Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

AVG Reports a Rootkit


  • This topic is locked This topic is locked
33 replies to this topic

#16 Mikeyb1

Mikeyb1
  • Topic Starter

  • Members
  • 133 posts
  • OFFLINE
  •  
  • Local time:11:46 PM

Posted 04 December 2012 - 11:29 AM

System Lookup has been scanning for 2 hours with no feedback..I'm not sure if it's working or not. I will let it run. By the way, I'm running it in safemode.

BC AdBot (Login to Remove)

 


#17 Mikeyb1

Mikeyb1
  • Topic Starter

  • Members
  • 133 posts
  • OFFLINE
  •  
  • Local time:11:46 PM

Posted 04 December 2012 - 04:32 PM

SystemLook 30.07.11 by jpshortstuff
Log created at 08:23 on 04/12/2012 by user
Administrator - Elevation successful

========== filefind ==========

Searching for "services.exe"
C:\Windows\System32\services.exe --a---- 381952 bytes [23:35 23/09/2009] [07:10 11/04/2009] B8844F93D2C5F1DCDB179AAA9AF134B7
C:\Windows\SysWOW64\services.exe --a---- 279552 bytes [23:35 23/09/2009] [06:27 11/04/2009] D4E6D91C1349B7BFB3599A6ADA56851B
C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_2b7e5beb85a67240\services.exe --a---- 384512 bytes [02:49 21/01/2008] [02:49 21/01/2008] DFAC660F0F139276CC9299812DE42719
C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_2d69d4f782c83d8c\services.exe --a---- 384512 bytes [23:35 23/09/2009] [07:10 11/04/2009] 934E0B7D77FF78C18D9F8891221B6DE3
C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_cf5fc067cd49010a\services.exe --a---- 279040 bytes [02:50 21/01/2008] [02:50 21/01/2008] 2B336AB6286D6C81FA02CBAB914E3C6C
C:\Windows\winsxs\x86_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6002.18005_none_d14b3973ca6acc56\services.exe --a---- 279552 bytes [23:35 23/09/2009] [06:27 11/04/2009] D4E6D91C1349B7BFB3599A6ADA56851B

-= EOF =-

#18 Mikeyb1

Mikeyb1
  • Topic Starter

  • Members
  • 133 posts
  • OFFLINE
  •  
  • Local time:11:46 PM

Posted 05 December 2012 - 10:03 AM

The report took many hours to complete, I hope it's what you were looking for. Thanks.

#19 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,312 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:12:46 AM

Posted 05 December 2012 - 05:51 PM

Hello

Open notepad. Please copy the contents of the code box below. To do this highlight the contents of the box and right click on it. Paste this into the open notepad. Save it on the flash drive as fixlist.txt

Replace: C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_2b7e5beb85a67240\services.exe C:\Windows\System32\services.exe
C:\Windows\assembly\GAC_32\Desktop.ini
C:\Windows\assembly\GAC_64\Desktop.ini
C:\Users\user\AppData\Local\{59661dd9-d784-c997-6fcb-04efdd7204ce}

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

On Vista or Windows 7: Now please enter System Recovery Options.

Run FRST64 and press the Fix button just once and wait.
The tool will make a log on the flash drive (Fixlog.txt) please post it to your reply.

Gringo[/b]
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic


Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#20 Mikeyb1

Mikeyb1
  • Topic Starter

  • Members
  • 133 posts
  • OFFLINE
  •  
  • Local time:11:46 PM

Posted 05 December 2012 - 06:03 PM

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 02-12-2012
Ran by SYSTEM at 2012-12-05 16:59:45 Run:1
Running from F:\

==============================================

C:\Windows\System32\services.exe moved successfully.
C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.0.6001.18000_none_2b7e5beb85a67240\services.exe copied successfully to C:\Windows\System32\services.exe
C:\Windows\assembly\GAC_32\Desktop.ini moved successfully.
C:\Windows\assembly\GAC_64\Desktop.ini moved successfully.
C:\Users\user\AppData\Local\{59661dd9-d784-c997-6fcb-04efdd7204ce} moved successfully.

==== End of Fixlog ====

#21 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,312 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:12:46 AM

