Jump to content


 

Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected - Internet Searches Redirected

Started by Irkd , May 19 2012 06:11 PM

  • This topic is locked This topic is locked
16 replies to this topic

#1 Irkd

Irkd

    New Member

  • Members
  • Pip
  • 8 posts

Posted 19 May 2012 - 06:11 PM

First, thank you for setting up and running this site. If you can help me I will truly be grateful. My middle schooler has picked up a computer virus and I can't figure out how to fix it. Internet searches are all being redirected, whether from Bing or Google. Internet Explorer is running really slowly and closing randomly. The PC goes into long HD reads and writes. And MS Outlook on the PC will retrieve e-mail messages from but won't send to my child's associated aol.com e-mail account.

I have followed the steps in the guide: backup done; firewall on; CD emulator disabled; and have run DDS and GMER. Thanks in advance for any help.

Here are the DDS.txt results:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 9.0.8112.16421
Run by Keir at 18:18:37 on 2012-05-19
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3325.905 [GMT -4:00]
.
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\atieclxx.exe
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\AVG\AVG2012\avgtray.exe
C:\Program Files\AVG Secure Search\vprot.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\AVG\AVG2012\avgwdsvc.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\11.0.2\ToolbarUpdater.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10e_ActiveX.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Cobian Backup 11\cbVSCService11.exe
C:\Program Files\Cobian Backup 11\Cobian.exe
C:\Program Files\Cobian Backup 11\cbInterface.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe -k swprv
C:\Windows\System32\mobsync.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
mURLSearchHooks: H - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Do Not Track: {31332eef-cb9f-458f-afeb-d30e9a66b6ba} - c:\program files\avg\avg2012\avgdtiex.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg2012\avgssie.dll
BHO: AVG Security Toolbar: {95b7759c-8c7f-4bf1-b163-73684a933233} - c:\program files\avg secure search\11.0.0.9\AVG Secure Search_toolbar.dll
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~2\office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: AVG Security Toolbar: {95b7759c-8c7f-4bf1-b163-73684a933233} - c:\program files\avg secure search\11.0.0.9\AVG Secure Search_toolbar.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
mRun: [AVG_TRAY] "c:\program files\avg\avg2012\avgtray.exe"
mRun: [BCSSync] "c:\program files\microsoft office\office14\BCSSync.exe" /DelayServices
mRun: [vProt] "c:\program files\avg secure search\vprot.exe"
mRun: [ROC_roc_dec12] "c:\program files\avg secure search\ROC_roc_dec12.exe" /PROMPT /CMPID=roc_dec12
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRunOnce: [GrpConv] grpconv -o
mRunOnce: [*WerKernelReporting] %SYSTEMROOT%\SYSTEM32\WerFault.exe -k -rq
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - c:\program files\avg\avg2012\avgdtiex.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
TCP: DhcpNameServer = 192.168.1.1 68.237.161.12
TCP: Interfaces\{5132BDD6-D237-46D5-8F59-81FD5719B338} : DhcpNameServer = 192.168.1.1 68.237.161.12
TCP: Interfaces\{BF24CA03-083A-4AD3-8CE9-9EE5B4454EBA} : DhcpNameServer = 192.168.1.1 68.237.161.12
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg2012\avgpp.dll
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\common files\avg secure search\viprotocolinstaller\11.0.2\ViProtocol.dll
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSHX;AVGIDSHX;c:\windows\system32\drivers\avgidshx.sys [2012-4-19 24896]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2012-1-31 31952]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2012-2-22 235216]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-12-23 41040]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2012-3-19 301248]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-8-11 116608]
R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2012-3-9 163328]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg2012\avgwdsvc.exe [2012-2-14 193288]
R2 cbVSCService11;Cobian Backup 11 Volume Shadow Copy Requester;c:\program files\cobian backup 11\cbVSCService11.exe [2012-5-19 67584]
R2 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]
R2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files\nvidia corporation\3d vision\nvSCPAPISvr.exe [2011-10-15 381248]
R2 vToolbarUpdater11.0.2;vToolbarUpdater11.0.2;c:\program files\common files\avg secure search\vtoolbarupdater\11.0.2\ToolbarUpdater.exe [2012-4-29 932736]
R3 amdkmdag;amdkmdag;c:\windows\system32\drivers\atikmdag.sys [2012-3-9 9183232]
R3 amdkmdap;amdkmdap;c:\windows\system32\drivers\atikmpag.sys [2012-3-8 265216]
R3 AtiHDAudioService;AMD Function Driver for HD Audio Service;c:\windows\system32\drivers\AtihdLH3.sys [2011-12-5 83472]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\avgidsdriverx.sys [2011-12-23 139856]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\avgidsfilterx.sys [2011-12-23 24144]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshimx.sys [2011-12-23 17232]
R3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
R3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\drivers\WSDPrint.sys [2008-1-20 16896]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2012\avgidsagent.exe [2012-4-30 5106744]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg10\toolbar\ToolbarBroker.exe [2011-5-7 1025352]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2012-05-19 16:19:19 -------- d-----w- c:\program files\Cobian Backup 11
2012-05-19 05:03:24 2730536 ----a-w- c:\programdata\microsoft\windows defender\definition updates\backup\mpengine.dll
2012-05-19 05:03:18 6737808 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{e5624afe-3097-4c08-81c7-fd4a8515e32b}\mpengine.dll
2012-05-19 05:03:15 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-05-19 04:55:55 -------- d-----w- C:\TDSSKiller_Quarantine
2012-05-19 04:49:58 -------- d-----w- c:\users\keir\appdata\local\temp
2012-05-19 04:49:29 -------- d-sh--w- C:\$RECYCLE.BIN
2012-05-19 04:41:10 98816 ----a-w- c:\windows\sed.exe
2012-05-19 04:41:10 518144 ----a-w- c:\windows\SWREG.exe
2012-05-19 04:41:10 256000 ----a-w- c:\windows\PEV.exe
2012-05-19 04:41:10 208896 ----a-w- c:\windows\MBR.exe
2012-05-19 03:28:02 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2012-05-19 03:28:02 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-05-10 20:08:04 3602816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-05-10 20:08:04 3550080 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-05-10 20:08:03 2044928 ----a-w- c:\windows\system32\win32k.sys
2012-05-05 14:01:00 -------- d-----w- c:\users\keir\appdata\local\AVG Secure Search
.
==================== Find3M ====================
.
2012-04-19 08:50:26 24896 ----a-w- c:\windows\system32\drivers\avgidshx.sys
2012-03-31 18:43:30 0 ----a-w- c:\windows\ativpsrm.bin
2012-03-30 12:39:11 905600 ----a-w- c:\windows\system32\drivers\tcpip.sys
2012-03-20 23:28:50 53120 ----a-w- c:\windows\system32\drivers\partmgr.sys
2012-03-19 09:17:28 301248 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2012-03-09 06:26:40 9183232 ----a-w- c:\windows\system32\drivers\atikmdag.sys
2012-03-09 05:26:32 64512 ----a-w- c:\windows\system32\OpenVideo.dll
2012-03-09 05:26:20 54784 ----a-w- c:\windows\system32\OVDecode.dll
2012-03-09 05:25:16 13238272 ----a-w- c:\windows\system32\amdocl.dll
2012-03-09 05:24:14 48128 ----a-w- c:\windows\system32\OpenCL.dll
2012-03-09 05:16:44 159744 ----a-w- c:\windows\system32\atiapfxx.exe
2012-03-09 05:16:28 791552 ----a-w- c:\windows\system32\aticfx32.dll
2012-03-09 05:11:24 442368 ----a-w- c:\windows\system32\ATIDEMGX.dll
2012-03-09 05:10:54 405504 ----a-w- c:\windows\system32\atieclxx.exe
2012-03-09 05:10:06 163328 ----a-w- c:\windows\system32\atiesrxx.exe
2012-03-09 05:08:40 159744 ----a-w- c:\windows\system32\atitmmxx.dll
2012-03-09 05:07:58 20992 ----a-w- c:\windows\system32\atimuixx.dll
2012-03-09 05:07:50 43520 ----a-w- c:\windows\system32\ati2edxx.dll
2012-03-09 05:04:18 6200320 ----a-w- c:\windows\system32\atidxx32.dll
2012-03-09 04:39:20 19739136 ----a-w- c:\windows\system32\atioglxx.dll
2012-03-09 04:36:10 1828864 ----a-w- c:\windows\system32\atiumdmv.dll
2012-03-09 04:23:44 5062656 ----a-w- c:\windows\system32\atiumdva.dll
2012-03-09 04:23:16 5954048 ----a-w- c:\windows\system32\atiumdag.dll
2012-03-09 04:18:26 46080 ----a-w- c:\windows\system32\aticalrt.dll
2012-03-09 04:18:12 44032 ----a-w- c:\windows\system32\aticalcl.dll
2012-03-09 04:12:38 13715968 ----a-w- c:\windows\system32\aticaldd.dll
2012-03-09 04:05:12 53760 ----a-w- c:\windows\system32\atimpc32.dll
2012-03-09 04:05:12 53760 ----a-w- c:\windows\system32\amdpcom32.dll
2012-03-09 03:58:40 356352 ----a-w- c:\windows\system32\atiadlxx.dll
2012-03-09 03:58:26 14336 ----a-w- c:\windows\system32\atiglpxx.dll
2012-03-09 03:58:10 33280 ----a-w- c:\windows\system32\atigktxx.dll
2012-03-09 03:57:34 265216 ----a-w- c:\windows\system32\drivers\atikmpag.sys
2012-03-09 03:56:56 33280 ----a-w- c:\windows\system32\atiuxpag.dll
2012-03-09 03:56:38 30208 ----a-w- c:\windows\system32\atiu9pag.dll
2012-03-09 03:56:10 37376 ----a-w- c:\windows\system32\atitmpxx.dll
2012-03-09 03:55:58 53248 ----a-w- c:\windows\system32\drivers\ati2erec.dll
2012-03-09 03:47:16 51200 ----a-w- c:\windows\system32\coinst.dll
2012-03-01 14:46:01 219648 ----a-w- c:\windows\system32\d3d10_1core.dll
2012-03-01 14:46:01 160768 ----a-w- c:\windows\system32\d3d10_1.dll
2012-02-29 15:11:45 5120 ----a-w- c:\windows\system32\wmi.dll
2012-02-29 15:11:42 172032 ----a-w- c:\windows\system32\wintrust.dll
2012-02-29 15:09:53 157696 ----a-w- c:\windows\system32\imagehlp.dll
2012-02-29 14:08:47 1172480 ----a-w- c:\windows\system32\d3d10warp.dll
2012-02-29 13:44:50 683008 ----a-w- c:\windows\system32\d2d1.dll
2012-02-29 13:41:40 1069056 ----a-w- c:\windows\system32\DWrite.dll
2012-02-29 13:32:37 12800 ----a-w- c:\windows\system32\drivers\fs_rec.sys
2012-02-28 01:18:55 1799168 ----a-w- c:\windows\system32\jscript9.dll
2012-02-28 01:11:21 1427456 ----a-w- c:\windows\system32\inetcpl.cpl
2012-02-28 01:11:07 1127424 ----a-w- c:\windows\system32\wininet.dll
2012-02-28 01:03:16 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-02-22 09:25:32 235216 ----a-w- c:\windows\system32\drivers\avgldx86.sys
.
============= FINISH: 18:19:09.33 ===============

Attached Files


 

  • BC Ads
  • BleepingComputer.com

#2 gringo_pr

gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • PipPipPipPipPipPip
  • 122,845 posts
  • Gender:Male
  • Location:Puerto rico

Posted 19 May 2012 - 08:04 PM

Hello and Welcome to Bleeping Computer!!

My name is Gringo and I'll be glad to help you with your computer problems.

I have put together somethings for you to keep in mind while I am helping you to make things go easier and faster for both of us

  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the Watch Topic Button, select Immediate Notification, and click on Proceed. This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of hartaches if things don't go as planed. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into notepad and print them in case it is necessary for you to go offline during the cleanup process. To open notepad, navigate to Start Menu > All Programs > Accessories > Notepad. Please remember to copy the entire post so you do not miss any instructions.

Security Check

  • Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.



Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall

Note 2: If you recieve an error "Illegal operation attempted on a registery key that has been marked for deletion." Please restart the computer

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

#3 Irkd

Irkd

    New Member

  • Members
  • Pip
  • 8 posts

Posted 19 May 2012 - 09:19 PM

Thank you so much for the lightning fast response. I followed your directions.

I ran Security Check and ComboFix from my parental/administrator account on my child's PC. The logs are below. After running them, when I switch user to my child's account on the PC (which is not an administrator account), Internet Searches continue to be redirected as before and Outlook continues to not be able to send updates to the associated aol.com account. Internet searches appear to be running fine from my administrator account and are not being redirected. I do not use Outlook for e-mail on my administrator account on this PC. Note: I disabled AVG Anti-Virus as directed but I could not find a way to "disable" SuperantiSpyware but I did not open it when I ran the logs.

Any advice would be greatly appreciated.


Here is the Security Check checkup log:


