
Infected with unknown trojan/worm/backdoor


  • This topic is locked
51 replies to this topic

#1 lilking420

Posted 01 March 2012 - 10:11 PM

Cannot get rid of whatever this is... Have formatted and clean installed Windows multiple times and still have this thing.
Any insight will be greatly appreciated..

*EDIT* I have no clue what this infection is... no AV or anti-spy/malware progs have indicated any problems. Panda found the superhidden entry, but HouseCall, AVG, MBAM, F-Secure, Eset, BitDefender, come up clean. HJT shows some weird folder redirects. Began a couple weeks ago now with a DDoS attack (my dlink router indicated that); it also had its firmware downgraded 1 step. Unfortunately, I did not have the presence of mind to get the logs saved. Now it seems that some form of Active Directory/Group policy is at work, but I am using Win 7 Home Premium which should have neither from what I understand. Rather than plaster this thread with logs, I will await a response, please inquire for whatever you need. I have a thought that this may be some sort of government surveillance as I youtube as Anon... no haxor, just messenger... whatever. Gotta get rid of this thing pronto. Thanks!

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_31
Run by P at 20:55:00 on 2012-03-01
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3836.2694 [GMT -6:00]
.
SP: Spybot - Search && Destroy *Enabled/Updated* {1EAF1D03-5480-F3B2-EB14-11F0F5EE2699}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\PeerBlock\peerblock.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Windows\SysWOW64\Macromed\Flash\FlashUtil11f_ActiveX.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\sppsvc.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = www.dell.com
uDefault_Page_URL = www.dell.com
mWinlogon: Userinit=userinit.exe
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - C:\Program Files (x86)\Spybot - Search & Destroy 2\SDHelper.dll
uRun: [PeerBlock] C:\Program Files\PeerBlock\peerblock.exe
mRun: [SDTray] "C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe"
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy 2\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 24.159.193.40 24.205.224.36 68.190.192.35
TCP: Interfaces\{AC87DA20-5A66-4049-AB22-DD1010F94204} : DhcpNameServer = 24.159.193.40 24.205.224.36 68.190.192.35
Notify: SDWinLogon - SDWinLogon.dll
IFEO: taskmgr.exe - "C:\Program Files\Process Hacker 2\ProcessHacker.exe"
BHO-X64: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files (x86)\Spybot - Search & Destroy 2\SDHelper.dll
mRun-x64: [SDTray] "C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe"
IFEO-X64: taskmgr.exe - "C:\Program Files\Process Hacker 2\ProcessHacker.exe"
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\P\AppData\Roaming\Mozilla\Firefox\Profiles\9dhfk4d6.default\
FF - plugin: C:\Program Files (x86)\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npjp2.dll
FF - plugin: C:\Users\P\AppData\Roaming\Mozilla\Firefox\Profiles\9dhfk4d6.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
.
============= SERVICES / DRIVERS ===============
.
R0 PxHlpa64;PxHlpa64;C:\Windows\system32\Drivers\PxHlpa64.sys --> C:\Windows\system32\Drivers\PxHlpa64.sys [?]
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
R2 AdobeARMservice;Adobe Acrobat Update Service;C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-1-3 63928]
R2 SDScannerService;Spybot-S&D 2 Scanner Service;C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [2012-3-1 1181104]
R2 SDUpdateService;Spybot-S&D 2 Updating Service;C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [2012-3-1 1185704]
R2 SDWSCService;Spybot-S&D 2 Security Center Service;C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [2012-3-1 166528]
R3 amdkmdag;amdkmdag;C:\Windows\system32\DRIVERS\atikmdag.sys --> C:\Windows\system32\DRIVERS\atikmdag.sys [?]
R3 amdkmdap;amdkmdap;C:\Windows\system32\DRIVERS\atikmpag.sys --> C:\Windows\system32\DRIVERS\atikmpag.sys [?]
R3 CtClsFlt;Creative Camera Class Upper Filter Driver;C:\Windows\system32\DRIVERS\CtClsFlt.sys --> C:\Windows\system32\DRIVERS\CtClsFlt.sys [?]
R3 nuviocir;Nuvoton W836x7HG CIR Device Driver;C:\Windows\system32\DRIVERS\nuviocir_win7_x64.sys --> C:\Windows\system32\DRIVERS\nuviocir_win7_x64.sys [?]
R3 pbfilter;pbfilter;C:\Program Files\PeerBlock\pbfilter.sys [2012-3-1 24176]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys --> C:\Windows\system32\DRIVERS\Rt64win7.sys [?]
R4 KProcessHacker2;KProcessHacker2;C:\Program Files\Process Hacker 2\kprocesshacker.sys [2012-3-1 36424]
S3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;C:\Windows\system32\drivers\nusb3hub.sys --> C:\Windows\system32\drivers\nusb3hub.sys [?]
S3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;C:\Windows\system32\drivers\nusb3xhc.sys --> C:\Windows\system32\drivers\nusb3xhc.sys [?]
S3 PORTMON;PORTMON;C:\Users\P\Documents\SysinternalsSuite\PORTMSYS.SYS [2012-3-1 28656]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\system32\drivers\TsUsbGD.sys --> C:\Windows\system32\drivers\TsUsbGD.sys [?]
S4 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe --> C:\Windows\system32\atiesrxx.exe [?]
S4 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
.
=============== Created Last 30 ================
.
2012-03-02 01:17:36 69000 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{B498165F-C6FD-4DD1-9728-CCEAED10C4D0}\offreg.dll
2012-03-02 00:06:59 -------- d-----w- C:\Program Files\CCleaner
2012-03-01 22:22:18 -------- d-----w- C:\Users\P\AppData\Roaming\QuickScan
2012-03-01 21:12:44 -------- d-----w- C:\Users\P\AppData\Roaming\Process Hacker 2
2012-03-01 20:03:39 -------- d-----w- C:\Program Files\Process Hacker 2
2012-03-01 17:08:45 -------- d-----w- C:\Users\P\AppData\Local\Adobe
2012-03-01 15:28:48 -------- d-----w- C:\Program Files\PeerBlock
2012-03-01 13:55:09 414368 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2012-03-01 11:24:13 -------- d-----w- C:\Windows\SysWow64\Wat
2012-03-01 11:24:13 -------- d-----w- C:\Windows\System32\Wat
2012-03-01 11:21:18 -------- d-----w- C:\Users\P\AppData\Roaming\Roxio Log Files
2012-03-01 08:03:24 8199504 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
2012-03-01 08:03:22 8643640 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{B498165F-C6FD-4DD1-9728-CCEAED10C4D0}\mpengine.dll
2012-03-01 06:23:49 -------- d-----w- C:\ProgramData\Spybot - Search & Destroy
2012-03-01 06:23:44 17272 ----a-w- C:\Windows\System32\sdnclean64.exe
2012-03-01 06:23:41 -------- d-----w- C:\Program Files (x86)\Spybot - Search & Destroy 2
2012-03-01 06:10:48 -------- d-----w- C:\tmp
2012-03-01 05:35:56 -------- d-----w- C:\Users\P\AppData\Local\Diagnostics
2012-03-01 05:02:06 -------- d-----w- C:\Users\P\AppData\Roaming\f-secure
2012-03-01 05:02:02 -------- d-----w- C:\ProgramData\F-Secure
2012-03-01 04:54:33 525544 ----a-w- C:\Windows\System32\deployJava1.dll
2012-03-01 04:54:18 472808 ------w- C:\Windows\SysWow64\deployJava1.dll
2012-03-01 04:40:49 43520 ----a-w- C:\Windows\System32\csrsrv.dll
2012-03-01 04:36:04 1923952 ----a-w- C:\Windows\System32\drivers\tcpip.sys
2012-03-01 04:36:00 3145728 ----a-w- C:\Windows\System32\win32k.sys
2012-03-01 04:33:42 5561216 ----a-w- C:\Windows\System32\ntoskrnl.exe
2012-03-01 04:33:42 3967872 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
2012-03-01 04:33:42 3912576 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
2012-03-01 04:33:21 77312 ----a-w- C:\Windows\System32\packager.dll
2012-03-01 04:33:21 67072 ----a-w- C:\Windows\SysWow64\packager.dll
2012-03-01 04:27:29 -------- d-----w- C:\Users\P\AppData\Local\ATI
2012-03-01 04:27:28 -------- d-----w- C:\Users\P\AppData\Roaming\Dell Touch Zone
2012-03-01 04:27:03 -------- d-----w- C:\Users\P\AppData\Local\VirtualStore
.
==================== Find3M ====================
.
2012-01-29 11:10:42 279656 ------w- C:\Windows\System32\MpSigStub.exe
2012-01-04 10:44:20 509952 ----a-w- C:\Windows\System32\ntshrui.dll
2012-01-04 08:58:41 442880 ----a-w- C:\Windows\SysWow64\ntshrui.dll
2011-12-30 06:26:08 515584 ----a-w- C:\Windows\System32\timedate.cpl
2011-12-30 05:27:56 478720 ----a-w- C:\Windows\SysWow64\timedate.cpl
2011-12-28 03:59:24 498688 ----a-w- C:\Windows\System32\drivers\afd.sys
2011-12-16 08:46:06 634880 ----a-w- C:\Windows\System32\msvcrt.dll
2011-12-16 07:52:58 690688 ----a-w- C:\Windows\SysWow64\msvcrt.dll
2011-12-14 07:11:03 2308096 ----a-w- C:\Windows\System32\jscript9.dll
2011-12-14 07:04:30 1390080 ----a-w- C:\Windows\System32\wininet.dll
2011-12-14 07:03:38 1493504 ----a-w- C:\Windows\System32\inetcpl.cpl
2011-12-14 06:57:28 2382848 ----a-w- C:\Windows\System32\mshtml.tlb
2011-12-14 03:04:54 1798656 ----a-w- C:\Windows\SysWow64\jscript9.dll
2011-12-14 02:57:18 1127424 ----a-w- C:\Windows\SysWow64\wininet.dll
2011-12-14 02:56:58 1427456 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2011-12-14 02:50:04 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb
.
============= FINISH: 20:55:23.54 ===============

Edited by lilking420, 02 March 2012 - 12:53 AM.
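The "Pseudo HJT Report" section of the DDS log above lists autostart points (Run keys, Winlogon Userinit and Notify, Image File Execution Options debuggers, the hosts file) and local policy values. The `mPolicies` prefix only means an HKLM Policies key; the UAC values under it exist on every Windows 7 edition, Home Premium included, whether or not anything changed them. The following is an added example, not code from DDS or from the post: a small Python triage pass over those lines that separates entries matching Windows 7 defaults or pointing at installed programs from the ones worth checking by hand. The `WIN7_POLICY_DEFAULTS` table and the `USER_WRITABLE` path list are assumptions to extend; the sample lines are copied from the report above.

```python
"""Triage pass over the autostart and policy lines of a DDS "Pseudo HJT Report".

Added example for this thread; not part of DDS or of the original post.
Assumptions: the default-value table and the user-writable path list are
starting points, not a complete baseline.
"""
import re
from typing import Dict, List

# Windows 7 defaults for the UAC values DDS prints under mPolicies-system.
# Only keys whose defaults are certain are listed; unknown keys are reported, not judged.
WIN7_POLICY_DEFAULTS: Dict[str, int] = {
    "ConsentPromptBehaviorAdmin": 5,
    "ConsentPromptBehaviorUser": 3,
    "EnableUIADesktopToggle": 0,
    "EnableLUA": 1,
    "PromptOnSecureDesktop": 1,
}

# Autostart binaries under these directories are writable without admin rights (assumption; extend).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\", "\\recycler\\")

PATTERNS = {
    "ifeo": re.compile(r'^IFEO(?:-X64)?:\s+(\S+)\s+-\s+"?([^"]+?)"?\s*$'),
    "hosts": re.compile(r"^Hosts:\s+(\S+)\s+(\S+)"),
    "policy": re.compile(r"^mPolicies-(\w+):\s+(\w+)\s+=\s+(\d+)"),
    "run": re.compile(r'^([um]Run(?:-x64)?):\s+\[([^\]]+)\]\s+"?([^"]+?)"?\s*$'),
    "notify": re.compile(r"^Notify:\s+(\S+)\s+-\s+(\S+)"),
    "winlogon": re.compile(r"^mWinlogon:\s+(\w+)=(.+)$"),
}


def classify_policy(key: str, value: int):
    if key not in WIN7_POLICY_DEFAULTS:
        return "info", f"{key}={value}: not in baseline table, verify by hand"
    if WIN7_POLICY_DEFAULTS[key] == value:
        return "info", f"{key}={value}: Windows 7 default"
    return "review", f"{key}={value}: differs from Windows 7 default {WIN7_POLICY_DEFAULTS[key]}"


def triage(lines) -> List[dict]:
    """Return one finding per recognised line; severity is info, review or high."""
    findings = []
    for raw in lines:
        line = raw.strip()
        for kind, rx in PATTERNS.items():
            m = rx.match(line)
            if not m:
                continue
            if kind == "ifeo":  # a debugger value runs *instead of* the named program
                exe, debugger = m.groups()
                findings.append(dict(kind=kind, severity="review", item=exe,
                                     detail=f"{debugger} runs instead of {exe}; fine only if you installed it as a replacement"))
            elif kind == "hosts":  # loopback blocks a site; any other address redirects it
                ip, host = m.groups()
                sev = "review" if ip in ("127.0.0.1", "0.0.0.0", "::1") else "high"
                findings.append(dict(kind=kind, severity=sev, item=host, detail=f"{host} -> {ip}"))
            elif kind == "policy":
                scope, key, value = m.groups()
                sev, detail = classify_policy(key, int(value))
                findings.append(dict(kind=kind, severity=sev, item=f"{scope}\\{key}", detail=detail))
            elif kind == "run":
                hive, name, path = m.groups()
                sev = "review" if any(tok in path.lower() for tok in USER_WRITABLE) else "info"
                findings.append(dict(kind=kind, severity=sev, item=name, detail=f"{hive} -> {path}"))
            elif kind == "notify":  # notification packages load into winlogon.exe
                name, dll = m.groups()
                findings.append(dict(kind=kind, severity="review", item=name, detail=f"Winlogon Notify DLL {dll}"))
            elif kind == "winlogon" and m.group(1) == "Userinit":
                entries = [e.strip() for e in m.group(2).split(",") if e.strip()]
                ok = len(entries) == 1 and entries[0].lower().split("\\")[-1] == "userinit.exe"
                findings.append(dict(kind=kind, severity="info" if ok else "high", item="Userinit", detail=m.group(2).strip()))
            break
    return findings


def needs_review(findings: List[dict]) -> List[dict]:
    return [f for f in findings if f["severity"] != "info"]


# Lines copied from the DDS report in the first post (non-autostart lines kept as noise).
SAMPLE_REPORT = r"""
uStart Page = www.dell.com
mWinlogon: Userinit=userinit.exe
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - C:\Program Files (x86)\Spybot - Search & Destroy 2\SDHelper.dll
uRun: [PeerBlock] C:\Program Files\PeerBlock\peerblock.exe
mRun: [SDTray] "C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe"
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
Notify: SDWinLogon - SDWinLogon.dll
IFEO: taskmgr.exe - "C:\Program Files\Process Hacker 2\ProcessHacker.exe"
mRun-x64: [SDTray] "C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe"
IFEO-X64: taskmgr.exe - "C:\Program Files\Process Hacker 2\ProcessHacker.exe"
Hosts: 127.0.0.1 www.spywareinfo.com
""".strip().splitlines()

if __name__ == "__main__":
    for f in needs_review(triage(SAMPLE_REPORT)):
        print(f"[{f['severity']:6}] {f['kind']:8} {f['item']}: {f['detail']}")
```

On the sample, the three UAC values are the Windows 7 defaults, the Run entries point into Program Files, and Userinit is untouched; what remains for manual checking is the Winlogon Notify DLL, the two IFEO debugger entries for taskmgr.exe (the path is the Process Hacker 2 install created the same day, which is what its Task Manager replacement option writes, so it is expected here), and the hosts entry, which should be compared with the actual C:\Windows\System32\drivers\etc\hosts file.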



#2 nasdaq

nasdaq

  • Malware Response Team
  • 19,867 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:01:33 PM

Posted 04 March 2012 - 11:34 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

Please download ComboFix from any of the links below, and save it to your desktop. For information regarding this download, please visit this web page: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop

IMPORTANT....

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Do not install any other programs until this is fixed.


How to : Disable Anti-virus and Firewall...
http://www.bleepingcomputer.com/forums/topic114351.html

Double click on ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt
Note:
Do not mouse click ComboFix's window while it's running. That may cause it to stall


Note: If you have difficulty properly disabling your protective programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html
===

Third-party programs, if not up to date, can be the cause of infiltration by an infection.

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

Note: If after running ComboFix you get this error message "Illegal operation attempted on a registry key that has been marked for deletion." when attempting to run a program all you need to do is restart the computer to reset the registry.

Please post the logs for my review.

Let me know what problem persists.

#3 lilking420

  • Topic Starter

Posted 04 March 2012 - 03:02 PM

Hi Nasdaq. Thank you for taking up my cause... Here are the logs you requested... BTW... since my first post I had to restore to the only image I have for this machine... It was created shortly after I set the computer up. Though it appears whatever this issue is has gnawed its way into the BIOS or recovery info on my disk... I have tried the same WITH a full format on all disks as well. Also, I have been researching while I was waiting and found this video... Anonymous trojan info on youtube... the description contains some info, but keep in mind I am unsure if this is my issue... just that it is a possibility. Slowloris/Zeus trojan...?




ComboFix 12-03-04.01 - P 03/04/2012 13:49:00.1.2 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3836.2506 [GMT -6:00]
Running from: c:\users\P\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2012-02-04 to 2012-03-04 )))))))))))))))))))))))))))))))
.
.
2012-03-04 19:02 . 2012-03-04 19:04 -------- d-----w- c:\users\P\SecurityScans
2012-03-04 19:01 . 2012-03-04 19:01 -------- d-----w- c:\program files\Microsoft Baseline Security Analyzer 2
2012-03-04 18:28 . 2012-03-04 18:28 -------- d-----w- c:\users\P\AppData\Local\Apps
2012-03-04 17:17 . 2012-02-09 19:17 927800 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{3F547261-7B7C-4E63-9357-05BA0210D14C}\gapaengine.dll
2012-03-04 17:17 . 2012-03-01 19:21 8643640 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{36AEFF0E-5037-4632-AB41-D5C1543B3AB1}\mpengine.dll
2012-03-04 17:14 . 2012-03-04 17:14 -------- d-----w- c:\program files (x86)\Microsoft Security Client
2012-03-04 17:14 . 2012-03-04 17:14 -------- d-----w- c:\program files\Microsoft Security Client
2012-03-04 17:11 . 2012-02-20 07:05 8643640 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{BBDFD850-EA41-4549-AE86-8A6C19B34C87}\mpengine.dll
2012-03-04 17:02 . 2011-11-19 14:58 77312 ----a-w- c:\windows\system32\packager.dll
2012-03-04 17:02 . 2011-11-19 14:01 67072 ----a-w- c:\windows\SysWow64\packager.dll
2012-03-04 16:29 . 2012-03-04 16:29 162664 ----a-w- c:\programdata\Microsoft\Windows\Sqm\Manifest\Sqm10140.bin
2012-03-04 16:10 . 2012-03-04 16:10 525544 ----a-w- c:\windows\system32\deployJava1.dll
2012-03-04 16:10 . 2012-03-04 16:10 -------- d-----w- c:\program files\Java
2012-03-04 16:09 . 2012-03-04 16:09 -------- d-----w- c:\program files (x86)\Common Files\Java
2012-03-04 16:09 . 2012-03-04 16:09 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll
2012-03-04 16:09 . 2012-03-04 16:09 -------- d-----w- c:\program files (x86)\Java
2012-03-04 16:06 . 2012-03-04 16:06 -------- d-----w- c:\users\P\AppData\Local\Diagnostics
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-03-04 17:22 . 2011-11-16 05:42 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-01-31 12:44 . 2010-11-21 03:27 279656 ------w- c:\windows\system32\MpSigStub.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 RoxWatch12;Roxio Hard Drive Watcher 12;c:\program files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatch12OEM.exe [2010-11-25 219632]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [x]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [x]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2011-04-27 288272]
R3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;c:\windows\system32\drivers\nusb3hub.sys [x]
R3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;c:\windows\system32\drivers\nusb3xhc.sys [x]
R3 PCDSRVC{67F2314B-25F2B3C0-06020101}_0;PCDSRVC{67F2314B-25F2B3C0-06020101}_0 - PCDR Kernel Mode Service Helper Driver;c:\gencotst\pcdsrvc_x64.pkms [x]
R3 RoxMediaDB12OEM;RoxMediaDB12OEM;c:\program files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxMediaDB12OEM.exe [2010-11-25 1116656]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-06-06 64952]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
S2 DellOSDservice;DellOSDservice;c:\program files\Dell\OSD\DellOSDservice.exe [2010-07-06 7168]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [x]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]
S3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\DRIVERS\CtClsFlt.sys [x]
S3 nuviocir;Nuvoton W836x7HG CIR Device Driver;c:\windows\system32\DRIVERS\nuviocir_win7_x64.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
.
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - WS2IFSL
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2010-06-23 10920552]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 1436736]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
Trusted Zone: microsoft.com\update
TCP: DhcpNameServer = 24.159.193.40 24.205.224.36 68.190.192.35
FF - ProfilePath - c:\users\P\AppData\Roaming\Mozilla\Firefox\Profiles\if9pgvzc.default\
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
Toolbar-Locked - (no file)
AddRemove-{6F0BBEFE-BE1C-419B-BA1F-D36C9E7915BC} - c:\programdata\Uninstall\{6F0BBEFE-BE1C-419B-BA1F-D36C9E7915BC}\setup.exe
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PCDSRVC{67F2314B-25F2B3C0-06020101}_0]
"ImagePath"="\??\c:\gencotst\pcdsrvc_x64.pkms"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Microsoft Shared\Ink\TabTip32.exe
.
**************************************************************************
.
Completion time: 2012-03-04 13:55:32 - machine was rebooted
ComboFix-quarantined-files.txt 2012-03-04 19:55
.
Pre-Run: 959,191,891,968 bytes free
Post-Run: 959,114,739,712 bytes free
.
- - End Of File - - CE2F36FAD5221D2B9520654850FCF79F






Results of screen317's Security Check version 0.99.31
Windows 7 x64 (UAC is enabled)
Internet Explorer 9
``````````````````````````````
Antivirus/Firewall Check:

Windows Security Center service is not running! This report may not be accurate!
Windows Firewall Disabled!
WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:

Java™ 6 Update 31
Adobe Reader X (10.1.1)
Mozilla Firefox (8.0.)
````````````````````````````````
Process Check:
objlist.exe by Laurent

Windows Defender MSMpEng.exe
Microsoft Security Essentials msseces.exe
Microsoft Security Client Antimalware MsMpEng.exe
``````````End of Log````````````




Please advise at your convenience Nasdaq. Thanks again!

Edited by lilking420, 04 March 2012 - 03:13 PM.


#4 nasdaq

  • Malware Response Team
  • Location:Montreal, QC. Canada

Posted 05 March 2012 - 09:28 AM

Please Download
TDSSKiller.zip

>>> Double-click on TDSSKiller.exe to run the application.
  • Click on the Start Scan button and wait for the scan and disinfection process to be over.
  • If an infected file is detected, the default action will be Cure, click on Continue
  • If a suspicious file is detected, the default action will be Skip, click on Continue
  • If you are asked to reboot the computer to complete the process, click on the Reboot Now button. A report will be automatically saved at the root of the System drive (usually C:\) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt" (for example, C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt). Please copy and paste the contents of that file here.
  • If no reboot is required, click on Report. A log file will appear. Please copy and paste the contents of that file in your next reply.

Download http://public.avast.com/~gmerek/aswMBR.exe (aswMBR.exe) to your desktop. Double click the aswMBR.exe to run it

  • Click the "Scan" button to start scan.
  • Upon completion of the scan, click Save log, and save it to your desktop. (Note - do not select any Fix at this time) <- IMPORTANT
  • Please post the contents of that log in your next reply.
There shall also be a file on your desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) folder. Please attach that zipped file in your next reply.

===

Please post the logs for my review.

Please let me know what problem persists.
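The MBR.dat that the instructions above ask for is a raw copy of sector 0 of the disk. The following is an added example, not code from the thread or from aswMBR or TDSSKiller, that parses such a dump offline: it checks the 0x55AA boot signature, lists the partition entries, hashes the bootstrap-code region that MBR bootkits overwrite, and compares the table with the partitions TDSSKiller reports for this disk (two type 0x7 partitions starting at LBA 0x800 and 0x72BAE000). The sample sector is constructed from those numbers with zeroed boot code, and the disk size is taken from TDSSKiller's "Size" field; both are assumptions standing in for a real MBR.dat.

```python
"""Parse the partition table of a raw 512-byte MBR image (aswMBR's MBR.dat is
sector 0 of the disk) and cross-check it against the layout TDSSKiller prints.

Added example for this thread; not code from aswMBR, TDSSKiller or the post.
"""
import hashlib
import struct
import sys

MBR_SIZE = 512
DISK_SIGNATURE_OFFSET = 0x1B8   # bytes 0..0x1B7 are bootstrap code, then the 4-byte NT disk signature
PARTITION_TABLE_OFFSET = 0x1BE  # four 16-byte entries, ending at 0x1FE
PARTITION_ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xAA"
ENTRY_FORMAT = "<B3sB3sII"      # status, CHS start, type, CHS end, LBA start, sector count

PARTITION_TYPES = {
    0x05: "extended", 0x07: "NTFS/HPFS/exFAT", 0x0B: "FAT32", 0x0C: "FAT32 LBA",
    0x0F: "extended LBA", 0x27: "hidden NTFS (Windows RE)", 0xEE: "GPT protective",
}


def parse_mbr(sector: bytes) -> dict:
    """Return bootstrap-code hash, disk signature and the non-empty partition entries."""
    if len(sector) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(sector)}")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("0x55AA boot signature missing; not an MBR or a garbled dump")
    partitions = []
    for index in range(4):
        offset = PARTITION_TABLE_OFFSET + index * PARTITION_ENTRY_SIZE
        status, _chs_start, ptype, _chs_end, lba_start, count = struct.unpack_from(ENTRY_FORMAT, sector, offset)
        if ptype == 0x00:  # empty slot
            continue
        partitions.append({
            "index": index, "bootable": status == 0x80, "type": ptype,
            "type_name": PARTITION_TYPES.get(ptype, f"unknown 0x{ptype:02X}"),
            "start_lba": lba_start, "sectors": count, "end_lba": lba_start + count - 1,
        })
    return {
        # Hash of the bootstrap code only. An MBR bootkit (TDL4 and relatives) rewrites this
        # region; compare the hash across reboots or with a dump taken from a known-clean install.
        "bootcode_sha256": hashlib.sha256(sector[:DISK_SIGNATURE_OFFSET]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIGNATURE_OFFSET)[0],
        "partitions": partitions,
    }


def matches_reported_layout(parsed: dict, reported) -> bool:
    """reported: list of (type, start_lba, sector_count) as TDSSKiller prints them."""
    got = [(p["type"], p["start_lba"], p["sectors"]) for p in parsed["partitions"]]
    return got == list(reported)


def unpartitioned_tail(parsed: dict, disk_sectors: int) -> int:
    """Sectors after the last partition: where TDL4-family bootkits keep their hidden file system."""
    if not parsed["partitions"]:
        return disk_sectors
    return disk_sectors - (max(p["end_lba"] for p in parsed["partitions"]) + 1)


def build_sample_mbr(partitions, disk_signature: int = 0x12345678) -> bytes:
    """Construct a synthetic MBR (zeroed boot code) from (type, start, count, bootable) tuples."""
    sector = bytearray(MBR_SIZE)
    struct.pack_into("<I", sector, DISK_SIGNATURE_OFFSET, disk_signature)
    for index, (ptype, start, count, bootable) in enumerate(partitions):
        offset = PARTITION_TABLE_OFFSET + index * PARTITION_ENTRY_SIZE
        struct.pack_into(ENTRY_FORMAT, sector, offset, 0x80 if bootable else 0x00,
                         b"\xFF\xFF\xFF", ptype, b"\xFF\xFF\xFF", start, count)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


def describe(sector: bytes, disk_sectors: int) -> str:
    info = parse_mbr(sector)
    out = [f"bootcode sha256: {info['bootcode_sha256']}", f"disk signature:  0x{info['disk_signature']:08X}"]
    for p in info["partitions"]:
        out.append(f"  #{p['index']} {'*' if p['bootable'] else ' '} type 0x{p['type']:02X} ({p['type_name']}) "
                   f"start 0x{p['start_lba']:X} count 0x{p['sectors']:X}")
    tail = unpartitioned_tail(info, disk_sectors)
    out.append(f"unpartitioned sectors after last partition: 0x{tail:X} ({tail * 512 // 1024} KiB)")
    return "\n".join(out)


# Values transcribed from the TDSSKiller output in this thread (constructed sample, not a real dump).
DISK_SECTORS = 0xE8E0DB6000 // 0x200
REPORTED = [(0x07, 0x800, 0x72BAD800), (0x07, 0x72BAE000, 0x1B58000)]
SAMPLE_MBR = build_sample_mbr([(0x07, 0x800, 0x72BAD800, True), (0x07, 0x72BAE000, 0x1B58000, False)])

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read(MBR_SIZE) if len(sys.argv) > 1 else SAMPLE_MBR
    print(describe(data, DISK_SECTORS))
    print("matches TDSSKiller layout:", matches_reported_layout(parse_mbr(data), REPORTED))
```

Run it with the path to MBR.dat (with no argument it uses the constructed sample). What matters is a partition table that disagrees with what the running system reports, a bootstrap-code hash that changes between dumps, or a large unpartitioned tail; the 0xDB0 sectors (about 1.7 MiB) left over on this disk are alignment slack, not a hidden volume.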

#5 lilking420

  • Topic Starter

Posted 05 March 2012 - 03:20 PM

14:03:11.0918 1088 TDSS rootkit removing tool 2.7.19.0 Mar 5 2012 11:23:39
14:03:12.0433 1088 ============================================================
14:03:12.0433 1088 Current date / time: 2012/03/05 14:03:12.0433
14:03:12.0433 1088 SystemInfo:
14:03:12.0433 1088
14:03:12.0433 1088 OS Version: 6.1.7601 ServicePack: 1.0
14:03:12.0433 1088 Product type: Workstation
14:03:12.0433 1088 ComputerName: MININT-KOA32FC
14:03:12.0433 1088 UserName: P
14:03:12.0433 1088 Windows directory: C:\Windows
14:03:12.0433 1088 System windows directory: C:\Windows
14:03:12.0433 1088 Running under WOW64
14:03:12.0433 1088 Processor architecture: Intel x64
14:03:12.0433 1088 Number of processors: 2
14:03:12.0433 1088 Page size: 0x1000
14:03:12.0433 1088 Boot type: Normal boot
14:03:12.0433 1088 ============================================================
14:03:13.0104 1088 Drive \Device\Harddisk0\DR0 - Size: 0xE8E0DB6000 (931.51 Gb), SectorSize: 0x200, Cylinders: 0x1DB01, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000040
14:03:13.0104 1088 \Device\Harddisk0\DR0:
14:03:13.0104 1088 MBR used
14:03:13.0104 1088 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x800, BlocksNum 0x72BAD800
14:03:13.0104 1088 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x72BAE000, BlocksNum 0x1B58000
14:03:13.0166 1088 Initialize success
14:03:13.0166 1088 ============================================================
14:03:18.0813 1128 ============================================================
14:03:18.0813 1128 Scan started
14:03:18.0813 1128 Mode: Manual; SigCheck; TDLFS;
14:03:18.0813 1128 ============================================================
14:03:19.0281 1128 1394ohci (a87d604aea360176311474c87a63bb88) C:\Windows\system32\drivers\1394ohci.sys
14:03:19.0313 1128 1394ohci - ok
14:03:19.0328 1128 ACPI (d81d9e70b8a6dd14d42d7b4efa65d5f2) C:\Windows\system32\drivers\ACPI.sys
14:03:19.0344 1128 ACPI - ok
14:03:19.0359 1128 AcpiPmi (99f8e788246d495ce3794d7e7821d2ca) C:\Windows\system32\drivers\acpipmi.sys
14:03:19.0359 1128 AcpiPmi - ok
14:03:19.0391 1128 adp94xx (2f6b34b83843f0c5118b63ac634f5bf4) C:\Windows\system32\drivers\adp94xx.sys
14:03:19.0406 1128 adp94xx - ok
14:03:19.0422 1128 adpahci (597f78224ee9224ea1a13d6350ced962) C:\Windows\system32\drivers\adpahci.sys
14:03:19.0437 1128 adpahci - ok
14:03:19.0437 1128 adpu320 (e109549c90f62fb570b9540c4b148e54) C:\Windows\system32\drivers\adpu320.sys
14:03:19.0453 1128 adpu320 - ok
14:03:19.0484 1128 AFD (1c7857b62de5994a75b054a9fd4c3825) C:\Windows\system32\drivers\afd.sys
14:03:19.0500 1128 AFD - ok
14:03:19.0515 1128 agp440 (608c14dba7299d8cb6ed035a68a15799) C:\Windows\system32\drivers\agp440.sys
14:03:19.0531 1128 agp440 - ok
14:03:19.0531 1128 aliide (5812713a477a3ad7363c7438ca2ee038) C:\Windows\system32\drivers\aliide.sys
14:03:19.0547 1128 aliide - ok
14:03:19.0562 1128 amdide (1ff8b4431c353ce385c875f194924c0c) C:\Windows\system32\drivers\amdide.sys
14:03:19.0562 1128 amdide - ok
14:03:19.0578 1128 AmdK8 (7024f087cff1833a806193ef9d22cda9) C:\Windows\system32\drivers\amdk8.sys
14:03:19.0593 1128 AmdK8 - ok
14:03:19.0703 1128 amdkmdag (b64724ca6c9f3d8325f0f1a02c6adfaf) C:\Windows\system32\DRIVERS\atikmdag.sys
14:03:19.0781 1128 amdkmdag - ok
14:03:19.0796 1128 amdkmdap (18f03be6118ba9d8a9dc0b98997dc98e) C:\Windows\system32\DRIVERS\atikmpag.sys
14:03:19.0812 1128 amdkmdap - ok
14:03:19.0843 1128 AmdPPM (1e56388b3fe0d031c44144eb8c4d6217) C:\Windows\system32\DRIVERS\amdppm.sys
14:03:19.0843 1128 AmdPPM - ok
14:03:19.0874 1128 amdsata (cc3021d064eb6d3c2f949530e2b0ba47) C:\Windows\system32\drivers\amdsata.sys
14:03:19.0890 1128 amdsata - ok
14:03:19.0890 1128 amdsbs (f67f933e79241ed32ff46a4f29b5120b) C:\Windows\system32\drivers\amdsbs.sys
14:03:19.0905 1128 amdsbs - ok
14:03:19.0921 1128 amdxata (ffc5a0f6263574ef0d5467496b721f77) C:\Windows\system32\drivers\amdxata.sys
14:03:19.0921 1128 amdxata - ok
14:03:19.0937 1128 AppID (89a69c3f2f319b43379399547526d952) C:\Windows\system32\drivers\appid.sys
14:03:19.0952 1128 AppID - ok
14:03:20.0061 1128 arc (c484f8ceb1717c540242531db7845c4e) C:\Windows\system32\drivers\arc.sys
14:03:20.0061 1128 arc - ok
14:03:20.0077 1128 arcsas (019af6924aefe7839f61c830227fe79c) C:\Windows\system32\drivers\arcsas.sys
14:03:20.0093 1128 arcsas - ok
14:03:20.0093 1128 AsyncMac (769765ce2cc62867468cea93969b2242) C:\Windows\system32\DRIVERS\asyncmac.sys
14:03:20.0124 1128 AsyncMac - ok
14:03:20.0139 1128 atapi (02062c0b390b7729edc9e69c680a6f3c) C:\Windows\system32\drivers\atapi.sys
14:03:20.0139 1128 atapi - ok
14:03:20.0171 1128 AtiPcie (e82e61f46d1336447f4deff8c074f13e) C:\Windows\system32\drivers\AtiPcie64.sys
14:03:20.0186 1128 AtiPcie - ok
14:03:20.0217 1128 b06bdrv (3e5b191307609f7514148c6832bb0842) C:\Windows\system32\drivers\bxvbda.sys
14:03:20.0217 1128 b06bdrv - ok
14:03:20.0249 1128 b57nd60a (b5ace6968304a3900eeb1ebfd9622df2) C:\Windows\system32\DRIVERS\b57nd60a.sys
14:03:20.0249 1128 b57nd60a - ok
14:03:20.0311 1128 BCM43XX (8b5d16d20774fc3727f44e161be2c0ac) C:\Windows\system32\DRIVERS\bcmwl664.sys
14:03:20.0358 1128 BCM43XX - ok
14:03:20.0373 1128 Beep (16a47ce2decc9b099349a5f840654746) C:\Windows\system32\drivers\Beep.sys
14:03:20.0405 1128 Beep - ok
14:03:20.0405 1128 blbdrive (61583ee3c3a17003c4acd0475646b4d3) C:\Windows\system32\DRIVERS\blbdrive.sys
14:03:20.0420 1128 blbdrive - ok
14:03:20.0436 1128 bowser (6c02a83164f5cc0a262f4199f0871cf5) C:\Windows\system32\DRIVERS\bowser.sys
14:03:20.0451 1128 bowser - ok
14:03:20.0451 1128 BrFiltLo (f09eee9edc320b5e1501f749fde686c8) C:\Windows\system32\drivers\BrFiltLo.sys
14:03:20.0467 1128 BrFiltLo - ok
14:03:20.0483 1128 BrFiltUp (b114d3098e9bdb8bea8b053685831be6) C:\Windows\system32\drivers\BrFiltUp.sys
14:03:20.0483 1128 BrFiltUp - ok
14:03:20.0498 1128 BridgeMP (5c2f352a4e961d72518261257aae204b) C:\Windows\system32\DRIVERS\bridge.sys
14:03:20.0529 1128 BridgeMP - ok
14:03:20.0529 1128 Brserid (43bea8d483bf1870f018e2d02e06a5bd) C:\Windows\System32\Drivers\Brserid.sys
14:03:20.0545 1128 Brserid - ok
14:03:20.0545 1128 BrSerWdm (a6eca2151b08a09caceca35c07f05b42) C:\Windows\System32\Drivers\BrSerWdm.sys
14:03:20.0561 1128 BrSerWdm - ok
14:03:20.0576 1128 BrUsbMdm (b79968002c277e869cf38bd22cd61524) C:\Windows\System32\Drivers\BrUsbMdm.sys
14:03:20.0576 1128 BrUsbMdm - ok
14:03:20.0592 1128 BrUsbSer (a87528880231c54e75ea7a44943b38bf) C:\Windows\System32\Drivers\BrUsbSer.sys
14:03:20.0592 1128 BrUsbSer - ok
14:03:20.0607 1128 BTHMODEM (9da669f11d1f894ab4eb69bf546a42e8) C:\Windows\system32\drivers\bthmodem.sys
14:03:20.0623 1128 BTHMODEM - ok
14:03:20.0639 1128 cdfs (b8bd2bb284668c84865658c77574381a) C:\Windows\system32\DRIVERS\cdfs.sys
14:03:20.0654 1128 cdfs - ok
14:03:20.0670 1128 cdrom (f036ce71586e93d94dab220d7bdf4416) C:\Windows\system32\DRIVERS\cdrom.sys
14:03:20.0685 1128 cdrom - ok
14:03:20.0685 1128 circlass (d7cd5c4e1b71fa62050515314cfb52cf) C:\Windows\system32\DRIVERS\circlass.sys
14:03:20.0701 1128 circlass - ok
14:03:20.0732 1128 CLFS (fe1ec06f2253f691fe36217c592a0206) C:\Windows\system32\CLFS.sys
14:03:20.0732 1128 CLFS - ok
14:03:20.0748 1128 CmBatt (0840155d0bddf1190f84a663c284bd33) C:\Windows\system32\drivers\CmBatt.sys
14:03:20.0763 1128 CmBatt - ok
14:03:20.0779 1128 cmdide (e19d3f095812725d88f9001985b94edd) C:\Windows\system32\drivers\cmdide.sys
14:03:20.0779 1128 cmdide - ok
14:03:20.0795 1128 CNG (c4943b6c962e4b82197542447ad599f4) C:\Windows\system32\Drivers\cng.sys
14:03:20.0810 1128 CNG - ok
14:03:20.0826 1128 Compbatt (102de219c3f61415f964c88e9085ad14) C:\Windows\system32\drivers\compbatt.sys
14:03:20.0826 1128 Compbatt - ok
14:03:20.0841 1128 CompositeBus (03edb043586cceba243d689bdda370a8) C:\Windows\system32\DRIVERS\CompositeBus.sys
14:03:20.0857 1128 CompositeBus - ok
14:03:20.0873 1128 crcdisk (1c827878a998c18847245fe1f34ee597) C:\Windows\system32\drivers\crcdisk.sys
14:03:20.0873 1128 crcdisk - ok
14:03:20.0904 1128 CtClsFlt (ed5cf92396a62f4c15110dcdb5e854d9) C:\Windows\system32\DRIVERS\CtClsFlt.sys
14:03:20.0919 1128 CtClsFlt - ok
14:03:20.0935 1128 DfsC (9bb2ef44eaa163b29c4a4587887a0fe4) C:\Windows\system32\Drivers\dfsc.sys
14:03:20.0966 1128 DfsC - ok
14:03:20.0966 1128 discache (13096b05847ec78f0977f2c0f79e9ab3) C:\Windows\system32\drivers\discache.sys
14:03:20.0997 1128 discache - ok
14:03:20.0997 1128 Disk (9819eee8b5ea3784ec4af3b137a5244c) C:\Windows\system32\drivers\disk.sys
14:03:21.0013 1128 Disk - ok
14:03:21.0029 1128 drmkaud (9b19f34400d24df84c858a421c205754) C:\Windows\system32\drivers\drmkaud.sys
14:03:21.0044 1128 drmkaud - ok
14:03:21.0075 1128 DXGKrnl (f5bee30450e18e6b83a5012c100616fd) C:\Windows\System32\drivers\dxgkrnl.sys
14:03:21.0091 1128 DXGKrnl - ok
14:03:21.0153 1128 ebdrv (dc5d737f51be844d8c82c695eb17372f) C:\Windows\system32\drivers\evbda.sys
14:03:21.0185 1128 ebdrv - ok
14:03:21.0200 1128 elxstor (0e5da5369a0fcaea12456dd852545184) C:\Windows\system32\drivers\elxstor.sys
14:03:21.0216 1128 elxstor - ok
14:03:21.0231 1128 ErrDev (34a3c54752046e79a126e15c51db409b) C:\Windows\system32\drivers\errdev.sys
14:03:21.0231 1128 ErrDev - ok
14:03:21.0247 1128 exfat (a510c654ec00c1e9bdd91eeb3a59823b) C:\Windows\system32\drivers\exfat.sys
14:03:21.0278 1128 exfat - ok
14:03:21.0294 1128 fastfat (0adc83218b66a6db380c330836f3e36d) C:\Windows\system32\drivers\fastfat.sys
14:03:21.0325 1128 fastfat - ok
14:03:21.0325 1128 fdc (d765d19cd8ef61f650c384f62fac00ab) C:\Windows\system32\drivers\fdc.sys
14:03:21.0341 1128 fdc - ok
14:03:21.0356 1128 FileInfo (655661be46b5f5f3fd454e2c3095b930) C:\Windows\system32\drivers\fileinfo.sys
14:03:21.0356 1128 FileInfo - ok
14:03:21.0356 1128 Filetrace (5f671ab5bc87eea04ec38a6cd5962a47) C:\Windows\system32\drivers\filetrace.sys
14:03:21.0387 1128 Filetrace - ok
14:03:21.0403 1128 flpydisk (c172a0f53008eaeb8ea33fe10e177af5) C:\Windows\system32\drivers\flpydisk.sys
14:03:21.0403 1128 flpydisk - ok
14:03:21.0419 1128 FltMgr (da6b67270fd9db3697b20fce94950741) C:\Windows\system32\drivers\fltmgr.sys
14:03:21.0419 1128 FltMgr - ok
14:03:21.0434 1128 FsDepends (d43703496149971890703b4b1b723eac) C:\Windows\system32\drivers\FsDepends.sys
14:03:21.0450 1128 FsDepends - ok
14:03:21.0450 1128 Fs_Rec (e95ef8547de20cf0603557c0cf7a9462) C:\Windows\system32\drivers\Fs_Rec.sys
14:03:21.0465 1128 Fs_Rec - ok
14:03:21.0465 1128 fvevol (1f7b25b858fa27015169fe95e54108ed) C:\Windows\system32\DRIVERS\fvevol.sys
14:03:21.0481 1128 fvevol - ok
14:03:21.0497 1128 gagp30kx (8c778d335c9d272cfd3298ab02abe3b6) C:\Windows\system32\drivers\gagp30kx.sys
14:03:21.0497 1128 gagp30kx - ok
14:03:21.0512 1128 hcw85cir (f2523ef6460fc42405b12248338ab2f0) C:\Windows\system32\drivers\hcw85cir.sys
14:03:21.0528 1128 hcw85cir - ok
14:03:21.0528 1128 HDAudBus (97bfed39b6b79eb12cddbfeed51f56bb) C:\Windows\system32\DRIVERS\HDAudBus.sys
14:03:21.0543 1128 HDAudBus - ok
14:03:21.0559 1128 HidBatt (78e86380454a7b10a5eb255dc44a355f) C:\Windows\system32\drivers\HidBatt.sys
14:03:21.0559 1128 HidBatt - ok
14:03:21.0575 1128 HidBth (7fd2a313f7afe5c4dab14798c48dd104) C:\Windows\system32\drivers\hidbth.sys
14:03:21.0575 1128 HidBth - ok
14:03:21.0590 1128 HidIr (0a77d29f311b88cfae3b13f9c1a73825) C:\Windows\system32\DRIVERS\hidir.sys
14:03:21.0606 1128 HidIr - ok
14:03:21.0621 1128 HidUsb (9592090a7e2b61cd582b612b6df70536) C:\Windows\system32\DRIVERS\hidusb.sys
14:03:21.0621 1128 HidUsb - ok
14:03:21.0637 1128 HpSAMD (39d2abcd392f3d8a6dce7b60ae7b8efc) C:\Windows\system32\drivers\HpSAMD.sys
14:03:21.0653 1128 HpSAMD - ok
14:03:21.0668 1128 HTTP (0ea7de1acb728dd5a369fd742d6eee28) C:\Windows\system32\drivers\HTTP.sys
14:03:21.0699 1128 HTTP - ok
14:03:21.0699 1128 hwpolicy (a5462bd6884960c9dc85ed49d34ff392) C:\Windows\system32\drivers\hwpolicy.sys
14:03:21.0715 1128 hwpolicy - ok
14:03:21.0715 1128 i8042prt (fa55c73d4affa7ee23ac4be53b4592d3) C:\Windows\system32\drivers\i8042prt.sys
14:03:21.0731 1128 i8042prt - ok
14:03:21.0762 1128 iaStorV (aaaf44db3bd0b9d1fb6969b23ecc8366) C:\Windows\system32\drivers\iaStorV.sys
14:03:21.0777 1128 iaStorV - ok
14:03:21.0777 1128 iirsp (5c18831c61933628f5bb0ea2675b9d21) C:\Windows\system32\drivers\iirsp.sys
14:03:21.0793 1128 iirsp - ok
14:03:21.0840 1128 IntcAzAudAddService (235362d403d9d677514649d88db31914) C:\Windows\system32\drivers\RTKVHD64.sys
14:03:21.0887 1128 IntcAzAudAddService - ok
14:03:21.0887 1128 intelide (f00f20e70c6ec3aa366910083a0518aa) C:\Windows\system32\drivers\intelide.sys
14:03:21.0887 1128 intelide - ok
14:03:21.0902 1128 intelppm (ada036632c664caa754079041cf1f8c1) C:\Windows\system32\drivers\intelppm.sys
14:03:21.0918 1128 intelppm - ok
14:03:21.0933 1128 IpFilterDriver (c9f0e1bd74365a8771590e9008d22ab6) C:\Windows\system32\DRIVERS\ipfltdrv.sys
14:03:21.0949 1128 IpFilterDriver - ok
14:03:21.0965 1128 IPMIDRV (0fc1aea580957aa8817b8f305d18ca3a) C:\Windows\system32\drivers\IPMIDrv.sys
14:03:21.0980 1128 IPMIDRV - ok
14:03:21.0980 1128 IPNAT (af9b39a7e7b6caa203b3862582e9f2d0) C:\Windows\system32\drivers\ipnat.sys
14:03:22.0011 1128 IPNAT - ok
14:03:22.0027 1128 IRENUM (3abf5e7213eb28966d55d58b515d5ce9) C:\Windows\system32\drivers\irenum.sys
14:03:22.0027 1128 IRENUM - ok
14:03:22.0043 1128 isapnp (2f7b28dc3e1183e5eb418df55c204f38) C:\Windows\system32\drivers\isapnp.sys
14:03:22.0043 1128 isapnp - ok
14:03:22.0058 1128 iScsiPrt (d931d7309deb2317035b07c9f9e6b0bd) C:\Windows\system32\drivers\msiscsi.sys
14:03:22.0074 1128 iScsiPrt - ok
14:03:22.0074 1128 kbdclass (bc02336f1cba7dcc7d1213bb588a68a5) C:\Windows\system32\DRIVERS\kbdclass.sys
14:03:22.0089 1128 kbdclass - ok
14:03:22.0089 1128 kbdhid (0705eff5b42a9db58548eec3b26bb484) C:\Windows\system32\DRIVERS\kbdhid.sys
14:03:22.0105 1128 kbdhid - ok
14:03:22.0121 1128 KSecDD (da1e991a61cfdd755a589e206b97644b) C:\Windows\system32\Drivers\ksecdd.sys
14:03:22.0136 1128 KSecDD - ok
14:03:22.0152 1128 KSecPkg (7e33198d956943a4f11a5474c1e9106f) C:\Windows\system32\Drivers\ksecpkg.sys
14:03:22.0152 1128 KSecPkg - ok
14:03:22.0167 1128 ksthunk (6869281e78cb31a43e969f06b57347c4) C:\Windows\system32\drivers\ksthunk.sys
14:03:22.0199 1128 ksthunk - ok
14:03:22.0214 1128 lltdio (1538831cf8ad2979a04c423779465827) C:\Windows\system32\DRIVERS\lltdio.sys
14:03:22.0245 1128 lltdio - ok
14:03:22.0261 1128 LSI_FC (1a93e54eb0ece102495a51266dcdb6a6) C:\Windows\system32\drivers\lsi_fc.sys
14:03:22.0261 1128 LSI_FC - ok
14:03:22.0277 1128 LSI_SAS (1047184a9fdc8bdbff857175875ee810) C:\Windows\system32\drivers\lsi_sas.sys
14:03:22.0277 1128 LSI_SAS - ok
14:03:22.0292 1128 LSI_SAS2 (30f5c0de1ee8b5bc9306c1f0e4a75f93) C:\Windows\system32\drivers\lsi_sas2.sys
14:03:22.0292 1128 LSI_SAS2 - ok
14:03:22.0308 1128 LSI_SCSI (0504eacaff0d3c8aed161c4b0d369d4a) C:\Windows\system32\drivers\lsi_scsi.sys
14:03:22.0323 1128 LSI_SCSI - ok
14:03:22.0339 1128 luafv (43d0f98e1d56ccddb0d5254cff7b356e) C:\Windows\system32\drivers\luafv.sys
14:03:22.0355 1128 luafv - ok
14:03:22.0370 1128 megasas (a55805f747c6edb6a9080d7c633bd0f4) C:\Windows\system32\drivers\megasas.sys
14:03:22.0370 1128 megasas - ok
14:03:22.0386 1128 MegaSR (baf74ce0072480c3b6b7c13b2a94d6b3) C:\Windows\system32\drivers\MegaSR.sys
14:03:22.0401 1128 MegaSR - ok
14:03:22.0417 1128 Modem (800ba92f7010378b09f9ed9270f07137) C:\Windows\system32\drivers\modem.sys
14:03:22.0433 1128 Modem - ok
14:03:22.0448 1128 monitor (b03d591dc7da45ece20b3b467e6aadaa) C:\Windows\system32\DRIVERS\monitor.sys
14:03:22.0464 1128 monitor - ok
14:03:22.0464 1128 mouclass (7d27ea49f3c1f687d357e77a470aea99) C:\Windows\system32\DRIVERS\mouclass.sys
14:03:22.0479 1128 mouclass - ok
14:03:22.0479 1128 mouhid (d3bf052c40b0c4166d9fd86a4288c1e6) C:\Windows\system32\DRIVERS\mouhid.sys
14:03:22.0495 1128 mouhid - ok
14:03:22.0495 1128 mountmgr (32e7a3d591d671a6df2db515a5cbe0fa) C:\Windows\system32\drivers\mountmgr.sys
14:03:22.0511 1128 mountmgr - ok
14:03:22.0542 1128 MpFilter (c177a7ebf5e8a0b596f618870516cab8) C:\Windows\system32\DRIVERS\MpFilter.sys
14:03:22.0542 1128 MpFilter - ok
14:03:22.0557 1128 mpio (a44b420d30bd56e145d6a2bc8768ec58) C:\Windows\system32\drivers\mpio.sys
14:03:22.0557 1128 mpio - ok
14:03:22.0573 1128 MpNWMon (8fbf6b31fe8af1833d93c5913d5b4d55) C:\Windows\system32\DRIVERS\MpNWMon.sys
14:03:22.0589 1128 MpNWMon - ok
14:03:22.0589 1128 mpsdrv (6c38c9e45ae0ea2fa5e551f2ed5e978f) C:\Windows\system32\drivers\mpsdrv.sys
14:03:22.0620 1128 mpsdrv - ok
14:03:22.0635 1128 MRxDAV (dc722758b8261e1abafd31a3c0a66380) C:\Windows\system32\drivers\mrxdav.sys
14:03:22.0651 1128 MRxDAV - ok
14:03:22.0667 1128 mrxsmb (a5d9106a73dc88564c825d317cac68ac) C:\Windows\system32\DRIVERS\mrxsmb.sys
14:03:22.0682 1128 mrxsmb - ok
14:03:22.0713 1128 mrxsmb10 (d711b3c1d5f42c0c2415687be09fc163) C:\Windows\system32\DRIVERS\mrxsmb10.sys
14:03:22.0729 1128 mrxsmb10 - ok
14:03:22.0745 1128 mrxsmb20 (9423e9d355c8d303e76b8cfbd8a5c30c) C:\Windows\system32\DRIVERS\mrxsmb20.sys
14:03:22.0760 1128 mrxsmb20 - ok
14:03:22.0760 1128 msahci (c25f0bafa182cbca2dd3c851c2e75796) C:\Windows\system32\drivers\msahci.sys
14:03:22.0776 1128 msahci - ok
14:03:22.0791 1128 msdsm (db801a638d011b9633829eb6f663c900) C:\Windows\system32\drivers\msdsm.sys
14:03:22.0791 1128 msdsm - ok
14:03:22.0807 1128 Msfs (aa3fb40e17ce1388fa1bedab50ea8f96) C:\Windows\system32\drivers\Msfs.sys
14:03:22.0838 1128 Msfs - ok
14:03:22.0854 1128 mshidkmdf (f9d215a46a8b9753f61767fa72a20326) C:\Windows\System32\drivers\mshidkmdf.sys
14:03:22.0869 1128 mshidkmdf - ok
14:03:22.0885 1128 msisadrv (d916874bbd4f8b07bfb7fa9b3ccae29d) C:\Windows\system32\drivers\msisadrv.sys
14:03:22.0885 1128 msisadrv - ok
14:03:22.0901 1128 MSKSSRV (49ccf2c4fea34ffad8b1b59d49439366) C:\Windows\system32\drivers\MSKSSRV.sys
14:03:22.0932 1128 MSKSSRV - ok
14:03:22.0932 1128 MSPCLOCK (bdd71ace35a232104ddd349ee70e1ab3) C:\Windows\system32\drivers\MSPCLOCK.sys
14:03:22.0963 1128 MSPCLOCK - ok
14:03:22.0979 1128 MSPQM (4ed981241db27c3383d72092b618a1d0) C:\Windows\system32\drivers\MSPQM.sys
14:03:22.0994 1128 MSPQM - ok
14:03:23.0010 1128 MsRPC (759a9eeb0fa9ed79da1fb7d4ef78866d) C:\Windows\system32\drivers\MsRPC.sys
14:03:23.0025 1128 MsRPC - ok
14:03:23.0025 1128 mssmbios (0eed230e37515a0eaee3c2e1bc97b288) C:\Windows\system32\DRIVERS\mssmbios.sys
14:03:23.0041 1128 mssmbios - ok
14:03:23.0041 1128 MSTEE (2e66f9ecb30b4221a318c92ac2250779) C:\Windows\system32\drivers\MSTEE.sys
14:03:23.0072 1128 MSTEE - ok
14:03:23.0088 1128 MTConfig (7ea404308934e675bffde8edf0757bcd) C:\Windows\system32\DRIVERS\MTConfig.sys
14:03:23.0103 1128 MTConfig - ok
14:03:23.0103 1128 Mup (f9a18612fd3526fe473c1bda678d61c8) C:\Windows\system32\Drivers\mup.sys
14:03:23.0119 1128 Mup - ok
14:03:23.0135 1128 NativeWifiP (1ea3749c4114db3e3161156ffffa6b33) C:\Windows\system32\DRIVERS\nwifi.sys
14:03:23.0150 1128 NativeWifiP - ok
14:03:23.0166 1128 NDIS (79b47fd40d9a817e932f9d26fac0a81c) C:\Windows\system32\drivers\ndis.sys
14:03:23.0181 1128 NDIS - ok
14:03:23.0197 1128 NdisCap (9f9a1f53aad7da4d6fef5bb73ab811ac) C:\Windows\system32\DRIVERS\ndiscap.sys
14:03:23.0213 1128 NdisCap - ok
14:03:23.0228 1128 NdisTapi (30639c932d9fef22b31268fe25a1b6e5) C:\Windows\system32\DRIVERS\ndistapi.sys
14:03:23.0259 1128 NdisTapi - ok
14:03:23.0259 1128 Ndisuio (136185f9fb2cc61e573e676aa5402356) C:\Windows\system32\DRIVERS\ndisuio.sys
14:03:23.0291 1128 Ndisuio - ok
14:03:23.0291 1128 NdisWan (53f7305169863f0a2bddc49e116c2e11) C:\Windows\system32\DRIVERS\ndiswan.sys
14:03:23.0322 1128 NdisWan - ok
14:03:23.0337 1128 NDProxy (015c0d8e0e0421b4cfd48cffe2825879) C:\Windows\system32\drivers\NDProxy.sys
14:03:23.0353 1128 NDProxy - ok
14:03:23.0369 1128 NetBIOS (86743d9f5d2b1048062b14b1d84501c4) C:\Windows\system32\DRIVERS\netbios.sys
14:03:23.0400 1128 NetBIOS - ok
14:03:23.0400 1128 NetBT (09594d1089c523423b32a4229263f068) C:\Windows\system32\DRIVERS\netbt.sys
14:03:23.0431 1128 NetBT - ok
14:03:23.0447 1128 nfrd960 (77889813be4d166cdab78ddba990da92) C:\Windows\system32\drivers\nfrd960.sys
14:03:23.0462 1128 nfrd960 - ok
14:03:23.0478 1128 NisDrv (5f7d72cbcdd025af1f38fdeee5646968) C:\Windows\system32\DRIVERS\NisDrvWFP.sys
14:03:23.0478 1128 NisDrv - ok
14:03:23.0493 1128 Npfs (1e4c4ab5c9b8dd13179bbdc75a2a01f7) C:\Windows\system32\drivers\Npfs.sys
14:03:23.0525 1128 Npfs - ok
14:03:23.0540 1128 nsiproxy (e7f5ae18af4168178a642a9247c63001) C:\Windows\system32\drivers\nsiproxy.sys
14:03:23.0556 1128 nsiproxy - ok
14:03:23.0603 1128 Ntfs (a2f74975097f52a00745f9637451fdd8) C:\Windows\system32\drivers\Ntfs.sys
14:03:23.0618 1128 Ntfs - ok
14:03:23.0634 1128 Null (9899284589f75fa8724ff3d16aed75c1) C:\Windows\system32\drivers\Null.sys
14:03:23.0665 1128 Null - ok
14:03:23.0681 1128 nusb3hub (786db821bfd57c0551dbbe4f75384a7d) C:\Windows\system32\drivers\nusb3hub.sys
14:03:23.0696 1128 nusb3hub - ok
14:03:23.0712 1128 nusb3xhc (daa8005caf745042bb427a1ed7433354) C:\Windows\system32\drivers\nusb3xhc.sys
14:03:23.0712 1128 nusb3xhc - ok
14:03:23.0743 1128 nuviocir (be29aa3cba78480ab8591873197cb56a) C:\Windows\system32\DRIVERS\nuviocir_win7_x64.sys
14:03:23.0743 1128 nuviocir - ok
14:03:23.0774 1128 nvraid (0a92cb65770442ed0dc44834632f66ad) C:\Windows\system32\drivers\nvraid.sys
14:03:23.0774 1128 nvraid - ok
14:03:23.0790 1128 nvstor (dab0e87525c10052bf65f06152f37e4a) C:\Windows\system32\drivers\nvstor.sys
14:03:23.0805 1128 nvstor - ok
14:03:23.0805 1128 nv_agp (270d7cd42d6e3979f6dd0146650f0e05) C:\Windows\system32\drivers\nv_agp.sys
14:03:23.0821 1128 nv_agp - ok
14:03:23.0821 1128 ohci1394 (3589478e4b22ce21b41fa1bfc0b8b8a0) C:\Windows\system32\drivers\ohci1394.sys
14:03:23.0837 1128 ohci1394 - ok
14:03:23.0852 1128 Parport (0086431c29c35be1dbc43f52cc273887) C:\Windows\system32\drivers\parport.sys
14:03:23.0852 1128 Parport - ok
14:03:23.0868 1128 partmgr (871eadac56b0a4c6512bbe32753ccf79) C:\Windows\system32\drivers\partmgr.sys
14:03:23.0883 1128 partmgr - ok
14:03:23.0899 1128 PCDSRVC{67F2314B-25F2B3C0-06020101}_0 - ok
14:03:23.0915 1128 pci (94575c0571d1462a0f70bde6bd6ee6b3) C:\Windows\system32\drivers\pci.sys
14:03:23.0930 1128 pci - ok
14:03:23.0930 1128 pciide (b5b8b5ef2e5cb34df8dcf8831e3534fa) C:\Windows\system32\drivers\pciide.sys
14:03:23.0946 1128 pciide - ok
14:03:23.0946 1128 pcmcia (b2e81d4e87ce48589f98cb8c05b01f2f) C:\Windows\system32\drivers\pcmcia.sys
14:03:23.0961 1128 pcmcia - ok
14:03:23.0977 1128 pcw (d6b9c2e1a11a3a4b26a182ffef18f603) C:\Windows\system32\drivers\pcw.sys
14:03:23.0977 1128 pcw - ok
14:03:23.0993 1128 PEAUTH (68769c3356b3be5d1c732c97b9a80d6e) C:\Windows\system32\drivers\peauth.sys
14:03:24.0024 1128 PEAUTH - ok
14:03:24.0071 1128 PptpMiniport (f92a2c41117a11a00be01ca01a7fcde9) C:\Windows\system32\DRIVERS\raspptp.sys
14:03:24.0086 1128 PptpMiniport - ok
14:03:24.0117 1128 Processor (0d922e23c041efb1c3fac2a6f943c9bf) C:\Windows\system32\drivers\processr.sys
14:03:24.0117 1128 Processor - ok
14:03:24.0133 1128 Psched (0557cf5a2556bd58e26384169d72438d) C:\Windows\system32\DRIVERS\pacer.sys
14:03:24.0164 1128 Psched - ok
14:03:24.0180 1128 PxHlpa64 (87b04878a6d59d6c79251dc960c674c1) C:\Windows\system32\Drivers\PxHlpa64.sys
14:03:24.0195 1128 PxHlpa64 - ok
14:03:24.0227 1128 ql2300 (a53a15a11ebfd21077463ee2c7afeef0) C:\Windows\system32\drivers\ql2300.sys
14:03:24.0242 1128 ql2300 - ok
14:03:24.0258 1128 ql40xx (4f6d12b51de1aaeff7dc58c4d75423c8) C:\Windows\system32\drivers\ql40xx.sys
14:03:24.0258 1128 ql40xx - ok
14:03:24.0273 1128 QWAVEdrv (76707bb36430888d9ce9d705398adb6c) C:\Windows\system32\drivers\qwavedrv.sys
14:03:24.0289 1128 QWAVEdrv - ok
14:03:24.0305 1128 RasAcd (5a0da8ad5762fa2d91678a8a01311704) C:\Windows\system32\DRIVERS\rasacd.sys
14:03:24.0320 1128 RasAcd - ok
14:03:24.0336 1128 RasAgileVpn (7ecff9b22276b73f43a99a15a6094e90) C:\Windows\system32\DRIVERS\AgileVpn.sys
14:03:24.0367 1128 RasAgileVpn - ok
14:03:24.0383 1128 Rasl2tp (471815800ae33e6f1c32fb1b97c490ca) C:\Windows\system32\DRIVERS\rasl2tp.sys
14:03:24.0414 1128 Rasl2tp - ok
14:03:24.0414 1128 RasPppoe (855c9b1cd4756c5e9a2aa58a15f58c25) C:\Windows\system32\DRIVERS\raspppoe.sys
14:03:24.0445 1128 RasPppoe - ok
14:03:24.0461 1128 RasSstp (e8b1e447b008d07ff47d016c2b0eeecb) C:\Windows\system32\DRIVERS\rassstp.sys
14:03:24.0492 1128 RasSstp - ok
14:03:24.0492 1128 rdbss (77f665941019a1594d887a74f301fa2f) C:\Windows\system32\DRIVERS\rdbss.sys
14:03:24.0523 1128 rdbss - ok
14:03:24.0523 1128 rdpbus (302da2a0539f2cf54d7c6cc30c1f2d8d) C:\Windows\system32\drivers\rdpbus.sys
14:03:24.0539 1128 rdpbus - ok
14:03:24.0554 1128 RDPCDD (cea6cc257fc9b7715f1c2b4849286d24) C:\Windows\system32\DRIVERS\RDPCDD.sys
14:03:24.0585 1128 RDPCDD - ok
14:03:24.0601 1128 RDPENCDD (bb5971a4f00659529a5c44831af22365) C:\Windows\system32\drivers\rdpencdd.sys
14:03:24.0632 1128 RDPENCDD - ok
14:03:24.0632 1128 RDPREFMP (216f3fa57533d98e1f74ded70113177a) C:\Windows\system32\drivers\rdprefmp.sys
14:03:24.0663 1128 RDPREFMP - ok
14:03:24.0679 1128 RDPWD (15b66c206b5cb095bab980553f38ed23) C:\Windows\system32\drivers\RDPWD.sys
14:03:24.0695 1128 RDPWD - ok
14:03:24.0710 1128 rdyboost (34ed295fa0121c241bfef24764fc4520) C:\Windows\system32\drivers\rdyboost.sys
14:03:24.0710 1128 rdyboost - ok
14:03:24.0741 1128 rspndr (ddc86e4f8e7456261e637e3552e804ff) C:\Windows\system32\DRIVERS\rspndr.sys
14:03:24.0773 1128 rspndr - ok
14:03:24.0804 1128 RTL8167 (ee082e06a82ff630351d1e0ebbd3d8d0) C:\Windows\system32\DRIVERS\Rt64win7.sys
14:03:24.0819 1128 RTL8167 - ok
14:03:24.0819 1128 sbp2port (ac03af3329579fffb455aa2daabbe22b) C:\Windows\system32\drivers\sbp2port.sys
14:03:24.0835 1128 sbp2port - ok
14:03:24.0851 1128 scfilter (253f38d0d7074c02ff8deb9836c97d2b) C:\Windows\system32\DRIVERS\scfilter.sys
14:03:24.0882 1128 scfilter - ok
14:03:24.0897 1128 secdrv (3ea8a16169c26afbeb544e0e48421186) C:\Windows\system32\drivers\secdrv.sys
14:03:24.0913 1128 secdrv - ok
14:03:24.0944 1128 Serenum (cb624c0035412af0debec78c41f5ca1b) C:\Windows\system32\drivers\serenum.sys
14:03:24.0960 1128 Serenum - ok
14:03:24.0960 1128 Serial (c1d8e28b2c2adfaec4ba89e9fda69bd6) C:\Windows\system32\drivers\serial.sys
14:03:24.0975 1128 Serial - ok
14:03:24.0975 1128 sermouse (1c545a7d0691cc4a027396535691c3e3) C:\Windows\system32\drivers\sermouse.sys
14:03:24.0991 1128 sermouse - ok
14:03:25.0007 1128 sffdisk (a554811bcd09279536440c964ae35bbf) C:\Windows\system32\drivers\sffdisk.sys
14:03:25.0022 1128 sffdisk - ok
14:03:25.0022 1128 sffp_mmc (ff414f0baefeba59bc6c04b3db0b87bf) C:\Windows\system32\drivers\sffp_mmc.sys
14:03:25.0038 1128 sffp_mmc - ok
14:03:25.0038 1128 sffp_sd (dd85b78243a19b59f0637dcf284da63c) C:\Windows\system32\drivers\sffp_sd.sys
14:03:25.0053 1128 sffp_sd - ok
14:03:25.0069 1128 sfloppy (a9d601643a1647211a1ee2ec4e433ff4) C:\Windows\system32\drivers\sfloppy.sys
14:03:25.0069 1128 sfloppy - ok
14:03:25.0100 1128 SiSRaid2 (843caf1e5fde1ffd5ff768f23a51e2e1) C:\Windows\system32\drivers\SiSRaid2.sys
14:03:25.0116 1128 SiSRaid2 - ok
14:03:25.0116 1128 SiSRaid4 (6a6c106d42e9ffff8b9fcb4f754f6da4) C:\Windows\system32\drivers\sisraid4.sys
14:03:25.0131 1128 SiSRaid4 - ok
14:03:25.0131 1128 Smb (548260a7b8654e024dc30bf8a7c5baa4) C:\Windows\system32\DRIVERS\smb.sys
14:03:25.0163 1128 Smb - ok
14:03:25.0178 1128 spldr (b9e31e5cacdfe584f34f730a677803f9) C:\Windows\system32\drivers\spldr.sys
14:03:25.0194 1128 spldr - ok
14:03:25.0225 1128 srv (441fba48bff01fdb9d5969ebc1838f0b) C:\Windows\system32\DRIVERS\srv.sys
14:03:25.0241 1128 srv - ok
14:03:25.0256 1128 srv2 (b4adebbf5e3677cce9651e0f01f7cc28) C:\Windows\system32\DRIVERS\srv2.sys
14:03:25.0272 1128 srv2 - ok
14:03:25.0287 1128 srvnet (27e461f0be5bff5fc737328f749538c3) C:\Windows\system32\DRIVERS\srvnet.sys
14:03:25.0287 1128 srvnet - ok
14:03:25.0303 1128 stexstor (f3817967ed533d08327dc73bc4d5542a) C:\Windows\system32\drivers\stexstor.sys
14:03:25.0303 1128 stexstor - ok
14:03:25.0319 1128 swenum (d01ec09b6711a5f8e7e6564a4d0fbc90) C:\Windows\system32\DRIVERS\swenum.sys
14:03:25.0334 1128 swenum - ok
14:03:25.0397 1128 Tcpip (fc62769e7bff2896035aeed399108162) C:\Windows\system32\drivers\tcpip.sys
14:03:25.0428 1128 Tcpip - ok
14:03:25.0459 1128 TCPIP6 (fc62769e7bff2896035aeed399108162) C:\Windows\system32\DRIVERS\tcpip.sys
14:03:25.0490 1128 TCPIP6 - ok
14:03:25.0506 1128 tcpipreg (df687e3d8836bfb04fcc0615bf15a519) C:\Windows\system32\drivers\tcpipreg.sys
14:03:25.0521 1128 tcpipreg - ok
14:03:25.0553 1128 TDPIPE (3371d21011695b16333a3934340c4e7c) C:\Windows\system32\drivers\tdpipe.sys
14:03:25.0568 1128 TDPIPE - ok
14:03:25.0584 1128 TDTCP (e4245bda3190a582d55ed09e137401a9) C:\Windows\system32\drivers\tdtcp.sys
14:03:25.0615 1128 TDTCP - ok
14:03:25.0615 1128 tdx (ddad5a7ab24d8b65f8d724f5c20fd806) C:\Windows\system32\DRIVERS\tdx.sys
14:03:25.0646 1128 tdx - ok
14:03:25.0646 1128 TermDD (561e7e1f06895d78de991e01dd0fb6e5) C:\Windows\system32\DRIVERS\termdd.sys
14:03:25.0662 1128 TermDD - ok
14:03:25.0677 1128 tssecsrv (ce18b2cdfc837c99e5fae9ca6cba5d30) C:\Windows\system32\DRIVERS\tssecsrv.sys
14:03:25.0709 1128 tssecsrv - ok
14:03:25.0709 1128 TsUsbFlt (d11c783e3ef9a3c52c0ebe83cc5000e9) C:\Windows\system32\drivers\tsusbflt.sys
14:03:25.0724 1128 TsUsbFlt - ok
14:03:25.0724 1128 TsUsbGD (9cc2ccae8a84820eaecb886d477cbcb8) C:\Windows\system32\drivers\TsUsbGD.sys
14:03:25.0740 1128 TsUsbGD - ok
14:03:25.0755 1128 tunnel (3566a8daafa27af944f5d705eaa64894) C:\Windows\system32\DRIVERS\tunnel.sys
14:03:25.0771 1128 tunnel - ok
14:03:25.0787 1128 uagp35 (b4dd609bd7e282bfc683cec7eaaaad67) C:\Windows\system32\drivers\uagp35.sys
14:03:25.0787 1128 uagp35 - ok
14:03:25.0802 1128 udfs (ff4232a1a64012baa1fd97c7b67df593) C:\Windows\system32\DRIVERS\udfs.sys
14:03:25.0833 1128 udfs - ok
14:03:25.0849 1128 uliagpkx (4bfe1bc28391222894cbf1e7d0e42320) C:\Windows\system32\drivers\uliagpkx.sys
14:03:25.0849 1128 uliagpkx - ok
14:03:25.0865 1128 umbus (dc54a574663a895c8763af0fa1ff7561) C:\Windows\system32\DRIVERS\umbus.sys
14:03:25.0865 1128 umbus - ok
14:03:25.0880 1128 UmPass (b2e8e8cb557b156da5493bbddcc1474d) C:\Windows\system32\drivers\umpass.sys
14:03:25.0880 1128 UmPass - ok
14:03:25.0911 1128 usbccgp (6f1a3157a1c89435352ceb543cdb359c) C:\Windows\system32\DRIVERS\usbccgp.sys
14:03:25.0927 1128 usbccgp - ok
14:03:25.0943 1128 usbcir (af0892a803fdda7492f595368e3b68e7) C:\Windows\system32\drivers\usbcir.sys
14:03:25.0958 1128 usbcir - ok
14:03:25.0974 1128 usbehci (c025055fe7b87701eb042095df1a2d7b) C:\Windows\system32\DRIVERS\usbehci.sys
14:03:25.0974 1128 usbehci - ok
14:03:26.0005 1128 usbhub (287c6c9410b111b68b52ca298f7b8c24) C:\Windows\system32\DRIVERS\usbhub.sys
14:03:26.0005 1128 usbhub - ok
14:03:26.0021 1128 usbohci (9840fc418b4cbd632d3d0a667a725c31) C:\Windows\system32\DRIVERS\usbohci.sys
14:03:26.0036 1128 usbohci - ok
14:03:26.0036 1128 usbprint (73188f58fb384e75c4063d29413cee3d) C:\Windows\system32\drivers\usbprint.sys
14:03:26.0052 1128 usbprint - ok
14:03:26.0067 1128 USBSTOR (fed648b01349a3c8395a5169db5fb7d6) C:\Windows\system32\DRIVERS\USBSTOR.SYS
14:03:26.0083 1128 USBSTOR - ok
14:03:26.0099 1128 usbuhci (62069a34518bcf9c1fd9e74b3f6db7cd) C:\Windows\system32\drivers\usbuhci.sys
14:03:26.0099 1128 usbuhci - ok
14:03:26.0130 1128 usbvideo (454800c2bc7f3927ce030141ee4f4c50) C:\Windows\system32\Drivers\usbvideo.sys
14:03:26.0145 1128 usbvideo - ok
14:03:26.0161 1128 vdrvroot (c5c876ccfc083ff3b128f933823e87bd) C:\Windows\system32\drivers\vdrvroot.sys
14:03:26.0161 1128 vdrvroot - ok
14:03:26.0177 1128 vga (da4da3f5e02943c2dc8c6ed875de68dd) C:\Windows\system32\DRIVERS\vgapnp.sys
14:03:26.0192 1128 vga - ok
14:03:26.0192 1128 VgaSave (53e92a310193cb3c03bea963de7d9cfc) C:\Windows\System32\drivers\vga.sys
14:03:26.0223 1128 VgaSave - ok
14:03:26.0239 1128 vhdmp (2ce2df28c83aeaf30084e1b1eb253cbb) C:\Windows\system32\drivers\vhdmp.sys
14:03:26.0255 1128 vhdmp - ok
14:03:26.0255 1128 viaide (e5689d93ffe4e5d66c0178761240dd54) C:\Windows\system32\drivers\viaide.sys
14:03:26.0270 1128 viaide - ok
14:03:26.0286 1128 volmgr (d2aafd421940f640b407aefaaebd91b0) C:\Windows\system32\drivers\volmgr.sys
14:03:26.0286 1128 volmgr - ok
14:03:26.0301 1128 volmgrx (a255814907c89be58b79ef2f189b843b) C:\Windows\system32\drivers\volmgrx.sys
14:03:26.0317 1128 volmgrx - ok
14:03:26.0317 1128 volsnap (0d08d2f3b3ff84e433346669b5e0f639) C:\Windows\system32\drivers\volsnap.sys
14:03:26.0333 1128 volsnap - ok
14:03:26.0348 1128 vsmraid (5e2016ea6ebaca03c04feac5f330d997) C:\Windows\system32\drivers\vsmraid.sys
14:03:26.0348 1128 vsmraid - ok
14:03:26.0364 1128 vwifibus (36d4720b72b5c5d9cb2b9c29e9df67a1) C:\Windows\system32\DRIVERS\vwifibus.sys
14:03:26.0364 1128 vwifibus - ok
14:03:26.0395 1128 vwififlt (6a3d66263414ff0d6fa754c646612f3f) C:\Windows\system32\DRIVERS\vwififlt.sys
14:03:26.0411 1128 vwififlt - ok
14:03:26.0411 1128 WacomPen (4e9440f4f152a7b944cb1663d3935a3e) C:\Windows\system32\drivers\wacompen.sys
14:03:26.0426 1128 WacomPen - ok
14:03:26.0426 1128 WANARP (356afd78a6ed4457169241ac3965230c) C:\Windows\system32\DRIVERS\wanarp.sys
14:03:26.0457 1128 WANARP - ok
14:03:26.0457 1128 Wanarpv6 (356afd78a6ed4457169241ac3965230c) C:\Windows\system32\DRIVERS\wanarp.sys
14:03:26.0489 1128 Wanarpv6 - ok
14:03:26.0504 1128 Wd (72889e16ff12ba0f235467d6091b17dc) C:\Windows\system32\drivers\wd.sys
14:03:26.0520 1128 Wd - ok
14:03:26.0535 1128 Wdf01000 (441bd2d7b4f98134c3a4f9fa570fd250) C:\Windows\system32\drivers\Wdf01000.sys
14:03:26.0551 1128 Wdf01000 - ok
14:03:26.0567 1128 WfpLwf (611b23304bf067451a9fdee01fbdd725) C:\Windows\system32\DRIVERS\wfplwf.sys
14:03:26.0598 1128 WfpLwf - ok
14:03:26.0613 1128 WIMMount (05ecaec3e4529a7153b3136ceb49f0ec) C:\Windows\system32\drivers\wimmount.sys
14:03:26.0613 1128 WIMMount - ok
14:03:26.0645 1128 WmiAcpi (f6ff8944478594d0e414d3f048f0d778) C:\Windows\system32\DRIVERS\wmiacpi.sys
14:03:26.0645 1128 WmiAcpi - ok
14:03:26.0660 1128 ws2ifsl (6bcc1d7d2fd2453957c5479a32364e52) C:\Windows\system32\drivers\ws2ifsl.sys
14:03:26.0691 1128 ws2ifsl - ok
14:03:26.0707 1128 WudfPf (d3381dc54c34d79b22cee0d65ba91b7c) C:\Windows\system32\drivers\WudfPf.sys
14:03:26.0738 1128 WudfPf - ok
14:03:26.0754 1128 WUDFRd (cf8d590be3373029d57af80914190682) C:\Windows\system32\DRIVERS\WUDFRd.sys
14:03:26.0769 1128 WUDFRd - ok
14:03:26.0801 1128 MBR (0x1B8) (a36c5e4f47e84449ff07ed3517b43a31) \Device\Harddisk0\DR0
14:03:26.0925 1128 \Device\Harddisk0\DR0 - ok
14:03:26.0925 1128 Boot (0x1200) (38c3408a13ca5c49b1b662a00f556a25) \Device\Harddisk0\DR0\Partition0
14:03:26.0925 1128 \Device\Harddisk0\DR0\Partition0 - ok
14:03:26.0941 1128 Boot (0x1200) (ce93b4585c22db378ea48048bf3c4575) \Device\Harddisk0\DR0\Partition1
14:03:26.0941 1128 \Device\Harddisk0\DR0\Partition1 - ok
14:03:26.0941 1128 ============================================================
14:03:26.0941 1128 Scan finished
14:03:26.0941 1128 ============================================================
14:03:26.0957 2600 Detected object count: 0
14:03:26.0957 2600 Actual detected object count: 0

aswMBR version 0.9.9.1649 Copyright© 2011 AVAST Software
Run date: 2012-03-05 14:08:40
-----------------------------
14:08:40.018 OS Version: Windows x64 6.1.7601 Service Pack 1
14:08:40.018 Number of processors: 2 586 0x603
14:08:40.019 ComputerName: MININT-KOA32FC UserName: P
14:08:41.900 Initialize success
14:10:03.604 AVAST engine defs: 12030501
14:10:40.857 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000055
14:10:40.859 Disk 0 Vendor: WDC_WD10 05.0 Size: 953869MB BusType: 11
14:10:40.868 Disk 0 MBR read successfully
14:10:40.870 Disk 0 MBR scan
14:10:40.872 Disk 0 Windows 7 default MBR code
14:10:40.875 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 939867 MB offset 2048
14:10:40.908 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 14000 MB offset 1924849664
14:10:40.947 Disk 0 scanning C:\Windows\system32\drivers
14:10:45.012 Service scanning
14:10:55.042 Modules scanning
14:10:55.047 Disk 0 trace - called modules:
14:10:55.059 ntoskrnl.exe CLASSPNP.SYS disk.sys amdxata.sys storport.sys hal.dll amdsata.sys
14:10:55.062 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8004c152d0]
14:10:55.066 3 CLASSPNP.SYS[fffff8800197d43f] -> nt!IofCallDriver -> [0xfffffa8003cf0b80]
14:10:55.070 5 amdxata.sys[fffff88000df57a8] -> nt!IofCallDriver -> \Device\00000055[0xfffffa800489b440]
14:10:56.971 AVAST engine scan C:\Windows
14:10:59.956 AVAST engine scan C:\Windows\system32
14:12:33.305 AVAST engine scan C:\Windows\system32\drivers
14:12:39.363 AVAST engine scan C:\Users\P
14:13:29.469 AVAST engine scan C:\ProgramData
14:13:39.744 Scan finished successfully
14:18:44.024 Disk 0 MBR has been saved successfully to "C:\Users\P\Desktop\MBR.dat"
14:18:44.028 The log file has been saved successfully to "C:\Users\P\Desktop\aswMBR.txt"

Attached Files

  • Attached File  MBR.zip   555 bytes


#6 nasdaq

  • Malware Response Team
  • 19,867 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 06 March 2012 - 10:14 AM

No infection and the Master Boot Record is looking good.

Can you run ComboFix again and post the log?

Let me know what problem persists.

#7 lilking420
  • Topic Starter
  • Members
  • 33 posts
  • Gender:Male

Posted 09 March 2012 - 02:35 AM

At the moment I have found that group policy is installed; this is a Home Premium installation, no network at the moment, and workgroup on the old network... Multiple NTUSER.NT and desktop.ini files all over the drive. I am having issues with all troubleshooters failing as they start, event viewer errors, Device Manager is empty, Disk Management states "unable to connect to virtual disk service", Task Scheduler states "Reading Data Failed", Help and Support links don't do anything. I'm attaching a few files to help... wanted to attach some screenshots but they are too large. Also, I have been researching this further and I have found a possible sq1 compromise (7customizer/sqllite) and certificates I don't think are supposed to be here... Firefox. I am unsure as to how I should go about examining those. Thanks and I look forward to your response. All of this has been an issue since the last clean install just prior to my coming here. Thanks. Please advise.




ComboFix 12-03-04.01 - P 03/09/2012 0:43.3.2 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3836.2980 [GMT -6:00]
Running from: c:\users\P\Desktop\ComboFix.exe
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\P\EULA.txt
c:\users\P\PeerBlock-Setup_v1.1_r518.exe
c:\windows\system32\ReadMe.txt
.
c:\windows\system32\grpconv.exe . . . is missing!!
.
.
((((((((((((((((((((((((( Files Created from 2012-02-09 to 2012-03-09 )))))))))))))))))))))))))))))))
.
.
2012-03-09 02:55 . 2012-03-09 02:55 -------- d-----w- c:\users\P\AppData\Local\Microsoft_Corporation
2012-03-09 01:23 . 2012-03-09 01:54 27016 ----a-w- c:\windows\SysWow64\drivers\PROCEXP141.SYS
2012-03-08 01:27 . 2012-03-08 01:27 -------- d-----w- c:\users\P\AppData\Local\VS Revo Group
2012-03-07 20:50 . 2009-12-30 16:21 31800 ----a-w- c:\windows\system32\drivers\revoflt.sys
2012-03-07 20:50 . 2012-03-07 20:50 -------- d-----w- c:\program files\VS Revo Group
2012-03-07 19:35 . 2010-11-21 03:24 1229824 ----a-w- c:\windows\SysWow64\URLMON.del
2012-03-07 16:46 . 2012-03-07 16:46 -------- d-----r- C:\comment.htt
2012-03-07 14:02 . 2012-03-09 02:24 -------- d-s---w- c:\windows\RestoreSafeDeleted
2012-03-07 09:49 . 2012-03-07 09:49 39184 ----a-w- c:\windows\system32\Partizan.exe
2012-03-07 09:43 . 2012-03-07 09:47 -------- d-----w- C:\BackSys_UnHackME
2012-03-07 09:39 . 2012-03-07 09:39 39184 ----a-w- c:\windows\SysWow64\Partizan.exe
2012-03-07 09:39 . 2012-03-07 09:39 35816 ----a-w- c:\windows\SysWow64\drivers\Partizan.sys
2012-03-07 09:33 . 2012-03-07 09:33 2 --shatw- c:\windows\winstart.bat
2012-03-07 09:33 . 2012-01-23 23:01 12800 ----a-w- c:\windows\SysWow64\drivers\UnHackMeDrv.sys
2012-03-07 09:33 . 2012-03-07 09:41 -------- d-----w- c:\program files (x86)\UnHackMe
2012-03-07 08:01 . 2012-03-07 08:02 -------- d-----w- c:\users\P\security-news.php_files
2012-03-07 05:30 . 2012-03-08 22:27 -------- d-----w- c:\program files\CCleaner
2012-03-06 22:41 . 2012-03-06 22:41 16200 ----a-w- c:\windows\stinger.sys
2012-03-06 22:40 . 2012-03-08 20:44 -------- d-----w- c:\program files (x86)\stinger
2012-03-06 19:09 . 2012-03-06 19:09 -------- d-----w- c:\program files (x86)\Foxit Software
2012-03-06 14:58 . 2010-11-21 03:24 390656 ----a-w- c:\users\P\winlogon.exe.BAK
2012-03-06 14:54 . 2012-03-07 18:15 -------- d-----w- c:\program files (x86)\7-Zip
2012-03-06 12:04 . 2012-03-06 12:04 -------- d-----w- c:\program files (x86)\NirSoft
2012-03-06 11:45 . 2012-03-06 11:45 22 --sha-w- c:\users\P\AppData\Roaming\Sys2662.Config.Repository.bin
2012-03-06 11:44 . 2012-03-06 18:57 -------- d-----w- c:\program files (x86)\jv16 PowerTools 2011
2012-03-06 09:20 . 2012-03-06 09:20 -------- d-----w- c:\users\P\AppData\Roaming\JAM Software
2012-03-06 06:38 . 2012-03-06 06:38 -------- d-----w- c:\users\P\AppData\Roaming\Malwarebytes
2012-03-06 06:37 . 2012-03-06 06:37 -------- d-----w- c:\programdata\Malwarebytes
2012-03-06 06:37 . 2012-03-06 18:57 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-03-06 01:45 . 2010-11-21 07:06 2560 ----a-w- c:\windows\system32\gptext.dll
2012-03-06 01:43 . 2010-11-21 07:06 3584 ----a-w- c:\windows\system32\gpapi.dll
2012-03-06 01:41 . 2010-11-21 07:06 2048 ----a-w- c:\windows\system32\gpprnext.dll
2012-03-06 01:40 . 2010-11-21 07:06 13312 ----a-w- c:\windows\system32\gpupdate.exe
2012-03-06 01:39 . 2010-11-21 07:06 31744 ----a-w- c:\windows\system32\gpresult.exe
2012-03-06 01:09 . 2010-11-21 07:06 57344 ----a-w- c:\windows\system32\gpedit.dll
2012-03-06 00:47 . 2012-03-06 00:47 -------- d-----w- c:\users\P\AppData\Local\Immunet
2012-03-06 00:46 . 2012-03-06 18:47 -------- dc----w- c:\windows\system32\DRVSTORE
2012-03-06 00:00 . 2012-03-06 18:57 -------- d-----w- c:\program files (x86)\ESET
2012-03-05 23:59 . 2012-03-07 15:40 -------- d-----w- C:\symbols
2012-03-05 22:25 . 2012-03-09 06:48 -------- d-----w- c:\program files\PeerBlock
2012-03-05 10:09 . 2012-03-05 10:09 -------- d-----w- c:\program files\Microsoft Windows Performance Toolkit
2012-03-05 10:09 . 2012-03-05 23:42 -------- d-----w- c:\program files\Debugging Tools for Windows (x64)
2012-03-05 10:09 . 2012-03-05 10:09 -------- d-----w- c:\program files (x86)\Application Verifier
2012-03-05 10:09 . 2012-03-05 10:09 -------- d-----w- c:\program files\Application Verifier (x64)
2012-03-05 10:05 . 2012-03-05 10:05 -------- d-----w- c:\program files\Microsoft SDKs
2012-03-05 07:36 . 2012-03-05 07:36 626688 ----a-w- c:\program files (x86)\Mozilla Firefox\msvcr80.dll
2012-03-05 07:36 . 2012-03-05 07:36 548864 ----a-w- c:\program files (x86)\Mozilla Firefox\msvcp80.dll
2012-03-05 07:36 . 2012-03-05 07:36 479232 ----a-w- c:\program files (x86)\Mozilla Firefox\msvcm80.dll
2012-03-05 07:36 . 2012-03-05 07:36 45016 ----a-w- c:\program files (x86)\Mozilla Firefox\mozutils.dll
2012-03-05 07:00 . 2012-03-06 18:57 -------- d-----w- c:\windows\CheckSur
2012-03-05 03:08 . 2012-03-07 05:40 -------- d-----w- c:\users\P\AppData\Roaming\vlc
2012-03-05 03:07 . 2012-03-05 03:07 -------- d-----w- c:\program files (x86)\VideoLAN
2012-03-05 01:55 . 2012-03-05 01:55 -------- d-----w- C:\corrut recylce
2012-03-04 19:55 . 2012-03-07 14:28 -------- d-----w- c:\programdata\Sonic
2012-03-04 19:02 . 2012-03-05 07:29 -------- d-----w- c:\users\P\SecurityScans
2012-03-04 19:01 . 2012-03-04 19:01 -------- d-----w- c:\program files\Microsoft Baseline Security Analyzer 2
2012-03-04 18:28 . 2012-03-04 18:28 -------- d-----w- c:\users\P\AppData\Local\Apps
2012-03-04 17:11 . 2012-02-20 07:05 8643640 ------w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{BBDFD850-EA41-4549-AE86-8A6C19B34C87}\mpengine.dll
2012-03-04 17:02 . 2011-11-19 14:58 77312 ----a-w- c:\windows\system32\packager.dll
2012-03-04 17:02 . 2011-11-19 14:01 67072 ----a-w- c:\windows\SysWow64\packager.dll
2012-03-04 16:29 . 2012-03-04 16:29 162664 ----a-w- c:\programdata\Microsoft\Windows\Sqm\Manifest\Sqm10140.bin
2012-03-04 16:10 . 2012-03-04 16:10 525544 ----a-w- c:\windows\system32\deployJava1.dll
2012-03-04 16:10 . 2012-03-04 16:10 -------- d-----w- c:\program files\Java
2012-03-04 16:09 . 2012-03-04 16:09 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll
2012-03-04 16:09 . 2012-03-04 16:09 -------- d-----w- c:\program files (x86)\Java
2012-03-04 16:06 . 2012-03-04 16:06 -------- d-----w- c:\users\P\AppData\Local\Diagnostics
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-03-04 17:22 . 2011-11-16 05:42 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-02-23 15:18 . 2010-11-21 03:27 279656 ----a-w- c:\windows\system32\MpSigStub.exe
.
.
((((((((((((((((((((((((((((( SnapShot@2012-03-04_19.53.33 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-02-08 13:33 . 2010-02-08 13:33 30616 c:\windows\SysWOW64\vfntlmless.dll
+ 2011-01-07 21:39 . 2011-01-07 21:39 51024 c:\windows\SysWOW64\vcomp100.dll
+ 2011-01-07 21:39 . 2011-01-07 21:39 80720 c:\windows\SysWOW64\mfcm100u.dll
+ 2011-01-07 21:39 . 2011-01-07 21:39 80208 c:\windows\SysWOW64\mfcm100.dll
+ 2011-01-07 21:39 . 2011-01-07 21:39 60752 c:\windows\SysWOW64\mfc100rus.dll
+ 2011-01-07 21:39 . 2011-01-07 21:39 43344 c:\windows\SysWOW64\mfc100kor.dll
+ 2011-01-07 21:39 . 2011-01-07 21:39 43856 c:\windows\SysWOW64\mfc100jpn.dll
+ 2011-01-07 21:39 . 2011-01-07 21:39 62288 c:\windows\SysWOW64\mfc100ita.dll
+ 2011-01-07 21:39 . 2011-01-07 21:39 64336 c:\windows\SysWOW64\mfc100fra.dll
+ 2011-01-07 21:39 . 2011-01-07 21:39 63824 c:\windows\SysWOW64\mfc100esn.dll
+ 2011-01-07 21:39 . 2011-01-07 21:39 55120 c:\windows\SysWOW64\mfc100enu.dll
+ 2011-01-07 21:39 . 2011-01-07 21:39 64336 c:\windows\SysWOW64\mfc100deu.dll
+ 2011-01-07 21:39 . 2011-01-07 21:39 36176 c:\windows\SysWOW64\mfc100cht.dll
+ 2011-01-07 21:39 . 2011-01-07 21:39 36176 c:\windows\SysWOW64\mfc100chs.dll
+ 2010-11-21 03:09 . 2012-03-05 23:59 29970 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2012-03-05 23:59 34872 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2010-02-08 13:32 . 2010-02-08 13:32 38416 c:\windows\system32\vfntlmless.dll
+ 2011-01-07 21:02 . 2011-01-07 21:02 57168 c:\windows\system32\vcomp100.dll
+ 2011-01-07 21:02 . 2011-01-07 21:02 91472 c:\windows\system32\mfcm100u.dll
+ 2011-01-07 21:02 . 2011-01-07 21:02 91472 c:\windows\system32\mfcm100.dll
+ 2011-01-07 21:02 . 2011-01-07 21:02 60752 c:\windows\system32\mfc100rus.dll
+ 2011-01-07 21:02 . 2011-01-07 21:02 43344 c:\windows\system32\mfc100kor.dll
+ 2011-01-07 21:02 . 2011-01-07 21:02 43856 c:\windows\system32\mfc100jpn.dll
+ 2011-01-07 21:02 . 2011-01-07 21:02 62288 c:\windows\system32\mfc100ita.dll
+ 2011-01-07 21:02 . 2011-01-07 21:02 64336 c:\windows\system32\mfc100fra.dll
+ 2011-01-07 21:02 . 2011-01-07 21:02 63824 c:\windows\system32\mfc100esn.dll
+ 2011-01-07 21:02 . 2011-01-07 21:02 55120 c:\windows\system32\mfc100enu.dll
+ 2011-01-07 21:02 . 2011-01-07 21:02 64336 c:\windows\system32\mfc100deu.dll
+ 2011-01-07 21:02 . 2011-01-07 21:02 36176 c:\windows\system32\mfc100cht.dll
+ 2011-01-07 21:02 . 2011-01-07 21:02 36176 c:\windows\system32\mfc100chs.dll
+ 2012-03-06 19:04 . 2012-03-06 16:31 67584 c:\windows\system32\LogFiles\Srt\bootstat.dat
- 2009-07-14 05:30 . 2012-03-04 16:08 86016 c:\windows\system32\DriverStore\infpub.dat
+ 2009-07-14 05:30 . 2012-03-08 01:20 86016 c:\windows\system32\DriverStore\infpub.dat
+ 2009-07-14 04:46 . 2012-03-08 06:18 87976 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\Cache\cache.dat
+ 2012-03-05 05:12 . 2012-03-05 05:12 10240 c:\windows\assembly\NativeImages_v4.0.30319_64\System.Xml.Serializ#\59e70022e798ce28f9f5b8870c5c8bf2\System.Xml.Serialization.ni.dll
+ 2012-03-05 05:12 . 2012-03-05 05:12 43520 c:\windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Pres#\42d44cc48edbf4d5b19af6d6afc6cd62\System.Windows.Presentation.ni.dll
+ 2012-03-05 05:11 . 2012-03-05 05:11 86016 c:\windows\assembly\NativeImages_v4.0.30319_64\System.Web.Applicat#\5c5a54c265c044f359659e6eeff29171\System.Web.ApplicationServices.ni.dll
+ 2012-03-05 04:49 . 2012-03-05 04:49 97792 c:\windows\assembly\NativeImages_v4.0.30319_64\System.AddIn.Contra#\09132e10556be9ab331f43b2a8c52235\System.AddIn.Contract.ni.dll
+ 2012-03-05 04:04 . 2012-03-05 04:04 14336 c:\windows\assembly\NativeImages_v4.0.30319_64\Microsoft.VisualC\49a7edb0d7f35bebc304b303b0700ddc\Microsoft.VisualC.ni.dll
+ 2012-03-05 04:03 . 2012-03-05 04:03 10752 c:\windows\assembly\NativeImages_v4.0.30319_64\dfsvc\5b39108886107f654624373c54000e3c\dfsvc.ni.exe
+ 2012-03-05 04:03 . 2012-03-05 04:03 58368 c:\windows\assembly\NativeImages_v4.0.30319_64\Accessibility\41d4534c5a98fd1bc7edc2f73cd41a0a\Accessibility.ni.dll
+ 2012-03-05 04:03 . 2012-03-05 04:03 60416 c:\windows\assembly\NativeImages_v2.0.50727_64\System.Windows.Pres#\265f654b8eed2ac1e42d225a30433c37\System.Windows.Presentation.ni.dll
+ 2012-03-05 04:03 . 2012-03-05 04:03 54784 c:\windows\assembly\NativeImages_v2.0.50727_64\System.Web.DynamicD#\62889e05923a83fa32400e7f3b28f9c6\System.Web.DynamicData.Design.ni.dll
+ 2012-03-05 04:02 . 2012-03-05 04:02 72192 c:\windows\assembly\NativeImages_v2.0.50727_64\PresentationFontCac#\c1577aa4e5874f1debc9a63343e5a0d7\PresentationFontCache.ni.exe
+ 2012-03-05 04:02 . 2012-03-05 04:02 33792 c:\windows\assembly\NativeImages_v2.0.50727_64\Microsoft.WSMan.Run#\2d80e48139b13bf06e85c0c1db06bc20\Microsoft.WSMan.Runtime.ni.dll
+ 2012-03-05 04:02 . 2012-03-05 04:02 45056 c:\windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Windows.D#\df5c0dac9e7db175acc8a9755942f87f\Microsoft.Windows.Diagnosis.Commands.UpdateDiagReport.ni.dll
+ 2012-03-05 04:02 . 2012-03-05 04:02 36864 c:\windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Windows.D#\8a9356f77bd1d1155202f59119ee57c9\Microsoft.Windows.Diagnosis.Commands.WriteDiagProgress.ni.dll
+ 2012-03-05 04:02 . 2012-03-05 04:02 59904 c:\windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Windows.D#\8260ae5a7d4a7e7cd907c958858da284\Microsoft.Windows.Diagnosis.SDHost.ni.dll
+ 2012-03-05 04:02 . 2012-03-05 04:02 40448 c:\windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Windows.D#\4e53199f22c13aa3e4bc6f063da0aee7\Microsoft.Windows.Diagnosis.Commands.UpdateDiagRootcause.ni.dll
+ 2012-03-05 04:02 . 2012-03-05 04:02 70144 c:\windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Windows.D#\371120a0816ba5ce909b8e1341da376f\Microsoft.Windows.Diagnosis.SDEngine.ni.dll
+ 2012-03-05 04:02 . 2012-03-05 04:02 43520 c:\windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Windows.D#\0f361440d7cbda4bf5b44bfbd4623812\Microsoft.Windows.Diagnosis.Commands.GetDiagInput.ni.dll
+ 2011-11-16 10:28 . 2012-03-05 09:51 1744 c:\windows\system32\wdi\ERCQueuedResolutions.dat
+ 2011-11-16 10:31 . 2012-03-05 23:59 5810 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-4250527756-4061364433-3525517181-1002_UserData.bin
+ 2012-03-05 10:09 . 2012-03-05 10:09 3638 c:\windows\Installer\{89026002-A893-42D9-9E20-6829B844735E}\AvrfIcon.exe
+ 2010-02-08 13:33 . 2010-02-08 13:33 138768 c:\windows\SysWOW64\vrfcore.dll
+ 2010-02-08 13:33 . 2010-02-08 13:33 359320 c:\windows\SysWOW64\vfprintpthelper.dll
+ 2010-02-08 13:33 . 2010-02-08 13:33 288664 c:\windows\SysWOW64\vfprint.dll
+ 2010-02-08 13:33 . 2010-02-08 13:33 230296 c:\windows\SysWOW64\vfLuaPriv.dll
+ 2010-02-08 13:33 . 2010-02-08 13:33 161176 c:\windows\SysWOW64\vfcompat.dll
+ 2010-02-08 13:33 . 2010-02-08 13:33 337304 c:\windows\SysWOW64\vfbasics.dll
+ 2011-01-07 21:39 . 2011-01-07 21:39 768848 c:\windows\SysWOW64\msvcr100.dll
+ 2011-01-07 21:39 . 2011-01-07 21:39 421200 c:\windows\SysWOW64\msvcp100.dll
+ 2011-01-07 21:39 . 2011-01-07 21:39 137544 c:\windows\SysWOW64\atl100.dll
+ 2010-02-08 13:33 . 2010-02-08 13:33 165272 c:\windows\SysWOW64\appverif.exe
+ 2010-02-08 13:32 . 2010-02-08 13:32 154520 c:\windows\system32\vrfcore.dll
+ 2010-02-08 13:33 . 2010-02-08 13:33 717720 c:\windows\system32\vfprintpthelper.dll
+ 2010-02-08 13:32 . 2010-02-08 13:32 414736 c:\windows\system32\vfprint.dll
+ 2010-02-08 13:32 . 2010-02-08 13:32 266136 c:\windows\system32\vfLuaPriv.dll
+ 2010-02-08 13:33 . 2010-02-08 13:33 179096 c:\windows\system32\vfcompat.dll
+ 2010-02-08 13:33 . 2010-02-08 13:33 386576 c:\windows\system32\vfbasics.dll
+ 2009-07-14 02:36 . 2012-03-08 01:21 623940 c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2012-03-08 01:21 106316 c:\windows\system32\perfc009.dat
+ 2011-02-19 06:52 . 2011-02-19 06:52 829264 c:\windows\system32\msvcr100.dll
+ 2011-02-20 04:51 . 2011-02-20 04:51 608080 c:\windows\system32\msvcp100.dll
+ 2009-07-14 04:45 . 2012-03-08 03:42 304688 c:\windows\system32\FNTCACHE.DAT
+ 2009-07-14 05:30 . 2012-03-08 01:20 143360 c:\windows\system32\DriverStore\infstrng.dat
- 2009-07-14 05:30 . 2012-03-04 16:08 143360 c:\windows\system32\DriverStore\infstrng.dat
- 2009-07-14 05:30 . 2011-11-16 14:37 143360 c:\windows\system32\DriverStore\infstor.dat
+ 2009-07-14 05:30 . 2012-03-07 05:32 143360 c:\windows\system32\DriverStore\infstor.dat
+ 2010-11-21 03:23 . 2010-11-21 03:23 350208 c:\windows\system32\drivers\HdAudio.sys
- 2009-07-14 05:38 . 2011-11-02 19:25 262144 c:\windows\system32\config\systemprofile\ntuser.dat
+ 2009-07-14 05:38 . 2012-03-06 19:02 262144 c:\windows\system32\config\systemprofile\ntuser.dat
+ 2011-01-07 21:02 . 2011-01-07 21:02 158536 c:\windows\system32\atl100.dll
+ 2010-02-08 13:33 . 2010-02-08 13:33 205208 c:\windows\system32\appverif.exe
+ 2009-07-14 05:01 . 2012-03-08 21:35 264152 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2012-03-05 10:05 . 2012-03-05 10:05 759808 c:\windows\Installer\d9301.msi
+ 2012-03-05 10:05 . 2012-03-05 10:05 790528 c:\windows\Installer\d92fb.msi
+ 2012-03-05 10:05 . 2012-03-05 10:05 974336 c:\windows\Installer\d92f1.msi
+ 2010-03-19 15:19 . 2010-03-19 15:19 155136 c:\windows\Installer\d8422.msi
+ 2010-03-19 14:55 . 2010-03-19 14:55 168960 c:\windows\Installer\d24f8.msi
+ 2012-03-05 10:05 . 2012-03-05 10:05 692224 c:\windows\Installer\d24f2.msi
+ 2012-03-05 05:12 . 2012-03-05 05:12 336896 c:\windows\assembly\NativeImages_v4.0.30319_64\WindowsFormsIntegra#\6bdb6c455153a223a2180c883ea5a06c\WindowsFormsIntegration.ni.dll
+ 2012-03-05 04:48 . 2012-03-05 04:48 231424 c:\windows\assembly\NativeImages_v4.0.30319_64\UIAutomationTypes\a5daacd5d0f46d77f10814f975152b34\UIAutomationTypes.ni.dll
+ 2012-03-05 04:48 . 2012-03-05 04:48 122368 c:\windows\assembly\NativeImages_v4.0.30319_64\UIAutomationProvider\86dd26195072a7ba1241c316a90d76c0\UIAutomationProvider.ni.dll
+ 2012-03-05 05:12 . 2012-03-05 05:12 645120 c:\windows\assembly\NativeImages_v4.0.30319_64\UIAutomationClient\8df6331b51fe3ae5b9d0cf8c582d3f84\UIAutomationClient.ni.dll
+ 2012-03-05 04:48 . 2012-03-05 04:48 528896 c:\windows\assembly\NativeImages_v4.0.30319_64\System.Xml.Linq\6bc2cf9d31ae7e22349af3ddb1306c96\System.Xml.Linq.ni.dll
+ 2012-03-05 04:48 . 2012-03-05 04:48 256000 c:\windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Inpu#\f9e5fcb862d898327924fcac2ff47c4d\System.Windows.Input.Manipulations.ni.dll
+ 2012-03-05 04:48 . 2012-03-05 04:48 903168 c:\windows\assembly\NativeImages_v4.0.30319_64\System.Transactions\5f61f0305f22aed705e0680f58fc5d89\System.Transactions.ni.dll
+ 2012-03-05 05:11 . 2012-03-05 05:11 281088 c:\windows\assembly\NativeImages_v4.0.30319_64\System.ServiceProce#\6afb4b90a21aae2e499f577b92102b85\System.ServiceProcess.ni.dll
+ 2012-03-05 05:11 . 2012-03-05 05:11 517120 c:\windows\assembly\NativeImages_v4.0.30319_64\System.ServiceModel#\bfb5e1c0961fe330c89c043a188cc807\System.ServiceModel.Routing.ni.dll
+ 2012-03-05 05:11 . 2012-03-05 05:11 108032 c:\windows\assembly\NativeImages_v4.0.30319_64\System.ServiceModel#\671c48760746239f2dfb0b64a7413624\System.ServiceModel.Channels.ni.dll
+ 2012-03-05 04:04 . 2012-03-05 04:04 946688 c:\windows\assembly\NativeImages_v4.0.30319_64\System.Security\d8342f4b914e190a9e5c89c7703dd11f\System.Security.ni.dll
+ 2012-03-05 04:48 . 2012-03-05 04:48 376832 c:\windows\assembly\NativeImages_v4.0.30319_64\System.Runtime.Seri#\9426384a1d2d2e815e093a0fe88da585\System.Runtime.Serialization.Formatters.Soap.ni.dll
+ 2012-03-05 04:48 . 2012-03-05 04:48 987648 c:\windows\assembly\NativeImages_v4.0.30319_64\System.Runtime.Remo#\73d3849c909668636452b43f54edb54e\System.Runtime.Remoting.ni.dll
+ 2012-03-05 04:04 . 2012-03-05 04:04 176640 c:\windows\assembly\NativeImages_v4.0.30319_64\System.Numerics\55ac95edd96a5e6b675bb9b42d460b0b\System.Numerics.ni.dll
+ 2012-03-05 05:11 . 2012-03-05 05:11 933376 c:\windows\assembly\NativeImages_v4.0.30319_64\System.Net\21fa922f90a47d10fd11107efff5ea4f\System.Net.ni.dll
+ 2012-03-05 05:11 . 2012-03-05 05:11 781824 c:\windows\assembly\NativeImages_v4.0.30319_64\System.Messaging\c07fc2256ec2210bfd7f7abf1639833e\System.Messaging.ni.dll
+ 2012-03-05 05:11 . 2012-03-05 05:11 521728 c:\windows\assembly\NativeImages_v4.0.30319_64\System.Management.I#\655c314109b3ab211e13b88d0769651b\System.Management.Instrumentation.ni.dll
+ 2012-03-05 05:11 . 2012-03-05 05:11 531456 c:\windows\assembly\NativeImages_v4.0.30319_64\System.IO.Log\cf1c0c4152c5548179dd3e2870f25cc4\System.IO.Log.ni.dll
+ 2012-03-05 05:11 . 2012-03-05 05:11 290816 c:\windows\assembly\NativeImages_v4.0.30319_64\System.IdentityMode#\d8dc2ea040e12c679b5d779370a19e58\System.IdentityModel.Selectors.ni.dll
+ 2012-03-05 04:48 . 2012-03-05 04:48 348672 c:\windows\assembly\NativeImages_v4.0.30319_64\System.EnterpriseSe#\fef2650a5b3bf39527150b4058762611\System.EnterpriseServices.Wrapper.dll
+ 2012-03-05 04:04 . 2012-03-05 04:04 512000 c:\windows\assembly\NativeImages_v4.0.30319_64\System.Dynamic\994e60f26b11755207e9c7ebb9fd688b\System.Dynamic.ni.dll
+ 2012-03-05 05:10 . 2012-03-05 05:10 632832 c:\windows\assembly\NativeImages_v4.0.30319_64\System.DirectorySer#\bc62e3c6c42db6e63c18038e9bac5a5c\System.DirectoryServices.Protocols.ni.dll
+ 2012-03-05 05:10 . 2012-03-05 05:10 141824 c:\windows\assembly\NativeImages_v4.0.30319_64\System.Device\5373b5adf6f12ca3ac8806827259a986\System.Device.ni.dll
+ 2012-03-05 04:49 . 2012-03-05 04:49 176128 c:\windows\assembly\NativeImages_v4.0.30319_64\System.Data.DataSet#\938f42c2d694b3935ca890fee7d0c8a7\System.Data.DataSetExtensions.ni.dll
+ 2012-03-05 04:49 . 2012-03-05 04:49 181760 c:\windows\assembly\NativeImages_v4.0.30319_64\System.Configuratio#\cde466cd9b88dc7857c40ac43bf7632c\System.Configuration.Install.ni.dll
+ 2012-03-05 04:49 . 2012-03-05 04:49 255488 c:\windows\assembly\NativeImages_v4.0.30319_64\System.ComponentMod#\081bebeff0574ed1969b05eafab5b342\System.ComponentModel.DataAnnotations.ni.dll
+ 2012-03-05 04:49 . 2012-03-05 04:49 865792 c:\windows\assembly\NativeImages_v4.0.30319_64\System.AddIn\e88489a8cc6a68a7ebb4617d1a20e5e7\System.AddIn.ni.dll
+ 2012-03-05 04:49 . 2012-03-05 04:49 560640 c:\windows\assembly\NativeImages_v4.0.30319_64\System.Activities.D#\ba36345815c2011c3f054ebee01a0569\System.Activities.DurableInstancing.ni.dll
+ 2012-03-05 04:03 . 2012-03-05 04:03 432128 c:\windows\assembly\NativeImages_v4.0.30319_64\SMSvcHost\70edc7fbf7505880ab1652b35f6e9517\SMSvcHost.ni.exe
+ 2012-03-05 04:48 . 2012-03-05 04:48 185344 c:\windows\assembly\NativeImages_v4.0.30319_64\SMDiagnostics\9d160b8d7c69ce50ac1db59a8fa2bcb5\SMDiagnostics.ni.dll
+ 2012-03-05 04:48 . 2012-03-05 04:48 622592 c:\windows\assembly\NativeImages_v4.0.30319_64\PresentationFramewo#\dbb2bb145d0bac0d0615f52739ad2702\PresentationFramework.Aero.ni.dll
+ 2012-03-05 04:48 . 2012-03-05 04:48 428032 c:\windows\assembly\NativeImages_v4.0.30319_64\PresentationFramewo#\4d9a6f376f83a6ea5b71a678566ee1de\PresentationFramework.Royale.ni.dll
+ 2012-03-05 04:48 . 2012-03-05 04:48 802304 c:\windows\assembly\NativeImages_v4.0.30319_64\PresentationFramewo#\3ec560f5f3b643e02b6025363034d624\PresentationFramework.Luna.ni.dll
+ 2012-03-05 04:48 . 2012-03-05 04:48 349184 c:\windows\assembly\NativeImages_v4.0.30319_64\PresentationFramewo#\1767cdd5d245b5087045d1ad2fbdd8fd\PresentationFramework.Classic.ni.dll
+ 2012-03-05 04:04 . 2012-03-05 04:04 289280 c:\windows\assembly\NativeImages_v4.0.30319_64\Microsoft.VisualBas#\10abc6daca21b4d51f5e34abe73cb5cb\Microsoft.VisualBasic.Compatibility.Data.ni.dll
+ 2012-03-05 04:04 . 2012-03-05 04:04 600064 c:\windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Transacti#\385ffb17c4890d76682d1d0c81f39e09\Microsoft.Transactions.Bridge.Dtc.ni.dll
+ 2012-03-05 04:03 . 2012-03-05 04:03 279552 c:\windows\assembly\NativeImages_v4.0.30319_64\CustomMarshalers\39973e3573bd27e6897e631ac1570c85\CustomMarshalers.ni.dll
+ 2012-03-05 04:03 . 2012-03-05 04:03 468992 c:\windows\assembly\NativeImages_v2.0.50727_64\WsatConfig\600f8ca5fcc54f10623903952fcc10ac\WsatConfig.ni.exe
+ 2012-03-05 04:03 . 2012-03-05 04:03 329216 c:\windows\assembly\NativeImages_v2.0.50727_64\WindowsFormsIntegra#\ddb96c334583dc79463edcb14ae16c99\WindowsFormsIntegration.ni.dll
+ 2012-03-05 04:02 . 2012-03-05 04:02 653312 c:\windows\assembly\NativeImages_v2.0.50727_64\UIAutomationClient\152b577b846875cb3ac5e2097451daf0\UIAutomationClient.ni.dll
+ 2012-03-05 04:03 . 2012-03-05 04:03 304128 c:\windows\assembly\NativeImages_v2.0.50727_64\TaskScheduler\fb5fce5cf09733b71a796d1da399f07a\TaskScheduler.ni.dll
+ 2012-03-05 04:03 . 2012-03-05 04:03 529920 c:\windows\assembly\NativeImages_v2.0.50727_64\System.Xml.Linq\bc3bbe78635aeacaeea3b310ea5ff002\System.Xml.Linq.ni.dll
+ 2012-03-05 04:03 . 2012-03-05 04:03 187392 c:\windows\assembly\NativeImages_v2.0.50727_64\System.Web.Routing\894b696a87ad47b5e18ac89954813a94\System.Web.Routing.ni.dll
+ 2012-03-05 04:03 . 2012-03-05 04:03 449024 c:\windows\assembly\NativeImages_v2.0.50727_64\System.Web.Entity\a6885ee42ea49eb80f1bd18a5252684d\System.Web.Entity.ni.dll
+ 2012-03-05 04:03 . 2012-03-05 04:03 398848 c:\windows\assembly\NativeImages_v2.0.50727_64\System.Web.Entity.D#\88ffeea88ac9ce23de0c5a27a95e773a\System.Web.Entity.Design.ni.dll
+ 2012-03-05 04:03 . 2012-03-05 04:03 753664 c:\windows\assembly\NativeImages_v2.0.50727_64\System.Web.DynamicD#\7a311c3305dbbd5cfa2613997608a4ae\System.Web.DynamicData.ni.dll
+ 2012-03-05 04:03 . 2012-03-05 04:03 204800 c:\windows\assembly\NativeImages_v2.0.50727_64\System.Web.Abstract#\e5069f3c90b4413dd2f3dc226c80bc68\System.Web.Abstractions.ni.dll
+ 2012-03-05 04:03 . 2012-03-05 04:03 916480 c:\windows\assembly\NativeImages_v2.0.50727_64\System.Net\e238ca4ca02f9309283c98e1a4235bbd\System.Net.ni.dll
+ 2012-03-05 04:03 . 2012-03-05 04:03 534016 c:\windows\assembly\NativeImages_v2.0.50727_64\System.Management.I#\c340633057ed6b9ffcf2214cb348a1fa\System.Management.Instrumentation.ni.dll
+ 2012-03-05 04:03 . 2012-03-05 04:03 569856 c:\windows\assembly\NativeImages_v2.0.50727_64\System.IO.Log\c24a84d54ad05618cf6cab545c31b06b\System.IO.Log.ni.dll
+ 2012-03-05 04:03 . 2012-03-05 04:03 629760 c:\windows\assembly\NativeImages_v2.0.50727_64\System.Data.Service#\be6635364f1af379afff83dd877a4e03\System.Data.Services.Design.ni.dll
+ 2012-03-05 04:02 . 2012-03-05 04:02 194560 c:\windows\assembly\NativeImages_v2.0.50727_64\System.Data.DataSet#\027959159200e828ccfddaef5f01b3a9\System.Data.DataSetExtensions.ni.dll
+ 2012-03-05 04:02 . 2012-03-05 04:02 132096 c:\windows\assembly\NativeImages_v2.0.50727_64\System.ComponentMod#\8c954be3f8d070b1364844741ff4b4b1\System.ComponentModel.DataAnnotations.ni.dll
+ 2012-03-05 04:02 . 2012-03-05 04:02 889344 c:\windows\assembly\NativeImages_v2.0.50727_64\System.AddIn\bd9159951d0caa9bf5c90c44fc96661b\System.AddIn.ni.dll
+ 2012-03-05 04:02 . 2012-03-05 04:02 156672 c:\windows\assembly\NativeImages_v2.0.50727_64\System.AddIn.Contra#\edf038eef2dc9f21b13da8bdc046a834\System.AddIn.Contract.ni.dll
+ 2012-03-05 04:03 . 2012-03-05 04:03 297984 c:\windows\assembly\NativeImages_v2.0.50727_64\sysglobl\0ba53d547dabd039b0cfc9ce52fa6c57\sysglobl.ni.dll
+ 2012-03-05 04:02 . 2012-03-05 04:02 525824 c:\windows\assembly\NativeImages_v2.0.50727_64\SMSvcHost\8bfc7a328911ae69686576bd24f4f771\SMSvcHost.ni.exe
+ 2012-03-05 04:02 . 2012-03-05 04:02 855040 c:\windows\assembly\NativeImages_v2.0.50727_64\napsnap\9c808282a0cfdc5bafcb43e1778d97d6\napsnap.ni.dll
+ 2012-03-05 04:02 . 2012-03-05 04:02 162816 c:\windows\assembly\NativeImages_v2.0.50727_64\napinit\616ce317134d4225fc7eec80f9351855\napinit.ni.dll
+ 2012-03-05 04:02 . 2012-03-05 04:02 175104 c:\windows\assembly\NativeImages_v2.0.50727_64\naphlpr\fd2464358cddfa04f46d55b9153249e3\naphlpr.ni.dll
+ 2012-03-05 04:02 . 2012-03-05 04:02 127488 c:\windows\assembly\NativeImages_v2.0.50727_64\napcrypt\717cc07bafa8f50a6f87be383fa9018b\napcrypt.ni.dll
+ 2012-03-05 04:02 . 2012-03-05 04:02 184320 c:\windows\assembly\NativeImages_v2.0.50727_64\MSBuild\a4b5d98bf175a3f10c47f223195c34b0\MSBuild.ni.exe
+ 2012-03-05 04:02 . 2012-03-05 04:02 681984 c:\windows\assembly\NativeImages_v2.0.50727_64\Microsoft.WSMan.Man#\04532b2b5174ca249e01a8b21d0ba6fd\Microsoft.WSMan.Management.ni.dll
+ 2012-03-05 04:02 . 2012-03-05 04:02 122368 c:\windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Windows.D#\5cd854d075caf8b50de3c803b4303e03\Microsoft.Windows.Diagnosis.TroubleshootingPack.ni.dll
+ 2012-03-05 04:01 . 2012-03-05 04:01 105984 c:\windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Vsa\cb1c199305d00b2424e707311eb9dcfd\Microsoft.Vsa.ni.dll
+ 2012-03-05 04:02 . 2012-03-05 04:02 584192 c:\windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Transacti#\b2438f632ab1dcbb1cb91c5a1226aaf1\Microsoft.Transactions.Bridge.Dtc.ni.dll
+ 2012-03-05 04:02 . 2012-03-05 04:02 999936 c:\windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\d7f5b39fba028d2f9e2b3a772845a2a6\Microsoft.PowerShell.GraphicalHost.ni.dll
+ 2012-03-05 04:02 . 2012-03-05 04:02 416768 c:\windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\99bb7896ddbe74236efaa97733c63cbc\Microsoft.PowerShell.Commands.Diagnostics.ni.dll
+ 2012-03-05 04:02 . 2012-03-05 04:02 713216 c:\windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\71542ecf96342dc1464fe471852be89a\Microsoft.PowerShell.ConsoleHost.ni.dll
+ 2012-03-05 04:02 . 2012-03-05 04:02 237056 c:\windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\0bafa5e2dc431bb12108395cf2e18773\Microsoft.PowerShell.Security.ni.dll
+ 2011-01-07 21:39 . 2011-01-07 21:39 4368720 c:\windows\SysWOW64\mfc100u.dll
+ 2011-01-07 21:39 . 2011-01-07 21:39 4342600 c:\windows\SysWOW64\mfc100.dll
+ 2009-06-25 19:20 . 2009-06-25 19:20 1485176 c:\windows\SysWOW64\LegitCheckControl.DLL
+ 1999-05-06 04:22 . 2010-11-21 03:24 1490944 c:\windows\system32\urlmon.dll
+ 2011-01-07 21:02 . 2011-01-07 21:02 5523280 c:\windows\system32\mfc100u.dll
+ 2011-01-07 21:02 . 2011-01-07 21:02 5493576 c:\windows\system32\mfc100.dll
+ 2009-07-14 04:45 . 2012-03-08 03:45 7189662 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\tokens.dat
- 2009-07-14 04:45 . 2012-03-04 17:23 7189662 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\tokens.dat
+ 2011-11-16 09:20 . 2012-03-05 23:54 8131536 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-4250527756-4061364433-3525517181-1002-8192.dat
+ 2011-11-16 09:20 . 2012-03-05 10:22 2418240 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-4250527756-4061364433-3525517181-1002-4096.dat
+ 2011-01-08 02:05 . 2011-01-08 02:05 4583936 c:\windows\Installer\d9331.msp
+ 2012-03-05 10:06 . 2012-03-05 10:06 2447872 c:\windows\Installer\d9307.msi
+ 2011-01-08 02:10 . 2011-01-08 02:10 3991040 c:\windows\Installer\135316.msp
+ 2012-03-05 04:04 . 2012-03-05 04:04 5237248 c:\windows\assembly\NativeImages_v4.0.30319_64\WindowsBase\9d5feeb6727e222673d5bd89f0620ddd\WindowsBase.ni.dll
+ 2012-03-05 05:12 . 2012-03-05 05:12 1430016 c:\windows\assembly\NativeImages_v4.0.30319_64\UIAutomationClients#\68f44d619637fac197ee6c8ac9f2aec9\UIAutomationClientsideProviders.ni.dll
+ 2012-03-05 04:04 . 2012-03-05 04:04 7037952 c:\windows\assembly\NativeImages_v4.0.30319_64\System.Xml\ff247393a6deb90d63811aa88c84dc7e\System.Xml.ni.dll
+ 2012-03-05 04:48 . 2012-03-05 04:48 2449408 c:\windows\assembly\NativeImages_v4.0.30319_64\System.Xaml\e158bd31f13cbc20f6fc7c7f426113d7\System.Xaml.ni.dll
+ 2012-03-05 05:12 . 2012-03-05 05:12 5627904 c:\windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Form#\843d0370292b7b124f9b9231f87e8e6a\System.Windows.Forms.DataVisualization.ni.dll
+ 2012-03-05 05:11 . 2012-03-05 05:11 2236416 c:\windows\assembly\NativeImages_v4.0.30319_64\System.Web.Services\be0e793afecb54a67a688e4528676e70\System.Web.Services.ni.dll
+ 2012-03-05 05:11 . 2012-03-05 05:11 2735616 c:\windows\assembly\NativeImages_v4.0.30319_64\System.Speech\ae3a837b63de8d3f3fc63a7bfc16589a\System.Speech.ni.dll
+ 2012-03-05 05:11 . 2012-03-05 05:11 1579008 c:\windows\assembly\NativeImages_v4.0.30319_64\System.ServiceModel#\aec154cbfb0eec1497fb89ebd6deb344\System.ServiceModel.Discovery.ni.dll
+ 2012-03-05 05:11 . 2012-03-05 05:11 1918976 c:\windows\assembly\NativeImages_v4.0.30319_64\System.ServiceModel#\80b8b6324a73493227b2672b2d6820d3\System.ServiceModel.Activities.ni.dll
+ 2012-03-05 04:48 . 2012-03-05 04:48 3412992 c:\windows\assembly\NativeImages_v4.0.30319_64\System.Runtime.Seri#\717540eea541a2769a6cf621fd948678\System.Runtime.Serialization.ni.dll
+ 2012-03-05 04:48 . 2012-03-05 04:48 1348096 c:\windows\assembly\NativeImages_v4.0.30319_64\System.Runtime.Dura#\dc7fbde064d5710780a6b8f27554dc57\System.Runtime.DurableInstancing.ni.dll
+ 2012-03-05 04:49 . 2012-03-05 04:49 1467392 c:\windows\assembly\NativeImages_v4.0.30319_64\System.Printing\31c34917df5f24f1ffdd62bfa23f2fb7\System.Printing.ni.dll
+ 2012-03-05 05:11 . 2012-03-05 05:11 1470464 c:\windows\assembly\NativeImages_v4.0.30319_64\System.Management\15112a35e0e355fc344792e49c41628f\System.Management.ni.dll
+ 2012-03-05 05:11 . 2012-03-05 05:11 1416192 c:\windows\assembly\NativeImages_v4.0.30319_64\System.IdentityModel\bffc049b6775c3f6f144917a4387a0be\System.IdentityModel.ni.dll
+ 2012-03-05 04:48 . 2012-03-05 04:48 1098752 c:\windows\assembly\NativeImages_v4.0.30319_64\System.EnterpriseSe#\fef2650a5b3bf39527150b4058762611\System.EnterpriseServices.ni.dll
+ 2012-03-05 04:48 . 2012-03-05 04:48 2290688 c:\windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\0443ad47a6be56beca12a7a13261c8ed\System.Drawing.ni.dll
+ 2012-03-05 05:10 . 2012-03-05 05:10 1217536 c:\windows\assembly\NativeImages_v4.0.30319_64\System.DirectorySer#\d94ef12e883b2354af26f19ec7e25110\System.DirectoryServices.AccountManagement.ni.dll
+ 2012-03-05 04:48 . 2012-03-05 04:48 1622528 c:\windows\assembly\NativeImages_v4.0.30319_64\System.DirectorySer#\026c74ff72ba4fce837134953778e755\System.DirectoryServices.ni.dll
+ 2012-03-05 04:48 . 2012-03-05 04:48 2402816 c:\windows\assembly\NativeImages_v4.0.30319_64\System.Deployment\e8e5fcc8e7eb9ce898be3c22e8902ee4\System.Deployment.ni.dll
+ 2012-03-05 04:48 . 2012-03-05 04:48 8601600 c:\windows\assembly\NativeImages_v4.0.30319_64\System.Data\8d734fe538fe6f226eab465c8d8e3d5c\System.Data.ni.dll
+ 2012-03-05 04:04 . 2012-03-05 04:04 3390976 c:\windows\assembly\NativeImages_v4.0.30319_64\System.Data.SqlXml\83aa1c4f17f57067d3be29e560331349\System.Data.SqlXml.ni.dll
+ 2012-03-05 05:10 . 2012-03-05 05:10 1798656 c:\windows\assembly\NativeImages_v4.0.30319_64\System.Data.Service#\6a0bcd0e756819ea795b161d2156e9a8\System.Data.Services.Client.ni.dll
+ 2012-03-05 05:10 . 2012-03-05 05:10 3386368 c:\windows\assembly\NativeImages_v4.0.30319_64\System.Data.Linq\1548624d8ec5142825864c5f59be9b49\System.Data.Linq.ni.dll
+ 2012-03-05 04:04 . 2012-03-05 04:04 1257472 c:\windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\2672be84bcad1c772163d15db0e2864e\System.Configuration.ni.dll
+ 2012-03-05 04:49 . 2012-03-05 04:49 1007616 c:\windows\assembly\NativeImages_v4.0.30319_64\System.ComponentMod#\228bb21cab2c9ce2f69d5e24a9352a3f\System.ComponentModel.Composition.ni.dll
+ 2012-03-05 04:49 . 2012-03-05 04:49 5695488 c:\windows\assembly\NativeImages_v4.0.30319_64\System.Activities\36f5aa69b510e3aeb24ef402d12c20e0\System.Activities.ni.dll
+ 2012-03-05 04:49 . 2012-03-05 04:49 5048832 c:\windows\assembly\NativeImages_v4.0.30319_64\System.Activities.P#\7be5ac01354a0c03d5587607687de1e1\System.Activities.Presentation.ni.dll
+ 2012-03-05 04:49 . 2012-03-05 04:49 2064896 c:\windows\assembly\NativeImages_v4.0.30319_64\System.Activities.C#\8d549e47084ec2661c944a1eeb9a2be5\System.Activities.Core.Presentation.ni.dll
+ 2012-03-05 04:49 . 2012-03-05 04:49 4232704 c:\windows\assembly\NativeImages_v4.0.30319_64\ReachFramework\8d8f46afc9b2b65144f29a609f63398e\ReachFramework.ni.dll
+ 2012-03-05 04:48 . 2012-03-05 04:48 2056192 c:\windows\assembly\NativeImages_v4.0.30319_64\PresentationUI\735f127d0957bacdfe6522f0b8a2dcb0\PresentationUI.ni.dll
+ 2012-03-05 04:04 . 2012-03-05 04:04 1623040 c:\windows\assembly\NativeImages_v4.0.30319_64\Microsoft.VisualBas#\6b82e7a7001a661cb712067b75b7c5ec\Microsoft.VisualBasic.Activities.Compiler.ni.dll
+ 2012-03-05 04:04 . 2012-03-05 04:04 1838080 c:\windows\assembly\NativeImages_v4.0.30319_64\Microsoft.VisualBas#\6a21c9b7113a1bd6eddff12e138fc96b\Microsoft.VisualBasic.Compatibility.ni.dll
+ 2012-03-05 04:04 . 2012-03-05 04:04 2317312 c:\windows\assembly\NativeImages_v4.0.30319_64\Microsoft.VisualBas#\60ff6c1510fb0e2d70e616650eb7ae47\Microsoft.VisualBasic.ni.dll
+ 2012-03-05 04:04 . 2012-03-05 04:04 1526784 c:\windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Transacti#\2e6537fafd64c81032b0aaebb7d3180a\Microsoft.Transactions.Bridge.ni.dll
+ 2012-03-05 05:11 . 2012-03-05 05:11 3313664 c:\windows\assembly\NativeImages_v4.0.30319_64\Microsoft.JScript\f38dbc9d7ebe981a7c22b72dffb4a2af\Microsoft.JScript.ni.dll
+ 2012-03-05 04:04 . 2012-03-05 04:04 2009600 c:\windows\assembly\NativeImages_v4.0.30319_64\Microsoft.CSharp\1cf22b5ea0ef63e71b6416a36b656b8a\Microsoft.CSharp.ni.dll
+ 2012-03-05 04:03 . 2012-03-05 04:03 1459712 c:\windows\assembly\NativeImages_v2.0.50727_64\UIAutomationClients#\dac9f71ca1332da2a359e2d07589b7e9\UIAutomationClientsideProviders.ni.dll
+ 2012-03-05 04:03 . 2012-03-05 04:03 1818112 c:\windows\assembly\NativeImages_v2.0.50727_64\System.WorkflowServ#\5571a92171f93c8a4806b9f1805f1c56\System.WorkflowServices.ni.dll
+ 2012-03-05 04:03 . 2012-03-05 04:03 3336704 c:\windows\assembly\NativeImages_v2.0.50727_64\System.Web.Mobile\2b012fd0a270bdac848843047bb93312\System.Web.Mobile.ni.dll
+ 2012-03-05 04:03 . 2012-03-05 04:03 3044352 c:\windows\assembly\NativeImages_v2.0.50727_64\System.Web.Extensio#\cf203792167bd243b057b8daf79e0d98\System.Web.Extensions.ni.dll
+ 2012-03-05 04:03 . 2012-03-05 04:03 1155072 c:\windows\assembly\NativeImages_v2.0.50727_64\System.Web.Extensio#\7f261dc1eaa3e4e0b93c44678888dd44\System.Web.Extensions.Design.ni.dll
+ 2012-03-05 04:03 . 2012-03-05 04:03 2727936 c:\windows\assembly\NativeImages_v2.0.50727_64\System.Speech\a49bc70b640e21c9bcecbd8122203283\System.Speech.ni.dll
+ 2012-03-05 04:03 . 2012-03-05 04:03 2312704 c:\windows\assembly\NativeImages_v2.0.50727_64\System.ServiceModel#\8ef813ce3f85ea3b3f499d734ac8019e\System.ServiceModel.Web.ni.dll
+ 2012-03-05 04:03 . 2012-03-05 04:03 1230848 c:\windows\assembly\NativeImages_v2.0.50727_64\System.DirectorySer#\48a91957a4b86c3bcebec68eb1471def\System.DirectoryServices.AccountManagement.ni.dll
+ 2012-03-05 04:03 . 2012-03-05 04:03 2805760 c:\windows\assembly\NativeImages_v2.0.50727_64\System.Data.Services\2dd10ff57a987aa347518b0abfcaf8b3\System.Data.Services.ni.dll
+ 2012-03-05 04:03 . 2012-03-05 04:03 1868288 c:\windows\assembly\NativeImages_v2.0.50727_64\System.Data.Service#\0177f6ff2b3faf1805b3ba63e0e20ad0\System.Data.Services.Client.ni.dll
+ 2012-03-05 04:03 . 2012-03-05 04:03 3480576 c:\windows\assembly\NativeImages_v2.0.50727_64\System.Data.Linq\dd28d55dd94fb4d1e4dca6393e4b15a4\System.Data.Linq.ni.dll
+ 2012-03-05 04:03 . 2012-03-05 04:03 1080320 c:\windows\assembly\NativeImages_v2.0.50727_64\System.Data.Entity.#\caf124d5431e8d8aba046e54a8b7dea5\System.Data.Entity.Design.ni.dll
+ 2012-03-05 04:02 . 2012-03-05 04:02 3315200 c:\windows\assembly\NativeImages_v2.0.50727_64\System.Core\9e59bc2c8cf98cd315468ca01f68663c\System.Core.ni.dll
+ 2012-03-05 04:02 . 2012-03-05 04:02 1884160 c:\windows\assembly\NativeImages_v2.0.50727_64\PresentationBuildTa#\0618574a66f03040f765c43693bf58f6\PresentationBuildTasks.ni.dll
+ 2012-03-05 04:02 . 2012-03-05 04:02 3601920 c:\windows\assembly\NativeImages_v2.0.50727_64\Narrator\24f9a2d494b01bcbc6919f60a278c715\Narrator.ni.exe
+ 2012-03-05 04:02 . 2012-03-05 04:02 2327552 c:\windows\assembly\NativeImages_v2.0.50727_64\MMCEx\8988116626390eae76ef9e492c0e2894\MMCEx.ni.dll
+ 2012-03-05 04:02 . 2012-03-05 04:02 2131968 c:\windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualBas#\e05059a258a8b75d8981f29ecd9baf72\Microsoft.VisualBasic.ni.dll
+ 2012-03-05 04:02 . 2012-03-05 04:02 5350912 c:\windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\ecc930a57b339ba3d126b05b2d756a01\Microsoft.PowerShell.Editor.ni.dll
+ 2012-03-05 04:02 . 2012-03-05 04:02 2176512 c:\windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\8d5a4862d0e61fdd2e958fc989df3cca\Microsoft.PowerShell.Commands.Utility.ni.dll
+ 2012-03-05 04:02 . 2012-03-05 04:02 2105344 c:\windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\713f3cf6037ed7047485c738934f9054\Microsoft.PowerShell.GPowerShell.ni.dll
+ 2012-03-05 04:02 . 2012-03-05 04:02 1131008 c:\windows\assembly\NativeImages_v2.0.50727_64\Microsoft.PowerShel#\09516cb547f50c165051c5512c0770d3\Microsoft.PowerShell.Commands.Management.ni.dll
+ 2012-03-05 04:01 . 2012-03-05 04:01 3213312 c:\windows\assembly\NativeImages_v2.0.50727_64\Microsoft.JScript\551b383e39b9fedb84e25c9fc7d763ee\Microsoft.JScript.ni.dll
+ 2009-07-14 02:34 . 2012-03-08 02:44 10223616 c:\windows\system32\SMI\Store\Machine\schema.dat
- 2009-07-14 02:34 . 2012-03-04 17:20 10223616 c:\windows\system32\SMI\Store\Machine\SCHEMA.DAT
+ 2011-11-16 09:20 . 2012-03-08 21:35 12940992 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-4250527756-4061364433-3525517181-1002-12288.dat
+ 2012-03-05 10:06 . 2012-03-05 10:06 20184576 c:\windows\Installer\d9319.msi
+ 2012-03-05 10:06 . 2012-03-05 10:06 17529856 c:\windows\Installer\d9313.msi
+ 2012-03-05 10:06 . 2012-03-05 10:06 17019904 c:\windows\Installer\d930d.msi
+ 2012-03-05 04:49 . 2012-03-05 04:49 17290752 c:\windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\97347a1967260991cca95e94b5ba2d41\System.Windows.Forms.ni.dll
+ 2012-03-05 05:11 . 2012-03-05 05:11 24551936 c:\windows\assembly\NativeImages_v4.0.30319_64\System.ServiceModel\49314ff27e3a21bbb1fb675a295f6571\System.ServiceModel.ni.dll
+ 2012-03-05 05:10 . 2012-03-05 05:10 18480128 c:\windows\assembly\NativeImages_v4.0.30319_64\System.Data.Entity\78e35b4bf12ee4833ed720a490e958f2\System.Data.Entity.ni.dll
+ 2012-03-05 04:04 . 2012-03-05 04:04 10439168 c:\windows\assembly\NativeImages_v4.0.30319_64\System.Core\fcefa2871c7dc4d397ff8c6f92abf0d5\System.Core.ni.dll
+ 2012-03-05 04:48 . 2012-03-05 04:48 24406528 c:\windows\assembly\NativeImages_v4.0.30319_64\PresentationFramewo#\d0dddbe96a81cd6869f9643fa2809d71\PresentationFramework.ni.dll
+ 2012-03-05 04:47 . 2012-03-05 04:47 15907328 c:\windows\assembly\NativeImages_v4.0.30319_64\PresentationCore\efb6d518bb284cdc29a96068726320c0\PresentationCore.ni.dll
+ 2012-03-05 04:03 . 2012-03-05 04:03 13760000 c:\windows\assembly\NativeImages_v2.0.50727_64\System.Data.Entity\00b730e56986ad4f378e420fa8606395\System.Data.Entity.ni.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PeerBlock"="c:\program files\PeerBlock\peerblock.exe" [2010-11-07 2646128]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0Partizan
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
3;2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [x]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [x]
R3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;c:\windows\system32\drivers\nusb3hub.sys [x]
R3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;c:\windows\system32\drivers\nusb3xhc.sys [x]
R3 PCDSRVC{67F2314B-25F2B3C0-06020101}_0;PCDSRVC{67F2314B-25F2B3C0-06020101}_0 - PCDR Kernel Mode Service Helper Driver;c:\gencotst\pcdsrvc_x64.pkms [x]
R3 Revoflt;Revoflt;c:\windows\system32\DRIVERS\revoflt.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R4 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
R4 RoxMediaDB12OEM;RoxMediaDB12OEM;c:\program files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxMediaDB12OEM.exe [x]
R4 RoxWatch12;Roxio Hard Drive Watcher 12;c:\program files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatch12OEM.exe [x]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S3 pbfilter;pbfilter;c:\program files\PeerBlock\pbfilter.sys [2010-11-07 24176]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
.
.
.
--------- x86-64 -----------
.
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
Trusted Zone: microsoft.com\update
TCP: DhcpNameServer = 24.159.193.40 24.205.224.36 68.190.192.35
FF - ProfilePath - c:\users\P\AppData\Roaming\Mozilla\Firefox\Profiles\if9pgvzc.default\
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\PCDSRVC{67F2314B-25F2B3C0-06020101}_0]
"ImagePath"="\??\c:\gencotst\pcdsrvc_x64.pkms"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-03-09 00:59:25 - machine was rebooted
ComboFix-quarantined-files.txt 2012-03-09 06:59
ComboFix2.txt 2012-03-05 01:48
ComboFix3.txt 2012-03-04 19:55
.
Pre-Run: 960,976,482,304 bytes free
Post-Run: 960,979,275,776 bytes free
.
- - End Of File - - D20217F8B77F5E8BBD08767003FC4AD2


#8 nasdaq (Malware Response Team, Montreal, QC, Canada)

Posted 09 March 2012 - 09:00 AM

For whatever it's worth, let's see if you have a copy of this file on the computer.

c:\windows\system32\grpconv.exe . . . is missing!!

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2


If your operating system is 64 bit download this tool:
SystemLook_x64.exe
  • Double-click SystemLook.exe to run it.
  • Copy and paste the content of the following bold text into the main textfield:


    :filefind
    grpconv.exe

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
===

Multiple NTUSER.NT and desktop.ini files all over the drive.

Required and set by the operating system. Leave them alone.
===

Please run the DDS program.

Two files will be created; please post the Attach.txt log.
I would like to see what errors are being generated.
===

Event errors
http://ask-leo.com/what_is_the_event_viewer_and_should_i_care.html
What can you find that would indicate where the problems are being generated from?
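A PowerShell stand-in for the SystemLook `:filefind` step nasdaq asks for above, added here as an example; it is not part of his post and not SystemLook's own code. It searches the Windows directory trees for a named file and reports the same fields SystemLook prints (path, size, creation and modification time, MD5), adds the Authenticode signature status, and optionally compares the MD5 against a value you supply from a clean copy of the same Windows build. It assumes Windows PowerShell 4.0 or later (for `Get-FileHash`) in an elevated session; the function name, parameter names and search roots are this example's own choices.

```powershell
# Added example: PowerShell equivalent of SystemLook ":filefind <name>".
# Not from the thread or from SystemLook. Needs Windows PowerShell 4.0+
# (Get-FileHash) run as administrator. Function and parameter names are
# this example's own.

function Find-FileReport {
    param(
        [Parameter(Mandatory)] [string] $FileName,
        [string[]] $Roots = @("$env:SystemRoot\System32",
                              "$env:SystemRoot\SysWOW64",
                              "$env:SystemRoot\WinSxS"),
        [string] $ExpectedMD5 = ''   # optional: MD5 taken from a clean install of the same build
    )

    # Collect every match under each root. -Force includes hidden/system
    # files (the "superhidden" case from this thread), -File skips directories.
    $hits = foreach ($root in $Roots) {
        if (Test-Path -LiteralPath $root) {
            Get-ChildItem -LiteralPath $root -Filter $FileName -Recurse -Force -File `
                          -ErrorAction SilentlyContinue
        }
    }

    if (-not $hits) {
        Write-Warning "$FileName not found under: $($Roots -join ', ')"
        return
    }

    foreach ($f in $hits) {
        $md5 = (Get-FileHash -LiteralPath $f.FullName -Algorithm MD5).Hash
        $sig = Get-AuthenticodeSignature -LiteralPath $f.FullName

        [pscustomobject]@{
            Path      = $f.FullName
            Bytes     = $f.Length
            Created   = $f.CreationTimeUtc.ToString('u')   # SystemLook prints local time
            Modified  = $f.LastWriteTimeUtc.ToString('u')
            MD5       = $md5
            MD5Match  = if ($ExpectedMD5) { $md5 -ieq $ExpectedMD5 } else { 'n/a' }
            SigStatus = $sig.Status          # Valid, NotSigned, HashMismatch, ...
            Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        }
    }
}

# Usage: the check requested in the post above.
Find-FileReport -FileName 'grpconv.exe' | Format-List
```

Two caveats when reading the output. Many inbox binaries on Windows 7 are catalog-signed rather than carrying an embedded signature, so `NotSigned` by itself is not evidence of tampering; `sfc /verifyonly` is the supported integrity check, and an MD5 match against a copy from install media of the same build is the decisive one. Second, the search covers only the roots you pass; a file that has been moved or dropped elsewhere will not show up unless you add that directory to `-Roots`.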

#9 lilking420 (Topic Starter)

Posted 09 March 2012 - 11:09 PM

Thanks again for your assistance, Nasdaq. It appears my right-click is no longer working randomly... it works in Firefox but randomly not in Notepad or Windows Explorer. Here are the logs you requested.


SystemLook 30.07.11 by jpshortstuff
Log created at 21:13 on 09/03/2012 by P
Administrator - Elevation successful

========== filefind ==========

Searching for "grpconv.exe"
C:\Windows\SysWOW64\grpconv.exe --a---- 16384 bytes [23:40 13/07/2009] [01:14 14/07/2009] 67517491E2367098334372E0C167F515

-= EOF =-



.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_31
Run by P at 21:20:54 on 2012-03-09
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3836.2647 [GMT -6:00]
.
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\locator.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskhost.exe
C:\Windows\Explorer.EXE
C:\Program Files\PeerBlock\peerblock.exe
C:\Program Files\Process Hacker 2\ProcessHacker.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Users\P\Desktop\SystemLook_x64.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uRun: [PeerBlock] C:\Program Files\PeerBlock\peerblock.exe
uRun: [Process Hacker 2] "C:\Program Files\Process Hacker 2\ProcessHacker.exe" -hide
uPolicies-explorer: DisablePersonalDirChange =
mPolicies-system: ConsentPromptBehaviorAdmin = 0 (0x0)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableLUA = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
mPolicies-system: PromptOnSecureDesktop = 0 (0x0)
mPolicies-system: DisableBkGndGroupPolicy =
Trusted Zone: microsoft.com\update
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
TCP: DhcpNameServer = 24.159.193.40 24.205.224.36 68.190.192.35
TCP: Interfaces\{F569CF1E-572D-4CFB-B9C7-D8D641F2C390} : DhcpNameServer = 24.159.193.40 24.205.224.36 68.190.192.35
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\P\AppData\Roaming\Mozilla\Firefox\Profiles\if9pgvzc.default\
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Java\jre6\bin\plugin2\npjp2.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
.
============= SERVICES / DRIVERS ===============
.
R0 PxHlpa64;PxHlpa64;C:\Windows\system32\Drivers\PxHlpa64.sys --> C:\Windows\system32\Drivers\PxHlpa64.sys [?]
R1 vwififlt;Virtual WiFi Filter Driver;C:\Windows\system32\DRIVERS\vwififlt.sys --> C:\Windows\system32\DRIVERS\vwififlt.sys [?]
R2 AMD External Events Utility;AMD External Events Utility;C:\Windows\system32\atiesrxx.exe --> C:\Windows\system32\atiesrxx.exe [?]
R3 pbfilter;pbfilter;C:\Program Files\PeerBlock\pbfilter.sys [2012-3-5 24176]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\system32\DRIVERS\Rt64win7.sys --> C:\Windows\system32\DRIVERS\Rt64win7.sys [?]
R4 KProcessHacker2;KProcessHacker2;C:\Program Files\Process Hacker 2\kprocesshacker.sys [2012-3-9 36424]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-3-18 138576]
S3 amdkmdag;amdkmdag;C:\Windows\system32\DRIVERS\atikmdag.sys --> C:\Windows\system32\DRIVERS\atikmdag.sys [?]
S3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;C:\Windows\system32\drivers\nusb3hub.sys --> C:\Windows\system32\drivers\nusb3hub.sys [?]
S3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;C:\Windows\system32\drivers\nusb3xhc.sys --> C:\Windows\system32\drivers\nusb3xhc.sys [?]
S3 Revoflt;Revoflt;C:\Windows\system32\DRIVERS\revoflt.sys --> C:\Windows\system32\DRIVERS\revoflt.sys [?]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\system32\drivers\tsusbflt.sys --> C:\Windows\system32\drivers\tsusbflt.sys [?]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\system32\drivers\TsUsbGD.sys --> C:\Windows\system32\drivers\TsUsbGD.sys [?]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
S4 RoxMediaDB12OEM;RoxMediaDB12OEM;"C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxMediaDB12OEM.exe" --> C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxMediaDB12OEM.exe [?]
S4 RoxWatch12;Roxio Hard Drive Watcher 12;"C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatch12OEM.exe" --> C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatch12OEM.exe [?]
.
=============== Created Last 30 ================
.
2012-03-10 01:49:07 -------- d-----w- C:\eeb84a98e80cd7c113143a6b491dad
2012-03-09 19:53:53 -------- d-----w- C:\Users\P\AppData\Roaming\OpenOffice.org
2012-03-09 19:51:39 -------- d-----w- C:\Program Files (x86)\OpenOffice.org 3
2012-03-09 18:50:32 -------- d-sh--w- C:\Windows\Installer
2012-03-09 18:32:07 -------- d-----w- C:\Users\P\Temp
2012-03-09 17:36:04 -------- d-----w- C:\Users\P\AppData\Roaming\Process Hacker 2
2012-03-09 16:58:45 -------- d-----w- C:\Program Files\Process Hacker 2
2012-03-09 15:36:23 525576 ----a-w- C:\IE6.0sp1-KB841237-Windows-2000-XP-x86-ENU.exe
2012-03-09 15:36:23 297216 ----a-w- C:\IE6.0sp1-KB841237-Windows-NT4sp6a-98-ME-x86-ENU.exe
2012-03-09 06:57:02 -------- d-sh--w- C:\$RECYCLE.BIN
2012-03-09 02:55:47 -------- d-----w- C:\Users\P\AppData\Local\Microsoft_Corporation
2012-03-09 01:23:10 27016 ----a-w- C:\Windows\SysWow64\drivers\PROCEXP141.SYS
2012-03-08 20:55:03 8643640 ------w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Updates\mpengine.dll
2012-03-08 01:27:18 -------- d-----w- C:\Users\P\AppData\Local\VS Revo Group
2012-03-07 20:50:18 31800 ----a-w- C:\Windows\System32\drivers\revoflt.sys
2012-03-07 20:50:14 -------- d-----w- C:\Program Files\VS Revo Group
2012-03-07 19:35:52 1229824 ----a-w- C:\Windows\SysWow64\URLMON.del
2012-03-07 16:46:42 -------- d-----r- C:\comment.htt
2012-03-07 14:02:07 -------- d-s---w- C:\Windows\RestoreSafeDeleted
2012-03-07 09:49:47 39184 ----a-w- C:\Windows\System32\Partizan.exe
2012-03-07 09:43:27 -------- d-----w- C:\BackSys_UnHackME
2012-03-07 09:33:55 2 --shatw- C:\Windows\winstart.bat
2012-03-07 09:33:51 12800 ----a-w- C:\Windows\SysWow64\drivers\UnHackMeDrv.sys
2012-03-07 09:33:48 -------- d-----w- C:\Program Files (x86)\UnHackMe
2012-03-07 08:01:58 -------- d-----w- C:\Users\P\security-news.php_files
2012-03-07 05:30:14 -------- d-----w- C:\Program Files\CCleaner
2012-03-06 22:41:15 16200 ----a-w- C:\Windows\stinger.sys
2012-03-06 22:40:26 -------- d-----w- C:\Program Files (x86)\stinger
2012-03-06 19:09:32 -------- d-----w- C:\Program Files (x86)\Foxit Software
2012-03-06 14:58:21 390656 ----a-w- C:\Users\P\winlogon.exe.BAK
2012-03-06 12:04:05 -------- d-----w- C:\Program Files (x86)\NirSoft
2012-03-06 11:45:06 22 --sha-w- C:\Users\P\AppData\Roaming\Sys2662.Config.Repository.bin
2012-03-06 11:44:47 -------- d-----w- C:\Program Files (x86)\jv16 PowerTools 2011
2012-03-06 09:20:30 -------- d-----w- C:\Users\P\AppData\Roaming\JAM Software
2012-03-06 06:38:02 -------- d-----w- C:\Users\P\AppData\Roaming\Malwarebytes
2012-03-06 06:37:42 -------- d-----w- C:\ProgramData\Malwarebytes
2012-03-06 06:37:34 -------- d-----w- C:\Program Files (x86)\Malwarebytes' Anti-Malware
2012-03-06 01:45:09 2560 ----a-w- C:\Windows\System32\gptext.dll
2012-03-06 01:43:34 3584 ----a-w- C:\Windows\System32\gpapi.dll
2012-03-06 01:41:39 2048 ----a-w- C:\Windows\System32\gpprnext.dll
2012-03-06 01:40:32 13312 ----a-w- C:\Windows\System32\gpupdate.exe
2012-03-06 01:39:26 31744 ----a-w- C:\Windows\System32\gpresult.exe
2012-03-06 01:09:01 57344 ----a-w- C:\Windows\System32\gpedit.dll
2012-03-06 00:47:08 -------- d-----w- C:\Users\P\AppData\Local\Immunet
2012-03-06 00:00:45 -------- d-----w- C:\Program Files (x86)\ESET
2012-03-05 23:59:30 -------- d-----w- C:\symbols
2012-03-05 22:25:34 -------- d-----w- C:\Program Files\PeerBlock
2012-03-05 10:09:58 -------- d-----w- C:\Program Files\Microsoft Windows Performance Toolkit
2012-03-05 10:09:46 -------- d-----w- C:\Program Files\Debugging Tools for Windows (x64)
2012-03-05 10:09:36 -------- d-----w- C:\Program Files (x86)\Application Verifier
2012-03-05 10:09:34 -------- d-----w- C:\Program Files\Application Verifier (x64)
2012-03-05 09:12:17 -------- d-----w- C:\Windows\pss
2012-03-05 07:36:12 626688 ----a-w- C:\Program Files (x86)\Mozilla Firefox\msvcr80.dll
2012-03-05 07:36:12 548864 ----a-w- C:\Program Files (x86)\Mozilla Firefox\msvcp80.dll
2012-03-05 07:36:12 479232 ----a-w- C:\Program Files (x86)\Mozilla Firefox\msvcm80.dll
2012-03-05 07:36:12 45016 ----a-w- C:\Program Files (x86)\Mozilla Firefox\mozutils.dll
2012-03-05 07:00:28 -------- d-----w- C:\Windows\CheckSur
2012-03-05 03:07:56 -------- d-----w- C:\Program Files (x86)\VideoLAN
2012-03-05 01:55:30 -------- d-----w- C:\corrut recylce
2012-03-04 19:48:12 98816 ----a-w- C:\Windows\sed.exe
2012-03-04 19:48:12 518144 ----a-w- C:\Windows\SWREG.exe
2012-03-04 19:48:12 256000 ----a-w- C:\Windows\PEV.exe
2012-03-04 19:48:12 208896 ----a-w- C:\Windows\MBR.exe
2012-03-04 19:02:32 -------- d-----w- C:\Users\P\SecurityScans
2012-03-04 19:01:21 -------- d-----w- C:\Program Files\Microsoft Baseline Security Analyzer 2
2012-03-04 18:28:06 -------- d-----w- C:\Users\P\AppData\Local\Apps
2012-03-04 17:12:00 8199504 ------w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Backup\mpengine.dll
2012-03-04 17:11:58 8643640 ------w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{BBDFD850-EA41-4549-AE86-8A6C19B34C87}\mpengine.dll
2012-03-04 17:02:01 77312 ----a-w- C:\Windows\System32\packager.dll
2012-03-04 17:02:01 67072 ----a-w- C:\Windows\SysWow64\packager.dll
2012-03-04 16:29:58 162664 ----a-w- C:\ProgramData\Microsoft\Windows\Sqm\Manifest\Sqm10140.bin
2012-03-04 16:10:23 525544 ----a-w- C:\Windows\System32\deployJava1.dll
2012-03-04 16:09:47 472808 ----a-w- C:\Windows\SysWow64\deployJava1.dll
2012-03-04 16:06:20 -------- d-----w- C:\Users\P\AppData\Local\Diagnostics
.
==================== Find3M ====================
.
2012-03-04 17:22:23 414368 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2012-02-23 15:18:36 279656 ------w- C:\Windows\System32\MpSigStub.exe
2012-01-14 04:06:27 3145728 ----a-w- C:\Windows\System32\win32k.sys
2012-01-04 10:44:20 509952 ----a-w- C:\Windows\System32\ntshrui.dll
2012-01-04 08:58:41 442880 ----a-w- C:\Windows\SysWow64\ntshrui.dll
2011-12-30 06:26:08 515584 ----a-w- C:\Windows\System32\timedate.cpl
2011-12-30 05:27:56 478720 ----a-w- C:\Windows\SysWow64\timedate.cpl
2011-12-28 03:59:24 498688 ----a-w- C:\Windows\System32\drivers\afd.sys
2011-12-16 08:46:06 634880 ----a-w- C:\Windows\System32\msvcrt.dll
2011-12-16 07:52:58 690688 ----a-w- C:\Windows\SysWow64\msvcrt.dll
2011-12-14 07:11:03 2308096 ----a-w- C:\Windows\System32\jscript9.dll
2011-12-14 07:04:56 1345536 ----a-w- C:\Windows\urlmon.dll
2011-12-14 07:04:30 1390080 ----a-w- C:\Windows\System32\wininet.dll
2011-12-14 07:03:38 1493504 ----a-w- C:\Windows\System32\inetcpl.cpl
2011-12-14 06:57:28 2382848 ----a-w- C:\Windows\System32\mshtml.tlb
2011-12-14 03:30:38 12282368 ----a-w- C:\Windows\SysWow64\MSHTML.del
2011-12-14 03:04:54 1798656 ----a-w- C:\Windows\SysWow64\jscript9.dll
2011-12-14 02:57:18 1127424 ----a-w- C:\Windows\SysWow64\wininet.dll
2011-12-14 02:56:58 1427456 ----a-w- C:\Windows\SysWow64\inetcpl.cpl
2011-12-14 02:50:04 2382848 ----a-w- C:\Windows\SysWow64\mshtml.tlb
.
============= FINISH: 21:21:17.44 ===============


Attached file: Attach.zip


This is what I get when I run Event Viewer and incidentally also when I attempt to run mmc.


Attached file: EvtVwr error Screen.jpg


The link you provided regarding the Event Viewer seems not to refer to issues when Event Viewer is working...? Hopefully I didn't overlook something... let me know. I attached a few screens... examples of the errors I have been seeing. Please let me know what you need. Thanks again, bro!


#10 lilking420 (Topic Starter)

Posted 09 March 2012 - 11:47 PM

One other thing I just thought of... Remote Desktop connections continually redo themselves even though I have disabled their services several times... unfortunately I cannot access services.msc, getting the "not enough space" error. I am attaching a screenshot of my user directory, which now has hundreds of weird folders appearing... and on this one, an error I get when trying to start Help from Paint. Thanks.




Found this link regarding a similar issue... no answers or resolutions, but likely very similar to my issue...
http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/66862096-14de-42af-912a-e64036997055/



Edited by lilking420, 09 March 2012 - 11:53 PM.


#11 lilking420 (Topic Starter)

Posted 10 March 2012 - 09:24 AM

Nasdaq, last night after I posted, my computer locked me out... welcome screen... enter password... and I received an error that prevented me from logging in... and dammit, I cannot remember what the error was... it had something to do with permissions. I thought I wrote it down, but I was beat... Anyway, I wound up having to reimage again to get back in... I'm sure things have changed now... please advise. Thanks. Argh.

#12 nasdaq (Malware Response Team, Montreal, QC, Canada)

Posted 11 March 2012 - 10:20 AM

Sorry for this long delay. I lost my internet all day yesterday and just got it back.

Re-image, run ComboFix and post the log.

#13 lilking420 (Topic Starter)

Posted 12 March 2012 - 07:16 PM

No worries... thanks for your persistence on this issue! It is much appreciated! Here you go. :-)

ComboFix 12-03-10.02 - P 03/12/2012 19:04:39.2.2 - x64
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.3836.2555 [GMT -5:00]
Running from: c:\users\P\Desktop\ComboFix.exe
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((( Files Created from 2012-02-13 to 2012-03-13 )))))))))))))))))))))))))))))))
.
.
2012-03-13 00:08 . 2012-03-13 00:08 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-03-12 23:16 . 2012-03-12 23:16 626688 ----a-w- c:\program files (x86)\Mozilla Firefox\msvcr80.dll
2012-03-12 23:16 . 2012-03-12 23:16 548864 ----a-w- c:\program files (x86)\Mozilla Firefox\msvcp80.dll
2012-03-12 23:16 . 2012-03-12 23:16 479232 ----a-w- c:\program files (x86)\Mozilla Firefox\msvcm80.dll
2012-03-12 23:16 . 2012-03-12 23:16 45016 ----a-w- c:\program files (x86)\Mozilla Firefox\mozutils.dll
2012-03-12 06:27 . 2012-03-12 06:27 -------- d-----w- c:\users\P\AppData\Local\ElevatedDiagnostics
2012-03-11 22:45 . 2012-03-11 22:45 -------- d-----w- c:\users\P\AppData\Roaming\Malwarebytes
2012-03-11 22:45 . 2012-03-11 22:45 -------- d-----w- c:\programdata\Malwarebytes
2012-03-11 22:45 . 2012-03-11 22:45 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-03-11 22:45 . 2011-12-10 20:24 23152 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-03-10 14:13 . 2012-03-11 14:05 -------- d-----w- c:\users\P\AppData\Roaming\Process Hacker 2
2012-03-10 14:05 . 2012-03-10 14:05 525544 ----a-w- c:\windows\system32\deployJava1.dll
2012-03-10 14:05 . 2012-03-10 14:05 -------- d-----w- c:\program files\Java
2012-03-10 14:05 . 2012-03-10 14:05 -------- d-----w- c:\program files (x86)\Common Files\Java
2012-03-10 14:04 . 2012-03-10 14:04 472808 ----a-w- c:\windows\SysWow64\deployJava1.dll
2012-03-10 14:04 . 2012-03-10 14:04 -------- d-----w- c:\program files (x86)\Java
2012-03-10 12:35 . 2012-03-10 12:35 -------- d-----w- c:\program files\Process Hacker 2
2012-03-10 12:33 . 2012-03-10 12:33 -------- d-----w- c:\program files\7-Zip
2012-03-10 12:29 . 2012-03-12 07:10 -------- d-----w- C:\Util Files
2012-03-10 12:07 . 2012-03-10 12:07 -------- d-----w- c:\users\P\AppData\Roaming\Roxio Log Files
2012-03-10 09:19 . 2012-03-10 09:19 -------- d-----w- c:\users\P\AppData\Local\Diagnostics
2012-03-10 08:57 . 2012-03-10 08:57 -------- d-----w- c:\program files\Microsoft Silverlight
2012-03-10 08:30 . 2012-03-10 08:30 162664 ----a-w- c:\programdata\Microsoft\Windows\Sqm\Manifest\Sqm10140.bin
2012-03-10 08:10 . 2012-03-01 19:21 8643640 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{278D151A-1C91-492C-A71C-7A61DF3EB962}\mpengine.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-02-23 15:18 . 2010-11-21 03:27 279656 ------w- c:\windows\system32\MpSigStub.exe
.
.
((((((((((((((((((((((((((((( SnapShot@2012-03-12_21.42.36 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-11-21 03:09 . 2012-03-12 21:50 26348 c:\windows\system32\wdi\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2009-07-14 05:10 . 2012-03-12 21:50 32562 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
+ 2012-03-10 08:03 . 2012-03-12 21:45 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2012-03-10 08:03 . 2012-03-12 07:02 16384 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2012-03-10 08:03 . 2012-03-12 07:02 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2012-03-10 08:03 . 2012-03-12 21:45 32768 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2012-03-10 08:03 . 2012-03-12 07:02 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2012-03-10 08:03 . 2012-03-12 21:45 16384 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2011-11-16 10:31 . 2012-03-12 21:50 3696 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-4250527756-4061364433-3525517181-1002_UserData.bin
+ 2012-03-13 00:09 . 2012-03-13 00:09 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2012-03-12 21:42 . 2012-03-12 21:42 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2012-03-13 00:09 . 2012-03-13 00:09 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-07-14 02:36 . 2012-03-12 21:53 623940 c:\windows\system32\perfh009.dat
- 2009-07-14 02:36 . 2012-03-10 21:37 623940 c:\windows\system32\perfh009.dat
+ 2009-07-14 02:36 . 2012-03-12 21:53 106316 c:\windows\system32\perfc009.dat
- 2009-07-14 02:36 . 2012-03-10 21:37 106316 c:\windows\system32\perfc009.dat
- 2009-07-14 05:01 . 2012-03-12 21:41 228720 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
+ 2009-07-14 05:01 . 2012-03-13 00:09 228720 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
- 2011-11-16 09:20 . 2012-03-12 21:41 10103960 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-4250527756-4061364433-3525517181-1002-8192.dat
+ 2011-11-16 09:20 . 2012-03-13 00:09 10103960 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-4250527756-4061364433-3525517181-1002-8192.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Process Hacker 2"="c:\program files\Process Hacker 2\ProcessHacker.exe" [2012-01-22 1393664]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"Dell Webcam Central"="c:\program files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe" [2009-06-24 409744]
"StartCCC"="c:\program files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-09-22 98304]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
"Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-13 460872]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-01-13 652360]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
R3 nusb3hub;Renesas Electronics USB 3.0 Hub Driver;c:\windows\system32\drivers\nusb3hub.sys [x]
R3 nusb3xhc;Renesas Electronics USB 3.0 Host Controller Driver;c:\windows\system32\drivers\nusb3xhc.sys [x]
R3 PCDSRVC{67F2314B-25F2B3C0-06020101}_0;PCDSRVC{67F2314B-25F2B3C0-06020101}_0 - PCDR Kernel Mode Service Helper Driver;c:\gencotst\pcdsrvc_x64.pkms [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R4 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]
R4 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [x]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [x]
S2 DellOSDservice;DellOSDservice;c:\program files\Dell\OSD\DellOSDservice.exe [2010-07-06 7168]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [x]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [x]
S3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\DRIVERS\CtClsFlt.sys [x]
S3 nuviocir;Nuvoton W836x7HG CIR Device Driver;c:\windows\system32\DRIVERS\nuviocir_win7_x64.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
.
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2010-06-23 10920552]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
TCP: DhcpNameServer = 24.159.193.40 24.205.224.36 68.190.192.35
FF - ProfilePath - c:\users\P\AppData\Roaming\Mozilla\Firefox\Profiles\if9pgvzc.default\
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\PCDSRVC{67F2314B-25F2B3C0-06020101}_0]
"ImagePath"="\??\c:\gencotst\pcdsrvc_x64.pkms"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-03-12 19:11:52 - machine was rebooted
ComboFix-quarantined-files.txt 2012-03-13 00:11
ComboFix2.txt 2012-03-12 21:45
.
Pre-Run: 963,657,535,488 bytes free
Post-Run: 963,570,577,408 bytes free
.
- - End Of File - - 4D33ABEB500FA7C2BAC8BB46E645C9A2

#14 lilking420

lilking420
  • Topic Starter

  • Members
  • 33 posts

Posted 12 March 2012 - 07:31 PM

This file concerns me... I should have NO remote access at all... why would this be addressed in Task Scheduler? Any thoughts?


#15 nasdaq

nasdaq

  • Malware Response Team
  • 19,867 posts
  • Location:Montreal, QC. Canada

Posted 13 March 2012 - 08:53 AM

This is the information I found on FWRemAPIsServer.dll
http://www.backgroundtask.eu/Systeemtaken/taakinfo/44232/FwRemoteSvr.dll/

The file you have is from Microsoft and should be good.


Your log is clean. Keep an eye on the system and let me know in 2 to 3 days if all is well.

If not, let me know what has happened.
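The reply above settles the DLL question by looking the name up on a third-party site. The check a practitioner would rather run on the box itself is to verify the file's signature and resource-protection status and to list which scheduled tasks actually reference it. The PowerShell below is an added example, not something posted in this thread or part of any tool mentioned in it. It assumes the file in question is the Windows Firewall remote-service DLL that normally lives in System32 (the path is an assumption; the thread never states it) and that it is run from an elevated prompt on Windows 7, where `schtasks` is available but `Get-ScheduledTask` is not:

```powershell
# Added example (not from the thread): confirm that a DLL a scheduled task points at
# is genuinely Microsoft's, rather than trusting a name-lookup web site.
# ASSUMPTIONS: the file is FwRemoteSvr.dll under %SystemRoot%\System32; change $Name
# if your task references a different file. Run from an elevated PowerShell prompt.

$Name = 'FwRemoteSvr.dll'                               # name taken from the reply above
$Path = Join-Path $env:SystemRoot "System32\$Name"     # assumed location

if (-not (Test-Path $Path)) { throw "$Path not found; check the path the task really uses" }

# 1. Authenticode check. Most Windows system DLLs are catalog-signed, so on Windows 7
#    Get-AuthenticodeSignature can report 'NotSigned' for a genuine file; that alone is
#    not proof of tampering. 'Valid' with a Microsoft subject is a pass and
#    'HashMismatch' means the file has been modified since it was signed.
$sig = Get-AuthenticodeSignature -FilePath $Path
[pscustomobject]@{
    Path    = $Path
    Status  = $sig.Status
    Signer  = $sig.SignerCertificate.Subject
    Version = (Get-Item $Path).VersionInfo.FileVersion
    Company = (Get-Item $Path).VersionInfo.CompanyName
}

# 2. Windows Resource Protection check. sfc /verifyfile compares the file against the
#    component store and its catalogs, which covers the catalog-signed case above.
sfc /verifyfile=$Path

# 3. Which scheduled tasks reference the file? The /v CSV output has a 'Task To Run'
#    column; matching on the bare file name also surfaces a copy living outside
#    System32, which would be the thing worth worrying about.
schtasks /query /fo CSV /v |
    ConvertFrom-Csv |
    Where-Object { $_.'Task To Run' -match [regex]::Escape($Name) } |
    Select-Object TaskName, 'Task To Run', 'Run As User', Status
```

A task whose action is a COM handler rather than a command line shows up in `schtasks` output as the handler's CLSID instead of a file path, so an empty result from step 3 does not prove nothing loads the DLL; in that case inspect the task's XML with `schtasks /query /tn <name> /xml` and look for the `ComHandler` element. Step 2 needs an elevated prompt, and a `sfc` report that the file "has been repaired" or "could not be repaired" is the signal to treat the earlier "should be good" as not yet established.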