Posted 05 December 2012 - 06:55 PM

tdsskiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic


Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#22 Mikeyb1

Mikeyb1
  • Topic Starter

  • Members
  • 133 posts
  • OFFLINE
  •  
  • Local time:11:46 PM

Posted 05 December 2012 - 07:10 PM

18:00:26.0171 2012 TDSS rootkit removing tool 2.8.15.0 Oct 31 2012 21:47:35
18:00:27.0965 2012 ============================================================
18:00:27.0965 2012 Current date / time: 2012/12/05 18:00:27.0965
18:00:27.0965 2012 SystemInfo:
18:00:27.0965 2012
18:00:27.0965 2012 OS Version: 6.0.6002 ServicePack: 2.0
18:00:27.0965 2012 Product type: Workstation
18:00:27.0965 2012 ComputerName: USER-PC
18:00:28.0012 2012 UserName: user
18:00:28.0012 2012 Windows directory: C:\Windows
18:00:28.0012 2012 System windows directory: C:\Windows
18:00:28.0012 2012 Running under WOW64
18:00:28.0012 2012 Processor architecture: Intel x64
18:00:28.0012 2012 Number of processors: 2
18:00:28.0012 2012 Page size: 0x1000
18:00:28.0012 2012 Boot type: Safe boot with network
18:00:28.0012 2012 ============================================================
18:00:34.0533 2012 Drive \Device\Harddisk0\DR0 - Size: 0x7470C06000 (465.76 Gb), SectorSize: 0x200, Cylinders: 0xFC59, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xF0, Type 'K0', Flags 0x00000040
18:00:34.0533 2012 Drive \Device\Harddisk1\DR1 - Size: 0x3CB00000 (0.95 Gb), SectorSize: 0x200, Cylinders: 0x7B, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'W'
18:00:34.0548 2012 ============================================================
18:00:34.0548 2012 \Device\Harddisk0\DR0:
18:00:34.0548 2012 MBR partitions:
18:00:34.0548 2012 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x389589E1
18:00:34.0548 2012 \Device\Harddisk0\DR0\Partition2: MBR, Type 0x7, StartLBA 0x38958A20, BlocksNum 0x1A2BE70
18:00:34.0548 2012 \Device\Harddisk1\DR1:
18:00:34.0548 2012 MBR partitions:
18:00:34.0548 2012 \Device\Harddisk1\DR1\Partition1: MBR, Type 0x6, StartLBA 0x81, BlocksNum 0x1DDE1F
18:00:34.0548 2012 ============================================================
18:00:34.0658 2012 C: <-> \Device\Harddisk0\DR0\Partition1
18:00:34.0829 2012 D: <-> \Device\Harddisk0\DR0\Partition2
18:00:34.0829 2012 ============================================================
18:00:34.0829 2012 Initialize success
18:00:34.0829 2012 ============================================================
18:00:37.0325 0968 ============================================================
18:00:37.0325 0968 Scan started
18:00:37.0325 0968 Mode: Manual;
18:00:37.0325 0968 ============================================================
18:00:39.0010 0968 ================ Scan system memory ========================
18:00:39.0010 0968 System memory - ok
18:00:39.0010 0968 ================ Scan services =============================
18:00:40.0383 0968 [ 1965AAFFAB07E3FB03C77F81BEBA3547 ] ACPI C:\Windows\system32\drivers\acpi.sys
18:00:40.0398 0968 ACPI - ok
18:00:40.0695 0968 [ D19C4EE2AC7C47B8F5F84FFF1A789D8A ] AdobeARMservice C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
18:00:40.0757 0968 AdobeARMservice - ok
18:00:41.0896 0968 [ 44C00A385CA9DBC1D5CF3781F8C26AEA ] AdobeFlashPlayerUpdateSvc C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
18:00:41.0974 0968 AdobeFlashPlayerUpdateSvc - ok
18:00:42.0068 0968 [ F14215E37CF124104575073F782111D2 ] adp94xx C:\Windows\system32\drivers\adp94xx.sys
18:00:42.0114 0968 adp94xx - ok
18:00:42.0192 0968 [ 7D05A75E3066861A6610F7EE04FF085C ] adpahci C:\Windows\system32\drivers\adpahci.sys
18:00:42.0270 0968 adpahci - ok
18:00:42.0286 0968 [ 820A201FE08A0C345B3BEDBC30E1A77C ] adpu160m C:\Windows\system32\drivers\adpu160m.sys
18:00:42.0317 0968 adpu160m - ok
18:00:42.0380 0968 [ 9B4AB6854559DC168FBB4C24FC52E794 ] adpu320 C:\Windows\system32\drivers\adpu320.sys
18:00:42.0411 0968 adpu320 - ok
18:00:42.0489 0968 [ 0F421175574BFE0BF2F4D8E910A253BB ] AeLookupSvc C:\Windows\System32\aelupsvc.dll
18:00:42.0489 0968 AeLookupSvc - ok
18:00:42.0614 0968 [ C4F6CE6087760AD70960C9EB130E7943 ] AFD C:\Windows\system32\drivers\afd.sys
18:00:42.0692 0968 AFD - ok
18:00:42.0785 0968 [ F6F6793B7F17B550ECFDBD3B229173F7 ] agp440 C:\Windows\system32\drivers\agp440.sys
18:00:42.0801 0968 agp440 - ok
18:00:42.0832 0968 [ 222CB641B4B8A1D1126F8033F9FD6A00 ] aic78xx C:\Windows\system32\drivers\djsvs.sys
18:00:42.0848 0968 aic78xx - ok
18:00:42.0863 0968 [ 5922F4F59B7868F3D74BBBBEB7B825A3 ] ALG C:\Windows\System32\alg.exe
18:00:42.0879 0968 ALG - ok
18:00:42.0910 0968 [ 157D0898D4B73F075CE9FA26B482DF98 ] aliide C:\Windows\system32\drivers\aliide.sys
18:00:42.0926 0968 aliide - ok
18:00:42.0941 0968 [ 970FA5059E61E30D25307B99903E991E ] amdide C:\Windows\system32\drivers\amdide.sys
18:00:42.0957 0968 amdide - ok
18:00:43.0019 0968 [ CDC3632A3A5EA4DBB83E46076A3165A1 ] AmdK8 C:\Windows\system32\drivers\amdk8.sys
18:00:43.0035 0968 AmdK8 - ok
18:00:43.0175 0968 [ 9C37B3FD5615477CB9A0CD116CF43F5C ] Appinfo C:\Windows\System32\appinfo.dll
18:00:43.0175 0968 Appinfo - ok
18:00:43.0378 0968 [ 7EF47644B74EBE721CC32211D3C35E76 ] Apple Mobile Device C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
18:00:43.0440 0968 Apple Mobile Device - ok
18:00:43.0503 0968 [ BA8417D4765F3988FF921F30F630E303 ] arc C:\Windows\system32\drivers\arc.sys
18:00:43.0518 0968 arc - ok
18:00:43.0581 0968 [ 9D41C435619733B34CC16A511E644B11 ] arcsas C:\Windows\system32\drivers\arcsas.sys
18:00:43.0596 0968 arcsas - ok
18:00:43.0643 0968 [ 22D13FF3DAFEC2A80634752B1EAA2DE6 ] AsyncMac C:\Windows\system32\DRIVERS\asyncmac.sys
18:00:43.0643 0968 AsyncMac - ok
18:00:43.0674 0968 [ E68D9B3A3905619732F7FE039466A623 ] atapi C:\Windows\system32\drivers\atapi.sys
18:00:43.0690 0968 atapi - ok
18:00:43.0815 0968 [ 79318C744693EC983D20E9337A2F8196 ] AudioEndpointBuilder C:\Windows\System32\Audiosrv.dll
18:00:43.0893 0968 AudioEndpointBuilder - ok
18:00:43.0986 0968 [ 79318C744693EC983D20E9337A2F8196 ] AudioSrv C:\Windows\System32\Audiosrv.dll
18:00:43.0986 0968 AudioSrv - ok
18:00:44.0720 0968 [ 56C73C5BC1656656CAC38A23B4310466 ] AVGIDSAgent C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe
18:00:45.0328 0968 AVGIDSAgent - ok
18:00:45.0422 0968 [ 388056EBD5FE6718FE669078DBE37897 ] AVGIDSDriver C:\Windows\system32\DRIVERS\avgidsdrivera.sys
18:00:45.0453 0968 AVGIDSDriver - ok
18:00:45.0484 0968 [ 550E981747D6A6C55078C77346FFC2C6 ] AVGIDSHA C:\Windows\system32\DRIVERS\avgidsha.sys
18:00:45.0484 0968 AVGIDSHA - ok
18:00:45.0578 0968 [ 5989592A91A17587799792A81E1541D4 ] Avgldx64 C:\Windows\system32\DRIVERS\avgldx64.sys
18:00:45.0593 0968 Avgldx64 - ok
18:00:45.0640 0968 [ 3FC43AA02545FCDDC22817829114DEC8 ] Avgloga C:\Windows\system32\DRIVERS\avgloga.sys
18:00:45.0687 0968 Avgloga - ok
18:00:45.0765 0968 [ 767B4A485FB22AA0FC0BF5EEF00572B9 ] Avgmfx64 C:\Windows\system32\DRIVERS\avgmfx64.sys
18:00:45.0812 0968 Avgmfx64 - ok
18:00:45.0843 0968 [ FE4F444DBE4BBBDFD8FECF49398DEFC7 ] Avgrkx64 C:\Windows\system32\DRIVERS\avgrkx64.sys
18:00:45.0858 0968 Avgrkx64 - ok
18:00:45.0890 0968 [ 6E634525613D48A1D1657FB21F21F3B2 ] Avgtdia C:\Windows\system32\DRIVERS\avgtdia.sys
18:00:45.0890 0968 Avgtdia - ok
18:00:45.0952 0968 [ BFD698CC6E1DE2E0D23155DECC513D2F ] avgtp C:\Windows\system32\drivers\avgtpx64.sys
18:00:45.0952 0968 avgtp - ok
18:00:46.0046 0968 [ 6B72E1E329C4E98C6B6FDD2D265E3BA3 ] avgwd C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe
18:00:46.0061 0968 avgwd - ok
18:00:46.0217 0968 [ FFB96C2589FFA60473EAD78B39FBDE29 ] BFE C:\Windows\System32\bfe.dll
18:00:46.0233 0968 BFE - ok
18:00:46.0467 0968 [ 6D316F4859634071CC25C4FD4589AD2C ] BITS C:\Windows\System32\qmgr.dll
18:00:46.0935 0968 BITS - ok
18:00:46.0982 0968 [ 79FEEB40056683F8F61398D81DDA65D2 ] blbdrive C:\Windows\system32\drivers\blbdrive.sys
18:00:46.0997 0968 blbdrive - ok
18:00:47.0231 0968 [ EBBCD5DFBB1DE70E8F4AF8FA59E401FD ] Bonjour Service C:\Program Files\Bonjour\mDNSResponder.exe
18:00:47.0403 0968 Bonjour Service - ok
18:00:47.0465 0968 [ 2348447A80920B2493A9B582A23E81E1 ] bowser C:\Windows\system32\DRIVERS\bowser.sys
18:00:47.0496 0968 bowser - ok
18:00:47.0559 0968 [ F09EEE9EDC320B5E1501F749FDE686C8 ] BrFiltLo C:\Windows\system32\drivers\brfiltlo.sys
18:00:47.0590 0968 BrFiltLo - ok
18:00:47.0621 0968 [ B114D3098E9BDB8BEA8B053685831BE6 ] BrFiltUp C:\Windows\system32\drivers\brfiltup.sys
18:00:47.0637 0968 BrFiltUp - ok
18:00:47.0715 0968 [ A1B39DE453433B115B4EA69EE0343816 ] Browser C:\Windows\System32\browser.dll
18:00:47.0746 0968 Browser - ok
18:00:47.0824 0968 [ F0F0BA4D815BE446AA6A4583CA3BCA9B ] Brserid C:\Windows\system32\drivers\brserid.sys
18:00:47.0840 0968 Brserid - ok
18:00:47.0886 0968 [ A6ECA2151B08A09CACECA35C07F05B42 ] BrSerWdm C:\Windows\system32\drivers\brserwdm.sys
18:00:47.0902 0968 BrSerWdm - ok
18:00:47.0949 0968 [ B79968002C277E869CF38BD22CD61524 ] BrUsbMdm C:\Windows\system32\drivers\brusbmdm.sys
18:00:47.0980 0968 BrUsbMdm - ok
18:00:48.0011 0968 [ A87528880231C54E75EA7A44943B38BF ] BrUsbSer C:\Windows\system32\drivers\brusbser.sys
18:00:48.0011 0968 BrUsbSer - ok
18:00:48.0074 0968 [ E0777B34E05F8A82A21856EFC900C29F ] BTHMODEM C:\Windows\system32\drivers\bthmodem.sys
18:00:48.0089 0968 BTHMODEM - ok
18:00:48.0136 0968 bxparoad - ok
18:00:48.0276 0968 [ 13C9B0406156A65A07D4BF9469091ED7 ] CAXHWBS3 C:\Windows\system32\DRIVERS\CAXHWBS3.sys
18:00:48.0370 0968 CAXHWBS3 - ok
18:00:48.0401 0968 [ B4D787DB8D30793A4D4DF9FEED18F136 ] cdfs C:\Windows\system32\DRIVERS\cdfs.sys
18:00:48.0432 0968 cdfs - ok
18:00:48.0526 0968 [ C025AA69BE3D0D25C7A2E746EF6F94FC ] cdrom C:\Windows\system32\DRIVERS\cdrom.sys
18:00:48.0557 0968 cdrom - ok
18:00:48.0604 0968 [ 5A268127633C7EE2A7FB87F39D748D56 ] CertPropSvc C:\Windows\System32\certprop.dll
18:00:48.0604 0968 CertPropSvc - ok
18:00:48.0651 0968 [ 02EA568D498BBDD4BA55BF3FCE34D456 ] circlass C:\Windows\system32\drivers\circlass.sys
18:00:48.0682 0968 circlass - ok
18:00:48.0744 0968 [ 3DCA9A18B204939CFB24BEA53E31EB48 ] CLFS C:\Windows\system32\CLFS.sys
18:00:48.0791 0968 CLFS - ok
18:00:48.0947 0968 [ 8EE772032E2FE80A924F3B8DD5082194 ] clr_optimization_v2.0.50727_32 C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
18:00:49.0010 0968 clr_optimization_v2.0.50727_32 - ok
18:00:49.0134 0968 [ CE07A466201096F021CD09D631B21540 ] clr_optimization_v2.0.50727_64 C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
18:00:49.0134 0968 clr_optimization_v2.0.50727_64 - ok
18:00:49.0306 0968 [ C5A75EB48E2344ABDC162BDA79E16841 ] clr_optimization_v4.0.30319_32 C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
18:00:49.0602 0968 clr_optimization_v4.0.30319_32 - ok
18:00:49.0727 0968 [ C6F9AF94DCD58122A4D7E89DB6BED29D ] clr_optimization_v4.0.30319_64 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
18:00:50.0148 0968 clr_optimization_v4.0.30319_64 - ok
18:00:50.0180 0968 [ E5D5499A1C50A54B5161296B6AFE6192 ] cmdide C:\Windows\system32\drivers\cmdide.sys
18:00:50.0195 0968 cmdide - ok
18:00:50.0211 0968 [ 7FB8AD01DB0EABE60C8A861531A8F431 ] Compbatt C:\Windows\system32\drivers\compbatt.sys
18:00:50.0211 0968 Compbatt - ok
18:00:50.0242 0968 COMSysApp - ok
18:00:50.0258 0968 [ A8585B6412253803CE8EFCBD6D6DC15C ] crcdisk C:\Windows\system32\drivers\crcdisk.sys
18:00:50.0273 0968 crcdisk - ok
18:00:50.0320 0968 [ CA78B312C44E4D52E842C2C8BD48E452 ] CryptSvc C:\Windows\system32\cryptsvc.dll
18:00:50.0367 0968 CryptSvc - ok
18:00:50.0492 0968 [ CF8B9A3A5E7DC57724A89D0C3E8CF9EF ] DcomLaunch C:\Windows\system32\rpcss.dll
18:00:50.0616 0968 DcomLaunch - ok
18:00:50.0710 0968 [ 8B722BA35205C71E7951CDC4CDBADE19 ] DfsC C:\Windows\system32\Drivers\dfsc.sys
18:00:50.0710 0968 DfsC - ok
18:00:50.0944 0968 [ C647F468F7DE343DF8C143655C5557D4 ] DFSR C:\Windows\system32\DFSR.exe
18:00:51.0381 0968 DFSR - ok
18:00:51.0521 0968 [ 3ED0321127CE70ACDAABBF77E157C2A7 ] Dhcp C:\Windows\System32\dhcpcsvc.dll
18:00:51.0615 0968 Dhcp - ok
18:00:51.0646 0968 [ B0107E40ECDB5FA692EBF832F295D905 ] disk C:\Windows\system32\drivers\disk.sys
18:00:51.0662 0968 disk - ok
18:00:51.0708 0968 [ 06230F1B721494A6DF8D47FD395BB1B0 ] Dnscache C:\Windows\System32\dnsrslvr.dll
18:00:51.0724 0968 Dnscache - ok
18:00:51.0786 0968 [ 1A7156DD1E850E9914E5E991E3225B94 ] dot3svc C:\Windows\System32\dot3svc.dll
18:00:51.0896 0968 dot3svc - ok
18:00:51.0989 0968 [ 1583B39790DB3EAEC7EDB0CB0140C708 ] DPS C:\Windows\system32\dps.dll
18:00:52.0005 0968 DPS - ok
18:00:52.0036 0968 [ F1A78A98CFC2EE02144C6BEC945447E6 ] drmkaud C:\Windows\system32\drivers\drmkaud.sys
18:00:52.0036 0968 drmkaud - ok
18:00:52.0145 0968 [ B8E554E502D5123BC111F99D6A2181B4 ] DXGKrnl C:\Windows\System32\drivers\dxgkrnl.sys
18:00:52.0270 0968 DXGKrnl - ok
18:00:52.0332 0968 [ 264CEE7B031A9D6C827F3D0CB031F2FE ] E1G60 C:\Windows\system32\DRIVERS\E1G6032E.sys
18:00:52.0379 0968 E1G60 - ok
18:00:52.0410 0968 [ C2303883FD9BE49DC36A6400643002EA ] EapHost C:\Windows\System32\eapsvc.dll
18:00:52.0473 0968 EapHost - ok
18:00:52.0551 0968 [ 5F94962BE5A62DB6E447FF6470C4F48A ] Ecache C:\Windows\system32\drivers\ecache.sys
18:00:52.0598 0968 Ecache - ok
18:00:52.0754 0968 [ 14CE384D2E27B64C256BDA4DC39C312D ] ehRecvr C:\Windows\ehome\ehRecvr.exe
18:00:52.0800 0968 ehRecvr - ok
18:00:52.0847 0968 [ B93159C1313D66FDFBBE876F5189CD52 ] ehSched C:\Windows\ehome\ehsched.exe
18:00:52.0878 0968 ehSched - ok
18:00:52.0941 0968 [ F5EE2527D74449868E3C3227A59BCD28 ] ehstart C:\Windows\ehome\ehstart.dll
18:00:52.0956 0968 ehstart - ok
18:00:52.0988 0968 [ C4636D6E10469404AB5308D9FD45ED07 ] elxstor C:\Windows\system32\drivers\elxstor.sys
18:00:53.0050 0968 elxstor - ok
18:00:53.0144 0968 [ A9B18B63A4FD6BAAB83326706D857FAB ] EMDMgmt C:\Windows\system32\emdmgmt.dll
18:00:53.0253 0968 EMDMgmt - ok
18:00:53.0284 0968 [ BC3A58E938BB277E46BF4B3003B01ABD ] ErrDev C:\Windows\system32\drivers\errdev.sys