Results of screen317's Security Check version 0.99.32
Windows Vista Service Pack 2 x86 (UAC is enabled)
Internet Explorer 9
``````````````````````````````
Antivirus/Firewall Check:
Windows Firewall Enabled!
AVG 2012
WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:
SUPERAntiSpyware
Java™ 6 Update 26
Java version out of date!
Adobe Reader 9 Adobe Reader out of date!
````````````````````````````````
Process Check:
objlist.exe by Laurent
AVG avgwdsvc.exe
AVG avgtray.exe
AVG avgrsx.exe
AVG avgnsx.exe
AVG avgemc.exe
``````````End of Log````````````


And here is the ComboFix log:

ComboFix 12-05-19.02 - Keir 05/19/2012 21:57:24.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3325.2386 [GMT -4:00]
Running from: c:\users\Keir\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2012-04-20 to 2012-05-20 )))))))))))))))))))))))))))))))
.
.
2012-05-20 02:01 . 2012-05-20 02:01 -------- d-----w- c:\users\Mr. C\AppData\Local\temp
2012-05-20 02:01 . 2012-05-20 02:01 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-05-19 16:19 . 2012-05-19 16:19 -------- d-----w- c:\program files\Cobian Backup 11
2012-05-19 05:03 . 2012-05-15 05:43 6737808 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{E5624AFE-3097-4C08-81C7-FD4A8515E32B}\mpengine.dll
2012-05-19 05:03 . 2012-02-23 14:18 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-05-19 04:55 . 2012-05-19 04:55 -------- d-----w- C:\TDSSKiller_Quarantine
2012-05-19 04:49 . 2012-05-20 02:01 -------- d-----w- c:\users\Keir\AppData\Local\temp
2012-05-19 03:28 . 2012-05-19 03:28 -------- d-----w- c:\users\Mr. C\AppData\Roaming\SUPERAntiSpyware.com
2012-05-19 03:28 . 2012-05-19 03:28 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-05-19 03:28 . 2012-05-19 03:28 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2012-05-10 20:08 . 2012-04-03 08:16 3602816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-05-10 20:08 . 2012-04-03 08:16 3550080 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-05-10 20:08 . 2012-04-02 13:36 2044928 ----a-w- c:\windows\system32\win32k.sys
2012-05-05 14:01 . 2012-05-05 14:01 -------- d-----w- c:\users\Keir\AppData\Local\AVG Secure Search
2012-04-30 14:46 . 2012-04-30 14:46 -------- d-----w- c:\users\Mr. C\AppData\Local\AVG Secure Search
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-19 08:50 . 2012-04-19 08:50 24896 ----a-w- c:\windows\system32\drivers\avgidshx.sys
2012-03-19 09:17 . 2012-03-19 09:17 301248 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2012-03-09 06:26 . 2012-03-09 06:26 9183232 ----a-w- c:\windows\system32\drivers\atikmdag.sys
2012-03-09 05:26 . 2012-03-09 05:26 64512 ----a-w- c:\windows\system32\OpenVideo.dll
2012-03-09 05:26 . 2012-03-09 05:26 54784 ----a-w- c:\windows\system32\OVDecode.dll
2012-03-09 05:25 . 2012-03-09 05:25 13238272 ----a-w- c:\windows\system32\amdocl.dll
2012-03-09 05:24 . 2012-03-09 05:24 48128 ----a-w- c:\windows\system32\OpenCL.dll
2012-03-09 05:16 . 2012-03-09 05:16 159744 ----a-w- c:\windows\system32\atiapfxx.exe
2012-03-09 05:16 . 2012-03-09 05:16 791552 ----a-w- c:\windows\system32\aticfx32.dll
2012-03-09 05:11 . 2012-03-09 05:11 442368 ----a-w- c:\windows\system32\ATIDEMGX.dll
2012-03-09 05:10 . 2012-03-09 05:10 405504 ----a-w- c:\windows\system32\atieclxx.exe
2012-03-09 05:10 . 2012-03-09 05:10 163328 ----a-w- c:\windows\system32\atiesrxx.exe
2012-03-09 05:08 . 2012-03-09 05:08 159744 ----a-w- c:\windows\system32\atitmmxx.dll
2012-03-09 05:07 . 2012-03-09 05:07 20992 ----a-w- c:\windows\system32\atimuixx.dll
2012-03-09 05:07 . 2012-03-09 05:07 43520 ----a-w- c:\windows\system32\ati2edxx.dll
2012-03-09 05:04 . 2012-03-09 05:04 6200320 ----a-w- c:\windows\system32\atidxx32.dll
2012-03-09 04:39 . 2012-03-09 04:39 19739136 ----a-w- c:\windows\system32\atioglxx.dll
2012-03-09 04:36 . 2012-03-09 04:36 1828864 ----a-w- c:\windows\system32\atiumdmv.dll
2012-03-09 04:23 . 2012-03-09 04:23 5062656 ----a-w- c:\windows\system32\atiumdva.dll
2012-03-09 04:23 . 2012-03-09 04:23 5954048 ----a-w- c:\windows\system32\atiumdag.dll
2012-03-09 04:18 . 2012-03-09 04:18 46080 ----a-w- c:\windows\system32\aticalrt.dll
2012-03-09 04:18 . 2012-03-09 04:18 44032 ----a-w- c:\windows\system32\aticalcl.dll
2012-03-09 04:12 . 2012-03-09 04:12 13715968 ----a-w- c:\windows\system32\aticaldd.dll
2012-03-09 04:05 . 2012-03-09 04:05 53760 ----a-w- c:\windows\system32\atimpc32.dll
2012-03-09 04:05 . 2012-03-09 04:05 53760 ----a-w- c:\windows\system32\amdpcom32.dll
2012-03-09 03:58 . 2012-03-09 03:58 356352 ----a-w- c:\windows\system32\atiadlxx.dll
2012-03-09 03:58 . 2012-03-09 03:58 14336 ----a-w- c:\windows\system32\atiglpxx.dll
2012-03-09 03:58 . 2012-03-09 03:58 33280 ----a-w- c:\windows\system32\atigktxx.dll
2012-03-09 03:57 . 2012-03-09 03:57 265216 ----a-w- c:\windows\system32\drivers\atikmpag.sys
2012-03-09 03:56 . 2012-03-09 03:56 33280 ----a-w- c:\windows\system32\atiuxpag.dll
2012-03-09 03:56 . 2012-03-09 03:56 30208 ----a-w- c:\windows\system32\atiu9pag.dll
2012-03-09 03:56 . 2012-03-09 03:56 37376 ----a-w- c:\windows\system32\atitmpxx.dll
2012-03-09 03:55 . 2012-03-09 03:55 53248 ----a-w- c:\windows\system32\drivers\ati2erec.dll
2012-03-09 03:47 . 2012-03-09 03:47 51200 ----a-w- c:\windows\system32\coinst.dll
2012-02-29 15:11 . 2012-04-11 19:34 5120 ----a-w- c:\windows\system32\wmi.dll
2012-02-29 15:11 . 2012-04-11 19:34 172032 ----a-w- c:\windows\system32\wintrust.dll
2012-02-29 15:09 . 2012-04-11 19:34 157696 ----a-w- c:\windows\system32\imagehlp.dll
2012-02-29 13:32 . 2012-04-11 19:34 12800 ----a-w- c:\windows\system32\drivers\fs_rec.sys
2012-02-28 01:18 . 2012-04-11 19:35 1799168 ----a-w- c:\windows\system32\jscript9.dll
2012-02-28 01:11 . 2012-04-11 19:35 1427456 ----a-w- c:\windows\system32\inetcpl.cpl
2012-02-28 01:11 . 2012-04-11 19:35 1127424 ----a-w- c:\windows\system32\wininet.dll
2012-02-28 01:03 . 2012-04-11 19:35 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-02-22 09:25 . 2012-02-22 09:25 235216 ----a-w- c:\windows\system32\drivers\avgldx86.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}]
2012-04-29 16:06 2067328 ----a-w- c:\program files\AVG Secure Search\11.0.0.9\AVG Secure Search_toolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{95B7759C-8C7F-4BF1-B163-73684A933233}"= "c:\program files\AVG Secure Search\11.0.0.9\AVG Secure Search_toolbar.dll" [2012-04-29 2067328]
.
[HKEY_CLASSES_ROOT\clsid\{95b7759c-8c7f-4bf1-b163-73684a933233}]
[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj.1]
[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2012-04-05 2587008]
"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"vProt"="c:\program files\AVG Secure Search\vprot.exe" [2012-04-29 1116544]
"ROC_roc_dec12"="c:\program files\AVG Secure Search\ROC_roc_dec12.exe" [2012-01-16 928096]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2012-03-09 636032]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-03-27 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKLM\~\startupfolder\C:^Users^Keir^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OpenOffice.org 3.1.lnk]
path=c:\users\Keir\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.1.lnk
backup=c:\windows\pss\OpenOffice.org 3.1.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-01-02 14:07 843712 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2012-03-27 12:41 37296 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]
2007-11-12 18:56 4706304 ----a-w- c:\windows\RtHDVCpl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2011-04-08 16:59 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [2011-08-11 116608]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: {{68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - c:\program files\AVG\AVG2012\avgdtiex.dll
TCP: DhcpNameServer = 192.168.1.1 68.237.161.12
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\Common Files\AVG Secure Search\ViProtocolInstaller\11.0.2\ViProtocol.dll
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-05-19 22:01
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]
@Denied: (2) (LocalSystem)
"{95B7759C-8C7F-4BF1-B163-73684A933233}"=hex:51,66,7a,6c,4c,1d,38,12,f2,76,a4,
91,4d,c2,9f,0e,ce,75,30,28,4f,cd,76,27
"{18DF081C-E8AD-4283-A596-FA578C2EBDC3}"=hex:51,66,7a,6c,4c,1d,38,12,72,0b,cc,
1c,9f,a6,ed,07,da,80,b9,17,89,70,f9,d7
"{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}"=hex:51,66,7a,6c,4c,1d,38,12,7c,f0,b1,
38,5c,21,3d,0e,d9,78,0d,25,e1,c9,8c,d4
"{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}"=hex:51,66,7a,6c,4c,1d,38,12,07,5b,93,
aa,6e,60,ba,0b,f0,6d,b2,b7,80,44,00,83
"{B4F3A835-0E21-4959-BA22-42B3008E02FF}"=hex:51,66,7a,6c,4c,1d,38,12,5b,ab,e0,
b0,13,40,37,0c,c5,34,01,f3,05,d0,46,eb
"{DBC80044-A445-435B-BC74-9C25C1C588A9}"=hex:51,66,7a,6c,4c,1d,38,12,2a,03,db,
df,77,ea,35,06,c3,62,df,65,c4,9b,cc,bd
"{FF059E31-CC5A-4E2E-BF3B-96E929D65503}"=hex:51,66,7a,6c,4c,1d,38,12,5f,9d,16,
fb,68,82,40,0b,c0,2d,d5,a9,2c,88,11,17
"{BDEADE7F-C265-11D0-BCED-00A0C90AB50F}"=hex:51,66,7a,6c,4c,1d,38,12,11,dd,f9,
b9,57,8c,be,54,c3,fb,43,e0,cc,54,f1,1b
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
@Denied: (2) (LocalSystem)
"Timestamp"=hex:26,b1,61,1d,22,26,cd,01
.
Completion time: 2012-05-19 22:02:11
ComboFix-quarantined-files.txt 2012-05-20 02:02
ComboFix2.txt 2012-05-19 04:49
.
Pre-Run: 354,136,272,896 bytes free
Post-Run: 354,108,841,984 bytes free
.
- - End Of File - - 1EA2FD337BBD2E0689F843CC4484D870

#4 gringo_pr

gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • PipPipPipPipPipPip
  • 122,845 posts
  • Gender:Male
  • Location:Puerto rico

Posted 19 May 2012 - 09:24 PM

Greetings

I want you to run these next,

tdsskiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please download aswMBR to your desktop.
  • Double click the aswMBR.exe icon to run it
  • it will ask to download extra definitions - ALLOW IT
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

If you have any problems running either one come back and let me know

please reply with the reports from TDSSKiller and aswMBR

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

#5 Irkd

Irkd

    New Member

  • Members
  • Pip
  • 8 posts

Posted 20 May 2012 - 12:22 PM

Gringo:

Thank you again. I followed your directions. The MBR and TDSSKiller logs are below. The Internet redirection continues to be solved on my child's account. But Outlook is still failing send to my child's associated aol.com e-mail account. I don't know if that's a virus problem or something else. The Outlook settings for the problem PC are the same for my other child's PC which works fine, so I suspect it's an infection related issue. The logs follow:


Here is the MBR log:

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-05-20 12:43:20
-----------------------------
12:43:20.084 OS Version: Windows 6.0.6002 Service Pack 2
12:43:20.084 Number of processors: 2 586 0x1706
12:43:20.084 ComputerName: XXXXXXX-DESKTOP UserName: Keir
12:43:31.830 Initialize success
12:51:23.112 AVAST engine defs: 12052000
12:51:38.618 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
12:51:38.618 Disk 0 Vendor: WDC_WD5000AAKS-00D2B0 12.01C02 Size: 476940MB BusType: 3
12:51:38.634 Disk 0 MBR read successfully
12:51:38.634 Disk 0 MBR scan
12:51:38.634 Disk 0 Windows VISTA default MBR code
12:51:38.634 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 476938 MB offset 2048
12:51:38.634 Disk 0 scanning sectors +976771072
12:51:38.696 Disk 0 scanning C:\Windows\system32\drivers
12:51:44.452 Service scanning
12:51:56.870 Modules scanning
12:51:59.382 Disk 0 trace - called modules:
12:51:59.397 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll ataport.SYS pciide.sys PCIIDEX.SYS atapi.sys
12:51:59.413 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x862da7c0]
12:51:59.413 3 CLASSPNP.SYS[8b19e8b3] -> nt!IofCallDriver -> [0x858c0178]
12:51:59.413 5 acpi.sys[806956bc] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0x858b98a0]
12:52:01.784 AVAST engine scan C:\Windows
12:52:04.810 AVAST engine scan C:\Windows\system32
12:53:59.330 AVAST engine scan C:\Windows\system32\drivers
12:54:09.922 AVAST engine scan C:\Users\Keir
12:54:52.854 AVAST engine scan C:\ProgramData
12:55:43.741 Scan finished successfully
12:56:05.175 Disk 0 MBR has been saved successfully to "C:\Users\Keir\Desktop\MBR.dat"
12:56:05.175 The log file has been saved successfully to "C:\Users\Keir\Desktop\aswMBR.txt"


Here is the TDSSKiller log:

12:38:15.0755 5148 TDSS rootkit removing tool 2.7.35.0 May 16 2012 07:37:57
12:38:16.0036 5148 ============================================================
