gr anand\application data\regclean\log\log_2009_02_26_23_16_01.log"
mRunOnce: [SpybotDeletingC2928] cmd.exe /c del "c:\documents and settings\gr anand\application data\regclean\log\log_2009_02_26_23_16_01.log"
mRunOnce: [SpybotDeletingA1380] command.com /c del "c:\documents and settings\gr anand\application data\regclean\log\log_2009_02_27_19_25_58.log"
mRunOnce: [SpybotDeletingC1942] cmd.exe /c del "c:\documents and settings\gr anand\application data\regclean\log\log_2009_02_27_19_25_58.log"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
IE: &Google Search - c:\program files\google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Backward Links - c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Send To &Bluetooth - c:\program files\dell\bluetooth software\btsendto_ie_ctx.htm
IE: Similar Pages - c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\google\GoogleToolbar1.dll/cmtrans.html
IE: {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - c:\program files\paltalk messenger\Paltalk.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - c:\program files\paltalk messenger\Paltalk.exe
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\dell\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\program files\microsoft activesync\inetrepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\program files\microsoft activesync\inetrepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - c:\program files\hello\PicasaCapture.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: funpeeps.com\www
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} - hxxp://www.andhrajyothy.com/wfplayer/tdserver.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?LinkID=39204
DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} - hxxps://support.microsoft.com/OAS/ActiveX/odc.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\data\applications\common\yinsthelper.dll
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} - hxxp://www.linkedin.com/cab/LinkedInContactFinderControl.cab
DPF: {682C59F5-478C-4421-9070-AD170D143B77} - hxxp://www.dell.com/support/troubleshooting/Content/Ode/pcd86.cab
DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} - hxxp://updates.lifescapeinc.com/installers/pinstall/pinstall.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1133633412488
DPF: {6F750200-1362-4815-A476-88533DE61D0C} - hxxp://www.kodakgallery.co.uk/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} - hxxp://support.dell.com/systemprofiler/DellSystemLite.CAB
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{27C373EA-8943-4A2F-96D8-206C323F8BBC} : DhcpNameServer = 192.168.1.1
Handler: mctp - {d7b95390-b1c5-11d0-b111-0080c712fe82} - c:\program files\microsoft activesync\aatp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Handler: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - c:\windows\system32\BTXPPanel.dll
WinCE Filter: image/bmp - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\cenetflt.dll
WinCE Filter: image/gif - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\cenetflt.dll
WinCE Filter: image/jpeg - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\cenetflt.dll
WinCE Filter: image/xbm - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\cenetflt.dll
WinCE Filter: text/asp - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} - c:\program files\microsoft activesync\cenetflt.dll
WinCE Filter: text/html - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} - c:\program files\microsoft activesync\cenetflt.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxdev.dll
Notify: Sebring - c:\windows\system32\LgNotify.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\gr anand\application data\mozilla\firefox\profiles\0hp50axf.default\
FF - prefs.js: browser.search.selectedEngine - Search Results
FF - prefs.js: browser.startup.homepage - google.com
FF - prefs.js: keyword.URL - hxxp://dts.search-results.com/sr?src=ffb&appid=1083&systemid=1&sr=0&q=
FF - plugin: c:\documents and settings\gr anand\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\gr anand\application data\mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: c:\documents and settings\gr anand\local settings\application data\google\update\1.3.21.111\npGoogleUpdate3.dll
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.21.99\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.1.10111.0\npctrlui.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\photodex presenter\npPxPlay.dll
FF - plugin: c:\program files\picasa2\npPicasa3.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
.
---- FIREFOX POLICIES ----
FF - user.js: network.http.max-connections-per-server - 4
FF - user.js: content.max.tokenizing.time - 2250000
FF - user.js: content.notify.interval - 750000
FF - user.js: nglayout.initialpaint.delay - 750
.
============= SERVICES / DRIVERS ===============
.
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-7-22 130936]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-8-12 116608]
S1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2009-5-14 115008]
S1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-23 12880]
S1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-13 67664]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 ekrn;ESET Service;c:\program files\eset\eset smart security\ekrn.exe [2011-1-12 810144]
S2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2011-5-11 54760]
S2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-5-11 652360]
S3 {E2B953A7-195A-44F9-9BA3-3D5F4E32BB55};AIM 3.0 Part 01 Codec Driver CH-7009-B;c:\windows\system32\drivers\wA301b.sys [1980-1-1 33847]
S3 cpudrv;cpudrv;c:\program files\systemrequirementslab\cpudrv.sys [2011-6-2 11336]
S3 DellBIOS;DellBIOS;c:\windows\DellBIOS.Sys [2012-1-21 5120]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2010-4-28 704872]
S3 GoogleDesktopManager-060409-093314;Google Desktop Manager 5.9.906.4286;c:\program files\google\google desktop search\GoogleDesktop.exe [2009-9-29 30192]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-7-28 133104]
S3 hasplms;Sentinel HASP License Manager;c:\windows\system32\hasplms.exe -run --> c:\windows\system32\hasplms.exe -run [?]
S3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\system32\drivers\hitmanpro36.sys [2012-3-30 25888]
S3 MBAMProtector;MBAMProtector;\??\c:\windows\system32\drivers\mbam.sys --> c:\windows\system32\drivers\mbam.sys [?]
S3 PCDSRVC{E9D79540-57D5953E-06020101}_0;PCDSRVC{E9D79540-57D5953E-06020101}_0 - PCDR Kernel Mode Service Helper Driver;c:\program files\dell support center\pcdsrvc.pkms [2011-12-14 21744]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-7-22 348752]
S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2009-7-22 1095560]
S3 SNCT511;PC Camera (6005 CIF);c:\windows\system32\drivers\snct511.sys [2005-1-1 219136]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2004-3-19 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 DiskSuiteService;PC Tools Disk Suite;c:\program files\pc tools disk suite\DSService.exe [2009-6-26 394560]
S4 gupdate1ca0f652340fd90;Google Update Service (gupdate1ca0f652340fd90);c:\program files\google\update\GoogleUpdate.exe [2009-7-28 133104]
.
=============== Created Last 30 ================
.
2012-03-30 18:28:50 -------- d-s---w- C:\ComboFix
2012-03-30 11:02:30 -------- d-----w- c:\program files\Spybot - Search & Destroy
2012-03-30 11:02:30 -------- d-----w- c:\documents and settings\all users\application data\Spybot - Search & Destroy
2012-03-30 10:27:20 25888 ----a-w- c:\windows\system32\drivers\hitmanpro36.sys
2012-03-30 10:27:18 -------- d-----w- c:\program files\HitmanPro
2012-03-30 08:55:56 -------- d-----w- c:\documents and settings\all users\application data\HitmanPro
2012-03-30 08:54:52 -------- d-----w- c:\documents and settings\all users\application data\Hitman Pro
2012-03-30 04:02:08 -------- d-----w- c:\documents and settings\gr anand\application data\ParetoLogic
2012-03-22 19:12:12 4435968 ----a-w- c:\windows\system32\GPhotos.scr
2012-03-22 10:02:11 -------- d-----w- c:\documents and settings\gr anand\application data\mediabarim
2012-03-22 10:01:21 -------- d-----w- c:\documents and settings\all users\application data\boost_interprocess
2012-03-22 09:53:19 -------- d-----w- c:\documents and settings\gr anand\local settings\application data\PackageAware
2012-03-19 02:40:39 19384 ----a-w- c:\program files\mozilla firefox\AccessibleMarshal.dll
2012-03-19 02:40:38 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2012-03-19 02:40:38 2106216 ----a-w- c:\program files\mozilla firefox\D3DCompiler_43.dll
2012-03-19 02:40:38 125880 ----a-w- c:\program files\mozilla firefox\crashreporter.exe
2012-03-19 02:40:36 592824 ----a-w- c:\program files\mozilla firefox\gkmedias.dll
2012-03-19 02:40:35 44472 ----a-w- c:\program files\mozilla firefox\mozglue.dll
2012-03-13 02:46:22 -------- d-----w- c:\program files\ScreenshotCaptor
2012-03-12 07:15:46 1409 ----a-w- c:\windows\QTFont.for
2012-03-08 11:56:43 -------- d-----w- C:\Python32
.
==================== Find3M ====================
.
2012-02-17 06:25:21 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-02-03 09:22:18 1860096 ----a-w- c:\windows\system32\win32k.sys
2012-01-21 01:38:56 5120 ----a-w- c:\windows\DellBIOS.Sys
2012-01-09 16:20:25 139784 ----a-w- c:\windows\system32\drivers\rdpwd.sys
.
============= FINISH: 7:46:13.54 ===============
--------------------------- END----------------------------------------
Attached Files
File Type: zip attach.zip (7.1 KB, 11 views)
__________________
protocoder is offline  
03-30-2012, 12:42 PM   #4
TSF Enthusiast
 
 
Join Date: Jun 2008
Location: London UK
Posts: 4,672
OS: Windows 7 SP1 x64



Hi protocoder,

There are still some signs of infection showing in the logs. However, it's possible that the tools you've run have already dealt with the bulk of the active infection. Please refrain from running tools other than as instructed whilst I'm helping you with this topic; it makes my life a lot more difficult if I can't keep track of everything that's been run on the system.

Please run the following tool in Normal Mode.

I would also like to see the log from TDSSKiller, you will find this on your root drive (typically C:\) with the following naming pattern: C:\TDSSKiller.2.7.7.0_date_time_log.txt

Please attach this to your next reply.

If you haven't already, please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. You may want to print and/or save the following instructions in Notepad as this webpage will not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by a helper.

------------------------------------------------------

If there are any personal files, pics, etc. on your computer you cannot live without, back it up now just as a precaution.

------------------------------------------------------

Try to carry out the next set of instructions using Normal mode. If you cannot, be sure to boot into Safe Mode with Networking.

**Read through these instructions in their entirety BEFORE executing them.** If you have any questions or are unsure about any of the following instructions PLEASE ASK for clarification before continuing. You may want to copy this page to notepad or print it as it will not be available while you run ComboFix.

Download ComboFix from one of the following locations:

* IMPORTANT !!! Place combofix.exe on your Desktop

Disable all your AntiVirus, AntiSpyware and Firewall applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.

You can get help on disabling your protection programs here

Close all open browsers and windows and double click on combofix.exe & follow the prompts.
  • The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.



  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement.

  • ComboFix will now automatically install the Microsoft Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. It will be a new screen you see on bootup which will last only a few seconds. You do not have to press or do anything for Windows to load normally. Do not select the Microsoft Windows Recovery Console option when you start your computer unless requested to do so by a helper.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message that says:

    The Recovery Console was successfully installed.



  • Click on OK, to continue scanning for malware.

** NOTE: Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This, too, is normal.

When finished it will produce a log for you (C:\ComboFix.txt). Please include this log in your next reply.

Do not mouse-click Combofix's window while it is running. This may cause it to stall.
Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

--------------------------------------------------------
Old 03-30-2012, 07:13 PM   #5
Registered Member
 
Join Date: Jun 2011
Posts: 73
OS: xp



Hi Someguy201,

Thank you very much. I am sorry I did a few things on my own; this time, luckily, it made it workable.

Note: FixTDS from Symantec gave a message that read like "MBT cleared", and then I noticed that I was able to access the task bar with no hour bar and was also able to run TDSSKiller.

Here are two log files: the TDSSKiller log file followed by the ComboFix log file. I eagerly await further instructions.

1. TDSSKiller log file

22:07:32.0427 2252 TDSS rootkit removing tool 2.7.23.0 Mar 26 2012 13:40:18
22:07:33.0699 2252 ============================================================
22:07:33.0699 2252 Current date / time: 2012/03/30 22:07:33.0699
22:07:33.0699 2252 SystemInfo:
22:07:33.0699 2252
22:07:33.0709 2252 OS Version: 5.1.2600 ServicePack: 3.0
22:07:33.0709 2252 Product type: Workstation
22:07:33.0709 2252 ComputerName: ANAND
22:07:33.0709 2252 UserName: Anand
22:07:33.0709 2252 Windows directory: C:\WINDOWS
22:07:33.0709 2252 System windows directory: C:\WINDOWS
22:07:33.0709 2252 Processor architecture: Intel x86
22:07:33.0709 2252 Number of processors: 1
22:07:33.0709 2252 Page size: 0x1000
22:07:33.0709 2252 Boot type: Normal boot
22:07:33.0709 2252 ============================================================
22:07:43.0613 2252 Drive \Device\Harddisk0\DR0 - Size: 0xDF8F90000 (55.89 Gb), SectorSize: 0x200, Cylinders: 0x1C80, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
22:07:43.0963 2252 Drive \Device\Harddisk1\DR4 - Size: 0x7BBB000 (0.12 Gb), SectorSize: 0x200, Cylinders: 0xF, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'W'
22:07:43.0963 2252 \Device\Harddisk0\DR0:
22:07:44.0654 2252 MBR used
22:07:44.0654 2252 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x139C5, BlocksNum 0x6FB03FA
22:07:44.0654 2252 \Device\Harddisk1\DR4:
22:07:44.0664 2252 MBR used
22:07:44.0664 2252 \Device\Harddisk1\DR4\Partition0: MBR, Type 0x6, StartLBA 0x3F, BlocksNum 0x3DD0D
22:07:44.0664 2252 Initialize success
22:07:44.0664 2252 ============================================================
22:08:10.0592 3340 ============================================================
22:08:10.0592 3340 Scan started
22:08:10.0592 3340 Mode: Manual;
22:08:10.0592 3340 ============================================================
22:08:18.0954 3340 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
22:08:24.0351 3340 \Device\Harddisk0\DR0 - ok
22:08:24.0411 3340 MBR (0x1B8) (e5fa06aca0d60ba9c870d0ef3d9898c9) \Device\Harddisk1\DR4
22:08:24.0442 3340 \Device\Harddisk1\DR4 - ok
22:08:24.0492 3340 Boot (0x1200) (098a8fa4a8ca5cd11d5f37f13c3b0b10) \Device\Harddisk0\DR0\Partition0
22:08:24.0522 3340 \Device\Harddisk0\DR0\Partition0 - ok
22:08:24.0542 3340 Boot (0x1200) (11367c834cd7711dc5c2760ff56b409a) \Device\Harddisk1\DR4\Partition0
22:08:24.0552 3340 \Device\Harddisk1\DR4\Partition0 - ok
22:08:24.0552 3340 ============================================================
22:08:24.0552 3340 Scan finished
22:08:24.0552 3340 ============================================================
22:08:24.0582 3332 Detected object count: 0
22:08:24.0582 3332 Actual detected object count: 0
22:08:48.0356 4052 ============================================================
22:08:48.0356 4052 Scan started
22:08:48.0356 4052 Mode: Manual; SigCheck; TDLFS;
22:08:48.0356 4052 ============================================================
22:08:55.0296 4052 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
22:08:59.0101 4052 \Device\Harddisk0\DR0 - ok
22:08:59.0161 4052 MBR (0x1B8) (e5fa06aca0d60ba9c870d0ef3d9898c9) \Device\Harddisk1\DR4
22:09:00.0373 4052 \Device\Harddisk1\DR4 - ok
22:09:00.0433 4052 Boot (0x1200) (098a8fa4a8ca5cd11d5f37f13c3b0b10) \Device\Harddisk0\DR0\Partition0
22:09:00.0433 4052 \Device\Harddisk0\DR0\Partition0 - ok
22:09:00.0453 4052 Boot (0x1200) (11367c834cd7711dc5c2760ff56b409a) \Device\Harddisk1\DR4\Partition0
22:09:00.0463 4052 \Device\Harddisk1\DR4\Partition0 - ok
22:09:00.0463 4052 ============================================================
22:09:00.0463 4052 Scan finished
22:09:00.0463 4052 ============================================================
22:09:00.0523 3560 Detected object count: 0
22:09:00.0523 3560 Actual detected object count: 0
22:24:41.0857 2940 ============================================================
22:24:41.0857 2940 Scan started
22:24:41.0857 2940 Mode: Manual; SigCheck; TDLFS;
22:24:41.0857 2940 ============================================================
22:24:47.0535 2940 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
22:24:48.0456 2940 \Device\Harddisk0\DR0 - ok
22:24:48.0507 2940 MBR (0x1B8) (e5fa06aca0d60ba9c870d0ef3d9898c9) \Device\Harddisk1\DR4
22:24:49.0718 2940 \Device\Harddisk1\DR4 - ok
22:24:49.0728 2940 Boot (0x1200) (098a8fa4a8ca5cd11d5f37f13c3b0b10) \Device\Harddisk0\DR0\Partition0
22:24:49.0738 2940 \Device\Harddisk0\DR0\Partition0 - ok
22:24:49.0758 2940 Boot (0x1200) (11367c834cd7711dc5c2760ff56b409a) \Device\Harddisk1\DR4\Partition0
22:24:49.0768 2940 \Device\Harddisk1\DR4\Partition0 - ok
22:24:49.0768 2940 ============================================================
22:24:49.0768 2940 Scan finished
22:24:49.0768 2940 ============================================================
22:24:49.0798 1872 Detected object count: 0
22:24:49.0798 1872 Actual detected object count: 0
22:25:00.0314 2124 Deinitialize success

---------------------------- END---------------------------------------

2. -----------------COMBOFIX Log file--------------------------------


ComboFix 12-03-30.06 - Anand 03/31/2012 14:25:16.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.622 [GMT 13:00]
Running from: c:\documents and settings\Anand\Desktop\ComboFix.exe
AV: ESET Smart Security 4.2 *Disabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *Disabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
* Resident AV is active
.
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\Anand\Error.log
.
.
((((((((((((((((((((((((( Files Created from 2012-02-28 to 2012-03-31 )))))))))))))))))))))))))))))))
.
.
2012-03-30 19:45 . 2012-03-30 19:45 -------- d-----w- c:\documents and settings\Anand\Application Data\WinPatrol
2012-03-30 19:44 . 2012-03-30 19:44 -------- d-----w- c:\program files\BillP Studios
2012-03-30 19:44 . 2012-03-30 19:44 -------- d-----w- c:\documents and settings\All Users\Application Data\InstallMate
2012-03-30 19:44 . 2012-03-30 19:45 -------- d-----w- c:\program files\SpywareGuard
2012-03-30 19:35 . 2012-03-30 19:39 -------- d-----w- c:\program files\SpywareBlaster
2012-03-30 19:34 . 2012-03-30 19:34 45056 ----a-w- c:\windows\SnoopFreeDll.dll
2012-03-30 19:34 . 2012-03-30 19:34 221184 ----a-w- c:\windows\SnoopFreeUI.exe
2012-03-30 19:34 . 2012-03-30 19:34 9472 ----a-w- c:\windows\system32\drivers\SnopFree.sys
2012-03-30 19:34 . 2012-03-30 19:34 90112 ----a-w- c:\windows\system32\SnoopFreeSvc.exe
2012-03-30 11:02 . 2012-03-30 18:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2012-03-30 11:02 . 2012-03-30 11:06 -------- d-----w- c:\program files\Spybot - Search & Destroy
2012-03-30 10:27 . 2012-03-30 10:40 25888 ----a-w- c:\windows\system32\drivers\hitmanpro36.sys
2012-03-30 10:27 . 2012-03-30 10:27 -------- d-----w- c:\program files\HitmanPro
2012-03-30 08:55 . 2012-03-30 10:27 -------- d-----w- c:\documents and settings\All Users\Application Data\HitmanPro
2012-03-30 08:54 . 2012-03-30 08:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2012-03-30 04:02 . 2012-03-30 04:02 -------- d-----w- c:\documents and settings\Anand\Application Data\ParetoLogic
2012-03-29 12:55 . 2012-03-29 12:55 -------- d-----w- c:\documents and settings\Ramkishan\Local Settings\Application Data\ESET
2012-03-22 19:12 . 2012-03-22 19:12 4435968 ----a-w- c:\windows\system32\GPhotos.scr
2012-03-22 10:02 . 2012-03-22 10:02 -------- d-----w- c:\documents and settings\Anand\Application Data\mediabarim
2012-03-22 10:01 . 2012-03-22 21:00 -------- d-----w- c:\documents and settings\All Users\Application Data\boost_interprocess
2012-03-22 09:53 . 2012-03-22 09:53 -------- d-----w- c:\documents and settings\Anand\Local Settings\Application Data\PackageAware
2012-03-19 02:40 . 2012-03-19 02:40 19384 ----a-w- c:\program files\Mozilla Firefox\AccessibleMarshal.dll
2012-03-19 02:40 . 2012-03-19 02:40 2106216 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_43.dll
2012-03-19 02:40 . 2012-03-19 02:40 97208 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
2012-03-19 02:40 . 2012-03-19 02:40 125880 ----a-w- c:\program files\Mozilla Firefox\crashreporter.exe
2012-03-19 02:40 . 2012-03-19 02:40 592824 ----a-w- c:\program files\Mozilla Firefox\gkmedias.dll
2012-03-19 02:40 . 2012-03-19 02:40 44472 ----a-w- c:\program files\Mozilla Firefox\mozglue.dll
2012-03-13 02:46 . 2012-03-22 03:04 -------- d-----w- c:\program files\ScreenshotCaptor
2012-03-12 07:15 . 2012-03-12 07:15 1409 ----a-w- c:\windows\QTFont.for
2012-03-08 11:56 . 2012-03-08 11:57 -------- d-----w- C:\Python32
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-17 06:25 . 2011-05-20 10:46 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-02-03 09:22 . 2003-09-25 00:35 1860096 ----a-w- c:\windows\system32\win32k.sys
2012-01-21 01:38 . 2012-01-21 01:38 5120 ----a-w- c:\windows\DellBIOS.Sys
2012-01-09 16:20 . 2004-03-19 08:42 139784 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-03-19 02:40 . 2012-03-19 02:40 97208 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2009-09-29 08:44 . 2009-09-29 08:44 122880 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2012-03-07 3905920]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2005-10-07 176128]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2011-01-12 2219184]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-01-03 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-01 843712]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2006-06-28 1032192]
"SnoopFreeUI"="SnoopFreeUI.exe" [2012-03-30 221184]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2012-03-25 329312]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2011-07-26 434080]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
c:\documents and settings\Administrator\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [N/A]
BTTray.lnk - c:\program files\Dell\Bluetooth Software\BTTray.exe [2004-4-26 561213]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2004-9-28 24576]
Windows Desktop Search.lnk - c:\program files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe [N/A]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2004-10-19 118784]
.
c:\documents and settings\Anand\Start Menu\Programs\Startup\
SpywareGuard.lnk - c:\program files\SpywareGuard\sgmain.exe [N/A]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
2004-01-13 06:17 110592 ----a-w- c:\windows\SYSTEM32\LgNotify.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^PalTalk.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\PalTalk.lnk
backup=c:\windows\pss\PalTalk.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\SYSTEM32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelWireless]
2009-11-03 02:35 1202448 ----a-w- c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Documents and Settings\\Anand\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Anand\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\data\\applications\\Messenger\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\WINDOWS\\SYSTEM32\\hasplms.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
.
R0 PCTCore;PCTools KDS;c:\windows\SYSTEM32\DRIVERS\PCTCore.sys [7/22/2009 11:00 PM 130936]
R1 ehdrv;ehdrv;c:\windows\SYSTEM32\DRIVERS\ehdrv.sys [5/14/2009 3:47 PM 115008]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/23/2011 5:27 AM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/13/2011 10:55 AM 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [8/12/2011 12:38 PM 116608]
R2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [1/12/2011 4:41 PM 810144]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [5/11/2011 7:31 PM 652360]
S3 {E2B953A7-195A-44F9-9BA3-3D5F4E32BB55};AIM 3.0 Part 01 Codec Driver CH-7009-B;c:\windows\SYSTEM32\DRIVERS\wA301b.sys [1/1/1980 4:00 AM 33847]
S3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [6/2/2011 10:08 AM 11336]
S3 DellBIOS;DellBIOS;c:\windows\DellBIOS.Sys [1/21/2012 2:38 PM 5120]
S3 GoogleDesktopManager-060409-093314;Google Desktop Manager 5.9.906.4286;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [9/29/2009 9:44 PM 30192]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [7/28/2009 10:23 PM 133104]
S3 hasplms;Sentinel HASP License Manager;c:\windows\system32\hasplms.exe -run --> c:\windows\system32\hasplms.exe -run [?]
S3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\SYSTEM32\DRIVERS\hitmanpro36.sys [3/30/2012 11:27 PM 25888]
S3 MBAMProtector;MBAMProtector;\??\c:\windows\system32\drivers\mbam.sys --> c:\windows\system32\drivers\mbam.sys [?]
S3 PCDSRVC{E9D79540-57D5953E-06020101}_0;PCDSRVC{E9D79540-57D5953E-06020101}_0 - PCDR Kernel Mode Service Helper Driver;c:\program files\Dell Support Center\pcdsrvc.pkms [12/14/2011 2:36 PM 21744]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [7/22/2009 10:59 PM 348752]
S3 SNCT511;PC Camera (6005 CIF);c:\windows\SYSTEM32\DRIVERS\snct511.sys [1/1/2005 4:21 PM 219136]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [3/19/2004 9:43 PM 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
S4 DiskSuiteService;PC Tools Disk Suite;c:\program files\PC Tools Disk Suite\DSService.exe [6/26/2009 8:16 PM 394560]
S4 gupdate1ca0f652340fd90;Google Update Service (gupdate1ca0f652340fd90);c:\program files\Google\Update\GoogleUpdate.exe [7/28/2009 10:23 PM 133104]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder
.
2009-10-12 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2008\OneClick.exe [2008-01-08 01:31]
.
2012-02-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-28 09:23]
.
2012-02-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-28 09:23]
.
2012-03-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-225981888-670243166-1388584890-1005Core.job
- c:\documents and settings\Anand\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-10-17 07:37]
.
2012-03-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-225981888-670243166-1388584890-1005UA.job
- c:\documents and settings\Anand\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-10-17 07:37]
.
2012-03-31 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-225981888-670243166-1388584890-1005.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 09:09]
.
2012-03-25 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-225981888-670243166-1388584890-1005.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 09:09]
.
2012-03-31 c:\windows\Tasks\User_Feed_Synchronization-{08E708A2-C53B-475C-86F1-1E4C3451415D}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 16:31]
.
2009-10-12 c:\windows\Tasks\vlc.job
- c:\program files\VideoLAN\VLC\vlc.exe [2005-06-25 15:07]
.
2009-10-12 c:\windows\Tasks\wmplayer.job
- c:\program files\Windows Media Player\wmplayer.exe [2003-04-11 16:16]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
mStart Page = hxxp://www.yahoo.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*Yahoo! SearchBar Home Page
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = 127.0.0.1;localhost
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*Yahoo!
IE: &Google Search - c:\program files\google\GoogleToolbar1.dll/cmsearch.html
IE: &Translate English Word - c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Backward Links - c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar1.dll/cmcache.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Send To &Bluetooth - c:\program files\Dell\Bluetooth Software\btsendto_ie_ctx.htm
IE: Similar Pages - c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
IE: Translate Page into English - c:\program files\google\GoogleToolbar1.dll/cmtrans.html
TCP: DhcpNameServer = 192.168.1.1
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
DPF: {682C59F5-478C-4421-9070-AD170D143B77} - hxxp://www.dell.com/support/troubleshooting/Content/Ode/pcd86.cab
FF - ProfilePath - c:\documents and settings\Anand\Application Data\Mozilla\Firefox\Profiles\0hp50axf.default\
FF - prefs.js: browser.search.selectedEngine - WOT Safe Search
FF - prefs.js: browser.startup.homepage - google.com
FF - prefs.js: keyword.URL - hxxp://dts.search-results.com/sr?src=ffb&appid=1083&systemid=1&sr=0&q=
FF - user.js: network.http.max-connections-per-server - 4
FF - user.js: content.max.tokenizing.time - 2250000
FF - user.js: content.notify.interval - 750000
FF - user.js: nglayout.initialpaint.delay - 750
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{28387537-e3f9-4ed7-860c-11e69af4a8a0} - c:\progra~1\IMESHA~1\MediaBar\Datamngr\ToolBar\wincoreimdtx.dll
Toolbar-{28387537-e3f9-4ed7-860c-11e69af4a8a0} - c:\progra~1\IMESHA~1\MediaBar\Datamngr\ToolBar\wincoreimdtx.dll
Toolbar-10 - (no file)
HKLM-Run-DATAMNGR - (no file)
MSConfigStartUp-Seagate Dashboard - c:\program files\Seagate\Seagate Dashboard\MemeoLauncher.exe
.
.
.
**************************************************************************
.
disk not found C:\
.
please note that you need administrator rights to perform deep scan
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files:
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PCDSRVC{E9D79540-57D5953E-06020101}_0]
"ImagePath"="\??\c:\program files\dell support center\pcdsrvc.pkms"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1164)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\System32\LgNotify.dll
.
Completion time: 2012-03-31 14:57:37
ComboFix-quarantined-files.txt 2012-03-31 01:57
.
Pre-Run: 22,104,670,208 bytes free
Post-Run: 22,085,537,792 bytes free
.
- - End Of File - - 8F07B15DB21ED4985924FE4234A71C3C


I will wait for your advice.

Thanks a lot
Anand
__________________
protocoder is offline  
Old 03-31-2012, 03:30 AM   #6
TSF Enthusiast
 
Deleted 080713's Avatar
 
Join Date: Jun 2008
Location: London UK
Posts: 4,672
OS: Windows 7 SP1 x64



Hi protocoder, the logs are looking better now.

I see you have "TuneUp Utilities 2008" installed. Please be aware that we advise strongly against Registry Cleaners here; the majority of the time they will cause more damage than they're worth. I advise you to ignore the Registry Cleaning function of this program.

Your Java is out of date.

Java(TM) can be updated from the Java control panel Start > Control Panel (Classic View) > Java (looks like a coffee cup) > Update Tab > Update Now. An update should begin; follow the prompts. Let me know if it does not.

Make sure you untick the box next to whatever free program they prompt you to install, unless you want it.
  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
      • Applications and Applets
      • Trace and Log Files
    • Click OK on Delete Temporary Files Window
      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
    • Click OK to leave the Temporary Files Window
    • Click OK to leave the Java Control Panel.
--------------------------------------

You have this program installed, Malwarebytes Anti-Malware (MBAM). Please update it and run a scan.

Open MBAM
  • Click the Update tab
  • Click Check for Updates
  • If an update is found, it will download and install the latest version.
  • The program will close to update and reopen.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything else is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
--------------------------------------

Please also run the ESET online scan; this uses the latest ESET database for malware and allows us to detect malware in the event that your onboard ESET program is non-functioning.

It's important to run an online scan to search for any remnants that may be lurking. Please go here to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked, and the option Scan unwanted applications is checked
  • Click on Advanced Settings and ensure these options are ticked:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Click Scan
  • Wait for the scan to finish
  • If any threats were found, click 'List of found threats', then click Export to text file....
  • Save it to your desktop, then please copy and paste that log as a reply to this topic.
------------------------------------------------------
__________________
Deleted 080713 is offline  
Old 03-31-2012, 10:22 PM   #7
Registered Member
 
Join Date: Jun 2011
Posts: 73
OS: xp



Hi Someguy201,

Thank you very much for great help and time for me.

1. TuneUp Utilities I would mostly use to manage those startup functions and to uninstall programs, but I have tons of programs with no uninstall files and am not sure how to free them, so sometimes I use the shredder. No, I don't use it to touch registries; I was doing that a couple of years ago, and I read the literature here that your team doesn't like it, so I stopped.

Question: What should I be doing with loads of orphan programs and registries hanging around?

2. Malware scan seems to be OK. Here is the log.

Malwarebytes Anti-Malware 1.60.1.1000
Malwarebytes : Free anti-malware, anti-virus and spyware removal download

Database version: v2012.03.31.13

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
Anand :: ANAND [administrator]

4/1/2012 10:00:03 AM
mbam-log-2012-04-01 (10-00-03).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 250433
Time elapsed: 18 minute(s), 55 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
------------------------------- END --------------------------------------

3. ESET online Scan

ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=a988bed75b0c4743901b609ea349cf5d
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2012-03-30 03:16:13
# local_time=2012-03-30 04:16:13 (+1200, New Zealand Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 84054155 84054155 0 0
# compatibility_mode=768 16777215 100 0 0 0 0 0
# compatibility_mode=2560 16777215 100 0 0 0 0 0
# compatibility_mode=8202 39157077 100 100 9453 37416458 0 0
# scanned=146477
# found=15
# cleaned=15
# scan_time=22193
# nod_component=V3 Build:0x30000000
C:\data\applications\exe_deleted_from_windows\FixCamera.exe a variant of Win32/KillProc.A application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\data\Download\MyPhoneExplorer_Setup_1.8.2.exe Win32/OpenCandy application (deleted - quarantined) 00000000000000000000000000000000 C
C:\data\Download\YouTubeDownloaderSetup274.exe multiple threats (deleted - quarantined) 00000000000000000000000000000000 C
C:\data\Download\YouTubeDownloaderSetup33.exe a variant of Win32/Toolbar.Widgi application (deleted - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\YouTube Downloader\ytd_installer.exe probably a variant of Win32/Toolbar.Widgi application (deleted - quarantined) 00000000000000000000000000000000 C
C:\Program Files\Common Files\Spigot\wtxpcom\components\WidgiToolbarFF.dll.5 a variant of Win32/Adware.Toolbar.Dealio application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Program Files\Perfect Uninstaller\PerfectUninstaller_Setup.exe a variant of Win32/PerfectUninstaller application (deleted - quarantined) 00000000000000000000000000000000 C
C:\Program Files\Perfect Uninstaller\PU.exe a variant of Win32/PerfectUninstaller application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP2\A0001117.exe a variant of Win32/KillProc.A application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP2\A0001121.exe Win32/OpenCandy application (deleted - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP2\A0001122.exe multiple threats (deleted - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP2\A0001123.exe a variant of Win32/Toolbar.Widgi application (deleted - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP2\A0001124.exe probably a variant of Win32/Toolbar.Widgi application (deleted - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP2\A0001126.exe a variant of Win32/PerfectUninstaller application (deleted - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP2\A0001127.exe a variant of Win32/PerfectUninstaller application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=a988bed75b0c4743901b609ea349cf5d
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2012-04-01 01:26:30
# local_time=2012-04-01 01:26:30 (+1200, New Zealand Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 84232050 84232050 0 0
# compatibility_mode=768 16777215 100 0 0 0 0 0
# compatibility_mode=2560 16777215 100 0 0 0 0 0
# compatibility_mode=8202 39157157 100 100 3821 37594353 0 0
# scanned=144195
# found=0
# cleaned=0
# scan_time=10541
# nod_component=V3 Build:0x30000000
----------------------------------------- END ---------------------------

Do you think the Win32/Olmasco.O trojan is destroyed? I wait for your advice.

Thanks a lot
Anand
__________________
protocoder is offline  
Old 04-01-2012, 06:04 AM   #8
TSF Enthusiast
 
Deleted 080713's Avatar
 
Join Date: Jun 2008
Location: London UK
Posts: 4,672
OS: Windows 7 SP1 x64



Hi protocoder,

Quote:
Question: What should I be doing with loads of orphan programs and registries hanging around.

In general, not much. The effect of having too many orphaned registry keys is negligible. I notice you have Perfect Uninstaller on your system; you may have noticed that it was partially detected by ESET as an unwanted program. I would uninstall this and use Revo Uninstaller instead. This is a much more reliable alternative, and will also take care of orphaned keys from uninstalled programs.

None of the ESET results were serious, and it looks like it has deleted them all anyway. I'm happy to say your logs are clean.

Disconnect from the internet and disable your AntiVirus temporarily.

Go to -> Run -> copy/paste in the following single-line command and click OK:

ComboFix /Uninstall

This will uninstall ComboFix. It will also implement some cleanup procedures and reset System Restore points.

Re-enable your AntiVirus now. Reconnect to the internet at your leisure.
------------------------------------------------------

To help protect your computer in the future I recommend that you follow these steps and look into the following free programs:

MICROSOFT UPDATES

It is very important that you get all of the critical updates for your Operating System and Internet Explorer. Keeping your OS and browser up to date will help make you less susceptible to attacks by Trojans and viruses. Please go to Microsoft and download all the critical updates to help prevent possible re-infection.

SOFTWARE
You need an antivirus that is continually updated and a good firewall. In Windows Vista and 7, the Windows inbuilt firewall is usually sufficient, but XP users are recommended to have a good 3rd party firewall. However, be very wary with any security software that is advertised in popups. They are not only usually of no use, but often have malware in them. If you ever have doubts about the legitimacy of an anti-spyware or anti-virus program, it is best to post your question in our General Security forum.

Remember never to install more than one AntiVirus program as they will conflict with each other.
  • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam, and helps to protect your computer against online threats when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
    • Green to go
    • Yellow for caution
    • Red to stop

    WOT has an add-on available for all major browsers.

  • Winpatrol is a heuristic protection program, meaning it looks for patterns in code that work like malware. It also takes a snapshot of your system's critical resources and alerts you to any changes that may occur without you knowing. You can read more about Winpatrol's features here. The Plus Version has more features, and you can read Winpatrol's FAQ if you run into any problems.

  • MVPS HOSTS FILE replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer. Windows Vista users see here, and Windows 7 users see here. Note that if you use a company provided HOSTS file you should not use the MVPS HOSTS file.

  • ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively renders System Restore unavailable by simple means. With ERUNT, you're able to restore the damaged Registry.

    Vista/Windows 7 users - see this link for proper setup of ERUNT: Automatically Backup your Windows Vista Registry daily using ERUNT - The Winhelponline Blog

SPYWARE PREVENTION

In light of your recent troubles, I'm sure you'd like to avoid any future infections. Please take a look at these well-written articles:

PC Safety & Security - What Do I Need?
Think Prevention

Have a look here if your PC is still running a bit slow
Is your PC running slow...?

Please respond to this thread one more time so we can mark this issue as resolved.
__________________
Deleted 080713 is offline  
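
One way to triage the ESET Online Scanner log from post #7 before reading it by eye, as an added example (not part of the thread and not an ESET tool). The function names are hypothetical, and it assumes the trailing word of each detection name ("application", "trojan") carries the detection class, as in the names shown in this thread.

```python
import re
from collections import Counter

# Abridged excerpt of the first ESET Online Scanner log in post #7:
# three header fields and 5 of its 15 detection lines, copied as posted.
SAMPLE_LOG = r"""# remove_checked=true
# found=15
# cleaned=15
C:\data\Download\MyPhoneExplorer_Setup_1.8.2.exe Win32/OpenCandy application (deleted - quarantined) 00000000000000000000000000000000 C
C:\data\Download\YouTubeDownloaderSetup274.exe multiple threats (deleted - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Application Data\YouTube Downloader\ytd_installer.exe probably a variant of Win32/Toolbar.Widgi application (deleted - quarantined) 00000000000000000000000000000000 C
C:\Program Files\Perfect Uninstaller\PU.exe a variant of Win32/PerfectUninstaller application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP2\A0001121.exe Win32/OpenCandy application (deleted - quarantined) 00000000000000000000000000000000 C
"""

HEADER = re.compile(r"^#\s*([^=\s]+)=(.*)$")
# Fields arrive space-separated here, so the path is matched lazily up to the
# first token that looks like a detection name (Platform/Family + class word).
DETECTION = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?P<name>(?:probably )?(?:a variant of )?\S+/\S+ \w+|multiple threats)\s+"
    r"\((?P<action>[^)]*)\)\s+(?P<hash>[0-9A-Fa-f]{32})\s+\S+$"
)
PUA = "unwanted/unsafe application"

def parse_eset_log(text):
    header, detections = {}, []
    for line in map(str.strip, text.splitlines()):
        m = HEADER.match(line)
        if m:
            header[m.group(1)] = m.group(2)
        elif (m := DETECTION.match(line)):
            detections.append(m.groupdict())
    return header, detections

def classify(name):
    # Assumption: the trailing word of the name carries the detection class.
    if name.endswith(" application"):
        return PUA
    return "unspecified" if name == "multiple threats" else "malware"

def triage(text):
    header, detections = parse_eset_log(text)
    return {
        # Every detection the scanner counted was also cleaned.
        "all_found_cleaned": header.get("found") == header.get("cleaned"),
        # True means the scanner removed items itself instead of only reporting.
        "auto_remove": header.get("remove_checked") == "true",
        "classes": Counter(classify(d["name"]) for d in detections),
        # Copies held in System Restore points rather than live files.
        "restore_point_copies": sum(
            "\\System Volume Information\\_restore" in d["path"] for d in detections),
        # Anything not plainly an unwanted/unsafe application gets a manual look.
        "review": [d["path"] for d in detections if classify(d["name"]) != PUA],
    }
```

Call `triage()` on the full exported log text; entries listed under `review` are the ones whose class the name alone does not settle.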
Old 04-01-2012, 11:51 AM   #9
Registered Member
 
Join Date: Jun 2011
Posts: 73
OS: xp



Hi Someguy201,

Thank you so much. Really appreciate your time to me. Thank you for the tips I would do as advised. I forgot to mention, I have upgraded my java too.
Now I will go ahead and Uninstall combofix and Perfect installer as well.
Thanks a lot
Cheers
Anand
__________________
protocoder is offline  
Old 04-01-2012, 11:53 AM   #10
TSF Enthusiast
 
Deleted 080713's Avatar
 
Join Date: Jun 2008
Location: London UK
Posts: 4,672
OS: Windows 7 SP1 x64



You're welcome!

__________________
Deleted 080713 is offline  
 



All times are GMT -7. The time now is 05:00 AM.


Copyright 2001 - 2014, Tech Support Forum