18:00:53.0284 0968 ErrDev - ok
18:00:53.0362 0968 [ E12F22B73F153DECE721CD45EC05B4AF ] EventSystem C:\Windows\system32\es.dll
18:00:53.0440 0968 EventSystem - ok
18:00:53.0487 0968 [ 486844F47B6636044A42454614ED4523 ] exfat C:\Windows\system32\drivers\exfat.sys
18:00:53.0502 0968 exfat - ok
18:00:53.0549 0968 [ 1A4BEE34277784619DDAF0422C0C6E23 ] fastfat C:\Windows\system32\drivers\fastfat.sys
18:00:53.0580 0968 fastfat - ok
18:00:53.0627 0968 [ 81B79B6DF71FA1D2C6D688D830616E39 ] fdc C:\Windows\system32\DRIVERS\fdc.sys
18:00:53.0658 0968 fdc - ok
18:00:53.0705 0968 [ BB9267ACACD8B7533DD936C34A0CBA5E ] fdPHost C:\Windows\system32\fdPHost.dll
18:00:53.0721 0968 fdPHost - ok
18:00:53.0752 0968 [ 300C80931EABBE1DB7591C516EFE8D0F ] FDResPub C:\Windows\system32\fdrespub.dll
18:00:53.0783 0968 FDResPub - ok
18:00:53.0814 0968 [ 457B7D1D533E4BD62A99AED9C7BB4C59 ] FileInfo C:\Windows\system32\drivers\fileinfo.sys
18:00:53.0830 0968 FileInfo - ok
18:00:53.0877 0968 [ D421327FD6EFCCAF884A54C58E1B0D7F ] Filetrace C:\Windows\system32\drivers\filetrace.sys
18:00:53.0877 0968 Filetrace - ok
18:00:53.0986 0968 [ 227846995AFEEFA70D328BF5334A86A5 ] FLEXnet Licensing Service C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
18:00:54.0095 0968 FLEXnet Licensing Service - ok
18:00:54.0142 0968 [ 230923EA2B80F79B0F88D90F87B87EBD ] flpydisk C:\Windows\system32\DRIVERS\flpydisk.sys
18:00:54.0142 0968 flpydisk - ok
18:00:54.0204 0968 [ E3041BC26D6930D61F42AEDB79C91720 ] FltMgr C:\Windows\system32\drivers\fltmgr.sys
18:00:54.0251 0968 FltMgr - ok
18:00:54.0470 0968 [ BE1C5BD1CA7ED015BC6FA1AE67E592C8 ] FontCache C:\Windows\system32\FntCache.dll
18:00:54.0594 0968 FontCache - ok
18:00:54.0657 0968 [ BC5B0BE5AF3510B0FD8C140EE42C6D3E ] FontCache3.0.0.0 C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
18:00:54.0688 0968 FontCache3.0.0.0 - ok
18:00:54.0766 0968 [ 5779B86CD8B32519FBECB136394D946A ] Fs_Rec C:\Windows\system32\drivers\Fs_Rec.sys
18:00:54.0782 0968 Fs_Rec - ok
18:00:54.0813 0968 [ C8E416668D3DC2BE3D4FE4C79224997F ] gagp30kx C:\Windows\system32\drivers\gagp30kx.sys
18:00:54.0828 0968 gagp30kx - ok
18:00:55.0000 0968 [ 617DC2877015270914CA3C03873560D5 ] GameConsoleService C:\Program Files (x86)\HP Games\My HP Game Console\GameConsoleService.exe
18:00:55.0031 0968 GameConsoleService - ok
18:00:55.0078 0968 [ E403AACF8C7BB11375122D2464560311 ] GEARAspiWDM C:\Windows\system32\DRIVERS\GEARAspiWDM.sys
18:00:55.0078 0968 GEARAspiWDM - ok
18:00:55.0187 0968 [ A0E1B575BA8F504968CD40C0FAEB2384 ] gpsvc C:\Windows\System32\gpsvc.dll
18:00:55.0296 0968 gpsvc - ok
18:00:55.0421 0968 [ 8F0DE4FEF8201E306F9938B0905AC96A ] gupdate C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
18:00:55.0437 0968 gupdate - ok
18:00:55.0499 0968 [ 8F0DE4FEF8201E306F9938B0905AC96A ] gupdatem C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
18:00:55.0499 0968 gupdatem - ok
18:00:55.0577 0968 [ 5D4BC124FAAE6730AC002CDB67BF1A1C ] gusvc C:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe
18:00:55.0593 0968 gusvc - ok
18:00:55.0702 0968 [ F942C5820205F2FB453243EDFEC82A3D ] HDAudBus C:\Windows\system32\DRIVERS\HDAudBus.sys
18:00:55.0764 0968 HDAudBus - ok
18:00:55.0796 0968 [ B4881C84A180E75B8C25DC1D726C375F ] HidBth C:\Windows\system32\drivers\hidbth.sys
18:00:55.0796 0968 HidBth - ok
18:00:55.0827 0968 [ 4E77A77E2C986E8F88F996BB3E1AD829 ] HidIr C:\Windows\system32\drivers\hidir.sys
18:00:55.0827 0968 HidIr - ok
18:00:55.0874 0968 [ 59361D38A297755D46A540E450202B2A ] hidserv C:\Windows\System32\hidserv.dll
18:00:55.0889 0968 hidserv - ok
18:00:55.0952 0968 [ 443BDD2D30BB4F00795C797E2CF99EDF ] HidUsb C:\Windows\system32\DRIVERS\hidusb.sys
18:00:55.0952 0968 HidUsb - ok
18:00:55.0998 0968 [ B12F367EA39C0795FD57E31242CE1A5A ] hkmsvc C:\Windows\system32\kmsvc.dll
18:00:56.0014 0968 hkmsvc - ok
18:00:56.0123 0968 [ A19B0BB5A7EB6DF2DD4A0711D36955EE ] HP Health Check Service c:\Program Files (x86)\Hewlett-Packard\HP Health Check\hphc_service.exe
18:00:56.0123 0968 HP Health Check Service - ok
18:00:56.0139 0968 [ D7109A1E6BD2DFDBCBA72A6BC626A13B ] HpCISSs C:\Windows\system32\drivers\hpcisss.sys
18:00:56.0154 0968 HpCISSs - ok
18:00:56.0232 0968 [ AF2D47FCCA4B1502C564FDBCA163E495 ] HSF_DP C:\Windows\system32\DRIVERS\CAX_DP.sys
18:00:56.0310 0968 HSF_DP - ok
18:00:56.0373 0968 [ 098F1E4E5C9CB5B0063A959063631610 ] HTTP C:\Windows\system32\drivers\HTTP.sys
18:00:56.0388 0968 HTTP - ok
18:00:56.0404 0968 [ DA94C854CEA5FAC549D4E1F6E88349E8 ] i2omp C:\Windows\system32\drivers\i2omp.sys
18:00:56.0404 0968 i2omp - ok
18:00:56.0435 0968 [ CBB597659A2713CE0C9CC20C88C7591F ] i8042prt C:\Windows\system32\DRIVERS\i8042prt.sys
18:00:56.0435 0968 i8042prt - ok
18:00:56.0451 0968 [ 3E3BF3627D886736D0B4E90054F929F6 ] iaStorV C:\Windows\system32\drivers\iastorv.sys
18:00:56.0466 0968 iaStorV - ok
18:00:56.0529 0968 [ 749F5F8CEDCA70F2A512945325FC489D ] idsvc C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\infocard.exe
18:00:56.0544 0968 idsvc - ok
18:00:56.0560 0968 [ 8C3951AD2FE886EF76C7B5027C3125D3 ] iirsp C:\Windows\system32\drivers\iirsp.sys
18:00:56.0560 0968 iirsp - ok
18:00:56.0607 0968 [ 0C9EA6E654E7B0471741E343A6C671AF ] IKEEXT C:\Windows\System32\ikeext.dll
18:00:56.0622 0968 IKEEXT - ok
18:00:56.0669 0968 [ 1EDAB7F9B9DE4424BECCDEF950CE2FF0 ] IntcAzAudAddService C:\Windows\system32\drivers\RTKVHD64.sys
18:00:56.0700 0968 IntcAzAudAddService - ok
18:00:56.0716 0968 [ DF797A12176F11B2D301C5B234BB200E ] intelide C:\Windows\system32\drivers\intelide.sys
18:00:56.0716 0968 intelide - ok
18:00:56.0732 0968 [ BFD84AF32FA1BAD6231C4585CB469630 ] intelppm C:\Windows\system32\DRIVERS\intelppm.sys
18:00:56.0732 0968 intelppm - ok
18:00:56.0747 0968 [ 5624BC1BC5EEB49C0AB76A8114F05EA3 ] IPBusEnum C:\Windows\system32\ipbusenum.dll
18:00:56.0763 0968 IPBusEnum - ok
18:00:56.0794 0968 [ D8AABC341311E4780D6FCE8C73C0AD81 ] IpFilterDriver C:\Windows\system32\DRIVERS\ipfltdrv.sys
18:00:56.0794 0968 IpFilterDriver - ok
18:00:56.0810 0968 IpInIp - ok
18:00:56.0825 0968 [ 9C2EE2E6E5A7203BFAE15C299475EC67 ] IPMIDRV C:\Windows\system32\drivers\ipmidrv.sys
18:00:56.0825 0968 IPMIDRV - ok
18:00:56.0841 0968 [ B7E6212F581EA5F6AB0C3A6CEEEB89BE ] IPNAT C:\Windows\system32\DRIVERS\ipnat.sys
18:00:56.0856 0968 IPNAT - ok
18:00:56.0903 0968 [ 50D6CCC6FF5561F9F56946B3E6164FB8 ] iPod Service C:\Program Files\iPod\bin\iPodService.exe
18:00:56.0919 0968 iPod Service - ok
18:00:56.0950 0968 [ 8C42CA155343A2F11D29FECA67FAA88D ] IRENUM C:\Windows\system32\drivers\irenum.sys
18:00:56.0950 0968 IRENUM - ok
18:00:56.0966 0968 [ 0672BFCEDC6FC468A2B0500D81437F4F ] isapnp C:\Windows\system32\drivers\isapnp.sys
18:00:56.0966 0968 isapnp - ok
18:00:56.0997 0968 [ E4FDF99599F27EC25D2CF6D754243520 ] iScsiPrt C:\Windows\system32\DRIVERS\msiscsi.sys
18:00:56.0997 0968 iScsiPrt - ok
18:00:57.0012 0968 [ 63C766CDC609FF8206CB447A65ABBA4A ] iteatapi C:\Windows\system32\drivers\iteatapi.sys
18:00:57.0012 0968 iteatapi - ok
18:00:57.0028 0968 [ 1281FE73B17664631D12F643CBEA3F59 ] iteraid C:\Windows\system32\drivers\iteraid.sys
18:00:57.0028 0968 iteraid - ok
18:00:57.0044 0968 [ 423696F3BA6472DD17699209B933BC26 ] kbdclass C:\Windows\system32\DRIVERS\kbdclass.sys
18:00:57.0059 0968 kbdclass - ok
18:00:57.0075 0968 [ BF8783A5066CFECF45095459E8010FA7 ] kbdhid C:\Windows\system32\DRIVERS\kbdhid.sys
18:00:57.0075 0968 kbdhid - ok
18:00:57.0090 0968 [ 260BF9C43EE12C6898A9F5AAB0FB0E5D ] KeyIso C:\Windows\system32\lsass.exe
18:00:57.0090 0968 KeyIso - ok
18:00:57.0137 0968 [ 88956AD9FA510848AD176777A6C6C1F5 ] KSecDD C:\Windows\system32\Drivers\ksecdd.sys
18:00:57.0153 0968 KSecDD - ok
18:00:57.0168 0968 [ 1D419CF43DB29396ECD7113D129D94EB ] ksthunk C:\Windows\system32\drivers\ksthunk.sys
18:00:57.0168 0968 ksthunk - ok
18:00:57.0200 0968 [ 1FAF6926F3416D3DA05C5B265491BDAE ] KtmRm C:\Windows\system32\msdtckrm.dll
18:00:57.0200 0968 KtmRm - ok
18:00:57.0246 0968 [ 50C7A3CB427E9BB5ED0708A669956AB5 ] LanmanServer C:\Windows\System32\srvsvc.dll
18:00:57.0262 0968 LanmanServer - ok
18:00:57.0309 0968 [ CAF86FC1388BE1E470F1A7B43E348ADB ] LanmanWorkstation C:\Windows\System32\wkssvc.dll
18:00:57.0324 0968 LanmanWorkstation - ok
18:00:57.0371 0968 [ E75ADCFAFDEF3F4C3AF3332928D59926 ] LightScribeService c:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
18:00:57.0371 0968 LightScribeService - ok
18:00:57.0387 0968 [ 96ECE2659B6654C10A0C310AE3A6D02C ] lltdio C:\Windows\system32\DRIVERS\lltdio.sys
18:00:57.0387 0968 lltdio - ok
18:00:57.0418 0968 [ 961CCBD0B1CCB5675D64976FAE37D092 ] lltdsvc C:\Windows\System32\lltdsvc.dll
18:00:57.0418 0968 lltdsvc - ok
18:00:57.0434 0968 [ A47F8080CACC23C91FE823AD19AA5612 ] lmhosts C:\Windows\System32\lmhsvc.dll
18:00:57.0434 0968 lmhosts - ok
18:00:57.0449 0968 [ ACBE1AF32D3123E330A07BFBC5EC4A9B ] LSI_FC C:\Windows\system32\drivers\lsi_fc.sys
18:00:57.0465 0968 LSI_FC - ok
18:00:57.0465 0968 [ 799FFB2FC4729FA46D2157C0065B3525 ] LSI_SAS C:\Windows\system32\drivers\lsi_sas.sys
18:00:57.0480 0968 LSI_SAS - ok
18:00:57.0496 0968 [ F445FF1DAAD8A226366BFAF42551226B ] LSI_SCSI C:\Windows\system32\drivers\lsi_scsi.sys
18:00:57.0496 0968 LSI_SCSI - ok
18:00:57.0527 0968 [ 52F87B9CC8932C2A7375C3B2A9BE5E3E ] luafv C:\Windows\system32\drivers\luafv.sys
18:00:57.0527 0968 luafv - ok
18:00:57.0590 0968 [ E6CB119EF2E148EAA1A247343550756E ] McciCMService C:\Program Files (x86)\Common Files\Motive\McciCMService.exe
18:00:57.0590 0968 McciCMService - ok
18:00:57.0652 0968 [ BE3D584D7C021EB7D89166EECB83C341 ] McciCMService64 C:\Program Files\Common Files\Motive\McciCMService.exe
18:00:57.0668 0968 McciCMService64 - ok
18:00:57.0683 0968 [ 76A58DF02BD4EA29F189B82D0BEF17F8 ] Mcx2Svc C:\Windows\system32\Mcx2Svc.dll
18:00:57.0699 0968 Mcx2Svc - ok
18:00:57.0730 0968 [ E4F44EC214B3E381E1FC844A02926666 ] mdmxsdk C:\Windows\system32\DRIVERS\mdmxsdk.sys
18:00:57.0730 0968 mdmxsdk - ok
18:00:57.0761 0968 [ 5C5CD6AACED32FB26C3FB34B3DCF972F ] megasas C:\Windows\system32\drivers\megasas.sys
18:00:57.0777 0968 megasas - ok
18:00:57.0792 0968 [ 859BC2436B076C77C159ED694ACFE8F8 ] MegaSR C:\Windows\system32\drivers\megasr.sys
18:00:57.0808 0968 MegaSR - ok
18:00:57.0824 0968 [ 3CBE4995E80E13CCFBC42E5DCF3AC81A ] MMCSS C:\Windows\system32\mmcss.dll
18:00:57.0824 0968 MMCSS - ok
18:00:57.0839 0968 [ 59848D5CC74606F0EE7557983BB73C2E ] Modem C:\Windows\system32\drivers\modem.sys
18:00:57.0839 0968 Modem - ok
18:00:57.0855 0968 [ C247CC2A57E0A0C8C6DCCF7807B3E9E5 ] monitor C:\Windows\system32\DRIVERS\monitor.sys
18:00:57.0855 0968 monitor - ok
18:00:57.0870 0968 [ 9367304E5E412B120CF5F4EA14E4E4F1 ] mouclass C:\Windows\system32\DRIVERS\mouclass.sys
18:00:57.0870 0968 mouclass - ok
18:00:57.0886 0968 [ C2C2BD5C5CE5AAF786DDD74B75D2AC69 ] mouhid C:\Windows\system32\DRIVERS\mouhid.sys
18:00:57.0886 0968 mouhid - ok
18:00:57.0917 0968 [ 11BC9B1E8801B01F7F6ADB9EAD30019B ] MountMgr C:\Windows\system32\drivers\mountmgr.sys
18:00:57.0917 0968 MountMgr - ok
18:00:57.0917 0968 Mp3Rocket Toolbar Helper - ok
18:00:57.0948 0968 [ F8276EB8698142884498A528DFEA8478 ] mpio C:\Windows\system32\drivers\mpio.sys
18:00:57.0948 0968 mpio - ok
18:00:57.0980 0968 [ C92B9ABDB65A5991E00C28F13491DBA2 ] mpsdrv C:\Windows\system32\drivers\mpsdrv.sys
18:00:57.0980 0968 mpsdrv - ok
18:00:58.0011 0968 [ 3C200630A89EF2C0864D515B7A75802E ] Mraid35x C:\Windows\system32\drivers\mraid35x.sys
18:00:58.0011 0968 Mraid35x - ok
18:00:58.0042 0968 [ 9BD4DCB5412921864A7AACDEDFBD1923 ] MREMP50 C:\PROGRA~2\COMMON~1\Motive\MREMP50.SYS
18:00:58.0042 0968 MREMP50 - ok
18:00:58.0042 0968 MREMP50a64 - ok
18:00:58.0058 0968 MREMPR5 - ok
18:00:58.0058 0968 MRENDIS5 - ok
18:00:58.0073 0968 [ 07C02C892E8E1A72D6BF35004F0E9C5E ] MRESP50 C:\PROGRA~2\COMMON~1\Motive\MRESP50.SYS
18:00:58.0073 0968 MRESP50 - ok
18:00:58.0073 0968 MRESP50a64 - ok
18:00:58.0104 0968 [ 7C1DE4AA96DC0C071611F9E7DE02A68D ] MRxDAV C:\Windows\system32\drivers\mrxdav.sys
18:00:58.0104 0968 MRxDAV - ok
18:00:58.0151 0968 [ 1485811B320FF8C7EDAD1CAEBB1C6C2B ] mrxsmb C:\Windows\system32\DRIVERS\mrxsmb.sys
18:00:58.0151 0968 mrxsmb - ok
18:00:58.0198 0968 [ 3B929A60C833FC615FD97FBA82BC7632 ] mrxsmb10 C:\Windows\system32\DRIVERS\mrxsmb10.sys
18:00:58.0198 0968 mrxsmb10 - ok
18:00:58.0214 0968 [ C64AB3E1F53B4F5B5BB6D796B2D7BEC3 ] mrxsmb20 C:\Windows\system32\DRIVERS\mrxsmb20.sys
18:00:58.0214 0968 mrxsmb20 - ok
18:00:58.0229 0968 [ 1AC860612B85D8E85EE257D372E39F4D ] msahci C:\Windows\system32\drivers\msahci.sys
18:00:58.0229 0968 msahci - ok
18:00:58.0245 0968 [ 264BBB4AAF312A485F0E44B65A6B7202 ] msdsm C:\Windows\system32\drivers\msdsm.sys
18:00:58.0260 0968 msdsm - ok
18:00:58.0276 0968 [ 7EC02CE772F068ED0BEAFA3DA341A9BC ] MSDTC C:\Windows\System32\msdtc.exe
18:00:58.0276 0968 MSDTC - ok
18:00:58.0323 0968 [ 704F59BFC4512D2BB0146AEC31B10A7C ] Msfs C:\Windows\system32\drivers\Msfs.sys
18:00:58.0323 0968 Msfs - ok
18:00:58.0323 0968 [ 00EBC952961664780D43DCA157E79B27 ] msisadrv C:\Windows\system32\drivers\msisadrv.sys
18:00:58.0323 0968 msisadrv - ok
18:00:58.0354 0968 [ 366B0C1F4478B519C181E37D43DCDA32 ] MSiSCSI C:\Windows\system32\iscsiexe.dll
18:00:58.0370 0968 MSiSCSI - ok
18:00:58.0370 0968 msiserver - ok
18:00:58.0401 0968 [ 0EA73E498F53B96D83DBFCA074AD4CF8 ] MSKSSRV C:\Windows\system32\drivers\MSKSSRV.sys
18:00:58.0401 0968 MSKSSRV - ok
18:00:58.0416 0968 [ 52E59B7E992A58E740AA63F57EDBAE8B ] MSPCLOCK C:\Windows\system32\drivers\MSPCLOCK.sys
18:00:58.0432 0968 MSPCLOCK - ok
18:00:58.0448 0968 [ 49084A75BAE043AE02D5B44D02991BB2 ] MSPQM C:\Windows\system32\drivers\MSPQM.sys
18:00:58.0448 0968 MSPQM - ok
18:00:58.0494 0968 [ DC6CCF440CDEDE4293DB41C37A5060A5 ] MsRPC C:\Windows\system32\drivers\MsRPC.sys
18:00:58.0510 0968 MsRPC - ok
18:00:58.0526 0968 [ 855796E59DF77EA93AF46F20155BF55B ] mssmbios C:\Windows\system32\DRIVERS\mssmbios.sys
18:00:58.0526 0968 mssmbios - ok