12:38:16.0036 5148 Current date / time: 2012/05/20 12:38:16.0036
12:38:16.0036 5148 SystemInfo:
12:38:16.0036 5148
12:38:16.0036 5148 OS Version: 6.0.6002 ServicePack: 2.0
12:38:16.0036 5148 Product type: Workstation
12:38:16.0036 5148 ComputerName: XXXXXXXX-DESKTOP
12:38:16.0036 5148 UserName: Keir
12:38:16.0036 5148 Windows directory: C:\Windows
12:38:16.0036 5148 System windows directory: C:\Windows
12:38:16.0036 5148 Processor architecture: Intel x86
12:38:16.0036 5148 Number of processors: 2
12:38:16.0036 5148 Page size: 0x1000
12:38:16.0036 5148 Boot type: Normal boot
12:38:16.0036 5148 ============================================================
12:38:16.0956 5148 Drive \Device\Harddisk0\DR0 - Size: 0x7470C06000 (465.76 Gb), SectorSize: 0x200, Cylinders: 0xED81, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000050
12:38:16.0956 5148 ============================================================
12:38:16.0956 5148 \Device\Harddisk0\DR0:
12:38:16.0956 5148 MBR partitions:
12:38:16.0956 5148 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x800, BlocksNum 0x3A385000
12:38:16.0956 5148 ============================================================
12:38:17.0003 5148 C: <-> \Device\Harddisk0\DR0\Partition0
12:38:17.0003 5148 ============================================================
12:38:17.0003 5148 Initialize success
12:38:17.0003 5148 ============================================================
12:38:35.0645 4280 ============================================================
12:38:35.0645 4280 Scan started
12:38:35.0645 4280 Mode: Manual;
12:38:35.0645 4280 ============================================================
12:38:36.0128 4280 !SASCORE (c0393eb99a6c72c6bef9bfc4a72b33a6) C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
12:38:36.0128 4280 !SASCORE - ok
12:38:36.0550 4280 ACPI (82b296ae1892fe3dbee00c9cf92f8ac7) C:\Windows\system32\drivers\acpi.sys
12:38:36.0550 4280 ACPI - ok
12:38:36.0596 4280 adp94xx (04f0fcac69c7c71a3ac4eb97fafc8303) C:\Windows\system32\drivers\adp94xx.sys
12:38:36.0596 4280 adp94xx - ok
12:38:36.0643 4280 adpahci (60505e0041f7751bdbb80f88bf45c2ce) C:\Windows\system32\drivers\adpahci.sys
12:38:36.0643 4280 adpahci - ok
12:38:36.0659 4280 adpu160m (8a42779b02aec986eab64ecfc98f8bd7) C:\Windows\system32\drivers\adpu160m.sys
12:38:36.0659 4280 adpu160m - ok
12:38:36.0674 4280 adpu320 (241c9e37f8ce45ef51c3de27515ca4e5) C:\Windows\system32\drivers\adpu320.sys
12:38:36.0674 4280 adpu320 - ok
12:38:36.0706 4280 AeLookupSvc (9d1fda9e086ba64e3c93c9de32461bcf) C:\Windows\System32\aelupsvc.dll
12:38:36.0706 4280 AeLookupSvc - ok
12:38:36.0768 4280 AFD (3911b972b55fea0478476b2e777b29fa) C:\Windows\system32\drivers\afd.sys
12:38:36.0768 4280 AFD - ok
12:38:36.0799 4280 agp440 (13f9e33747e6b41a3ff305c37db0d360) C:\Windows\system32\drivers\agp440.sys
12:38:36.0799 4280 agp440 - ok
12:38:36.0830 4280 aic78xx (ae1fdf7bf7bb6c6a70f67699d880592a) C:\Windows\system32\drivers\djsvs.sys
12:38:36.0830 4280 aic78xx - ok
12:38:36.0846 4280 ALG (a1545b731579895d8cc44fc0481c1192) C:\Windows\System32\alg.exe
12:38:36.0846 4280 ALG - ok
12:38:36.0862 4280 aliide (9eaef5fc9b8e351afa7e78a6fae91f91) C:\Windows\system32\drivers\aliide.sys
12:38:36.0862 4280 aliide - ok
12:38:36.0924 4280 AMD External Events Utility (4b9298fd6707980ab8e3a8f0e642ec9a) C:\Windows\system32\atiesrxx.exe
12:38:36.0940 4280 AMD External Events Utility - ok
12:38:36.0955 4280 amdagp (c47344bc706e5f0b9dce369516661578) C:\Windows\system32\drivers\amdagp.sys
12:38:36.0955 4280 amdagp - ok
12:38:36.0955 4280 amdide (9b78a39a4c173fdbc1321e0dd659b34c) C:\Windows\system32\drivers\amdide.sys
12:38:36.0971 4280 amdide - ok
12:38:36.0971 4280 AmdK7 (18f29b49ad23ecee3d2a826c725c8d48) C:\Windows\system32\drivers\amdk7.sys
12:38:36.0971 4280 AmdK7 - ok
12:38:36.0986 4280 AmdK8 (93ae7f7dd54ab986a6f1a1b37be7442d) C:\Windows\system32\drivers\amdk8.sys
12:38:36.0986 4280 AmdK8 - ok
12:38:40.0434 4280 amdkmdag (5c297f25a4a09d14bfe2cab5de2f1457) C:\Windows\system32\DRIVERS\atikmdag.sys
12:38:40.0481 4280 amdkmdag - ok
12:38:41.0011 4280 amdkmdap (ff2e35d9bd35f36a0126a0ca7556e43d) C:\Windows\system32\DRIVERS\atikmpag.sys
12:38:41.0011 4280 amdkmdap - ok
12:38:41.0042 4280 Appinfo (c6d704c7f0434dc791aac37cac4b6e14) C:\Windows\System32\appinfo.dll
12:38:41.0042 4280 Appinfo - ok
12:38:41.0074 4280 arc (5d2888182fb46632511acee92fdad522) C:\Windows\system32\drivers\arc.sys
12:38:41.0074 4280 arc - ok
12:38:41.0105 4280 arcsas (5e2a321bd7c8b3624e41fdec3e244945) C:\Windows\system32\drivers\arcsas.sys
12:38:41.0105 4280 arcsas - ok
12:38:41.0120 4280 AsyncMac (53b202abee6455406254444303e87be1) C:\Windows\system32\DRIVERS\asyncmac.sys
12:38:41.0120 4280 AsyncMac - ok
12:38:41.0136 4280 atapi (1f05b78ab91c9075565a9d8a4b880bc4) C:\Windows\system32\drivers\atapi.sys
12:38:41.0136 4280 atapi - ok
12:38:41.0198 4280 AtiHDAudioService (9f7ccf1d6faf646f71f029a30ded2dc7) C:\Windows\system32\drivers\AtihdLH3.sys
12:38:41.0198 4280 AtiHDAudioService - ok
12:38:41.0230 4280 AudioEndpointBuilder (68e2a1a0407a66cf50da0300852424ab) C:\Windows\System32\Audiosrv.dll
12:38:41.0230 4280 AudioEndpointBuilder - ok
12:38:41.0245 4280 Audiosrv (68e2a1a0407a66cf50da0300852424ab) C:\Windows\System32\Audiosrv.dll
12:38:41.0245 4280 Audiosrv - ok
12:38:41.0604 4280 AVG Security Toolbar Service (080d4fe1435401a370f122614ea514cd) C:\Program Files\AVG\AVG10\Toolbar\ToolbarBroker.exe
12:38:41.0604 4280 AVG Security Toolbar Service - ok
12:38:41.0916 4280 AVGIDSAgent (ba60fd7a64b9759a14c0fba4a9ed4c7b) C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
12:38:41.0932 4280 AVGIDSAgent - ok
12:38:42.0041 4280 AVGIDSDriver (1074f787080068c71303b61fae7e7ca4) C:\Windows\system32\DRIVERS\avgidsdriverx.sys
12:38:42.0041 4280 AVGIDSDriver - ok
12:38:42.0056 4280 AVGIDSFilter (61a7e0b02f82cff3db2445bbe50b3589) C:\Windows\system32\DRIVERS\avgidsfilterx.sys
12:38:42.0056 4280 AVGIDSFilter - ok
12:38:42.0103 4280 AVGIDSHX (d63d83659eedf60b3a3e620281a888e5) C:\Windows\system32\DRIVERS\avgidshx.sys
12:38:42.0103 4280 AVGIDSHX - ok
12:38:42.0119 4280 AVGIDSShim (baf975b72062f53d327788e99d64197e) C:\Windows\system32\DRIVERS\avgidsshimx.sys
12:38:42.0119 4280 AVGIDSShim - ok
12:38:42.0150 4280 Avgldx86 (dda6a2a18841e4c9172bb85958b8d948) C:\Windows\system32\DRIVERS\avgldx86.sys
12:38:42.0150 4280 Avgldx86 - ok
12:38:42.0244 4280 Avgmfx86 (ccdd61545aaea265977e4b1efdc74e8c) C:\Windows\system32\DRIVERS\avgmfx86.sys
12:38:42.0244 4280 Avgmfx86 - ok
12:38:42.0259 4280 Avgrkx86 (1fd90b28d2c3100bf4500199c8ad6358) C:\Windows\system32\DRIVERS\avgrkx86.sys
12:38:42.0259 4280 Avgrkx86 - ok
12:38:42.0306 4280 Avgtdix (1263f2554ace925c237a40b4c568d815) C:\Windows\system32\DRIVERS\avgtdix.sys
12:38:42.0306 4280 Avgtdix - ok
12:38:42.0384 4280 avgwd (ea1145debcd508fd25bd1e95c4346929) C:\Program Files\AVG\AVG2012\avgwdsvc.exe
12:38:42.0384 4280 avgwd - ok
12:38:42.0431 4280 BCM43XV (cf6a67c90951e3e763d2135dede44b85) C:\Windows\system32\DRIVERS\bcmwl6.sys
12:38:42.0431 4280 BCM43XV - ok
12:38:42.0446 4280 Beep (67e506b75bd5326a3ec7b70bd014dfb6) C:\Windows\system32\drivers\Beep.sys
12:38:42.0446 4280 Beep - ok
12:38:42.0493 4280 BFE (c789af0f724fda5852fb9a7d3a432381) C:\Windows\System32\bfe.dll
12:38:42.0493 4280 BFE - ok
12:38:42.0540 4280 BITS (93952506c6d67330367f7e7934b6a02f) C:\Windows\system32\qmgr.dll
12:38:42.0540 4280 BITS - ok
12:38:42.0556 4280 blbdrive (d4df28447741fd3d953526e33a617397) C:\Windows\system32\drivers\blbdrive.sys
12:38:42.0556 4280 blbdrive - ok
12:38:42.0587 4280 bowser (35f376253f687bde63976ccb3f2108ca) C:\Windows\system32\DRIVERS\bowser.sys
12:38:42.0602 4280 bowser - ok
12:38:42.0602 4280 BrFiltLo (9f9acc7f7ccde8a15c282d3f88b43309) C:\Windows\system32\drivers\brfiltlo.sys
12:38:42.0602 4280 BrFiltLo - ok
12:38:42.0618 4280 BrFiltUp (56801ad62213a41f6497f96dee83755a) C:\Windows\system32\drivers\brfiltup.sys
12:38:42.0618 4280 BrFiltUp - ok
12:38:42.0634 4280 Browser (a3629a0c4226f9e9c72faaeebc3ad33c) C:\Windows\System32\browser.dll
12:38:42.0634 4280 Browser - ok
12:38:42.0649 4280 Brserid (b304e75cff293029eddf094246747113) C:\Windows\system32\drivers\brserid.sys
12:38:42.0649 4280 Brserid - ok
12:38:42.0665 4280 BrSerWdm (203f0b1e73adadbbb7b7b1fabd901f6b) C:\Windows\system32\drivers\brserwdm.sys
12:38:42.0665 4280 BrSerWdm - ok
12:38:42.0680 4280 BrUsbMdm (bd456606156ba17e60a04e18016ae54b) C:\Windows\system32\drivers\brusbmdm.sys
12:38:42.0680 4280 BrUsbMdm - ok
12:38:42.0696 4280 BrUsbSer (af72ed54503f717a43268b3cc5faec2e) C:\Windows\system32\drivers\brusbser.sys
12:38:42.0696 4280 BrUsbSer - ok
12:38:42.0712 4280 BTHMODEM (ad07c1ec6665b8b35741ab91200c6b68) C:\Windows\system32\drivers\bthmodem.sys
12:38:42.0712 4280 BTHMODEM - ok
12:38:42.0774 4280 catchme - ok
12:38:42.0805 4280 cbVSCService11 (58bf7714a312698108a96d0de2bb6825) C:\Program Files\Cobian Backup 11\cbVSCService11.exe
12:38:42.0805 4280 cbVSCService11 - ok
12:38:42.0836 4280 cdfs (7add03e75beb9e6dd102c3081d29840a) C:\Windows\system32\DRIVERS\cdfs.sys
12:38:42.0836 4280 cdfs - ok
12:38:42.0852 4280 cdrom (6b4bffb9becd728097024276430db314) C:\Windows\system32\DRIVERS\cdrom.sys
12:38:42.0852 4280 cdrom - ok
12:38:42.0868 4280 CertPropSvc (312ec3e37a0a1f2006534913e37b4423) C:\Windows\System32\certprop.dll
12:38:42.0883 4280 CertPropSvc - ok
12:38:42.0883 4280 circlass (e5d4133f37219dbcfe102bc61072589d) C:\Windows\system32\drivers\circlass.sys
12:38:42.0883 4280 circlass - ok
12:38:42.0914 4280 CLFS (d7659d3b5b92c31e84e53c1431f35132) C:\Windows\system32\CLFS.sys
12:38:42.0914 4280 CLFS - ok
12:38:42.0977 4280 clr_optimization_v2.0.50727_32 (8ee772032e2fe80a924f3b8dd5082194) C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
12:38:42.0977 4280 clr_optimization_v2.0.50727_32 - ok
12:38:43.0024 4280 clr_optimization_v4.0.30319_32 (c5a75eb48e2344abdc162bda79e16841) C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
12:38:43.0024 4280 clr_optimization_v4.0.30319_32 - ok
12:38:43.0039 4280 cmdide (0ca25e686a4928484e9fdabd168ab629) C:\Windows\system32\drivers\cmdide.sys
12:38:43.0039 4280 cmdide - ok
12:38:43.0055 4280 Compbatt (6afef0b60fa25de07c0968983ee4f60a) C:\Windows\system32\drivers\compbatt.sys
12:38:43.0055 4280 Compbatt - ok
12:38:43.0055 4280 COMSysApp - ok
12:38:43.0055 4280 crcdisk (741e9dff4f42d2d8477d0fc1dc0df871) C:\Windows\system32\drivers\crcdisk.sys
12:38:43.0055 4280 crcdisk - ok
12:38:43.0055 4280 Crusoe (1f07becdca750766a96cda811ba86410) C:\Windows\system32\drivers\crusoe.sys
12:38:43.0055 4280 Crusoe - ok
12:38:43.0086 4280 CryptSvc (fb27772beaf8e1d28ccd825c09da939b) C:\Windows\system32\cryptsvc.dll
12:38:43.0086 4280 CryptSvc - ok
12:38:43.0117 4280 DcomLaunch (3b5b4d53fec14f7476ca29a20cc31ac9) C:\Windows\system32\rpcss.dll
12:38:43.0133 4280 DcomLaunch - ok
12:38:43.0164 4280 DfsC (622c41a07ca7e6dd91770f50d532cb6c) C:\Windows\system32\Drivers\dfsc.sys
12:38:43.0164 4280 DfsC - ok
12:38:43.0273 4280 DFSR (2cc3dcfb533a1035b13dcab6160ab38b) C:\Windows\system32\DFSR.exe
12:38:43.0289 4280 DFSR - ok
12:38:43.0367 4280 Dhcp (9028559c132146fb75eb7acf384b086a) C:\Windows\System32\dhcpcsvc.dll
12:38:43.0367 4280 Dhcp - ok
12:38:43.0398 4280 disk (5d4aefc3386920236a548271f8f1af6a) C:\Windows\system32\drivers\disk.sys
12:38:43.0398 4280 disk - ok
12:38:43.0429 4280 Dnscache (57d762f6f5974af0da2be88a3349baaa) C:\Windows\System32\dnsrslvr.dll
12:38:43.0429 4280 Dnscache - ok
12:38:43.0460 4280 dot3svc (324fd74686b1ef5e7c19a8af49e748f6) C:\Windows\System32\dot3svc.dll
12:38:43.0460 4280 dot3svc - ok
12:38:43.0460 4280 DPS (a622e888f8aa2f6b49e9bc466f0e5def) C:\Windows\system32\dps.dll
12:38:43.0476 4280 DPS - ok
12:38:43.0492 4280 drmkaud (97fef831ab90bee128c9af390e243f80) C:\Windows\system32\drivers\drmkaud.sys
12:38:43.0492 4280 drmkaud - ok
12:38:43.0523 4280 DXGKrnl (c68ac676b0ef30cfbb1080adce49eb1f) C:\Windows\System32\drivers\dxgkrnl.sys
12:38:43.0523 4280 DXGKrnl - ok
12:38:43.0554 4280 e1express (908ed85b7806e8af3af5e9b74f7809d4) C:\Windows\system32\DRIVERS\e1e6032.sys
12:38:43.0554 4280 e1express - ok
12:38:43.0570 4280 E1G60 (5425f74ac0c1dbd96a1e04f17d63f94c) C:\Windows\system32\DRIVERS\E1G60I32.sys
12:38:43.0570 4280 E1G60 - ok
12:38:43.0585 4280 EapHost (c0b95e40d85cd807d614e264248a45b9) C:\Windows\System32\eapsvc.dll
12:38:43.0585 4280 EapHost - ok
12:38:43.0616 4280 Ecache (7f64ea048dcfac7acf8b4d7b4e6fe371) C:\Windows\system32\drivers\ecache.sys
12:38:43.0616 4280 Ecache - ok
12:38:43.0648 4280 ehRecvr (9be3744d295a7701eb425332014f0797) C:\Windows\ehome\ehRecvr.exe