18:00:58.0541 0968 [ 86D632D75D05D5B7C7C043FA3564AE86 ] MSTEE C:\Windows\system32\drivers\MSTEE.sys
18:00:58.0541 0968 MSTEE - ok
18:00:58.0557 0968 [ 0CC49F78D8ACA0877D885F149084E543 ] Mup C:\Windows\system32\Drivers\mup.sys
18:00:58.0557 0968 Mup - ok
18:00:58.0572 0968 [ A5B10C845E7538C60C0F5D87A57CB3F5 ] napagent C:\Windows\system32\qagentRT.dll
18:00:58.0588 0968 napagent - ok
18:00:58.0635 0968 [ 2007B826C4ACD94AE32232B41F0842B9 ] NativeWifiP C:\Windows\system32\DRIVERS\nwifi.sys
18:00:58.0635 0968 NativeWifiP - ok
18:00:58.0682 0968 [ 65950E07329FCEE8E6516B17C8D0ABB6 ] NDIS C:\Windows\system32\drivers\ndis.sys
18:00:58.0713 0968 NDIS - ok
18:00:58.0760 0968 [ 64DF698A425478E321981431AC171334 ] NdisTapi C:\Windows\system32\DRIVERS\ndistapi.sys
18:00:58.0760 0968 NdisTapi - ok
18:00:58.0775 0968 [ 8BAA43196D7B5BB972C9A6B2BBF61A19 ] Ndisuio C:\Windows\system32\DRIVERS\ndisuio.sys
18:00:58.0775 0968 Ndisuio - ok
18:00:58.0806 0968 [ F8158771905260982CE724076419EF19 ] NdisWan C:\Windows\system32\DRIVERS\ndiswan.sys
18:00:58.0806 0968 NdisWan - ok
18:00:58.0822 0968 [ 9CB77ED7CB72850253E973A2D6AFDF49 ] NDProxy C:\Windows\system32\drivers\NDProxy.sys
18:00:58.0838 0968 NDProxy - ok
18:00:58.0853 0968 [ A499294F5029A7862ADC115BDA7371CE ] NetBIOS C:\Windows\system32\DRIVERS\netbios.sys
18:00:58.0853 0968 NetBIOS - ok
18:00:58.0869 0968 [ FC2C792EBDDC8E28DF939D6A92C83D61 ] netbt C:\Windows\system32\DRIVERS\netbt.sys
18:00:58.0869 0968 netbt - ok
18:00:58.0869 0968 [ 260BF9C43EE12C6898A9F5AAB0FB0E5D ] Netlogon C:\Windows\system32\lsass.exe
18:00:58.0869 0968 Netlogon - ok
18:00:58.0916 0968 [ 9B63B29DEFC0F3115A559D2597BF5D75 ] Netman C:\Windows\System32\netman.dll
18:00:58.0916 0968 Netman - ok
18:00:58.0931 0968 [ 7846D0136CC2B264926A73047BA7688A ] netprofm C:\Windows\System32\netprofm.dll
18:00:58.0947 0968 netprofm - ok
18:00:58.0994 0968 [ B69D6BB680C85243AF0263B3E01D5E77 ] netr7364 C:\Windows\system32\DRIVERS\netr7364.sys
18:00:58.0994 0968 netr7364 - ok
18:00:59.0025 0968 [ 74751DDA198165947FD7454D83F49825 ] NetTcpPortSharing C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\SMSvcHost.exe
18:00:59.0025 0968 NetTcpPortSharing - ok
18:00:59.0056 0968 [ 4AC08BD6AF2DF42E0C3196D826C8AEA7 ] nfrd960 C:\Windows\system32\drivers\nfrd960.sys
18:00:59.0056 0968 nfrd960 - ok
18:00:59.0072 0968 [ F145BF4C4668E7E312069F81EF847CFC ] NlaSvc C:\Windows\System32\nlasvc.dll
18:00:59.0087 0968 NlaSvc - ok
18:00:59.0118 0968 [ B298874F8E0EA93F06EC40AA8D146478 ] Npfs C:\Windows\system32\drivers\Npfs.sys
18:00:59.0118 0968 Npfs - ok
18:00:59.0134 0968 [ ACB62BAA1C319B17752553DF3026EEEB ] nsi C:\Windows\system32\nsisvc.dll
18:00:59.0150 0968 nsi - ok
18:00:59.0150 0968 [ 1523AF19EE8B030BA682F7A53537EAEB ] nsiproxy C:\Windows\system32\drivers\nsiproxy.sys
18:00:59.0150 0968 nsiproxy - ok
18:00:59.0212 0968 [ BAC869DFB98E499BA4D9BB1FB43270E1 ] Ntfs C:\Windows\system32\drivers\Ntfs.sys
18:00:59.0243 0968 Ntfs - ok
18:00:59.0290 0968 [ D4012918D3A3847B44B888D56BC095D6 ] NuidFltr C:\Windows\system32\DRIVERS\NuidFltr.sys
18:00:59.0321 0968 NuidFltr - ok
18:00:59.0337 0968 [ DD5D684975352B85B52E3FD5347C20CB ] Null C:\Windows\system32\drivers\Null.sys
18:00:59.0337 0968 Null - ok
18:00:59.0384 0968 [ 98350606682594521D56ECCB5D01ECF7 ] NVENETFD C:\Windows\system32\DRIVERS\nvmfdx64.sys
18:00:59.0399 0968 NVENETFD - ok
18:00:59.0571 0968 [ E57F802BA29010C557B549392F7E3CA1 ] nvlddmkm C:\Windows\system32\DRIVERS\nvlddmkm.sys
18:00:59.0727 0968 nvlddmkm - ok
18:00:59.0758 0968 [ 2C040B7ADA5B06F6FACADAC8514AA034 ] nvraid C:\Windows\system32\drivers\nvraid.sys
18:00:59.0758 0968 nvraid - ok
18:00:59.0789 0968 [ 16D36074B84DA72D160233C8D132DC89 ] nvsmu C:\Windows\system32\drivers\nvsmu.sys
18:00:59.0805 0968 nvsmu - ok
18:00:59.0820 0968 [ F7EA0FE82842D05EDA3EFDD376DBFDBA ] nvstor C:\Windows\system32\drivers\nvstor.sys
18:00:59.0820 0968 nvstor - ok
18:00:59.0852 0968 [ CC015D29C3BE698D14BD9B5E23E33C0D ] nvsvc C:\Windows\system32\nvvsvc.exe
18:00:59.0852 0968 nvsvc - ok
18:00:59.0883 0968 [ 19067CA93075EF4823E3938A686F532F ] nv_agp C:\Windows\system32\drivers\nv_agp.sys
18:00:59.0883 0968 nv_agp - ok
18:00:59.0883 0968 NwlnkFlt - ok
18:00:59.0898 0968 NwlnkFwd - ok
18:00:59.0961 0968 [ B5B1CE65AC15BBD11C0619E3EF7CFC28 ] ohci1394 C:\Windows\system32\DRIVERS\ohci1394.sys
18:00:59.0961 0968 ohci1394 - ok
18:01:00.0008 0968 [ 9AE31D2E1D15C10D91318E0EC149CEAC ] p2pimsvc C:\Windows\system32\p2psvc.dll
18:01:00.0023 0968 p2pimsvc - ok
18:01:00.0039 0968 [ 9AE31D2E1D15C10D91318E0EC149CEAC ] p2psvc C:\Windows\system32\p2psvc.dll
18:01:00.0054 0968 p2psvc - ok
18:01:00.0086 0968 [ AECD57F94C887F58919F307C35498EA0 ] Parport C:\Windows\system32\drivers\parport.sys
18:01:00.0086 0968 Parport - ok
18:01:00.0117 0968 [ B43751085E2ABE389DA466BC62A4B987 ] partmgr C:\Windows\system32\drivers\partmgr.sys
18:01:00.0117 0968 partmgr - ok
18:01:00.0132 0968 [ 9AB157B374192FF276C1628FBDBA2B0E ] PcaSvc C:\Windows\System32\pcasvc.dll
18:01:00.0148 0968 PcaSvc - ok
18:01:00.0195 0968 [ 7204F835A4355D1AB2853E57C9FF177C ] PCD5SRVC{8AAF211B-043E02A9-05040000} C:\PROGRA~1\PC-DOC~1\PCD5SRVC_x64.pkms
18:01:00.0304 0968 PCD5SRVC{8AAF211B-043E02A9-05040000} - ok
18:01:00.0351 0968 [ 47AB1E0FC9D0E12BB53BA246E3A0906D ] pci C:\Windows\system32\drivers\pci.sys
18:01:00.0351 0968 pci - ok
18:01:00.0382 0968 [ 2657F6C0B78C36D95034BE109336E382 ] pciide C:\Windows\system32\drivers\pciide.sys
18:01:00.0398 0968 pciide - ok
18:01:00.0429 0968 [ 037661F3D7C507C9993B7010CEEE6288 ] pcmcia C:\Windows\system32\drivers\pcmcia.sys
18:01:00.0429 0968 pcmcia - ok
18:01:00.0460 0968 [ 58865916F53592A61549B04941BFD80D ] PEAUTH C:\Windows\system32\drivers\peauth.sys
18:01:00.0491 0968 PEAUTH - ok
18:01:00.0554 0968 [ 0ED8727EA0172860F47258456C06CAEA ] PerfHost C:\Windows\SysWow64\perfhost.exe
18:01:00.0616 0968 PerfHost - ok
18:01:00.0678 0968 [ E9E68C1A0F25CF4A7AC966EEA74EE89E ] pla C:\Windows\system32\pla.dll
18:01:00.0710 0968 pla - ok
18:01:00.0741 0968 [ FE6B0F59215C9FD9F9D26539C58C8B82 ] PlugPlay C:\Windows\system32\umpnpmgr.dll
18:01:00.0756 0968 PlugPlay - ok
18:01:00.0803 0968 [ 9AE31D2E1D15C10D91318E0EC149CEAC ] PNRPAutoReg C:\Windows\system32\p2psvc.dll
18:01:00.0803 0968 PNRPAutoReg - ok
18:01:00.0834 0968 [ 9AE31D2E1D15C10D91318E0EC149CEAC ] PNRPsvc C:\Windows\system32\p2psvc.dll
18:01:00.0834 0968 PNRPsvc - ok
18:01:00.0881 0968 [ 89A5560671C2D8B4A4B51F3E1AA069D8 ] PolicyAgent C:\Windows\System32\ipsecsvc.dll
18:01:00.0897 0968 PolicyAgent - ok
18:01:00.0944 0968 [ 23386E9952025F5F21C368971E2E7301 ] PptpMiniport C:\Windows\system32\DRIVERS\raspptp.sys
18:01:00.0944 0968 PptpMiniport - ok
18:01:00.0975 0968 [ 5080E59ECEE0BC923F14018803AA7A01 ] Processor C:\Windows\system32\drivers\processr.sys
18:01:00.0975 0968 Processor - ok
18:01:00.0990 0968 [ E058CE4FC2449D8BFA14739C83B7FF2A ] ProfSvc C:\Windows\system32\profsvc.dll
18:01:00.0990 0968 ProfSvc - ok
18:01:01.0022 0968 [ 260BF9C43EE12C6898A9F5AAB0FB0E5D ] ProtectedStorage C:\Windows\system32\lsass.exe
18:01:01.0022 0968 ProtectedStorage - ok
18:01:01.0053 0968 [ 1D0A3F565397D08707F3D75B88586645 ] Ps2 C:\Windows\system32\DRIVERS\PS2.sys
18:01:01.0053 0968 Ps2 - ok
18:01:01.0100 0968 [ C5AB7F0809392D0DA027F4A2A81BFA31 ] PSched C:\Windows\system32\DRIVERS\pacer.sys
18:01:01.0100 0968 PSched - ok
18:01:01.0146 0968 [ 0B83F4E681062F3839BE2EC1D98FD94A ] ql2300 C:\Windows\system32\drivers\ql2300.sys
18:01:01.0178 0968 ql2300 - ok
18:01:01.0193 0968 [ E1C80F8D4D1E39EF9595809C1369BF2A ] ql40xx C:\Windows\system32\drivers\ql40xx.sys
18:01:01.0193 0968 ql40xx - ok
18:01:01.0224 0968 [ 90574842C3DA781E279061A3EFF91F07 ] QWAVE C:\Windows\system32\qwave.dll
18:01:01.0224 0968 QWAVE - ok
18:01:01.0240 0968 [ E8D76EDAB77EC9C634C27B8EAC33ADC5 ] QWAVEdrv C:\Windows\system32\drivers\qwavedrv.sys
18:01:01.0240 0968 QWAVEdrv - ok
18:01:01.0256 0968 [ 1013B3B663A56D3DDD784F581C1BD005 ] RasAcd C:\Windows\system32\DRIVERS\rasacd.sys
18:01:01.0256 0968 RasAcd - ok
18:01:01.0271 0968 [ B2AE18F847D07F0044404DDF7CB04497 ] RasAuto C:\Windows\System32\rasauto.dll
18:01:01.0271 0968 RasAuto - ok
18:01:01.0287 0968 [ AC7BC4D42A7E558718DFDEC599BBFC2C ] Rasl2tp C:\Windows\system32\DRIVERS\rasl2tp.sys
18:01:01.0287 0968 Rasl2tp - ok
18:01:01.0302 0968 [ 3AD83E4046C43BE510DE681588ACB8AF ] RasMan C:\Windows\System32\rasmans.dll
18:01:01.0318 0968 RasMan - ok
18:01:01.0349 0968 [ 4517FBF8B42524AFE4EDE1DE102AAE3E ] RasPppoe C:\Windows\system32\DRIVERS\raspppoe.sys
18:01:01.0349 0968 RasPppoe - ok
18:01:01.0380 0968 [ C6A593B51F34C33E5474539544072527 ] RasSstp C:\Windows\system32\DRIVERS\rassstp.sys
18:01:01.0380 0968 RasSstp - ok
18:01:01.0443 0968 [ 322DB5C6B55E8D8EE8D6F358B2AAABB1 ] rdbss C:\Windows\system32\DRIVERS\rdbss.sys
18:01:01.0443 0968 rdbss - ok
18:01:01.0458 0968 [ 603900CC05F6BE65CCBF373800AF3716 ] RDPCDD C:\Windows\system32\DRIVERS\RDPCDD.sys
18:01:01.0505 0968 RDPCDD - ok
18:01:01.0536 0968 [ C045D1FB111C28DF0D1BE8D4BDA22C06 ] rdpdr C:\Windows\system32\drivers\rdpdr.sys
18:01:01.0536 0968 rdpdr - ok
18:01:01.0552 0968 [ CAB9421DAF3D97B33D0D055858E2C3AB ] RDPENCDD C:\Windows\system32\drivers\rdpencdd.sys
18:01:01.0552 0968 RDPENCDD - ok
18:01:01.0583 0968 [ AE4BD9E1C33D351D8E607FC81F15160C ] RDPWD C:\Windows\system32\drivers\RDPWD.sys
18:01:01.0583 0968 RDPWD - ok
18:01:01.0614 0968 [ C612B9557DA73F70D41F8A6FBC8E5344 ] RemoteAccess C:\Windows\System32\mprdim.dll
18:01:01.0614 0968 RemoteAccess - ok
18:01:01.0630 0968 [ 44B9D8EC2F3EF3A0EFB00857AF70D861 ] RemoteRegistry C:\Windows\system32\regsvc.dll
18:01:01.0630 0968 RemoteRegistry - ok
18:01:01.0661 0968 [ 9C3AC71A9934B884FAC567A8807E9C4D ] Revoflt C:\Windows\system32\DRIVERS\revoflt.sys
18:01:01.0677 0968 Revoflt - ok
18:01:01.0692 0968 [ F46C457840D4B7A4DAAFEE739CE04102 ] RpcLocator C:\Windows\system32\locator.exe
18:01:01.0692 0968 RpcLocator - ok
18:01:01.0755 0968 [ CF8B9A3A5E7DC57724A89D0C3E8CF9EF ] RpcSs C:\Windows\system32\rpcss.dll
18:01:01.0755 0968 RpcSs - ok
18:01:01.0770 0968 [ 22A9CB08B1A6707C1550C6BF099AAE73 ] rspndr C:\Windows\system32\DRIVERS\rspndr.sys
18:01:01.0770 0968 rspndr - ok
18:01:01.0770 0968 [ 260BF9C43EE12C6898A9F5AAB0FB0E5D ] SamSs C:\Windows\system32\lsass.exe
18:01:01.0786 0968 SamSs - ok
18:01:01.0802 0968 [ CD9C693589C60AD59BBBCFB0E524E01B ] sbp2port C:\Windows\system32\drivers\sbp2port.sys
18:01:01.0802 0968 sbp2port - ok
18:01:01.0833 0968 [ FD1CDCF108D5EF3366F00D18B70FB89B ] SCardSvr C:\Windows\System32\SCardSvr.dll
18:01:01.0833 0968 SCardSvr - ok
18:01:01.0895 0968 [ 0F838C811AD295D2A4489B9993096C63 ] Schedule C:\Windows\system32\schedsvc.dll
18:01:01.0911 0968 Schedule - ok
18:01:01.0958 0968 [ 5A268127633C7EE2A7FB87F39D748D56 ] SCPolicySvc C:\Windows\System32\certprop.dll
18:01:01.0958 0968 SCPolicySvc - ok
18:01:01.0973 0968 [ 4FF71B076A7760FE75EA5AE2D0EE0018 ] SDRSVC C:\Windows\System32\SDRSVC.dll
18:01:01.0989 0968 SDRSVC - ok
18:01:02.0004 0968 [ 3EA8A16169C26AFBEB544E0E48421186 ] secdrv C:\Windows\system32\drivers\secdrv.sys
18:01:02.0020 0968 secdrv - ok
18:01:02.0036 0968 [ 5ACDCBC67FCF894A1815B9F96D704490 ] seclogon C:\Windows\system32\seclogon.dll
18:01:02.0036 0968 seclogon - ok
18:01:02.0051 0968 [ 90973A64B96CD647FF81C79443618EED ] SENS C:\Windows\System32\sens.dll
18:01:02.0067 0968 SENS - ok
18:01:02.0067 0968 [ F71BFE7AC6C52273B7C82CBF1BB2A222 ] Serenum C:\Windows\system32\drivers\serenum.sys
18:01:02.0067 0968 Serenum - ok
18:01:02.0082 0968 [ E62FAC91EE288DB29A9696A9D279929C ] Serial C:\Windows\system32\drivers\serial.sys
18:01:02.0098 0968 Serial - ok
18:01:02.0114 0968 [ A842F04833684BCEEA7336211BE478DF ] sermouse C:\Windows\system32\drivers\sermouse.sys
18:01:02.0114 0968 sermouse - ok
18:01:02.0145 0968 [ A8E4A4407A09F35DCCC3771AF590B0C4 ] SessionEnv C:\Windows\system32\sessenv.dll
18:01:02.0145 0968 SessionEnv - ok
18:01:02.0160 0968 [ 14D4B4465193A87C127933978E8C4106 ] sffdisk C:\Windows\system32\drivers\sffdisk.sys
18:01:02.0160 0968 sffdisk - ok
18:01:02.0176 0968 [ 7073AEE3F82F3D598E3825962AA98AB2 ] sffp_mmc C:\Windows\system32\drivers\sffp_mmc.sys
18:01:02.0192 0968 sffp_mmc - ok
18:01:02.0192 0968 [ 35E59EBE4A01A0532ED67975161C7B82 ] sffp_sd C:\Windows\system32\drivers\sffp_sd.sys
18:01:02.0192 0968 sffp_sd - ok
18:01:02.0207 0968 [ 6B7838C94135768BD455CBDC23E39E5F ] sfloppy C:\Windows\system32\drivers\sfloppy.sys
18:01:02.0207 0968 sfloppy - ok
18:01:02.0254 0968 [ 56793271ECDEDD350C5ADD305603E963 ] ShellHWDetection C:\Windows\System32\shsvcs.dll
18:01:02.0270 0968 ShellHWDetection - ok
18:01:02.0285 0968 [ 7A5DE502AEB719D4594C6471060A78B3 ] SiSRaid2 C:\Windows\system32\drivers\sisraid2.sys
18:01:02.0285 0968 SiSRaid2 - ok
18:01:02.0301 0968 [ 3A2F769FAB9582BC720E11EA1DFB184D ] SiSRaid4 C:\Windows\system32\drivers\sisraid4.sys
18:01:02.0301 0968 SiSRaid4 - ok
18:01:02.0363 0968 [ A9A27A8E257B45A604FDAD4F26FE7241 ] slsvc C:\Windows\system32\SLsvc.exe
18:01:02.0410 0968 slsvc - ok
18:01:02.0441 0968 [ FD74B4B7C2088E390A30C85A896FC3AF ] SLUINotify C:\Windows\system32\SLUINotify.dll
18:01:02.0441 0968 SLUINotify - ok
18:01:02.0488 0968 [ 290B6F6A0EC4FCDFC90F5CB6D7020473 ] Smb C:\Windows\system32\DRIVERS\smb.sys
18:01:02.0504 0968 Smb - ok
18:01:02.0535 0968 [ F8F47F38909823B1AF28D60B96340CFF ] SNMPTRAP C:\Windows\System32\snmptrap.exe
18:01:02.0535 0968 SNMPTRAP - ok
18:01:02.0582 0968 [ 386C3C63F00A7040C7EC5E384217E89D ] spldr C:\Windows\system32\drivers\spldr.sys
18:01:02.0582 0968 spldr - ok
18:01:02.0628 0968 [ F66FF751E7EFC816D266977939EF5DC3 ] Spooler C:\Windows\System32\spoolsv.exe
18:01:02.0644 0968 Spooler - ok
18:01:02.0675 0968 [ 880A57FCCB571EBD063D4DD50E93E46D ] srv C:\Windows\system32\DRIVERS\srv.sys
18:01:02.0675 0968 srv - ok
18:01:02.0722 0968 [ A1AD14A6D7A37891FFFECA35EBBB0730 ] srv2 C:\Windows\system32\DRIVERS\srv2.sys
18:01:02.0738 0968 srv2 - ok