12:38:43.0648 4280 ehRecvr - ok
12:38:43.0663 4280 ehSched (ad1870c8e5d6dd340c829e6074bf3c3f) C:\Windows\ehome\ehsched.exe
12:38:43.0679 4280 ehSched - ok
12:38:43.0679 4280 ehstart (c27c4ee8926e74aa72efcab24c5242c3) C:\Windows\ehome\ehstart.dll
12:38:43.0679 4280 ehstart - ok
12:38:43.0710 4280 elxstor (23b62471681a124889978f6295b3f4c6) C:\Windows\system32\drivers\elxstor.sys
12:38:43.0710 4280 elxstor - ok
12:38:43.0757 4280 EMDMgmt (4e6b23dfc917ea39306b529b773950f4) C:\Windows\system32\emdmgmt.dll
12:38:43.0757 4280 EMDMgmt - ok
12:38:43.0788 4280 ErrDev (3db974f3935483555d7148663f726c61) C:\Windows\system32\drivers\errdev.sys
12:38:43.0788 4280 ErrDev - ok
12:38:43.0819 4280 EventSystem (67058c46504bc12d821f38cf99b7b28f) C:\Windows\system32\es.dll
12:38:43.0819 4280 EventSystem - ok
12:38:43.0850 4280 exfat (22b408651f9123527bcee54b4f6c5cae) C:\Windows\system32\drivers\exfat.sys
12:38:43.0850 4280 exfat - ok
12:38:43.0882 4280 fastfat (1e9b9a70d332103c52995e957dc09ef8) C:\Windows\system32\drivers\fastfat.sys
12:38:43.0882 4280 fastfat - ok
12:38:43.0897 4280 fdc (afe1e8b9782a0dd7fb46bbd88e43f89a) C:\Windows\system32\DRIVERS\fdc.sys
12:38:43.0897 4280 fdc - ok
12:38:43.0897 4280 fdPHost (6629b5f0e98151f4afdd87567ea32ba3) C:\Windows\system32\fdPHost.dll
12:38:43.0897 4280 fdPHost - ok
12:38:43.0913 4280 FDResPub (89ed56dce8e47af40892778a5bd31fd2) C:\Windows\system32\fdrespub.dll
12:38:43.0913 4280 FDResPub - ok
12:38:43.0928 4280 FileInfo (a8c0139a884861e3aae9cfe73b208a9f) C:\Windows\system32\drivers\fileinfo.sys
12:38:43.0928 4280 FileInfo - ok
12:38:43.0928 4280 Filetrace (0ae429a696aecbc5970e3cf2c62635ae) C:\Windows\system32\drivers\filetrace.sys
12:38:43.0928 4280 Filetrace - ok
12:38:43.0944 4280 flpydisk (85b7cf99d532820495d68d747fda9ebd) C:\Windows\system32\DRIVERS\flpydisk.sys
12:38:43.0944 4280 flpydisk - ok
12:38:43.0960 4280 FltMgr (01334f9ea68e6877c4ef05d3ea8abb05) C:\Windows\system32\drivers\fltmgr.sys
12:38:43.0960 4280 FltMgr - ok
12:38:44.0053 4280 FontCache (8ce364388c8eca59b14b539179276d44) C:\Windows\system32\FntCache.dll
12:38:44.0053 4280 FontCache - ok
12:38:44.0100 4280 FontCache3.0.0.0 (c7fbdd1ed42f82bfa35167a5c9803ea3) C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
12:38:44.0100 4280 FontCache3.0.0.0 - ok
12:38:44.0116 4280 Fs_Rec (b972a66758577e0bfd1de0f91aaa27b5) C:\Windows\system32\drivers\Fs_Rec.sys
12:38:44.0116 4280 Fs_Rec - ok
12:38:44.0131 4280 gagp30kx (34582a6e6573d54a07ece5fe24a126b5) C:\Windows\system32\drivers\gagp30kx.sys
12:38:44.0131 4280 gagp30kx - ok
12:38:44.0178 4280 gpsvc (cd5d0aeee35dfd4e986a5aa1500a6e66) C:\Windows\System32\gpsvc.dll
12:38:44.0178 4280 gpsvc - ok
12:38:44.0240 4280 HdAudAddService (3f90e001369a07243763bd5a523d8722) C:\Windows\system32\drivers\HdAudio.sys
12:38:44.0256 4280 HdAudAddService - ok
12:38:44.0287 4280 HDAudBus (062452b7ffd68c8c042a6261fe8dff4a) C:\Windows\system32\DRIVERS\HDAudBus.sys
12:38:44.0287 4280 HDAudBus - ok
12:38:44.0303 4280 HidBth (1338520e78d90154ed6be8f84de5fceb) C:\Windows\system32\drivers\hidbth.sys
12:38:44.0303 4280 HidBth - ok
12:38:44.0303 4280 HidIr (ff3160c3a2445128c5a6d9b076da519e) C:\Windows\system32\drivers\hidir.sys
12:38:44.0303 4280 HidIr - ok
12:38:44.0318 4280 hidserv (84067081f3318162797385e11a8f0582) C:\Windows\System32\hidserv.dll
12:38:44.0318 4280 hidserv - ok
12:38:44.0334 4280 HidUsb (cca4b519b17e23a00b826c55716809cc) C:\Windows\system32\DRIVERS\hidusb.sys
12:38:44.0334 4280 HidUsb - ok
12:38:44.0350 4280 hkmsvc (d8ad255b37da92434c26e4876db7d418) C:\Windows\system32\kmsvc.dll
12:38:44.0350 4280 hkmsvc - ok
12:38:44.0365 4280 HpCISSs (16ee7b23a009e00d835cdb79574a91a6) C:\Windows\system32\drivers\hpcisss.sys
12:38:44.0365 4280 HpCISSs - ok
12:38:44.0381 4280 HTTP (f870aa3e254628ebeafe754108d664de) C:\Windows\system32\drivers\HTTP.sys
12:38:44.0396 4280 HTTP - ok
12:38:44.0396 4280 i2omp (c6b032d69650985468160fc9937cf5b4) C:\Windows\system32\drivers\i2omp.sys
12:38:44.0396 4280 i2omp - ok
12:38:44.0428 4280 i8042prt (22d56c8184586b7a1f6fa60be5f5a2bd) C:\Windows\system32\DRIVERS\i8042prt.sys
12:38:44.0428 4280 i8042prt - ok
12:38:44.0443 4280 iaStorV (54155ea1b0df185878e0fc9ec3ac3a14) C:\Windows\system32\drivers\iastorv.sys
12:38:44.0459 4280 iaStorV - ok
12:38:44.0537 4280 idsvc (98477b08e61945f974ed9fdc4cb6bdab) C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
12:38:44.0552 4280 idsvc - ok
12:38:44.0568 4280 iirsp (2d077bf86e843f901d8db709c95b49a5) C:\Windows\system32\drivers\iirsp.sys
12:38:44.0568 4280 iirsp - ok
12:38:44.0599 4280 IKEEXT (9908d8a397b76cd8d31d0d383c5773c9) C:\Windows\System32\ikeext.dll
12:38:44.0615 4280 IKEEXT - ok
12:38:44.0802 4280 IntcAzAudAddService (edc37b918e583a5a813c53d4f5588255) C:\Windows\system32\drivers\RTKVHDA.sys
12:38:44.0818 4280 IntcAzAudAddService - ok
12:38:44.0880 4280 intelide (83aa759f3189e6370c30de5dc5590718) C:\Windows\system32\drivers\intelide.sys
12:38:44.0880 4280 intelide - ok
12:38:44.0896 4280 intelppm (224191001e78c89dfa78924c3ea595ff) C:\Windows\system32\DRIVERS\intelppm.sys
12:38:44.0896 4280 intelppm - ok
12:38:44.0911 4280 IPBusEnum (9ac218c6e6105477484c6fdbe7d409a4) C:\Windows\system32\ipbusenum.dll
12:38:44.0911 4280 IPBusEnum - ok
12:38:44.0927 4280 IpFilterDriver (62c265c38769b864cb25b4bcf62df6c3) C:\Windows\system32\DRIVERS\ipfltdrv.sys
12:38:44.0927 4280 IpFilterDriver - ok
12:38:44.0942 4280 iphlpsvc (1998bd97f950680bb55f55a7244679c2) C:\Windows\System32\iphlpsvc.dll
12:38:44.0942 4280 iphlpsvc - ok
12:38:44.0958 4280 IpInIp - ok
12:38:44.0989 4280 IPMIDRV (b25aaf203552b7b3491139d582b39ad1) C:\Windows\system32\drivers\ipmidrv.sys
12:38:44.0989 4280 IPMIDRV - ok
12:38:45.0005 4280 IPNAT (8793643a67b42cec66490b2a0cf92d68) C:\Windows\system32\DRIVERS\ipnat.sys
12:38:45.0005 4280 IPNAT - ok
12:38:45.0020 4280 IRENUM (109c0dfb82c3632fbd11949b73aeeac9) C:\Windows\system32\drivers\irenum.sys
12:38:45.0020 4280 IRENUM - ok
12:38:45.0036 4280 isapnp (6c70698a3e5c4376c6ab5c7c17fb0614) C:\Windows\system32\drivers\isapnp.sys
12:38:45.0036 4280 isapnp - ok
12:38:45.0067 4280 iScsiPrt (232fa340531d940aac623b121a595034) C:\Windows\system32\DRIVERS\msiscsi.sys
12:38:45.0067 4280 iScsiPrt - ok
12:38:45.0083 4280 iteatapi (bced60d16156e428f8df8cf27b0df150) C:\Windows\system32\drivers\iteatapi.sys
12:38:45.0083 4280 iteatapi - ok
12:38:45.0098 4280 iteraid (06fa654504a498c30adca8bec4e87e7e) C:\Windows\system32\drivers\iteraid.sys
12:38:45.0098 4280 iteraid - ok
12:38:45.0114 4280 kbdclass (37605e0a8cf00cbba538e753e4344c6e) C:\Windows\system32\DRIVERS\kbdclass.sys
12:38:45.0114 4280 kbdclass - ok
12:38:45.0130 4280 kbdhid (ede59ec70e25c24581add1fbec7325f7) C:\Windows\system32\DRIVERS\kbdhid.sys
12:38:45.0130 4280 kbdhid - ok
12:38:45.0161 4280 KeyIso (a3e186b4b935905b829219502557314e) C:\Windows\system32\lsass.exe
12:38:45.0161 4280 KeyIso - ok
12:38:45.0208 4280 KSecDD (2b2f1638466e8cb091400c9019cc730e) C:\Windows\system32\Drivers\ksecdd.sys
12:38:45.0208 4280 KSecDD - ok
12:38:45.0254 4280 KtmRm (8078f8f8f7a79e2e6b494523a828c585) C:\Windows\system32\msdtckrm.dll
12:38:45.0254 4280 KtmRm - ok
12:38:45.0270 4280 LanmanServer (1bf5eebfd518dd7298434d8c862f825d) C:\Windows\System32\srvsvc.dll
12:38:45.0270 4280 LanmanServer - ok
12:38:45.0301 4280 LanmanWorkstation (1db69705b695b987082c8baec0c6b34f) C:\Windows\System32\wkssvc.dll
12:38:45.0301 4280 LanmanWorkstation - ok
12:38:45.0317 4280 lltdio (d1c5883087a0c3f1344d9d55a44901f6) C:\Windows\system32\DRIVERS\lltdio.sys
12:38:45.0317 4280 lltdio - ok
12:38:45.0332 4280 lltdsvc (2d5a428872f1442631d0959a34abff63) C:\Windows\System32\lltdsvc.dll
12:38:45.0348 4280 lltdsvc - ok
12:38:45.0364 4280 lmhosts (35d40113e4a5b961b6ce5c5857702518) C:\Windows\System32\lmhsvc.dll
12:38:45.0364 4280 lmhosts - ok
12:38:45.0379 4280 LSI_FC (c7e15e82879bf3235b559563d4185365) C:\Windows\system32\drivers\lsi_fc.sys
12:38:45.0379 4280 LSI_FC - ok
12:38:45.0395 4280 LSI_SAS (ee01ebae8c9bf0fa072e0ff68718920a) C:\Windows\system32\drivers\lsi_sas.sys
12:38:45.0395 4280 LSI_SAS - ok
12:38:45.0410 4280 LSI_SCSI (912a04696e9ca30146a62afa1463dd5c) C:\Windows\system32\drivers\lsi_scsi.sys
12:38:45.0410 4280 LSI_SCSI - ok
12:38:45.0426 4280 luafv (8f5c7426567798e62a3b3614965d62cc) C:\Windows\system32\drivers\luafv.sys
12:38:45.0426 4280 luafv - ok
12:38:45.0442 4280 Mcx2Svc (aef9babb8a506bc4ce0451a64aaded46) C:\Windows\system32\Mcx2Svc.dll
12:38:45.0442 4280 Mcx2Svc - ok
12:38:45.0457 4280 megasas (0001ce609d66632fa17b84705f658879) C:\Windows\system32\drivers\megasas.sys
12:38:45.0457 4280 megasas - ok
12:38:45.0473 4280 MegaSR (c252f32cd9a49dbfc25ecf26ebd51a99) C:\Windows\system32\drivers\megasr.sys
12:38:45.0488 4280 MegaSR - ok
12:38:45.0504 4280 MMCSS (1076ffcffaae8385fd62dfcb25ac4708) C:\Windows\system32\mmcss.dll
12:38:45.0504 4280 MMCSS - ok
12:38:45.0520 4280 Modem (e13b5ea0f51ba5b1512ec671393d09ba) C:\Windows\system32\drivers\modem.sys
12:38:45.0520 4280 Modem - ok
12:38:45.0535 4280 monitor (0a9bb33b56e294f686abb7c1e4e2d8a8) C:\Windows\system32\DRIVERS\monitor.sys
12:38:45.0535 4280 monitor - ok
12:38:45.0551 4280 mouclass (5bf6a1326a335c5298477754a506d263) C:\Windows\system32\DRIVERS\mouclass.sys
12:38:45.0551 4280 mouclass - ok
12:38:45.0566 4280 mouhid (93b8d4869e12cfbe663915502900876f) C:\Windows\system32\DRIVERS\mouhid.sys
12:38:45.0566 4280 mouhid - ok
12:38:45.0566 4280 MountMgr (bdafc88aa6b92f7842416ea6a48e1600) C:\Windows\system32\drivers\mountmgr.sys
12:38:45.0566 4280 MountMgr - ok
12:38:45.0598 4280 mpio (511d011289755dd9f9a7579fb0b064e6) C:\Windows\system32\drivers\mpio.sys
12:38:45.0598 4280 mpio - ok
12:38:45.0613 4280 mpsdrv (22241feba9b2defa669c8cb0a8dd7d2e) C:\Windows\system32\drivers\mpsdrv.sys
12:38:45.0613 4280 mpsdrv - ok
12:38:45.0644 4280 MpsSvc (5de62c6e9108f14f6794060a9bdecaec) C:\Windows\system32\mpssvc.dll
12:38:45.0660 4280 MpsSvc - ok
12:38:45.0660 4280 Mraid35x (4fbbb70d30fd20ec51f80061703b001e) C:\Windows\system32\drivers\mraid35x.sys
12:38:45.0660 4280 Mraid35x - ok
12:38:45.0676 4280 MRxDAV (82cea0395524aacfeb58ba1448e8325c) C:\Windows\system32\drivers\mrxdav.sys
12:38:45.0676 4280 MRxDAV - ok
12:38:45.0722 4280 mrxsmb (1e94971c4b446ab2290deb71d01cf0c2) C:\Windows\system32\DRIVERS\mrxsmb.sys
12:38:45.0722 4280 mrxsmb - ok
12:38:45.0754 4280 mrxsmb10 (4fccb34d793b116423209c0f8b7a3b03) C:\Windows\system32\DRIVERS\mrxsmb10.sys
12:38:45.0754 4280 mrxsmb10 - ok
12:38:45.0769 4280 mrxsmb20 (c3cb1b40ad4a0124d617a1199b0b9d7c) C:\Windows\system32\DRIVERS\mrxsmb20.sys
12:38:45.0769 4280 mrxsmb20 - ok
12:38:45.0785 4280 msahci (28023e86f17001f7cd9b15a5bc9ae07d) C:\Windows\system32\drivers\msahci.sys
12:38:45.0785 4280 msahci - ok
12:38:45.0785 4280 msdsm (4468b0f385a86ecddaf8d3ca662ec0e7) C:\Windows\system32\drivers\msdsm.sys
12:38:45.0785 4280 msdsm - ok
12:38:45.0816 4280 MSDTC (fd7520cc3a80c5fc8c48852bb24c6ded) C:\Windows\System32\msdtc.exe
12:38:45.0816 4280 MSDTC - ok
12:38:45.0832 4280 Msfs (a9927f4a46b816c92f461acb90cf8515) C:\Windows\system32\drivers\Msfs.sys
12:38:45.0832 4280 Msfs - ok
12:38:45.0847 4280 msisadrv (0f400e306f385c56317357d6dea56f62) C:\Windows\system32\drivers\msisadrv.sys
12:38:45.0847 4280 msisadrv - ok
12:38:45.0878 4280 MSiSCSI (85466c0757a23d9a9aecdc0755203cb2) C:\Windows\system32\iscsiexe.dll
12:38:45.0894 4280 MSiSCSI - ok
12:38:45.0894 4280 msiserver - ok
12:38:45.0925 4280 MSKSSRV (d8c63d34d9c9e56c059e24ec7185cc07) C:\Windows\system32\drivers\MSKSSRV.sys
12:38:45.0925 4280 MSKSSRV - ok
12:38:45.0941 4280 MSPCLOCK (1d373c90d62ddb641d50e55b9e78d65e) C:\Windows\system32\drivers\MSPCLOCK.sys
12:38:45.0941 4280 MSPCLOCK - ok
12:38:45.0956 4280 MSPQM (b572da05bf4e098d4bba3a4734fb505b) C:\Windows\system32\drivers\MSPQM.sys
12:38:45.0956 4280 MSPQM - ok
12:38:45.0972 4280 MsRPC (b49456d70555de905c311bcda6ec6adb) C:\Windows\system32\drivers\MsRPC.sys
12:38:45.0972 4280 MsRPC - ok
12:38:46.0003 4280 mssmbios (e384487cb84be41d09711c30ca79646c) C:\Windows\system32\DRIVERS\mssmbios.sys
12:38:46.0003 4280 mssmbios - ok
12:38:46.0003 4280 MSTEE (7199c1eec1e4993caf96b8c0a26bd58a) C:\Windows\system32\drivers\MSTEE.sys
12:38:46.0003 4280 MSTEE - ok
12:38:46.0003 4280 Mup (6a57b5733d4cb702c8ea4542e836b96c) C:\Windows\system32\Drivers\mup.sys
12:38:46.0019 4280 Mup - ok
12:38:46.0034 4280 napagent (e4eaf0c5c1b41b5c83386cf212ca9584) C:\Windows\system32\qagentRT.dll
12:38:46.0050 4280 napagent - ok
12:38:46.0081 4280 NativeWifiP (85c44fdff9cf7e72a40dcb7ec06a4416) C:\Windows\system32\DRIVERS\nwifi.sys
12:38:46.0081 4280 NativeWifiP - ok