18:01:02.0784 0968 [ 4BED62F4FA4D8300973F1151F4C4D8A7 ] srvnet C:\Windows\system32\DRIVERS\srvnet.sys
18:01:02.0784 0968 srvnet - ok
18:01:02.0831 0968 [ 192C74646EC5725AEF3F80D19FF75F6A ] SSDPSRV C:\Windows\System32\ssdpsrv.dll
18:01:02.0831 0968 SSDPSRV - ok
18:01:02.0862 0968 [ 2EE3FA0308E6185BA64A9A7F2E74332B ] SstpSvc C:\Windows\system32\sstpsvc.dll
18:01:02.0862 0968 SstpSvc - ok
18:01:02.0894 0968 [ 14B4DB4381E4A55F570D8BB699B791D6 ] StillCam C:\Windows\system32\DRIVERS\serscan.sys
18:01:02.0894 0968 StillCam - ok
18:01:02.0956 0968 [ 15825C1FBFB8779992CB65087F316AF5 ] stisvc C:\Windows\System32\wiaservc.dll
18:01:02.0956 0968 stisvc - ok
18:01:02.0972 0968 [ 8A851CA908B8B974F89C50D2E18D4F0C ] swenum C:\Windows\system32\DRIVERS\swenum.sys
18:01:02.0972 0968 swenum - ok
18:01:03.0018 0968 [ 6DE37F4DE19D4EFD9C48C43ADDBC949A ] swprv C:\Windows\System32\swprv.dll
18:01:03.0034 0968 swprv - ok
18:01:03.0050 0968 [ 2F26A2C6FC96B29BEFF5D8ED74E6625B ] Symc8xx C:\Windows\system32\drivers\symc8xx.sys
18:01:03.0050 0968 Symc8xx - ok
18:01:03.0065 0968 [ A909667976D3BCCD1DF813FED517D837 ] Sym_hi C:\Windows\system32\drivers\sym_hi.sys
18:01:03.0081 0968 Sym_hi - ok
18:01:03.0081 0968 [ 36887B56EC2D98B9C362F6AE4DE5B7B0 ] Sym_u3 C:\Windows\system32\drivers\sym_u3.sys
18:01:03.0081 0968 Sym_u3 - ok
18:01:03.0143 0968 [ 92D7A8B0F87B036F17D25885937897A6 ] SysMain C:\Windows\system32\sysmain.dll
18:01:03.0159 0968 SysMain - ok
18:01:03.0174 0968 [ 005CE42567F9113A3BCCB3B20073B029 ] TabletInputService C:\Windows\System32\TabSvc.dll
18:01:03.0174 0968 TabletInputService - ok
18:01:03.0206 0968 [ CC2562B4D55E0B6A4758C65407F63B79 ] TapiSrv C:\Windows\System32\tapisrv.dll
18:01:03.0221 0968 TapiSrv - ok
18:01:03.0237 0968 [ CDBE8D7C1E201B911CDC346D06617FB5 ] TBS C:\Windows\System32\tbssvc.dll
18:01:03.0237 0968 TBS - ok
18:01:03.0299 0968 [ AC8D5728E6AD6A7C4819D9A67008337A ] Tcpip C:\Windows\system32\drivers\tcpip.sys
18:01:03.0299 0968 Tcpip - ok
18:01:03.0346 0968 [ AC8D5728E6AD6A7C4819D9A67008337A ] Tcpip6 C:\Windows\system32\DRIVERS\tcpip.sys
18:01:03.0346 0968 Tcpip6 - ok
18:01:03.0393 0968 [ FD8FDE859E38E40A20085EBB0C22B416 ] tcpipreg C:\Windows\system32\drivers\tcpipreg.sys
18:01:03.0393 0968 tcpipreg - ok
18:01:03.0408 0968 [ 1D8BF4AAA5FB7A2761475781DC1195BC ] TDPIPE C:\Windows\system32\drivers\tdpipe.sys
18:01:03.0408 0968 TDPIPE - ok
18:01:03.0424 0968 [ 7F7E00CDF609DF657F4CDA02DD1C9BB1 ] TDTCP C:\Windows\system32\drivers\tdtcp.sys
18:01:03.0424 0968 TDTCP - ok
18:01:03.0455 0968 [ 458919C8C42E398DC4802178D5FFEE27 ] tdx C:\Windows\system32\DRIVERS\tdx.sys
18:01:03.0455 0968 tdx - ok
18:01:03.0471 0968 [ 8C19678D22649EC002EF2282EAE92F98 ] TermDD C:\Windows\system32\DRIVERS\termdd.sys
18:01:03.0471 0968 TermDD - ok
18:01:03.0486 0968 [ 5CDD30BC217082DAC71A9878D9BFD566 ] TermService C:\Windows\System32\termsrv.dll
18:01:03.0549 0968 TermService - ok
18:01:03.0564 0968 [ 56793271ECDEDD350C5ADD305603E963 ] Themes C:\Windows\system32\shsvcs.dll
18:01:03.0564 0968 Themes - ok
18:01:03.0596 0968 [ 3CBE4995E80E13CCFBC42E5DCF3AC81A ] THREADORDER C:\Windows\system32\mmcss.dll
18:01:03.0596 0968 THREADORDER - ok
18:01:03.0627 0968 [ F4689F05AF472A651A7B1B7B02D200E7 ] TrkWks C:\Windows\System32\trkwks.dll
18:01:03.0627 0968 TrkWks - ok
18:01:03.0674 0968 [ 66328B08EF5A9305D8EDE36B93930369 ] TrustedInstaller C:\Windows\servicing\TrustedInstaller.exe
18:01:03.0674 0968 TrustedInstaller - ok
18:01:03.0689 0968 [ 9E5409CD17C8BEF193AAD498F3BC2CB8 ] tssecsrv C:\Windows\system32\DRIVERS\tssecsrv.sys
18:01:03.0705 0968 tssecsrv - ok
18:01:03.0705 0968 [ 89EC74A9E602D16A75A4170511029B3C ] tunmp C:\Windows\system32\DRIVERS\tunmp.sys
18:01:03.0720 0968 tunmp - ok
18:01:03.0752 0968 [ 30A9B3F45AD081BFFC3BCAA9C812B609 ] tunnel C:\Windows\system32\DRIVERS\tunnel.sys
18:01:03.0752 0968 tunnel - ok
18:01:03.0783 0968 [ FEC266EF401966311744BD0F359F7F56 ] uagp35 C:\Windows\system32\drivers\uagp35.sys
18:01:03.0783 0968 uagp35 - ok
18:01:03.0814 0968 [ FAF2640A2A76ED03D449E443194C4C34 ] udfs C:\Windows\system32\DRIVERS\udfs.sys
18:01:03.0830 0968 udfs - ok
18:01:03.0861 0968 [ 060507C4113391394478F6953A79EEDC ] UI0Detect C:\Windows\system32\UI0Detect.exe
18:01:03.0861 0968 UI0Detect - ok
18:01:03.0876 0968 [ 4EC9447AC3AB462647F60E547208CA00 ] uliagpkx C:\Windows\system32\drivers\uliagpkx.sys
18:01:03.0892 0968 uliagpkx - ok
18:01:03.0908 0968 [ 697F0446134CDC8F99E69306184FBBB4 ] uliahci C:\Windows\system32\drivers\uliahci.sys
18:01:03.0908 0968 uliahci - ok
18:01:03.0939 0968 [ 31707F09846056651EA2C37858F5DDB0 ] UlSata C:\Windows\system32\drivers\ulsata.sys
18:01:03.0939 0968 UlSata - ok
18:01:03.0970 0968 [ 85E5E43ED5B48C8376281BAB519271B7 ] ulsata2 C:\Windows\system32\drivers\ulsata2.sys
18:01:03.0970 0968 ulsata2 - ok
18:01:04.0001 0968 [ 46E9A994C4FED537DD951F60B86AD3F4 ] umbus C:\Windows\system32\DRIVERS\umbus.sys
18:01:04.0001 0968 umbus - ok
18:01:04.0017 0968 [ 7093799FF80E9DECA0680D2E3535BE60 ] upnphost C:\Windows\System32\upnphost.dll
18:01:04.0032 0968 upnphost - ok
18:01:04.0064 0968 [ FB251567F41BC61988B26731DEC19E4B ] USBAAPL64 C:\Windows\system32\Drivers\usbaapl64.sys
18:01:04.0064 0968 USBAAPL64 - ok
18:01:04.0142 0968 [ 07E3498FC60834219D2356293DA0FECC ] usbccgp C:\Windows\system32\DRIVERS\usbccgp.sys
18:01:04.0142 0968 usbccgp - ok
18:01:04.0157 0968 [ 9247F7E0B65852C1F6631480984D6ED2 ] usbcir C:\Windows\system32\drivers\usbcir.sys
18:01:04.0157 0968 usbcir - ok
18:01:04.0188 0968 [ 827E44DE934A736EA31E91D353EB126F ] usbehci C:\Windows\system32\DRIVERS\usbehci.sys
18:01:04.0188 0968 usbehci - ok
18:01:04.0220 0968 [ BB35CD80A2ECECFADC73569B3D70C7D1 ] usbhub C:\Windows\system32\DRIVERS\usbhub.sys
18:01:04.0235 0968 usbhub - ok
18:01:04.0251 0968 [ E406B003A354776D317762694956B0FC ] usbohci C:\Windows\system32\DRIVERS\usbohci.sys
18:01:04.0251 0968 usbohci - ok
18:01:04.0282 0968 [ 28B693B6D31E7B9332C1BDCEFEF228C1 ] usbprint C:\Windows\system32\DRIVERS\usbprint.sys
18:01:04.0282 0968 usbprint - ok
18:01:04.0329 0968 [ EA0BF666868964FBE8CB10E50C97B9F1 ] usbscan C:\Windows\system32\DRIVERS\usbscan.sys
18:01:04.0329 0968 usbscan - ok
18:01:04.0360 0968 [ B854C1558FCA0C269A38663E8B59B581 ] USBSTOR C:\Windows\system32\DRIVERS\USBSTOR.SYS
18:01:04.0376 0968 USBSTOR - ok
18:01:04.0391 0968 [ B2872CBF9F47316ABD0E0C74A1ABA507 ] usbuhci C:\Windows\system32\DRIVERS\usbuhci.sys
18:01:04.0391 0968 usbuhci - ok
18:01:04.0438 0968 [ D76E231E4850BB3F88A3D9A78DF191E3 ] UxSms C:\Windows\System32\uxsms.dll
18:01:04.0438 0968 UxSms - ok
18:01:04.0485 0968 [ 294945381DFA7CE58CECF0A9896AF327 ] vds C:\Windows\System32\vds.exe
18:01:04.0485 0968 vds - ok
18:01:04.0516 0968 [ 916B94BCF1E09873FFF2D5FB11767BBC ] vga C:\Windows\system32\DRIVERS\vgapnp.sys
18:01:04.0516 0968 vga - ok
18:01:04.0547 0968 [ B83AB16B51FEDA65DD81B8C59D114D63 ] VgaSave C:\Windows\System32\drivers\vga.sys
18:01:04.0547 0968 VgaSave - ok
18:01:04.0563 0968 [ 8294B6C3FDB6C33F24E150DE647ECDAA ] viaide C:\Windows\system32\drivers\viaide.sys
18:01:04.0563 0968 viaide - ok
18:01:04.0578 0968 [ 2B7E885ED951519A12C450D24535DFCA ] volmgr C:\Windows\system32\drivers\volmgr.sys
18:01:04.0578 0968 volmgr - ok
18:01:04.0641 0968 [ CEC5AC15277D75D9E5DEC2E1C6EAF877 ] volmgrx C:\Windows\system32\drivers\volmgrx.sys
18:01:04.0641 0968 volmgrx - ok
18:01:04.0672 0968 [ 5280AADA24AB36B01A84A6424C475C8D ] volsnap C:\Windows\system32\drivers\volsnap.sys
18:01:04.0688 0968 volsnap - ok
18:01:04.0719 0968 [ A68F455ED2673835209318DD61BFBB0E ] vsmraid C:\Windows\system32\drivers\vsmraid.sys
18:01:04.0719 0968 vsmraid - ok
18:01:04.0766 0968 [ B75232DAD33BFD95BF6F0A3E6BFF51E1 ] VSS C:\Windows\system32\vssvc.exe
18:01:04.0797 0968 VSS - ok
18:01:04.0859 0968 [ 7DB85B78309C05C9F06F469ED976DC9E ] vToolbarUpdater13.2.0 C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\13.2.0\ToolbarUpdater.exe
18:01:04.0875 0968 vToolbarUpdater13.2.0 - ok
18:01:04.0922 0968 [ F14A7DE2EA41883E250892E1E5230A9A ] W32Time C:\Windows\system32\w32time.dll
18:01:04.0922 0968 W32Time - ok
18:01:04.0937 0968 [ FEF8FE5923FEAD2CEE4DFABFCE3393A7 ] WacomPen C:\Windows\system32\drivers\wacompen.sys
18:01:04.0953 0968 WacomPen - ok
18:01:05.0000 0968 [ B8E7049622300D20BA6D8BE0C47C0CFD ] Wanarp C:\Windows\system32\DRIVERS\wanarp.sys
18:01:05.0000 0968 Wanarp - ok
18:01:05.0000 0968 [ B8E7049622300D20BA6D8BE0C47C0CFD ] Wanarpv6 C:\Windows\system32\DRIVERS\wanarp.sys
18:01:05.0000 0968 Wanarpv6 - ok
18:01:05.0031 0968 [ B4E4C37D0AA6100090A53213EE2BF1C1 ] wcncsvc C:\Windows\System32\wcncsvc.dll
18:01:05.0046 0968 wcncsvc - ok
18:01:05.0062 0968 [ EA4B369560E986F19D93F45A881484AC ] WcsPlugInService C:\Windows\System32\WcsPlugInService.dll
18:01:05.0078 0968 WcsPlugInService - ok
18:01:05.0078 0968 [ 0C17A0816F65B89E362E682AD5E7266E ] Wd C:\Windows\system32\drivers\wd.sys
18:01:05.0093 0968 Wd - ok
18:01:05.0124 0968 [ D02E7E4567DA1E7582FBF6A91144B0DF ] Wdf01000 C:\Windows\system32\drivers\Wdf01000.sys
18:01:05.0140 0968 Wdf01000 - ok
18:01:05.0156 0968 [ C5EFDA73EBFCA8B02A094898DE0A9276 ] WdiServiceHost C:\Windows\system32\wdi.dll
18:01:05.0156 0968 WdiServiceHost - ok
18:01:05.0171 0968 [ C5EFDA73EBFCA8B02A094898DE0A9276 ] WdiSystemHost C:\Windows\system32\wdi.dll
18:01:05.0171 0968 WdiSystemHost - ok
18:01:05.0187 0968 [ 3E6D05381CF35F75EBB055544A8ED9AC ] WebClient C:\Windows\System32\webclnt.dll
18:01:05.0187 0968 WebClient - ok
18:01:05.0218 0968 [ 8D40BC587993F876658BF9FB0F7D3462 ] Wecsvc C:\Windows\system32\wecsvc.dll
18:01:05.0218 0968 Wecsvc - ok
18:01:05.0234 0968 [ 9C980351D7E96288EA0C23AE232BD065 ] wercplsupport C:\Windows\System32\wercplsupport.dll
18:01:05.0249 0968 wercplsupport - ok
18:01:05.0265 0968 [ 66B9ECEBC46683F47EDC06333C075FEF ] WerSvc C:\Windows\System32\WerSvc.dll
18:01:05.0265 0968 WerSvc - ok
18:01:05.0296 0968 [ 8A22B0C097336AACE9BBCEB81EC6FD63 ] winachsf C:\Windows\system32\DRIVERS\CAX_CNXT.sys
18:01:05.0312 0968 winachsf - ok
18:01:05.0312 0968 WinDefend - ok
18:01:05.0327 0968 WinHttpAutoProxySvc - ok
18:01:05.0390 0968 [ D2E7296ED1BD26D8DB2799770C077A02 ] Winmgmt C:\Windows\system32\wbem\WMIsvc.dll
18:01:05.0390 0968 Winmgmt - ok
18:01:05.0452 0968 [ 6CBB0C68F13B9C2EC1B16F5FA5E7C869 ] WinRM C:\Windows\system32\WsmSvc.dll
18:01:05.0499 0968 WinRM - ok
18:01:05.0546 0968 [ EC339C8115E91BAED835957E9A677F16 ] Wlansvc C:\Windows\System32\wlansvc.dll
18:01:05.0608 0968 Wlansvc - ok
18:01:05.0624 0968 [ E18AEBAAA5A773FE11AA2C70F65320F5 ] WmiAcpi C:\Windows\system32\DRIVERS\wmiacpi.sys
18:01:05.0624 0968 WmiAcpi - ok
18:01:05.0670 0968 [ 21FA389E65A852698B6A1341F36EE02D ] wmiApSrv C:\Windows\system32\wbem\WmiApSrv.exe
18:01:05.0670 0968 wmiApSrv - ok
18:01:05.0686 0968 WMPNetworkSvc - ok
18:01:05.0702 0968 [ CBC156C913F099E6680D1DF9307DB7A8 ] WPCSvc C:\Windows\System32\wpcsvc.dll
18:01:05.0717 0968 WPCSvc - ok
18:01:05.0748 0968 [ 490A18B4E4D53DC10879DEAA8E8B70D9 ] WPDBusEnum C:\Windows\system32\wpdbusenum.dll
18:01:05.0748 0968 WPDBusEnum - ok
18:01:05.0795 0968 [ 5E2401B3FC1089C90E081291357371A9 ] WpdUsb C:\Windows\system32\DRIVERS\wpdusb.sys
18:01:05.0811 0968 WpdUsb - ok
18:01:05.0951 0968 [ 991E2C2CF3BC204C2BB2EE1476149E4E ] WPFFontCache_v0400 C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe
18:01:05.0967 0968 WPFFontCache_v0400 - ok
18:01:05.0982 0968 [ 8A900348370E359B6BFF6A550E4649E1 ] ws2ifsl C:\Windows\system32\drivers\ws2ifsl.sys
18:01:05.0998 0968 ws2ifsl - ok
18:01:06.0014 0968 [ 9EA3E6D0EF7A5C2B9181961052A4B01A ] wscsvc C:\Windows\system32\wscsvc.dll
18:01:06.0014 0968 wscsvc - ok
18:01:06.0029 0968 WSearch - ok
18:01:06.0107 0968 [ D9EF901DCA379CFE914E9FA13B73B4C4 ] wuauserv C:\Windows\system32\wuaueng.dll
18:01:06.0138 0968 wuauserv - ok
18:01:06.0185 0968 [ 501A65252617B495C0F1832F908D54D8 ] WUDFRd C:\Windows\system32\DRIVERS\WUDFRd.sys
18:01:06.0201 0968 WUDFRd - ok
18:01:06.0216 0968 [ 6CBD51FF913C851D56ED9DC7F2A27DDE ] wudfsvc C:\Windows\System32\WUDFSvc.dll
18:01:06.0232 0968 wudfsvc - ok
18:01:06.0248 0968 [ 1912006552F36FE7E61AEED34BBDDAE8 ] XAudio C:\Windows\system32\DRIVERS\xaudio64.sys
18:01:06.0248 0968 XAudio - ok
18:01:06.0263 0968 XAudioService - ok
18:01:06.0310 0968 [ DD0042F0C3B606A6A8B92D49AFB18AD6 ] YahooAUService C:\Program Files (x86)\Yahoo!\SoftwareUpdate\YahooAUService.exe
18:01:06.0326 0968 YahooAUService - ok
18:01:06.0341 0968 ================ Scan global ===============================
18:01:06.0357 0968 [ 060DC3A7A9A2626031EB23D90151428D ] C:\Windows\system32\basesrv.dll
18:01:06.0404 0968 [ AA137104CDFC81818A309CDE32ABB74A ] C:\Windows\system32\winsrv.dll
18:01:06.0419 0968 [ AA137104CDFC81818A309CDE32ABB74A ] C:\Windows\system32\winsrv.dll
18:01:06.0450 0968 [ DFAC660F0F139276CC9299812DE42719 ] C:\Windows\system32\services.exe
18:01:06.0513 0968 [Global] - ok
18:01:06.0513 0968 ================ Scan MBR ==================================
18:01:06.0544 0968 [ 81CD5EC01DB0CE57EDD853F82462EF27 ] \Device\Harddisk0\DR0
18:01:06.0903 0968 \Device\Harddisk0\DR0 - ok
18:01:06.0918 0968 [ 06449E7C4AF0550B77E260798769AA40 ] \Device\Harddisk1\DR1
18:01:06.0918 0968 \Device\Harddisk1\DR1 - ok
18:01:06.0918 0968 ================ Scan VBR ==================================
18:01:06.0918 0968 [ 8D1CA09794DE86BB4E86104F3635F48E ] \Device\Harddisk0\DR0\Partition1
18:01:06.0934 0968 \Device\Harddisk0\DR0\Partition1 - ok
18:01:06.0934 0968 [ A70F436686F2696A404D9C327A9DC9C6 ] \Device\Harddisk0\DR0\Partition2
18:01:06.0934 0968 \Device\Harddisk0\DR0\Partition2 - ok
18:01:06.0934 0968 [ 18246E28E79A513EADC02E86BCF7DE07 ] \Device\Harddisk1\DR1\Partition1
18:01:06.0934 0968 \Device\Harddisk1\DR1\Partition1 - ok
18:01:06.0950 0968 ============================================================
18:01:06.0950 0968 Scan finished
18:01:06.0950 0968 ============================================================
18:01:06.0950 0700 Detected object count: 0
18:01:06.0950 0700 Actual detected object count: 0