12:38:46.0128 4280 NDIS (1357274d1883f68300aeadd15d7bbb42) C:\Windows\system32\drivers\ndis.sys
12:38:46.0128 4280 NDIS - ok
12:38:46.0144 4280 NdisTapi (0e186e90404980569fb449ba7519ae61) C:\Windows\system32\DRIVERS\ndistapi.sys
12:38:46.0144 4280 NdisTapi - ok
12:38:46.0144 4280 Ndisuio (d6973aa34c4d5d76c0430b181c3cd389) C:\Windows\system32\DRIVERS\ndisuio.sys
12:38:46.0144 4280 Ndisuio - ok
12:38:46.0175 4280 NdisWan (818f648618ae34f729fdb47ec68345c3) C:\Windows\system32\DRIVERS\ndiswan.sys
12:38:46.0175 4280 NdisWan - ok
12:38:46.0175 4280 NDProxy (71dab552b41936358f3b541ae5997fb3) C:\Windows\system32\drivers\NDProxy.sys
12:38:46.0175 4280 NDProxy - ok
12:38:46.0206 4280 Net Driver HPZ12 (949941e4de88df1faf49a4b3cffb756f) C:\Windows\system32\HPZinw12.dll
12:38:46.0206 4280 Net Driver HPZ12 - ok
12:38:46.0222 4280 NetBIOS (bcd093a5a6777cf626434568dc7dba78) C:\Windows\system32\DRIVERS\netbios.sys
12:38:46.0222 4280 NetBIOS - ok
12:38:46.0237 4280 netbt (ecd64230a59cbd93c85f1cd1cab9f3f6) C:\Windows\system32\DRIVERS\netbt.sys
12:38:46.0253 4280 netbt - ok
12:38:46.0284 4280 Netlogon (a3e186b4b935905b829219502557314e) C:\Windows\system32\lsass.exe
12:38:46.0284 4280 Netlogon - ok
12:38:46.0300 4280 Netman (c8052711daecc48b982434c5116ca401) C:\Windows\System32\netman.dll
12:38:46.0315 4280 Netman - ok
12:38:46.0393 4280 netprofm (2ef3bbe22e5a5acd1428ee387a0d0172) C:\Windows\System32\netprofm.dll
12:38:46.0409 4280 netprofm - ok
12:38:46.0565 4280 NetTcpPortSharing (d6c4e4a39a36029ac0813d476fbd0248) C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
12:38:46.0565 4280 NetTcpPortSharing - ok
12:38:46.0596 4280 nfrd960 (2e7fb731d4790a1bc6270accefacb36e) C:\Windows\system32\drivers\nfrd960.sys
12:38:46.0596 4280 nfrd960 - ok
12:38:46.0612 4280 NlaSvc (2997b15415f9bbe05b5a4c1c85e0c6a2) C:\Windows\System32\nlasvc.dll
12:38:46.0612 4280 NlaSvc - ok
12:38:46.0627 4280 Npfs (d36f239d7cce1931598e8fb90a0dbc26) C:\Windows\system32\drivers\Npfs.sys
12:38:46.0627 4280 Npfs - ok
12:38:46.0643 4280 nsi (8bb86f0c7eea2bded6fe095d0b4ca9bd) C:\Windows\system32\nsisvc.dll
12:38:46.0643 4280 nsi - ok
12:38:46.0658 4280 nsiproxy (609773e344a97410ce4ebf74a8914fcf) C:\Windows\system32\drivers\nsiproxy.sys
12:38:46.0658 4280 nsiproxy - ok
12:38:47.0017 4280 Ntfs (6a4a98cee84cf9e99564510dda4baa47) C:\Windows\system32\drivers\Ntfs.sys
12:38:47.0033 4280 Ntfs - ok
12:38:47.0048 4280 ntrigdigi (e875c093aec0c978a90f30c9e0dfbb72) C:\Windows\system32\drivers\ntrigdigi.sys
12:38:47.0048 4280 ntrigdigi - ok
12:38:47.0048 4280 Null (c5dbbcda07d780bda9b685df333bb41e) C:\Windows\system32\drivers\Null.sys
12:38:47.0048 4280 Null - ok
12:38:47.0080 4280 nvraid (2edf9e7751554b42cbb60116de727101) C:\Windows\system32\drivers\nvraid.sys
12:38:47.0080 4280 nvraid - ok
12:38:47.0095 4280 nvstor (abed0c09758d1d97db0042dbb2688177) C:\Windows\system32\drivers\nvstor.sys
12:38:47.0095 4280 nvstor - ok
12:38:47.0173 4280 nvsvc (d122f7c5f79c68868f5dc28cefeb2ecf) C:\Windows\system32\nvvsvc.exe
12:38:47.0173 4280 nvsvc - ok
12:38:47.0251 4280 nv_agp (18bbdf913916b71bd54575bdb6eeac0b) C:\Windows\system32\drivers\nv_agp.sys
12:38:47.0251 4280 nv_agp - ok
12:38:47.0251 4280 NwlnkFlt - ok
12:38:47.0267 4280 NwlnkFwd - ok
12:38:47.0360 4280 odserv (785f487a64950f3cb8e9f16253ba3b7b) C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE
12:38:47.0360 4280 odserv - ok
12:38:47.0376 4280 ohci1394 (be32da025a0be1878f0ee8d6d9386cd5) C:\Windows\system32\drivers\ohci1394.sys
12:38:47.0376 4280 ohci1394 - ok
12:38:47.0438 4280 ose (9d10f99a6712e28f8acd5641e3a7ea6b) C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
12:38:47.0438 4280 ose - ok
12:38:47.0657 4280 osppsvc (358a9cca612c68eb2f07ddad4ce1d8d7) C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
12:38:47.0672 4280 osppsvc - ok
12:38:47.0766 4280 p2pimsvc (0c8e8e61ad1eb0b250b846712c917506) C:\Windows\system32\p2psvc.dll
12:38:47.0766 4280 p2pimsvc - ok
12:38:47.0782 4280 p2psvc (0c8e8e61ad1eb0b250b846712c917506) C:\Windows\system32\p2psvc.dll
12:38:47.0782 4280 p2psvc - ok
12:38:47.0813 4280 Parport (0fa9b5055484649d63c303fe404e5f4d) C:\Windows\system32\drivers\parport.sys
12:38:47.0813 4280 Parport - ok
12:38:47.0844 4280 partmgr (b9c2b89f08670e159f7181891e449cd9) C:\Windows\system32\drivers\partmgr.sys
12:38:47.0844 4280 partmgr - ok
12:38:47.0860 4280 Parvdm (4f9a6a8a31413180d0fcb279ad5d8112) C:\Windows\system32\drivers\parvdm.sys
12:38:47.0860 4280 Parvdm - ok
12:38:47.0875 4280 PcaSvc (c6276ad11f4bb49b58aa1ed88537f14a) C:\Windows\System32\pcasvc.dll
12:38:47.0875 4280 PcaSvc - ok
12:38:47.0891 4280 pci (941dc1d19e7e8620f40bbc206981efdb) C:\Windows\system32\drivers\pci.sys
12:38:47.0891 4280 pci - ok
12:38:47.0906 4280 pciide (1636d43f10416aeb483bc6001097b26c) C:\Windows\system32\drivers\pciide.sys
12:38:47.0906 4280 pciide - ok
12:38:47.0922 4280 pcmcia (e6f3fb1b86aa519e7698ad05e58b04e5) C:\Windows\system32\drivers\pcmcia.sys
12:38:47.0922 4280 pcmcia - ok
12:38:47.0984 4280 PEAUTH (6349f6ed9c623b44b52ea3c63c831a92) C:\Windows\system32\drivers\peauth.sys
12:38:48.0000 4280 PEAUTH - ok
12:38:48.0094 4280 pla (b1689df169143f57053f795390c99db3) C:\Windows\system32\pla.dll
12:38:48.0109 4280 pla - ok
12:38:48.0172 4280 PlugPlay (c5e7f8a996ec0a82d508fd9064a5569e) C:\Windows\system32\umpnpmgr.dll
12:38:48.0172 4280 PlugPlay - ok
12:38:48.0203 4280 Pml Driver HPZ12 (2f4ca141a609caf5c98f6e4760ef1b9b) C:\Windows\system32\HPZipm12.dll
12:38:48.0203 4280 Pml Driver HPZ12 - ok
12:38:48.0234 4280 PNRPAutoReg (0c8e8e61ad1eb0b250b846712c917506) C:\Windows\system32\p2psvc.dll
12:38:48.0234 4280 PNRPAutoReg - ok
12:38:48.0250 4280 PNRPsvc (0c8e8e61ad1eb0b250b846712c917506) C:\Windows\system32\p2psvc.dll
12:38:48.0250 4280 PNRPsvc - ok
12:38:48.0265 4280 PolicyAgent (d0494460421a03cd5225cca0059aa146) C:\Windows\System32\ipsecsvc.dll
12:38:48.0281 4280 PolicyAgent - ok
12:38:48.0296 4280 PptpMiniport (ecfffaec0c1ecd8dbc77f39070ea1db1) C:\Windows\system32\DRIVERS\raspptp.sys
12:38:48.0296 4280 PptpMiniport - ok
12:38:48.0312 4280 Processor (2027293619dd0f047c584cf2e7df4ffd) C:\Windows\system32\drivers\processr.sys
12:38:48.0312 4280 Processor - ok
12:38:48.0328 4280 ProfSvc (0508faa222d28835310b7bfca7a77346) C:\Windows\system32\profsvc.dll
12:38:48.0328 4280 ProfSvc - ok
12:38:48.0359 4280 ProtectedStorage (a3e186b4b935905b829219502557314e) C:\Windows\system32\lsass.exe
12:38:48.0374 4280 ProtectedStorage - ok
12:38:48.0390 4280 PSched (99514faa8df93d34b5589187db3aa0ba) C:\Windows\system32\DRIVERS\pacer.sys
12:38:48.0390 4280 PSched - ok
12:38:48.0452 4280 ql2300 (0a6db55afb7820c99aa1f3a1d270f4f6) C:\Windows\system32\drivers\ql2300.sys
12:38:48.0468 4280 ql2300 - ok
12:38:48.0484 4280 ql40xx (81a7e5c076e59995d54bc1ed3a16e60b) C:\Windows\system32\drivers\ql40xx.sys
12:38:48.0484 4280 ql40xx - ok
12:38:48.0515 4280 QWAVE (e9ecae663f47e6cb43962d18ab18890f) C:\Windows\system32\qwave.dll
12:38:48.0515 4280 QWAVE - ok
12:38:48.0530 4280 QWAVEdrv (9f5e0e1926014d17486901c88eca2db7) C:\Windows\system32\drivers\qwavedrv.sys
12:38:48.0530 4280 QWAVEdrv - ok
12:38:48.0530 4280 RasAcd (147d7f9c556d259924351feb0de606c3) C:\Windows\system32\DRIVERS\rasacd.sys
12:38:48.0530 4280 RasAcd - ok
12:38:48.0546 4280 RasAuto (f6a452eb4ceadbb51c9e0ee6b3ecef0f) C:\Windows\System32\rasauto.dll
12:38:48.0546 4280 RasAuto - ok
12:38:48.0562 4280 Rasl2tp (a214adbaf4cb47dd2728859ef31f26b0) C:\Windows\system32\DRIVERS\rasl2tp.sys
12:38:48.0562 4280 Rasl2tp - ok
12:38:48.0593 4280 RasMan (75d47445d70ca6f9f894b032fbc64fcf) C:\Windows\System32\rasmans.dll
12:38:48.0593 4280 RasMan - ok
12:38:48.0608 4280 RasPppoe (509a98dd18af4375e1fc40bc175f1def) C:\Windows\system32\DRIVERS\raspppoe.sys
12:38:48.0608 4280 RasPppoe - ok
12:38:48.0624 4280 RasSstp (2005f4a1e05fa09389ac85840f0a9e4d) C:\Windows\system32\DRIVERS\rassstp.sys
12:38:48.0624 4280 RasSstp - ok
12:38:48.0640 4280 rdbss (b14c9d5b9add2f84f70570bbbfaa7935) C:\Windows\system32\DRIVERS\rdbss.sys
12:38:48.0640 4280 rdbss - ok
12:38:48.0655 4280 RDPCDD (89e59be9a564262a3fb6c4f4f1cd9899) C:\Windows\system32\DRIVERS\RDPCDD.sys
12:38:48.0655 4280 RDPCDD - ok
12:38:48.0671 4280 rdpdr (fbc0bacd9c3d7f6956853f64a66e252d) C:\Windows\system32\drivers\rdpdr.sys
12:38:48.0671 4280 rdpdr - ok
12:38:48.0671 4280 RDPENCDD (9d91fe5286f748862ecffa05f8a0710c) C:\Windows\system32\drivers\rdpencdd.sys
12:38:48.0671 4280 RDPENCDD - ok
12:38:48.0702 4280 RDPWD (79c6df8477250f5c54f7c5ae1d6b814e) C:\Windows\system32\drivers\RDPWD.sys
12:38:48.0718 4280 RDPWD - ok
12:38:48.0749 4280 RemoteAccess (bcdd6b4804d06b1f7ebf29e53a57ece9) C:\Windows\System32\mprdim.dll
12:38:48.0749 4280 RemoteAccess - ok
12:38:48.0764 4280 RemoteRegistry (9e6894ea18daff37b63e1005f83ae4ab) C:\Windows\system32\regsvc.dll
12:38:48.0764 4280 RemoteRegistry - ok
12:38:48.0780 4280 RpcLocator (5123f83cbc4349d065534eeb6bbdc42b) C:\Windows\system32\locator.exe
12:38:48.0780 4280 RpcLocator - ok
12:38:48.0811 4280 RpcSs (3b5b4d53fec14f7476ca29a20cc31ac9) C:\Windows\system32\rpcss.dll
12:38:48.0811 4280 RpcSs - ok
12:38:48.0811 4280 rspndr (9c508f4074a39e8b4b31d27198146fad) C:\Windows\system32\DRIVERS\rspndr.sys
12:38:48.0811 4280 rspndr - ok
12:38:48.0827 4280 SamSs (a3e186b4b935905b829219502557314e) C:\Windows\system32\lsass.exe
12:38:48.0827 4280 SamSs - ok
12:38:48.0889 4280 SASDIFSV (39763504067962108505bff25f024345) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
12:38:48.0889 4280 SASDIFSV - ok
12:38:48.0920 4280 SASKUTIL (77b9fc20084b48408ad3e87570eb4a85) C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
12:38:48.0920 4280 SASKUTIL - ok
12:38:48.0936 4280 sbp2port (3ce8f073a557e172b330109436984e30) C:\Windows\system32\drivers\sbp2port.sys
12:38:48.0936 4280 sbp2port - ok
12:38:48.0967 4280 SCardSvr (77b7a11a0c3d78d3386398fbbea1b632) C:\Windows\System32\SCardSvr.dll
12:38:48.0967 4280 SCardSvr - ok
12:38:48.0998 4280 Schedule (1a58069db21d05eb2ab58ee5753ebe8d) C:\Windows\system32\schedsvc.dll
12:38:49.0014 4280 Schedule - ok
12:38:49.0030 4280 SCPolicySvc (312ec3e37a0a1f2006534913e37b4423) C:\Windows\System32\certprop.dll
12:38:49.0030 4280 SCPolicySvc - ok
12:38:49.0045 4280 SDRSVC (716313d9f6b0529d03f726d5aaf6f191) C:\Windows\System32\SDRSVC.dll
12:38:49.0045 4280 SDRSVC - ok
12:38:49.0061 4280 secdrv (90a3935d05b494a5a39d37e71f09a677) C:\Windows\system32\drivers\secdrv.sys
12:38:49.0061 4280 secdrv - ok
12:38:49.0076 4280 seclogon (fd5199d4d8a521005e4b5ee7fe00fa9b) C:\Windows\system32\seclogon.dll
12:38:49.0076 4280 seclogon - ok
12:38:49.0108 4280 SENS (a9bbab5759771e523f55563d6cbe140f) C:\Windows\system32\sens.dll
12:38:49.0108 4280 SENS - ok
12:38:49.0123 4280 Serenum (68e44e331d46f0fb38f0863a84cd1a31) C:\Windows\system32\drivers\serenum.sys
12:38:49.0123 4280 Serenum - ok
12:38:49.0139 4280 Serial (c70d69a918b178d3c3b06339b40c2e1b) C:\Windows\system32\drivers\serial.sys
12:38:49.0139 4280 Serial - ok
12:38:49.0139 4280 sermouse (8af3d28a879bf75db53a0ee7a4289624) C:\Windows\system32\drivers\sermouse.sys
12:38:49.0139 4280 sermouse - ok
12:38:49.0154 4280 SessionEnv (d2193326f729b163125610dbf3e17d57) C:\Windows\system32\sessenv.dll
12:38:49.0154 4280 SessionEnv - ok
12:38:49.0170 4280 sffdisk (3efa810bdca87f6ecc24f9832243fe86) C:\Windows\system32\drivers\sffdisk.sys
12:38:49.0170 4280 sffdisk - ok
12:38:49.0170 4280 sffp_mmc (e95d451f7ea3e583aec75f3b3ee42dc5) C:\Windows\system32\drivers\sffp_mmc.sys
12:38:49.0170 4280 sffp_mmc - ok
12:38:49.0186 4280 sffp_sd (3d0ea348784b7ac9ea9bd9f317980979) C:\Windows\system32\drivers\sffp_sd.sys
12:38:49.0186 4280 sffp_sd - ok
12:38:49.0186 4280 sfloppy (46ed8e91793b2e6f848015445a0ac188) C:\Windows\system32\drivers\sfloppy.sys
12:38:49.0186 4280 sfloppy - ok
12:38:49.0217 4280 SharedAccess (e1499bd0ff76b1b2fbbf1af339d91165) C:\Windows\System32\ipnathlp.dll
12:38:49.0217 4280 SharedAccess - ok
12:38:49.0232 4280 ShellHWDetection (c7230fbee14437716701c15be02c27b8) C:\Windows\System32\shsvcs.dll
12:38:49.0232 4280 ShellHWDetection - ok
12:38:49.0248 4280 sisagp (1d76624a09a054f682d746b924e2dbc3) C:\Windows\system32\drivers\sisagp.sys
12:38:49.0248 4280 sisagp - ok
12:38:49.0264 4280 SiSRaid2 (43cb7aa756c7db280d01da9b676cfde2) C:\Windows\system32\drivers\sisraid2.sys
12:38:49.0264 4280 SiSRaid2 - ok
12:38:49.0279 4280 SiSRaid4 (a99c6c8b0baa970d8aa59ddc50b57f94) C:\Windows\system32\drivers\sisraid4.sys
12:38:49.0279 4280 SiSRaid4 - ok
12:38:49.0420 4280 slsvc (862bb4cbc05d80c5b45be430e5ef872f) C:\Windows\system32\SLsvc.exe
12:38:49.0435 4280 slsvc - ok
12:38:49.0513 4280 SLUINotify (6edc422215cd78aa8a9cde6b30abbd35) C:\Windows\system32\SLUINotify.dll
12:38:49.0513 4280 SLUINotify - ok
12:38:49.0591 4280 Smb (7b75299a4d201d6a6533603d6914ab04) C:\Windows\system32\DRIVERS\smb.sys
12:38:49.0669 4280 Smb - ok
12:38:49.0669 4280 SNMPTRAP (2a146a055b4401c16ee62d18b8e2a032) C:\Windows\System32\snmptrap.exe
12:38:49.0669 4280 SNMPTRAP - ok
12:38:49.0685 4280 spldr (7aebdeef071fe28b0eef2cdd69102bff) C:\Windows\system32\drivers\spldr.sys
12:38:49.0685 4280 spldr - ok
12:38:49.0716 4280 Spooler (8554097e5136c3bf9f69fe578a1b35f4) C:\Windows\System32\spoolsv.exe
12:38:49.0716 4280 Spooler - ok
12:38:49.0778 4280 srv (41987f9fc0e61adf54f581e15029ad91) C:\Windows\system32\DRIVERS\srv.sys
12:38:49.0778 4280 srv - ok
12:38:49.0810 4280 srv2 (ff33aff99564b1aa534f58868cbe41ef) C:\Windows\system32\DRIVERS\srv2.sys
12:38:49.0810 4280 srv2 - ok
12:38:49.0841 4280 srvnet (7605c0e1d01a08f3ecd743f38b834a44) C:\Windows\system32\DRIVERS\srvnet.sys
12:38:49.0841 4280 srvnet - ok
12:38:49.0872 4280 SSDPSRV (03d50b37234967433a5ea5ba72bc0b62) C:\Windows\System32\ssdpsrv.dll
12:38:49.0872 4280 SSDPSRV - ok
12:38:49.0903 4280 SstpSvc (6f1a32e7b7b30f004d9a20afadb14944) C:\Windows\system32\sstpsvc.dll
12:38:49.0903 4280 SstpSvc - ok
12:38:50.0012 4280 Stereo Service (9e1222c417291bc836210743624a8e5e) C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
12:38:50.0012 4280 Stereo Service - ok
12:38:50.0075 4280 stisvc (5de7d67e49b88f5f07f3e53c4b92a352) C:\Windows\System32\wiaservc.dll
12:38:50.0075 4280 stisvc - ok
12:38:50.0122 4280 swenum (7ba58ecf0c0a9a69d44b3dca62becf56) C:\Windows\system32\DRIVERS\swenum.sys
12:38:50.0122 4280 swenum - ok
12:38:50.0153 4280 swprv (f21fd248040681cca1fb6c9a03aaa93d) C:\Windows\System32\swprv.dll
12:38:50.0153 4280 swprv - ok
12:38:50.0200 4280 Symc8xx (192aa3ac01df071b541094f251deed10) C:\Windows\system32\drivers\symc8xx.sys
12:38:50.0200 4280 Symc8xx - ok
12:38:50.0231 4280 Sym_hi (8c8eb8c76736ebaf3b13b633b2e64125) C:\Windows\system32\drivers\sym_hi.sys
12:38:50.0231 4280 Sym_hi - ok
12:38:50.0231 4280 Sym_u3 (8072af52b5fd103bbba387a1e49f62cb) C:\Windows\system32\drivers\sym_u3.sys
12:38:50.0231 4280 Sym_u3 - ok
12:38:50.0293 4280 SysMain (9a51b04e9886aa4ee90093586b0ba88d) C:\Windows\system32\sysmain.dll
12:38:50.0293 4280 SysMain - ok
12:38:50.0309 4280 TabletInputService (2dca225eae15f42c0933e998ee0231c3) C:\Windows\System32\TabSvc.dll
12:38:50.0309 4280 TabletInputService - ok
12:38:50.0356 4280 TapiSrv (d7673e4b38ce21ee54c59eeeb65e2483) C:\Windows\System32\tapisrv.dll
12:38:50.0356 4280 TapiSrv - ok
12:38:50.0371 4280 TBS (cb05822cd9cc6c688168e113c603dbe7) C:\Windows\System32\tbssvc.dll
12:38:50.0371 4280 TBS - ok
12:38:50.0480 4280 Tcpip (27d470dabc77bc60d0a3b0e4deb6cb91) C:\Windows\system32\drivers\tcpip.sys
12:38:50.0480 4280 Tcpip - ok
12:38:50.0496 4280 Tcpip6 (27d470dabc77bc60d0a3b0e4deb6cb91) C:\Windows\system32\DRIVERS\tcpip.sys
12:38:50.0496 4280 Tcpip6 - ok
12:38:50.0543 4280 tcpipreg (608c345a255d82a6289c2d468eb41fd7) C:\Windows\system32\drivers\tcpipreg.sys
12:38:50.0543 4280 tcpipreg - ok
12:38:50.0574 4280 TDPIPE (5dcf5e267be67a1ae926f2df77fbcc56) C:\Windows\system32\drivers\tdpipe.sys
12:38:50.0574 4280 TDPIPE - ok
12:38:50.0590 4280 TDTCP (389c63e32b3cefed425b61ed92d3f021) C:\Windows\system32\drivers\tdtcp.sys
12:38:50.0590 4280 TDTCP - ok
12:38:50.0605 4280 tdx (76b06eb8a01fc8624d699e7045303e54) C:\Windows\system32\DRIVERS\tdx.sys
12:38:50.0605 4280 tdx - ok
12:38:50.0636 4280 TermDD (3cad38910468eab9a6479e2f01db43c7) C:\Windows\system32\DRIVERS\termdd.sys
12:38:50.0636 4280 TermDD - ok
12:38:50.0668 4280 TermService (bb95da09bef6e7a131bff3ba5032090d) C:\Windows\System32\termsrv.dll
12:38:50.0668 4280 TermService - ok
12:38:50.0699 4280 Themes (c7230fbee14437716701c15be02c27b8) C:\Windows\system32\shsvcs.dll
12:38:50.0699 4280 Themes - ok
12:38:50.0730 4280 THREADORDER (1076ffcffaae8385fd62dfcb25ac4708) C:\Windows\system32\mmcss.dll
12:38:50.0730 4280 THREADORDER - ok
12:38:50.0746 4280 TrkWks (ec74e77d0eb004bd3a809b5f8fb8c2ce) C:\Windows\System32\trkwks.dll
12:38:50.0746 4280 TrkWks - ok
12:38:50.0777 4280 TrustedInstaller (97d9d6a04e3ad9b6c626b9931db78dba) C:\Windows\servicing\TrustedInstaller.exe
12:38:50.0777 4280 TrustedInstaller - ok
12:38:50.0792 4280 tssecsrv (dcf0f056a2e4f52287264f5ab29cf206) C:\Windows\system32\DRIVERS\tssecsrv.sys
12:38:50.0792 4280 tssecsrv - ok
12:38:50.0792 4280 tunmp (caecc0120ac49e3d2f758b9169872d38) C:\Windows\system32\DRIVERS\tunmp.sys
12:38:50.0792 4280 tunmp - ok
12:38:50.0808 4280 tunnel (300db877ac094feab0be7688c3454a9c) C:\Windows\system32\DRIVERS\tunnel.sys
12:38:50.0808 4280 tunnel - ok
12:38:50.0839 4280 uagp35 (7d33c4db2ce363c8518d2dfcf533941f) C:\Windows\system32\drivers\uagp35.sys
12:38:50.0839 4280 uagp35 - ok
12:38:50.0855 4280 udfs (d9728af68c4c7693cb100b8441cbdec6) C:\Windows\system32\DRIVERS\udfs.sys
12:38:50.0870 4280 udfs - ok
12:38:50.0917 4280 UI0Detect (ecef404f62863755951e09c802c94ad5) C:\Windows\system32\UI0Detect.exe
12:38:50.0917 4280 UI0Detect - ok
12:38:50.0933 4280 uliagpkx (b0acfdc9e4af279e9116c03e014b2b27) C:\Windows\system32\drivers\uliagpkx.sys
12:38:50.0933 4280 uliagpkx - ok
12:38:50.0964 4280 uliahci (9224bb254f591de4ca8d572a5f0d635c) C:\Windows\system32\drivers\uliahci.sys
12:38:50.0964 4280 uliahci - ok
12:38:50.0995 4280 UlSata (8514d0e5cd0534467c5fc61be94a569f) C:\Windows\system32\drivers\ulsata.sys
12:38:50.0995 4280 UlSata - ok
12:38:51.0011 4280 ulsata2 (38c3c6e62b157a6bc46594fada45c62b) C:\Windows\system32\drivers\ulsata2.sys
12:38:51.0011 4280 ulsata2 - ok
12:38:51.0026 4280 umbus (32cff9f809ae9aed85464492bf3e32d2) C:\Windows\system32\DRIVERS\umbus.sys
12:38:51.0026 4280 umbus - ok
12:38:51.0042 4280 upnphost (68308183f4ae0be7bf8ecd07cb297999) C:\Windows\System32\upnphost.dll
12:38:51.0042 4280 upnphost - ok
12:38:51.0120 4280 usbaudio (32db9517628ff0d070682aab61e688f0) C:\Windows\system32\drivers\usbaudio.sys
12:38:51.0120 4280 usbaudio - ok
12:38:51.0136 4280 usbccgp (caf811ae4c147ffcd5b51750c7f09142) C:\Windows\system32\DRIVERS\usbccgp.sys
12:38:51.0136 4280 usbccgp - ok
12:38:51.0167 4280 usbcir (e9476e6c486e76bc4898074768fb7131) C:\Windows\system32\drivers\usbcir.sys
12:38:51.0167 4280 usbcir - ok
12:38:51.0198 4280 usbehci (79e96c23a97ce7b8f14d310da2db0c9b) C:\Windows\system32\DRIVERS\usbehci.sys
12:38:51.0198 4280 usbehci - ok
12:38:51.0198 4280 usbhub (4673bbcb006af60e7abddbe7a130ba42) C:\Windows\system32\DRIVERS\usbhub.sys
12:38:51.0214 4280 usbhub - ok
12:38:51.0229 4280 usbohci (38dbc7dd6cc5a72011f187425384388b) C:\Windows\system32\drivers\usbohci.sys
12:38:51.0229 4280 usbohci - ok
12:38:51.0245 4280 usbprint (b51e52acf758be00ef3a58ea452fe360) C:\Windows\system32\drivers\usbprint.sys
12:38:51.0245 4280 usbprint - ok
12:38:51.0260 4280 USBSTOR (be3da31c191bc222d9ad503c5224f2ad) C:\Windows\system32\DRIVERS\USBSTOR.SYS
12:38:51.0260 4280 USBSTOR - ok
12:38:51.0276 4280 usbuhci (814d653efc4d48be3b04a307eceff56f) C:\Windows\system32\DRIVERS\usbuhci.sys
12:38:51.0276 4280 usbuhci - ok
12:38:51.0323 4280 usbvideo (e67998e8f14cb0627a769f6530bcb352) C:\Windows\system32\Drivers\usbvideo.sys
12:38:51.0323 4280 usbvideo - ok
12:38:51.0338 4280 UxSms (1509e705f3ac1d474c92454a5c2dd81f) C:\Windows\System32\uxsms.dll
12:38:51.0354 4280 UxSms - ok
12:38:51.0370 4280 vds (cd88d1b7776dc17a119049742ec07eb4) C:\Windows\System32\vds.exe
12:38:51.0370 4280 vds - ok
12:38:51.0416 4280 vga (87b06e1f30b749a114f74622d013f8d4) C:\Windows\system32\DRIVERS\vgapnp.sys
12:38:51.0416 4280 vga - ok
12:38:51.0432 4280 VgaSave (2e93ac0a1d8c79d019db6c51f036636c) C:\Windows\System32\drivers\vga.sys
12:38:51.0432 4280 VgaSave - ok
12:38:51.0432 4280 viaagp (5d7159def58a800d5781ba3a879627bc) C:\Windows\system32\drivers\viaagp.sys
12:38:51.0432 4280 viaagp - ok
12:38:51.0448 4280 ViaC7 (c4f3a691b5bad343e6249bd8c2d45dee) C:\Windows\system32\drivers\viac7.sys
12:38:51.0448 4280 ViaC7 - ok
12:38:51.0479 4280 viaide (aadf5587a4063f52c2c3fed7887426fc) C:\Windows\system32\drivers\viaide.sys
12:38:51.0479 4280 viaide - ok
12:38:51.0479 4280 volmgr (69503668ac66c77c6cd7af86fbdf8c43) C:\Windows\system32\drivers\volmgr.sys
12:38:51.0479 4280 volmgr - ok
12:38:51.0510 4280 volmgrx (23e41b834759917bfd6b9a0d625d0c28) C:\Windows\system32\drivers\volmgrx.sys
12:38:51.0510 4280 volmgrx - ok
12:38:51.0572 4280 volsnap (147281c01fcb1df9252de2a10d5e7093) C:\Windows\system32\drivers\volsnap.sys
12:38:51.0572 4280 volsnap - ok
12:38:51.0588 4280 vsmraid (587253e09325e6bf226b299774b728a9) C:\Windows\system32\drivers\vsmraid.sys
12:38:51.0588 4280 vsmraid - ok
12:38:51.0650 4280 VSS (db3d19f850c6eb32bdcb9bc0836acddb) C:\Windows\system32\vssvc.exe
12:38:51.0650 4280 VSS - ok
12:38:51.0806 4280 vToolbarUpdater11.0.2 (56e1e4442e4613fb2039a6b7421f4e58) C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\11.0.2\ToolbarUpdater.exe
12:38:51.0806 4280 vToolbarUpdater11.0.2 - ok
12:38:51.0900 4280 W32Time (96ea68b9eb310a69c25ebb0282b2b9de) C:\Windows\system32\w32time.dll
12:38:51.0900 4280 W32Time - ok
12:38:51.0916 4280 WacomPen (48dfee8f1af7c8235d4e626f0c4fe031) C:\Windows\system32\drivers\wacompen.sys
12:38:51.0916 4280 WacomPen - ok
12:38:51.0947 4280 Wanarp (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys
12:38:51.0947 4280 Wanarp - ok
12:38:51.0947 4280 Wanarpv6 (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys
12:38:51.0947 4280 Wanarpv6 - ok
12:38:51.0978 4280 wcncsvc (a3cd60fd826381b49f03832590e069af) C:\Windows\System32\wcncsvc.dll
12:38:51.0978 4280 wcncsvc - ok
12:38:52.0009 4280 WcsPlugInService (11bcb7afcdd7aadacb5746f544d3a9c7) C:\Windows\System32\WcsPlugInService.dll
12:38:52.0009 4280 WcsPlugInService - ok
12:38:52.0025 4280 Wd (78fe9542363f297b18c027b2d7e7c07f) C:\Windows\system32\drivers\wd.sys
12:38:52.0025 4280 Wd - ok
12:38:52.0040 4280 Wdf01000 (b6f0a7ad6d4bd325fbcd8bac96cd8d96) C:\Windows\system32\drivers\Wdf01000.sys
12:38:52.0040 4280 Wdf01000 - ok
12:38:52.0103 4280 WdiServiceHost (abfc76b48bb6c96e3338d8943c5d93b5) C:\Windows\system32\wdi.dll
12:38:52.0118 4280 WdiServiceHost - ok
12:38:52.0118 4280 WdiSystemHost (abfc76b48bb6c96e3338d8943c5d93b5) C:\Windows\system32\wdi.dll
12:38:52.0118 4280 WdiSystemHost - ok
12:38:52.0150 4280 WebClient (04c37d8107320312fbae09926103d5e2) C:\Windows\System32\webclnt.dll
12:38:52.0150 4280 WebClient - ok
12:38:52.0181 4280 Wecsvc (ae3736e7e8892241c23e4ebbb7453b60) C:\Windows\system32\wecsvc.dll
12:38:52.0181 4280 Wecsvc - ok
12:38:52.0196 4280 wercplsupport (670ff720071ed741206d69bd995ea453) C:\Windows\System32\wercplsupport.dll
12:38:52.0196 4280 wercplsupport - ok
12:38:52.0228 4280 WerSvc (32b88481d3b326da6deb07b1d03481e7) C:\Windows\System32\WerSvc.dll
12:38:52.0228 4280 WerSvc - ok
12:38:52.0290 4280 WinDefend (4575aa12561c5648483403541d0d7f2b) C:\Program Files\Windows Defender\mpsvc.dll
12:38:52.0306 4280 WinDefend - ok
12:38:52.0306 4280 WinHttpAutoProxySvc - ok
12:38:52.0462 4280 Winmgmt (6b2a1d0e80110e3d04e6863c6e62fd8a) C:\Windows\system32\wbem\WMIsvc.dll
12:38:52.0462 4280 Winmgmt - ok
12:38:52.0571 4280 WinRM (7cfe68bdc065e55aa5e8421607037511) C:\Windows\system32\WsmSvc.dll
12:38:52.0571 4280 WinRM - ok
12:38:52.0633 4280 Wlansvc (c008405e4feeb069e30da1d823910234) C:\Windows\System32\wlansvc.dll
12:38:52.0633 4280 Wlansvc - ok
12:38:52.0680 4280 WmiAcpi (2e7255d172df0b8283cdfb7b433b864e) C:\Windows\system32\drivers\wmiacpi.sys
12:38:52.0680 4280 WmiAcpi - ok
12:38:52.0711 4280 wmiApSrv (43be3875207dcb62a85c8c49970b66cc) C:\Windows\system32\wbem\WmiApSrv.exe
12:38:52.0711 4280 wmiApSrv - ok
12:38:52.0820 4280 WMPNetworkSvc (3978704576a121a9204f8cc49a301a9b) C:\Program Files\Windows Media Player\wmpnetwk.exe
12:38:52.0820 4280 WMPNetworkSvc - ok
12:38:52.0836 4280 WPCSvc (cfc5a04558f5070cee3e3a7809f3ff52) C:\Windows\System32\wpcsvc.dll
12:38:52.0836 4280 WPCSvc - ok
12:38:52.0852 4280 WPDBusEnum (801fbdb89d472b3c467eb112a0fc9246) C:\Windows\system32\wpdbusenum.dll
12:38:52.0867 4280 WPDBusEnum - ok
12:38:52.0914 4280 WpdUsb (de9d36f91a4df3d911626643debf11ea) C:\Windows\system32\DRIVERS\wpdusb.sys
12:38:52.0914 4280 WpdUsb - ok
12:38:53.0023 4280 WPFFontCache_v0400 (dcf3e3edf5109ee8bc02fe6e1f045795) C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe
12:38:53.0039 4280 WPFFontCache_v0400 - ok
12:38:53.0054 4280 ws2ifsl (e3a3cb253c0ec2494d4a61f5e43a389c) C:\Windows\system32\drivers\ws2ifsl.sys
12:38:53.0054 4280 ws2ifsl - ok
12:38:53.0070 4280 wscsvc (1ca6c40261ddc0425987980d0cd2aaab) C:\Windows\system32\wscsvc.dll
12:38:53.0086 4280 wscsvc - ok
12:38:53.0101 4280 WSDPrintDevice (4422ac5ed8d4c2f0db63e71d4c069dd7) C:\Windows\system32\DRIVERS\WSDPrint.sys