#23 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,312 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:12:46 AM

Posted 05 December 2012 - 07:40 PM

Hello

I would like you to download an updated version of combofix.

update combofix

Delete the version of combofix you have now on your desktop and download a new one from here

Link 1
Link 2
Link 3
**Note: It is important that it is saved directly to your desktop**

1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note:Do not mouseclick combofix's window while it's running. That may cause it to stall

Note 2: If you recieve an error "Illegal operation attempted on a registery key that has been marked for deletion." Please restart the computer
[/list]
"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic


Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#24 Mikeyb1

Mikeyb1
  • Topic Starter

  • Members
  • 133 posts
  • OFFLINE
  •  
  • Local time:11:46 PM

Posted 06 December 2012 - 08:54 AM

ComboFix 12-12-04.01 - user 12/05/2012 19:08:04.3.2 - x64
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3964.2377 [GMT -6:00]
Running from: c:\users\user\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free Edition 2013 *Disabled/Updated* {0E9420C4-06B3-7FA0-3AB1-6E49CB52ECD9}
SP: AVG Anti-Virus Free Edition 2013 *Disabled/Updated* {B5F5C120-2089-702E-0001-553BB0D5A664}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\user\AppData\Local\{1E58CE49-5124-48B1-8901-6C23A783B31E}
c:\users\user\AppData\Local\{1E58CE49-5124-48B1-8901-6C23A783B31E}\chrome.manifest
c:\users\user\AppData\Local\{1E58CE49-5124-48B1-8901-6C23A783B31E}\chrome\content\_cfg.js
c:\users\user\AppData\Local\{1E58CE49-5124-48B1-8901-6C23A783B31E}\chrome\content\overlay.xul
c:\users\user\AppData\Local\{1E58CE49-5124-48B1-8901-6C23A783B31E}\install.rdf
c:\users\user\AppData\Roaming\kikin
c:\users\user\AppData\Roaming\kikin\cr_kkes.xml
c:\users\user\AppData\Roaming\kikin\ff_kkes.xml
c:\users\user\AppData\Roaming\kikin\ie_configuration.xml
c:\users\user\AppData\Roaming\kikin\ie_kkes.xml
c:\users\user\AppData\Roaming\kikin\ie_settings.xml
c:\users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Live Security Platinum
c:\windows\SwSys1.bmp
c:\windows\SwSys2.bmp
.
.
((((((((((((((((((((((((( Files Created from 2012-11-06 to 2012-12-06 )))))))))))))))))))))))))))))))
.
.
2012-12-06 07:22 . 2012-12-06 13:31 -------- d-----w- c:\users\user\AppData\Local\temp
2012-12-06 07:22 . 2012-12-06 07:22 -------- d-----w- c:\users\Doug\AppData\Local\temp
2012-12-06 07:22 . 2012-12-06 07:22 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-12-06 00:16 . 2012-11-19 07:01 9125352 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{176787F7-B1F7-4BA1-A7BA-F0D095F11730}\mpengine.dll
2012-12-03 20:28 . 2012-12-03 20:28 -------- d-----w- C:\FRST
2012-11-30 01:29 . 2012-11-30 01:29 -------- d-----w- c:\program files (x86)\ESET
2012-11-29 19:32 . 2012-11-29 19:32 -------- d-----w- c:\program files (x86)\ERUNT
2012-11-29 19:23 . 2012-12-03 15:01 -------- d-----w- C:\TDSSKiller_Quarantine
2012-11-29 17:46 . 2012-11-29 17:46 -------- d-----w- c:\users\user\AppData\Local\VS Revo Group
2012-11-29 17:46 . 2009-12-30 17:21 31800 ----a-w- c:\windows\system32\drivers\revoflt.sys
2012-11-29 17:46 . 2012-11-29 17:46 -------- d-----w- c:\program files\VS Revo Group
2012-11-29 15:55 . 2012-11-29 15:55 -------- d-----w- c:\users\user\AppData\Roaming\AVG2013
2012-11-29 15:47 . 2012-11-29 15:47 -------- d-----w- c:\users\user\AppData\Local\AVG Secure Search
2012-11-29 15:47 . 2012-11-29 15:47 -------- d-----w- c:\users\user\AppData\Roaming\TuneUp Software
2012-11-29 15:46 . 2012-11-29 15:46 30568 ----a-w- c:\windows\system32\drivers\avgtpx64.sys
2012-11-29 15:46 . 2012-12-02 21:53 -------- d-----w- c:\program files (x86)\Common Files\AVG Secure Search
2012-11-29 15:46 . 2012-11-29 15:47 -------- d-----w- c:\programdata\AVG2013
2012-11-29 15:46 . 2012-11-29 15:46 -------- d-----w- C:\$AVG
2012-11-29 15:45 . 2012-11-29 15:45 -------- d-----w- c:\program files (x86)\AVG
2012-11-29 15:27 . 2012-11-29 15:27 -------- d--h--w- c:\programdata\Common Files
2012-11-29 15:27 . 2012-12-06 00:08 -------- d-----w- c:\programdata\MFAData
2012-11-29 15:27 . 2012-11-29 19:24 -------- d-----w- c:\users\user\AppData\Local\Avg2013
2012-11-29 15:27 . 2012-11-29 15:27 -------- d-----w- c:\users\user\AppData\Local\MFAData
2012-11-28 15:30 . 2012-11-28 15:30 -------- d-----w- c:\users\user\AppData\Roaming\Malwarebytes
2012-11-28 15:29 . 2012-11-28 15:29 -------- d-----w- c:\programdata\Malwarebytes
2012-11-28 15:29 . 2012-11-30 00:44 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-11-28 15:29 . 2012-09-30 01:54 25928 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-11-27 19:13 . 2012-11-27 19:13 -------- d-----w-rogram Files (x86) c:\progra~3\OOROGR~1
2012-11-26 12:48 . 2012-11-26 12:49 -------- d-----w-ogram Files (x86) c:\progra~3\ROD9E4~1
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-10-30 03:04 . 2006-11-02 12:35 66395536 ----a-w- c:\windows\system32\mrt.exe
2012-10-22 19:02 . 2012-10-22 19:02 154464 ----a-w- c:\windows\system32\drivers\avgidsdrivera.sys
2012-10-15 09:48 . 2012-10-15 09:48 63328 ----a-w- c:\windows\system32\drivers\avgidsha.sys
2012-10-08 18:30 . 2012-03-30 18:53 696760 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-10-08 18:30 . 2011-06-02 13:11 73656 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-10-08 18:30 . 2012-09-20 20:30 9575864 ----a-w- c:\windows\SysWow64\FlashPlayerInstaller.exe
2012-10-05 09:32 . 2012-10-05 09:32 111456 ----a-w- c:\windows\system32\drivers\avgmfx64.sys
2012-10-02 09:30 . 2012-10-02 09:30 185696 ----a-w- c:\windows\system32\drivers\avgldx64.sys
2012-09-21 09:46 . 2012-09-21 09:46 200032 ----a-w- c:\windows\system32\drivers\avgtdia.sys
2012-09-21 09:46 . 2012-09-21 09:46 225120 ----a-w- c:\windows\system32\drivers\avgloga.sys
2012-09-14 09:05 . 2012-09-14 09:05 40800 ----a-w- c:\windows\system32\drivers\avgrkx64.sys
2012-09-12 22:26 . 2012-09-12 22:23 489712 ----a-w- c:\users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Catalina Marketing Corp\UninstallCouponActivator.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1555968]
"HPAdvisor"="c:\program files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2010-06-30 1689144]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 138240]
"LightScribe Control Panel"="c:\program files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe" [2008-08-22 2363392]
"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-03-28 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2007-04-18 65536]
"KBD"="c:\program files (x86)\Hewlett-Packard\KBD\KbdStub.EXE" [2008-07-21 12288]
"HP Health Check Scheduler"="c:\program files (x86)\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-10-09 75008]
"UpdateP2GoShortCut"="c:\program files (x86)\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]
"UpdatePDIRShortCut"="c:\program files (x86)\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]
"UpdatePSTShortCut"="c:\program files (x86)\CyberLink\CyberLink DVD Suite Deluxe\MUITransfer\MUIStartMenu.exe" [2008-09-11 210216]
"TSMAgent"="c:\program files (x86)\Hewlett-Packard\TouchSmart\Media\TSMAgent.exe" [2008-10-17 1152296]
"CLMLServer for HP TouchSmart"="c:\program files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe" [2008-10-17 189736]
"DVDAgent"="c:\program files (x86)\Hewlett-Packard\Media\DVD\DVDAgent.exe" [2008-09-26 1148200]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2011-10-24 421888]
"TkBellExe"="c:\program files (x86)\real\realplayer\Update\realsched.exe" [2012-01-01 296056]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-03-27 421736]
"AVG_UI"="c:\program files (x86)\AVG\AVG2013\avgui.exe" [2012-11-07 3143800]
.
c:\users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files (x86)\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
PictureMover.lnk - c:\program files (x86)\PictureMover\Bin\PictureMover.exe [2008-9-8 430080]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
Themes
.
Contents of the 'Scheduled Tasks' folder
.
2012-12-06 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-30 18:30]
.
2012-12-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2009-12-28 02:04]
.
2012-12-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2009-12-28 02:04]
.
2012-11-26 c:\windows\Tasks\HPCeeScheduleForuser.job
- c:\program files (x86)\Hewlett-Packard\SDP\Ceement\HPCEE.exe [2009-06-02 18:12]
.
2012-11-29 c:\windows\Tasks\PCDRScheduledMaintenance.job
- c:\program files\PC-Doctor for Windows\pcdr5cuiw32.exe [2008-09-10 16:43]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-12 15853088]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-12 82464]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uLocal Page = c:\windows\system32\blank.htm
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=bestbuy&pf=cndt
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=bestbuy&pf=cndt
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Free YouTube to MP3 Converter - c:\users\user\AppData\Roaming\DVDVideoSoftIEHelpers\freeyoutubetomp3converter.htm
IE: {{9FB232C5-6909-4F81-99B4-BAB4998940F2}
TCP: DhcpNameServer = 192.168.1.254
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKLM-Run-<NO NAME> - (no file)
Wow6432Node-HKLM-Run-vProt - c:\program files (x86)\AVG Secure Search\vprot.exe
Wow6432Node-HKLM-Run-ROC_roc_ssl_v12 - c:\program files (x86)\AVG Secure Search\ROC_roc_ssl_v12.exe
WebBrowser-{00F2C0C6-2194-484E-9064-44E57787867B} - (no file)
HKLM-Run-SmartMenu - c:\program files (x86)\Hewlett-Packard\HP MediaSmart\SmartMenu.exe
.
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\PCD5SRVC{8AAF211B-043E02A9-05040000}]
"ImagePath"="\??\c:\progra~1\PC-DOC~1\PCD5SRVC_x64.pkms"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_4_402_287_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_4_402_287_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"
.
[HKEY_LOCAL_MACHINE\software\McAfee]
"SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,6d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,6f,00,66,00,\
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
------------------------ Other Running Processes ------------------------
.
c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\AVG\AVG2013\avgidsagent.exe
c:\program files (x86)\AVG\AVG2013\avgwdsvc.exe
c:\program files (x86)\Common Files\LightScribe\LSSrvc.exe
c:\program files (x86)\Common Files\Motive\McciCMService.exe
c:\program files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\13.2.0\ToolbarUpdater.exe
c:\program files (x86)\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\program files (x86)\Hewlett-Packard\KBD\kbd.exe
.
**************************************************************************
.
Completion time: 2012-12-06 07:40:17 - machine was rebooted
ComboFix-quarantined-files.txt 2012-12-06 13:40
.
Pre-Run: 248,027,222,016 bytes free
Post-Run: 252,543,922,176 bytes free
.
- - End Of File - - 8EBA588E08DCE7E5A4CCF7F2B3DD9374

#25 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,312 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:12:46 AM

Posted 06 December 2012 - 06:56 PM

Greetings

At this time I would like you to run this script for me and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

Save it to your desktop as CFScript.txt

Refering to the picture above, drag CFScript.txt into ComboFix.exe
Posted Image
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Note 2: If you recieve an error "Illegal operation attempted on a registery key that has been marked for deletion." Please restart the computer

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

Edited by gringo_pr, 06 December 2012 - 06:57 PM.

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic


Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#26 Mikeyb1

Mikeyb1
  • Topic Starter

  • Members
  • 133 posts
  • OFFLINE
  •  
  • Local time:11:46 PM

Posted 07 December 2012 - 09:39 AM

ComboFix 12-12-04.01 - user 12/06/2012 21:42:15.4.2 - x64
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3964.1602 [GMT -6:00]
Running from: c:\users\user\Desktop\ComboFix.exe
Command switches used :: c:\users\user\Desktop\CFScript.txt
AV: AVG Anti-Virus Free Edition 2013 *Disabled/Updated* {0E9420C4-06B3-7FA0-3AB1-6E49CB52ECD9}
SP: AVG Anti-Virus Free Edition 2013 *Disabled/Updated* {B5F5C120-2089-702E-0001-553BB0D5A664}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((( Files Created from 2012-11-07 to 2012-12-07 )))))))))))))))))))))))))))))))
.
.
2012-12-07 10:18 . 2012-12-07 10:18 -------- d-----w- c:\users\user\AppData\Local\temp
2012-12-07 10:18 . 2012-12-07 10:18 -------- d-----w- c:\users\Doug\AppData\Local\temp
2012-12-07 10:18 . 2012-12-07 10:18 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-12-06 00:16 . 2012-11-19 07:01 9125352 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{176787F7-B1F7-4BA1-A7BA-F0D095F11730}\mpengine.dll
2012-12-03 20:28 . 2012-12-03 20:28 -------- d-----w- C:\FRST
2012-11-30 01:29 . 2012-11-30 01:29 -------- d-----w- c:\program files (x86)\ESET
2012-11-29 19:32 . 2012-11-29 19:32 -------- d-----w- c:\program files (x86)\ERUNT
2012-11-29 19:23 . 2012-12-03 15:01 -------- d-----w- C:\TDSSKiller_Quarantine
2012-11-29 17:46 . 2012-11-29 17:46 -------- d-----w- c:\users\user\AppData\Local\VS Revo Group
2012-11-29 17:46 . 2009-12-30 17:21 31800 ----a-w- c:\windows\system32\drivers\revoflt.sys
2012-11-29 17:46 . 2012-11-29 17:46 -------- d-----w- c:\program files\VS Revo Group
2012-11-29 15:55 . 2012-11-29 15:55 -------- d-----w- c:\users\user\AppData\Roaming\AVG2013
2012-11-29 15:47 . 2012-11-29 15:47 -------- d-----w- c:\users\user\AppData\Local\AVG Secure Search
2012-11-29 15:47 . 2012-11-29 15:47 -------- d-----w- c:\users\user\AppData\Roaming\TuneUp Software
2012-11-29 15:46 . 2012-11-29 15:46 30568 ----a-w- c:\windows\system32\drivers\avgtpx64.sys
2012-11-29 15:46 . 2012-12-02 21:53 -------- d-----w- c:\program files (x86)\Common Files\AVG Secure Search
2012-11-29 15:46 . 2012-11-29 15:47 -------- d-----w- c:\programdata\AVG2013
2012-11-29 15:46 . 2012-11-29 15:46 -------- d-----w- C:\$AVG
2012-11-29 15:45 . 2012-11-29 15:45 -------- d-----w- c:\program files (x86)\AVG
2012-11-29 15:27 . 2012-11-29 15:27 -------- d--h--w- c:\programdata\Common Files
2012-11-29 15:27 . 2012-12-06 23:54 -------- d-----w- c:\programdata\MFAData
2012-11-29 15:27 . 2012-11-29 19:24 -------- d-----w- c:\users\user\AppData\Local\Avg2013
2012-11-29 15:27 . 2012-11-29 15:27 -------- d-----w- c:\users\user\AppData\Local\MFAData
2012-11-28 15:30 . 2012-11-28 15:30 -------- d-----w- c:\users\user\AppData\Roaming\Malwarebytes
2012-11-28 15:29 . 2012-11-28 15:29 -------- d-----w- c:\programdata\Malwarebytes
2012-11-28 15:29 . 2012-11-30 00:44 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-11-28 15:29 . 2012-09-30 01:54 25928 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-11-27 19:13 . 2012-11-27 19:13 -------- d-----w-rogram Files (x86) c:\progra~3\OOROGR~1
2012-11-26 12:48 . 2012-11-26 12:49 -------- d-----w-ogram Files (x86) c:\progra~3\ROD9E4~1
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-10-30 03:04 . 2006-11-02 12:35 66395536 ----a-w- c:\windows\system32\mrt.exe
2012-10-22 19:02 . 2012-10-22 19:02 154464 ----a-w- c:\windows\system32\drivers\avgidsdrivera.sys
2012-10-15 09:48 . 2012-10-15 09:48 63328 ----a-w- c:\windows\system32\drivers\avgidsha.sys
2012-10-08 18:30 . 2012-03-30 18:53 696760 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-10-08 18:30 . 2011-06-02 13:11 73656 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-10-08 18:30 . 2012-09-20 20:30 9575864 ----a-w- c:\windows\SysWow64\FlashPlayerInstaller.exe
2012-10-05 09:32 . 2012-10-05 09:32 111456 ----a-w- c:\windows\system32\drivers\avgmfx64.sys
2012-10-02 09:30 . 2012-10-02 09:30 185696 ----a-w- c:\windows\system32\drivers\avgldx64.sys
2012-09-21 09:46 . 2012-09-21 09:46 200032 ----a-w- c:\windows\system32\drivers\avgtdia.sys
2012-09-21 09:46 . 2012-09-21 09:46 225120 ----a-w- c:\windows\system32\drivers\avgloga.sys
2012-09-14 09:05 . 2012-09-14 09:05 40800 ----a-w- c:\windows\system32\drivers\avgrkx64.sys
2012-09-12 22:26 . 2012-09-12 22:23 489712 ----a-w- c:\users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Catalina Marketing Corp\UninstallCouponActivator.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1555968]
"HPAdvisor"="c:\program files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2010-06-30 1689144]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 138240]
"LightScribe Control Panel"="c:\program files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe" [2008-08-22 2363392]
"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-03-28 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2007-04-18 65536]
"KBD"="c:\program files (x86)\Hewlett-Packard\KBD\KbdStub.EXE" [2008-07-21 12288]
"HP Health Check Scheduler"="c:\program files (x86)\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-10-09 75008]
"UpdateP2GoShortCut"="c:\program files (x86)\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]
"UpdatePDIRShortCut"="c:\program files (x86)\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]
"UpdatePSTShortCut"="c:\program files (x86)\CyberLink\CyberLink DVD Suite Deluxe\MUITransfer\MUIStartMenu.exe" [2008-09-11 210216]
"TSMAgent"="c:\program files (x86)\Hewlett-Packard\TouchSmart\Media\TSMAgent.exe" [2008-10-17 1152296]
"CLMLServer for HP TouchSmart"="c:\program files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe" [2008-10-17 189736]
"DVDAgent"="c:\program files (x86)\Hewlett-Packard\Media\DVD\DVDAgent.exe" [2008-09-26 1148200]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2011-10-24 421888]
"TkBellExe"="c:\program files (x86)\real\realplayer\Update\realsched.exe" [2012-01-01 296056]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-03-27 421736]
"AVG_UI"="c:\program files (x86)\AVG\AVG2013\avgui.exe" [2012-11-07 3143800]
.
c:\users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files (x86)\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
PictureMover.lnk - c:\program files (x86)\PictureMover\Bin\PictureMover.exe [2008-9-8 430080]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
Themes
.
Contents of the 'Scheduled Tasks' folder
.
2012-12-07 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-30 18:30]
.
2012-12-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2009-12-28 02:04]
.
2012-12-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2009-12-28 02:04]
.
2012-11-26 c:\windows\Tasks\HPCeeScheduleForuser.job
- c:\program files (x86)\Hewlett-Packard\SDP\Ceement\HPCEE.exe [2009-06-02 18:12]
.
2012-11-29 c:\windows\Tasks\PCDRScheduledMaintenance.job
- c:\program files\PC-Doctor for Windows\pcdr5cuiw32.exe [2008-09-10 16:43]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-12 15853088]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-12 82464]
"SmartMenu"="c:\program files (x86)\Hewlett-Packard\HP MediaSmart\SmartMenu.exe" [BU]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uLocal Page = c:\windows\system32\blank.htm
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=bestbuy&pf=cndt
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=bestbuy&pf=cndt
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Free YouTube to MP3 Converter - c:\users\user\AppData\Roaming\DVDVideoSoftIEHelpers\freeyoutubetomp3converter.htm
IE: {{9FB232C5-6909-4F81-99B4-BAB4998940F2}
TCP: DhcpNameServer = 192.168.1.254
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKLM-Run-<NO NAME> - (no file)
WebBrowser-{00F2C0C6-2194-484E-9064-44E57787867B} - (no file)
.
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\PCD5SRVC{8AAF211B-043E02A9-05040000}]
"ImagePath"="\??\c:\progra~1\PC-DOC~1\PCD5SRVC_x64.pkms"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_4_402_287_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_4_402_287_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"
.
[HKEY_LOCAL_MACHINE\software\McAfee]
"SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,6d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,6f,00,66,00,\
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2012-12-07 04:23:40
ComboFix-quarantined-files.txt 2012-12-07 10:23
ComboFix2.txt 2012-12-06 13:40
.
Pre-Run: 248,329,093,120 bytes free
Post-Run: 248,457,015,296 bytes free
.
- - End Of File - - FEC69006C6B946DFB21D42F82EFE5995

#27 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,312 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:12:46 AM

Posted 07 December 2012 - 11:44 AM

Greetings

At this time I would like you to run this script for me and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache:: 

File::
c:\windows\system32\devenum0.dll
c:\windows\Tasks\fcnkx.job

Save it to your desktop as CFScript.txt

Refering to the picture above, drag CFScript.txt into ComboFix.exe
Posted Image
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Note 2: If you recieve an error "Illegal operation attempted on a registery key that has been marked for deletion." Please restart the computer