12:38:53.0101 4280 WSDPrintDevice - ok
12:38:53.0101 4280 WSearch - ok
12:38:53.0257 4280 wuauserv (6298277b73c77fa99106b271a7525163) C:\Windows\system32\wuaueng.dll
12:38:53.0273 4280 wuauserv - ok
12:38:53.0398 4280 WUDFRd (ac13cb789d93412106b0fb6c7eb2bcb6) C:\Windows\system32\DRIVERS\WUDFRd.sys
12:38:53.0398 4280 WUDFRd - ok
12:38:53.0429 4280 wudfsvc (575a4190d989f64732119e4114045a4f) C:\Windows\System32\WUDFSvc.dll
12:38:53.0429 4280 wudfsvc - ok
12:38:53.0460 4280 MBR (0x1B8) (5c616939100b85e558da92b899a0fc36) \Device\Harddisk0\DR0
12:38:53.0678 4280 \Device\Harddisk0\DR0 - ok
12:38:53.0678 4280 Boot (0x1200) (ff970f8d40880359c2033875734d1f9a) \Device\Harddisk0\DR0\Partition0
12:38:53.0678 4280 \Device\Harddisk0\DR0\Partition0 - ok
12:38:53.0678 4280 ============================================================
12:38:53.0678 4280 Scan finished
12:38:53.0678 4280 ============================================================
12:38:53.0694 4292 Detected object count: 0
12:38:53.0694 4292 Actual detected object count: 0

#6 gringo_pr

gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • PipPipPipPipPipPip
  • 122,845 posts
  • Gender:Male
  • Location:Puerto rico

Posted 20 May 2012 - 01:14 PM

Greetings

Start Internet Explorer.
On the Tools menu, click Internet Options.
Click the Programs tab.
In the E-mail box , click the program you want.
Click OK.


:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

Save it to your desktop as CFScript.txt

Refering to the picture above, drag CFScript.txt into ComboFix.exe
Posted Image
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Note 2: If you recieve an error "Illegal operation attempted on a registery key that has been marked for deletion." Please restart the computer

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

#7 Irkd

Irkd

    New Member

  • Members
  • Pip
  • 8 posts

Posted 20 May 2012 - 07:02 PM

Gringo:

Thank you again. I did not understand your last instructions and I could not find to download the program CFScript from.

I did not understand the part of your instructions that are in bold.

Start Internet Explorer.
On the Tools menu, click Internet Options.
Click the Programs tab.
In the E-mail box , click the program you want.
Click OK.

I have attached a picture of what I see. By "click the program you want", do you mean to select Outlook as the default program in Internet Explorer?

Also, I'd be grateful if you could let me know where I could DL CFScript from. I didn't see in the location with all the other downloads.

Thank you so much for all of your help.

#8 gringo_pr

gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • PipPipPipPipPipPip
  • 122,845 posts
  • Gender:Male
  • Location:Puerto rico

Posted 20 May 2012 - 10:57 PM

Greetings


I have attached a picture of what I see. By "click the program you want", do you mean to select Outlook as the default program in Internet Explorer?
Yes

Also, I'd be grateful if you could let me know where I could DL CFScript from. I didn't see in the location with all the other downloads.

you don't download it - you have to make it

start where it says open notepad..


gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

#9 Irkd

Irkd

    New Member

  • Members
  • Pip
  • 8 posts

Posted 21 May 2012 - 07:54 AM

Gringo: Thank you and sorry for being a newb. I ran ComboFix again and the log is below.

I'm not seeing google redirects any more. It looks like Outlook has been reset. When I click on it, it's going into the setup wizard. I'm guessing that the combofix run I just did reset it. Please let me know if it's OK to reconfigure Outlook for my child's aol.com e-mail account. And thank you for all of your help again.



Here's the log:

ComboFix 12-05-20.10 - Keir 05/21/2012 8:33.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3325.2387 [GMT -4:00]
Running from: c:\users\Mr. C\Desktop\ComboFix.exe
Command switches used :: c:\users\Mr. C\Desktop\CFScript.txt
AV: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {5A2746B1-DEE9-F85A-FBCD-ADB11639C5F0}
SP: AVG Anti-Virus Free Edition 2012 *Disabled/Updated* {E146A755-F8D3-F7D4-C17D-96C36DBE8F4D}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\wbem\Performance\WmiApRpl_new.ini
.
.
((((((((((((((((((((((((( Files Created from 2012-04-21 to 2012-05-21 )))))))))))))))))))))))))))))))
.
.
2012-05-21 12:37 . 2012-05-21 12:37 -------- d-----w- c:\users\Keir\AppData\Local\temp
2012-05-21 12:37 . 2012-05-21 12:37 -------- d-----w- c:\users\Mr. C\AppData\Local\temp
2012-05-21 12:37 . 2012-05-21 12:37 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-05-19 16:19 . 2012-05-19 16:19 -------- d-----w- c:\program files\Cobian Backup 11
2012-05-19 05:03 . 2012-05-15 05:43 6737808 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{E5624AFE-3097-4C08-81C7-FD4A8515E32B}\mpengine.dll
2012-05-19 05:03 . 2012-02-23 14:18 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-05-19 04:55 . 2012-05-19 04:55 -------- d-----w- C:\TDSSKiller_Quarantine
2012-05-19 03:28 . 2012-05-19 03:28 -------- d-----w- c:\users\Mr. C\AppData\Roaming\SUPERAntiSpyware.com
2012-05-19 03:28 . 2012-05-19 03:28 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-05-19 03:28 . 2012-05-19 03:28 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2012-05-10 20:08 . 2012-04-03 08:16 3602816 ----a-w- c:\windows\system32\ntkrnlpa.exe
2012-05-10 20:08 . 2012-04-03 08:16 3550080 ----a-w- c:\windows\system32\ntoskrnl.exe
2012-05-10 20:08 . 2012-04-02 13:36 2044928 ----a-w- c:\windows\system32\win32k.sys
2012-05-05 14:01 . 2012-05-05 14:01 -------- d-----w- c:\users\Keir\AppData\Local\AVG Secure Search
2012-04-30 14:46 . 2012-04-30 14:46 -------- d-----w- c:\users\Mr. C\AppData\Local\AVG Secure Search
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-04-19 08:50 . 2012-04-19 08:50 24896 ----a-w- c:\windows\system32\drivers\avgidshx.sys
2012-03-19 09:17 . 2012-03-19 09:17 301248 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2012-03-09 06:26 . 2012-03-09 06:26 9183232 ----a-w- c:\windows\system32\drivers\atikmdag.sys
2012-03-09 05:26 . 2012-03-09 05:26 64512 ----a-w- c:\windows\system32\OpenVideo.dll
2012-03-09 05:26 . 2012-03-09 05:26 54784 ----a-w- c:\windows\system32\OVDecode.dll
2012-03-09 05:25 . 2012-03-09 05:25 13238272 ----a-w- c:\windows\system32\amdocl.dll
2012-03-09 05:24 . 2012-03-09 05:24 48128 ----a-w- c:\windows\system32\OpenCL.dll
2012-03-09 05:16 . 2012-03-09 05:16 159744 ----a-w- c:\windows\system32\atiapfxx.exe
2012-03-09 05:16 . 2012-03-09 05:16 791552 ----a-w- c:\windows\system32\aticfx32.dll
2012-03-09 05:11 . 2012-03-09 05:11 442368 ----a-w- c:\windows\system32\ATIDEMGX.dll
2012-03-09 05:10 . 2012-03-09 05:10 405504 ----a-w- c:\windows\system32\atieclxx.exe
2012-03-09 05:10 . 2012-03-09 05:10 163328 ----a-w- c:\windows\system32\atiesrxx.exe
2012-03-09 05:08 . 2012-03-09 05:08 159744 ----a-w- c:\windows\system32\atitmmxx.dll
2012-03-09 05:07 . 2012-03-09 05:07 20992 ----a-w- c:\windows\system32\atimuixx.dll
2012-03-09 05:07 . 2012-03-09 05:07 43520 ----a-w- c:\windows\system32\ati2edxx.dll
2012-03-09 05:04 . 2012-03-09 05:04 6200320 ----a-w- c:\windows\system32\atidxx32.dll
2012-03-09 04:39 . 2012-03-09 04:39 19739136 ----a-w- c:\windows\system32\atioglxx.dll
2012-03-09 04:36 . 2012-03-09 04:36 1828864 ----a-w- c:\windows\system32\atiumdmv.dll
2012-03-09 04:23 . 2012-03-09 04:23 5062656 ----a-w- c:\windows\system32\atiumdva.dll
2012-03-09 04:23 . 2012-03-09 04:23 5954048 ----a-w- c:\windows\system32\atiumdag.dll
2012-03-09 04:18 . 2012-03-09 04:18 46080 ----a-w- c:\windows\system32\aticalrt.dll
2012-03-09 04:18 . 2012-03-09 04:18 44032 ----a-w- c:\windows\system32\aticalcl.dll
2012-03-09 04:12 . 2012-03-09 04:12 13715968 ----a-w- c:\windows\system32\aticaldd.dll
2012-03-09 04:05 . 2012-03-09 04:05 53760 ----a-w- c:\windows\system32\atimpc32.dll
2012-03-09 04:05 . 2012-03-09 04:05 53760 ----a-w- c:\windows\system32\amdpcom32.dll
2012-03-09 03:58 . 2012-03-09 03:58 356352 ----a-w- c:\windows\system32\atiadlxx.dll
2012-03-09 03:58 . 2012-03-09 03:58 14336 ----a-w- c:\windows\system32\atiglpxx.dll
2012-03-09 03:58 . 2012-03-09 03:58 33280 ----a-w- c:\windows\system32\atigktxx.dll
2012-03-09 03:57 . 2012-03-09 03:57 265216 ----a-w- c:\windows\system32\drivers\atikmpag.sys
2012-03-09 03:56 . 2012-03-09 03:56 33280 ----a-w- c:\windows\system32\atiuxpag.dll
2012-03-09 03:56 . 2012-03-09 03:56 30208 ----a-w- c:\windows\system32\atiu9pag.dll
2012-03-09 03:56 . 2012-03-09 03:56 37376 ----a-w- c:\windows\system32\atitmpxx.dll
2012-03-09 03:55 . 2012-03-09 03:55 53248 ----a-w- c:\windows\system32\drivers\ati2erec.dll
2012-03-09 03:47 . 2012-03-09 03:47 51200 ----a-w- c:\windows\system32\coinst.dll
2012-02-29 15:11 . 2012-04-11 19:34 5120 ----a-w- c:\windows\system32\wmi.dll
2012-02-29 15:11 . 2012-04-11 19:34 172032 ----a-w- c:\windows\system32\wintrust.dll
2012-02-29 15:09 . 2012-04-11 19:34 157696 ----a-w- c:\windows\system32\imagehlp.dll
2012-02-29 13:32 . 2012-04-11 19:34 12800 ----a-w- c:\windows\system32\drivers\fs_rec.sys
2012-02-28 01:18 . 2012-04-11 19:35 1799168 ----a-w- c:\windows\system32\jscript9.dll
2012-02-28 01:11 . 2012-04-11 19:35 1427456 ----a-w- c:\windows\system32\inetcpl.cpl
2012-02-28 01:11 . 2012-04-11 19:35 1127424 ----a-w- c:\windows\system32\wininet.dll
2012-02-28 01:03 . 2012-04-11 19:35 2382848 ----a-w- c:\windows\system32\mshtml.tlb
2012-02-22 09:25 . 2012-02-22 09:25 235216 ----a-w- c:\windows\system32\drivers\avgldx86.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}]
2012-04-29 16:06 2067328 ----a-w- c:\program files\AVG Secure Search\11.0.0.9\AVG Secure Search_toolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{95B7759C-8C7F-4BF1-B163-73684A933233}"= "c:\program files\AVG Secure Search\11.0.0.9\AVG Secure Search_toolbar.dll" [2012-04-29 2067328]
.
[HKEY_CLASSES_ROOT\clsid\{95b7759c-8c7f-4bf1-b163-73684a933233}]
[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj.1]
[HKEY_CLASSES_ROOT\AVG Secure Search.PugiObj]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG_TRAY"="c:\program files\AVG\AVG2012\avgtray.exe" [2012-04-05 2587008]
"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"vProt"="c:\program files\AVG Secure Search\vprot.exe" [2012-04-29 1116544]
"ROC_roc_dec12"="c:\program files\AVG Secure Search\ROC_roc_dec12.exe" [2012-01-16 928096]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2012-03-09 636032]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2012-03-27 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"*WerKernelReporting"="c:\windows\SYSTEM32\WerFault.exe" [2009-04-11 217088]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0c:\progra~1\AVG\AVG2012\avgrsx.exe /sync /restart
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKLM\~\startupfolder\C:^Users^Keir^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OpenOffice.org 3.1.lnk]
path=c:\users\Keir\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OpenOffice.org 3.1.lnk
backup=c:\windows\pss\OpenOffice.org 3.1.lnk.Startup
backupExtension=.Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-01-02 14:07 843712 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2012-03-27 12:41 37296 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RtHDVCpl]
2007-11-12 18:56 4706304 ----a-w- c:\windows\RtHDVCpl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2011-04-08 16:59 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [2011-08-11 116608]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: {{68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - c:\program files\AVG\AVG2012\avgdtiex.dll
TCP: DhcpNameServer = 192.168.1.1 68.237.161.12
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\Common Files\AVG Secure Search\ViProtocolInstaller\11.0.2\ViProtocol.dll
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-05-21 08:37
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\Approved Extensions]
@Denied: (2) (LocalSystem)
"{95B7759C-8C7F-4BF1-B163-73684A933233}"=hex:51,66,7a,6c,4c,1d,38,12,f2,76,a4,
91,4d,c2,9f,0e,ce,75,30,28,4f,cd,76,27
"{18DF081C-E8AD-4283-A596-FA578C2EBDC3}"=hex:51,66,7a,6c,4c,1d,38,12,72,0b,cc,
1c,9f,a6,ed,07,da,80,b9,17,89,70,f9,d7
"{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}"=hex:51,66,7a,6c,4c,1d,38,12,7c,f0,b1,
38,5c,21,3d,0e,d9,78,0d,25,e1,c9,8c,d4
"{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}"=hex:51,66,7a,6c,4c,1d,38,12,07,5b,93,
aa,6e,60,ba,0b,f0,6d,b2,b7,80,44,00,83
"{B4F3A835-0E21-4959-BA22-42B3008E02FF}"=hex:51,66,7a,6c,4c,1d,38,12,5b,ab,e0,