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic


Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#28 Mikeyb1

Mikeyb1
  • Topic Starter

  • Members
  • 133 posts
  • OFFLINE
  •  
  • Local time:11:46 PM

Posted 07 December 2012 - 04:49 PM

ComboFix 12-12-04.01 - user 12/07/2012 10:55:06.5.2 - x64
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3964.1191 [GMT -6:00]
Running from: c:\users\user\Desktop\ComboFix.exe
Command switches used :: c:\users\user\Desktop\CFScript.txt
AV: AVG Anti-Virus Free Edition 2013 *Disabled/Updated* {0E9420C4-06B3-7FA0-3AB1-6E49CB52ECD9}
SP: AVG Anti-Virus Free Edition 2013 *Disabled/Updated* {B5F5C120-2089-702E-0001-553BB0D5A664}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
FILE ::
"c:\windows\system32\devenum0.dll"
"c:\windows\Tasks\fcnkx.job"
.
.
((((((((((((((((((((((((( Files Created from 2012-11-07 to 2012-12-07 )))))))))))))))))))))))))))))))
.
.
2012-12-07 21:39 . 2012-12-07 21:39 -------- d-----w- c:\users\user\AppData\Local\temp
2012-12-07 21:39 . 2012-12-07 21:39 -------- d-----w- c:\users\Doug\AppData\Local\temp
2012-12-07 21:39 . 2012-12-07 21:39 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-12-07 14:36 . 2012-11-19 07:01 9125352 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{82A27DF7-36C3-48DD-94B1-F940B8CF8B25}\mpengine.dll
2012-12-03 20:28 . 2012-12-03 20:28 -------- d-----w- C:\FRST
2012-11-30 01:29 . 2012-11-30 01:29 -------- d-----w- c:\program files (x86)\ESET
2012-11-29 19:32 . 2012-11-29 19:32 -------- d-----w- c:\program files (x86)\ERUNT
2012-11-29 19:23 . 2012-12-03 15:01 -------- d-----w- C:\TDSSKiller_Quarantine
2012-11-29 17:46 . 2012-11-29 17:46 -------- d-----w- c:\users\user\AppData\Local\VS Revo Group
2012-11-29 17:46 . 2009-12-30 17:21 31800 ----a-w- c:\windows\system32\drivers\revoflt.sys
2012-11-29 17:46 . 2012-11-29 17:46 -------- d-----w- c:\program files\VS Revo Group
2012-11-29 15:55 . 2012-11-29 15:55 -------- d-----w- c:\users\user\AppData\Roaming\AVG2013
2012-11-29 15:47 . 2012-11-29 15:47 -------- d-----w- c:\users\user\AppData\Local\AVG Secure Search
2012-11-29 15:47 . 2012-11-29 15:47 -------- d-----w- c:\users\user\AppData\Roaming\TuneUp Software
2012-11-29 15:46 . 2012-11-29 15:46 30568 ----a-w- c:\windows\system32\drivers\avgtpx64.sys
2012-11-29 15:46 . 2012-12-02 21:53 -------- d-----w- c:\program files (x86)\Common Files\AVG Secure Search
2012-11-29 15:46 . 2012-11-29 15:47 -------- d-----w- c:\programdata\AVG2013
2012-11-29 15:46 . 2012-11-29 15:46 -------- d-----w- C:\$AVG
2012-11-29 15:45 . 2012-11-29 15:45 -------- d-----w- c:\program files (x86)\AVG
2012-11-29 15:27 . 2012-11-29 15:27 -------- d--h--w- c:\programdata\Common Files
2012-11-29 15:27 . 2012-12-06 23:54 -------- d-----w- c:\programdata\MFAData
2012-11-29 15:27 . 2012-11-29 19:24 -------- d-----w- c:\users\user\AppData\Local\Avg2013
2012-11-29 15:27 . 2012-11-29 15:27 -------- d-----w- c:\users\user\AppData\Local\MFAData
2012-11-28 15:30 . 2012-11-28 15:30 -------- d-----w- c:\users\user\AppData\Roaming\Malwarebytes
2012-11-28 15:29 . 2012-11-28 15:29 -------- d-----w- c:\programdata\Malwarebytes
2012-11-28 15:29 . 2012-11-30 00:44 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-11-28 15:29 . 2012-09-30 01:54 25928 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-11-27 19:13 . 2012-11-27 19:13 -------- d-----w-rogram Files (x86) c:\progra~3\OOROGR~1
2012-11-26 12:48 . 2012-11-26 12:49 -------- d-----w-ogram Files (x86) c:\progra~3\ROD9E4~1
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-10-30 03:04 . 2006-11-02 12:35 66395536 ----a-w- c:\windows\system32\mrt.exe
2012-10-22 19:02 . 2012-10-22 19:02 154464 ----a-w- c:\windows\system32\drivers\avgidsdrivera.sys
2012-10-15 09:48 . 2012-10-15 09:48 63328 ----a-w- c:\windows\system32\drivers\avgidsha.sys
2012-10-08 18:30 . 2012-03-30 18:53 696760 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2012-10-08 18:30 . 2011-06-02 13:11 73656 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-10-08 18:30 . 2012-09-20 20:30 9575864 ----a-w- c:\windows\SysWow64\FlashPlayerInstaller.exe
2012-10-05 09:32 . 2012-10-05 09:32 111456 ----a-w- c:\windows\system32\drivers\avgmfx64.sys
2012-10-02 09:30 . 2012-10-02 09:30 185696 ----a-w- c:\windows\system32\drivers\avgldx64.sys
2012-09-21 09:46 . 2012-09-21 09:46 200032 ----a-w- c:\windows\system32\drivers\avgtdia.sys
2012-09-21 09:46 . 2012-09-21 09:46 225120 ----a-w- c:\windows\system32\drivers\avgloga.sys
2012-09-14 09:05 . 2012-09-14 09:05 40800 ----a-w- c:\windows\system32\drivers\avgrkx64.sys
2012-09-12 22:26 . 2012-09-12 22:23 489712 ----a-w- c:\users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Catalina Marketing Corp\UninstallCouponActivator.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1555968]
"HPAdvisor"="c:\program files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe" [2010-06-30 1689144]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 138240]
"LightScribe Control Panel"="c:\program files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe" [2008-08-22 2363392]
"swg"="c:\program files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-03-28 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2007-04-18 65536]
"KBD"="c:\program files (x86)\Hewlett-Packard\KBD\KbdStub.EXE" [2008-07-21 12288]
"HP Health Check Scheduler"="c:\program files (x86)\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-10-09 75008]
"UpdateP2GoShortCut"="c:\program files (x86)\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]
"UpdatePDIRShortCut"="c:\program files (x86)\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]
"UpdatePSTShortCut"="c:\program files (x86)\CyberLink\CyberLink DVD Suite Deluxe\MUITransfer\MUIStartMenu.exe" [2008-09-11 210216]
"TSMAgent"="c:\program files (x86)\Hewlett-Packard\TouchSmart\Media\TSMAgent.exe" [2008-10-17 1152296]
"CLMLServer for HP TouchSmart"="c:\program files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe" [2008-10-17 189736]
"DVDAgent"="c:\program files (x86)\Hewlett-Packard\Media\DVD\DVDAgent.exe" [2008-09-26 1148200]
"APSDaemon"="c:\program files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2012-02-21 59240]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-07-27 919008]
"QuickTime Task"="c:\program files (x86)\QuickTime\QTTask.exe" [2011-10-24 421888]
"TkBellExe"="c:\program files (x86)\real\realplayer\Update\realsched.exe" [2012-01-01 296056]
"iTunesHelper"="c:\program files (x86)\iTunes\iTunesHelper.exe" [2012-03-27 421736]
"AVG_UI"="c:\program files (x86)\AVG\AVG2013\avgui.exe" [2012-11-07 3143800]
.
c:\users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files (x86)\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
PictureMover.lnk - c:\program files (x86)\PictureMover\Bin\PictureMover.exe [2008-9-8 430080]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"LoadAppInit_DLLs"=1 (0x1)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
Themes
.
Contents of the 'Scheduled Tasks' folder
.
2012-12-07 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe [2012-03-30 18:30]
.
2012-12-07 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2009-12-28 02:04]
.
2012-12-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2009-12-28 02:04]
.
2012-11-26 c:\windows\Tasks\HPCeeScheduleForuser.job
- c:\program files (x86)\Hewlett-Packard\SDP\Ceement\HPCEE.exe [2009-06-02 18:12]
.
2012-11-29 c:\windows\Tasks\PCDRScheduledMaintenance.job
- c:\program files\PC-Doctor for Windows\pcdr5cuiw32.exe [2008-09-10 16:43]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-12 15853088]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-10-12 82464]
"SmartMenu"="c:\program files (x86)\Hewlett-Packard\HP MediaSmart\SmartMenu.exe" [BU]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uLocal Page = c:\windows\system32\blank.htm
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=bestbuy&pf=cndt
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=bestbuy&pf=cndt
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Free YouTube to MP3 Converter - c:\users\user\AppData\Roaming\DVDVideoSoftIEHelpers\freeyoutubetomp3converter.htm
IE: {{9FB232C5-6909-4F81-99B4-BAB4998940F2}
TCP: DhcpNameServer = 192.168.1.254
.
- - - - ORPHANS REMOVED - - - -
.
Wow6432Node-HKLM-Run-<NO NAME> - (no file)
WebBrowser-{00F2C0C6-2194-484E-9064-44E57787867B} - (no file)
.
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\PCD5SRVC{8AAF211B-043E02A9-05040000}]
"ImagePath"="\??\c:\progra~1\PC-DOC~1\PCD5SRVC_x64.pkms"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_4_402_287_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_11_4_402_287_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_4_402_287_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{73C9DFA0-750D-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_4_402_287.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="IFlashBroker5"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{6AE38AE0-750C-11E1-B0C4-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"
.
[HKEY_LOCAL_MACHINE\software\McAfee]
"SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,6d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,6f,00,66,00,\
.
[HKEY_LOCAL_MACHINE\software\Wow6432Node\Classes]
"SymbolicLinkValue"=hex(6):5c,00,52,00,45,00,47,00,49,00,53,00,54,00,52,00,59,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,4f,00,46,00,\
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2012-12-07 15:46:42
ComboFix-quarantined-files.txt 2012-12-07 21:46
ComboFix2.txt 2012-12-07 10:23
ComboFix3.txt 2012-12-06 13:40
.
Pre-Run: 248,487,890,944 bytes free
Post-Run: 248,447,389,696 bytes free
.
- - End Of File - - 5164698A7A7AEB0CF22487C7AA88FC91

Running much better.

#29 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,312 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto rico
  • Local time:12:46 AM

Posted 07 December 2012 - 09:28 PM

Hello

:P2P Warning!:

IMPORTANT I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

Please note that as long as you are using any form of Peer-to-Peer networking and downloading files from non-documented sources, you can expect infestations of malware to occur
Once upon a time, P2P file sharing was fairly safe. That is no longer true. P2P programs form a direct conduit on to your computer, their security measures are easily circumvented and malware writers are increasingly exploiting them to spread their wares on to your computer. Further to that, if your P2P program is not configured correctly, your computer may be sharing more files than you realise. There have been cases where people's passwords, address books and other personal, private, and financial details have been exposed to a file sharing network by a badly configured program.

Please read these short reports on the dangers of peer-2-peer programs and file sharing.

FBI Cyber Education Letter
File sharing infects 500,000 computers
USAToday
infoworld


These logs are looking allot better. But we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps..

uninstall some programs

NOTE** Because of the cleanup process some of the programs I have listed may not be in add/remove anymore this is fine just move to the next item on the list.

You can remove these programs using add/remove or you can use the free uninstaller from Revo (Revo does allot better of a job)

Programs to remove

Ask Toolbar
Babylon toolbar on IE
Coupon Printer for Windows
Dealio Toolbar v4.0
FrostWire 5.2.11
[/list]


  • Please download and install Revo Uninstaller Free
  • Double click Revo Uninstaller to run it.
  • From the list of programs double click on The Program to remove
  • When prompted if you want to uninstall click Yes.
  • Be sure the Moderate option is selected then click Next.
  • The program will run, If prompted again click Yes
  • when the built-in uninstaller is finished click on Next.
  • Once the program has searched for leftovers click Next.
  • Check/tick the bolded items only on the list then click Delete
  • when prompted click on Yes and then on next.
  • put a check on any folders that are found and select delete
  • when prompted select yes then on next
  • Once done click Finish.
.



Install Java:

Please go here to install Java

  • click on the Free Java Download Button
  • click on Agree and start Free download
  • click on Run
  • click on run again
  • click on install
  • when install is complete click on close

Clean Out Temp Files

  • This small application you may want to keep and use once a week to keep the computer clean.

    Download CCleaner from here http://www.ccleaner.com/

  • Run the installer to install the application.
  • When it gives you the option to install Yahoo toolbar uncheck the box next to it.
  • Run CCleaner. (make sure under Windows tab all the boxes of Internet Explorer and Windows explorer are checked. Under System check Empty Recycle Bin and Temporary Files. Under Application tab all the boxes should be checked).
  • Click Run Cleaner.
  • Close CCleaner.

: Malwarebytes' Anti-Malware :

  • I would like you to rerun MBAM
  • Double-click mbam icon
  • go to the update tab at the top
  • click on check for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
  • If you accidentally close it, the log file is saved here and will be named like this:
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Download HijackThis

If you have any problems running Hijackthis see NOTE** below (Host file not read, blank notepad ...)

  • Go Here to download HijackThis Installer
  • Save HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed it will launch Hijackthis.
  • Click on the Do a system scan and save a log file button. It will scan and the log should open in notepad.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the Analyze This button its findings are dangerous if misinterpreted.
  • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

NOTE**
sometimes we have to run it like this To run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe)<--32bit
(located: C:\Program Files(86)\Trend Micro\HiJackThis\HiJackThis.exe)<--64bit
and select to run as administrator

"information and logs"

  • In your next post I need the following

  • Log From MBAM
  • report from Hijackthis
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic


Please Only Copy And Paste Reports Into Topic - Do Not Attach

My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#30 Mikeyb1

Mikeyb1
  • Topic Starter

  • Members
  • 133 posts
  • OFFLINE
  •  
  • Local time:11:46 PM

Posted 08 December 2012 - 12:29 AM

Malwarebytes Anti-Malware 1.65.1.1000
www.malwarebytes.org

Database version: v2012.12.08.02

Windows Vista Service Pack 2 x64 NTFS
Internet Explorer 9.0.8112.16421
user :: USER-PC [administrator]

12/7/2012 11:16:10 PM
mbam-log-2012-12-07 (23-16-10).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 243312
Time elapsed: 3 minute(s), 46 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)





Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:28:49 PM, on 12/7/2012
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v9.00 (9.00.8112.16455)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe
C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe
C:\hp\support\hpsysdrv.exe
C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\TSMAgent.exe
C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe
C:\Program Files (x86)\Hewlett-Packard\Media\DVD\DVDAgent.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\AVG\AVG2013\avgui.exe
C:\Program Files (x86)\Hewlett-Packard\KBD\kbd.exe
C:\Program Files (x86)\Windows Media Player\wmplayer.exe
C:\Program Files (x86)\AVG\AVG2013\avgcfgex.exe
C:\Program Files (x86)\Real\RealPlayer\update\realsched.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Users\user\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=bestbuy&pf=cndt
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=bestbuy&pf=cndt
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\Program Files (x86)\Hewlett-Packard\KBD\KbdStub.EXE
O4 - HKLM\..\Run: [HP Health Check Scheduler] c:\Program Files (x86)\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [UpdateP2GoShortCut] "c:\Program Files (x86)\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" "c:\Program Files (x86)\CyberLink\Power2Go" UpdateWithCreateOnce "SOFTWARE\CyberLink\Power2Go\6.0"
O4 - HKLM\..\Run: [UpdatePDIRShortCut] "c:\Program Files (x86)\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" "c:\Program Files (x86)\CyberLink\PowerDirector" UpdateWithCreateOnce "SOFTWARE\CyberLink\PowerDirector\7.0"
O4 - HKLM\..\Run: [UpdatePSTShortCut] "c:\Program Files (x86)\CyberLink\CyberLink DVD Suite Deluxe\MUITransfer\MUIStartMenu.exe" "c:\Program Files (x86)\CyberLink\CyberLink DVD Suite Deluxe" UpdateWithCreateOnce "Software\CyberLink\PowerStarter"
O4 - HKLM\..\Run: [TSMAgent] "c:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\TSMAgent.exe"
O4 - HKLM\..\Run: [CLMLServer for HP TouchSmart] "c:\Program Files (x86)\Hewlett-Packard\TouchSmart\Media\Kernel\CLML\CLMLSvc.exe"
O4 - HKLM\..\Run: [DVDAgent] "c:\Program Files (x86)\Hewlett-Packard\Media\DVD\DVDAgent.exe"
O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "c:\program files (x86)\real\realplayer\Update\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG_UI] "C:\Program Files (x86)\AVG\AVG2013\avgui.exe" /TRAYONLY
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [HPAdvisor] C:\Program Files (x86)\Hewlett-Packard\HP Advisor\HPAdvisor.exe view=DOCKVIEW
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_4_402_287_ActiveX.exe -update activex
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files (x86)\ERUNT\AUTOBACK.EXE
O4 - Global Startup: PictureMover.lnk = C:\Program Files (x86)\PictureMover\Bin\PictureMover.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200
O8 - Extra context menu item: Free YouTube to MP3 Converter - C:\Users\user\AppData\Roaming\DVDVideoSoftIEHelpers\freeyoutubetomp3converter.htm
O9 - Extra button: (no name) - {9FB232C5-6909-4F81-99B4-BAB4998940F2} - (no file)
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: AVGIDSAgent - AVG Technologies CZ, s.r.o. - C:\Program Files (x86)\AVG\AVG2013\avgidsagent.exe
O23 - Service: AVG WatchDog (avgwd) - AVG Technologies CZ, s.r.o. - C:\Program Files (x86)\AVG\AVG2013\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: @dfsrres.dll,-101 (DFSR) - Unknown owner - C:\Windows\system32\DFSR.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files (x86)\HP Games\My HP Game Console\GameConsoleService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files (x86)\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
O23 - Service: McciCMService - Alcatel-Lucent - C:\Program Files (x86)\Common Files\Motive\McciCMService.exe
O23 - Service: McciCMService64 - Alcatel-Lucent - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: Mp3Rocket Toolbar Helper - Unknown owner - C:\Program Files (x86)\MP3 Rocket Toolbar\MP3RocketSvc.exe (file missing)
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (nvsvc) - Unknown owner - C:\Windows\system32\nvvsvc.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\SLsvc.exe,-101 (slsvc) - Unknown owner - C:\Windows\system32\SLsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: vToolbarUpdater13.2.0 - Unknown owner - C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\13.2.0\ToolbarUpdater.exe
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)
O23 - Service: XAudioService - Unknown owner - C:\Windows\system32\DRIVERS\xaudio64.exe (file missing)
O23 - Service: Yahoo! Updater (YahooAUService) - Yahoo! Inc. - C:\Program Files (x86)\Yahoo!\SoftwareUpdate\YahooAUService.exe

--
End of file - 11406 bytes




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users