b0,13,40,37,0c,c5,34,01,f3,05,d0,46,eb
"{DBC80044-A445-435B-BC74-9C25C1C588A9}"=hex:51,66,7a,6c,4c,1d,38,12,2a,03,db,
df,77,ea,35,06,c3,62,df,65,c4,9b,cc,bd
"{FF059E31-CC5A-4E2E-BF3B-96E929D65503}"=hex:51,66,7a,6c,4c,1d,38,12,5f,9d,16,
fb,68,82,40,0b,c0,2d,d5,a9,2c,88,11,17
"{BDEADE7F-C265-11D0-BCED-00A0C90AB50F}"=hex:51,66,7a,6c,4c,1d,38,12,11,dd,f9,
b9,57,8c,be,54,c3,fb,43,e0,cc,54,f1,1b
.
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
@Denied: (2) (LocalSystem)
"Timestamp"=hex:26,b1,61,1d,22,26,cd,01
.
Completion time: 2012-05-21 08:38:24
ComboFix-quarantined-files.txt 2012-05-21 12:38
ComboFix2.txt 2012-05-20 02:02
ComboFix3.txt 2012-05-19 04:49
.
Pre-Run: 354,093,924,352 bytes free
Post-Run: 354,205,368,320 bytes free
.
- - End Of File - - 456FCA8527BF92226CC9455F9EF5AF7F

#10 gringo_pr

gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • PipPipPipPipPipPip
  • 122,845 posts
  • Gender:Male
  • Location:Puerto rico

Posted 21 May 2012 - 01:02 PM

Greetings

Please let me know if it's OK to reconfigure Outlook for my child's aol.com e-mail account. - yes i think now would be a good time to do this.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps..

uninstall some programs

NOTE** Because of the cleanup process some of the programs I have listed may not be in add/remove anymore this is fine just move to the next item on the list.

You can remove these programs using add/remove or you can use the free uninstaller from Revo (it does allot better of a job

Programs to remove

Adobe Reader 9.5.1
Java™ 6 Update 26
 [/list]

  • Please download and install Revo Uninstaller Free
  • Double click Revo Uninstaller to run it.
  • From the list of programs double click on The Program to remove
  • When prompted if you want to uninstall click Yes.
  • Be sure the Moderate option is selected then click Next.
  • The program will run, If prompted again click Yes
  • when the built-in uninstaller is finished click on Next.
  • Once the program has searched for leftovers click Next.
  • Check/tick the bolded items only on the list then click Delete
  • when prompted click on Yes and then on next.
  • put a check on any folders that are found and select delete
  • when prompted select yes then on next
  • Once done click Finish.
.

Update Adobe Reader

Recently there have been vulnerabilities detected in older versions of Adobe Reader. It is strongly suggested that you update to the current version.

You can download it from http://www.adobe.com/products/acrobat/readstep2.html
After installing the latest Adobe Reader, uninstall all previous versions.
If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

If you don't like Adobe Reader (53 MB), you can download Foxit PDF Reader(7 MB) from here. It's a much smaller file to download and uses a lot less resources than Adobe Reader.

Note: When installing FoxitReader, be careful not to install anything to do with AskBar.
[/list]
Install Java:

Please go here to install Java

  • click on the Free Java Download Button
  • click on Agree and start Free download
  • click on Run
  • click on run again
  • click on install
  • when install is complete click on close

Clean Out Temp Files

  • This small application you may want to keep and use once a week to keep the computer clean.

    Download CCleaner from here http://www.ccleaner.com/

  • Run the installer to install the application.
  • When it gives you the option to install Yahoo toolbar uncheck the box next to it.
  • Run CCleaner. (make sure under Windows tab all the boxes of Internet Explorer and Windows explorer are checked. Under System check Empty Recycle Bin and Temporary Files. Under Application tab all the boxes should be checked).
  • Click Run Cleaner.
  • Close CCleaner.


: Malwarebytes' Anti-Malware :

  • Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
    • If you accidently close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

Download HijackThis

If you have any problems running Hijackthis see NOTE** below (Host file not read, blank notepad ...)

  • Go Here to download HijackThis Installer
  • Save HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the AnalyseThis button its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.


NOTE**
sometimes we have to run it like this To run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)<--32bit
(located: C:\Program Files(86)\Trend Micro\HiJackThis\HiJackThis.exe)<--64bit
and select to run as administrator

"information and logs"

  • In your next post I need the following

  • Log From MBAM
  • report from Hijackthis
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

#11 Irkd

Irkd

    New Member

  • Members
  • Pip
  • 8 posts

Posted 21 May 2012 - 09:41 PM

Gringo:

Thank you again for your help. Here is the MalWare log. It didn't find anything so I did not get an option to "remove selected". The HiJackThis log is also below. I'll add another reply to give a status update on the computer.


Malware Log:

Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.05.21.06

Windows Vista Service Pack 2 x86 NTFS
Internet Explorer 9.0.8112.16421
Keir :: XXXXXXXX-DESKTOP [administrator]

5/21/2012 10:12:11 PM
mbam-log-2012-05-21 (22-12-11).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 209270
Time elapsed: 3 minute(s), 30 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)


HiJackThis log:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:38:43 PM, on 5/21/2012
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v9.00 (9.00.8112.16421)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\AVG\AVG2012\avgtray.exe
C:\Program Files\AVG Secure Search\vprot.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Windows\System32\notepad.exe
C:\Windows\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10e_ActiveX.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: AVG Do Not Track - {31332EEF-CB9F-458F-AFEB-D30E9A66B6BA} - C:\Program Files\AVG\AVG2012\avgdtiex.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG2012\avgssie.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files\AVG Secure Search\11.0.0.9\AVG Secure Search_toolbar.dll
O2 - BHO: SkypeIEPluginBHO - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MICROS~2\Office14\URLREDIR.DLL
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jp2ssv.dll
O3 - Toolbar: AVG Security Toolbar - {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files\AVG Secure Search\11.0.0.9\AVG Secure Search_toolbar.dll
O4 - HKLM\..\Run: [AVG_TRAY] "C:\Program Files\AVG\AVG2012\avgtray.exe"
O4 - HKLM\..\Run: [BCSSync] "C:\Program Files\Microsoft Office\Office14\BCSSync.exe" /DelayServices
O4 - HKLM\..\Run: [vProt] "C:\Program Files\AVG Secure Search\vprot.exe"
O4 - HKLM\..\Run: [ROC_roc_dec12] "C:\Program Files\AVG Secure Search\ROC_roc_dec12.exe" /PROMPT /CMPID=roc_dec12
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: AVG Do Not Track - {68BCFFE1-A2DA-4B40-9068-87ECBFC19D16} - C:\Program Files\AVG\AVG2012\avgdtiex.dll
O9 - Extra button: Click to call with Skype - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra 'Tools' menuitem: Click to call with Skype - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG2012\avgpp.dll
O18 - Protocol: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
O18 - Protocol: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - C:\Program Files\Common Files\AVG Secure Search\ViProtocolInstaller\11.0.2\ViProtocol.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: SAS Core Service (!SASCORE) - SUPERAntiSpyware.com - C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
O23 - Service: AMD External Events Utility - AMD - C:\Windows\system32\atiesrxx.exe
O23 - Service: AVG Security Toolbar Service - Unknown owner - C:\Program Files\AVG\AVG10\Toolbar\ToolbarBroker.exe
O23 - Service: AVGIDSAgent - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
O23 - Service: AVG WatchDog (avgwd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG2012\avgwdsvc.exe
O23 - Service: Cobian Backup 11 Volume Shadow Copy Requester (cbVSCService11) - CobianSoft, Luis Cobian - C:\Program Files\Cobian Backup 11\cbVSCService11.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: NVIDIA Stereoscopic 3D Driver Service (Stereo Service) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
O23 - Service: vToolbarUpdater11.0.2 - Unknown owner - C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\11.0.2\ToolbarUpdater.exe

--
End of file - 6688 bytes

#12 gringo_pr

gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • PipPipPipPipPipPip
  • 122,845 posts
  • Gender:Male
  • Location:Puerto rico

Posted 21 May 2012 - 09:54 PM

Greetings

These logs are looking very good, we are almost done!!! Just one more scan to go.

:Remove unneeded start-up entries:

This part of the fix is purely optional
These are programs that start up when you turn on your computer but don't need to be, any of these programs you can click on their icons (or start from the control panel) and start the program when you need it. By stopping these programs you will boot up faster and your computer will work faster.

If you have any problems running Hijackthis see NOTE** below (Host file not read, blank notepad ...)

  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):

    • O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
      O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
      O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
      O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
      O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.

    NOTE**You can research each of those lines >here< and see if you want to keep them or not
    just copy the name between the brackets and paste into the search space
    O4 - HKLM\..\Run: [IntelliPoint]


NOTE**
sometimes we have to run it like this To run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)<--32bit
(located: C:\Program Files(86)\Trend Micro\HiJackThis\HiJackThis.exe)<--64bit
and select to run as administrator

Eset Online Scanner

**Note** You will need to use Internet explorer for this scan - Vista and win 7 right click on IE shortcut and run as admin

Go Eset web page to run an online scanner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • click on the ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
  • When asked, allow the ActiveX control to install
    • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options
    Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Click on copy to clipboard or copy and paste the results here in this topic

Copy and paste that log as a reply to this topic

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

#13 Irkd

Irkd

    New Member

  • Members
  • Pip
  • 8 posts

Posted 21 May 2012 - 10:20 PM

Gringo:

Thank you for your latest reply, I will follow your instructions. In the meantime, here is the update. The browser redirection has stopped. I reconfigured/reset my child's Outlook program and re-connected Outlook to my child's e-mail account. It appears to be sending e-mails but I'm getting errors when receiving and it won't open e-mails with large files attached, that is, it will try to open the e-mail but after a while it will say that it's unable to do so. I have attached a screenshot of the error message. If this is an issue that I should take up with aol, please let me know. This problem seemed to come up at the same time as the re-direct problem, so I have assumed that they were related.

I'll do the things you said in your last reply and re-post.

Thanks a ton!

Attached Files


#14 gringo_pr

gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • PipPipPipPipPipPip
  • 122,845 posts
  • Gender:Male
  • Location:Puerto rico

Posted 21 May 2012 - 10:30 PM

check these to see if it helps

http://support.microsoft.com/kb/813514#top



gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic

Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

#15 Irkd

Irkd

    New Member

  • Members
  • Pip
  • 8 posts

Posted 21 May 2012 - 11:36 PM

Gringo:

I removed the noted startup files and ran ESET Scan. The scan returned no infections and no removed files (no log was generated).

Thank you for the link to the help topic.

I'll take a look.
Back to Virus, Trojan, Spyware, and Malware Removal Logs


0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users


  1. BleepingComputer.com
  2. Security
  3. Virus, Trojan, Spyware, and Malware Removal Logs
  4. Privacy Policy
  5. Rules ·